Recently, (the previous time) FTB was down for several days because of our hosting service’s response to a DMCA takedown request. The whole story is weird, and has some odd implications. “I am not a lawyer” sort of applies here, but there’s more to it than that.
Remember, I worked in computer security since the mid 1980s, and have some experience with abuse systems and workflows – but this one is baffling. It points to interesting flaws in the system, too, but I’m not going to point those out and dwell on them because they lead to interesting denial of service attacks against other sites. Ah, screw it, go make the world burn.
Briefly, we must first understand DMCA. DMCA is a pure hunk of evil, pushed into place by huge providers in order to cover their asses. Perhaps you may (if you are my age) remember Harlan Ellison’s famous lawsuit against AOL for carrying copyright infringing digital versions of his books. Ellison apparently settled out of court for a substantial amount. Just getting his legal expenses back would have been a substantial amount. [techdirt] The issue was real: what is the liability of a business like, say, youtube, that makes ad revenues off of displaying and publishing copyright infringing material? In fact, when youtube first started, the founders illicitly uploaded copyrighted movies and such, in order to make the site more attractive. The rest, as they say, is history. But the Ellison case revealed a dagger poised at the heart of the internet, in the form of copyright. Something needed to be done to protect the tech-bros and all their investors from the ravaging hordes of musicians, writers, photographers, movie studios, etc., whose material was being constantly ripped off. DMCA was the tech industry’s response to the problem, which is – I have to say – practically solomonic. What they did was lobby for a “safe harbor” law that shields them from copyright liability, so long as they act “diligently” to protect the copyright holders. If a copyright holder contacts a provider and begins a formal process to declare infringement, the provider takes it down until the dispute is resolved. In return, the provider cannot be sued for copyright infringement.
Sounds reasonable, right?
It’s reasonable until you look at it more closely. When you look at it more closely, it’s tuned to allow big tech companies to have a “get out of jail free” card and, in return (I’m trying to be funny, here) it places the burden on the copyright holder. So, if you’re a photographer who has shot a popular image that shows up in 1,293 myspace pages, you are responsible for policing all those myspace pages. And the facebook pages. And youtube, and and and and. Meanwhile, those sites get to continue serving up your content (along with revenue-generating ads!) with no liability. Imagine if you were an amateur photographer, who shot a photo that became a popular myspace page decorator, and now suddenly you’re getting none of the ad revenue your image is driving, and your only recourse is to complain. A lot.
DMCA’s formal process is a “takedown request” which attests that a) you are the copyright holder of a given work, b) you do not want your work displayed in the way it is being displayed c) please take it down. The recipient of the DMCA takedown has 30 days to remove the offending work, notify the person who posted it, and that’s it. There is a provision where the person who posted the work can contest the takedown request, and the whole process can go back and forth.
Back in the day, I had a big problem with people using some of my photos and claiming “that’s me!” (mostly, professional escorts …) or worse, they’d take one of my photos, photoshop on it a bit, and post it claiming it was their artwork. Then, there were the well-meaning unaware creative talents who’d take one of my photos, and put some stupid piece of doggerel poetry on it, and post it as theirs. Those folks were a huge problem because a) obviously they understood nothing about copyright, b) obviously they didn’t care anything about copyright, c) it was personal for them and they’d go to great lengths to get slapped around by an angry artist. I’m not going to bore you all here with stories of copyright infringement, though, I’m just going to talk about a couple DMCA cases that have affected FTB and how and why, and why DMCA is an evil piece of shit legislation. But, I used to have to constantly – to the tune of 5 or 6 a week – write DMCA takedowns, just for deviantart. I gave up on the rest of the internet. Then, I gave up on deviantart, too.
8/25/2021, I got an email forwarded to me from PZ, our iron-fisted overlord, that was a WTF-a-gram asking basically, “what trouble have you gone and created this time?”
Knuckling my brow, in my best Eyegore imitation, I started digging to figure out what was going on.
And, it was weird. The page in question was my recipe for peanut butter sriracha pasta sauce, and the image that was being DMCA’d was one I shot of some pasta, on my kitchen counter. I immediately replied with an image indicating I was the copyright holder, and proving it – after all, since I had downsampled the image, the claimant would have had to have the original to be able to produce the downsampled version, right? But that does not matter, DMCA has specific provisions and the service is only interested in minimal response that keeps them within the safe harbor provision:
See, it doesn’t matter if you can prove it’s your image, you still have to take it down because the machinery of DMCA is very specific and all it amounts to is: if you’re the copyright holder, it’s your problem.
