A little over a year ago, Matt Holt, who created the Caddy Server that helps make it easier to protect websites with HTTPS encryption, posted a hypothetical blog post, from the year 2022, in which he worried that enterprising and persistent copyright lawyers would have continued moving up the stack with their DMCA notices, and started to use the process to get HTTPS security certificates removed.
A lawyer need only be successful in convincing one of those four “choke points” by threatening legal action in order to suffocate the site. (There are others, like ISPs, which operate more generally, and we skip them for brevity.) These entities totally control the site’s availability, which is one crucial dimension of secure systems. Here they are again:
Site owner. He or she can voluntarily remove the site/content.
Web host. They can destroy the site owner’s account or files.
Domain registrar. They can cancel or transfer ownership of the domain name.
DNS provider. They can make the site inaccessible via hostname.
Now that it’s 2022, a site needs HTTPS in order to be trusted by browsers. At the very least, this means they show an indicator above the page. Maybe it even means the browser shows a warning before navigating to the site. Either way, HTTPS is critical to a site’s availability and integrity.
DMCA lawyers are clever, and they realize this emerging trend. They contact a site’s CA and demand the site be disconnected for violating the law (despite lack of a court case). The CA, operating without policy for such requests and afraid of legal ramifications, revokes the site’s certificate.
Within hours, browsers begin to refuse connecting to the site on port 443 and warning flags fly instead, scaring users away. Browsers don’t revert to port 80 anymore because HTTPS is expected and using HTTP is effectively a downgrade attack. Visitors aren’t sure what to do, and the site goes offline around the globe.
We've raised some questions in the past about this process of copyright holders moving up the stack -- and not just targeting the content hosts, but companies further upstream, including ad providers, domain registries and registrars, and the like. There are serious issues with each of these, but going after security certificates seems especially pernicious.
But Matt was a bit off in his predicted timing on this. After his article ran, we learned of at least a few examples of copyright holders going after security certificate providers. Take for example this copyright notice that was sent to Squarespace (the host), Tucows (the domain registrar), and Let's Encrypt (the security certificate provider).
“In response to a court order against Sci-Hub, Comodo CA has revoked four certificates for the site,” Jonathan Skinner, Director, Global Channel Programs at Comodo CA informed TorrentFreak.
“By policy Comodo CA obeys court orders and the law to the full extent of its ability.”
Comodo refused to confirm any additional details, including whether these revocations were anything to do with the current ACS injunction. However, Susan R. Morrissey, Director of Communications at ACS, told TorrentFreak that the revocations were indeed part of ACS’ legal action against Sci-Hub.
“[T]he action is related to our continuing efforts to protect ACS’ intellectual property,” Morrissey confirmed.
We've obviously covered a lot about the Sci-Hub story over the years, and the weird quixotic focus by some on taking down a site devoted to (of all things) better sharing of academic knowledge (especially with academics in the developing world). The lengths to which some copyright holders have gone to effectively shut down a library are already sickening enough, but going after the security certificate is beyond the pale.
The DMCA allows for approaching a variety of different intermediaries, from network communications, to hosts, to caching, to "information location tools" (i.e. search engines), but I have a very difficult time seeing how any of that applies to security certificate providers (or, for that matter, to domain registries).
Even more bizarre is that going after the security certificate doesn't stop any actual infringement -- it just makes users a lot less safe. And yet, it's coming from the very same copyright holders who keep trying to tell people they shouldn't pirate content because it exposes them to malware and viruses and dangerous computers and the like. But removing security certificates would make that a much more serious problem. And yet, here we have a case where ACS went after a security certificate, a judge okayed it, and Comodo played along. That's dangerous for the way the internet works and is kept secure. If they want to go after the hosts, go after the hosts. Destroying the ability to protect users by encrypting the traffic is just evil.
Last month, we wrote about the strange and unfortunate decision by a magistrate judge in the copycat lawsuit by the American Chemical Society against Sci-Hub, the "renegade" online repository of academic knowledge. As we've discussed for years, the copyright attacks on Sci-Hub are silly, given the entire stated purpose of copyright is supposed to be to increase "learning" (and there's rarely a monetary incentive to the scholars writing academic articles). Copyright in academic papers is silly for a whole host of reasons, and then using copyright law to take down what is effectively an incredibly useful library of academic knowledge seems to run entirely counter to the basis of copyright law.
And yet, things with Sci-Hub keep getting dumber. After it lost the lawsuit Elsevier filed against it, the American Chemical Society jumped in to file a copycat lawsuit. The issue last month was our surprise that a magistrate judge recommended an injunction against third parties who were not parties to the lawsuit, demanding that they block all access to Sci-Hub. This could impact tons of ISPs, search engines, domain registrars and more. On Friday, amazingly, the Article III judge on the case, Judge Leonie Brinkema, more or less went with the magistrate's recommendations, with one slight change. You can see the order and injunction either at those links, or embedded below.
Because Sci-Hub -- run by a woman who doesn't live in the US -- chose to ignore the lawsuit, this is a default judgment, so the judge never got to hear anyone else's viewpoint, other than ACS. It's troubling that the judge -- just prior to issuing the injunction -- decided to reject an attempted amicus brief from CCIA, which sought to explain why site blocking is not allowed as a remedy. The judge did make one change, which at the very least improves the injunction slightly. The official injunction reads as follows:
ORDERED that any person or entity in active concert or participation with Defendant Sci-Hub and with notice of the injunction, including any Internet search engines, web hosting and Internet service providers, domain name registrars, and domain name registries, cease facilitating access to any or all domain names and websites through which Defendant Sci-Hub engages in unlawful access to, use, reproduction, and distribution of the ACS Marks or ACS's Copyrighted Works; and it is FURTHER
ORDERED that the domain name registries and/or registrars for Defendant Sci-Hub's domain names and websites, or their technical administrators, shall place the domain names on registryHold/serverHold or other status to render the names/sites non-resolving.
The original recommendation from the magistrate judge said that "any person or entity in privity with Sci-Hub" had to do those things; the final order swaps "in privity" for "in active concert or participation." That's... slightly better, but it's unclear exactly what "in active concert or participation" really means.
ACS is now claiming that this won't apply to general search engines, but just to those working more closely with Sci-Hub:
“The court’s affirmative ruling does not apply to search engines writ large, but only to those entities who have been in active concert or participation with Sci-Hub, such as websites that host ACS content stolen by Sci-Hub. ACS will now look to identify said entities and seek enforcement accordingly.”
Steve McLaughlin, who has been following the case closely, expects that ACS is likely to target Cloudflare with this injunction -- and it will be worth seeing how Cloudflare responds.
Either way, setting aside the questions about why we're even arguing about a library of academic research that was not incentivized by copyright, it's still perplexing that a federal judge believes this is a justifiable remedy. Again, five years ago Congress explored the idea of allowing site blocking as a remedy for copyright infringement and decided against it when it chose not to pass SOPA/PIPA (whose main purpose was to create a site blocking remedy). No matter what you think of Sci-Hub, it should worry people when judges can demand third parties censor and block sites, without any First Amendment analysis whatsoever.
We've discussed in the past the completely ridiculous attacks on Sci-Hub, a site that should be celebrated as an incredible repository of all the world's academic knowledge. It's an incredible and astounding achievement... and, instead of celebrating it, we have big publishers attacking it. Because copyright. And even though the purpose of copyright was supposedly to advance "learning" and Sci-Hub serves that purpose amazingly well, so many people have bought into the myth that copyright must "exclude" usage that we're in a time where one of the most amazing libraries in the world is being attacked. Sci-Hub lost its big case earlier this year, and almost immediately others piled on. Specifically, back in June, the American Chemical Society (ACS) jumped in with a similar "us too!" lawsuit, knowing full well that Sci-Hub would likely ignore it.
ACS has moved for a default judgment against Sci-Hub (what you tend to get when the defendant ignores the lawsuit), which it would likely get. However, in an extremely troubling move, the magistrate judge reviewing the case for the Article III judge who will make the final ruling has recommended forcing ISPs and search engines to block access to Sci-Hub. After recommending the standard (and expected) injunction against Sci-Hub, the recommendation then says:
In addition, the undersigned recommends that it be ordered that any person or entity in privity with Sci-Hub and with notice of the injunction, including any Internet search engines, web hosting and Internet service providers, domain name registrars, and domain name registries, cease facilitating access to any or all domain names and websites through which Sci-Hub engages in unlawful access to, use, reproduction, and distribution of ACS's trademarks or copyrighted works. Finally, the undersigned recommends that it be ordered that the domain name registries and/or registrars for Sci-Hub's domain names and websites, or their technical administrators, shall place the domain names on registryHold/serverHold or such other status to render the names/sites non-resolving.
So, this is kind of incredible. Because, as you might remember, there was a big fight a little over five years ago about a pair of bills in Congress called SOPA and PIPA that proposed allowing for such an order being issued to third parties like search engines, ISPs, domain registrars and the like, demanding they block all access to certain websites. And, following quite a public outcry (which also explained why this approach would do serious harm to certain security standards and other technical aspects of how the internet works), Congress backed down and decided it did not want to enable courts to issue such orders.
So why the hell is Magistrate Judge John F. Anderson recommending such an order?
At the very least, it seems problematic. Even if you ignore the Sci-Hub part of the equation (since it ignored the lawsuit, a default judgment was basically inevitable), you should be concerned about this. Here's a court order binding a very large number of non-parties to the lawsuit to completely block access to a variety of websites, without any sort of due process. One hopes that ISPs, domain registrars and search engines will push back on such an overbroad order -- one that even Congress realized was a step too far and never authorized.
God bless the drivers of Maryland, whose government officials have spent years experimenting on them by placing their driving records and insurance rates in the hands of unreliable private contractors. We've already covered one major traffic camera firm (ATS - American Traffic Solutions) in the Maryland-DC area whose response to questionable photos captured by its cameras was to crop out anything that might make the ticket challengeable, like calibration lines or other vehicles.
Consultant URS Corp. evaluated the camera system as run by Xerox State and Local Solutions in 2012 and found an error rate of more than 10 percent — 40 times higher than city officials have claimed. The city got those findings last April but never disclosed the high error rate, refusing calls by members of the City Council to release the audit.
The city issued roughly 700,000 speed camera tickets at $40 each in fiscal year 2012. If 10 percent were wrong, 70,000 would have wrongly been charged $2.8 million.
Xerox's contract ended in 2012, and the city tried out a couple of new contractors after the Baltimore Sun reported that the city's cameras were producing faulty citations. Previous to the Sun's investigative work, city officials claimed the cameras had a "one-quarter of one percent error rate." Xerox performed its own audit and found 5 cameras with a 5.2% error rate, but said it took those offline upon discovery.
Neither claim matches up with the URS audit. Not only were 10% clearly erroneous, but another 26% were declared "questionable," meaning the system Xerox ran for three years was only unquestionably "right" less than two-thirds of the time.
To top this all off, members of the city government still hadn't seen this audit until the Baltimore Sun managed to secure a copy of it.
City Council members reacted with dismay and anger when told Wednesday of the audit's results, asking why the Rawlings-Blake administration didn't reveal the high error rate months ago and take steps to fully refund fines paid by motorists.
The administration has one good reason not to release the report: it doesn't want to get sued.
Despite calls from the City Council to release the audit, the administration does not plan to do so, Harris said. City Solicitor George Nilson, the administration's chief lawyer, has said releasing the audit would violate a settlement agreement with Xerox and "create obvious risks and potential exposure for the city."
In the settlement, the city agreed to pay Xerox $2.3 million for invoices from late 2012. The city also agreed to keep confidential any documents "referring or relating to, or reflecting, each party's internal considerations, discussions, analyses, and/or evaluations of issues raised during the settlement discussions."
The documents are no longer "confidential" at this point (and can be viewed here), and what's been uncovered may cause future problems for Xerox, which was selected by a city panel last year to take over Chicago's traffic cams. This happened in August of 2013, after Baltimore had already cut the contractor loose, but well before URS' report surfaced. Knowing it had buried the company's ineptitude by contractually obligating Baltimore's administration to keep its mouth shut, Xerox officials had the confidence to make the following claim when reached for comment last August:
Xerox officials have said the problems in Baltimore accounted for less than 1 percent of all the tickets issued there.
So, that's clearly untrue. Xerox kept burying itself, though, much like it thought it had buried that report.
"The majority of our camera programs are extremely well run and our customers are very satisfied," Xerox Corp. spokesman Carl Langsenkamp said. "That's really all I have to say about Baltimore."
Well, its "customers" were as satisfied as anyone can be when the truth has been contractually bound and gagged. The Chicago mayor's office defended doing business with Xerox by pointing out it had done its due diligence, noting no Baltimore official had declared Xerox barred or ineligible for city contracts. That's what NDAs do. They keep people from telling you bad things.
In even more "good" news for Chicago's drivers, the story also contains this bit of info:
Xerox Corp., best known for its onetime domination of the photocopier market, is a relative newcomer to the automated camera industry. In 2009 it purchased Affiliated Computer Services Inc. — well-known in the industry — for $6.4 billion.
"Well-known" has lots of different meanings. ACS is "well-known" for its close relationship with New Orleans cops, who formed their own company in order to cash in on ACS' traffic cam photo backlog, along the way violating NOPD ethics rules, laundering their funds through a police charity, and generally reinforcing the negative image of a corrupt New Orleans police force in many people's minds. In fairness, ACS accidentally outed the officers' unethical sideline by paying the controlling officer directly through his company, rather than obscuring the transaction through the charity.
ACS is also "well-known" for being careless with the personal info of millions of private citizens. ACS lost a data CD containing the personal info of 2.9 million Georgia residents back in 2007. Prior to that, it had a computer stolen (500k-1.4 million Colorado residents' data contained therein), suffered a website glitch that exposed 21,000 students' info, and had seven years of credit card data stolen from one of its computers at the Denver airport.
What Chicago may have watching over its drivers is a set of malfunctioning cameras overseen by a company that can't seem to stop coughing up people's personal data. Good times.
Earlier this morning we wrote about Charles Carreon suing Matthew Inman, IndieGoGo, the National Wildlife Federation and the American Cancer Society. At that time, all anyone had was the summary of the lawsuit as written by Courthouse News Service. Now, Carreon has posted the filing to his own website (with portions redacted) and the full version is now available via PACER. I've attached the officially filed version below. Rather than reveal new theories that we had missed in our original analysis, it would appear that our initial thoughts were dead on. This case is just begging to be anti-SLAPPed out of existence, in which case Carreon may find himself on the hook for significant legal fees.
When I was writing about the original case, I went looking through California's regulations on charities and couldn't find anything that would impact Inman or IndieGoGo; all I came across was this law from this page on the California Attorney General's website. But I couldn't see how that specifically applied to Inman or IndieGoGo, since it seemed to be focused (a) on charities themselves or (b) on professional fundraisers (i.e., people hired to fundraise on a charity's behalf). It did not seem to apply to people who just tried to raise money which they promised to donate to a charity. However, that is the law that Carreon is relying on. Carreon seems to try to twist the definition of a "commercial fundraiser" to make it apply to Inman and IndieGoGo, but it's a pretty massive stretch. Inman isn't doing this "for compensation," so the law doesn't seem to apply to him. IndieGoGo is just the platform, but isn't doing the soliciting or directly touching the funds. The law is designed for an entirely different purpose.
And even if, somehow, a court actually believes that this law applies here, you might wonder how it's possible that Carreon has any standing to sue whatsoever. The fundraiser has nothing to do with him (it was about Funnyjunk, but remember that Carreon is suing on his own behalf, not Funnyjunk's). Carreon appears to just be suing because he's pissed off. Except that Carreon thinks he found a loophole. He donated to the campaign himself in order to create standing:
Plaintiff is a contributor to the Bear Love campaign, and made his contribution with the intent to benefit the purposes of the NWF and the ACS. Plaintiff is acting on his own behalf and to protect the rights of all other contributors to the Bear Love campaign to have their reasonable expectation that 100% of the money they contributed would go to a charitable purpose. Plaintiff opposes the payment of any funds collected from the Bear Love campaign to Indiegogo, on the grounds that the contract between Indiegogo and Inman is an illegal contract that violates the Act, and its enforcement may be enjoined. Plaintiff opposes the payment of any funds to Inman because he is not a registered commercial fundraiser, because he failed to enter into a written contract with the Charitable Organization defendants, because the Bear Love campaign utilized false and deceptive statements and insinuations of bestiality on the part of Plaintiff and his client’s “mother,” all of which tends to bring the Charitable Defendants and the institution of public giving into disrepute.
Yeah. Once again, Carreon contributed to Inman's campaign for what appears to be the sole reason of using that as a way to get standing to sue. I'm somewhat stunned.
Also, how can he possibly blame the charities? Well, Carreon's lawsuit fails in that it never actually states a claim against the charities. Seriously. At one point in the explanation of the lawsuit, he does state the following, but never actually includes the charities in any of the actual claims:
Although the Charitable Organization defendants have notified by Plaintiff in writing about the fact that the “Bear Love” campaign alleged infra is being conducted by Inman and Indiegogo in violation of the Act, and that the campaign is being conducted in a manner that could cause public disparagement of the Charitable Organization defendants’s good name and good will, neither the ACS or the NWF have acted to disavow their association with the Bear Love campaign, thus lending their tacit approval to the use of their names to the Bear Love campaign.
Again, just for emphasis, I'll point out that even with this paragraph, Carreon fails to name either charity with any of the actual claims in the lawsuit. He does include them in part of the claim, by stating that they "have failed to perform their statutory duty to exercise authority over the Bear Love campaign," but still fails to directly assert the claim against them. Even if he somehow figured out a way to work them into one of the claims, this particular legal theory of not disavowing "their association" with Inman's campaign leading to "tacit approval" is pretty ridiculous as well, and not something I could see standing up in court.
Meanwhile, Carreon's theory that Inman "disparages the image of charitable fundraising" again seems to stretch all kinds of definitions and understanding of the internet. Basically, he relies on the fact that Inman likes to mock people he doesn't like. But that's entirely unrelated to the issues at hand. Furthermore, despite Inman and Inman's lawyer explaining (in great detail) to Carreon, earlier, that Inman has an ASCII pterodactyl on all pages of The Oatmeal's source code, Carreon spends an inordinate amount of space talking about how awful this is.
Inman has announced his vindictive response to his real and imagined enemies by posting, within the source code of all of the webpages on his main website, www.theoatmeal.com, the following image and text, depicting himself as a pterodactyl that will “ptero-you a new asshole.” A screencapture of the core of the source-code appears as follows:
Following the link to http://pterodactyl.me leads the Internet user to a page on TheOatmeal.com where a video created by Inman and Sarah Donner depicts Inman, in his character as a carnivorous, prehistoric flying reptile that first rips the intestines out of a man's anus, then flogs him with his entrails, then steals a pineapple from a boy, tears his head off, flings it a girl and knocks here head off, then grinds up the girl’s head up in a wood-chipper, blends it with the pineapple, and drinks the grisly cocktail
The filing then shows screenshots from the video in question, which we'll just embed here for your viewing pleasure:
Carreon tries to claim that these images actually incite Inman's followers into action:
Inman’s followers are by and large with technologically savvy young people eager to follow the latest trend, who embrace Inman’s brutal ideology of “tearing you a new asshole.”
Seriously? Carreon is literally arguing that a silly comic with cartoonishly ridiculous violence leads its fans to "embrace" this "brutal ideology?" Carreon really ought to spend more time online. Carreon repeatedly makes incredibly weak connections between Inman's cartoons, his online persona and the later hatred directed his way, but without any actual evidence.
Later in the lawsuit, Carreon again claims that Inman's statement that Funnyjunk "stole" images is "false and misleading." Whether or not that's true, it's irrelevant here. Funnyjunk is not a plaintiff in the lawsuit. He also goes off on Inman for "fighting words, and incitements to commit cybervandalism, none of which are entitled to constitutional protection." Neither of those make sense. It's nearly impossible to see how Inman's cartoons, as sophomoric as they might be, qualify under the standard legal definition of "fighting words" or any kind of incitement to violence. In fact, Inman has made no references inciting his audience to do anything other than give money to charities (which most people would consider a good thing).
Moving on... we've got the trademark and publicity rights claim. As expected, Carreon is asserting that various actions violate the trademark on his name and his publicity rights. The key is that someone set up a fake Twitter account in his name and tweeted various statements that might make Carreon look silly. Of course, reading some of the tweets, it seems rather obvious that the account is fake. For example, one of them talks about "backtracing" Inman's IP -- a rather obvious reference to the famous ya dun goofed internet meme. Also, as he had suggested in an interview on Friday, Carreon makes interesting leaps of logic in suggesting that Inman himself may have set up the fake account.
Then, finally, we have the "inciting and committing cybervandalism in the nature of trespass to chattels, false personation and identity theft." Here, he claims that the fact that his email address was made public was part of that incitement, claiming that he never made it public:
As noted above, Doe1 or Inman proliferated Plaintiff’s email address via a fake tweet made by “@Charles_Carreon.com.” Plaintiff had not posted the chas@charlescarreon.com email address anywhere on the Internet except where required by law and Internet regulations. (The email address appears on legal papers in PACER filings in cases where required by the rules of this and other U.S. District Courts; however, these filings are viewable only by PACER users. The email address was also used in the Whois registration database for various websites Plaintiff has registered for his benefit, and as by the authorized registrant/agent of various legal clients.) Inman or persons incited by Inman also proliferated the email address and Plaintiff’s home address on social networking websites, again for the malicious purpose of enabling cybervandalism.
Except... court filings are not viewable only by those with a PACER account. Filings with the court, if not under seal, are considered public documents and are often available from a variety of sources, including the Internet Archive and other places as well. Separately, if he didn't use an anonymizer, the whois info that includes his email address is public info. Furthermore, his address is available elsewhere online as well, including (um...) both the websites for the State Bar of California and the State Bar of Oregon. Oh, and the email address is also clearly stated in the version of the legal filing that Carreon posted to his own website. While he redacted his email address in the header, he did not within the text of the complaint. In other words, that address was widely available to the public already.
His second claim of cybervandalism was that someone tried to reset the password on his webhosting account:
On June 13, 2012, at 9:28 p.m., either Inman or one of the persons named as Does 1 – 100 engaged in the act of trespass to chattels, cracking the password on Plaintiff’s website at http://www.charlescarreon.com and requesting to reset the password. Fortunately, the intrusion discovered instantly by Plaintiff who was sitting looking at his computer screen when he received an email from the website software system, and was able to retain control of the website by immediately changing the password using the hyperlink in the email.
First of all, merely requesting a password reset is not "cracking the password." It's requesting a new password, which the requester would not be able to act upon unless they had access to Carreon's email (and there is no indication that that happened). In fact, it appears that the password reset system worked as designed, in that Carreon was warned that someone wanted to reset the password. And, actually, the fact that Carreon admits to "using the hyperlink in the email" suggests that the email itself could have been the real hack attempt. You should never change your password using a hyperlink sent to you in an email; go directly to the site yourself, log in, and make the change there. Normally, if you receive one of those reset emails and haven't tried to reset your password, you're supposed to ignore it so that the password doesn't get reset. Clicking the link and changing a password that way makes one susceptible to phishing attacks.
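To make the point above concrete, here is an added example (written for this page, not code from the article or from any site mentioned in it) of how a password-reset flow is normally built so that a reset request on its own changes nothing. It is a hypothetical in-memory implementation: the class name, method names and the `example.com` host are assumptions for illustration. The flow stores only a hash of the reset token, expires it after a fixed window, and accepts it once; the stored password is untouched until someone presents the raw token, which only reaches the account's mailbox. A small helper at the end shows the check a cautious recipient applies to a reset link before trusting it: exact hostname match over HTTPS, not merely "contains the site name".

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlparse

TOKEN_TTL_SECONDS = 15 * 60      # reset links expire after 15 minutes (assumed policy)
PBKDF2_ITERATIONS = 100_000      # constructed value for the demo; tune for production


class PasswordResetService:
    """Hypothetical in-memory account store with a conventional reset flow."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested offline
        self._passwords = {}         # username -> (salt, pbkdf2 hash)
        self._pending = {}           # username -> (sha256(token), expires_at)

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._passwords[username] = (salt, self._hash_password(password, salt))

    def check_login(self, username, password):
        entry = self._passwords.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._hash_password(password, salt))

    def request_reset(self, username):
        """Step 1: anyone can call this. It returns the raw token that the
        application would e-mail to the account owner and records only its
        hash, so a leaked database row does not yield a usable token.
        The stored password is NOT changed here."""
        if username not in self._passwords:
            return None  # the web layer should still answer with a generic message
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._pending[username] = (token_hash, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, username, token, new_password):
        """Step 2: only succeeds with the raw token from the e-mail, before
        expiry, and only once. Returns True if the password was changed."""
        pending = self._pending.get(username)
        if pending is None:
            return False
        token_hash, expires_at = pending
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(token_hash, presented):
            return False            # wrong token: leave the pending entry alone
        del self._pending[username]  # single use, whether or not it has expired
        if self._clock() > expires_at:
            return False
        self.register(username, new_password)
        return True


def reset_link_is_for_site(url, expected_host):
    """Recipient-side check before following a reset link: HTTPS only and an
    exact hostname match, so 'example.com.evil.test' is rejected."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname == expected_host.lower()


if __name__ == "__main__":
    svc = PasswordResetService()
    svc.register("alice", "old-password")
    token = svc.request_reset("alice")          # this alone changes nothing
    print("old password still works:", svc.check_login("alice", "old-password"))
    print("reset with token:", svc.complete_reset("alice", token, "new-password"))
    print("token reusable:", svc.complete_reset("alice", token, "again"))
    print("link check:", reset_link_is_for_site("https://example.com/reset?t=x", "example.com"))
```

Reading the flow this way makes the article's distinction plain: a stranger can trigger `request_reset`, and the owner receives a warning, but `complete_reset` needs the token that only the mailbox sees. The recipient-side helper is the part that addresses the phishing risk: a convincing email can carry a link to a lookalike host, which is why the safer habit is to open the site directly rather than follow the link.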
Finally, Carreon notes that some idiots online have signed his email account up for various spam emails/newsletters. If true, that's pretty stupid on whoever signed him up for those kinds of things, and people really shouldn't do that. But claiming that's "cybervandalism" or anything that can or should be pinned on Inman (again, whose target was Funnyjunk, not Carreon) seems ridiculous in the extreme.