Web “security” provider Sucuri helps online pirates cloak criminal activities
As piracy has evolved and enforcement efforts increase, pirate entrepreneurs have been forced to set up shop far offshore to avoid the long arm of U.S. law. What’s troubling is how U.S. companies help them evade the law by providing cover for their illegal piracy business while at the same time pocketing their own dirty profits in the process.
Follow along as I take an obstacle course–the type creators face every day trying to protect their work–to see the way U.S. companies–in this case GoDaddy-owned Sucuri–help criminals cloak their activities and keep their illegal sites operating smoothly.
Start the hunt with Google Search
While Google claims to have cleaned up its act, the reality is that with a single search I quickly found a website featuring a cache of pirated movies. It wasn’t difficult.
No surprise, the 2nd Google result led directly to a site offering a cornucopia of pirated popular lesbian-themed films and television shows, both Hollywood and indie fare.
I chose an indie feature and with a click began my journey through the maze to uncover where the stream for the stolen movie was actually hosted.
Finding the actual source code is a huge pain….I was forced to click through a series of popup ads–after all, that’s how these online pirates make money. Finally, I used Firefox’s web developer tools to scan through the source code as the movie streamed and eventually uncovered the pirate link I was looking for.
When I clicked that link, I ended up at the actual full stream for the film.
You find the source. Now what?
Turns out the file is hosted on a site called “gounlimited.to” but that isn’t much help. As I discovered, and Torrent Freak has previously noted, this particular pirate website brags that it ignores the DMCA and uses that fact as a selling point. Per Torrent Freak, this isn’t the operator’s only rodeo either, “Faced with a lack of stable ‘takedown resistant’ hosting providers to stream videos from, Bader decided to start one of his own, GO Unlimited.”
Of course, like all piracy sites, this operation is in the business of making money off stolen goods so its content is populated thanks to minions worldwide enticed by cash rewards with payouts based on the number of eyeballs each illegal upload attracts. It’s the typical cyberlocker scenario. For the record, I will also be contacting PayPal to ask why they remain affiliated with this criminal operation, but I digress….
Since Go Unlimited brags about ignoring the DMCA and offers no contact information, the next step is to investigate registrar and host. The .to domain is popular among shady sites for a reason and information isn’t listed in the typical WHOIS database. The .to domain offers its own search, but offers little in the way of actual information. The registrar cares little about criminal enterprises.
What next? Turns out a U.S. based company, GoDaddy’s Sucuri, is listed as the IP provider. Sucuri does business with a pirate website, but explains that it’s not responsible in its disclaimer (poor spelling aside) this way:
The Sucuri Firewall is a passthrough proxy WAF & CDN service. Sites using our service will point their DNS records at Sucuri IP’s, but all content is actualy (sic) hosted outside of the Sucuri network.
The excuse that they don’t “host” the content is a bit weak considering that the pirated data does flow through Sucuri servers on its way to the end user. Essentially the excuse goes like this, “We only provide the ingredients used to bake the cake, not the finished cake.” Pretty lame excuse. While perhaps legal, it certainly doesn’t seem moral. The question is, WHY do we allow U.S. companies to do business with sites that ignore U.S. copyright law?
In a further insult, Sucuri lists publisher Harper Collins as one of its customers. Ironic that Sucuri PR folks see no conflict of interest in servicing a piracy operator alongside one of its potential victims. (Note: book publishers and authors are suffering mightily due to e-book piracy.)
So what’s the solution? Once again the DMCA needs to be updated for the 21st century. I’ve written about this issue extensively in the past, and you can read those thoughts here. Clearly, third parties who are knowingly complicit in providing infrastructure for criminal enterprises need to be held to greater account when a client ignores the law.
Once again a possible path forward can be found by looking at the European Union. Last month a court in Italy ruled against Cloudflare, ordering the company to cease doing business with an illicit website.
The court used the EU’s Electronic Commerce Directive 2000/31/EC to justify its judgment against Cloudflare. The law cited provides a legal “framework” for electronic commerce. It’s time for U.S. lawmakers to enact similar safeguards for U.S. creators. Participating as a for-profit player in the piracy ecosystem should not be a legal business model in the United States.
When people talk about effective ways to mitigate the impact of online piracy, YouTube’s Content ID is often used as an example of what works. Unfortunately, despite its role as poster boy for anti-piracy tech, in reality it falls flat as a gatekeeper against online piracy.