Flip that around and imagine I’m Disney Corporation. Now, one of my small army of copyright infringement checkers identifies an infringing piece of video on youtube. They click a button, some expensive software grinds into action, and youtube gets a correctly formatted DMCA filed by a certified Media Mega Corp backed by an army of lawyers, and – that’s it. As Harlan Ellison once said, “you don’t fuck with the mouse” [ironically, that story is available online here] Did I forget to mention that, now that he’s dead and not filing DMCAs, his work is apparently undefended? So DMCA serves to defend the powerful and well-resourced against the powerful and well-resourced, but does fuck all for the little guy. One more example: I ran across one guy on fetlife who had 20 images in “his” portfolio that were mine, which he claimed to have taken. Thanks to DMCA, fetlife’s response was “you have to file 20 DMCA takedowns” and – worse yet – because the provider was meeting the terms of DMCA at a minimum, they didn’t do anything else, like look at the other images in the portfolio, or shut the account down.
Anyhow, the only response I could make to my DMCA at freethoughtblogs was to take down the image that had been flagged as offending.
There’s another flaw in the DMCA: the copyright holder has to attest and swear that they are the copyright holder, and provide a contact name, address, phone number. OK, that’s interesting. The other problem is that the claimant has to provide a link to where their copy of my allegedly infringing material is hosted. So, there’s a URL included in the DMCA takedown that takes you right to the other guy’s page… and your piece of copyrighted material. I expect that by now you’ve realized there’s a problem here. In computer security terms: 1) disclosure of PII, and 2) denial of service. The claimant has to attest that they actually are a real person and own the copyright to the work, but that can all be completely fabricated.
In fact, in the DMCA case from 2021, the contact information provided was not entirely accurate. The DMCA form had a phone number in Turkey, and the name of Mohammed Tawfiq. The phone number did not work. It took me a bit of digging but I pretty quickly had his home address and actual phone number, and called him up, and asked him to take down his site because he was annoying all the Wrong People. That is not strictly true. I will attach a story about annoying the Wrong People in an appendix to this post.
Obviously, the site that was hosting the stolen copy of my recipe is now down, but because of the wonders of the DMCA process, it is possible that freethoughtblogs’ provider could suddenly decide to reactivate an old case and drop a bunch of IP blocks all over my pages here. Or worse. This is what Tawfiq’s site consisted of:
It’s a basic link-farm. When you employ one of those “Search Engine Optimization” sites, this is the kind of thing that’s going on behind the scenes. They publish link-farms that link to popular stuff (like my sriracha peanut butter pasta sauce!) and then try to manipulate search engine algorithms through proximity. This sort of link-farm is created automatically by grazing a bunch of sites for terms matching a search, then mashing up a bunch of content and vomiting out HTML that is automatically uploaded to a hosting service. Naturally, the current generation of these things will be AI-driven, so they won’t immediately light up pattern matches and may be mistaken for legitimate content. Actually, I may have phrased that wrong – they will be legitimate content because lots of legitimate sites are letting AIs write their news and articles, already, and it is no longer possible to determine what’s human-originated, or even if it matters.
Pages like this are generally not hosted on US providers, and sending them a DMCA takedown is completely pointless, because the DMCA is US law and some site in Romania is going to give absolutely no shits at all and that only because it’s not possible to give negative shits. Again, DMCA shows its uselessness for actually protecting copyright – all that matters is providing the safe harbor for US-based content aggregators.
Now, if you’ve been paying attention thus far, you’re probably wondering, “then why did our squirrel issue a DMCA? If he had just left his pirated link-farm on the down low, nobody’d ever know and nobody’d try to take it down.” That’s a really good question. And, I asked a few of the internet security wizards I know, and got back a bunch of /shrug. Most hardcore internet security folks ignore scammers because the scamming field evolves extremely rapidly and the scams are plentiful, confusing, sometimes stupid, and often complicated. Also, they change so fast it’s hardly worth keeping up to date on them. For example, in this case, it could be that Mr Mohammed Tawfiq was pursuing a search-engine optimization technique that made sense in 2009, read about it in 2010, and tried it in 2013 by which time it barely worked at all. Google, youtube, etc., – AKA “the sites that matter” – invest time and money into digging into this stuff because it’s highly relevant to their ad-sales business, but nobody else does because none of us are making gigantic piles of money selling ads.
