RATS are used by hackers to install malware that takes over computers of unsuspecting internet users. According to the “Selling Slaving” report by the DCA, their targets are often the young:
…are actively looking to take over the computers, called “slaving,” of young girls and boys—and then selling that information online. In effect, they are selling access to our children’s bedrooms.
How does the growth of this illicit spying activity link back to YouTube? As is the case with terrorist recruiting videos, YouTube also offers unsavory creeps a worldwide portal that makes it easy to spread their criminal wares via video. To add insult to injury, these videos are often monetized, meaning YouTube and the hackers not only spread information on this unsavory activity, but also make money from it.
The tutorials included many that showed how to use and spread RATs; links where ratters could download the malware; and examples of RATs successfully deployed showing victims’ faces and IP addresses…Roughly 38 percent of the tutorials for the best-known RATs had advertisements running alongside the videos. The advertising we found included well-known car companies, cosmetics, and even tickets to New York Yankees’ baseball games. YouTube’s parent company, Google, is positioned to get revenue from the sharing of these malicious tutorials that target innocents. –DCA report
The fact Google is making money off garbage is nothing new, but lately a number of online businesses (like Reddit) have been forced to reexamine their “anything goes” policy when it comes to what content to allow online. The question is to ask in the case of YouTube RATS is why can’t Google do a better with housekeeping?
There has been no shortage of discussion about how legacy media companies will find their way forward in the digital age. But in trying to recalibrate their identities, Gawker and Reddit are demonstrating that digital media companies are struggling to manage a difficult transition of their own — from financially underachieving, if popular, start-ups to thriving, mature businesses.
“This feels like a moment of reckoning to me,” said Vivian Schiller, the former head of news at Twitter who was previously an executive at The New York Times. “We’re moving from the early days of ‘We’re free to write or post whatever we want,’ to the reality of building a business.”
With this latest DCA report in mind, and the fact that other dubious YouTube users earn income off the filth they spread, one wonders if Google will make better business decisions going forward. The DCA reports suggests a way forward for YouTube’s parent:
A solution exists, but it will require Google to change the way it approaches this issue. When Google is serious about solving a problem, it assigns a human team to do what an algorithm clearly can’t. Bringing in human teams helped block tens of thousands of search queries for child pornography and to ensure the quality of apps on Google Play. Hacking victims deserve the same concern and protection. Google should assign a human team to reviewing these videos and immediately cease advertising on such video platforms. These victims should not be clickbait and ad revenues from slaving tutorial videos can’t be worth the pain and suffering they cause. [emphasis added]
However, if past history is any indication, Google will likely continue to deflect and dodge. If they do, they risk further damage to its brand. The DCA report ends with this observation and a quote from a Ratter’s victim asking that Google do more to eradicate this insidious infestation on YouTube:
If Google continues to sell ads beside slaving videos, can it claim Internet freedom as a defense? If one of the world’s most admired companies takes a stand against slaving, others will follow. Perhaps the best advice on how the company could handle that question came from Cassidy Wolf, who said she would tell Google: “They need to put themselves in (the victim’s) shoes… and imagine if it was their daughter that was being watched in their room and now its being promoted on YouTube and the people that are doing this are making money of this and Google is making money off of this. Honestly, I would just tell them to put themselves in the victim’s shoes and imagine if this was happening to them.”
Once again, the ball is in Google’s court.
*full disclosure-I’m a member of the DCA’s Advisory Board
Protecting private data from online theft is not the same as protecting copyrighted content
Update 8/20/15-The hackers have released the hacked data after Ashley Madison’s parent company did not comply with their demand that the site be closed. It appears, once again, Avid Media’s lawyers are misusing the DMCA in order to prevent the hacked (private) data from being widely disseminated. The post below explores why the DCMA is not the solution.
Original story from 7/21/15: In news first reported by investigative journalist/blogger Brian Krebs, hackers broke into a database containing customer data for web hook-up site Ashley Madison and threatened to post it online. Stealing customer or employee private data is always a bad thing, but what makes this particular hack particularly notable is that Ashley Madison’s business is based on promoting and enabling infidelity among couples. The company’s mantra is “Life is short. Have an affair,” and in order for customers to fool around on their mates without repercussions, anonymity is clearly key. I imagine there are more than a few Ashley Madison clients who are sweating big-time right about now.
