One of the many strange and problematic features of modern copyright law is the DMCA anti-circumvention exception system, wherein the Librarian of Congress makes unilateral decisions about what you can and can't do with software and products that include DRM and other protections. This week we're joined by Kyle Wiens, CEO of iFixit and a long-time champion of the right to repair and tinker, to discuss the ins and outs of this system, and what is (or isn't) coming in the next round of exemptions.
from the is-that-domestic-appliance-lying-to-you? dept
There have been a number of stories on Techdirt recently about the increasing use of software in cars, and the issues that this raises. For example, back in April, Mike wrote about GM asserting that while you may own the car, the company still owns the software that runs it. You might expect GM to come out against allowing you to modify that software, but very recently we reported that it had received support from a surprising quarter: the Environmental Protection Agency (EPA). The EPA had a particular concern that engine control software might be tampered with, causing cars to breach emissions regulations. We've just found out that the EPA was right to worry about this, but not for the reason it mentioned, as the The New York Times explains:
The Environmental Protection Agency issued [the German car manufacturer Volkswagen] a notice of violation and accused the company of breaking the law by installing software known as a "defeat device" in 4-cylinder Volkswagen and Audi vehicles from model years 2009-15. The device is programmed to detect when the car is undergoing official emissions testing, and to only turn on full emissions control systems during that testing. Those controls are turned off during normal driving situations, when the vehicles pollute far more heavily than reported by the manufacturer, the E.P.A. said.
So, just as the EPA feared, software that regulates the emissions control system was indeed tampered with, though not by reckless users, but by the cars' manufacturer, Volkswagen (VW), which must now recall nearly half a million cars, and faces the prospect of some pretty big fines -- Reuters speaks of "up to $18 billion". The EPA's Notice Of Violation (pdf) spells out the details of what it calls the software "switch":
The "switch" senses whether the vehicle is being tested or not based on various inputs including the position of the steering wheel, vehicle speed, the duration of the engine's operation, and barometric pressure. These inputs precisely track the parameters of the federal test procedure used for emission testing for EPA certification purposes. During EPA emission testing, the vehicles' ECM [electronic control module] ran software which produced compliant emission results under an ECM calibration that VW referred to as the "dyno calibration" (referring to the equipment used in emission testing, called a dynamometer). At all other times during normal vehicle operation, the "switch" was activated and the vehicle ECM software ran a separate "road calibration" which reduced the effectiveness of the emission control system (specifically the selective catalytic reduction or the lean NOx [nitrous oxides] trap.) As a result, emission of NOx increased by a factor of 10 to 40 times above the EPA compliant levels, depending on the type of drive cycle (e.g. city, highway).
That trick was discovered by the West Virginia University's Center for Alternative Fuels, Engines & Emissions when studying the VW vehicles. Initially, VW claimed that the increased emissions were due to "technical issues" and "unexpected in-use conditions." But further tests confirmed the problem, and eventually VW admitted "it had designed and installed a defeat device in these vehicles in the form of a sophisticated software algorithm that detected when a vehicle was undergoing emissions testing."
It's significant that the trick was discovered through extensive mechanical testing. Assuming some form of DRM was employed, it would not have been possible to spot the cheating algorithm of the emissions control code because it would have been illegal to circumvent the software protection. This emphasizes once more the folly of allowing the DMCA to apply to such systems, where problems could be found much earlier by inspecting the software, rather than waiting for them to emerge in use, possibly years later.
The revelation about VW's behavior once more concerns code in cars, but there is a much larger issue here. As software starts to appear routinely in an ever-wider range of everyday objects, so the possibility arises for them to exhibit different behaviors in different situations. Thanks to programming, these objects no longer have a single, fixed set of features, but are malleable, which makes checking their conformance to legal standards much more problematic. When the VW story broke last week, Zeynep Tufekci, assistant professor at the University of North Carolina, tweeted that this was an example of "The Internet of cheating things." I'm not sure whether she coined that phrase -- I'd not seen it before – but it encapsulates neatly a key feature of the world we are beginning to enter.
Politics and intellectual property always get weird and silly, often during Presidential election season. Following on last year's insanity in which Hillary Clinton's PAC tried to take down parodies on CafePress and Zazzle, presidential candidate Ben Carson has apparently decided no one should possibly be allowed to create any kind of Ben Carson merchandise, except for the Ben Carson PAC, and he's decided to list out every possible intellectual property argument he can think of: copyright, trademark, privacy rights. I'm almost surprised he didn't find a way to include patents too.
