What's interesting is that there is a whole ecosystem of companies like CipherCloud that do the minimum required to provide solutions for those interested in "compliance," not "security."
My sense has been that their customers are predominately those bound by things like HIPAA or PCI, who want to use cloud services, but can't do it with a straight face unless they can say they're "encrypting" their data.
What their customers want isn't security; it's the minimum required that will allow them to use salesforce.com. Incriminating details on StackExchange aren't a problem because their customers don't already know CipherCloud is insecure, they're a problem because it would make it harder for customers to say they're in compliance with a straight face.
It can be both. There are going to be companies that are serious about actually protecting their customers (but don't have the technical know-how to be an informed customer), and there are companies that see these laws/rules (PCI, HIPAA) as hindrances to cast aside with the least possible effort.
On some level, the fact that compliance regulations exist is an indication that security is not a priority for many of the entities that it applies to.
Certainly snake-oil is a problem, but I think this particular area is one where buyers are most concerned about being able to effectively claim that they made what seemed like reasonable efforts.
The penalty for materially misrepresenting a DMCA claim is actual damages plus costs and attorney fees. That's automatic, written into the bill, unlike many other torts/crimes where you need exceptional circumstances to get attorneys' fees in addition to the damages.
So, it's not practically unenforceable. The case Eric is citing appears to be a case where someone has an actual good faith but unreasonable belief that they have a cause of action.
That eliminates the "knowingly" part. A lot of DMCA claims, including the one in the OP, are being filed by lawyers or companies who will have a much harder time showing they have a good faith but unreasonable belief. They are basically going to have to argue they are idiots.
The second you can show bad faith, I have trouble believing (and I don't know of any cases where ..) a court would not impute knowledge.
Basically, you want them to have to consider your affirmative defenses (which is what fair use is). While I don't necessarily disagree, to be fair, this would be wholly inconsistent with almost every other area of law.
For example, if I file a negligence claim against you, you bear the burden of proving any affirmative defense to my claim, such as assumption of risk. I don't have to consider it at all when I file my claim, and if you don't prove your defense, I win. This is true no matter how valid your defense may be.
But what are the 'actual damages' in this case? It would be hard to argue a monetary damage to Stack Exchange. So the most you could 'win' from CipherCloud for their abuse would be your legal costs. Hard to justify taking that action.
Yes, you would get some nominal damages, plus any actual loss you could prove (i.e. the money of the people who spent time processing your DMCA request, plus how much you would have earned from ads on the post) or, and if they did it repeatedly, you may get something more (Punitive damages are rare in contract law, but possible).
Look, as much as I don't like it, this is a tradeoff.
On one side, you have the fact that websites like this would normally be liable for everything they publish.
DMCA says "we'll fix that for you", the cost being "if you want safe harbor, and someone with a good faith belief sends a takedown notice, you honor it".
If StackExchange really believed the material was non-infringing, they could always ignore the DMCA takedown, and force CipherCloud to sue them.
They didn't choose to take that risk.
Newspapers have the same issue, FWIW: They get threatened all the time by bad actors (and not just for defamation of public figures, which they are mostly protected from). They just often choose to take the risk and force bad actors to sue them.
It's not at all clear what you think the solution is. If you institute harsh penalties for filing "bad" DMCA requests, all that would happen would be large numbers of lawsuits over DMCA requests, bad or good, because it would likely be profitable. You really think torrentfreak/isohunt/et al wouldn't just start filing suits over every single DMCA request they receive? What do they have to lose? They wouldn't have to win many suits to make money off it.
If you have a good solution, I'd love to hear it :)
I realize how odd this sounds, and I really do hate the way content companies/et al abuse the DMCA process, but one doesn't need to look very hard at history to see what lawyers in general will do if you make it profitable (see the history of rule 11 sanctions, particularly, the period from 1983 to 1993, or you know, recent prop 65 litigation, resulting in everything in the world having "the state of California believes this may cause cancer" labels on it).
