DCA Releases New Report on Piracy Sites and Malware

Apropos my recent response to the EFF’s standard policy of shrugging at online piracy, I want to highlight one paragraph from the post to which I replied. Katherine Trendacosta wrote:

From the fever-pitch moral panic of the early 2000s, discussions about “piracy” disappeared from pop culture for about a decade. It’s come back, both from the side explaining why and the side that wants everyone punished.

Aside from the statement being inaccurate—discussions about piracy have persisted (often quite heatedly) every year since the Napster days—I cite the quote here because its sarcasm derives from that common fallacy which asserts that piracy is a victimless crime. No, it is not.

If one wants to cling to the rationale that because certain artists are wealthy, piracy is therefore harmless to creators, fine. Whatever. But the fact that EFF and other “digital rights” groups so consistently echo the alleged “harmlessness” of piracy suggests that they’re not terribly concerned about the broader security threats posed by this $2 billion/year, global, criminal enterprise.

In a new report published yesterday, Digital Citizens Alliance tells us that the 500 pirate sites studied in its latest research—there are thousands of pirate sites—earn at least $121 million per year just by hosting “malvertising” (i.e., ads designed to deliver malware). Entitled Unholy Triangle, the report was produced in collaboration with brand safety organization White Bullet and cyber security firm Unit 221B. It describes a symbiotic relationship between malvertisers and pirate sites—two sides of the triangle—and the various ways these parties profit by endangering visitors to pirate platforms—the third side of the triangle.

Highlights from the Report

Researchers found that among the sites studied, 8 in 10 were littered with ads specifically created to entice clicks that will instantly download malware to a device or network. One out of every six visits to pirate sites, the report says, will encounter an attempted malware attack. The most popular type of bug is ransomware, but the researchers also found trojan horses and other malware used to obtain personal or financial information and/or to take control of devices. Of that $121 million annual revenue the pirate sites acquire from serving malvertising, the report states that more than half ($68.3 million) came from U.S. visits.

Among the most compelling, albeit ironic, details revealed by the report is that the majority of ads used to trigger responses are based on fear—specifically, fear of malware! It seems that because many pirate site visitors know they are exploring illegal and sketchy platforms, they are more susceptible to pop-up and pop-under ads warning them that their devices may be infected, or that they should make changes to their devices to ensure their security or anonymity.

A visitor clicks that ad offering to protect her device, immediately downloads malware, and within minutes,[1] her files are locked up, and she will soon receive a ransom demand promising to release those files for $800 to $1,000—in crypto, of course. Even people who pay these ransom demands report that, at best, they get about 65% of their data back, and there is no reason to assume that the hacker(s), who this report indicates are mostly located in Russia, will restore any data once they’re paid.

Ad Intermediaries Facilitate Sketchy Ads

DCA notes the success of initiatives like the Trustworthy Accountability Group (TAG), which launched in 2015 to extricate the legitimate advertising industry from the piracy business. But, the report describes certain advertising intermediaries that seem to straddle the legal and illegal trade. For instance, researchers focused on intermediary RichAds, which the report describes as follows:

RichAds is an advertising company that touts its ability to capture new quality leads from premium sources through its productive ads. The company is listed as being based in Cyprus, with many of its employees listing Belarusian universities as their alma maters on LinkedIn. It promises to deliver the best traffic and claims, on its LinkedIn page, that “We block any bot or other fraudulent traffic.”

Researchers sent the ad shown here for approval and received a “no problem” message from RichAds. This was hardly surprising because, looking a bit further, it appears that this intermediary is not just turning a blind eye to malware campaigns but is promoting its services to facilitate malvertising on pirate sites. “In the case study [used to promote itself], RichAds highlights how the customer relied upon the company to generate and place ads that ‘warned’ users that a virus was detected on their devices and they needed to update their antivirus software,” the report states.

National Security Implications

With operators in countries like Russia and Belarus—and with more than half the malvertising revenue (measured in this report) being generated by American visits to pirate sites—questions about national security come to mind. No, I am not saying that some teenager in Indiana illegally streams Stranger Things, and the power grid shuts down—and neither is DCA. But with more telecommuting and more connections between critical enterprise databases and personal networks, the vulnerabilities to the former have increased, and enterprises are big fish for ransomware hackers.