“The aforementioned action is a violation of the Digital Millennium Copyright Act, The Lanham Act, Federal Trademark Infringement, Federal Copyright Infringement, state misappropriation and privacy laws.”
Except none of that is true. Thankfully, CafePress has been working with Paul Levy from Public Citizen on these issues for many years, and he has sent a reply to K. Clyde Vanel, the lawyer representing the Carson campaign in which he systematically dismantles the arguments made in the letter. As with most letters from Paul Levy (and, yes, he's written one or two on our behalf in the past), it's a work of art. The summary line:
The notion that expressing views about Carson's candidacy violates any of his rights is
simply absurd. It is shocking that a lawyer whose web site touts his expertise in intellectual property
law would sign his name to such a communication.
Then, let's go one by one through each of the claims to show just how ridiculous they each are. We'll start with trademark. Levy points out that it's true that the "Ben Carson for President 2016" organization has applied for a trademark on a logo for the campaign, but the items they're looking to get taken down do not include that logo.
At most, the items display the phrase "Ben Carson for President 2016," often appearing in
the patriotic colors of red, white and blue. Many of them simply use Carson's name, or just his given
name or his profession. You cannot use trademark theories to ride roughshod over members of the
American public who either share your clients' views and favor Carson's candidacy, or for that
matter disagree with their views and oppose Carson's candidacy. They can hardly express their
views in that respect without identifying the candidacy about which they wish to speak.
Oh, and you know how SuperPACs need to be entirely separate and independent from campaigns? Well, as Levy notes, if Carson's lawyer's theory is accurate, no SuperPAC can support Carson without violating his trademark:
it is very common for people to express their views about presidential candidacies, completely
independent of the campaign; this is so common that it defies belief that a reasonably careful
consumer would believe that a shirt or bumper sticker advocating your client's election necessarily
came from the campaign itself. Indeed, the Super PAC "2016 Committee" carries various wares that
display the phrase "Ben Carson for President 2016." E.g., http://store2016committee.org/pins-stickers-and-magnets/. Super PACs have to be independent committees, and cannot coordinate with the official campaign. I assume you are not going to argue that 2016 Committee's use might
confuse consumers into believing that Carson or his campaign committee is the sponsor of the PAC.
So I doubt that you have any realistic chance of arguing that the items carried by CafePress are likely
to cause confusion, a key element of a trademark infringement claim. And because your state law
claims regarding misappropriation of name or likeness also require a showing that the use implies
that the plaintiff endorsed or authorized the product in question, your inability to show lack of likely
confusion condemns those claims as well.
Yes we're this far and we haven't even discussed fair use or that whole First Amendment thing. No worries, Levy's got that covered as well:
More important are the issues of fair use and the First Amendment, which apply equally to
your purported misappropriation of name and likeness claims as well as to your trademark claims.
Speech about a candidate for president is squarely protected by the First Amendment, hence any
effort to use trademark law to quash such uses is highly suspect. Although CafePress users' products
are sold, their contents are noncommercial speech, which qualifies for full First Amendment
Okay, next up: privacy rights. Yes, the guy running for President is claiming that T-shirts supporting his campaign for President violate his privacy rights. I'm almost surprised Levy didn't just respond with "Really?":
Your reference to a purported invasion of Carson's privacy is particularly foolish. Given the
intense scrutiny that presidential candidates receive in this day and age, it is a matter of some doubt
whether any statement about a presidential candidate, especially one who now stands second in the
polls of the Republican nomination, could constitute an invasion of privacy, no matter how personal.
But there is nothing "private" in the expression contained on the products that CafePress carries--
they are all specifically about the Carson candidacy. That candidacy is certainly not private.
And then the copyright claims. Those should be pretty quick to take care of, because (as you guessed) everything about them is bullshit:
Finally, you make a claim of copyright infringement and claim that the DMCA has been
violated. But the DMCA imposes an obligation on the hosts of interactive web sites like
CafePress.com only once the purported copyright holder has scrupulously followed the formalities
required by 17 U.S.C. §512(c)(3)(A); your email does not meet those requirements. One important
flaw in the copyright claim is that you do not identify the specific works that infringe your clients'
copyrights, and looking through the various items displayed at http://www.cafepress.com/+ben+carson+gifts,
I do not see any materials that are likely to infringe
copyrights that your clients own. Most of the items contain some variation of the phrase "Ben
Carson for President 2016." That expression lacks sufficient originality for copyright protection.
