Several of my friends have posted today that they think that the Anonymous DDOS attack against the websites for the FBI, the DOJ, MPAA, RIAA and others was wrong. I disagree with them and there is a lengthy reason why. Let me walk you through the Saga of MegaUpload.
For those who don’t know, MegaUpload is a file sharing site. People use this site because they tend to sometimes have files that exceed the capacity limits of regular email providers, and they need to send those files to other people. There are whole broad range of websites who perform this service including YouSendIt and DropBox. But MegaUpload was extremely popular because they had great connection speeds and a lot of individuals and businesses used it for its intended purposes. Well, with any file sharing service comes a crop of people who use that service to share copies of copyright protected material. Some users had taken advantage of the unlimited file sizes and uploaded entire sets of television shows and DVD rips, CDs and more. When you upload a file you get a link to somewhere on the MegaUpload server, that you can share with whomever, and some people shared those links with the entire world.
Now, as I said before, every website that allows users to upload content runs into this problem one way or another. So, Congress when they were exploring legal options for the future of protecting copyright crafted the Digital Millennium Copyright Act. In the DMCA there is a provision for businesses who run upload sites to be exempted from copyright lawsuits and to continue doing business so long as they investigate and take down infringing content when prompted by a copyright holder. This is called the “Safe Harbor” provision. Every site that hosts user uploads has to comply with this, for fear of losing their entire business. YouTube provides one of the main examples of how this works. Say someone saves an mp4 of Saturday Night Live, they clip a skit out from the show and upload that as a YouTube video. NBC Universal owns the right to reproduce SNL videos and they find that clip on YouTube. They tell YouTube to take down the video because it’s infringing on their copyright. YouTube checks the video and takes it down if they believe that the copyright holder is in the right. Though more often than not the link will get taken down first, the link uploader will write back to YouTube and tell them that this was wrong and that they do own the copyright for real and then the link gets restored.
In early December MegaUpload released a promotional video on YouTube made by a number of high profile recording artists like Kanye West, Snoop Dogg, Alicia Keys, and Will.i.am to promote the use of MegaUpload. Universal Music Group promptly filed a DMCA takedown request with YouTube to have the video suppressed, because UMG, the parent company for many of these artists, believes that MegaUpload is a threat to their business model, and the Recording Industry Association of America has deemed MegaUpload a “rogue site.” So, even though all of the artists have contracts on file with MegaUpload to perform and distribute the song, UMG filed this takedown notice claiming that there were some people on there who didn’t in fact actually agree to it. It went back and forth for a while at YouTube and eventually it just got taken down entirely. On December 13 MegaUpload announced that it was going to directly sue UMG for filing false DMCA takedown requests. The thing that was even more interesting is that UMG filed a DMCA take down notice for a local news program who played the video in the background of a report about the UMG MegaUpload controversy, and YouTube took that down too.
Now all of this was happening while in the background there was a slowly simmering online opposition to the impending SOPA and PIPA legislation that I wrote about previously. As many people pointed out SOPA would eradicate the safe harbor provisions inherent in the DMCA, making sites like YouTube, DropBox, and MegaUpload vulnerable to DNS seizure by the federal government. As the internet began to rally against SOPA the entire conversation about MegaUpload began falling by the wayside.
On January 18th, a host of prominent and powerful websites participated in an internet blackout in response to SOPA. The effect was tremendous, and number of legislators who had originally been backing SOPA and PIPA in Congress pulled their support, many who were undecided declared their opposition, and ultimately Patrick Leahy and Lamar Smith tabled both bills. No one is under any delusion that there won’t be new versions of these bills coming out sometime in the near future, but the legislation as it was originally drafted is not coming back.
The very next day Federal agents shut down MegaUpload, raided the homes of their founder and staff and seized data centers in three different countries. It’s kind of hard to say that it wasn’t an attack of vengeance, or a strike back against the derailment of SOPA. In fact former Senator Chris Dodd, who is now the public face of the Motion Picture Association of America, basically said that Obama could just forget about Hollywood financing if he doesn’t get tough on piracy. Sure, correlation is not causation, but it sometimes is just a lot of correlation. To threaten the campaign funding of an incumbent President to get your way, well, that sure looks a lot like blackmail for favors.
The hacker community swiftly responded with a coordinated DDOS attack against the public websites for the Department of Justice, the FBI, Universal Music Group, the RIAA, and MPAA. Where people have been losing their minds is when irresponsible journalists like those at the Washington Post use headlines that say that the Department of Justice was “hacked.” No, the DOJ was not “hacked.” Nothing was broken into. No files were stolen or compromised. These sites were hit with a distributed denial of service attack against their public websites. DDOS is basically when a website is hit all at once with a huge number of requests to send the content to a browser. The volume of requests can’t be handled by the web servers and it slows to a crawl. This renders the website inaccessible during the timeframe of the attack. In this case the DDOS lasted 70 minutes.
As a former federal employee, I can tell you that I used my agency’s publicly facing website 0% of the time. All of my activities for my work happened entirely on intranet systems or external vendor services that would not be effected by something of this nature. I imagine the same is true of any company, government agency, or non-profit institution. DDOSing a public website just means that someone from the public can’t go to that website until the DDOS is over. Given the length of time that Anonymous ran this attack, the sites that were targeted, and the irrelevance to business operational functions, my opinion of this DDOS attack is that it served simply as a statement. Hackers were pissed that a popular site was taken down, so they sought to “take down” those responsible. Is it juvenile? Sure. Does it make a point? Absolutely.
Putting the activities of Anonymous aside, there are a ton of reasons why the MegaUpload raid was uncalled for, and that the DOJ may have an extremely difficult time pushing this to conviction. TechDirt did some really great analysis of how the indictment is not only problematic, but attempts to prosecute the case in a method that is inconsistent with previous cases of its type. It’s definitely worth taking a look.
The main problem that I have with the MegaUpload take down is that thousands millions of innocent, non-infringing people are being screwed out of content that they legitimately own. MegaUpload had over 150 million users, and nearly 50 million hits per day. All of that can’t be infringing material. A personal friend of mine had all of his music backed up on MegaUpload. He didn’t make his links available to anyone but himself, and as a storage solution this was great. The same is true of a number of companies and non-profits, like Public Knowledge. Software developers would use MegaUpload to host code they were working on to build new apps. And this is exactly why the DMCA has a safe harbor protection. The fallout for taking down a website like this is so much greater than just the people who are committing acts that violate copyright. It means that people who use this service for legitimate purposes have no recourse to regain their data. Even if Kim Dotcom and his staff are acquitted, the servers and their data will remain as evidence in a warehouse somewhere throughout the course of the trial.
Opposition to SOPA and PIPA was based around provisions in those bills that would make practices like what is currently happening to MegaUpload the norm. Any website that was accused of being non-compliant would be raided, shutdown and prosecuted. There didn’t even have to be a finding of fact, or a trial, just an accusation. As Matthew Inman from The Oatmeal said in his hilarious and brilliant animation it’s like dealing with a lion who escaped from the zoo by using a flame thrower on a basket of kittens. Yes. Copyright violation is bad. But so is deleting the files of thousands of innocent people who use a service for legitimate means. While the DMCA may not be perfect, they did get one thing absolutely right and that was that prosecution for copyright violations should target the offenders, not the service they use.