The only reasoning I can think of for why the squirrels do a DMCA is they hope to take down the real site with the interesting content, and maybe when the real site is down their click score will go up, accordingly. It still does not make a huge amount of sense because then the squirrel should have gone after the interesting content, not a link on a page of interesting content. It may just be that the squirrels are experimenting with the search engines’ algorithms and trying to see what works. My guess is it’s a waste of time because the search engine guys are constantly worrying about overcoming such games, and are really quite skilled. Basically, google has a roomful of high end hackers who sit around thinking “how can we defeat the algorithm?” and then defeating the defeat technique before anyone else thinks of it.
Meanwhile: the entire ad economy balances wobblingly atop an ecosystem of scammers and marketers, both of whom are competing for the same thing – attention – and are willing to sink to any depths to get a few eyeball jerks or mouse-clicks. If the scammers get ahead of the game, the ad economy collapses because it no longer has value. Internet cognoscenti, of course, have always known that it has always never had any value, but that doesn’t stop the marketers.
[By the way, have you noticed, lately, how the quality of the ads on youtube has begun to drop fairly precipitously? There was a time when you’d get ads from big car companies, or insurance companies, but now it’s AI-voiced crap selling dick pills and nostrums. What we may be seeing is the beginning of the inevitable swan-dive in which the content of ads devolves to the kind of garbage that is hosted on free porn sites. Why is this happening? My guess is that it’s another thing we can blame on Elon Musk (!) – here’s the scenario: Musk’s messing around with the ad model at X, causes a bunch of the big media advertisers to leave, then they look at their numbers and realize that their ads on X really didn’t drive any business, anyway. They look around and conclude that “influencer” marketing is the way to go – i.e.: ads embedded in podcasts or vlogs by the content creators themselves, so that the ad cannot be picked out or blocked. Have you noticed, yet, how some podcasts dedicate 15 minutes of every show to reading stupid ads from pointless companies? This may be the beginning of the end for banner ads, except that since banner ads are cheap and will get cheaper, they’ll become a new form of internet spam. And, not that any of them are listening, when a podcast starts turning to embedded ads, I unsubscribe. It’s excruciatingly embarrassing to hear Malcolm Gladwell, a person I formerly respected a bit, shilling shit in his own voice. Fuck you, you ruined your legacy and it’ll be there for everyone to see/hear forever.]
The recent lengthy downtime at Freethoughtblogs was caused by a false DMCA takedown request. The provider sends an email, “you have 3 days to take down the offending copyright infringement” and if there’s no response, in go the IP blocks. You may have noticed the FTB logo vanished or was changed on some pages: the squirrel who issued the fraudulent DMCA takedown was running a link-farm of logo designs and (apparently) was trying a search engine weighting game similar to Mohammed Tawfiq’s.
Security Operations Centers (SOCs) are all about managed work-flow. When they get an item, it goes in one side, and a crank gets turned. Sometimes actions are taken, when required, and sometimes the case is cleared. But everything is boiled down to “that which is not forbidden is compulsory” and the folks in the SOC are not allowed to think, or act, or really do anything more than turn the crank and get on to the next case. I’m certain that these messages are all boiler-plate:
So helpful. “In the event you provide us with a counter notice” is a funny thing to say in a reply to a counter notice, and the offer to “happily” provide it to the abuse reporter is just stupid: they know as well as I do that it’s going to a bulk mail account on a hosting service that nobody checks, because the person filing the notice is not and never was, real.
Where does this leave us? Well, if you want to get someone’s contact information, and they run a website, you can DMCA their hosting service and direct the response to a bulk mail account, then you wait until they do a counter-claim and you’ve got their real address/email address, unless they decide to lie, too. Or, if you want to take someone’s site down, you can start DMCA’ing chunks of it in a Resource Consumption Attack [rca: cyberinsurgency] – just go for a straightforward “death of 1,000 cuts” strategy but make sure you do it with carefully assembled layers of anonymity if you are going after the Wrong People. You can also, in fact you get for free, a denial of service opportunity, because if the target does not burn cycles responding, their provider will take them off the air for you. Of course this is all very naughty and it’s fraud because you’re attesting that you’re the copyright holder and nobody’d ever anonymously do something like that. Also, the big sites, naturally, have security teams and can afford to spend the time calling people at the hosting service, nudging the FBI, etc. This probably wouldn’t work against a well-funded well-defended target.
