In a stunning display of technological and regulatory ineptitude, Italy’s ‘Piracy Shield’ law has managed to block access to Google Drive, apparently confusing the popular cloud storage service with a hotbed of illegal activity. Bravo, Italy, bravo.
Earlier this year, we wrote about Italy’s new “Piracy Shield” nonsense, in which the country’s telecom regulator, AGCOM, could designate certain IP addresses as “piracy” and require all internet providers and VPNs to block access to those sites. As we noted in our original article, this was already causing problems, such as when a dynamic IP address from Cloudflare was blocked, taking out legitimate sites in the process.
The structure of the Piracy Shield means that it’s almost impossible to appeal bad blocks. The focus seems to be on blocking first and dealing with the fallout later.
Earlier this month, Italy made the Piracy Shield even worse, amending the regulations to increase criminal sanctions for failing to block IP addresses AGCOM designates and expanding even further the list of VPNs and DNS services covered. It also put in place rules demanding that ISPs proactively alert AGCOM of suspected piracy or face criminal charges with potential prison sentences.
Just last week, our own Glyn Moody sent over an article he had written on Walled Culture about just how bad all of this was. I was all set to republish it here this week. But fate intervened. Over the weekend, someone alerted us to the news that AGCOM had designated Google Drive as a piracy service, and pretty much all of it was blocked in Italy for a few hours.
On the evening of Saturday 19 October, a ticket uploaded to the system adopted by the Communications Authority (Agcom) to stamp out illegal streaming blocked a critical domain of Drive, the Big G web service used to archive and share data in the cloud, and one of the YouTube caches. Two resources that, obviously, have nothing to do with the pirate broadcasting of football matches and other sports, which is what Piracy Shield should be dealing with, but which demonstrates for the umpteenth time how the technology gifted by Serie A to Agcom ends up paving over harmless sites. Even stepping on Google’s toes.
Let’s reconstruct the facts. At least since 6:56 PM on Saturday afternoon, as demonstrated by a source to Wired through some analysis, Piracy shield has been blocking the address drive.usercontent.google.com. As Google itself explains, it is one of the critical domains for Drive. The blackout implemented by the national anti-piracy platform prevents it from being reached and, in fact, from being able to download files stored on Drive. Wired was able to verify on Piracy shield search, a project for public sharing of blacked-out domains provided by Infotech srl, the effective blocking of the domain.
The same report notes that some YouTube URLs were also listed, so part (but not all) of YouTube was blocked across Italy.
Really making a dent in piracy there, AGCOM. Great work. Bang-up job, everyone.
As Wired explains, part of the issue is that the Piracy Shield law is so stupidly written. Rights holders can file complaints with huge lists of domains they want blocked, and ISPs are then given 30 minutes to block those domains. So, you know, mistakes are made. Like blocking all of Google Drive.
There is an “allowlist” that is supposed to protect against taking down big trusted sites like Google, but apparently a key Google Drive domain wasn’t on there.
The article also notes that while a few ISPs have chosen to unblock Google Drive, many had not at the time of writing. They have strong incentives not to unblock, as ISPs are subject to costly sanctions if they unblock domains designated under the Piracy Shield.
Of course, this kind of overblocking always happens. We’ve talked about examples in the past where similarly stupid blocking demands have removed tens of thousands of sites from the internet. You would think that someone in the Italian government might recognize the problems of this approach by now?
If you accidentally leave your Google Drive accessible to anyone with the URL, and someone goes there and deletes stuff, is that “unauthorized access” and a violation of the CFAA? To me, the answer should be absolutely not. But in this recent ruling the judge went the other direction (first noted by Evan Brown).
So, let’s start this one off by noting that the defendant in this case seems to be a generally terrible person, who runs a Facebook group focused on spreading ridiculous nonsense regarding her local school district. As described in the lawsuit the group is:
“dedicated to propagating anti-mask policies, anti-vaccine policies, anti-LGBTQ policies, and anti-Critical Race Theory policies within the Scottsdale Unified School District.”
Yeah. So, you get an idea of what we’re dealing with here. The father of a member of that school board, who seemed (perhaps reasonably) concerned about the activity in this group, started collecting information on what was going on in the group and storing it on a Google Drive account. Apparently without realizing it, he set the folder to be accessible to anyone with the URL.
At some point, things got messy, with the son of the school board member being accused of defamation. Here is the description of what happened next from the court opinion:
In 2021, Plaintiff’s son was accused of defamation. He responded to his accuser by emailing “13 photographs of public Facebook comments, made by his accuser, some of which were stored on the server.” One of the photographs displayed the URL to the Google Drive, and that photograph made its way into Amanda’s possession, where she noticed the URL and asked a third party to make a hyperlink for the URL. Once provided, she clicked on it to access the Google Drive. She reviewed, downloaded, deleted, added, reorganized, renamed, and publicly disclosed contents of the Google Drive.
So, obviously, that’s not great. But, it seems clear that the fault was with the owner of the Google Drive folder, Mark Greenburg, who failed to properly secure it. Even if it feels icky that the defendant here, Amanda Wray, messed with the folder, none of that would have happened if Greenburg had properly secured the account (which is the default setting — so he had to proactively choose to share the folder differently).
