How Bungie identified a mass sender of fake DMCA notices (torrentfreak.com)
417 points by perihelions on June 24, 2022 | 183 comments



The article buried the lede, which I think is this-- Google as email provider had information all along that DMCA notices it was sending to its YouTube property were not legitimate. Google even went so far as to flag and reject some of those notices because of false personalities, but instead of going to the root cause to stop abuse of its systems it allowed the same user to plug along long enough to manipulate YouTube in a way that caused Bungie an alleged $7.6m in damages. Then the icing is that when Bungie came knocking Google initially resisted a court-related request to allow Bungie to identify the user and stop the abuse. Wow.


But basically all of those actions would be things that would generate negative headlines. Would any of the following Hacker News stories surprise you?

* Google Shut Down British Teen's YouTube Account, Kid Loses Access to GMail

* Google Giving Out User Information to Companies Without Court Order or Protest

* Google Is Sharing GMail User Information with Game Publishers Out For DMCA Revenge

Every step along the way, there'd be an article and 100 Hacker News comments talking about how evil Google is and talking up how Duck Duck Go really isn't so bad as long as you remember the shortcuts that make it use Google.

Resisting requests from big companies demanding that they give out user information is a good thing. Changing their mind when they had clear evidence that the user was up to no good is a good thing. Not immediately shutting down someone's GMail account because they're doing something that upsets YouTube is a good thing.


The thing that's missing in all those headlines is context. Google has context and I like to imagine Hacker News readers would understand the context too (or at least find a top comment talking about the context). So Google refusing to do anything or make life extremely hard when they're the ones with all the data is really frustrating.


"Google just deleted my nearly 10-year-old free and open-source Android app"

https://news.ycombinator.com/item?id=20826618

"Google can ban your Android app if they think you’ve clicked on your own ads"

https://danfabulich.medium.com/never-run-google-ads-if-you-h...

And here's a Facebook one because it's almost too good

"Facebook banned me for life because I help people use it less"

https://news.ycombinator.com/item?id=28788821

Now I don't know the details of those stories but I can tell you the comments are what you'd think. There's never context when someone feels wronged and wants to show the world.

Google like many companies doesn't comment in detail on these types of situations so what we would get is the kind of headlines the parent made up.


> Google like many companies doesn't comment in detail on these types of situations.

I think the best statement from Google would say:

"We have more information which gives additional context to our actions here. We have asked for permission from the account holder to publish this information, but so far that permission hasn't been granted".

Why don't they make statements like that?


because they wouldn't put in the effort? Google is notorious for bad customer service.


It's relatively rare on the internet, even in HN, that all of the nuance would be seen or understood before people jumped to conclusions.


But it was done here, and that deserves credit. Few forums on the internet would solicit this level of discussion


This isn't really a great example of the point, however. This wasn't a story about a large company that cut corners for the sake of speed and efficiency just because there was context could have justified it.


Of course context matters:

Otherwise we’d be astonished at “Bungie sues long time gamer for 7.6m”. Obviously we can investigate further, it’s not that complicated a matter. I neither believe negative publicity would have occurred, nor that this is a justification for a cover-up. A trivial headline would be “Google suspends account of DMCA troll.” - I doubt it would even generate any clicks.

It just sounds like Google weren’t looking into the matter sufficiently (there are humans there after all.)


Yeah, I think every single “FAANG does X which is bad” thread on HN is completely devoid of context and nuanced discussion.


This 100x. I feel the Gell-Mann effect so hard on HN sometimes. 99 times out of 100 I think “wow the discussion on HN is so good”. The other 1 it’s about something I’m an expert in and the comments are so wrong it hurts. But I simply ignore that and continue thinking HN comments are great. That’s how the cycle goes.


I'm baffled how filing a copyright notice can be done without disclosing legal details of the one who is filing to the one who is hit by it.


Sure.

But if Google is deciding that avoiding those potential headlines is of higher priority than protecting its users from getting abused by the unfair system they put in place, we are justified to attach a derogative label to the company.

And it's cumulative, with all the other ones. The labels, I mean.

I just hope people will not forget them in 20 years after they make a giant PR campaign to become the good guys again, like with Microsoft.


> how evil Google is and talking up how Duck Duck Go really isn't so bad as long as you remember the shortcuts that make it use Google

These comments are always the pièce de résistance of HN absolutism.


There's no right to privacy while actively committing a crime.

Google already had a policy of doxxing YT users, only DMCA abusers get protection by default.


> Then the icing is that when Bungie came knocking Google initially resisted a court-related request to allow Bungie to identify the user and stop the abuse. Wow.

A big corporation came asking for data on an individual GMail user, and Google told them, "we're not giving that to you without a proper subpoena." That's exactly what you want your email provider to do.


Maybe, but that's not the point. It's not about the owner of the Gmail account, it's about the identity of whoever sent the DMCA request. Google should have had more than just an email, should have verified at least a registered company or domain or trademark, and should have willingly given up the verified contact information to anyone who asks.


> should have verified at least a registered company or domain or trademark

None of those things are necessary to hold copyright.


Regardless of that it should be required for filing an automated DMCA filing with Google. They should just be paying a helpdesk that does KYC for stuff like this.


Google shouldn't just hand over someone's information, but when Bungie provided evidence of abuse, Google _should_ have kicked off a robust internal abuse investigation. Knocking people off their platform for being jerks is absolutely within their ToS and purview under law.

The fact that they harbored the jerk for so long, even in the face of credible evidence and actual harm, suggests that, as another headline on the frontpage right now says, "If your [platform] is full of assholes, it's your fault."


Back a decade ago, CenturyLink kept disabling my ISDN line based off spammed DMCA takedowns. I wrote them several letters demanding proof, even pointing out that their abuse form was entirely open to anyone and asking for any substantive proof. It took them a third time to actually send some printouts which amounted to again random spammer on their DMCA form.

They "solved" the problem by firewalling connections and a lame gateway asking you to admit to whatever.


They didn't just bury the lede, they didn't cover google's barn door security hole on the DMCA submission process that allowed this guy to submit a hundred or so DMCA takedown requests with no need to prove his identity.

And then there's this:

> Bungie had to devote significant internal resources to addressing it and helping its players restore their videos and channels – an effort complicated by the fact that while YouTube has a form that allows anyone to claim to represent a copyright holder and issue copyright strikes, it has no dedicated mechanism for copyright holders who are being impersonated to let YouTube know about the DMCA fraud

Small content creators have only been complaining about this for, oh, ten years or so?

> This meant that Bungie had to work through several layers of YouTube contacts over a period of several days before it could adequately communicate and begin addressing the problem.

Days? Several layers? Gasp! Fetch the vapors!

Now imagine you're not a billions-of-dollars-in-revenue worldwide-known gaming company - and thus you have zero ability to reach a human.


To my mind it's far more concerning that Google did so little to confirm the identity of the guy sending the fake notices, let alone establish whether he had any right to be sending the notices in the first place.


That's just the DMCA.


While the DMCA might not oblige google to do any of that they could do it off their own back. Given that a few dodgy DMCA notices can effectively shut down a channel (which could be someone's livelihood) it doesn't seem that unreasonable.


But can google legally stop processing DMCA notices from a source that was known to make fake DMCA notices in the past?


IANAL but I think they might be able to pursue a case of "vexatious litigancy" against the person. That essentially strips them of some ability to use the legal system because they've rampantly abused it in the past.

It's a high bar to pass, but literal thousands of fake claims might indeed pass it.


A side note that I found particularly interesting

> On March 22, the Reynolds account logged out of Google and less than a second later, the Wiland account logged in, suggesting the same person was behind both accounts.

I've always wondered how often timing analysis is used in practice by surveillance big tech. I suspect that as people become more privacy aware, and start using VPNs, pseudonyms, multiple accounts, etc, that big tech will start using timing analysis more and more to correlate traffic and identify users. Like if your friend sends you a Reddit link on WhatsApp, and you immediately open it in your browser, that Reddit session is now linked to you.

Another more complex example: let's say Google has already identified your Reddit account. You open a Reddit discussion, and deep in the discussion it links to a Youtube video, and you open it in your browser. Now even if you weren't logged into Youtube, Google could guess that it's you based on the timing of when your Reddit account opened the discussion, and when the linked Youtube video was accessed. And not just that video, but now every Youtube video watched in the same browsing session, is now linked back to you (assuming you have first-party cookies enabled, which is basically required if you ever want to log into anything).

Seems a bit paranoid, but I actually suspect this happened to me a few months ago. I was using a FOSS reddit client and clicked a youtube link buried deep in a reddit thread, and opened it in Newpipe (a FOSS youtube client). I wasn't logged in, and was using a VPN, and yet the next day on my Youtube feed I started getting recommendations based on that video (and those recommendations were very different from my usual ones). Scary stuff.


> I've always wondered how often timing analysis is used in practice by surveillance big tech

Books written about the NSA, GCHQ, CSE etc talk about them using things like timestamp logs/traffic analysis/time of day analyzing commercial and government telecom links going back to the 1960s, so in the modern era even if your crypto is absolutely unbreakable, there's a huge amount of analysis and correlation that can be done based on timing analysis.

Then you combine your timing analysis with things like correlating geolocation of blocks of IP addresses, netflow and traffic analysis, metadata obtained from other adjacent/nearby users on same ISPs at either end, a whole fire hose of other data that's still useful even if the crypto is solid.

> let's say Google has already identified your Reddit account. You open a Reddit discussion, and deep in the discussion it links to a Youtube video, and you open it in your browser. Now even if you weren't logged into Youtube, Google could guess that it's you based on the timing

Not just timing but also cookies, client device/browser fingerprinting, IP address/what ISP you're on, and the usage patterns and logged in activity (and app-collected telemetry data on android and ios devices) of all the other persons in your household and neighbors.


I guess part of my hope was that big tech didn't think timing analysis was worth the effort. But it's rather scary if they are truly scaling up their timing analysis efforts. Now, if you care about privacy, it's not enough to just use a VPN or stay logged out or use anonymous accounts. You have to worry about _when_ you open every webpage. Be wary of immediately opening links that your friend sends you, or sharing webpages that you had just opened to your friends. And that's not even factoring in fingerprinting attacks


the average residential DHCP-pool-assigned customer on a cablemodem, dsl, gpon line or something doesn't change IP addresses that much, and very often the dhcpd will renew the router/modem's WAN port lease with the same address for months at a time. even if it's not an actual static IP.

this alone can be used to correlate a huge number of things since very often you have one household with a whole assortment of people and tablets, phones, laptops, xboxes, playstations, smart speakers etc all behind one IP address and NAT.

just having an entity like google know that your ip address is coming from a /24 in a /19 sized IP block that's known to be a comcast dhcp pool in a particular city/metro area is a huge amount of info.

other things happen as well. you have other people in your household who installed the facebook app on their phone and left geolocation/GPS permissions set to on? now your IP address has been correlated with a very specific latitude/longitude and the usage patterns of your (spouse, roommate, child, etc) who is using that app.


I'm well aware of the issues with IP (I mentioned that I use a VPN), and the general public is becoming more wary too, as can be seen with the rise of VPN usage. Which is why timing analysis is so scary, it bypasses most countermeasures


This sounds more like a forensic analysis than an operational capability.


Well it means that Google logs and preserves all that data for at least a few months. Who knows what they do with it


Store it because nobody knows what to do with it?


That's the optimistic case I guess. But I've already given an example where I suspect Google used timing analysis to figure out a youtube video that I watched (over VPN and using a FOSS youtube client). I think it's plausible that Google is already using timing analysis to track users


That would explicitly not be in line with the GDPR. Specifically, it would break 5.1(b) - purpose limitation.

> collected for specified, explicit and legitimate purposes


Data about logged in sessions is generally stored for security purposes.

If a malicious person had access to your account you want to know for how long they had that access for example.


Sure, that seems like it’d be a legitimate purpose, my comment was more a response to this.

> Store it because nobody knows what to do with it?


I can’t easily find the links (but I’m sure they are available), but there’s a [relatively] new science, that ‘fingerprints’ people’s writing style.

I think the technique, itself, is decades old, but has been vastly improved, using AI and algorithms.

It can be used to match things like anonymous rants, to individuals.


As I recall, the Unabomber's brother read a portion of the manifesto and recognized Ted's writing style.


Yes. It used the world’s oldest “AI”; the human brain.

But that is exactly how this works. From what I understand, the “enhanced” version of the technique is scarily accurate, able to match, using just a couple of sentences.


Have any good links to papers or books covering the state of the art in developing these systems?


> I've always wondered how often timing analysis is used in practice by surveillance big tech

Temporal correlation is the difference between regular network analysis, and dynamic network analysis. Just search "dynamic network analysis" on Google Scholar, and look at who's writing the papers :)

But to back up a step — every SaaS company does this on some level. If you have a backend audit-log for e.g. user registrations, and you eyeball it every so often to notice event clusters of people trying to bulk-register accounts in order to block their IPs — well, that's timing analysis!
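
The two timing signals mentioned in this thread, the near-instant logout/login handoff quoted from the article and the bulk-registration clusters in the audit-log comment above, sketched as detection logic. This is an added example, not part of any comment and not Google's method; the log format, account names, IP addresses and thresholds are constructed assumptions.

```python
"""Timing correlation over an audit log (added example; all data constructed)."""
from bisect import bisect_right
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: (ISO timestamp, account, event, source IP).
# IPs come from documentation ranges; none of this is real log data.
SAMPLE_LOG = [
    ("2022-01-01T09:00:00.000", "new_1", "register", "203.0.113.50"),
    ("2022-01-01T09:00:12.000", "new_2", "register", "203.0.113.50"),
    ("2022-01-01T09:00:25.000", "new_3", "register", "203.0.113.50"),
    ("2022-01-01T09:00:41.000", "new_4", "register", "203.0.113.50"),
    ("2022-01-01T09:05:00.000", "new_5", "register", "192.0.2.10"),
    ("2022-01-01T10:00:00.100", "acct_a", "logout", "198.51.100.7"),
    ("2022-01-01T10:00:00.500", "acct_c", "login", "192.0.2.77"),  # coincidence
    ("2022-01-01T10:00:00.900", "acct_b", "login", "198.51.100.7"),
    ("2022-01-01T10:30:00.000", "acct_b", "logout", "198.51.100.7"),
    ("2022-01-01T10:30:00.400", "acct_a", "login", "198.51.100.7"),
    ("2022-01-01T11:15:10.000", "acct_a", "logout", "198.51.100.7"),
    ("2022-01-01T11:15:10.700", "acct_b", "login", "198.51.100.7"),
    ("2022-01-01T12:00:00.000", "acct_d", "logout", "192.0.2.33"),
    ("2022-01-01T12:00:05.000", "acct_e", "login", "192.0.2.34"),
]


def parse_events(rows):
    """Return events as (datetime, account, event, ip), sorted by time."""
    events = [(datetime.fromisoformat(ts), acct, ev, ip)
              for ts, acct, ev, ip in rows]
    return sorted(events, key=lambda e: e[0])


def find_handoffs(events, max_gap=timedelta(seconds=1), min_count=2):
    """Count account pairs where one logs out and the other logs in within
    max_gap. A single hit on a busy service is usually coincidence, so only
    pairs seen at least min_count times are reported."""
    logins = [(t, acct) for t, acct, ev, _ in events if ev == "login"]
    login_times = [t for t, _ in logins]
    pairs = Counter()
    for t, acct, ev, _ in events:
        if ev != "logout":
            continue
        i = bisect_right(login_times, t)  # first login strictly after logout
        while i < len(logins) and logins[i][0] - t <= max_gap:
            other = logins[i][1]
            if other != acct:
                pairs[tuple(sorted((acct, other)))] += 1
            i += 1
    return {pair: n for pair, n in pairs.items() if n >= min_count}


def find_registration_bursts(events, window=timedelta(minutes=1), threshold=3):
    """Return {ip: peak registrations inside any sliding window} for IPs
    whose peak reaches the threshold."""
    by_ip = defaultdict(list)
    for t, _, ev, ip in events:
        if ev == "register":
            by_ip[ip].append(t)  # already in time order
    bursts = {}
    for ip, times in by_ip.items():
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("repeated handoffs:", find_handoffs(evs))
    print("single-hit pairs included:", find_handoffs(evs, min_count=1))
    print("registration bursts:", find_registration_bursts(evs))
```

The `min_count` filter is the part that matters in practice: with it set to 1, the unrelated `acct_c` login is paired with `acct_a` purely by chance.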


I don't have an expert understanding of how cookies or VPNs function, but these are the two categories of causes that I came up with. Both seem more likely than Google having timing data from a third-party service.

Within the first category, possibilities include that the phone logged into your Google account while using the VPN, that there was a Google tracking cookie on your phone and that phone wasn't always connected to the VPN so it related 2 ip addresses, and that your other device on same network shared a VPN session with your phone.

The 2nd category I'm including for posterity even if it's unlikely based off your stated usage of FOSS on your phone. That your phone isn't a degoogled OS or other device with Google integration. Smart devices with microphones aren't supposed to collect voice data when not explicitly activated, but it is a potentiality.


At this point I feel like I should have used a throwaway with how many details I'm giving away here haha, but I have never attached a google account to my phone (I access any google services via browser), and while I don't run a degoogled OS, I have disabled play services and all google features + apps. I'm aware that there's still a chance that Google has trackers, but those trackers would (1) have to detect which reddit account I was using inside my FOSS reddit client (2) detect which video I watched on my FOSS youtube client. It's possible but I decided that this level of surveillance was both more nefarious and less likely than them using timing analysis.


It is used a lot, also to identify people on TOR. But you usually need something else if you want to use that in court.

See:

https://resources.infosecinstitute.com/topic/timing-analysis...

Or the academic research on the domain https://scholar.google.com/scholar?hl=en&as_sdt=0%2C14&as_vi...


In your example how does google correlate your particular reddit account with the link you clicked? YouTube can't access your reddit session cookie so how would google be able to disambiguate your reddit session from arbitrary traffic flowing through the reddit page?


That's where the timing comes in. The reddit discussion I clicked the link from was an old one, and so was the youtube video (though it did have hundreds of thousands of views). I was probably the only person who opened them up within the same hour


There was an article about how easy it is to find out if 2 of your Facebook friends are dating just by analyzing when your Facebook friends are online, and there isn't any effective way of stopping it from working other than disabling presence notifications.


Though worrying if it's done, I doubt that it's done at any scale in the way you're suggesting. Linking accounts is PII and the GDPR would require consent, right to view the information, right to correct the information and so on.

I think it was only doable in the end in the article because the data were released as part of a legal process.

Regarding your YouTube story, there are lots of examples of things like this (e.g. "I talked to someone about X in person then saw X in Facebook ads") but I haven't yet seen hard evidence. So far I've written it off as coincidence at scale.


The GDPR considerations are interesting, and it does seem like GDPR can cover things like behavioral data [1]. I'm not sure how it works in regards to Newpipe, the FOSS youtube client I use though. I assume whatever scraper Newpipe uses in the background has already accepted the cookie consent dialog, which would allow Google to start scraping data like IPs and other behavioral data. Not an expert on GDPR law though obviously.

As far as it being a coincidence, that's usually something I assume as well. But it really comes down to a game of probabilities. Is it more likely that it's a coincidence, or that Google is doing timing analysis? In this case, a coincidence just felt less likely. I check my youtube feed at least once a day, so I know what my recommendations look like. This recommendation was so out of the ordinary that it stood out to me in a sea of my usual recommendations. And it stood out so much that it prompted me to go back and check my Newpipe history and Reddit history, and spend like an hour investigating and trying to figure out what was most likely. I even wrote down notes about the incident. Also I should probably mention now that earlier I had said that I got those youtube recommendations the next day, but checking my notes now, it was actually within an hour. The video that was recommended to me was not some trending video, it was already a few months old. I also searched my Youtube history to see if I had watched anything else from the same channel, and I had only watched 2 videos from that channel total, and over a year prior.

I know that timing analysis seems very nefarious, more high-effort and nefarious than I would expect from even a company like Google. But my guess is that they aren't doing it intentionally, they instead just feed a bunch of analytics data (that they have user consent to collect) into some giant ML model, and that ML model has learned to use timing in its predictions.

[1]: https://blog.rsisecurity.com/what-is-considered-pii-under-gd...


My understanding is that if you wanted to hurt a YouTube channel, you could do so like this

   1. Use a VPN to create a gmail address.
   2. Use that address to file a DMCA notice on each channel video.
   3. Google auto-accepts; the channel challenges each notice.
   4. You deny all challenges.
And just like that, you can destroy any YouTube channel, without any accountability. Is this correct?


You also have to provide some personal information to file a request, like phone number, name, address.


But it isn't verified by Google. Is it given to the channel? Do they have any recourse if they determine it's fake?


I'm not sure about Google in particular, but typically the service provider will pass along the information and tell the parties to settle in court. They will also keep the reported material down until either party forwards them the outcome of the court case.


Sure, but doesn't Google assume the DMCA notice is valid unless proven otherwise? If that is the case, time is on the attacker's side, and won't affect the attack too much.


failed at 1, you cannot create a gmail account with a VPN (unless you want to verify by phone)


How does Google know you're on a VPN? I'd assume that it could only be inferred from the source IP address of your UA, which implies Google keeps track of well-known VPN source IPs. However, apart from the fact this is imperfect (I assume IP blocks are shifting all the time?) you could easily spin up a VPN of your own on a cloud VPS, in which case tracking IP blocks wouldn't work.

Perhaps simplest of all, you could always sign up for the email on a semi/public wifi access point, or even from a shared computer, as from an internet cafe or even a friends phone.


VPN detection isn’t rocket science. It’s a commodity and works well for Netflix and all other services relying on geo ip detection. It’s not always accurate but works well enough. Blocking data center IP ranges is also done frequently and so spinning up a VPS on a provider like DigitalOcean won’t work.

The most likely option to use is residential proxies which are real IPs of devices, these are very hard to block but expensive.

Probably best to just go to a public wifi and use a burner phone if that’s what you want to do.


Cloud VPSs can be looked up and you can see they're a datacenter IP, which is probably assumed to be "VPN" by default. I'm running my own vpn like that, but I still get blocked on sites for use of a VPN.


SMS verification services from first-world countries cost a couple dollars at most


I always read that but have never found a service like that, do you have a link?

A lot of services that I don't want then to have my PII are starting to ask for phone verification.


Try textverified, you can even pay in crypto for legit unused numbers

Though I don't know if they are somehow blacklisted by Google. And the main service is just a one time verification rental but you can also rent a number for a few days.


There's plenty of websites for services like that, just google "pva verification"


A pay-as-you-go burner phone is pretty cheap.


Lots of sites, including afaik google, discord, etc. detect this and do not allow them.


They do not. I know from first hand experience. More fundamental question: How can you distinguish a "burner" phone (no registered user name at mobile phone company)? As I understand, a SaaS (like Google et al) cannot distinguish.


Facebook probably can (or could if they wanted) because they've got everyone's contacts. But yeah, never had an issue with throwaway SIMs with any of the listed services.


Wow, big claim. Also your other comment that they detect custom vpns, I'm just thinking hmmm ... do you actually know what you're talking about?


Yes, I do. All you have to do is look up the IP of someone connecting, and if it's not a home IP (e.g. a datacenter IP, like inside an IP range that a larger hosting company owns), it's most likely a VPN or something similar.

Instead of writing this comment you could've taken one of the nodes you run (since you seem to be so qualified) and simply install openvpn on it and connect to it. Then go and visit sites that would be restrictive, or visit any site that tells you more about your IP.

But sure, go off and question my qualifications because you haven't considered this, or tried it, or ran into the issue yourself.

Plus, the way Discord, for example, does phone numbers, is that they just block anything they aren't quite sure about.


I’m surprised I haven’t read any articles about how low income people with bad credit who can’t get a post paid cell phone are banned from gmail. Or maybe this is just incorrect.


I cannot remember the last time I've read an article about any issues low income households face when using tech, but maybe that's just my selection of news, I'm not sure.

I know that I have difficulties using some services because I cannot afford faster internet, for example.


I have a burner phone specifically for SMS. When jackasses sell it to the credit bureaus I deny it's my phone, whether I utilized it for SMS is irrelevant.


They absolutely do not. Or didn't 3 months ago.


Why not just buy an account from eBay or similar?


Wait what?

I definitely did that in past.


It's funny how people are siding with Bungie that Google should have given them the details but these same people complain about google knowing too much about them and its privacy implications. From the looks of it Google did the right thing where it comes to siloing data of different departments. Youtube dmca should not know the ip address of someone that sent the email using gmail that is the correct way to go about it.


Here is a long-ish Tom Scott video related to YouTube's (or rather the Internet's) broken copyright system:

https://www.youtube.com/watch?v=1Jwo5qc78QU


> Google initially refused to comply but after some work, Bungie started getting the information it was looking for earlier this month.

Yet another example of justice for me, but not for thee.

A smaller content creator might not have even overturned a false DMCA claim, let alone get information about the copyright troll submitting it.


Genuine question: for Google to offer free services, economic constraints dictate they can't offer human support. If we just assume for a moment this is valid, there is a possible solution:

You can pre-pay $50/hour (in 30 minute increments) for live human access that can fix your problem. The fee is paid no matter whose fault it is -- it's basically a "competent, in-your-country, rep fair wage fee". How much take up would there be? Would that fix the complaints with these free services not offering support?


Except I don’t assume that is valid. Google has plenty of money, they can easily afford support personnel, they’re just more interested in making money.


Well they can certainly offer free support for one-user, but for all users? There are a lot of 100-view, $1/year revenue accounts out there, and good quality customer services (based in-developed-country, good benefits, smart, can solve problems) probably is in reality excess of $100/hour of fully burdened cost.

On the steelmanning your argument side, there is definitely an argument for "common carrier" status for a lot of web technologies. This would guarantee universal access, fixed prices (either dollars or amount of data collected), and due process for disconnects. Governments could also mandate real ids with each account (therefore drastically reducing fraud and abuse in the first case).


I don't think you have done the math on revenue per account vs support cost


They can hire 20,000 support staff for a 2.5% profit hit. I don’t think you’ve done the math.


20,000 is an arbitrary number without knowing the denominator. How many accounts do they have, how often would they need to support these accounts per year?


Well luckily 2.5% is an arbitrary number too. They’d have no problem scaling up to as many customer support people as they need. But yes, they would need to figure out how many staff members per account they need.


If you scale it up over 100%, you won't be in business for very long.


Wouldn't that be a lawsuit in the making? Create problem, charge for support, profit?


No... charging for support is the most popular software business model, and in the enterprise sector, FAR more lucrative than selling the software itself.

The goal of the company charging for support (directly or indirectly through purchases) is to collect the support payment WITHOUT having to turn around and spend it on paying someone to solve problems.

It's very much in the company's financial best interest to not have problems.


They would still outsource the human part to people with no knowledge or power like all YouTube appeals


IMO the fee should be waived if the issue is deemed to be an error made by Google's algorithm at least.


Totally. If that became a revenue driver for Google I could see their Algorithm optimizing for the case in some contrived form :).


$50/hour? How about $2/month? This gets you support from real humans [1]. Given this already exists, I guess the answer to your question is "no".

[1] https://one.google.com/about


Do you think $2/month gets you access to people who can actually fix DMCA problems?


$2/month gives you access to first-level support via email/chat, from guys with barely any experience in solving actual issues.

I dare you to try and contact them when you have an issue with your Google account.


But for YouTube creators it's NOT a free service, they're uploading videos for YouTube to monetize so both YouTube and the content producers get revenue.


I've used Google's support for paid services in the past (GCP, YouTube Premium, Workspaces) and it's the same almost nonexistent garbage.


Maybe Google is too big then eh?


I would have 100% paid this on multiple occasions.


> A smaller content creator might not have even overturned a false DMCA claim

In the YouTube DMCA process, they always, 100% restore your video if you submit a DMCA counterclaim. It'll only stay down if the claimant informs YouTube they are pursuing a lawsuit against you.

> let alone get information about the copyright troll submitting it.

You receive the full information of the copyright holder if you receive a DMCA takedown. You obviously don't get IP log information unless you subpoena Google, though.


> You receive the full information of the copyright holder if you receive a DMCA takedown.

That’s not exactly helpful if it’s a fraudulent claim.


What is "after some work" here alluding to (I know it's verbatim from the article but very cryptic)? Can Google arbitrarily share account details with anyone who asks without a subpoena? Does that not violate even their own ToS?


The First Amended Complaint linked in the article indicates that Google required a subpoena (paragraphs 112-114) and were unwilling/unable to provide information informally.


It also says

> While Bungie’s legal department, management, and executives were attempting to negotiate the byzantine procedural labyrinth Google required before it would address the fraud Minor was committing, let alone identify him to Bungie, Minor was gloating, confessing, and threatening

I'm guessing there was something more going on here...


This seems more like difficulty getting in touch with a human at YouTube in the first place. Once they got that, the practical issues were resolved with YouTube undoing the takedowns, but the PII of the involved accounts needed to go through the legal process.


> This seems more like difficulty getting in touch with a human at YouTube…

If you serve them with a subpoena your lawyer will get a prompt phone call from a real human. That’s the point.


Thank you for pointing this out, I didn't realize they linked to the complaint at the very bottom.


The article didn't say what this "other thing" Bungie then did to get Google to cough data up. Wondering what it was?


Can anyone explain the below? Did he DMCA strike himself, and then get angry about it? Or am I reading something wrong...

> The clickable emblem link was sent to PerfectNazo1@gmail.com and during the chaos of fake notice campaign, a YouTuber called ‘Lord Nazo’ was hit with fraudulent DMCA notice, sent by the Wiland Google account.

> Apparently angered by this injustice, Lord Nazo fired a DMCA counternotice back at YouTube in which he criticized the wave of fake notices and claimed his video was not infringing since it was a “transformative case of fair use.”


He got legitimately DMCA stricken, then he manufactured a campaign of illegitimate DMCA strikes and hoped he could get his own strike overturned as part of the reversal of illegitimate strikes.


And that idiot revenge campaign served him with over $7M in damages. Assuming he can't pay even a fraction of that amount, what is going to happen to this genius? Will he land in jail for some time?

I have mixed feelings about this however: pretty sure that if they inverted the roles, that is, it was the big company that sent bogus DMCA take down requests, the outcome wouldn't change: the small fish would still be eaten.


Here's what will happen. He will lose the $7M civil suit. He will have a judgement of $7M that Bungie is free to collect on such as wage garnishments if his home state allows it or repossessing any assets the state doesn't protect (many states block repossession of your primary household). At this point his option is Bankruptcy.

Depending on his total assets, a judge will either allow Chapter 7 or Chapter 13. Chapter 13 happens when you negotiate with your creditors based on your income. In Chapter 7, you discharge the entirety of the debt. If he does not file Bankruptcy, then Bungie can reinstate the judgement every 10 years (time depends on the state) and continue collecting until his death.

After Bankruptcy, the debt will follow him for 7 years (possibly more as unscrupulous debt buyers will give him a taste of his own medicine filing invalid, but hard to prove, claims on his credit report). The size of the debt may make seeking employment difficult. Having a judgement of any size will limit his ability to rent houses or get any sort of credit. And good luck getting any kind of government clearance. This is the real debtor's prison which will relegate him to living under sleazy landlords likely in questionable locations, getting loans with insanely high APRs, and having to use his own money to generate credit (secured credit cards). Even though judgements last for 7 years, after bankruptcy you are usually out of this prison in 3-4 years. FWIW, many loan officers may look at that judgement as a clerical error (someone pressed 0 too many times) but once they ask for clarity all bets are off. But I've heard many stories of people climbing into a $50K car loan a year after bankruptcy so his mileage may vary.

EDIT: Bungie and this gentleman could settle out of court with no judgement as well. The filed civil suit will still be a public record but that is much lower weight on one's credit score. The out of court settlement could stipulate no more Bungie content being uploaded or posted on the internet for a period of time. There are many different directions, what I outlined is if this person does not respond or otherwise loses the civil suit.


Or he will do something like leave the United States entirely and get a low-end job teaching English in China, or something similar.

There's a number of things overseas that a reasonably well educated American can try to get hired for, and a US domestic civil judgment won't show up on a criminal background check if one is run.


Leaving the United States doesn’t absolve him of the debt. Any wages or assets he makes in the USA are subject to garnishment. I would fully recommend bankruptcy for this individual regardless of his residence.


In some cases court judgements are not discharged in bankruptcy. Not sure about this one though


Civil cases are dischargeable. Government judgements iirc cannot be discharged. The two most well known are IRS debt and government backed student loan debt.

EDIT: the government agency has a method to discharge the debt, which is why the courts will not intervene except under extraordinary circumstances


It seems like actual debtors' prison, or rather a system of translating judgement debts to months imprisonment, would be better than the current system, for everyone. It keeps these consequences from being invisible.


No because you still have all of your rights. The government is not infringing on your freedoms, they are providing a service (the courts) to settle disputes between civilians


>And that idiot revenge campaign served him with over $7M in damages. Assuming he can't pay even a fraction of that amount, what is going to happen to this genius? Will he land in jail for some time?

Thankfully, we don't have explicit (although there's plenty of incarcerated folks who wouldn't spend a day in jail if they had enough money to fight whatever bullshit charges are brought against them) debtor's prisons, so probably not.


But isn't filing a false DMCA takedown in and of itself illegal, beyond any civil damages caused?

Edit: Okay, the filing requires asserting "under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed." But I'm not sure whether anyone has ever been prosecuted for perjury for something like this. It's seemingly generally resolved only by suing for damages.


>But isn't filing a false DMCA takedown in and of itself illegal, beyond any civil damages caused?

According to this site[0]: "...if someone files a fraudulent DMCA takedown notice, they can be sued for the damages caused, along with the costs and attorneys’ fees that were incurred in pursuing those damages. In many cases, the costs of attorneys’ fees can far outweigh the actual damages."

Apparently, there is standing for civil action against someone filing a fake DMCA claim, but no criminal penalties.

But YMMV. The above was just the first relevant link in a search for 'criminal fake dmca claims'.

[0] http://smithlawtlh.com/false-fraudulent-bad-faith-dmca-take-...


That article also mentions that (at least some aspect of) the filing is made under penalty of perjury. So, theoretically, there's potential for criminal charges for abuse of DMCA process. I think that just never gets prosecuted.


>That article also mentions that (at least some aspect of) the filing is made under penalty of perjury. So, theoretically, there's potential for criminal charges for abuse of DMCA process. I think that just never gets prosecuted.

The relevant Federal laws[0] do appear to support your assertions.

That said, it's apparently a bit more complicated to prosecute someone in the context of false DMCA takedown requests.

Even more, you can't put a corporate entity in jail (limited liability, the corporate veil, etc.), only people.

As such, I imagine that unless there's something really egregious (and this situation might be an example of that -- ask a US Attorney -- I'm not one of those), I suppose Federal prosecutors could charge someone with perjury over such false claims.

[0] https://www.justice.gov/archives/jm/criminal-resource-manual...


He posted the soundtrack from the game to YouTube and got a real DMCA takedown notice. Then he created fake email accounts similar to those used by the law firm Bungie hired and started sending out fake notices.


This bit explains it:

> My channel even got terminated because of all these fake takedowns. Is there anything you can do about this?

His bright idea was to get his account unbanned by hoping Bungie would think it was part of the fake notices.


Does anyone else have any other interesting court case filings to share, off the top of their head, that documents the evidence trail used to unmask litigants?


This doesn't have much of an 'evidence trail' but I thought last year's court filing about the Maryland nuclear engineer was interesting: https://www.justice.gov/opa/pr/maryland-nuclear-engineer-and... (click on the "Download Toebbe Complaint" link to see the full PDF)


Not on the topic of unmasking anyone, but the judgment on Meads v. Meads is required reading on the topic of what's going on now with "sovereign citizens / freeman on the land", an increasingly common thing.

https://www.canlii.org/en/ab/abqb/doc/2012/2012abqb571/2012a...


So like swatting with Google in the role of incompetent and heavily armed police?


Can't accuse them of being incompetent if the law requires them to behave this way.


The law doesn't require them to behave this way. They have implemented their own system that is more draconian than the DMCA so they don't have to deal with entertainment industry lawyers.


It's not so they have to deal with entertainment industry lawyers, it's to minimize the labor costs of compliance.


Or more likely - all of the above.


Well, law enforcement agencies are required to take reports of violent crimes seriously.

I think that the analogy holds.



This is highly overlooked “The company tried to subpoena Google using the DMCA but the chosen mechanism only allowed Bungie to identify an alleged copyright infringer, not the sender of allegedly abusive DMCA notices.”

We have been the recipient of many invalid notices to Google. Google publishes the details via Lumen but makes it impossible to reasonably analyze the data. 1) They hide the sender info. 2) They make you validate, via email, for EACH DMCA you want to view. In other words, they claim transparency, but practical use isn't possible. They also don’t publish DMCA’s against sites like YouTube.


Gotta love stupid criminals. "Nope, nobody will ever figure out my anonymity shield of multiple GMail accounts"

I'd really hope this might shed a light on YouTube's ludicrous policies, but no, it will not do anything towards that.


All claims in this process dealt with the DMCA system, not the Content ID system, and YT handled it in the only way they legally can throughout the entire process.


The safe harbor provisions of the DMCA are a carrot, not a stick. They do not impose any responsibilities upon YT, they only provide benefits should YT voluntarily respond to complaints in a specific way. YT does not accept every DMCA complaint at face value, and they aren't required to.


YouTube goes FAR beyond what the DMCA requires, they actively filter EVERY video through a data lake of fingerprints for copyrighted music/video and this process biases HEAVILY toward false positives. It not only takes down videos in cases of accidental infringement (e.g. a vlogger walking past a radio in public) but also suffers from well-documented cases of just plain getting it wrong. Musicians often get their own music taken down, even when it contains no samples.

Many content creators have fallen back to playing NO music at all in their videos, and they still get hit by it. YouTube has been silent on the matter, not to mention on how that's even possible.

The algorithm is so effective that police have taken to playing loud copyrighted music when engaging in actions that they don't want spread via social media.

At this point, it's getting hard to ascribe the awfulness of the fingerprint-driven auto-takedowns as mere incompetence.


That's called Content ID and was created in response to Viacom dragging YT through court for not preemptively stopping people from uploading episodes of Spongebob. Viacom was planning to take it further up the appeal process until a settlement was reached, almost certainly with the goal being "you upload your copyrighted material and we'll automatically scan every video upload to remove it". Of course, other copyright holders weren't going to let Viacom have all the fun, so YT expanded it to allow any big-name rights management firm or copyright holder to use the system.

https://en.wikipedia.org/wiki/Viacom_International_Inc._v._Y....

Despite this, everything mentioned in the torrentfreak article was handled under the official DMCA process, and they handled it as they should have, as they disabled access to all videos immediately until the counter-notice was posted by the claimee. Eventually they started asking the user for proof of identity after they suspected he didn't represent Bungie, but that's not a requirement in the DMCA process.

Separately, YT does often go to bat for its creators if/when they suspect supposedly infringing content is actually protected under fair use, eg. recently when "Vantage Media" was trying to take down all footage of the trailers for Kevin Spacey's new movie, Peter Five-Eight[1]. This is still only wrt DMCA, as Content ID is designed to allow rights management companies to control their content on YT entirely (with no regard for fair use, on purpose) as YouTube doesn't want to get on the bad side of their partners in the Music (YouTube Music[2][3]) and TV/Sports (YouTube TV) space.

1: https://youtu.be/aY1CYF3MKec?t=27

2: https://variety.com/2017/biz/news/warner-music-extends-youtu...

3: https://www.theverge.com/2017/12/19/16796058/youtube-univers...


I would class him as a lone possibly mentally unstable sad individual rather than a criminal.


Maybe this is a way to do anti DMCA activism? You send thousands of takedown notices to big companies until they realize that it's a stupid system?


This seems like an excellent way to respond to companies abusing the DMCA, like Nintendo and Hackerrank.


That's actually wildly hilarious in a way. Pretty creative way of attacking businesses. Probably more creative than something I could come up with. Copyright is way too strict though. It's ridiculous that this is even possible, to an extent.


Weaponizing Google's lack of customer service is in fact pretty creative. The "exploit" here is that Google really doesn't care in the slightest about fraudulent DMCA takedowns - it's expensive labor-wise to handle it.

Doing it from your home internet connection, less creative...


You have to be a true imbecile to pull this type of stuff without spoofing your IP and keep using the same email addresses created by the same address. This person must be a kid.


His name is even Nick Minor.


I know this forum is about curious conversation, but in this case, fuck Google and the system it uses. It’s overreaching and again the classic “you don’t talk to humans Google, unless you are a rich or famous company/person.”


Which is why I'm particularly worried about Google getting involved with healthcare. "We're sorry, the malgorithm has denied you access to your health records. Go ahead and sue us, but good luck surviving long enough to see resolution with both you and your doctor locked out of your health records."

And yes, I'm aware that Google doesn't currently seek to be in a position where they could lock you out of your own records, but the octopus's tentacles only grow. I'm also aware that Google Health is quite old... it was around back when I worked on Google's indexing system a decade ago.

Edit: This month, expiration of Google's legacy free tier of whatever they now call Apps For Your Domain is forcing me to get off of my butt and migrate my vanity domain away, and start moving the keys to my digital life off of Google's "free" services. It'd be rather painful if I got locked out of GMail today, and I don't have any financial leverage to get back in.


You can confirm it's non-commercial and they let you keep it for free... for now.

They made the change fairly late in the process, and supposedly there was a way to undo the paid migrations by opening a support ticket, but I saw lots of posts about people being unable to migrate back and get refunded.


Thanks; great info! However, I think it's long past due for me to move the keys to my kingdom onto a paid service. However, maybe I'll leave one of my vanity domains on Google services. (Roughly 70 people worldwide share my surname, so it was easy to pick up a few vanity domains.)


Honestly though, it's not "fuck Google," it's "fuck Congress."

Google needs to err on the side of caution with DMCA because it's the immediate response to the requests that provides the safe harbor to Google under the law.

You had Disney (et al) lobbying like crazy decades ago to get the most insane laws passed when it came to digital IP.

Now we live in a world where those lobbying efforts were successful, which of course sucks for everyone that didn't have millions of dollars to spend on lobbying their interests and far outnumber those that did.

Minority rule through corruption causing a pseudo-oligarchy is sucking more and more every day, and DMCA takedowns are simply a small part of that larger sucking.


Even before congress there is a lot of wiggle room for Google to step in. Why is this possible? : “The immediate challenge for Bungie was that the company either didn’t know or couldn’t prove the identity of the culprit before filing the lawsuit.”

The takedown notice should come with a verifiable address. Google has a business directory for crying out loud! Just make it mandatory you have a business listing account.


Honestly though, it's not "fuck Congress", it's "fuck the electorate".

One of the great ironies about the rise of corporate fascism in the US is that the democracy does function on a technical level. If enough people worked together to do the right things, ballots could be cast and there is no dictator to prevent the will of the people from being heard.

Of course, that does not happen. The people have proven ineffective at self-governance.

At this point I'm wondering if we should just hand all governance over to a consortium of industry leaders that are accountable to shareholders. If we're going to do an oligarchy, let's at least be efficient about it.

That seems better to me than the current system of an easily brainwashed public electing whoever has the best disinformation campaign.

Do you think we'd have all these crazy IP laws if the big IP holders and big tech companies had to get in a room together and actually figure out what the law should be?


> we should just hand all governance over to a consortium of industry leaders that are accountable to shareholders. If we're going to do an oligarchy, let's at least be efficient about it.

They might at least make the trains run on time.


We might have trains!

All the fascist stuff is pretty bad -- nationalism, strongman leaders, isolating an "other" with violence, grifters selling out the people's interests to corporations -- I'm not down with any of that.

But maybe we could have some kind of system where corporations are forced to vote on governance that applies to all other corporations for the collective good of capitalist progress?

There needs to be some kind of unified governing principle to make everyone's lives better.

We can't go on with BIG_CO hiring lobbying firms to most efficiently snake their legislation through the system unchecked.

In my thought experiment here, most corporations would want to enact policy responsibly for the public good. Cooperation between corporations would happen, but the default position would be for more happy consumers.

So far we've tried letting representative democracy work out hard issues and that hasn't gone well. We've also tried deferring governance entirely to the courts with poor results.

I'm open to suggestions.


The system YouTube uses backs up onto the DMCA. If you submit a copyright counter notice, the claimant needs to engage in legal action within a certain amount of time or YT will reinstate the video.

https://support.google.com/youtube/answer/2807684


During which the content creator misses out on revenue, much of which they often can’t recoup because the content may not be evergreen.

If I release a video about election results during an election and it takes weeks - hell let’s be generous and say 72 hours - to go out because of a bogus DMCA claim, that’s a huge financial loss for me.

90 days? No way. In the world of online content creation that’s a death sentence. That’s not even remotely a solution.


And the entity filing the false claims is free to spawn a few extra corporate identities if they like and keep your videos in limbo.


This is one of the few things Vimeo (at least used to, it’s been a while since it happened to me) does right.

I got a notice that I used licensed music and they took my video down, I appealed and my video immediately went back up during the appeal process. This all took place within about half an hour of my posting it. I sent them the email showing the artist gave me permission, and a few days later the notice was lifted. All through this process my video was only down for about 15min.

For YouTube: Freeze the transfer of the revenue on that one video until it’s resolved but keep the video up and let it still collect revenue. It’s not great if you depend on the income but it’s a hell of a lot better than losing the income entirely. This solution is much better, if still imperfect.


Don't forget they can just file three strikes at once and obliterate your whole channel.


It should require a legal action to engage a DMCA notice in the first place.


DMCA takedowns technically are legal actions, as:

> (f)Misrepresentations.—Any person who knowingly materially misrepresents under this section— (1)that material or activity is infringing, or (2)that material or activity was removed or disabled by mistake or misidentification, shall be liable for any damages, including costs and attorneys’ fees, incurred by the alleged infringer, by any copyright owner or copyright owner’s authorized licensee...

In practice, as far as I know nobody has ever been prosecuted or civilly sued under this section of the DMCA. Maybe this will be the first case to do so.


Wasn’t that the whole point of the DMCA? That copyright injunctions were too expensive and slow to get?

I think it’s working exactly as intended.

Which, unsurprisingly, is terrifically easy to abuse.


That's a tautology. The DMCA is a legal action, but not inherently one that requires litigation. There is a difference.


Try to look at it from small content owner perspective:

Google is making content you own available online and monetizing it through subscription fees and ads.

Then when you ask them to stop, they require you to start with a lawsuit before doing anything. That costs money and takes time. Meanwhile there might already be a couple more channels with the content, requiring more lawsuits.


[flagged]


When I worked for them a decade ago, it was an in-joke that internal surveys were anonymous, but you needed to be logged in to fill them out.

One year, my manager said he was in a meeting where they told him that he was the only manager in New York where nobody on the team said that they thought it was highly likely that they'd be at Google in 5 years (or was it 10 years?). What a hell of a way to find out that the survey really isn't anonymous. What was management thinking in leaking that to him? The beatings will continue until morale improves.

Edit: as I remember, the survey asked things like "Which office are you in?" and "What's your seniority level?", but didn't ask who our managers were, leading to some plausibility that login information wasn't being used to aggregate the data, but it turns out they were aggregating down to the team (4-6 people) level.


I learned that one the hard way when I had to put "diversity" checkboxes in their c-level stalking app.


This should've been a story that shows how dangerous and ridiculous DMCA is. Instead we see copyright owners double-down on the legal bullying. Bah


This is an interesting lawsuit as it is a *company* seeking damages due to DMCA abuse by a third party, and my understanding is that this is very widespread (no source sorry). Is anyone aware of any studies done on the total cost¹ (vs benefit¹) of the DMCA due to malicious actors?

¹ defining what is a cost vs benefit (and how much) is probably the hardest part, maybe after acquiring the necessary data.


What stands out most here is that the YouTube video creator behind the "fake" DMCA notices was himself hit by a fraudulent DMCA notice. It seems like he was only trying to bring attention to the completely broken system.

I see this more as a political protest than anything else. But if you rock the boat you're going to get hit.


My understanding of the article was that the perpetrator was hit with a genuine DMCA notice that he was upset about. It seemed his plan was to generate these fake notices with the hope that they'd be noticed and rolled back, and in the confusion, he could get his notice rescinded as well.


It was from a company with the legal right to do so but it was still abusive and not an appropriate or legal use of the DMCA. The only difference from his 'fake' DMCA claims was having a legal connection to the rightsholders. But the DMCA claim he experienced and the ones he sent out were all fake and abusive.


Is part of the story missing on how Google eventually accepted the fake DMCA requests? Seems like at some point Google slipped up or else this wouldn’t have gotten so out of hand.


> Is part of the story missing on how Google eventually accepted the fake DMCA requests?

There isn't really a story here. YouTube just kind of blindly accepts any and all DMCAs regardless of whether the claimant has legitimate ownership or not.

Here's an excerpt from the court filing:

> Ninety-six separate times, Minor used his fake “CSC” Gmail addresses to exploit the hole in YouTube’s DMCA-process security that allows anyone at all to claim to be representing a rights holder for purposes of issuing a takedown, with no real safeguards against fraud.

I'd note that they refer to it as "the" hole

https://www.pcworld.co.nz/article/483729/google_submission_h...

> In its submission, Google notes that more than half (57%) of the takedown notices it has received under the US Digital Millennium Copyright Act 1998, were sent by business targeting competitors and over one third (37%) of notices were not valid copyright claims.


Wow, 57% and 37% are awful. It's almost as if the system shouldn't be automated.


> There isn't really a story here. YouTube just kind of blindly accepts any and all DMCAs regardless of whether the claimant has legitimate ownership or not.

Sounds like a compelling story to me.


That is what is required under the DMCA, though. YouTube must remove content immediately after receiving a notice, under penalty of losing safe-harbor privileges. In turn, the claimant must represent themselves as the copyright holder or their agent, and the content must be infringing, under penalty of liability for the accused's costs and attorney fees. The law does not make a provision for YouTube to reject bogus claims.


If it's a bogus claim then they don't need safe harbor for it...


YT requires you to use a Gmail address to submit DMCA claims, instead of a corporate domain that can be verified.

There are no ID requirements, either.