Indeed, if the phrase were copyrightable, your clients might not be the owners of the copyright,
because they might not have been the first to fix it in a tangible medium of expression. It is quite
possible that some supporter hoping to encourage Carson to run may have written it down before
Carson did. That person would own the copyright, if the phrase were copyrightable, and your clients
would be among the infringers.
CafePress takes its copyright obligations very seriously. Therefore, I invite you to specify,
in detail, the specific works in which your clients claim copyright, so that we can assess whether the
inclusion of any copyrighted content in its users' designs might be fair use. Certainly, if you identify
any material that genuinely infringes a valid copyright that your clients own, CafePress will take it
In closing, Levy points out that way back in 2008, he helped CafePress sue the Republican National Committee for threatening CafePress in a similar manner.
During the 2008 election, the Republican National Committee sent CafePress a
series of threats to sue for trademark infringement because CafePress users were having shirts and
other items printed with designs expressing views about the Republican Party or various candidates,
using the acronym GOP or images of elephants. CafePress eventually had to sue the RNC for a
declaratory judgment of non-infringement, and the result was a great deal of embarrassment for the
Republican Party; the RNC then retracted its threat, subject to a request that CafePress direct users
who, without any other expressive design elements, displayed a particular image of an elephant that
the RNC had trademarked, to ask the RNC for permission (the RNC indicated that consent would
readily be given).
I trust that Carson will want to save a similar embarrassment for his political campaign. I
hope you will issue a prompt retraction of your demand.
Intellectual property sure makes candidates and their lawyers do weird things.
Some potentially good news this morning -- which may be undermined by the fine print. After many years of back and forth, the 9th Circuit appeals court has ruled that Universal Music may have violated the DMCA in not taking fair use into account before issuing a DMCA takedown request on a now famous YouTube video of Stephanie Lenz's infant dancing to less than 30 seconds of a Prince song playing in the background. Because of this, there can now be a trial over whether or not Universal actually had a good faith belief that the video was not fair use.
This case has been going on forever, and if you've watched the video, it's kind of amazing that a key case on fair use should be focused on that particular video, where you can barely even make out the music. The key question was whether or not Universal abused the DMCA in not first considering fair use before sending the takedown. This is fairly important, because, of course, DMCA takedowns suppress speech and if fair use is supposed to be the "pressure valve" that stops copyright from violating the First Amendment, it has to actually mean something. Section 512(f) of the DMCA says that the filer of a DMCA notice may be liable for damages for "misrepresentations," but historically that has been an almost entirely toothless part of the law (in part because of earlier rulings in the Lenz case). People hoped that would change with this ruling, and while the beginning of the ruling suggests 512(f) is getting teeth, the end yanks them all away.
The ruling in the 9th Circuit starts out great, but starts getting iffy pretty fast.
Her claim boils down to
a question of whether copyright holders have been abusing
the extrajudicial takedown procedures provided for in the
DMCA by declining to first evaluate whether the content
qualifies as fair use. We hold that the statute requires
copyright holders to consider fair use before sending a
takedown notification, and that failure to do so raises a triable
issue as to whether the copyright holder formed a subjective
good faith belief that the use was not authorized by law.
Sounds good, right? Anyone sending a DMCA notice needs to take fair use into account before sending a takedown. That may be trouble for all of those automated takedown filing systems out there, many of which we've written about. The court also reiterates that fair use is not "allowed infringement," but rather it's not infringement at all. This is also important (even though it says that directly in the law, many people pretend that it's just an "allowed" infringement). The court is not impressed by Universal Music's defense in the case, in which it argues that fair use is "not authorized by law" because, as Universal falsely claims, it is merely a "defense" to infringement. The court says that's wrong:
interpretation is incorrect as it conflates two different
concepts: an affirmative defense that is labeled as such due to
the procedural posture of the case, and an affirmative defense
that excuses impermissible conduct. Supreme Court
precedent squarely supports the conclusion that fair use does
not fall into the latter camp: “[A]nyone who . . . makes a fair
use of the work is not an infringer of the copyright with
respect to such use.”