For the small content publisher, like freethoughtblogs, the answer is pretty simple: you get a DMCA, you move the offending ${whatever} to another hosting site then reply to the DMCA request that you have taken down the offending ${whatever} – which their workflow software verifies is true, and the crank turns and the world keeps spinning. That’s a variant of a defensive security technique some of us used to call “make it google’s problem” because if you can make a problem become one of google’s problems they’ll be motivated to solve it. I have no idea what google spends on DMCA workflow these days, but it’s got to be a lot. On the other hand, google is so big that it’s probably difficult to annoy it enough that it registers any annoyance at all.
But behold the brilliance of DMCA: since it serves the big well-funded guys, there’s no benefit to anyone who might invest the money to go after it and reveal DMCA for the stink-pot it is. This is one of those, “well, if I had Peter Thiel money…” things, where, if I had Peter Thiel money I wouldn’t do anything because I wouldn’t care, and I’d be an asshole who wanted to be on the wrong side of the problem, anyway. I think that there might be some traction had if a well-funded person whose copyright had been infringed began sending certified letters from their lawyer to sites that infringed their material regularly, saying something like: “We are notifying you that the following intellectual properties belonging to my client are often targets of infringement – see Exhibits A through Z, attached – now that you have constructive knowledge that these properties belong to my client, who wishes to defend their copyright, you have a duty to ensure that they are blocked before being made publicly available. We understand the DMCA process, and will defend copyright on other materials using that method, but we may attempt to recover damages and court costs from you if you ignore this notice, forthwith. We consider this notice to be permanent, and will notify you further if any of the copyrighted items come out from under copyright, at such a time as they do. Happily, etc, Dewey Cheatem and Howe LLP” I actually have talked to my actual lawyer, who actually told me that the approach would amount mostly to demonstrating “we are prepared to spend a lot of money on lawyers, fear us.” That’s about right. It works for Disney.
Annoying the Wrong People: back in the late 90s I was involved in a project where the company I worked for at the time was supporting the FBI with some tech talent for a specific problem. There was a guy who was contacting various sites and telling them that they’d experience some unpredictable but damaging downtime if they didn’t pay a “consulting fee” – a basic shakedown. The guy who was doing it was in Europe but had gone after a few targets in the US as well, which is how we got dragged into it. I used to love “special projects” like that because they were always a chance to get creative and pull rabbits out of a hat, or whatever. So, I got started tugging on some strings and talking to some people who had website logs and people who knew people and it turned out that our guy was in Amsterdam, using a particular cyber-cafe. It looked like he had a few compromised boxes in places around the world, and he’d go to the cyber-cafe, have a smoke or whatever, and use one of their gaming systems to pop up an ssh shell to his compromised boxes, then he’d launch attacks from there. While the FBI guys were making muttering sounds about an orbital drop ship full of ninjas to catch him in the act, I just called the guy who owned the cybercafe and talked to him, asked him if he’d be OK with sending some IP traces off his firewall, and maybe setting up a drop camera to record the guy so we could figure out what he looked like. Then, I was going to call a friend of mine who lived in Amsterdam at the time, and have him followed. Most people do not expect to be followed and do not have good operations security. This guy certainly didn’t. Setting something like that up isn’t instantaneous – you have to talk people around to it, get them willing to play, answer their questions, etc. But everything was moving along and then, silence. The FBI guy who had been calling me for updates stopped calling.
Finally, I called him (not always easy to do at that time) and he said, “oh, we’re not working that situation any more.” Why not? “Well, it turns out that the guy went after a Russian mafia-owned online gambling site* and they found pieces of him in several dumpsters around town.” Those are the Wrong People. The Wrong People use circular saws to resolve their DMCA takedown “requests.” The Wrong People’s lawyers are sleepy-eyed guys who wear raincoats even in the summer.