Ashley Madison’s clientele are not the only ones at risk of having their online escapades outed. The hackers, who identify as The Impact Team, actually targeted the entire database for the site’s parent company, Toronto-based Avid Life Media (ALM). ALM also operates two other online hook-up sites, CougarLife.com and EstablishedMen.com.
According to Krebs, the hackers were motivated by the websites’ failure to comply with its $19 “full delete” feature, whereby a customer’s information is (supposedly) scrubbed from its database upon request. As Krebs reports:
“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
Desperate to protect brand, lawyers fight Ashley Madison hackers with dubious use of DMCA law
ALM confirmed that the hack took place and told CNBC it has managed to take down all the personal information that hackers posted online.
“Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the…posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online,” ALM said in an emailed statement.
Is the DMCA really the right (and legal) way to fight the Ashley Madison hackers? The DMCA was designed to give creators a means to safeguard their copyrighted creations from online thieves in the digital age but does it extend to hacked data too?
When Jennifer Lawrence’s personal photographs were stolen by a hacker and posted online her lawyers used the DMCA to block their spread since technically, she (and other women who were victimized by the photo theft) owned the copyright for the stolen pictures. In the case of the Ashley Madison hackers, company lawyers claim that ALM “owns” their customers’ content and thus have legal grounds to send DMCA takedown notices to prevent it being published online. Although I’m not legal expert, it seems like a stretch.
The DMCA, old and broken as it is, is the only tool creators have to protect their work. When ALM lawyers send takedown notices in situations like this only serves to muddy the waters and give critics of the law ammunition to attack it.
The DMCA is not a band-aid to be applied in every case of online theft
One can understand why ALM is moving quickly to protect their business model, but shouldn’t the DMCA be reserved for clear instances of real copyright infringement? Can the operators of Ashley Madison really claim to own the photographs and biographical material of its clients?
I suppose the issue will eventually end up in a court of law but in the meantime why doesn’t Congress to step up to the plate and tackle issues surrounding digital hacking, cyber abuse and privacy? No matter what does or does not happen on Capitol Hill, it’s clear that companies (and governments) ultimately need to do a better job encrypting databases to protect them from determined hackers.
Using the DMCA is a dubious solution to a vexing problem. As D.E. Wittkowe noted today in an opinion piece for the Christian Science Monitor:
Copyright law is supposed to protect creative works in a marketplace so that creating and selling these works can be profitable. Protecting these intimate expressions as goods in a marketplace fails to address what’s wrong about wrongfully publishing them. It’s wrong because it’s an invasion of privacy and a violation of trust, not because it threatens someone’s profits.
Google could learn a thing or two from VIMEO about how to run an efficient DMCA takedown system
Love it or hate it, for now the DMCA (Digital Millennium Copyright Act) is the law of the land when it comes to safeguarding creative content online. The law, passed nearly 20 years ago, is woefully outdated, but for now, it’s the only tool creators have to protect their work from online thieves. Unfortunately, not every company in the business of “user generated content” approaches DMCA compliance the same way.
Google, a company that makes billions each year in ad revenues generated via trafficking in dubious content, has set up a takedown system that ensures the sending of a DMCA takedown notice is an onerous and inefficient task. After all, the harder Google makes it, the more discouraged creators will become, and the more money continues to flow into its coffers…
Anyone who’s made music or a movie probably has had experience with sending a DMCA takedown request to Google in some form. Whether it’s removing pirated music on YouTube, or requesting the takedown of pirated movies off Blogger sites, creators must tackle a haphazard and convoluted patchwork of online forms in order to get their work removed from Google’s online products.
Not that Google will listen to me, but I’m going to offer some suggestions for simple ways the company could improve the takedown system. Part I will focus on Blogger, Google’s online website platform that’s become the favorite of many pirate entrepreneurs due to its ease of use.
As a creator, when you discover a pirate website hosted by Google’s Blogger (on blogspot.com) is offering pirated copies of your music or movie, to get it removed you usually have to send a DMCA notice to Google.