> You really think torrentfreak/isohunt/et al wouldn't just start filing suits over every single DMCA request they receive? What do they have to lose?
Money? Time? It wouldn't make any sense for them to litigate the cases they would obviously lose when they could choose the subset of cases where the take down issuer clearly has no copyright in the material in question -- which is the whole idea.
You're also giving the money to the wrong party. It doesn't make any sense to give YouTube or Tumblr the right to sue for bad take downs, if they thought they were bad they could just not execute them. The right for redress should be for the user who posted the material, not the intermediary. Which solves your problem with torrent sites filing frivolous claims. Do you honestly think release groups are going to get into the business of filing frivolous lawsuits against content owners? As soon as they identified themselves and consented to jurisdiction they would be counter-sued for infringement or arrested.
You're not following his reasoning to its conclusion. The people who run Isohunt surely don't want to spend their time writing court filings. But they'd be sitting on top of a mountain of potential claims, which would prove lucrative if even a tiny percentage resulted in damages. Unscrupulous law firms would notice and send Isohunt offers; at some point, it would become irrational of Isohunt not to accept one of them.
Isohunt is the intermediary. If they don't like a takedown notice then they can just not execute it; they don't need any redress from the courts. The plaintiffs with standing should be the end users who posted the material that was removed.
> But they'd be sitting on top of a mountain of potential claims, which would prove lucrative if even a tiny percentage resulted in damages.
Setting aside that Isohunt is the wrong party, yes, there are a mountain of take downs from which some small percentage should result in damages. But you can identify those cases ahead of time -- you know perfectly well you aren't going to win a case where you posted Fast & Furious 6 to Isohunt and Universal Studios issued a take down for it, there is no point in even trying. And if you do try then you're effectively admitting your own liability for copyright infringement when you have to assert you posted that material in order to get standing to sue.
The cases lawyers will want to take are the ones they think they can win -- and as long as they're right, that's what they're supposed to do. That's the whole idea.
Are you arguing that the situations where the take down is in a grey area (e.g. fair use) will create too much litigation? I don't really see that happening. On the one hand, the existence of penalties would create a disincentive for copyright holders to wantonly issue take downs in questionable cases, and if there was no take down then there is nothing to litigate. Then, in the consequently much reduced number of edge cases, in order to claim a take down was fraudulent a plaintiff would have to admit in court to posting the material and thus to liability for copyright infringement if the take down was legitimate.
Oh I don't have a solution, was just pointing out how the penalties for DMCA abuses end up not being enforced. I actually agree that DMCA takedown notices are surprisingly efficient.
Are there lawyers who will take on cases for consignment only?
It's a calculation that little people will not be able to take on the big people.
This is why corporations have zero fear of incorrectly killing individual content on youtube, little chance of penalty and they can smother any attempt to fight them.
Nope, all you are supposed to have to do to get the content restored is submit a counter-notice. And it should be back in two weeks, not years.
But you can be sued by the rightsholder for posting infringing material.
The DMCA is really about protecting the ISP/host. The ISP can't be sued for hosting your infringing material -- so long as they take it down when receiving a takedown notice; and even when they put it back up after receiving the counter-notice from the original poster.
But YOU (the poster) can still be sued.
I am not sure how often ISPs/hosts have clearly identified counter-notice procedures, but that's the way the law is written.
Not years. It's back up ~10 business days after you file a counternotice or the service provider loses their safe harbor. The DMCA is designed so that disputed content is not taken down permanently without an actual injunction signed by a judge.
YouTube is not responding to DMCA notices, it's given media companies direct access to take down content through their own system, and it can do this because it has no obligation to host your material for free in the first place, infringing or not.
That's not how it works. If StackExchange wants safe harbor from being sued itself, it must put the content back online if it receives a counternotice. YouTube doesn't have this problem because it's not receiving DMCA notices in the first place. One can't send a counternotice when there was never a notice to begin with. Since Google gives all the major media companies direct access to their system, they don't have to use the DMCA process to remove content from the site.
