The Saga of MegaUpload

This is what you see when a website is seized by the federal government.

Several of my friends have posted today that they think that the Anonymous DDOS attack against the websites for the FBI, the DOJ, MPAA, RIAA and others was wrong.  I disagree with them and there is a lengthy reason why.  Let me walk you through the Saga of MegaUpload.

For those who don’t know, MegaUpload is a file sharing site.  People use this site because they tend to sometimes have files that exceed the capacity limits of regular email providers, and they need to send those files to other people. There are whole broad range of websites who perform this service including YouSendIt and DropBox.  But MegaUpload was extremely popular because they had great connection speeds and a lot of individuals and businesses used it for its intended purposes.  Well, with any file sharing service comes a crop of people who use that service to share copies of copyright protected material.  Some users had taken advantage of the unlimited file sizes and uploaded entire sets of television shows and DVD rips, CDs and more.  When you upload a file you get a link to somewhere on the MegaUpload server, that you can share with whomever, and some people shared those links with the entire world.

Now, as I said before, every website that allows users to upload content runs into this problem one way or another.  So, Congress when they were exploring legal options for the future of protecting copyright crafted the Digital Millennium Copyright Act.  In the DMCA there is a provision for businesses who run upload sites to be exempted from copyright lawsuits and to continue doing business so long as they investigate and take down infringing content when prompted by a copyright holder.  This is called the “Safe Harbor” provision.  Every site that hosts user uploads has to comply with this, for fear of losing their entire business.  YouTube provides one of the main examples of how this works.  Say someone saves an mp4 of Saturday Night Live, they clip a skit out from the show and upload that as a YouTube video.  NBC Universal owns the right to reproduce SNL videos and they find that clip on YouTube.  They tell YouTube to take down the video because it’s infringing on their copyright.  YouTube checks the video and takes it down if they believe that the copyright holder is in the right.  Though more often than not the link will get taken down first, the link uploader will write back to YouTube and tell them that this was wrong and that they do own the copyright for real and then the link gets restored.

In early December MegaUpload released a promotional video on YouTube made by a number of high profile recording artists like Kanye West, Snoop Dogg, Alicia Keys, and Will.i.am to promote the use of MegaUpload.  Universal Music Group promptly filed a DMCA takedown request with YouTube to have the video suppressed, because UMG, the parent company for many of these artists, believes that MegaUpload is a threat to their business model, and the Recording Industry Association of America has deemed MegaUpload a “rogue site.”  So, even though all of the artists have contracts on file with MegaUpload to perform and distribute the song, UMG filed this takedown notice claiming that there were some people on there who didn’t in fact actually agree to it.  It went back and forth for a while at YouTube and eventually it just got taken down entirely.  On December 13 MegaUpload announced that it was going to directly sue UMG for filing false DMCA takedown requests.  The thing that was even more interesting is that UMG filed a DMCA take down notice for a local news program who played the video in the background of a report about the UMG MegaUpload controversy, and YouTube took that down too.

Now all of this was happening while in the background there was a slowly simmering online opposition to the impending SOPA and PIPA legislation that I wrote about previously.  As many people pointed out SOPA would eradicate the safe harbor provisions inherent in the DMCA, making sites like YouTube, DropBox, and MegaUpload vulnerable to DNS seizure by the federal government.  As the internet began to rally against SOPA the entire conversation about MegaUpload began falling by the wayside.

On January 18th, a host of prominent and powerful websites participated in an internet blackout in response to SOPA.  The effect was tremendous, and number of legislators who had originally been backing SOPA and PIPA in Congress pulled their support, many who were undecided declared their opposition, and ultimately Patrick Leahy and Lamar Smith tabled both bills.  No one is under any delusion that there won’t be new versions of these bills coming out sometime in the near future, but the legislation as it was originally drafted is not coming back.

The very next day Federal agents shut down MegaUpload, raided the homes of their founder and staff and seized data centers in three different countries. It’s kind of hard to say that it wasn’t an attack of vengeance, or a strike back against the derailment of SOPA.  In fact former Senator Chris Dodd, who is now the public face of the Motion Picture Association of America, basically said that Obama could just forget about Hollywood financing if he doesn’t get tough on piracy.  Sure, correlation is not causation, but it sometimes is just a lot of correlation.  To threaten the campaign funding of an incumbent President to get your way, well, that sure looks a lot like blackmail for favors.

Anonymous flag via WikiMedia Commons

The hacker community swiftly responded with a coordinated DDOS attack against the public websites for the Department of Justice, the FBI, Universal Music Group, the RIAA, and MPAA.  Where people have been losing their minds is when irresponsible journalists like those at the Washington Post use headlines that say that the Department of Justice was “hacked.”  No, the DOJ was not “hacked.”  Nothing was broken into.  No files were stolen or compromised.  These sites were hit with a distributed denial of service attack against their public websites.  DDOS is basically when a website is hit all at once with a huge number of requests to send the content to a browser.  The volume of requests can’t be handled by the web servers and it slows to a crawl.  This renders the website inaccessible during the timeframe of the attack.  In this case the DDOS lasted 70 minutes.

As a former federal employee, I can tell you that I used my agency’s publicly facing website 0% of the time.  All of my activities for my work happened entirely on intranet systems or external vendor services that would not be effected by something of this nature.  I imagine the same is true of any company, government agency, or non-profit institution.  DDOSing a public website just means that someone from the public can’t go to that website until the DDOS is over.  Given the length of time that Anonymous ran this attack, the sites that were targeted, and the irrelevance to business operational functions, my opinion of this DDOS attack is that it served simply as a statement.  Hackers were pissed that a popular site was taken down, so they sought to “take down” those responsible.  Is it juvenile?  Sure.  Does it make a point?  Absolutely.