So, that's all good. But... the details matter, and from that point on... they're weird. The court points to the earlier ruling, saying that the copyright holder "need only form a subjective good faith belief that a use is not authorized." Thus, as long as the issuer can come up with some sort of argument for why they didn't think it was fair use, they're probably safe.
As a result, Lenz’s request to impose a subjective
standard only with respect to factual beliefs and an objective
standard with respect to legal determinations is untenable.
And because of that, the court leaves a big out for just about any copyright holder. It says the court has no place in questioning how the copyright holder decided whether the use was authorized or not:
To be clear, if a copyright holder ignores or neglects our
unequivocal holding that it must consider fair use before
sending a takedown notification, it is liable for damages
under § 512(f). If, however, a copyright holder forms a
subjective good faith belief the allegedly infringing material
does not constitute fair use, we are in no position to dispute
the copyright holder’s belief even if we would have reached
the opposite conclusion.
The court says a copyright holder can't just "pay lip service" to the idea that it checked on fair use, but in the same paragraph admits that, well, it basically can. Even worse, it says that forming a "good faith belief" doesn't require actually investigating the details:
In order to comply with the strictures of
§ 512(c)(3)(A)(v), a copyright holder’s consideration of fair
use need not be searching or intensive. We follow Rossi’s
guidance that formation of a subjective good faith belief does
not require investigation of the allegedly infringing content.
So.... huh? (1) You need to take into account if it's fair use or not and you need to show a "good faith belief" that it's fair use, but... (2) you don't actually have to investigate anything, and the court cannot review your reasons for having a good faith belief. That's not a loophole. It's a blackhole that collapses 512(f) in on itself.
From there, it actually notes that automated takedowns... may be fine:
We note, without passing judgment, that the
implementation of computer algorithms appears to be a valid
and good faith middle ground for processing a plethora of
content while still meeting the DMCA’s requirements to
somehow consider fair use. Cf. Hotfile, 2013 WL 6336286,
at *47 (“The Court . . . is unaware of any decision to date that
actually addressed the need for human review, and the statute
does not specify how belief of infringement may be formed
or what knowledge may be chargeable to the notifying
entity.”). For example, consideration of fair use may be
sufficient if copyright holders utilize computer programs that
automatically identify for takedown notifications content
where: “(1) the video track matches the video track of a
copyrighted work submitted by a content owner; (2) the audio
track matches the audio track of that same copyrighted work;
and (3) nearly the entirety . . . is comprised of a single
So, uh, what? Automated takedowns may be fine because that's sort of a way to consider fair use because... no reason given. That is not at all helpful.
On a separate note, the court confirms that the trial cannot move forward by arguing that Universal had "willful blindness" about the likelihood of fair use in the case, because Lenz didn't really show that Universal had willful blindness. So that's another dead end.
Finally, the court rejected Universal Music's claim that Lenz had to show monetary damages in order to recover damages under 512(f). The court says 512(f) spans more than just monetary damages. Of course, that's almost entirely meaningless in a world in which everyone has an out through "subjective good faith" that doesn't even require investigating anything.
So this is a ruling that looks good up top, but gets bad as you read the details. There is a dissent, from Judge Milan Smith, pointing out some of the problems with the majority ruling, and the loophole that it creates. As the dissent notes, stating that something is infringing when you haven't done any fair use analysis is a misrepresentation, and 512(f) covers misrepresentations. So, in the end, a possibly important ruling is undermined with a massive loophole, which likely will lead to a continuing barrage of DMCA takedowns, including automated takedowns that suppress speech. That seems... wrong.
Update: Quick update on the story below, again alerted by Mitch Stoltz, a copy of the actual text of the law has been released and it does appear to more closely track with the safe harbor protections for ISPs. That is, the claims made by the copyright bureaucrat above that it's about making ISPs liable was misleading... The rest of the post stands however.
Via Mitch Stoltz, we learn of a new proposed copyright law in Kenya that not only would be a disaster for the internet in that country, but where the people pushing it don't even seem to understand what they're talking about. The key element: forcing ISPs to be copyright cops and putting liability on them if they somehow fail to magically stop piracy:
The Government is now turning it’s sights on ISPs in a move to curb piracy, which erodes revenues for the country’s film industry.