Sure it is. Upon receiving the counternotice, StackExchange can just say "OK, we no longer have the question offline because of the DMCA notice; as a separate matter we have decided that we decline to host this question". To believe otherwise would be to believe that a DMCA notice and counternotice somehow privileges the subject content above all other content on the site.
But it does privilege that content above all other if the service provider wants the liability protection. You either treat that content specially or you are open to being sued for having hosted it before you took it down. To meet the requirements of the act, they must actually "replace the removed material and cease disabling access to it" (H.R.2281 Sec. 501(g)(2)(C)). Doing what you said would fail to meet that, as would some kind of "it was available for a split second but you didn't see it" prank. Real judges don't take kindly to trying to weasel around the intent of a law.
Just like in many states you can fire an employee for no reason but you can't fire them for a discriminatory reason, you are in violation if you take down the content from the notice despite the counter.
OK, that makes sense (in a twisted way). But then, aren't Google and the media businesses balancing on the edge of something very nasty here? They have effectively made their own legal system alongside the real one. I'm not entirely sure how the US legal system works, but it sounds like something an EU court could strike down on.
Using the same example, if it's a lawyer that sends a bogus takedown notice (at least in clear-cut cases), you could always notify the relevant bar association to look into the idea that this person might be unfit to practice law in that area (either too stupid of the law to be allowed to practice, or abusing it and needs to be stopped).
Aren't DMCA takedowns required, under penalty of perjury, to assert a non-frivolous copyright claim? Is there any recourse for what appears to be clear abuses of the DMCA?
There is recourse against truly false claims made in bad faith, but it's not the penalty of perjury part. All you swear under penalty of perjury is that you are authorized to act on behalf of the owner of some copyright allegedly infringed (i.e. you're not filing a claim about someone else's work).
Here's the actual recourse created by the bill:
> (f) MISREPRESENTATIONS- Any person who knowingly materially misrepresents under this section-- (1) that material or activity is infringing, or (2) that material or activity was removed or disabled by mistake or misidentification, shall be liable for any damages, including costs and attorneys' fees, incurred by the alleged infringer, by any copyright owner or copyright owner's authorized licensee, or by a service provider, who is injured by such misrepresentation, as the result of the service provider relying upon such misrepresentation in removing or disabling access to the material or activity claimed to be infringing, or in replacing the removed material or ceasing to disable access to it.
Note that the EFF is trying to prosecute a case over this clause [1]. IANAL, but it seems to be hard to hold someone responsible for a bad DMCA notice unless they specifically knew that it was bad (rather than merely being sloppy and sending notices without adequately considering fair use). Whether that is the case for this notice could theoretically be found out through discovery.
Their likely justification is the use of those image snippets which appear to come from their manual. Realistically, those small captures represent fair use (though I am not a lawyer so can't speak legally).
I assume it would fall under commentary[1], esp. as it's one a single image and it has literally been written over to show the material that the comment is referencing.
The DMCA notice/counternotice system is only about copyright infringement. They wouldn't get one for the circumvention prohibitions; or if they did, it would be an illegal use of those notices.
If something can be destroyed by the truth, then it should be.
If a crypto company abuses DMCA to fight this, then they deserve the Streisand effect. You should send the materials to someone in a free country where DMCA doesn't apply and speech is still free, and they can host the documents and discussion.
Isn't it the same thing then? Just send a counter-notice to SE's hosts?
Of course, that doesn't stop all of Stack Exchange from being down for "10 business days" in the meantime. Should be interesting to see the public response to that if it actually happens.
(I made a snapshot of the page from Google's cache only to discover that at least two others used the very same service within the last hour to do exactly the same...and there are a few services to snapshot web pages.)