Here’s where Google turns what could be a relatively easy task into a huge time suck. First, in order to find the correct online form for Blogger you’re forced to click through a myriad of radio-buttons on Google’s Removing Content From Google page. When you finally do manage to click your way through to the proper form (it takes 7 clicks) you’ll waste more time carefully filling in each and every section. Note, your browser’s auto-fill function won’t work particularly well here. Finally, after you complete the form and click send, you can only wait (and hope) that the content will be removed. It can literally take weeks and sometimes it never gets removed.
Here’s where it gets particularly annoying. Many companies, take the video-hosting site Vimeo, for example, give rights holders several ways to send a takedown notice: email, a web form or snail mail. When sending a DMCA to Vimeo (and many other sites) I use a template I created (with an attorney’s help) that makes it easy to copy and paste infringing links into a DMCA takedown email. It’s not only quick, but I have a record of the notice in my sent email box. For indie content creators fighting online piracy, email is by far the most efficient way to send and record DMCA notices. As far as I’m concerned, Vimeo earns a gold start for DMCA takedown efficiency.
Vimeo provides a shining example of good DMCA takedown practices:
Vimeo accepts email submissions. It’s quick and efficient–a godsend if you have to send notices routinely (as many musicians and filmmakers do).
You have a copy of the DMCA notice you sent and proof of when it was sent.
You receive an email confirmation from Vimeo that the material has been removed and their message includes a copy of your original DMCA notice.
Vimeo provides a reference # so that if there are any issues with your notice, you can easily follow-up with the real person that signs the email receipt.
Meanwhile, over at Google, things aren’t so straightforward. Each time I send a DMCA takedown to Google via its web form, if I want to keep a copy, I’m forced to create a PDF copy of web form. Even then some of the entries don’t show up. For the rights holder it’s an imperfect and time-wasting process. Google has intentionally created a takedown process that impedes creators at every step.
Google’s Blogger takedown procedure is a joke:
Google requires users navigate through a series of buttons (7 clicks) to get to the DMCA web takedown form.
Google requires you fill in the entire form each time you need to sent a takedown notice.
Google does not give you a copy of the form you sent, only a brief acknowledgement that you sent something signed by the mysterious “Google Team.”
Sender never receives notification infringing material has been disabled.
Because of their business practices, Google does have to deal with tons of takedown notices every day. It’s a mess of its own making and they certainly have the financial resources to deal with it responsibly. Google reps insist a web form is the only way to make sure they receive the information required in a DMCA notice. However, their refusal to accept emails (that could be read by a bot) forces indie artists who routinely send takedown requests to its web maze.
Since users are forced to use a DMCA web form, there’s certainly NO justifiable reason Google can’t respond with an email confirmation that includes the original takedown notice. After all, that’s an automated process and would require ZERO resources on their part. Google chooses not to do so because they want to make the process as opaque and complicated as possible. While it complies with the letter of the law, Google has refined a system whereby creators are discouraged from exercising their legal rights at every turn.
Google’s DMCA practices are designed to impede rights holders every step of the way
Vimeo quickly sends an email confirming removal
Along with the email, Vimeo includes the original DMCA notice
Google makes users jump through hoops to send a DMCA notice, doesn’t provide a copy, and offers no confirmation that any action has been taken
Google includes a case number in the subject heading of the email, but don’t bother trying to contact Google using it. The “Google Team” won’t respond. So what’s the case number good for? Not much.
As for turnaround time-when I send VIMEO a notice within hours the content has been removed (and I receive an email confirmation along with a copy of my notice). With Google it can literally take weeks…and sometimes nothing happens…ever.
In order to improve the DMCA system on Blogger I would ask for the following:
Offer a direct link to the Blogger DMCA takedown form
Allow the form to be auto-filled and if one has a Google account information the form would be pre-filled with the appropriate information
Send an email receipt that includes a copy of the DMCA notice
Send confirmation when the infringing content has been disabled
Remove content in a timely manner. This means days, NOT weeks.
For a company like Google that can take us to the top of Mt. Everest with the click of a mouse it’s beyond comprehension as to why they can’t offer content creators a better way to utilize the DMCA process. Google periodically publishes puff PR pieces extolling the myriad of ways it supposedly tackles piracy, but in reality helps maintain the status quo where the rights of online thieves are held in higher regard than those of creators. Of course for Google impeding the legal rights of creators is good for business. Profits ahead of people is the key to Google’s success.