Whether there is any crossover between the private malvertising industry and state-directed hacking aimed at the U.S. is a matter of speculation, but as the DCA report puts it:

Russia, China, Iran, and North Korea make up half of [all ransomware attacks]. As their primary target is the United States, it’s a safe assumption that the motivations go beyond financial to geo-political with national security implications. Those concerns have some states reconsidering the protocols for dealing with an attack on government operations.

Hardly Victimless

Clearly, even if one does not give a RAT’s butt about creators’ works being illegally distributed, piracy is not a victimless crime. On the contrary, a substantial and growing revenue stream for the pirate site operators is, in fact, a trade in victims. Whether it’s slaving personal computers, identity theft, or delivering ransomware to a pharmaceutical company, malware is big business, and piracy sites continue to be an excellent super-spreader.

After about ten years of reading DCA’s reports, this recent one comes closest to at least implying that media piracy can be a vector for malware attacks on something larger than personal computers. Assuming that’s not an exaggeration, the “digital rights” groups may need to drop the false narrative that mitigating piracy comes at the cost of online “freedom.” Site blocking, technical measures, and other means to interdict the piracy trade become very different conversations, if we are indeed talking about critical supply chains and not just “Hollywood.”


[1] The report cites Paul Watters, who “found it typically takes just 42 seconds for an ‘advanced persistent threat’ such as malware to infect a Windows device and 78 seconds to infect an Android device.”

Tedious Anti-Copyright Stance of EFF is Not About Protecting Anyone

Welp (as the kids say), it looks like Katherine Trendacosta of the Electronic Frontier Foundation (EFF) found an old PowerPoint deck from 2012 and used it to write a new post ominously titled Hollywood’s Insistence on New Draconian Copyright Rules Is Not About Protecting Artists.

Typical of the EFF playbook, Trendacosta devotes an entire post to maligning the motion picture industry rather than addressing the “rule” (the SMART Act), which she does not even mention until the final paragraph. At that point, the reader is meant to take her word for it that the proposed legislation is bad because—believe it or not—there is too much diversity and choice in the streaming market, and because film producers want to make money.

Ms. Trendacosta calls streaming a “hellscape” where consumers cannot find what they want and/or where shows and films are canceled or moved to different platforms. She writes, “It’s disingenuous for Hollywood’s lobbyists to claim that they need harsher copyright laws to protect artists when it’s the studios that are busy disappearing the creations of these artists.”

“Hellscape” is a bit dramatic as critiques go, given that market research indicates that 74% of consumers report being satisfied with streaming and that those numbers are currently trending upward. Of course, the anti-copyright playbook Trendacosta is using tells her to imply that when producers make market decisions to stop producing a given work, or to move a work from one channel to another, this is “disappearing” material that should be available in perpetuity. In fact, she inscrutably cites the “disappearance” of a film which is temporarily being made available in a new 4K cinema format and will return to streaming in a matter of months. Hellish, no?

Perhaps Trendacosta is unaware that we are enjoying a new golden age of filmed entertainment available on—or produced especially for—the private screen market. Streaming models have fostered a diverse range of projects that would never have been made, let alone been sustainable, in the narrower distribution paradigms pre-Netflix. But a reality of all this bounty is that more experimentation and risk-taking means that a higher volume of material will be canceled or redistributed more frequently as audiences respond to what gets made. That’s just the business of making entertainment media, and the EFF always acts as if the business is what makes efforts to mitigate piracy somehow dishonest or sinister.

Here, Trendacosta digs a little deeper into the big box of EFF’s toys and argues that ordinary tensions that arise among studios and talent—including strikes and financial disagreements—are evidence that the parties seeking remedies to piracy “don’t care about artists.” True to form, the folks at EFF pretend to care about artists by erecting a false dichotomy between the creators who work on projects and Hollywood, where “Hollywood” is a generic term to describe a monolith that does not exist.