Aside from a labyrinth-like user interface that seems likely to have been designed–not to help–but to discourage rights holders from using Content ID, the actual fingerprinting technology behind it can be easily fooled.
YouTube introduced the Content ID system in 2007. At the time, the company was facing pressure from a Viacom lawsuit, among others. According to YouTube, it’s pretty straightforward:
Videos uploaded to YouTube are scanned against a database of files that have been submitted to us by content owners. Copyright owners get to decide what happens when content in a video on YouTube matches a work they own. When this happens, the video gets a Content ID claim.
Looking to make money off work they don’t own, clever YouTube users have discovered ways to fool the technology so their illegal uploads of copyrighted movies and music don’t get flagged, blocked or removed.
I began noticing this phenomenon more lately as I’ve begun to find full, infringing copies of films uploaded that matched content owned by a film distributor I work for. This seems to be happening more often and I was curious as to how these pirated copies had avoided detection by Content ID. When I looked closely I saw that subtle manipulations in brightness had taken place along with slight adjustments to frame size and sometimes the crop of the frame.
When I started poking around YouTube to find other examples of these uploads they were easy to find. It only took me a few minutes to find dozens of copies of a variety of full copyrighted movies, old and new. One title I came across was the movie, Everest. Below are screen captures from two different full uploads of the movie I found streaming on YouTube.
Two full copies of the movie Everest uploaded to YouTube.
In this case the uploader had used several techniques to avoid detection including reversing the frame (note the backwards title), darkening the lower part of the frame and cropping it. Of course, having recently viewed the film on HBO, watching a lousy copy like this on YouTube wouldn’t be my choice, but apparently others didn’t mind. Uploaded only a month ago, the movie had already racked up more than 16,000 views.
Pirate uploads make money for uploader and for YouTube
Why go to all this trouble to manipulate a movie for upload to YouTube? Well, it’s the age-old pirate motivator–money. This uploader, who goes by the name Kenneth Lamb, has claimed ownership of this content and monetized it with ads. He makes money. YouTube makes money. The movie’s actual production companies make nothing.
This YouTube user claims to own rights to Everest movie worldwide and makes money off ads
In an ironic twist, several of the ads that appeared when I was examining (and reloading) this pirated copy of the film were for films including DreamWorks’ upcoming movie Trolls and Warner Brothers’ Jason Bourne. It’s more than a tad ironic that Hollywood studios are (inadvertently) putting cash in YouTube’s hands via advertising on a pirated copy of one of its own productions.
Ultimate irony that ads for upcoming movie releases are featured on pirated copies of Hollywood films
I don’t deal with music or audio files on YouTube but there are similar manipulations happening there as well where uploaders resample, add noise, etc. to fool the Content ID system into ignoring the file.
What can YouTube do to fix this growing problem? Per usual, the list is long and varied, but begins with asking Google engineers to design better fingerprinting tech. Other companies that offer digital fingerprinting technology seem to do a better job catching these circumventions. If I can easily uncover that an upload is a copy of the movie Everest, why can’t Content ID? You can’t tell me that with all its financial (and technological) resources YouTube doesn’t have the means to upgrade its system?
Technological solutions exist. It’s just a matter of priorities. Stopping piracy isn’t a priority for YouTube.
Aside from updating its fingerprinting capabilities, YouTube could also improve the Content ID system through providing a better interface, more transparency, better compensation for artists, etc. Of course again that would mean lower profits for Google/YouTube so such straightforward fixes are unlikely. Meanwhile, YouTube makes great hay out of its concerns for poor, maligned users who may have received an erroneous DMCA notice. The company is willing to spend money to defend a few select uploaders but won’t spend resources to fix its broken Content ID system?
Operating only a marginal (not great) Content ID system is in YouTube’s best interests
Of course the powers that be at YouTube probably prefer to keep Content ID just the way it is–creaking along, occupying a neutral zone positioned between accolades and scorn. It’s a safe position, one that gives YouTube officials cover when they use disingenuous excuses about their anti-piracy practices to critics, while avoiding any real (legal or financial) consequences.
