Someone Impersonated New Jersey's Attorney General To Demand Cloudflare Take Down 3D Printed Gun Instructions
from the faking-takedowns dept
Buckle in, folks. Here’s a crazy one involving 3D printed guns, angry lawsuits and an apparently forged letter from the New Jersey Attorney General.
Over the past few years, we’ve been highlighting a whole bunch of stories concerning the lengths that some people will go to in an effort to block certain content online. One version that we’ve seen quite a bit in the past few years is forging takedown demands, including forged court orders. However, now we’ve seen it expand to a different arena — touching on another issue we’ve written about before. Last year (not for the first time) we wrote about the moral panic and hysteria around 3D printed guns that had resulted in a few states claiming the right to order 3D files offline.
Not much had seemed to happen on that front, until a week or so ago when various 2nd Amendment groups, including the somewhat infamous Defense Distributed (makers of 3D printer files for firearm components) filed a lawsuit, seeking an injunction against New Jersey’s Attorney General, Gurbir Grewal, arguing that he had sent an unconstitutional takedown letter to Cloudflare, which was the CDN service that Defense Distributed was using for its website CodeIsFreeSpeech.com.
In theory, this was setting up an important potential 1st Amendment case. But, on Tuesday, something unexpected happened. The State of New Jersey showed up in court to say no one there actually sent the takedown — and that they believed it was forged, and sent via a proxy service in the Slovak Republic. Really.
The Attorney General’s Division of Criminal Justice (DCJ) has concluded that a key document supporting Plaintiff’s TRO application—a “takedown notice” purportedly sent by DCJ to CloudFlare, Inc., which hosts one of the plaintiff’s websites, CodeIsFreeSpeech.com—was not in fact issued by DCJ, and appears to have been issued by some entity impersonating the Attorney General’s Office.
The filing recognizes that New Jersey’s legislature did pass a law late last year restricting the distribution of such 3D printed instructions, but that the state’s law enforcement arm has yet to do anything to enforce it, and most certainly did not send the letter in question.
As noted, we have no reason to believe the Attorney General’s Office filed this takedown notice with Cloudflare, and our investigation thus far demonstrates the office did not do so. We have conferred with all relevant parties within the Attorney General’s Office—including DCJ and the New Jersey State Police—and there is no evidence that anyone within the Office authorized its filing. In an effort to determine who, in fact, issued the notice, DCJ assigned two investigators to review the matter, who obtained the IP address of the device used to submit the notice to Cloudflare, and learned that the IP address is associated with a server located in the Slovak Republic. This IP address is not connected to DCJ, nor would DCJ use this type of proxy server for routine communications with third parties.
Cloudflare has similarly published a blog post giving its side of the story. Because it doesn’t actually host the content in question, it followed its standard operating procedure of forwarding the notice along to the actual host. Only later did it start to notice some oddities with the notice:
A few days after we forwarded the complaint, we saw news reports indicating that the website operator and a number of other entities had sued the State of New Jersey over the complaint we had forwarded. That lawsuit prompted us to take a closer look at the complaint. We immediately noticed a few anomalies with the complaint.
First, when law enforcement agencies contact us, they typically reach out directly, through a dedicated email line. Indeed, we specifically encourage law enforcement to contact us directly on our abuse page, because it facilitates a personalized review and response. The NJ-related request did not come in through this channel, but was instead submitted through our general abuse form. This was one data point that raised our skepticism as to the legitimacy of this report.
Second, the IP address linked to the complaint was geo-located to the Slovak Republic, which seemed like an unlikely location for the New Jersey Attorney General to be submitting an abuse report from. This particular data point was a strong indicator that this might be a fraudulent report.
Third, while the contact information provided in the complaint appeared to be a legitimate, publicly available email address operated by the State of NJ, it was one intended for public reporting of tips of criminal misconduct, as advertised here. It seems unlikely that a state attorney general would use such an email to threaten criminal prosecution. On occasion, we see this technique used when an individual would like to have Cloudflare’s response to an abuse report sent to some type of presumably interested party. The person filing this misattributed abuse report likely hopes that the party who controls that email address will then initiate some type of investigation or action based on that abuse report.
Cloudflare further notes that, having learned that this notice was forged, it has now found “other abuse reports submitted from this IP address” and established “a clear pattern of fake abuse reports,” such that abuse reports from that IP will no longer be allowed.
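The three anomalies Cloudflare lists, and its later pivot on the submitting IP address, can be expressed as a triage check that runs before a report is forwarded. This is an added example, not Cloudflare's code; the field names, channel labels, policy tables, threshold and sample reports are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed policy tables (hypothetical): countries a claimed sender would
# plausibly submit from, and mailboxes known to be public tip lines.
EXPECTED_COUNTRIES = {"state-ag (constructed)": {"US"}}
PUBLIC_TIP_MAILBOXES = {"tips@ag.example.gov"}

@dataclass
class Report:
    report_id: str
    claimed_sender: str  # who the report says it is from
    channel: str         # "le_email" (dedicated line) or "web_form"
    src_ip: str
    geo_country: str     # resolved upstream by a GeoIP lookup
    contact_email: str

def anomalies(r):
    """Signals that contradict a report's claimed government origin."""
    expected = EXPECTED_COUNTRIES.get(r.claimed_sender)
    if expected is None:
        return []  # no official claim to verify
    found = []
    if r.channel != "le_email":
        found.append("not_via_law_enforcement_channel")
    if r.geo_country not in expected:
        found.append("geo_mismatch")
    if r.contact_email.lower() in PUBLIC_TIP_MAILBOXES:
        found.append("contact_is_public_tip_line")
    return found

def triage(reports, hold_threshold=2):
    """Hold suspicious reports for manual verification, then pivot on
    their source IPs to surface other reports from the same submitter."""
    held = {}
    for r in reports:
        signals = anomalies(r)
        if len(signals) >= hold_threshold:
            held[r.report_id] = signals
    suspect_ips = {r.src_ip for r in reports if r.report_id in held}
    related = sorted(r.report_id for r in reports
                     if r.src_ip in suspect_ips and r.report_id not in held)
    return held, suspect_ips, related

# Constructed sample reports (documentation-range IPs, example.gov addresses).
SAMPLE = [
    Report("R1", "state-ag (constructed)", "web_form", "203.0.113.7", "SK", "tips@ag.example.gov"),
    Report("R2", "rights-holder (constructed)", "web_form", "203.0.113.7", "SK", "owner@example.com"),
    Report("R3", "state-ag (constructed)", "le_email", "198.51.100.20", "US", "officer@ag.example.gov"),
]
```

On the sample data, `triage(SAMPLE)` holds R1 on all three signals and surfaces R2 for review only because it shares R1's source IP, which is the pivot that exposed the pattern of fake reports.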
There are, of course, some larger issues here. As we’ve noted for years and years and years — mainly with regard to the DMCA notice-and-takedown process — when you have a process that allows for notice and takedown it will get abused. Widely and continuously. Expanding notice and takedown to other arenas only means it will get abused more and more, and the abuse will become increasingly sophisticated.
We should be especially concerned about things like the EU’s Terrorist Content Regulation, which will not only deputize random law enforcement officials to send such takedowns to various platforms, but also mandate that platforms take down any such content within one hour of the notice being sent. If you don’t believe that process will be abused in a similar manner to what we see above, you have not been paying attention. Giving people tools for censorship will lead to censorship, and often it will be done in very surreptitious ways.
We should be extra careful about enabling more such activity under the false belief that only the “good guys” will use such powers, and that they will only use them for good.