Wray seems like a terrible human being in oh so many ways, but it seems ridiculous to argue that she violated the CFAA. The court, however, goes the other way:
This is a close call. Plaintiff acknowledges that the portion of the Google Drive accessed by Amanda was not password protected; Plaintiff had inadvertently enabled the setting that allowed anyone with the URL to access the site. But, Plaintiff alleges that this setting did not per se render the Google Drive public, given that the URL was a string of 68 characters. What’s more, the Google Drive was not indexed by any search engines, unlike the website in hiQ. Therefore, it wasn’t just “anyone with a browser” who could stumble upon the Google Drive on a web search—the internet denizen wishing to access the Google Drive needed to obtain the exact URL into the browser. By the Court’s eye, Plaintiff alleges that the Google Drive had limitations and thus persons attempting to access it needed authorization.
In short, the plaintiff’s argument is that security by obscurity should be legally protected. The fact that it was not indexed by search engines doesn’t seem like it should matter at all. The fact is that Greenburg (accidentally, but that shouldn’t matter) made the folder available to anyone with the URL, and his son (accidentally, but that also shouldn’t matter) revealed the URL. At that point, it’s public. It’s on Greenburg to secure the folder.
Wray’s response, to go into the folder and mess around with it, isn’t great, but that should not be seen as “unauthorized access” under the CFAA.
I worry about rulings like this, because it could cause real damage, especially for security researchers, and others who quite often will find public folders that are not secured properly. If the settings are set so that the folders are public, it is deeply problematic to argue that the access is unauthorized. The settings themselves that open up the folder literally say that everyone with the URL is authorized to view it, even if they have to type in a long URL by hand. That’s what happened here, and to argue that the access is unauthorized, once again, raises serious problems with the way the CFAA is interpreted.
We’ve talked at length about the issues surrounding automated copyright infringement “bots” and how often those bots get the primary question they’re tagged with wrong. Examples of this are legion: Viacom’s bot takes down a Star Trek panel discussion, all kinds of bots disrupted the DNC’s livestream of its convention, and one music distributor’s bot firing off DMCA notices to, well, everyone. Google itself has reported that nearly 100% of the DMCA notices it gets are just bot-generated buckshot.
But Google isn’t the savior here either. The company also uses automated systems for detecting copyright infringement and, at least in the case of Google Drive, those automated systems occasionally suck out loud at their job.
This week, Assistant Professor at Michigan State University, Dr. Emily Dolson, Ph.D. reported seeing some odd behavior when using Google Drive. One of the files in Dolson’s Google Drive, ‘output04.txt’ was nearly empty—with nothing other than the digit ‘1’ inside it.
But according to Google, this file violated the company’s “Copyright Infringement policy” and was hence flagged. And what’s worse is, the warning sent to the professor ended with “A review cannot be requested for this restriction.”
If your bot thinks a single digit is somehow copyright infringement, then your bot is a bad bot and should be taken behind the woodshed and humanely sent to bot-heaven where it can run and frolic with all the other bots. Now, to be fair, there is an open question in this case as to whether the filepath names that were chosen somehow were what was getting flagged. And, sure, maybe that happened. But it doesn’t really change the point: a bot thought a file that contained a single integer was copyright infringement.
That being said, other Drive users have reproduced this, calling into question the filepath theory.
Dr. Chris Jefferson, Ph.D., an AI and mathematics researcher at the University of St Andrews, was also able to reproduce the issue when uploading multiple computer-generated files to Drive. Jefferson generated over 2,000 files, each containing just a number between -1000 and 1000.
The files containing the digits 173, 174, 186, 266, 285, 302, 336, 451, 500, and 833 were shortly flagged by Google Drive for copyright infringement.
Again, this sucks. For what it’s worth, Google has finally responded and, despite the notices indicating there was no way to dispute the bot’s findings, has been sharing out links to do exactly that. But that isn’t really the point. This is base-level stuff here: having a system that operates this poorly means you have a system that never should have been in production to begin with. Particularly, frankly, when that system is operating as personal file storage for many, many people.
If the ongoing battle between copyright infringers and copyright holders could be described in any simple term, that term would have to be whac-a-mole. Since the early days of piracy on the internet, the copyright industries have used their legal mallets to smack down any site or service whose head managed to rise out of obscurity. Napster was pushed into irrelevance, as were other similar apps. Then websites that hosted infringing files were slammed. At present, we are in the midst of a crackdown on torrent sites, with the copyright industries blaming them for widespread infringement.
As crackdown on torrent sites continues around the world, people who are pirating TV shows and movies are having to get a little more creative. Cloud storage services such as Google Drive, Dropbox, and Kim Dotcom’s Mega are some of the popular ones that are being used to distribute copyrighted content, according to DMCA takedown requests reviewed by Gadgets 360.
Google Drive seems most popular among such users, with nearly five thousand DMCA takedown requests filed by Hollywood studios and other copyright holders just last month. Each DMCA request had listed a few hundred Google Drive links that the content owners wanted pulled.