“We are proposing to introduce an amendment in the Copyright Act that will place the onus of responsibility for Kenyan content illegally downloaded, squarely on local internet service providers,” said Head of the Kenya Copyright Board (Kecobo) Edward Sigei.
Bizarrely, Sigei argues that he's just copying the DMCA in the US:
“We are borrowing from the Digital Millennium Copyright Act of America and others that have come after it and we have designed an amendment where the ISP will be liable under certain circumstances for infringements that happen through their channels.”
Except, that's the exact opposite approach of the DMCA, whose safe harborsprotect ISPs from liability, by noting that the responsibility should be on the actual people infringing, rather than the service providers in the middle. It's this safe harbor protection that allows the internet to function as it does, encouraging platforms for communication, sharing and content creation and hosting. Making ISPs liable puts tremendous liability on those ISPs, meaning they're much less likely to offer such services at all.
Is Kenya really looking to shut down useful internet services in that country?
Even more bizarre is that Kenya claims it's doing this in order to catch up with countries like Nigeria, whose movies have become huge throughout Africa:
This is part of a push to have Kenyan local content earn a larger foothold on Kenya’s airwaves currently dominated by Nigerian and Latin American programming.
Except, if you actually look at why the Nigeraian film business became so successful, it was actually because of a lack of copyright enforcement that helped create informal distribution and promotional channels across Africa. As the Economist explained years ago:
The merchants curse the pirates, but in a way they are a blessing. Pirate gangs were probably Nollywood's first exporters. They knew how to cross tricky borders and distribute goods across a disparate continent where vast tracts of land are inaccessible. Sometimes they filled empty bags with films when returning from an arms delivery. Often they used films to bribe bored guards at remote borders. The pirates created the pan-African market Mr Akudinobi now feeds.
A detailed academic research paper a few years later made it clear that it was piracy, not regulations that helped establish Nigerian film as a dominant player across Africa and further noted that this lack of copyright enforcement actually massively helped the economy.
Notably, although many countries have sought to incentivize particular types of film production through direct government funding, subsidies, or film protection schemes involving film quotas, many of these industries have not been commercially viable in the absence of subsidies or other support schemes. In contrast, Nollywood has created significant volume of local video film content with virtually no government involvement or subsidies. The success of Nollywood may in many respects be attributable to a lack of government involvement and its decentralized nature, which has permitted Nollywood participants to be highly entrepreneurial, adaptive and innovative. Nollywood now may employ as many as 200,000 people directly, with estimates of indirect employment as high as 1 million. The market-driven Nollywood approach is less costly than existing models of film production and distribution and may offer a new model for developing countries that wish to develop domestic film industries.
And yet, Kenya insists that it's trying to copy Nigeria, but it's doing the exact opposite? And it's going to do so by "copying" the DMCA, by apparently doing the exact opposite of the DMCA? It really makes you wonder what officials in Kenya are actually thinking in pushing this forward. Given the nature of the proposal, it looks much more like the wishes of foreign film interests, such as those from Hollywood, looking for yet another beachhead from which to push bogus rules to make ISPs copyright cops, rather than fixing their own business models.
As we noted earlier this year, as the Copyright Office and the Librarian of Congress consider the requested "exemptions" from Section 1201 of the DMCA, General Motors has come out strongly against allowing you to modify the software in the car that you (thought you) bought from the company. If you're new to this fight, Section 1201 of the DMCA is the "anti-circumvention" clause that says that it's copyright infringement if you "circumvent" any "technological protection method" (TPM) -- even if that circumvention has absolutely nothing to do with copyright infringement. Yes, this is insane. It's so insane that Congress even realized it would lead to ridiculous situations. But, rather than fixing the damn law, Congress instead decided to duct tape on an even more ridiculous "solution." That is that every three years (the so-called "triennial review"), people could beg and plead with the Copyright Office and the Librarian of Congress to issue special "exemptions" for classes of work where Section 1201 wouldn't apply. Yes, that's right, you have a law, but Congress knew the law made no sense in some cases, and so it just gave the Librarian of Congress (the guy who currently can't keep his website online) the power to anoint certain classes of technology immune from the law.