Next week-Part II-YouTube’s DMCA CMS takedown, another inefficient mess for rights holders.
Tim Wu, the legal scholar credited with coining the oft used term “net neutrality” was hired by Yelp to conduct research into Google’s search algorithm. Wu, along with Harvard Business School professor Michael Luca and researchers at Yelp, examined whether Google gives consumers the best results. The results don’t look good. Per Recode.net:
Google knowingly manipulates search results according to a research paper published Monday from several academics. The study presents evidence that the search giant sets out to hamper competitors and limit consumers’ options. The paper lands as Google prepares to release its response to the European Union investigation, which rests on similar claims about Google’s comparison-shopping product.
Meanwhile, in the EU a new website Focus on the User (http://www.focusontheuser.eu/) has been set up to publicize the issue, charging, “Google+ is hurting the Internet. Europeans have the power to stop it.” Along with a rundown of the various ways Google manipulates search results to favor its own product via Google+ the website offers a video explainer (below).
2. 40 State Attorneys Generals file amicus brief in support of subpoena process to investigate Google
Attorneys General from 40 states have filed in amicus brief in support of Mississippi’s AG Jim Hood’s efforts to subpoena Google. In the brief they ask a U.S. Appeals Court to overturn a preliminary injunction issued last March by U.S. District Judge Henry Wingate that blocked Hood’s efforts to investigate Google’s anti-consumer business practices. From the brief:
As is evident from the letters of record signed by multiple Attorneys General, Mississippi is not the only state with concerns about Google’s consumer practices. (See ROA.1199-1200, ROA.1243-1244, ROA.1245-1246). Mississippi, like every state, is entitled to address these concerns through further investigation utilizing proper tools, including administrative subpoenas. Mississippi, like every state, also is entitled to review information gathered pursuant to its investigation and make decisions about actions to take—or not take—to enforce its consumer protection laws for its citizens. Google may challenge Mississippi’s Subpoena consistent with state law. But Google should not be allowed to bypass state subpoena review processes and derail a legitimate state consumer protection investigation by filing premature declaratory judgment lawsuits and obtaining sweeping preliminary injunctions in federal court. Both the law and public policy counsel against it.
3. Google accused of eavesdropping
According to an article published in The Guardian, Google is also under fire from privacy advocates for incorporating technology into its Chrome browser that allows eavesdropping.
“Without consent, Google’s code had downloaded a black box of code that – according to itself – had turned on the microphone and was actively listening to your room,” said Rick Falkvinge, the Pirate party founder, in a blog post. “Which means that your computer had been stealth configured to send what was being said in your room to somebody else, to a private company in another country, without your consent or knowledge, an audio transmission triggered by … an unknown and unverifiable set of conditions.”
Scott Cleland, a noted Google critic, points out that it’s business as usual in comments posted on his Precursor Blog:
This is not an isolated incident. It is a part of a broader Google pattern of behavior.
What should be big news and scandalous here is that the company that has gathered the most Internet users in the world based upon public representations of being pro-privacy and open — is secretly engaged in widespread wiretapping.
June Gloom for Googleiath
Earlier this month Google was slapped down by a Canadian appeals court, Its judges were not impressed by Google’s specious “free speech” arguments and affirmed a lower court ruling mandating Google remove certain search results (linking to illegal products) on a worldwide basis.
As regulators in Europe continue to tighten the vise, perhaps this summer will be a turning point in efforts to hold Google accountable for its bad business practices. Stay tuned…
Blocking pirate sites is not censorship–it’s common sense
In a move being celebrated by creators worldwide, the Australian parliament has approved the Copyright Amendment (Online Infringement) Bill 2015. The legislation will allow rights holders go to court to request that pirate websites be blocked in Australia. The explanatory memorandum, notes that the purpose of the bill is to “reduce online infringement.”
The bill’s opponents have employed the standard tech talking points, crying censorship and calling its justification “bogus.” They claim to be concerned about collateral damagebut consistently show zero regard for the ongoing “collateral damage” suffered by filmmakers, musicians, and authors whose livelihoods are routinely leached by online thieves. For piracy apologists blocking pirate sites is an anathema. In their view the rights of piracy profiteers (who pocket profits from content theft) trumps the rights of creators at every turn.
