Did I receive fraudulent DMCA takedowns?
Wed 21 June 2023
Tagged: ipfs, cybercrime
I received 3 DMCA takedown emails today, covering 7350 URLs on my hardbin.com IPFS gateway. The URLs were allegedly serving infringing copies of books. The strange part is that of those 7350 URLs, during the time for which I have nginx logs, none of them have ever been accessed, and of the ones that I checked, none even worked. Does this mean the DMCA takedown notices were fraudulent?
The notices were actually sent to abuse addresses at DigitalOcean and Gandi, and I think Gandi forwarded them to me.
I have now taken hardbin.com down completely because dealing with this sort of thing makes it less fun to run and more like hard work, but I do still have a copy of the log files.
I did some bash-fu to extract the IPFS hashes from the emails and grep for them in my nginx logs, and was surprised to find not a single match.
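A cross-check of this kind, written as an added example (not the author's own script): it pulls the CIDs out of a notice, then counts how often each was requested and how often the gateway answered 2xx. It assumes path-style /ipfs/<CID> URLs and nginx's "combined" log format; the CIDs and log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the author's script): which CIDs named in a takedown
# notice were ever requested through the gateway, and with what result?
# Assumes path-style URLs (/ipfs/<CID>) and nginx's "combined" log format.

# Print each distinct CID in the text on stdin (CIDv0 "Qm...", CIDv1 base32).
extract_cids() {
    grep -oE 'Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58}' | sort -u
}

# cid_hits CID_FILE ACCESS_LOG -> "CID total_requests requests_answered_2xx"
cid_hits() {
    awk '
        FILENAME == ARGV[1] { listed[$1] = 1; next }   # CIDs from the notice
        {
            path = $7; sub(/\?.*/, "", path)            # drop any query string
            n = split(path, part, "/")                  # "", "ipfs", CID, ...
            if (n >= 3 && part[2] == "ipfs" && (part[3] in listed)) {
                total[part[3]]++
                if ($9 ~ /^2/) ok[part[3]]++            # $9 is the HTTP status
            }
        }
        END { for (c in listed) printf "%s %d %d\n", c, total[c], ok[c] }
    ' "$1" "$2" | sort
}

# summarise CID_FILE ACCESS_LOG -> one line of totals
summarise() {
    cid_hits "$1" "$2" | awk '
        { n++; if ($2 > 0) seen++; if ($3 > 0) served++ }
        END { printf "listed=%d requested=%d served=%d\n", n, seen, served }'
}

# Constructed sample data: placeholder CIDs of the right length, not real content.
logline() {  # logline PATH STATUS -> one combined-format access log line
    printf '192.0.2.1 - - [21/Jun/2023:10:00:00 +0000] "GET %s HTTP/1.1" %s 160 "-" "curl/8"\n' "$1" "$2"
}
pad=$(printf '%043d' 0 | tr 0 A)
c1="Qm${pad}B"; c2="Qm${pad}C"; c4="Qm${pad}D"
c3="b$(printf '%058d' 0 | tr 0 a)"
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
printf 'https://hardbin.com/ipfs/%s\n' "$c1" "$c2" "$c3" "$c1" > "$work/notice.txt"
{
    logline "/ipfs/$c1" 504                      # listed, gateway timed out
    logline "/ipfs/$c3/book.pdf?download=1" 200  # listed, actually served
    logline "/ipfs/$c3" 504
    logline "/ipfs/$c4" 200                      # served, but not in the notice
} > "$work/access.log"
extract_cids < "$work/notice.txt" > "$work/cids.txt"
summarise "$work/cids.txt" "$work/access.log"
```

A listed CID with zero requests was never fetched through this gateway during the period the logs cover; one that was requested but never answered 2xx was asked for and not served.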
In case you are interested, I have posted the contents of the takedown notices in GitHub gists:
Graham pointed me at a Law.StackExchange thread covering what happens if you send false DMCA takedown notices. The short answer is I think nobody has ever faced criminal charges, and there have been a very tiny number of civil cases.
The emails are sent from "firstname.lastname@example.org". There is a login form on www.ciu-online.net, but it is incredibly generic, so it's hard to work out who is behind it:
The name at the bottom of the emails is "Gareth Young, Internet Investigator". I did find a slideshow on Creating a Global Internet Anti-Piracy Strategy by a "Gareth Young - Senior Internet Investigator" who apparently worked for Covington & Burling LLP, although the name Gareth Young does not currently appear in their A-Z list of "Professionals". It is certainly possible that this is nothing to do with Covington & Burling LLP; I have nothing but that slideshow to suggest any link to that company.
Page 14 of the slideshow, "What Are Your Options?" includes "Make it less fun to run and more like hard work".
Certainly the receipt of these DMCA takedown notices has made hardbin.com less fun to run and more like hard work, albeit that nobody was using hardbin.com to pirate any of the books he listed (so it has had no effect on piracy whatsoever), nor indeed did he even check whether hardbin.com could be used to access the URLs he listed, because there were no requests in my logs for any of the 7350 URLs. I checked a few, and they didn't work; they just gave 504 Gateway Timeout responses.
Apparently the DMCA requires "a statement that the information in the notification is accurate". So what does the information in the notification actually say?
3. Statement of authority:
I swear, under penalty of perjury, that the information in the notification is accurate [...]
(The only part that the DMCA states is under penalty of perjury is the assertion that the complaining party is authorised to act on behalf of the copyright owner. As far as I can tell, there is not in fact a penalty of perjury for putting other false information in a DMCA takedown notice. But never mind that part.)
Gareth Young, Internet Investigator, swears, under penalty of perjury, that the information in the notification is accurate. But section 2 begins:
2. Copyright infringing material or activity found at the following location(s):
Copyright infringing material or activity could not have been found at those locations because in order to find it you must have accessed it, and since my logs show that nobody accessed it, we can infer that Gareth Young, Internet Investigator, cannot have found it. It is not enough to make the leap from "this content exists at this IPFS hash" to "this IPFS gateway allows access to this content" because you don't know if the hash is already blocked in the web server configuration, or if the server is broken in some way that prevents access to that hash, etc.
I believe this amounts to inaccurate information in the DMCA notice.
I found an ipfs-gateway-dmca-requests GitHub repo which documents a similar phenomenon on a different IPFS gateway, although it seems they've been subject to it since at least the 15th of February 2022 - over a year ago.
The README in that repo also suggests that that person's DMCA requests also usually come from someone called Gareth Young, and are also sent without first checking whether the allegedly infringing URLs are actually infringing.
So are these DMCA takedowns fraudulent? And, if so, what can we do about it?