(* multiple redundancies there)
Charly says
The ads on YouTube definitively deteriorated. I am getting the same scam ad that I have already reported multiple times. The same scam, against which there are several ongoing lawsuits in CZ, and Google is now responding that the ad does NOT violate their guidelines.
Tabby Lavalamp says
One thing I still see, particularly on YouTube, is the disclaimer “No copyright infringement intended” on what is clearly infringed copyright. Anyway, all this talk about copyright and DMCA got me thinking about that and how it borders on sovereign citizenship in that people seem to think there are magic words that skirt around laws.
Marcus Ranum says
Google is now responding that the ad does NOT violate their guidelines.
“Did they pay?” shall be the whole of the law.
outis says
Thanks for the explanation, I did see an error-504 when trying to reach the site and wondered what was going on.
As for the ads situation well, they are getting more and more annoying and as useless as they always were.
‘Tis said, “the algorithm in YouTube knows you better than you know yourself”: well that’s 110% bullshit. I either get general ads for supermarkets, telcos and such, or ridiculously off-target rubbish like promotions for cat food or ladies’ hair products (for my flowing tresses, mmyeah). Totally random, and it has already put me off listening to music on YT except for very short pieces. Return of the CD collection ahoy!
Trickster Goddess says
I use adblockers on my computer and tablet so I don’t get YouTube ads there, however I also sometimes watch YouTube on a smart TV where I can’t block the ads and do actually get mostly quality ads there. In addition to the usual consumer goods, I get ads for bulldozers, construction equipment parts, investment opportunities for a salt mine in Labrador, industrial electrical transformers, chemical storage warehousing, and even giant trucks for open pit mines.
About 80% of the videos I watch on the TV have to do with trains so I think the algorithm must have me pegged as an engineering type. Which I’m not, just a train and urban transit nerd.
beholder says
I’m going to have to side with the tech-bros here (not the ones that wrote the DMCA, of course). Copyright is a scam, and the industries built on top of it are illegitimate. Hollywood knows they make nothing worth paying for unless they can twist your arm, over and over again.
Copyright will be overturned by the first amendment at some point in the (hopefully near) future, and people will wonder why the courts took over 200 years to get around to doing that.
Dunc says
The other thing I’ve noticed that I think presages the end (or at least the decline) of the ad-supported internet model is that more and more places are putting up paywalls and pushing readers to subscribe, or at least register.
Do you think it’s legitimate for me to take somebody else’s creative work, republish it myself without crediting them, sell it, and keep the money? Or do you think it’s illegitimate to sell art, music, or literature at all?
sonofrojblake says
I never get ads on Youtube on my phone, because I can access it via an intermediary that strips them (Cleantube) – it’s great. On my TV-through-Roku – ads. But not terrible ones, just quite intrusive.
What baffles me properly is this: one of the vanishingly few shows I actually watch regularly from “normal” terrestrial TV is “Taskmaster”. I’ve streamed most of it from the Channel 4 app, and that leaves the ad breaks intact.
When I watch it “live”, i.e. when broadcast, I get the broadcast ad breaks – ads I assume have been placed there by a human who’s been instructed that car insurance company A or online betting company B want the first ad spot in the second ad break, or whatever, and the relevant ad is cued up and plays along with all the others who’ve paid for the various slots available.
BUT: when I stream it, I still get ad-breaks, but the ads are put there by an algorithm. A really, REALLY bad one. Bad for two quite different reasons:
1. targetting – I’m regularly advertised at during those ad breaks by Coutts. If you’ve not heard of them, they’re literally bankers to royalty – the King’s current account is with them. If you want to bank with them, they’re very happy to have you… provided you maintain a MINIMUM balance at all times of more than three million sterling.
I have two problems with this ad. First – why does it even exist? I don’t see ads on the TV for Lamborghinis or Patek Philippe watches. I assume people who are in the market for such items get their awareness of them from sources other than television ads during comedy panel shows. What are they doing slumming it in a Channel 4 ad break at 21:30 on a Thursday?
Second – why is it being shown to ME? They’re not interested in my broke ass, as the young people say. Sure, try to sell me car insurance or betting (I’m not buying, but I get why you’re trying). But exclusive banking for millionaires? Why do I even know this exists? Baffling.