Fortunately members of the Australian parliament were able to see through the over-wrought hyperbole and craft legislation that seeks to balance the rights of creators with concerns about online censorship. With the legislation’s passage, Australia joins the UK and a number of other nations in setting up a judicial review process to determine whether certain pirate websites should be blocked. The new Australian law establishes a “high threshold test” for the Court:
The Court must take into account a number of factors before granting an injunction. These factors include:
the flagrancy of the infringement or its facilitation
whether disabling access to the online location is a proportionate response in the circumstances
the impact on any person likely to be affected by the grant of the injunction, and
whether it is in the public interest to disable access to the online location.
Further reading of the explanatory memorandum demonstrates the rationale for the legislation and, despite rhetoric thrown about by opponents, it seems quite reasonable.
8. Copyright protection provides an essential mechanism for ensuring the viability and success of creative industries by incentivising and rewarding creators. Online copyright infringement poses a significant threat to these incentives and rewards, due to the ease in which copyright material can be copied and shared through digital means without authorisation. [emphasis added]
9. Where online copyright infringement occurs on a large scale, copyright owners need an efficient mechanism to disrupt the business models of online locations operated outside Australia that distribute infringing copyright material to Australian consumers. [emphasis added] In addition, a consequence of fewer visitors at the particular online location may also impact the advertising revenue, which is often an integral element of the business models of these types of entities.
10. The Bill acknowledges the difficulties in taking direct enforcement action against entities operating outside Australia. The proposed amendments are intended to create a no-fault remedy against CSPs where they are in a position to address copyright infringement.
In the United States opponents of such legislation, often funded by tech interests, have successfully conflated sincere efforts to thwart online piracy with the specter of online censorship. However, no matter how they try to slice it, piracy does not = free speech. Websites that profit from piracy are criminal enterprises and are not worthy of protection.
Illegal activity in the brick and mortar world is not sheltered by the “free speech” excuse. Why should online piracy’s black markets be above the law? There are plenty of options for web users around the world to “share” files via any number of legitimate free sites. Sites like Pirate Bay and Kick Ass Torrents should not be thought of as sentinels to safeguard an open internet.
With passage of the law attention has turned to VPNs (virtual private networks) that would allow Australians to bypass blockages but its a red herring. VPNs are not the panacea many claim and, in fact, are often rife with malware and other security concerns. Of course, for the determined downloader there are other ways to get around a blockade, but the law’s intent isn’t really to prevent all access, but rather to deter easy access. The majority of folks who download illegal content online do so not only because it’s free, but it’s also easy. Any roadblock that can redirect these users to legitimate outlets is a welcome one.
Would similar legislation ever pass in the United States? After the SOPA (Stop Online Piracy Act) debacle it seems unlikely. Given the lobbying largess of Google and other tech interests in Washington, opponents seem to have constructed a formidable bunker against those who seek to fight online piracy profiteers. After all, some entities within the U.S. tech industry are also piracy profiteers and have a vested financial interest in keeping the Wild West status quo where an online eco-system of online theft for profit is allowed to flourish. Fortunately not every worldwide legislative body is under the thumb of big tech and so bit by bit, progress is being made.
Google’s global reach has global implications when it comes to the law
In a case that could have broad implications moving forward, a Canadian appeals court handed Google a rare legal setback when it upheld a worldwide injunction ordering the search giant to remove results linked to counterfeit hardware. The ruling was an affirmation of a lower court ruling that mandated Google remove certain search results (linking to illegal products) on a worldwide basis.
Reading the court’s decision, the plaintiff’s arguments–and Google’s responses–are familiar to anyone who’s gone toe to toe with tech behemoth and its shills like the EFF. What’s new is that the appeals court not only upheld the lower court’s worldwide injunction, but it also shot down the tired, oft-used “free speech” canard employed by tech apologists to attack rights holders:
[105] The plaintiffs made considerable efforts attempting to track down the defendants, and find ways to eliminate their websites. The judge’s finding that the granting of the injunction was the only practical way to impede the defendants from flouting the court’s orders amounts to a finding that the involvement of Google in this matter was necessary.
