CipherCloud Discovers Senorita Streisand Effect Is A Hateful Mistress
from the doing-it-wrong dept
Companies using DMCA claims as censorship typically fall into one of two categories. Either the company thinks it’s somehow losing money over posted content, or they are looking to silence crticism. This is a story about the latter and how the attempt Streisand-apulted (this should undoubtedly be a word) CipherCloud into an internet frenzy over how the company achieves the encryption they purport to do.
For the purposes of background, CipherCloud runs an online service for encrypting any data that is stored in other cloud-based services, such as public email systems or CRM. It’s essentially a promise to make your cloud data private. As adoption of cloud-based services continues to progress, this would seemingly be a valuable service to use, assuming it works as well as they claim. The problem is that the company doesn’t get into many specifics over how they achieve any of this, leaving it to internet forums like StackExchange and their users to try and figure it out. That particular string covers a technical but important question raised by a forum member last August.
Last August, when someone posted a question about CipherCloud’s service to StackExchange, a popular question and answer site for software developers. “How is CipherCloud doing homomorphic encryption?” the question read.
That’s a geeky question, but an honest one. CipherCloud’s service is designed to encrypt data stored in exiting online applications without hampering the way these applications operate, and that’s not an easy thing to do. If you encrypt a collection of data, for instance, you may have trouble searching that data. One solution is a technique called “homomorphic encryption,” which would let users manipulate encrypted data as if it wasn’t encrypted — and that’s what the question was getting at.
The question received several answers, with the consensus being that the service likely was not doing homomorphic encryption, since that’s a technology that isn’t really ready for wider use as of yet. Instead, forum users posted a CipherCloud white paper, a corporate promotional video, and a presentation from a security conference by the company to try to figure out exactly what CipherCloud’s service was doing. Most of them settled on the idea that deterministic encryption was being done instead. That technique is generally considered a weak form of encryption. And there the post sat for months. And months. Mostly unnoticed.
Until, that is, CipherCloud decided to see how badly they could shoot themselves in their own feet.
On Saturday, the company sent a DMCA takedown notice and defamation complaint to StackExchange. With its letter, CipherCloud complained that StackExchange users violated its intellectual property in posting its marketing materials to the site and that defamed its operation in misrepresenting the way its technology works. The users guessed that CipherCloud used something called deterministic encryption, a relatively weak form of security. The company said this is not the case, pointing out that one of the posters, Sid Shetye, is the CEO of CipherDb, a company that competes with CipherCloud in some ways.
A couple things here. It’s difficult to understand how a defamation case works when the forum posts made it clear they were simply speculating based on the marketing material at hand. That’s not defamation. Secondly, the idea of sending a copyright takedown notice over marketing material may just be the most ridiculous thing I’ve ever heard. The entire point of marketing is to spread it as far and wide as possible. Using the DMCA notice this way makes it clear that this isn’t about copyright at all, but rather about silencing criticism or, in this case, speculation (which is worse, by the way).
And, finally, it’s fun to note that this move will ultimately fail in both the legal realm and in purpose. The EFF has already weighed in, stating that it’s clear that use of the marketing material fell under Fair Use and that the defamation claim is laughably without merit.
“I don’t think there’s a court in the country that would hold [the posters] liable for defamation,” [Corynne McSherry of the EFF] says. And if CipherCloud did try to bring defamation charges against the users, she says, the company could be exposed to a potential counter suit under SLAPP laws, which are designed to prevent individuals or companies from using bogus lawsuits to silence critics.
Of course, this previously little-heard-of forum and the questions it posed have now been splashed all over Reddit, Slashdot, Hacker News, and now here. All over a meritless DMCA notice for a forum half a year old. Well done, CipherCloud.