The guys in Bad Dog, a folkie duo from Washington, D.C., weren’t hoping to get rich off the album they recorded this summer. David Post and Craig Blackwell have been devoted amateurs for decades, and they’re long past dreams of tours and limos. Mostly they wanted a CD to give away at a house party in December.
Listen to This Article
Open this article in the New York Times Audio app on iOS.
But not long after “The Jukebox of Regret” was finished in July and posted on SoundCloud, nearly every song on it somehow turned up on Spotify, Apple Music, YouTube and at least a dozen other streaming platforms. This might have counted as a pleasant surprise, except for a bizarre twist: Each song had a new title, attached to the name of a different artist.
This mysterious switcheroo might have gone unnoticed. But by happenstance, it was discovered when the guy who produced the album posted one of the songs on his studio’s Instagram account. To his astonishment, Instagram automatically tagged the song “Preston” by Bad Dog as a song called “Drunk the Wine” by Vinay Jonge — a “musician” with no previous songs and zero profile on the internet. He didn’t seem to exist.
The full extent of this heist soon became clear. “Pop Song” by Bad Dog had become “With Me Tonight” by someone named Kyro Schellen. “The Misfit” had become “Outlier” by Arend Grootveld. “Verona” had become “I Told You” by Ferdinand Eising. And so on. Same music, different track names and credited to different artists, none of whom had any other songs or any profile on the web.
It got weirder. Disc Makers, the CD production company hired by the band, was about to start pressing copies of the album and, as part of its routine due diligence, ran the metadata of the songs — their digital fingerprints, essentially — through a program designed to determine if they were originals. They were not, the program reported. Whoever had pirated the tracks had commandeered their digital fingerprints, too.
For all intents and purposes, Bad Dog’s music now belonged to someone else. Disc Makers wouldn’t press the discs until the band proved it owned the songs on “Jukebox.” Which meant the duo couldn’t even get a CD to hand out as a freebie.
“It felt like someone had broken into my house and stole my prize possessions,” said Mr. Blackwell. “And it’s not like I’m looking to make $10 from Spotify. It’s about attribution.”
Few in the business have ever heard of this kind of musical hijacking. That includes Bad Dog, which would spend weeks trying to reclaim its music, with little success. The fight was maddening even though it occurred on turf that both band members know well. Mr. Blackwell, 58, is a practicing lawyer who spends time on intellectual property rights. Mr. Post, 72, is a retired law professor who specialized in internet copyright.
Despite their backgrounds, both men were stymied by the vast and arcane world of music streaming fraud, a realm where anonymous pirates are constantly devising new ways to steal from the $17 billion a year pool of royalty money intended for artists.
That’s a giant, tempting pot of gold for scammers around the world. Beatdapp, a Vancouver company that detects fraud for industry clients, estimates that a little more than 10 percent of that pot, about $2 billion, is swiped annually.
“Bad actors are getting creative,” said Andreea Gleeson of the Music Fights Fraud Alliance, a collection of labels, distributors and streaming platforms. “It’s a constantly moving target.”
Spotify and its rivals were supposed to end the era of music piracy. In the late 1990s and early aughts, millions of fans routinely downloaded songs from online peer-to-peer file services without paying a penny, a fiasco that cost the industry a fortune. When monthly subscription services (like Spotify) and pay-per-song offerings (the early version of Apple Music) came along, musicians and labels finally had a lucrative way to harness the convenience of online music.
But the streaming ecosystem, say critics, is easily gamed. For $20, artists can buy an annual subscription to a music distributor, a company that can instantly post songs to dozens of streaming platforms. Unfortunately, bad actors have the same opportunity.
Some marketers have been caught trying to juice the profile of legitimate artists, usually with “bot farms” programmed to play songs on repeat. More often, though, scammers simply create white noise tracks or A.I.-generated tunes on their computers.
In the streaming world, 40 seconds of noise is as much a song as “Hey Jude.” To garner listens for these tracks, fraudsters buy log-ins to legitimate accounts on Spotify and other services cheaply and in bulk on the dark web. Bots then play those tracks on repeat without account holders realizing they have been hacked.
“If you’ve ever gotten a recommendation for a song and thought, ‘That’s weird, I don’t listen to that,’ now you know why,” said Andrew Batey of Beatdapp.
Andrew Batey of Beatdapp helps track down Internet fraud.Credit…Agnes Lopez for The New York Times
Mr. Batey has seen other streaming shenanigans that are hard to explain. Like an account on one platform that generated 694,000 listens in a week. Or an account that showed up in a dozen countries on 40 different devices in the same span of time.
Digital streaming platforms have tried to impose new rules that make it harder to monetize noise. One unintended consequence is that human-made songs have become more valuable to fraudsters — especially music by artists who aren’t interested in earning money from pay-to-play streaming platforms.
This might have made Bad Dog an inviting target.
The duo met in the early ’90s, when both men were associates at a large law firm, Wilmer Cutler & Pickering (now called WilmerHale). Mr. Post played the banjo, Mr. Blackwell played the guitar and the pair jammed on the roof of the firm’s offices, wearing coats and ties.
“People came up there and listened to us,” Mr. Blackwell recalled.
The crowds were thin, which might have been for the best.
“At that point,” Mr. Post said, “we weren’t any damn good.”
The band released a six-song cassette in 1995, praised in the Washington City Paper for music that “twists the genre in interesting, albeit gentle ways.” The pair played together, on and off over the decades, but they always regarded music as a passionate hobby. Most of their energy went into their legal careers.