Anyway, as mentioned, General Motors and others car makers (and also tractor maker John Deere) have been lobbying against the change, arguing all sorts of damage might occur should people be able to hack their own cars legally. And, to be fair, there is a legitimate point that someone messing with their own car's software could potentially do some damage. But, there are some pretty easy responses to that. First off, that's not copyright's job. If you want to ban tinkering with the software in cars, pass a damn law that is specifically about tinkering with software in cars, so that there can be a real public debate about it. Second, lots of perfectly legal tinkering with the mechanical parts of automobiles can also lead to dangers on the road, but we don't ban it because people are allowed to tinker with things they own.
Either way, the Copyright Office reached out to the EPA about this issue, and in a just published letter (even though it was sent months ago), it's revealed that the EPA is asking for the exemption to be denied because it's "concerned" that these exemptions would "slow or reverse gains made under the Clean Air Act." It also argues that allowing the right to modify your own software would "hinder its ability to enforce... tampering prohibition[s]" that are in existing law already:
EPA is also concerned that the exemptions would hinder its ability to enforce the tampering prohibition. Under section 203(a), the Agency has taken enforcement action against third-party vendors who sell or install equipment that can "bypass, defeat, or render inoperative" software designed to enable vehicles to comply with CFAA regulations. EPA can curb this practice more effectively if circumventing TPMs remains prohibited under the DMCA
First of all, this shows that there's already another law in place for dealing with people who are doing things that will impact the environment. Second, who cares if it makes the EPA's job easier, that's not the role of copyright. That the EPA would so casually argue that it's okay for it to be abusing copyright law, just because it makes the EPA's job easier is patently ridiculous.
Following that, the EPA then mocks the idea that anyone would have a legitimate reason to tinker with the software in their own cars:
The Agency also questions whether there is a real need for the exemptions. Car makers are already required to provide access for lawful diagnosis and repair. In EPA's view, whether or not they are designed for this purpose, the TPMs prevent unlawful tampering of important motor vehicle software.
Again, that's not the job of copyright, and supporting the abuse of copyright for this purpose is ridiculous. Furthermore, now that we're living in an age of connected cars, where we're already discovering that car software is a security nightmare it's actually more important than ever that people be able to tinker with the software in their cars, to probe for security weaknesses and to improve that software where possible. The EPA has every right to go after those who do so in a manner that violates environmental laws, but it shouldn't support abusing copyright law just because it makes the EPA's job easier. And, it shouldn't just assume that there are no legitimate reasons for wanting to modify the software in your car just because EPA staffers are too simple-minded to understand what those reasons might be.
Whatever you might think of the EPA and its mission, the idea that it would advocate abusing copyright laws is a disgrace.
A few weeks ago, Brian Krebs published a fantastic article entitled how not to start an encryption company, which detailed the rather questionable claims of a company called Secure Channels Inc (SCI). The post is long and detailed and suggests strongly that (1) SCI was selling snake oil pretending to be an "unbreakable" security solution and (2) that its top execs had pretty thin skins (and in the case of the CEO, a criminal record for running an investment ponzi scheme). The company also set up a bullshit "unwinnable" hacking challenge, and then openly mocked people who criticized it.
Now enter Asher Langton, who has an uncanny ability to spot all sorts of scams (he was the one who initially tipped me off to the Walter O'Brien scam, for example). He seems to especially excel at calling out bullshit security products and companies. He's spent the past few weeks tweeting up a storm showing just how bogus Secure Channels is -- including revealing that they're just rebranding someone else's free app. He also noted that the company appeared to be (not very subtly) astroturfing its own reviews, noting that the reviews came from execs at the company:
So, uh, how did SCI respond? Let's just say not well. As detailed by Adam Steinbaugh at Popehat, a bunch of anonymous Twitter accounts magically appeared attempting to attack Langton, claiming that he was violating various computer crime and copyright laws. The accounts ridiculously argued that by posting screenshots of Secure Channel's source code, he was violating various statutes, including copyright law. This is wrong. Very wrong. Laughably wrong. In one of the screenshots posted by one of these "anonymous" accounts, other browser tabs were left visible -- and you'll notice the other two tabs.
You'll note Asher's tweet, but also a primer on "computer crime laws" and a "how to take screenshots" tab (apparently it didn't include a lesson on cropping). Oh, but more important, this tweet from a supposedly anonymous Twitter user also showed that the person taking the screenshot is logged in from a different account, that just happens to be the account of... SCI's director of Marketing Deirdre Murphy. It even uses the same photo.