Why would you (or anyone) deliberately try to hurt a company? Just because their tech is not 'on par'? Please think about how it would hurt that company and the employees (and their families!).
Why would a company (deliberately) try to sell a false sense of security to anyone whose knowledge of cryptography is not 'on par'? Please think about how it might hurt these customers and their employees (and their families!).
It's not about deliberately hurting a company; if it's possible to make such a script, it will be made. Period.
The question is: do you want the script publicly available, or in the hands of your adversaries without anyone knowing? There's a third alternative: fix the problem.
Fraudster companies SHOULD be hurt. And their employees should have been the ones that bring this to light - otherwise, they are accomplices and deserve whatever they get.
Putting the merits of their technology aside, I've had numerous unpleasant experiences working with the CipherCloud Founders as both a Salesforce Partner and Customer. They use fear tactics to scare prospects into believing a) their data is unsafe in the cloud and b) their competition uses inferior encryption algorithms.
This DMCA takedown is unfortunately just another of their "just try and stop us" tactics.
In a situation like this, who files the counter-claim(s) to get the content restored?
I would SE as an organization cannot, as they are the safe harbor in this case, but it sounds like the takedown notice wasn't specific enough for the relevant users to know what they can leave up. Does each user involved need to counter-claim so that SE can put the question and answers back up? Can one user claim that nothing on the site was infringing and have that be enough to protect SE?
When a company does something like this, whether or not the claims/criticisms are actually true, their actions tacitly imply that they believe that the claims are true. In other words, terrible PR/technical brand management.
We should start a collection of these kinds of stories as case studies in why laws allowing any entity to legally compel removal of content are ripe for abuse.
DMCA as a law isn't even that ridiculous or reprehensible; it mostly offers protection for websites that have user-submitted content. And yet here we are.
The damages clause needs to be strengthened if we wish to continue having free speech on the internet.
CipherCloud claim copyright infringement on the three images used to evidence the posts.
They also claim that certain statements in the posts are false, misleading, defaming. While some statements look indeed wrong, others (in particular the determinism claim) are clearly evidenced in screenshots. They hint that their actual product might use different encryption from the demo video.
Encryption and security does usually not get any better by pretending it's secure and not letting anyone dig around the solution.
Indeed. Schneier has some excellent discussion on this topic, singling out closed source encryption as always eventually being cracked, and the security world's consideration of open source as a pre-requisite for security:
DMCA'd CipherCloud discussion on stackexchange online again (minus images). The Copyright part of the notice only covered the images and stackexchange apparently didn't consider the text part of the posts a ToS violation.
I expanded my analysis, but you'll need to check the original material for evidence since the embedded images were subject to the notice.
Situations like this really highlight how out of step the DMCA is with people's right to free speech and fair use. DMCA takedowns put too much compliance burden on individuals who are unaware of or intimidated by the counter-notice process.
At the very least, there should be more stringent requirements for legitimate takedown claims and stricter penalties for abusing the process.
I wonder if doing something similar to Ciphercloud, using a homomorphic encryption library like libScarab[0], would actually make it secure. I guess I still don't understand what Ciphercloud does.
FHE is far too slow for any practical use. In a few more years, things might be different, but for now anyone marketing a practical FHE solution is probably lying.
I'm still trying to find performance numbers that prove it impractical. Otherwise, it just sounds like a problem that could be mitigated by clustering.
Here are some results from a research team that has been on the forefront of FHE implementations; note that this has been improved on significantly since last August, but you are still looking at minutes of computation for relatively small functions:
Don't forget Amdahl's law and Gustafson's law on the limits of parallelizing when the problem isn't P-complete. Either way, I disagree with your conclusion that it is misguided.
So wrong answers (assuming they're wrong) and speculation are now speech that can legally be suppressed? You can't say anything that's wrong or a guess?
Long story short, stackexchange didn't want to lose a potential ad sale. It's not good for their business to have users question products advertised on stackexchange network.