Facebook's ContentID Clone Had A Vulnerability That Opened Up Ability For Users To Game Others' Videos

from the this-stuff-ain't-easy dept

Earlier this year, we noted that Facebook had launched its own ContentID clone, called Rights Manager, which was a response to a bunch of angry YouTubers who were annoyed at people "freebooting" popular YouTube videos onto Facebook. We noted that, like ContentID, we fully expected the system to be abused to take down content. While we haven't heard examples of that just yet, it does appear that Rights Manager had some serious vulnerabilities that enabled anyone else who was signed up for Rights Manager to manipulate the information and rules on any other video in the system (including, obviously, those claimed by other users).

Simply put, an imposter could easily wander into your anti-imposter pages without logging in first.

According to Muthiyah, pirates could actually have used Rights Manager to rip off their own copies of your reference copies, thus freebooting directly via the anti-freebooting interface

To its credit, Facebook fixed the problem and paid the researcher who found it a bug bounty of $4,000.

However, this does point out something rather important. Building these kinds of systems is really difficult. Beyond the problem of abuse that we frequently talk about, bugs and security flaws are a real risk as well. And yet, many in the film and recording industries still insist that it's "easy" to build a filtering system like this and that all sites should be legally required to do so. And, sure, Facebook and Google and the likes can afford to pay lots of money to build systems -- even buggy ones -- and then have bug bounties and such. But smaller companies aren't able to do so. Requiring them to do so basically wipes out the possibility of smaller startups entering the space and cedes the market, permanently, to the giant companies that everyone complains about.

Filed Under: contentid, copyright, filters, rights manager, security, videos
Companies: facebook

Facebook Launches Its Own Version Of ContentID, Which Will Soon Be Abused To Take Down Content

from the watch-this-space dept

Last year, after a bunch of YouTube video creators started slamming Facebook for allowing people to re-upload their videos to Facebook (they called it "freebooting"), Facebook insisted that it, too, was building a ContentID-like system to automate the process of taking down videos based on infringement claims. Last fall, the company announced that it would be using the same system basically everyone other than Google uses: Audible Magic as the backend system of that tool. And now Facebook has officially announced its product, called "Rights Manager."

Today we’re announcing the launch of Rights Manager, a set of admin and workflow tools that help publishers and creators manage and protect their video content on Facebook at scale. With Rights Manager, we want to give video publishers the confidence that their content is protected across Facebook, as well as provide them with increased flexibility and greater control over the use of their video.

Of course, these days, thanks to pressure from copyright holders, large platforms all feel compelled to offer something like this, even if it's not legally required. It's amusing that even in an age where the legacy players are demanding a "notice-and-staydown" system for copyright claims, they're still not happy that basically all the large platforms are already creating platforms that do exactly that.

But what's totally missing from the announcement is how Facebook will avoid the kind of abusive takedowns that YouTube's ContentID sees all the time. There's no mention of how it will protect against bogus claims. There's no mention of how it will handle disputes. Facebook just seems to pretend that the system will work perfectly and it won't be abused. There's little basis to think that's true given how widely ContentID is abused on a regular basis. The company also says that it has updated its "repeat infringer" policy, which is the new hotness thanks to some recent lawsuits over what qualifies as a reasonable repeat infringer policy.

Perhaps Facebook's system won't be nearly as abused as ContentID since it doesn't appear to (yet!) include ContentID's "monetize this use" feature -- but it still seems destined for abuse. And that's especially true since the company notes that the new system will be used against live content:

Video publishers and media companies can also provide reference streams of live content so that we can check live video on Facebook against those reference streams in real time.

So I'm sure we'll start seeing examples of livestreams being killed mid-show thanks to a snippet of music playing in the background. Considering that Facebook is betting big on live streaming, a few false flags taking down events that were livestreamed due to incidental copyright-covered content playing in the background may raise questions about how viable a tool this is.

To be clear, this is a difficult position for platforms to be in. They obviously feel strong pressure to take down infringing content, and an automated solution feels like it makes sense. But we've seen how these things are abused, and it's at least a little concerning that Facebook doesn't even seem to acknowledge that possibility in its announcement.

Filed Under: automated systems, content id, copyright, notice and staydown, rights manager, takedowns
Companies: facebook