This same Deirdre Murphy, back in Krebs' original article, used Twitter to attack another well recognized security expert who had been mocking SCI's claims:
James said he let it go when SCI refused to talk seriously about sharing its cryptography solution, only to hear again this past weekend from SCI’s director of marketing Deirdre “Dee” Murphy on Twitter that his dismissal of their challenge proved he was “obsolete.” Murphy later deleted the tweets, but some of them are saved here.
Right. It's entirely possible that Murphy is not behind the anonymous accounts, but she's pretty clearly connected to the screenshots that showed up on those anonymous accounts -- so even if it's not her directly... it seems likely that she's associated with whoever is doing the posting.
Oh, and then it gets worse. Right about the time Steinbaugh's article was published, someone claiming to be SecureChannels' CEO Richard Blech, sent Twitter a DMCA notice over some of Langton's tweets -- and Twitter took them down:
Twitter did this despite the fact that the DMCA claim itself was pretty clearly invalid. As summarized by Steinbaugh:
About an hour and a half after this post went live, SecureChannels CEO Richard Blech (or someone claiming to be him) sent a DMCA notice to Twitter for two of Langton's tweets, complaining that they consisted of "employee pics, company and personnel, posts copyright material, hacks products and posts copyright code from products, using trademarks, targeted harassment, slander to destroy commerce." As for the description of the "original work," Blech blathered: "Cracked an app and placed code online, uses trademarked logos to attack company."
This is a censorious abuse of copyright law to suppress criticism. It is, in essence, an attempt to use copyright law for everything except copyright. That SecureChannels would use copyright law to shield criticism on the basis that its trademarks are being used and because of "slander" is, well, hysterical. This is not a company interested in permitting people to criticize it.
A little while ago, I tweeted about how ridiculous it was that Twitter's legal team would go forward with the takedown on an obviously bogus takedown notice, and within 10 minutes, I was told by someone on Twitter's legal team that the notice had been reviewed and the posts had been restored.
Either way, for a company bragging that its "security" solution is "unhackable" -- you'd think the company would be more open to actual criticism. Instead, it seems to spend an inordinate amount of time attacking critics and abusing the law to try to silence them. Odd.
We've written a few times now about how the parent company of Ashley Madison, Avid Life Media, has been committing perjury and issuing completely bogus copyright demands to try to hide the information that was leaked after its servers got hacked. Last month, that tactic (despite not complying with the law) apparently worked briefly, until the full data dump happened last week. But that hasn't stopped the company from continuing to try. EFF wrote a long blog post detailing how this was a clear abuse of the law, but Avid Life Media doesn't seem to care.
After the leak came out, a few sites sprung up quickly to help people search the database. Whether or not you think it's appropriate to set up such a site (or to use it) is a separate issue, but what hopefully everyone can agree on is that such a site should not be taken down for copyright reasons. There were two main sites that got the bulk of attention for setting up such a database, and one has already shut down and the other has received a takedown demand (though not a copyright one). I won't link to either site, but here's what's now posted on one of the sites:
Meanwhile, the creator of the other main search engine has said on Twitter that he, too, has been hit with "a vexatious DMCA from lawyers acting on behalf of Avid Life Media" and reporters are similarly mistakenly calling it a DMCA, but according to the copy the guy posted to Pastebin, the letter sent by Avid Life Media's lawyers at giant law firm DLA Piper to CloudFlare is not actually a DMCA, but rather a weird "please, take this down because... vague reasons and terms of service violations." That is, there's no real legal threat (because there's no basis for one). It's just vaguely threatening hoping to scare off people:
Our firm is counsel to Avid Life Media, Inc. (“ALM”) with respect to its intellectual property and data privacy matters. As you may know, ALM is the parent company of the online dating and social networking service Ashley Madison. Because users entrust ALM with highly sensitive and intimate details (collectively the “Ashley Madison User Data”), the privacy of ALM’s users is of utmost importance. As a result, ALM proactively and arduously regulates any authorized (and unauthorized) use of Ashley Madison User Data.