[106] With respect to extraterritorial effects, Google has, in this Court, suggested that a more limited order ought to have been made, affecting only searches that take place on the google.ca site. I accept that an order with international scope should not be made lightly, and that where an order with only domestic consequences will accomplish all that is necessary, a more expansive order should not be made…
[107] The plaintiffs have established, in my view, that an order limited to the google.ca search site would not be effective. I am satisfied that there was a basis, here, for giving the injunction worldwide effect. [emphasis added] I have already noted that applications can be made to vary the order should unexpected issues arise concerning comity.
[108] Finally, I note concerns expressed by Google and by the intervenors Canadian Civil Liberties Association and Electronic Frontier Foundation concerning the openness of the World Wide Web, and the need to avoid unnecessary impediments to free speech.
[109] The order made in this case is an ancillary order designed to give force to earlier orders prohibiting the defendants from marketing their product. Those orders were made after thorough consideration of the strength of the plaintiffs’ and defendants’ cases. Google does not suggest that the orders made against the defendants were inappropriate, nor do the intervenors suggest that those orders constituted an inappropriate intrusion on freedom of speech.
[110] There has, in the course of argument, been some reference to the possibility that the defendants (or others) might wish to use their websites for legitimate free speech, rather than for unlawfully marketing the GW1000. That possibility, it seems to me, is entirely speculative. There is no evidence that the websites in question have ever been used for lawful purposes, nor is there any reason to believe that the domain names are in any way uniquely suitable for any sort of expression other than the marketing of the illegal product. [emphasis added] Of course, if the character of the websites changes, it is always open to the defendants or others to seek a variation of the injunction.
It’s refreshing to see a court of a law look past EFF hyperbole and distinguish between legit websites and those engaged in criminal activity. Score one for common sense (and the law). It should be noted that in predictable fashion, the EFF characterized the decision as “dangerous precedent” and that allows an intermediate to “edit the internet” and warned that the ruling “lays the groundwork for nations with authoritarian restrictions on speech to also impose their own rules on the global Internet.”
I suppose we should consider it progress that instead of “breaking the internet” we are now only accused of wanting to “edit it?”
Over the years, Google has run roughshod over any effort to impede its take-no-prisoners business practices, but lately its veneer of invincibility seems to have cracked. As this latest ruling demonstrates, courts and regulators (outside the U.S.) are finally beginning to treat Google as the global beast that it is.
In May of 2014 the Court of Justice of the European Union found that EU citizens had the “right to be forgotten” and that search engines like Google must remove search results upon request. Last November, Article 29 Data Protection Working Party, the group charged with overseeing the ruling, issued guidelines on implementation that .com domains worldwide, not just those in the European Union should be included in requests for data removal.
7. Territorial effect of a de-listing decision In order to give full effect to the data subject’s rights as defined in the Court’s ruling, delisting decisions must be implemented in such a way that they guarantee the effective and complete protection of data subjects’ rights and that EU law cannot be circumvented. In that sense, limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient mean to satisfactorily guarantee the rights of data subjects according to the ruling. In practice, this means that in any case de-listing should also be effective on all relevant domains, including .com. [emphasis added]
In April, the EU’s scrutiny of Google’s business practices became even bolder when it charged the company with anti-trust violations. From the Wall Street Journal:
The European Commission took direct aim at Google Inc. Wednesday, charging the Internet-search giant with skewing results to favor its comparison-shopping service. But the formal complaint may only be the opening salvo in a broader assault that prompts big changes at Google.
European antitrust chief Margrethe Vestager said she continues to examine other domains, such as travel and local services, where Google is accused of favoring its own services over those of others. She also opened a second front, intensifying a separate probe of Google’s conduct with its Android mobile-operating system.
Given Google’s growing influence as a Washington lobbying force, don’t expect to see U.S. lawmakers following in the EU’s footsteps any time soon. However, any crack in Google’s armor is progress. While U.S. authorities won’t hold Google accountable, it seems like the rest of the world just might.
As an indie film and broadcast journalism veteran, I'll share my perspectives on issues of interest to the creative community and beyond--Ellen Seidler