Content ID does the job just well enough….but that doesn’t mean it does a good job. It could serve as a true model for technological safeguards against piracy, but as of now, it’s merely a slight bump in the road for those determined to steal and monetize the works of others. Meanwhile, YouTube continues to pocket advertising cash and make its stockholders happy while leaving filmmakers and musicians on the outside, looking in.
YouTube users claim Fair Use as a defense for uploading full copies of pirated movies
There was a lot of talk about fair use and takedown abuse at last week’s U.S. Copyright Office Section 512 roundtables in San Francisco. Many of those who spoke bemoaned how poor, innocent uploaders were victimized, time after time, by malicious DMCA takedowns.
It’s a tried and true talking point, convenient, but disingenuous all the same. Some of us, myself included, tried to make the point that creators, whose work is routinely (and massively) stolen, are often (doubly) victimized by malicious fair use claims.
I thought I’d share an example of this that occurred just this week on YouTube. On Tuesday a full-copy of the Swedish indie film “Kyss Mig” (all 147 minutes of it) was uploaded to YouTube by a user aptly named “Free Movies.” As an added flourish, the user-name included the notation, “free movies bitches.”
In this instance YouTube’s Content ID system worked as intended. The Content ID user (an indie film distributor) had set the system to block uploads of a certain length in its territories. Even though the video was a full, pirated copy of the film, it wasn’t taken down, it was simply blocked. So far, so good right?
Wrong…This YouTube user didn’t seem to think the rights holder had the right to block the full, infringing copy and promptly disputed the block. S/he stated the reason as being:
Approval from copyright Holder is not required. It is fair use under copyright Law.
The user also added a note: “I don’t need to explain.” Clearly Free Movies didn’t bother to read YouTube’s information on disputing a claim or its explainer on fair use.
Despite all the testimony at last week’s roundtable about fair use–and how copyright holders seek to punish those who claim it using malicious takedowns–it’s worth pointing out, yet again, that for every legit “fair use” claim, there are also false, and rather malicious, abuses of that defense. It’s a fact conveniently overlooked by the anti-copyright apologists.
Bogus “fair use” claim on YouTube
Take a gander below at the actual screen caps documenting this bogus “fair use” claim. Hopefully, officials considering DMCA reforms will acknowledge that creators can be twice victimized by abusive fair use claims.
I did in fact “reinstate” the claim (on behalf of the indie distributor I work for) so we’ll have to wait and see if this user goes on to file a counter-notice. If s/he does so, the film, in its entirety, will return to YouTube even though it’s CLEARLY infringing because we don’t have the financial resources to enforce the removal in federal court.
I’ve had the same thing happen after full pirated copies of our film were uploaded to YouTube. For creators trying to protect their work it’s a lose, lose…Perhaps YouTube should require its users to review “fair use” and “copyright” before they are allowed to upload content of a certain length? Why should creators be twice victimized while uploaders walk away unscathed?
The threat of malware could turn people away from piracy
Last week the Digital Citizens Alliance (DCA)* released a study that found websites offering free, pirated content were rife with malware. According to the report, 33% of content theft sites exposed users to malware. Every month 12 million U.S. visitors to these sites open themselves up to the theft of personal data, or worse.
To assess the impact that this malware threat might have on Americans’ web surfing habits the DCA conducted two surveys on December 10-13.
The first examined behavior and opinions of 1,000 Americans, while the second focused on 500 Americans aged 18-29 (an age group more likely to partake in piracy). The main takeaway–once people realize malware is a threat–is that respondents would be much less likely to visit these sites.
Fifty-three percent of Americans aged 18-29 acknowledge having visited content theft sites, nearly three times as much as the overall population.
Seventy percent said that they knew these websites illegally offered content, while 13 percent said they knew it was “wrong” but weren’t sure if it was illegal or not.
Sixty-three percent said that if visiting these content theft websites exposed them to malware they would steer clear of them in the future.
Figures for all age groups show an even greater aversion to the malware risk with 82% reporting they’d steer clear of such websites. This, coupled with the growing influence (and traffic) of legit streaming sites like Netflix, gives some cause for optimism in the ongoing battle against online pirate profiteers. Below are more results from the survey.