This letter is to inform CloudFlare, Inc., and all related entities (collectively, “You”) that, upon information and belief, CloudFlare, Inc.’s client (“Your Client”), has posted a searchable database of the Ashley Madison User Data to a website hosted on a domain name hosted by You. Specifically, Your Client has posted the Ashley Madison User Data at the following URL: https://ashley.cynic.al/ (the “URL”). Your Client’s publication of the Ashley Madison User Data may constitute illegal disclosure of private personal information, and potentially expose millions of individuals around the world to identity theft.
Please note that this letter is made without prejudice to any other rights or remedies that may be available to ALM. Nothing contained herein should be deemed a waiver, admission, or license by ALM, and ALM expressly reserves the right to assert any other factual or legal positions as additional facts come to light or as the circumstances warrant.
CloudFlare, in response, told the guy that it had forwarded the name of the actual hosting provider (a non-US company) to the lawyers at DLA Piper, and at last check, the guy claims that his hosting company, ColoCall out of Ukraine, has not done anything about it. That may change, but it's not clear what legal basis ALM has for the demand. It's nice to see that ALM is no longer making totally bullshit copyright claims, but these weird "privacy and personal data rights" claims don't have much legal basis either.
We write frequently about those who abuse the DMCA either directly for the sake of censorship or, more commonly, because some are in such a rush to take down anything and everything that they don't bother (or care) to check to see if what they're taking down is actually infringing. The latter, while common, could potentially expose those issuing the takedowns to serious legal liability, though the courts are still figuring out to what extent.
Last week, we wrote about Boston public television station WGBH issuing a bogus takedown on some public domain (government created) video that Carl Malamud had uploaded to YouTube. That doesn't look like an automated takedown, but rather someone working for WGBH's legal team who just decided that anything with "American Experience" in a title must be infringing. Malamud has now published the letter that he sent YouTube, about the whole situation. It includes some more details concerning the insulting manner in which WGBH's legal team, Susan Kantrowitz and Eric Brass, handled the situation, including Brass telling Malamud that this wasn't a big deal because deleting this "particular film" was not that important.
Meanwhile, I finally reached the WGBH legal department. Susan L. Kantrowitz, General Counsel, wrote to me that “It is highly unusual for Amex to be in a title and not be one of our shows” and they would “address it on Monday.” Eric Brass, Corporate Counsel, wrote that “the take down request very well may have been an error, but given that it is late on a Friday afternoon in August, I may not be able to get back to you (or YouTube) until Monday.” He then wrote me back and indicated that while perhaps my YouTube account was important, this “particular film” was certainly not. I spoke to him on the phone and he repeated that no harm had been done, but and that after he completed his investigation he would,“follow up with something in writing that might be helpful for you if a question arises down the road about the take down.”
I want to stress that the timing of this takedown was not mine, it was instigated by WGBH and it was done deliberately as a formal legal action. Mr. Brass seemed quite peeved that I was upset, even though I was just minding my own business on the Internet when some hooligans from Boston came over and smacked me for no reason at all, then left for a weekend at the Cape.
The process of creating a copyright strike is not a casual one. WGBH had to go through several screens to identify the video, fill out their contact information, and checked numerous boxes indicating that they understood this was the beginning of a legal process, then signed a statement indicating that all statements were true and that they were in fact the true and correct owners of that film or portions of that film. In order to respond to that legal accusation, I had to go through a similar process of swearing under oath and accepting a court’s jurisdiction for my counter-claim.
Because of all of this, Malamud has suggested that YouTube institute a similar reverse three strikes policy for those who abuse the DMCA takedown process:
I believe that incorrectly posting a video that is under copyright is in fact worthy of a copyright strike. However, I think the opposite of that should be true. WGBH committed a copyright foul and should be prohibited from having the capability to take another user’s films down for a six-month period. If they commit 3 copyright fouls, their account should be revoked. WGBH personnel should be required to go to copyright school so that they fully understand their responsibilities under the law.
Given the blithe and uncaring attitude of WGBH legal staff, they should also be required to undergo copyright school. Their blase attitude was not impressive, and I can just imagine the reaction of WGBH if somebody had improperly taken down one of their media properties would not have been nearly so casual.
The idea of a reverse three strikes policy is not a new one. We first wrote about it back in 2008. Unfortunately, under the current wording of the DMCA, it would be very difficult to do it properly, but it does seem worth considering, considering just how frequency such a power is abused.