It’s a very strange argument because the artists to whom Trendacosta refers in those strikes, etc., want money, too. In fact, money is often exactly why they have disagreements with certain producers or studios. Yet, Trendacosta elides the fact that piracy hurts everyone in the ecosystem, regardless of their internal disputes and negotiations with one another. That’s why unions like DGA, WGA, and IATSE are members of the Copyright Alliance and work closely with the studios to fight piracy. It is categorically false to suggest that large studios are the only parties with an interest in this issue. As independent filmmakers and other artists have explained repeatedly, it’s the smaller, independent projects that are most vulnerable to the negative effects of piracy.

And let’s be honest. EFF opposes all copyright enforcement measures in the same style as this post—no substance, just uninformed, ad hominem attacks—and it behaves no differently when smaller groups or indie artists seek copyright remedies in Congress.

So, what is the supposedly “harsh” new piracy remedy that EFF is opposing this time?

The Strengthening Measures to Advance Rights Technologies (SMART) Act is a legislative response to the fact that for more than 25 years, Big Tech has refused to fulfil its side of the bargain struck with the adoption of Section 512 of the DMCA. Simply put, Section 512(i) requires online service providers to collaborate with copyright owners to develop standard technical measures (STM) to identify and expeditiously remove infringing content from internet platforms.

But not only did the development of STM never quite happen, the Googles and Facebooks of the world, who came after the OSPs that negotiated the DMCA, benefitted from mass infringement on their platforms because the DMCA shielded them from liability.

SMART seeks to address more than two decades of stonewalling by adding a new Section 514 to the DMCA that would create new remedies to confront Big Tech’s refusal to adopt appropriate and affordable technical measures to reduce online piracy. At the same time, its proposals would protect smaller and less well-resourced service providers by calling for a variety of tailored and practical technical measures to be developed under a multi-stakeholder process overseen by the Librarian of Congress.

This is what the EFF is calling “draconian”—a proposal to restore the intent of the DMCA as it was enacted in 1998. SMART is the first substantive response to Big Tech’s two big lies: 1) We can’t do it; and 2) We shouldn’t do it because it will chill speech. Those arguments have worn paper thin in recent years given the role these same companies have played in fostering the most toxic, Republic-shaking nonsense ever to be “freely spoken.” But credit where it’s due. At least Ms. Trendacosta didn’t say SOPA.

Brief in Defense of CDL Indicts Internet Archive and CDL

Among the amici who filed briefs in Hachette v. Internet Archive is former law professor and library director Michelle Wu, who, as the brief states, “…is recognized by many as the originator of the legal theory underlying controlled digital lending (“CDL”) ….” With her brief, Wu seeks to defend CDL as a doctrine and asks the court to limit its considerations to the facts related solely to IA’s conduct and to reject what she calls the publishers’ overbroad “attack” on CDL itself. She states:

CDL takes many forms. Many libraries around the United States offer works through CDL subject to their own individual platforms and practices. The arguments offered by Plaintiffs in support of their motion for summary judgment are a broad-based attack on all of them, shoehorning the very concept of CDL into a dispute about the Internet Archive’s individual implementation of it.

Before addressing the arguments presented in the brief, it is noteworthy that if Ms. Wu would have CDL inoculated against the conduct of Internet Archive, she and her colleagues have had ample time to distance themselves and the legal theory from IA’s founder and avowed anti-copyright crusader Brewster Kahle. Because one year after IA engaged in the infringing conduct that triggered the publishers’ litigation (March 2020), Wu was a key member in a Public Knowledge-hosted panel with Kahle (March 2021), entitled Burying Information – Big Tech & Access to Information.

Promoted in the wake of the January 6th insurrection as a remedy to misinformation, the panel blamed copyright law for contributing to the perils of widespread ignorance and conspiracy theories threatening democracy. Specifically, Wu et al. touted CDL as a necessary alternative to ebook library licensing on the grounds that this licensing is somehow keeping knowledge away from the very people who need it. Further, nobody on the panel disputed Kahle’s allegations that the publishers’ suit against IA was an attack on CDL and libraries in general.

So, in addition to the fact that it seems hypocritical for Wu to now ask the court to distinguish the underlying theory of CDL from the conduct and agenda of IA, it is no surprise that the arguments she presents echo the same general complaints against copyright rights articulated in that panel discussion. For instance, Wu reprises the theme that libraries are sentinels against the tide of rampant mis- and disinformation in the digital age—and repeats the claim that CDL is integral to that mission. “CDL is an essential pillar of countering misinformation by making library materials accessible, relevant, and competitive,” the brief states.

