DMCA DDOS: Why compliance is not an option

One of the important stipulations of the Megaupload indictment (which I mentioned in my post-SOPA article) was that Kim Dotcom and his crew purposefully capped the number of DMCA take-down requests that could be submitted per an account. To an outsider, this may look like an indication of guilt. Megaupload made half-assed attempt to pretend they are being DMCA compliant, but made sure the only responded to a fraction of requests thus keeping the pirated files online longer. Unfortunately, it does not work that way. The caps were there for a very good reason – to prevent rampant abuse.

How do I know this? After all I wasn’t there. That is true my friends, but I do sometimes read the blogs of The Enemy to better know their goals, aims and strategies. Despite the popular belief, people who work in copyright protection industry are not stupid. I may not agree with their philosophy, their morals and their conduct but I am not ready to dismiss them as complete nincompoops. Note that I’m not talking about entertainment industry execs (incompetents who failed upwards via nepotism and favoritism) or politicians on their payroll (corrupt sociopaths). I’m talking about the folks working in the so called “takedown industry”.

You see, the above mentioned copyright moguls don’t really know how to use computers. They are really good at calling law makers, pulling the “don’t you know who I am” card, and threatening to stop handing out bribes. Those strategies do not work against file sharing sites. You can’t just call up Kim Dotcom and try to scare him with your fancy looking Armani suit and your scary looking lawyer friend, because he has two of each, plus he does not care. To deal with digital piracy, you often have to use digital means – ie submit online DMCA takedowns. If you have ever watched a Hollywood movie, you have probably noticed that none of the movie makers have actually ever used a real computer. So they would rather hire someone to do that for them, rather tan try to learn the internet themselves.

Enter takedown industry: companies that specialize in automated DMCA takedowns. It is still a niche market – one that most geeks would not touch with a ten foot pole. As such, it is desperate for technological know-how. A semi-competent programmer or sysadmin can easily break into it make a decent salary and a name for himself there. And thus many of our brothers and sisters end up gravitating there, and building tools and systems designed to abuse DMCA and stretch it to it’s limits.

The concept is simple – DMCA works quite well against casual infringement. If someone uploads copyrighted material on their blog, or on Youtube you can easily bring it down with a single request. The problem is with organized file sharing sites – torrent communities, cyberlockers, file sharing forums, etc… When you have a large community of people committed to infringe your copyright no matter what, then takedown notices become mostly useless. As soon as you get your IP taken down, someone else will “re-up” it in the same forum. So you have to issue another DMCA request, and another, and another. If you want to suppress the availability of the file in said forum, you need to be faster than the pirates. You must request a take-down as soon as the file re-surfaces, and you have to make sure it goes down before the bulk of sites users can find it.

Use of automated takedown tools becomes a necessity. And once you have these tools in place, guess what happens? Yup – script kiddie instincts take over. DMCA is broken enough not to require any proof of ownership. You can request takedowns on any files, whether or not you are authorized to do so or not. If you set your search parameters wide enough, and have enough machines, running automated scripts 24-7 you can more or less cripple the pirate site by repeatedly nuking everything on it’s front page.

So over the last few years or so, the small cottage industry of copyright protection has been slowly shifting from “we protect your files” to “we will nuke your enemies from the orbit” type services. And they have been getting better at it.

This does not surprise me. If there is a tool to be built, someone will build it. In fact, I find this industry somewhat fascinating because it actually follows what Charles Stross predicted in Accelerando. He came up with an idea of a “legal DDOS attack” in which bunch of expert systems would gang up against a legal entity to inundate it with threats, civil suits, inquiries and etc… Unless you had an equally potent legal system in place, your company would drown in the sea of legal paperwork in a matter of days, if not hours. And just like IRL, the first use of such systems in Stross’ book was to aid the failing entertainment industry.

But if you don’t believe me, here is a quote taken directly from the horse’s mouth: an owner of take-down company boasting about his contribution in the destruction of adult torrent tracker known as Cheggit:

At first the site tried hiding in numerous offshore countries where they would not have to comply with DMCAs but eventually they tried to become DMCA compliant by hiring DMCANotice.com to handle DMCAs. Once word got around that Cheggit was complying, myself and at least one other removal company began a carpet-bombing attack where literally 100s if not 1000s of torrents were being reported every day. The site complied with these notices quickly and without incident. This immediately resulted in panic on the forum as users pleaded with the site to move offshore again and to stop removing torrents. (…) Myself and the other removal company were literally removing content within minutes of it being posted.

Eventually it was revealed that the site was going dark and shutting down. The owner, was vague as to the exact reasoning but mentioned that starting in December 11 (when our carpet bombing started) it became too difficult to keep the site compliant. I’m sure there was legal pressure as well and I know my company wasn’t the only one involved in takedowns so a big kudos to everyone else involved. I know both myself and Eric from RemoveYourContent were on this one like white on rice. I can’t stress this enough how much effort both Eric and myself put into this from our end. I’m sure more will come out in the coming weeks and we’ll learn about others who were involved in taking this site down.

No doubt the freeloaders will migrate somewhere else and try and reestablish their den of thieves. But we will be there waiting.

As you can see, the author mentions a coordinated “carpet bombing” attack executed by several companies with a clear aim of crippling the website, and forcing it to shut down under the pressure. They were not really interested in protecting their client’s intellectual property – they were out to cause disruption and damage to their target community. And they did it using classic script kiddie tactics – via a coordinated DDOS. And this is just an example involving few tiny companies ganging up against a low profile pr0n tracker. The adult industry is not really known for spending exuberant amounts of money on chasing pirates. They don’t have the same resources as MPAA for example. So you can imagine how this scales when dealing with general purpose trackers and cyber-lockers.

Instead of a handful one-man shops like the one above, imagine dozens of big companies with dedicated server farms mounting all-out attack on Megaupload. Do you still wonder why Kim Dotcom instituted a DMCA takdown cap? Most likely it was the only way he could keep the site afloat, without dedicating all his resources to processing and fielding the barrage of requests.

Because of the brokenness of DMCA, the entertainment industry has turned it into a potent weapon of suppression. It can be used to take down just about any site in a one-two punch combo. The first stage is legal pressure – they send their lawyers against the site owners and pressure them to become DMCA compliant. The promise is that once you put in a DMCA tak-down system and let them remove their latest releases from your site, they will back down. Then as soon as a site becomes compliant the take-down companies enter the picture and pounce on it nuking all the content with extreme prejudice. And you know what? This works. It is astonishingly effective – but it takes time, and costs money.

When SOPA supporters were saying that DMCA is too slow, they did not mean that it is not quick enough at removing requested files. No, it works fine for that – but entertainment industry no longer cares, because it is a Sisyphean work. They no longer use DMCA as a protection tool. They use it as a website takedown weapon. As such DMCA is just too slow at sinking pirate sites – especially ones that don’t care about compliance. This is why they wanted SOPA – an instant “nuke this site” button.

I’m glad SOPA got tabled, but we should not forget that you can do a lot of damage with DMCA alone. I don’t condone piracy as such, but if you happen to run a site with user submitted content, and some of your users turn to piracy, you might one day find yourself in the cross hairs of one of the takedown companies and under a legal pressure to create automated compliance tools. This is a trap. As soon as you allow them to issue take down notices they will pounce and DDOS you. If you refuse, or cap them, they will use it to build a legal case against you that may really hurt you in a civil suit, or lead to a criminal indictment. It seems that the only way to be safe, is not to allow user submitted content. And that makes me worried about the future of the internet.