For instance, the “abuse tool” allegedly does not remove the actual file being complained about by a rightsholder. Instead, it only removes a specific Web address linked to that file—but there might be hundreds of such addresses for popular content.
Am I misreading, or are they saying that a takedown notice should go after every copy of the same file?
That's not quite it. They kept one internal copy that never got deleted, even when the abuse tool took down a URL. If someone tried to re-upload the same file, the upload was short-circuited to point at that existing copy instead of storing a new one. I assume this was deduplication to cut down on redundancy when many people stored the same stuff.
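For concreteness, here's a minimal sketch of how that kind of hash-based dedup plus per-upload links could work, and why a takedown that only deletes a link leaves the underlying file reachable. The structure and names are my own illustration, not Megaupload's actual code:

```python
import hashlib
import uuid

# Toy model: many public URLs can point at one stored blob, and the
# abuse tool only ever deletes a URL, never the blob itself.
blobs = {}   # sha1 hex digest -> file bytes (the single internal copy)
urls = {}    # public link id -> sha1 hex digest

def upload(data: bytes) -> str:
    digest = hashlib.sha1(data).hexdigest()
    if digest not in blobs:          # first time this file has been seen
        blobs[digest] = data
    url_id = uuid.uuid4().hex        # but every upload still gets its own link
    urls[url_id] = digest
    return url_id

def abuse_takedown(url_id: str) -> None:
    # Removes only the reported link; the blob and all other links survive.
    urls.pop(url_id, None)

# Two users upload the same movie; a takedown on one link leaves the other working.
a = upload(b"...movie bytes...")
b = upload(b"...movie bytes...")
abuse_takedown(a)
assert b in urls and urls[b] in blobs
```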
TorrentFreak explains it well:
Megaupload’s “Abuse Tool”, to which major copyright holders were given access, enabled the removal of links to infringing works hosted on MegaUpload’s servers. However, the indictment claims that it “did not actually function as a DMCA compliance tool as the copyright owners were led to believe.” And here’s why.
The indictment claims that when a copyright holder issued a takedown notice for content referenced by its URL, only the URL was taken down, not the content to which it pointed. So although the URL in question would report that it had been removed and would no longer resolve to infringing material, URLs issued to others would remain operational.
Furthermore, the indictment states that although MegaUpload staff (referred to as Members of the Conspiracy) discussed how they could automatically remove child pornography from their systems given a specific hash value, the same standards weren’t applied to complained-about copyright works.
In June 2010, it appears that MegaUpload was subjected to something of a test by the authorities. The company was informed, pursuant to a criminal search warrant from the U.S. District Court for the Eastern District of Virginia, that thirty-nine infringing movies were being stored on their servers at Carpathia Hosting in the Eastern District of Virginia.
Other file hosts will probably learn from this mistake. The expensive but seemingly legally kosher solution would be to keep multiple copies of files and skip the redundancy check entirely, perhaps gaining some kind of plausible deniability; this might need to be augmented by some encryption trick that would fuck up checksums or otherwise make a dumb, cheap comparison of files impossible. E.g., "We believe in user privacy, so only users with a PK can download/extract this. We don't store the PK, so we can't check anything unless it's somehow provided with a report. We can remove things on a case-by-case basis as we're notified, but we have no mechanism for internally checking one file against another."
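A toy illustration of that encryption trick (deliberately simplified, not real cryptography, and purely my own sketch): if each upload is encrypted under a per-user key the host never stores, identical files turn into unrelated blobs and a cheap checksum comparison tells the host nothing.

```python
import hashlib
import os

# Toy stream cipher purely for illustration -- do not use for real crypto.
def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))

movie = b"...same pirated movie bytes..."
key_alice, key_bob = os.urandom(32), os.urandom(32)   # keys stay client-side

ct_alice = encrypt(key_alice, movie)
ct_bob = encrypt(key_bob, movie)

# The host sees two unrelated blobs; it can't tell they hold the same film.
assert hashlib.sha1(ct_alice).hexdigest() != hashlib.sha1(ct_bob).hexdigest()
```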
Slightly less naive, though probably legally perilous, would be to keep the single stored copy only while some non-reported links to it remain (the "keep while linked" policy sketched a bit further down).
The safest legal solution: if you have 5 links to X and one of them is DMCA-reported, all 5 links die and the file is removed. Slightly less safe, but more conducive to re-uploads of pirated content: once the infringing content is taken down, you also nuke the local copy and its checksum, so if someone else uploads the same file again, there's nothing to check it against.
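Here's a rough sketch of those policy options side by side, extending the toy model from the earlier snippet; `taken_down` and the policy names are invented for illustration, not anything a real host uses:

```python
# Mirrors the earlier toy model: one stored blob per unique file, many links.
blobs = {}        # digest -> stored bytes
urls = {}         # public link id -> digest
taken_down = set()  # hypothetical registry an upload handler could check

def dmca_takedown(url_id: str, policy: str = "nuke_all") -> None:
    digest = urls.pop(url_id, None)
    if digest is None:
        return

    if policy == "keep_while_linked":
        # The legally riskier variant: keep the blob as long as any
        # non-reported link still points at it.
        if digest not in urls.values():
            blobs.pop(digest, None)
        return

    # Safest: every link to the same content dies and the blob is removed.
    for other in [u for u, d in urls.items() if d == digest]:
        del urls[other]
    blobs.pop(digest, None)

    if policy == "nuke_all":
        # Keep the checksum on record so a re-upload of identical bytes can
        # still be matched back to the notice.
        taken_down.add(digest)
    else:  # policy == "forget_hash"
        # Less safe, more re-upload friendly: the checksum is forgotten too,
        # so a fresh upload of the same file has nothing to be checked against.
        taken_down.discard(digest)
```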
Either way, there's a good chance more releasers will start doing silly shit like packing the content in an archive along with an extra "downloaded from domain" text file, so as to change the checksum and defeat whatever other mechanisms the dupe-checker relies on.
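For example, a trivial repack with a junk text file is enough to give the archive a completely different hash, so a naive hash-based dupe-checker no longer recognises it. File names here are made up for the example:

```python
import hashlib
import io
import zipfile

def make_release(extra_note: str = "") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("movie.mkv", b"...identical payload bytes...")
        if extra_note:
            zf.writestr("downloaded_from_example.com.txt", extra_note)
    return buf.getvalue()

plain = make_release()
padded = make_release("Downloaded from example.com")

print(hashlib.sha1(plain).hexdigest())
print(hashlib.sha1(padded).hexdigest())   # differs, defeating a naive dupe check
```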