*Disclosure-I’m a member of the Digital Citizens Alliance Advisory Board
MUSO’s Global Piracy Insights Report 2016
A report in today’s Torrent Freak noted that content protection (anti-piracy) firm Muso recently released its annual Global Piracy Insights Report for 2016 so I was prompted to take a look to see what’s new on the piracy landscape. According to the report there’s been a, “massive shift towards direct downloads for music content – growing by 31% in 2015.” In addition the report found that “28% of all visits to piracy sites in 2015 were through mobile devices, up 8% during the year.”
Viewing habits for pirated movie watchers also seem to have shifted over the past year as more and more users turn to viewing streamed content instead of downloading torrents. The study examined traffic from 14,000 pirate websites, encompassing 141 billion visits, and according to an analysis of the report on Advanced Television, discovered this trend:
Out of a total 78.49 billion film and television piracy site visits, 73.69 per cent (57.84 billion) were visits to streaming sites…the second most popular piracy delivery type was torrents, capturing 17.24 per cent of audience visits.
The report is available to subscribers only so I cannot delve deeper into the figures but I’m not surprised to see streaming gain a growing foothold as the favored viewing platform. Pirates, like the rest of us, have grown accustomed to watching shows streaming on Netflix, HULU and Amazon. It’s no wonder the same patterns persist when watching pirated fare.
For those who care about the impact of piracy on musicians, comes this unfortunate news:
2015 saw a 25% rise in the use of YouTube ripper sites, used primarily for downloading mp3’s from YouTube music videos. The ripper piracy from mobile devices overtook piracy from desktop devices, growing by 46% last year. The usage of these sites is far larger than many realise, in fact making up 17.7% of all visits to piracy sites for music content.
One piece of apparent good news from the report is that, according to MUSO researchers, “…piracy levels remained relatively throughout the year, with a 5% overall decline.”
Andy Chatterley, MUSO CEO, ultimately focuses on what can be gained by studying these trends, noting the report as helping creators develop a framework by which to nudge consumers in better (legal) directions:
This report gives a complete picture of the piracy landscape and identifies key insights into piracy audience and behaviour. The Global Piracy Report is hugely valuable to right holders and for the first time looks at all forms of piracy traffic and not just p2p usage. In understanding the scale and mechanism of the audience we can be better informed to re-connect this audience to legal content. -MUSO press release
The report also found that streaming piracy in both the United States and UK was trending down, “likely to be due to legal music and video streaming services such as Spotify and Netflix.” But before we celebrate too much, it also noted that in many countries, streaming piracy is actually increasing. What’s that old saying, two steps forward, one step back?
Facebook has been promising for some time to introduce tools that would allow rights holders to automatically detect and remove pirated content from its pages.
The company has endured a lot of bad publicity around the freebooting of viral YouTube videos on its pages, but Facebook’s also long been a place where pirated movies and music found a cozy habitat. That is–until now. I’ve recently begun to utilize this tool to manage Facebook DMCA takedowns and wanted to share my first impressions, but first a bit of background.
First of all, I’m thrilled that Facebook, with all its resources, has finally begun to take copyright infringement seriously. In introducing the new tool last month the Facebook development team explained why the company had finally stepped up:
Video has become an important part of the Facebook experience for people around the world, due in large part to the amazing creativity we’re seeing from all kinds of video publishers.
To provide the best experience for everyone who watches, creates and shares videos on Facebook, we work with our community to understand which tools they want us to build. Based on this feedback, on top of the measures we already have in place, we’ve been building new video matching technology to further help rights owners protect the content they own.
Signing up is easy and the interface straightforward and simple to use
I found signing up for the rights manager tool to be relatively straightforward. You must have a page to link the rights manager to and I initially applied for, and was accepted into the program, by using our film’s Facebook page. Once I received approval I was able to upload a reference copy of our film (and trailer) to the Facebook rights manager dashboard. A trailer I’d uploaded to our page previously was also listed. From there, Facebook’s automated digital matching tools went to work.
Facebook’s Rights Manager dashboard is pretty straightforward
Easily upload and maintain a reference library of the video content they want to monitor and protect. Publishers can upload content libraries and publish live video as references for Rights Manager to check against, including videos they are not sharing publicly on Facebook. Rights Manager then monitors for potential infringement of that content across Facebook.
Create rules about how individual videos may be used. Publishers can set specific match rules to either allow or report copies of their videos based on criteria of their choosing—for example, how much content has been reused, where the matching video is located or how many views the matching video has received.