Even if that premise were not magical thinking (because lack of access is not the cause of the dangerously misinformed), Wu paints with too broad a brush in defense of her theory that CDL is inherently legal. Aside from the fact that there is no evidence that all the access to all the books in the world will disperse the fact-immune hordes from laying siege to reason,[1] Wu’s faith in the contrary betrays a general prejudice against copyright law in lieu of articulating a concise argument for the narrow opinion she claims to want from the court.

Moreover, Wu may be blind to the fatal flaw in her central argument when she says that “many libraries” use CDL in different ways to achieve a variety of purposes. The problem with her list of general examples (e.g., CDL for preservation, serving readers with disabilities, etc.) is twofold. First, many of the examples stated or implied are activities exempted for libraries by statute. Second, the possibility that certain activities of several libraries may be allowed by fair use undermines the broad sweep of Wu’s defense by emphasizing that fair use is a fact-intensive, case-by-case consideration.

Finally, and perhaps most importantly, a fair use defense does not turn on a particular method of copying or making a work available. The CDL theory asserts that it is legal for a library to essentially make its own ebooks from the printed books in its collection, as long as it never loans more electronic copies than it owns physical copies that were legally obtained. Wu’s brief impliedly acknowledges that Internet Archive did not adhere to the “controlled” part of CDL, but in seeking to rescue “real CDL,” the brief is tellingly overstuffed with allegations that, even if true, are not applicable to a question of fair use.

For instance, Wu refers to budgetary constraints of libraries and the supposedly onerous cost of ebook licensing by publishers. But even if this allegation were valid for most libraries—and it does not appear to be—it would say nothing about whether a library’s version of CDL would fall under the fair use exception. On the contrary, Wu’s complaint about existing ebook licensing effectively acknowledges that CDL is a means of bypassing that licensing model and implies that this is justified by cost.

This argument is barely distinguishable from familiar rationalizations for large-scale piracy, which any court should find unpersuasive in general and should find meaningless as a fair use question. The amount of a licensing fee demanded for any work is immaterial to the question of whether a user who avoids paying the license is making a fair use. Wu’s attention to the cost of ebook licensing seems meant to distract from the reality that, even with the controls in force as prescribed by the CDL theory, the model displaces the authors’ right to license ebooks on their terms to libraries. And this market substitute consideration should ultimately doom a fair use defense on all four factors.

This consideration would be unaffected even if ebook licenses were shown to be onerous, because such a complaint, if valid, would properly sound in antitrust law or consumer protection or be argued before Congress seeking a new library-based exemption in the Copyright Act.[2] But because allegations of burdensome pricing models are not properly addressed by fair use, this suggests, again, that Wu and her colleagues defending CDL are admitting that the model is a market substitute and believe that it should be based on their own ideological reasoning.

Several aspects of Internet Archive’s operation, including the activities at issue in this litigation, disqualify the entity from statutory exemptions accorded to libraries in Section 108 of the Copyright Act. Inasmuch as IA tries to stand in the shoes of real libraries, this is a PR message for social media but one without a foundation in law. And because IA is not a real library, a finding that its conduct is legal would only further embolden any commercial enterprise to engage in mass, unlicensed digitization and distribution of ebooks and other works.

By contrast, Wu’s insinuations of difficulties for legit libraries engaged in “many forms” of CDL are either unfounded or, perhaps, they inadvertently implicate some of those libraries in infringing conduct. Either way, facts pertaining to the operation of some number of unnamed libraries are not before the court in this case, and only a detailed accounting of those facts, library-by-library, could have any legal bearing on those activities. As such, we must conclude that Wu and her colleagues simply want the courts to find that CDL is automatically fair use, and this would be doctrinally absurd. Because the courts are well aware that no conduct is automatically fair use. Not even for libraries.


[1] As noted in my post about that panel, the entire Western canon is more widely and freely available than at any time in history.

[2] In fact, the state ebook licensing laws for libraries have largely been premised on consumer protection and still failed, thus far, as unconstitutional state compulsory licenses.