2: scheduling: Like I said, on broadcast, the ads are scheduled by a human at some point. A typical ad break might be three minutes, with six 30 second ads filling that time, say. The other day, when streaming, an ad break started, and I looked down at my phone, but didn’t bother muting the TV. In the background, I heard an advert for a Samsung pholding phone. Whatever. Then it ended.
Then it started again. I looked up. Ah, I thought, this is presumably some cute “spot the difference” gimmick going on. I looked back down. Then it ended.
Then it started again. And again. And again. In one ad break, I saw EXACTLY THE SAME AD five times in a row… and one other, unrelated ad. This isn’t the only time it’s happened – the record is six repetitions of the same ad IN THE SAME BREAK, with no other ads shown. I can’t believe that this is what the advertisers actually want – papering the entire ad break with an annoyingly repetitive wall of the same ad over and over. I’d have thought it likely to make them look annoying or stupid to any viewer.
I’m going to have to reinstate my pihole and see if that can filter any of this nonsense out…
David says
I recently, for the first time, subscribed thru Patreon to a podcast to both get rid of host spoken ads and hear bonus content. This seems an emerging ploy that I find satisfactory and relatively inexpensive.
beholder says
@7 Dunc
Yes.
Yes.
We can dither on whether that’s an ethical choice or not, but it certainly shouldn’t be illegal.
Yes. Good luck finding someone who will pay more than the work and raw material you put into copying it, though. Remember, everyone is able to do this.
All those pennies are yours, yes.
Go right ahead. You’ll quickly find out what a copy is actually worth when everyone can do this.
Yawn. You could have posed interesting ethical dilemmas that copyright forces a one-size-fits-all answer to (Orphaned works, work-for-hire, owners modifying the work against the author’s wishes after it’s been written), but your failure of imagination only posed the apocalyptic scenario where…everything is public domain. Where people can copy art, music, and literature freely because congress shall make no law abridging the freedom of speech. My point exactly.
LykeX says
@Dunc #7
My emphasis, because I think it’s relevant to point out that there are two separate things going on and you’re kinda mixing them together.
1) Who gets the money that people pay for a creative medium?
2) Who gets the (non-financial) credit for having done the creative thing?
I think copying something without giving credit to the person who came up with the idea is bad, simply because it’s dishonest. If you got an idea from someone else, you should say so and not pretend it’s your own. However, when it comes to selling a medium, I think it’s fair to wonder just how much profit a person should get simply for having the idea first.
If I compose a text, but you’re the one who sets up a printing press, produce the books, transport them to a shop, and sell them to people, just how much of that profit can I really lay claim to? After all, I didn’t do any of the actual, physical work of producing the actual physical books.
If more books are sold, I get more profit, but you’re the one that has to do more work. Is that quite right?
What if you copy someone’s work, give them full credit, but don’t sell it; you just give it away? It’s still a copyright violation, but you’re not denying them profits, because there are none.
And then there’s the notion in copyright of saying to someone “you’re not allowed to copy that,” even if they’re willing to pay you royalties. Is that fair?
I don’t have a good conclusion, but these are the thoughts that occurred to me.
Reginald Selkirk says
OT:
DEC nostalgia article
markp8703 says
“Malcolm Gladwell, a person I formerly respected a bit…”
The “a bit” does a lot of heavy lifting.
What did it for me was his defence of his facile 10,000 hours bilge, in which he basically said that if you disagreed with him you weren’t the sort of reader at which his books are aimed.
xohjoh2n says
@13:
What? “You’re not sufficiently easily led to be a useful reader for me”?
cmconnelly says
@5 Those sorts of ads are awesome! I’m generally amazed at just how many specialized tools there are for so many different tasks, and relish the opportunity to see some bizarre piece of equipment for some super-specific purpose in an obscure industry; often something I’ve never thought about.
There was one I saw once, a long time ago, that was completely opaque to me, but fascinating. Unfortunately, they never actually said what the company was, so I’m left with nothing but a vague memory. Much better than most of the ads they show otherwise.
We, too, watch a lot of the train/transit videos (Geoff Marshall, Jago Hazzard, et al.), so maybe that’s the key. (We also watch lots of computer and electronics videos, because that’s what my spouse and I are both into, and those drown out my Gresham College videos.) We also have ad-tracking turned off, which presumably makes it more likely that they’d show random ads.