Identify new matches against protected content. Rights Manager’s dashboard surfaces any new matches against a publisher’s uploaded reference files and live video. On the dashboard, publishers can filter matches by time, date or view count, and then either report potential copyright infringement or allow the matching content to remain published.
Whitelist specific Pages or profiles to allow them to use their copyrighted content. Publishers can specify Pages or profiles that have permission to publish their protected content without being monitored for potential infringement.
Protect their reference library at scale with the new Rights Manager API. We’re rolling out an API for Rights Manager to improve bulk uploading for publishers and to allow media management companies to support partners in managing, monitoring and protecting their content across Facebook. You can find out more about the Rights Manager API here.
Facebook’s tech support is responsive and proactive in working to improve the system
Facebook asks for feedback in an effort to improve its rights manager tools
I do believe this type of fingerprinting technology will be an increasingly crucial tool as we move forward in the battle against online piracy on sites like Facebook, but as with any new offering, there are glitches.
The good news is that so far, Facebook’s technical support team is quite responsive and the company seems to be making a concerted effort to sort through issues and improve the tool’s operation. Any time you remove an item from the dashboard a window pops up soliciting feedback. I’ve also had a fair amount of helpful email correspondence with the support team and have found Facebook’s prompt and open response to my queries offers a welcome contrast to the less-than-stellar support offered by a (popular) site that shall remain nameless.
As with any new tech, there are some glitches
I also set up a Rights Manager account for an independent film distributor I work for and in the process of uploading dozens of reference files have found the “matching” to be rather hit and miss. At this point Rights Manager seems to do a great job detecting the company’s opening logo (and music) but little else. What makes it even stranger is that the tool detects the distributor’s opening logo and music and then matches it to the wrong reference file. Obviously ALL the titles I’ve been uploading share the same opening sequence from the distributor but when it comes time to actually issue the takedown to remove the infringing (matched) content, it auto-populates the form with the film’s title, which in these instances is the wrong one.
Lots of early glitches with Facebook’s Rights Manager tools
I’ve also come across situations where a single film title is simultaneously listed as having matched multiple reference files to different titles, but NEVER the actual reference file for that particular film. Consequently, rather than send a DMCA notice with incorrect information, which would be illegal, I have chosen to wait for Facebook to sort out this particular glitch. This is where their responsive tech support will, hopefully, come in handy.
I’ve also found that there’s a lot of uploaded content that doesn’t really match anything. Perhaps a song is playing in the background that matches the film’s soundtrack, but it’s difficult to tell? At this point the system’s matching capabilities clearly need to be dialed in to better weed out innocent content.
As it stands, I have been manually removing these erroneous matches from the dashboard, but that takes precious time, and efficiency is one reason this system was developed in the first place. For larger entities there are API tools, but for independent, smaller entities, it seems that utilizing the dashboard will be the best route.
Users can create “match rules” to fine tune content matching
Some of the hiccups I’ve encountered thus far are likely simple bugs in the system, while others may well be user error. Fortunately, Facebook has created tools that allow publishers/creators to fine tune the matches based on length of time, territory and content type.
I plan to spend some time working through the reference files I’ve uploaded to create appropriate match rules in the hope that it will result in fewer false positives.
Will creators be able to make money from their videos and music?
There’s also the question of monetization. Will rights holders be able to earn money from copies of their work uploaded to Facebook? It’s likely at some point in the future, but first Facebook will need to fine-tune Rights Manager. They can’t afford to complicate a system that’s still for all practical purposes in beta mode.
Overall I’m pleased with Facebook’s effort. Yes, it’s overdue and yes, it’s not (yet) perfect but it is a huge step in the right direction and hopefully can serve as a model for other social media and video sites across the web looking to do a better job thwarting piracy.
As I’ve written previously, I firmly believe UGC sites of a certain size (like Facebook, Vimeo, YouTube, et al) should be required to offer this type of tech in order to qualify for safe harbor. Of course that assumes the creaky old DMCA will be revised and the odds of that actually happening any time soon….well, I’ll leave that discussion for another day. In the meantime, I’m going to get busy on Facebook and upload some more reference files. So far I’ll give the new system a thumbs up!
As an indie film and broadcast journalism veteran, I'll share my perspectives on issues of interest to the creative community and beyond--Ellen Seidler