Mr. Post left Wilmer to clerk for Justice Ruth Bader Ginsburg at the Supreme Court. In 1994, he joined Georgetown Law School and burrowed into the then-new world of cyber law. At the time, copyright owners were predicting that the internet meant Armageddon for musicians, authors and other creators of intellectual property. Heedless web surfers were going to post everything online, where it would be downloaded for free, wrecking the value of creative endeavors. So content owners pushed for the most robust possible copyrights. Mr. Post pushed back.
“Copyright owners were taking this circle-the-wagons approach, that the internet will kill us, it’s ruinous and we should sue the platforms,” he said. “I wasn’t on the side of the infringers. I just thought that copyright is too rigid, it lasts too long, it tamps down creativity.” When copyrights are too expansive, he elaborated, others can’t borrow, quote and get inspired in ways that lead to more art.
Mr. Post stuck with this philosophy for decades, but it was tested after the theft of “The Jukebox of Regret.” The galling part was that Bad Dog’s connection to the songs had been completely erased.
“Initially, I had in my head a picture of someone saying, ‘I found these guys in Washington who put out this album, it’s really good,’” Mr. Post said. “Even if they’d made money off it, that would have been fine with me.”
To retrieve their songs, Mr. Post and Mr. Blackwell sent out what are called takedown notices, or formal requests to remove pirated music, to a bunch of different sites. The band members used their SoundCloud page to demonstrate that their recordings predated all the uploads on the streaming platforms.
Two sites responded fairly quickly. Amazon Music removed the songs in about a week. YouTube soon followed.
Other platforms offered little more than canned emails. (“Your claim will be processed by our team,” Spotify replied.) Apple Music sent a form letter, too, though it included a tantalizing clue: the name of the company that had uploaded the songs.
It was Warner Music, one of the big three labels.
On Dec. 5, this reporter emailed the public relations department at Warner. A spokeswoman there looked into the matter and soon after said the songs had been uploaded via a subsidiary called Level, a music distributor catering to independent artists. (“Your release, streamlined,” the company says on its website.) For a $20 annual fee, Level uploads audio to a long list of digital streaming platforms. It asks only for customers to tick a box and agree to terms of service, which include a promise not to post any audio owned or created by someone else.
Warner moved quickly. On Dec. 6, the company removed all the pirated versions of Bad Dog’s songs from all of the sites. (The company would not discuss how.) Soon after, anyone typing “Vinay Jonge” into Deezer, the French online music platform, got an error page that read, “Oops … It did it again.”
By then, Bad Dog’s songs had collectively been played more than 60,000 times on Spotify. The number suggests that the fraudster found a way to generate listens for the song, but not at numbers that would arouse suspicion. At Spotify’s rates, all those listens would translate into just over $250.
It seems a pittance, though additional sums were earned through other platforms, so it’s impossible to know how much the Bad Dog robbery actually netted. And it seems likely that other artists were hacked in the same way. This is a scalable scam, said Mr. Batey of Beatdapp. SoundCloud boasts more than 320 million songs, many of them the work of weekend noodlers. These people may never realize that their work has been grabbed and renamed and is siphoning money from the royalty pool.
“This won’t be the last time someone will think, ‘Hey, there’s a gap here — we might be able to exploit this gap with tens of thousands of artists,” Mr. Batey said.
The saga raises many questions. Like, who was behind this particular fraud? Did Level perform a digital fingerprint search and miss that all of the music was previously uploaded to SoundCloud? Or does it skip such searches entirely?
Unfortunately, much of the music industry is about as chatty as a Swiss bank. SoundCloud would not comment. A representative for Warner Music, who fielded questions for Level, would not say who had uploaded the band’s songs to Level, citing company policy.
“We take matters of fraud and theft very seriously and cooperate with authorities in any investigations,” the Warner spokeswoman wrote in an email.
A spokeswoman from Spotify said filtering out stolen songs was the job of music distributors.
“Ultimately we rely on representations from our content providers that the content they deliver is not infringing,” said Laura Batey of Spotify (no relation to Mr. Batey). After getting a takedown notice from Bad Dog, she added, Spotify flagged the issue to Warner Music.
The members of Bad Dog are still trying to make sense of what happened. Mr. Blackwell is the more irritated of the two. He’s especially angry at Warner Music, though he doesn’t plan to take legal action (the damages are emotional, not financial).
“I couldn’t get a deal with Warner to save my life,” he said. “But they made money from my music, and that money was from straight-up infringement.”
For Mr. Post, the past few months have been illuminating. He still supports the broad protections provided for online platforms. But some flaws are now glaringly obvious. Current law seems ill-suited for a world where infringement can occur on an industrial scale.
“In 1997, I don’t think people were thinking about this automated operation that just sucks up unprotected material, rejiggers it to make it unfindable and uploads to platforms where they can start monetizing it,” he said. “That wasn’t on anybody’s radar.”
Also, the notice-and-take down system, at least in this case, didn’t work. Notices went in and, in the case of Spotify and others, little happened.
Communicating with the old-school part of the music industry proved far easier. Bad Dog convinced Disc Makers that it really did write all the songs on “Jukebox” — the SoundCloud link helped — and the company printed 100 CDs. They were ready in time for the release party, on Dec. 2, a bring-your-own-beer event at the Palisades Hub in D.C. Giving away the disc might have been the biggest challenge of the evening; not a lot of people own CD players these days. The live show, by contrast, was a mellow, breezy cinch, and it included a cookie break at the end of the first set. (Toffee diamonds, jam thumbprints and pistachio meringues, all baked by a Bad Dog fan.)
Today, evidence of the pirate’s handiwork lives on, stubbornly, in at least one place. Open Shazam, the song identification app owned by Apple, and let it listen to “Preston.” A few seconds later, the app will offer up a familiar title: “Drunk the Wine” by Vinay Jonge.
Audio produced by Tally Abecassis.