But what’s notable about many of these DMCA takedown requests is that they target Google Drive links that don’t actually host any content themselves, but instead have embedded YouTube videos within them. YouTube has long been accused of hosting copyright infringing content, but few people consider it a serious vector for pirating movies or television shows. That’s because YouTube cracks down on piracy itself, and it is easily searchable, meaning that copyright holders can find their content and send takedown requests. Most infringing content is taken down quickly because of this, so what would be the point of these embedded videos?
It turns out that the pirates found a simple workaround – the videos are simply uploaded as unlisted, so they don’t turn up in search results. The links to these videos are then shared as Google Drive links through discussion forums and other channels so it’s difficult for the content owners to find the videos and get them taken down.
Popular video sites YouTube, Vimeo, and Dailymotion are also being abused by distributing and hosting illicit content, DMCA takedown requests reveal, but the volume of such requests again implies that they are not being as widely used. Some pirates, getting creative, also turned to another streaming venue which is not used as widely – porn sites. For example, last year, news outlets reported an instance where all the songs of Kanye West’s The Life of Pablo album were uploaded as a video to the popular website PornHub. You can still find a number of movies on the site, and oddly enough, also things like game trailers and music videos that could safely be posted on other sites as well.
While nobody would want to cheer this sort of infringement on, there is a certain aspect of creativity to it. That creativity nicely demonstrates the axiom: the internet is designed to route around obstructions. So too, it seems, are the communities dedicated to sharing copyrighted content. It seems that this war on piracy is whac-a-mole by nature, but it’s actually worse than that.
What if the moles were hydras and every time you hit one on the head, two or more heads sprouted out as a result? Because it should be noted that the above strategy using Google Drive and YouTube to distribute infringing content isn’t the only creative strategy that’s sprouted out of the crackdown on torrent sites.
The most unusual service that is being abused for distributing content that we came across is My Maps. It’s a feature Google introduced in 2007 to enable users to create custom maps. Anyone can visit the My Maps website, and create a custom map by pointing to a location on the map, adding a title, and filling up a description box. Google doesn’t verify what kind of information users are sharing in description, so you can again easily share links to unlisted YouTube streams, or Google Drive files to download. What this means is that people can then share locations on maps, which lead to the pirated movies.
While Google’s services are only the most abused of many for this sort of thing, you can already hear the content industries warming up their voices to sing a tune of how Evil Google is the pirate’s tool of choice for copyright infringement. It’s worth noting that all of this, however, has emerged despite Google’s efforts at complying with copyright laws. It’s also emerged as a result of this ongoing arms race waged primarily by the content industries, who could have expended this effort in figuring out new business models on which to make money from their content. Instead, we can mark time in the modern era by what the “piracy threat vector” du jour is. It seems tomorrow it may become Google Drive. Or My Maps. More years on it will be something we haven’t even thought of yet.
It’s almost becoming a rule in the tech industry, that actually doing something that people want to use absolutely guarantees that you’re going to get sued for patent infringement. It’s pretty clear that the current patent system is acting as a massive tax/tollbooth on innovation. The latest in a long line of examples: just as Google has been rolling out its Google Drive offering to users, it’s been hit with a patent infringement lawsuit from a company with a patent (5,918,244) that covers a “method and system for coherently caching I/O devices across a network.” As the lawsuit notes, the technology behind the patent is to enable the ability of “multiple computers [to] all communicate with each other and… all access data from the same data storage device or devices, such as hard disk.” Basically, the patent describes a system of RAM caching. Because I’m sure no one ever would have figured out how to do that without the patent system… So, rather than just allowing the technology to progress in the market as new products are developed, we’re left with legal fights and a tollbooth on innovation.
Remember when everyone freaked out about parts of Pinterest’s terms of service? And how, slowly but surely, word got out that the same terms can be found on virtually every website and are mostly harmless? And then everyone learned a lesson and calmed down, and would approach future terms of service with new knowledge and understanding?
Wait, scratch that last part. TNW reports that the terms of Google’s much-anticipated Drive service, which launched this week, have been treated to the same warm welcome from the Twitterverse. Someone spotted yet another variant of the “worldwide license” clause that all websites include, and before long the freakout flag was flying.
The clause in question, though admittedly scary-sounding, is routine:
When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.
I hate to break it to the panicking masses, but Google is not planning on turning your spreadsheets into a touring art exhibit. A broad license like this is necessary to allow Google to operate such a service, permitting them to move the data around freely on their many servers all over the world, and display it to you (or the people you share it with) through a variety of devices and interfaces. The nightmare-labyrinth of international copyright law means that the most Google could do without such a clause is accept your data then immediately delete it—and even then someone would probably try to claim they made five unauthorized copies en route to the trash bin.
Perhaps most amusing is the fact that this piece of legal lingo doesn’t come from the Google Drive terms of service, but from Google’s overall terms for all their services. Meaning it already applies to everything from Gmail to Google Mars—so this might just be getting started. At this point, I suspect every social network and user content website online is waiting for the hammer to fall, since any one of them could be singled out at any time for yet another round. Oh well, I guess nothing beats a good freakout.