What3Words Sends Ridiculous Legal Threat To Security Researcher Over Open Source Alternative
from the never-use-what3words dept
A couple years ago we wrote about What3Words, and noted that it was a clever system that created an easy way to allow people to better share exact locations in an easily communicated manner (every bit of the globe can be described with just 3 words — so something like best.tech.blog is a tiny plot near Hanover, Ontario). While part of this just feels like fun, a key part of the company’s marketing message is that the system is useful in emergency situations where someone needs to communicate a very exact location quickly and easily.
However, as we noted in our article, as neat and clever as the idea is, it’s very, very proprietary, and that could lead to serious concerns for anyone using it. In our article, we wrote about a bunch of reasons why What3Words and its closed nature could lead to problems — including the fact that the earth is not static and things move around all the time, such that these 3 word identifiers may not actually remain accurate. But there were other problems as well.
And, apparently one of those problems is that they’re censorial legal bullies. Zach Whittaker has the unfortunate story of how What3Words unleashed its legal threat monkeys on a security researcher named Aaron Toponce. Toponce had been working with some other security researchers who had been highlighting some potentially dangerous flaws in the What3Words system beyond those we had mentioned a few years back. The key problem was that some very similar 3 word combos were very close to one another, such that someone relying on them in an emergency could risk sending people to the wrong location.
The company insists that this is rare, but the research (mainly done by researcher Andrew Tierney) indicates otherwise. He seemed to find a fairly large number of similar 3 word combos near each other. You can really see this when Tierney maps out some closely related word combos:
When this happens, you get cells with these offset areas *very* closely matched.
We can see that the row above the banding has a "q" (the value on "n" on the lower left) that is approximately 14,560,000 lower than the cell below. pic.twitter.com/pYumzdxyTh
— Cybergibbons (@cybergibbons) April 27, 2021
In a follow up article, Tierney detailed a bunch of examples where this confusion could be dangerous. Some of them are really striking. Here’s just one:
“I think I’m having a heart attack. I’m walking at North Mountain Park. Deep Pinks Start.” – 1053m.
(Try reading both out)
Anyway, Toponce had been tweeting about Tierney’s findings, and talked about WhatFreeWords, which had been “an open-source, compatible implementation of the What3Words geocoding algorithm.” It was a reverse engineered version of the proprietary What3Words system. That tool was created back in 2019, but a week after it went online, What3Words lawyers sent incredibly overbroad takedown letters about it to everyone who had anything even remotely connected to WhatFreeWords, and had it pulled offline basically everywhere.
First up: this is ridiculous. While reverse engineering is unfortunately fraught with legal risk, there are many areas in which it is perfectly legal. And it seems like the WhatFreeWords implementation should be legal. But it appeared to have been a fun side project, and not worth the legal headache.
Even though WhatFreeWords was disappeared from the world in late 2019, it appears that Toponce still had some of the code. So in tweeting about Tierney’s research, he offered up the tool to researchers to help investigate more problems with What3Words, similar to what Tierney had found.
And that’s when What3Words’ lawyers pounced. And, in pouncing, the mere chilling effects of the legal threat worked:
I've been served legal threats by @what3words. Both via email and post.
I am complying with all their demands. This is not a battle worth fighting.
Just let it be known however, they are evil.
— Aaron Toponce (@AaronToponce) April 30, 2021
Toponce also admits he couldn’t even sleep after receiving the threat letter. This is an underappreciated aspect of the insanely litigious nature of many censorial bullies these days. Even if you’re in the right, getting sued can be completely destructive. Toponce was trying to help security researchers better research an application that is promoted for being safe, and security researchers should be allowed to make use of reverse engineering to do exactly that. But, What3Words and their bullying lawyers made sure that’s impossible.
To be fair to their bullying lawyers, the threat letter is not as aggressive as some others, and they even make it explicit that they are not seeking that Toponce stop criticizing the company:
In this connection, and to be clear, our client does not require the deletion of your criticism of and feedback in respect of its service.
But… it still makes pretty stringent demands.
i) delete all copies of “What Free Words” and any other works derivative of W3W’s software and wordlist presently in your possession or under your control;
ii) confirm, to the best of your knowledge, the identities of all parties / individuals to whom you have provided copies or derivations of the software and/or wordlist;
iii) agree that you will not in the future make further copies or derivations of and/or distribute copies or derivations of the software and/or wordlist;
iv) delete any Tweets or other online references made to the copies / derivations of our client’s software and wordlist and that are connected with or emanate from the “What Free Words”, and agree not to make similar representations in the future.
Of course, there are some questions about what intellectual property is actually being infringed upon here as well. When the company’s lawyers got the original WhatFreeWords site taken down, they claimed copyright and trademark rights, though extraordinarily broadly. They claim their own software is covered by copyright, but WhatFreeWords isn’t using their software. They also claim that all the 3 word combos are covered by copyright and… eh… it might be in the UK where W3W is based, but in the US, it would be harder to claim that three random word combos are creative enough to get a copyright. Also, in the US there would be a strong fair use defense. Unfortunately, in the UK, there is a ridiculous concept known as “database rights” that let you claim a right over a mere collection of things, even if you have no claim to the underlying rights. But, even so, it seems that there should be a fair use defense here. The UK has a fair dealing exception for research and private study, which seems like it should apply as well.
As for the trademark claims, well, no one’s going to get confused about it, since it’s pretty clear that WhatFreeWords was designed explicitly not to be from What3Words, and in this particular case, it’s not being offered widely, just to knowledgeable security researchers. Even more insane: the original threat letter over WhatFreeWords claimed that there could be criminal penalties for violating consumer protection laws, and that’s just insane.
Still, as Mike Dunford notes in his thread about this situation, W3W’s decision to focus on locking up and threatening everyone perhaps explains why so few people know about or use What3Words. Imagine if they had built this as an open tool that others could build on and incorporate into other offerings. Then they could have others experiment and innovate and get more people to adopt it. By making it proprietary, and locking it down with threats and asshole lawyers, there’s simply no reason to bother.
The only proper response to this is never, ever use What3Words for anything that matters. Beyond not giving in to censorial, abusive bullies, their legal reaction to a security researcher doing reverse engineering work to help find potentially dangerous problems with What3Words screams loudly to the world that What3Words has no confidence that its products are safe. They’re scared to death of security researchers being able to really test their work.