CipherCloud Discovers Senorita Streisand Effect Is A Hateful Mistress

from the doing-it-wrong dept

Companies using DMCA claims as censorship typically fall into one of two categories. Either the company thinks it's somehow losing money over posted content, or they are looking to silence criticism. This is a story about the latter and how the attempt Streisand-apulted (this should undoubtedly be a word) CipherCloud into an internet frenzy over how the company achieves the encryption they purport to do.

For the purposes of background, CipherCloud runs an online service for encrypting any data that is stored in other cloud-based services, such as public email systems or CRM. It's essentially a promise to make your cloud data private. As adoption of cloud-based services continues to progress, this would seemingly be a valuable service to use, assuming it works as well as they claim. The problem is that the company doesn't get into many specifics over how they achieve any of this, leaving it to internet forums like StackExchange and their users to try and figure it out. That particular string covers a technical but important question raised by a forum member last August.

Last August, when someone posted a question about CipherCloud’s service to StackExchange, a popular question and answer site for software developers. “How is CipherCloud doing homomorphic encryption?” the question read.
That’s a geeky question, but an honest one. CipherCloud’s service is designed to encrypt data stored in existing online applications without hampering the way these applications operate, and that’s not an easy thing to do. If you encrypt a collection of data, for instance, you may have trouble searching that data. One solution is a technique called “homomorphic encryption,” which would let users manipulate encrypted data as if it wasn’t encrypted — and that’s what the question was getting at.
The question received several answers, with the consensus being that the service likely was not doing homomorphic encryption, since that's a technology that isn't really ready for wider use as of yet. Instead, forum users posted a CipherCloud white paper, a corporate promotional video, and a presentation from a security conference by the company to try to figure out exactly what CipherCloud's service was doing. Most of them settled on the idea that deterministic encryption was being done instead. That technique is generally considered a weak form of encryption. And there the post sat for months. And months. Mostly unnoticed.
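Why the deterministic-encryption guess matters, as an added example (not from the original post and not CipherCloud's code): a toy cipher built from HMAC-SHA256, an assumption chosen so it runs on the standard library alone, shows that deterministic encryption keeps exact-match search working on ciphertext but also hands the storage provider the frequency of every stored value. The key, records and function names are constructed for illustration.

```python
import hashlib, hmac, os
from collections import Counter

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret


def keystream(key, nonce, length):
    """Toy stream cipher: HMAC-SHA256 over nonce || counter (illustration only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext, deterministic):
    """Deterministic mode derives the nonce from the plaintext, so equal
    plaintexts always give equal ciphertexts; randomized mode uses a fresh nonce."""
    if deterministic:
        nonce = hmac.new(key, b"nonce:" + plaintext, hashlib.sha256).digest()[:16]
    else:
        nonce = os.urandom(16)
    stream = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key, ciphertext):
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(c ^ s for c, s in zip(body, keystream(key, nonce, len(body))))


def search(key, column, term):
    """Exact-match lookup done purely on ciphertext: re-encrypt the term, compare."""
    token = encrypt(key, term, deterministic=True)
    return [i for i, ct in enumerate(column) if ct == token]


def frequency_profile(column):
    """What the storage provider sees without the key: repeat counts of ciphertexts."""
    return sorted(Counter(column).values(), reverse=True)


# Constructed sample column, as a cloud CRM might store a surname field.
RECORDS = [b"smith", b"smith", b"smith", b"jones", b"smith", b"nguyen", b"jones"]
DET = [encrypt(KEY, r, deterministic=True) for r in RECORDS]
RND = [encrypt(KEY, r, deterministic=False) for r in RECORDS]

if __name__ == "__main__":
    print("deterministic: hits", search(KEY, DET, b"smith"), "profile", frequency_profile(DET))
    print("randomized:    hits", search(KEY, RND, b"smith"), "profile", frequency_profile(RND))
```

The deterministic column's profile matches the plaintext histogram exactly, which is the leak; the randomized column leaks nothing of the kind but can no longer be searched by comparing ciphertexts.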

Until, that is, CipherCloud decided to see how badly they could shoot themselves in their own feet.
On Saturday, the company sent a DMCA takedown notice and defamation complaint to StackExchange. With its letter, CipherCloud complained that StackExchange users violated its intellectual property in posting its marketing materials to the site and that defamed its operation in misrepresenting the way its technology works. The users guessed that CipherCloud used something called deterministic encryption, a relatively weak form of security. The company said this is not the case, pointing out that one of the posters, Sid Shetye, is the CEO of CipherDb, a company that competes with CipherCloud in some ways.
A couple things here. It's difficult to understand how a defamation case works when the forum posts made it clear they were simply speculating based on the marketing material at hand. That's not defamation. Secondly, the idea of sending a copyright takedown notice over marketing material may just be the most ridiculous thing I've ever heard. The entire point of marketing is to spread it as far and wide as possible. Using the DMCA notice this way makes it clear that this isn't about copyright at all, but rather about silencing criticism or, in this case, speculation (which is worse, by the way).

And, finally, it's fun to note that this move will ultimately fail in both the legal realm and in purpose. The EFF has already weighed in, stating that it's clear that use of the marketing material fell under Fair Use and that the defamation claim is laughably without merit.
“I don’t think there’s a court in the country that would hold [the posters] liable for defamation,” [Corynne McSherry of the EFF] says. And if CipherCloud did try to bring defamation charges against the users, she says, the company could be exposed to a potential counter suit under SLAPP laws, which are designed to prevent individuals or companies from using bogus lawsuits to silence critics.
Of course, this previously little-heard-of forum and the questions it posed have now been splashed all over Reddit, Slashdot, Hacker News, and now here. All over a meritless DMCA notice for a forum half a year old. Well done, CipherCloud.



Reader Comments

  •  
    Josh in CharlotteNC (profile), Apr 26th, 2013 @ 1:17pm

    CipherCloud now dead man walking

    CipherCloud is about to be in trouble as serious crypto geeks look over their stuff for weaknesses as a result of this publicity.

    Truth is absolute defense in defamation, right? In order for Cipher to show they were defamed, they'd need to show they were using homomorphic encryption.

    If they refuse to answer in detail how their crypto works, the (naturally quite paranoid) crypto community will take that as equivalent to admitting it is vulnerable, and no one serious will support or use it.

    Cipher is effectively dead in any situation other than if their stuff works as designed and advertised with no vulnerabilities and they can actually prove it.

     


    •  
      Josh in CharlotteNC (profile), Apr 26th, 2013 @ 1:26pm

      Re: CipherCloud now dead man walking

      Ah, Cipher has put up a blog post claiming that they use neither homomorphic nor deterministic encryption.

      http://blog.ciphercloud.com/responding-to-the-myths-about-CipherClouds-encryption-technology/

      They still haven't answered how their stuff works, only how it doesn't work. Not going over well.

       


      •  
        That Anonymous Coward (profile), Apr 27th, 2013 @ 12:12am

        Re: Re: CipherCloud now dead man walking

        My guess.... Cap'n Crunch decoder ring

         


        •  
          PaulT (profile), Apr 27th, 2013 @ 1:25am

          Re: Re: Re: CipherCloud now dead man walking

          Could be. Perhaps the reason why they don't want to say is because if revealed, the method would be instantly recognisable to any security expert as laughably weak and thus kill their product.

           


          •  
            Anonymous Coward, Apr 27th, 2013 @ 11:01am

            Re: Re: Re: Re: CipherCloud now dead man walking

            All I know about crypto I learned from Security Now! from Twit.tv. My two big takeaways are never trust a security method that hasn't been pounded on by the experts and never trust a security regime that refuses to show you its methodology.

            Sounds like an attempt at security through obscurity which is rarely all that secure.

             


        •  
          G Thompson (profile), Apr 27th, 2013 @ 1:27am

          Re: Re: Re: CipherCloud now dead man walking

          nah they aren't cool enough for the crunch ring.

          rot13 would be my guess

           


        •  
          davnel, Apr 27th, 2013 @ 10:50am

          Re: Re: Re: CipherCloud now dead man walking

          They use very sophisticated methods: the Union Cipher Disk, FOLLOWED by the Captain Midnight Secret Decoder Ring. It don't get much better than that.

           


  •  
    BentFranklin (profile), Apr 26th, 2013 @ 2:28pm

    What is the meaning of "Senorita" in the title?

     


  •  
    Mason Wheeler, Apr 26th, 2013 @ 2:39pm

    StackExchange

    previously little-heard-of forum


    For the record, StackExchange is not a forum; it's a Q&A site. That may sound pedantic, but to those of us involved in the SE community it's an important distinction. It means you don't come in to have discussions; you're supposed to ask specific questions and provide authoritative answers, and if you try to act like you're on a forum, your posts are likely to get closed.

    It's one of the biggest secrets behind SE's popularity, since it keeps the signal-to-noise ratio much higher than your average forum. It may have been little-heard-of four years ago, but today if you go Googling for technical questions, especially regarding programming, you're likely to find answers from StackOverflow (the premier site of the StackExchange network) on the first page, and frequently at the top of it.

     


    •  
      Mike Masnick (profile), Apr 27th, 2013 @ 12:17am

      Re: StackExchange

      I don't think he was using "forum" in the sense of "web forums" but rather as in "venue." Basically, this "little heard of spot where this was being discussed."

       


    •  
      Anonymous Coward, Apr 27th, 2013 @ 3:54am

      Re: StackExchange

      It is still a form of forum, limited in scope (specialized or whatever you wanna call it) but a forum nonetheless.

       


  •  
    btr1701 (profile), Apr 26th, 2013 @ 3:28pm

    > "I don't think there's a court in the country
    > that would hold [the posters] liable for defamation."

    Not to mention, if CipherCloud did proceed with a suit for defamation, the defendants would be entitled to discovery to defend their case, truth being an ultimate defense to defamation. Which means CipherCloud would be ordered to open their code up to the defendants for inspection, which is the last thing I imagine they want to do.

     


  •  
    Rekrul, Apr 26th, 2013 @ 3:33pm

    Secondly, the idea of sending a copyright takedown notice over marketing material may just be the most ridiculous thing I've ever heard. The entire point of marketing is to spread it as far and wide as possible.

    And yet companies will still issue a DMCA takedown notice if you post their TV commercials to YouTube...

     


    •  
      PaulT (profile), Apr 27th, 2013 @ 1:34am

      Re:

      I forget the name now, but one of my earliest viewed examples of how Hollywood didn't have a clue about the internet was when they shut down a site dedicated to streaming movie trailers (late 90s, I think - I was still on dialup at that point).

      That's right, a site is set up so that people can see all of their advertising with no cost to the studios. Trailers whose *entire purpose* is to make the people watching them want to go and watch the full movie, and they shut it down "because copyright"...

       


      •  
        Rekrul, May 1st, 2013 @ 12:27pm

        Re: Re:

        That's right, a site is set up so that people can see all of their advertising with no cost to the studios. Trailers whose *entire purpose* is to make the people watching them want to go and watch the full movie, and they shut it down "because copyright"...

        Exactly.

        Quite a few years ago, I was browsing one of the adult newsgroups and one producer of adult material was posting censored copies of photos from his web site. I commented that by censoring them, it was much less likely that people would keep them, or repost them in the future. He practically blew a gasket and said that if anyone dared to repost the free, promotional photos that he was posting, he would sue that person.

         


  •  
    madasahatter (profile), Apr 26th, 2013 @ 9:45pm

    What Defamation

    The cryptographers are curious about the encryption method and based on the published information they concluded by consensus a particular method was likely being used. The best reaction is not to sue but to publish enough information about the cryptography methods to keep the crypto-spooks happy.

    If I was researching the company and saw this Q&A I would likely read and research more about the techniques mentioned. My interest is not the details of the specific algorithm but what method(s) are they using and what the crypto-spooks think of it.

     


  •  
    Eric Hay, Apr 27th, 2013 @ 7:08am

    Correction: CipherCloud does not offer a service

    CipherCloud is not a service - they sell a software solution as a subscription. This is a relatively new security solution known as a Cloud Encryption Gateway. (Gartner includes this type of product in their Cloud Access Security Broker industry segment.) Many organizations are fearful of putting sensitive data in a cloud service that is out of their control, and some are prevented from doing so based on industry or government regulations. These solutions let organizations secure data via gateways they manage on site, or in a cloud solution managed separately from the SaaS application.

    Full disclosure:
    My company, PerspecSys, competes with CipherCloud and we actually created the first product in this space back in 2009. However, unlike CipherCloud, we have not written our own encryption - customers are free to use well-vetted solutions from Voltage, Oracle, RSA, and many others, in addition to random tokenization.

     