Putting the activities of Anonymous aside, there are a ton of reasons why the MegaUpload raid was uncalled for, and that the DOJ may have an extremely difficult time pushing this to conviction.  TechDirt did some really great analysis of how the indictment is not only problematic, but attempts to prosecute the case in a method that is inconsistent with previous cases of its type.  It’s definitely worth taking a look.

The main problem that I have with the MegaUpload take down is that thousands millions of innocent, non-infringing people are being screwed out of content that they legitimately own.  MegaUpload had over 150 million users, and nearly 50 million hits per day.  All of that can’t be infringing material.  A personal friend of mine had all of his music backed up on MegaUpload.  He didn’t make his links available to anyone but himself, and as a storage solution this was great.  The same is true of a number of companies and non-profits, like Public Knowledge.  Software developers would use MegaUpload to host code they were working on to build new apps.  And this is exactly why the DMCA has a safe harbor protection.  The fallout for taking down a website like this is so much greater than just the people who are committing acts that violate copyright.  It means that people who use this service for legitimate purposes have no recourse to regain their data.  Even if Kim Dotcom and his staff are acquitted, the servers and their data will remain as evidence in a warehouse somewhere throughout the course of the trial.

Opposition to SOPA and PIPA was based around provisions in those bills that would make practices like what is currently happening to MegaUpload the norm.  Any website that was accused of being non-compliant would be raided, shutdown and prosecuted.  There didn’t even have to be a finding of fact, or a trial, just an accusation.  As Matthew Inman from The Oatmeal said in his hilarious and brilliant animation it’s like dealing with a lion who escaped from the zoo by using a flame thrower on a basket of kittens.  Yes.  Copyright violation is bad.  But so is deleting the files of thousands of innocent people who use a service for legitimate means.  While the DMCA may not be perfect, they did get one thing absolutely right and that was that prosecution for copyright violations should target the offenders, not the service they use.

Advertisements

LiveJournal DDoS: An Actual Internet Human Rights Violation

Over the last few weeks I’ve been blogging about Andre Vrignaud’s data capping internet shutoff, and whether or not that could be construed as a human rights violation.  Most people seem to be of the opinion that it’s really pushing a button that doesn’t need to be pushed (the human rights card?).  But here’s something that is in fact an actual violation of human rights: the LiveJournal DDoS attack that’s happening right now.

You may or may not know about LiveJournal.  It was one of the early blogging platforms to come out in 1999 right around when blogging was the thing and Facebook didn’t exist.  But unlike other blogging platforms, LiveJournal was much more social.  You could add friends who also had LJ accounts.  You could join groups.  When you posted an update it could be made totally public, available to a group, available to all your friends, available to a customized list of your friends, or only available to yourself.  That level of granular sharing detail is unheard of in the world of blogging.  Hell, it’s unheard of on Facebook!  Only in Google+ do you get that level of customizable content sharing, and even that only started about a month ago!  LJ has been doing this for over a decade, because they understand that you don’t always want to post things to the entire world.

LiveJournal was purchased several years ago by a company called SUP, which is based in Russia.  LiveJournal had been a very global company in general prior to that, and Russian activity on LJ was very high.  Today, over 80 of the top 100 Russian bloggers use LJ professionally.

And that is a problem to the Russian government.  Many of these bloggers are extremely vocal about political corruption in Russia and they use LJ to call people out.

For the last few weeks the entirety of LiveJournal has been assaulted by a Distributed Denial of Service attack.  From what the folks at LJ can surmise, this is a direct attempt to silence bloggers who are critical of the Russian government.  The impact of this is not just on Russian bloggers though, it is effecting everyone who uses LiveJournal as a blogging platform.  Numerous friends of mine have reported frustration and site outages for days.  Unfortunately you can’t even get to the site news, because of the outage.  The LiveJournal staff have had to make site outage announcements via Twitter and Facebook.

Let’s go back to the UN Special Rapporteur’s report on the internet and human rights.  This is from the section IV.E on “cyber attacks”:

The Special Rapporteur is deeply concerned that websites of human rights organizations, critical bloggers, and other individuals or organizations that disseminate information that is embarrassing to the State or the powerful have increasingly become targets of cyber-attacks. 81. When a cyber-attack can be attributed to the State, it clearly constitutes, inter alia, a violation of its obligation to respect the right to freedom of opinion and expression. Although determining the origin of cyber-attacks and the identity of the perpetrator is often technically difficult, it should be noted that States have an obligation to protect individuals against interference by third parties that undermines the enjoyment of the right to freedom of opinion and expression.

It’s unclear whether or not this is an act being perpetrated by the Russian government, but the article linked from Time magazine at the head of this piece strongly implies that it’s the most likely candidate. Especially since Russian political candidates are gearing up for next year’s election cycle, and that an attack upon LiveJournal, the country’s most powerful blogging service, could lead readers to question the credibility of the bloggers.

But whether or not this is in fact perpetrated by the state, the DDoS attack is effecting the most powerful voice of the Russian people, one that is unmediated by the government.  By taking the site down, the hackers are silencing critics of the government, and that is a violation of freedom of speech.  By extension they are also taking down the rest of the users of the system who live in other countries, including my friends and myself here in the US.

Yes, I have a LiveJournal account, and I have had one since 2002.  In fact, I have two!  When I moved to DC LJ was the only way I was able to stay connected with the vast majority of my friends around the country (Cincinnati, Seattle, Philadelphia, New York).  I have thousands of entries on LiveJournal, and still use it for personal blogging and occasional creative writing.  I started this WordPress blog for professional purposes, because I do believe in having a public and private face, though my private side is very publicly accessible.  The WordPress is strictly for me to write about libraries, technology and apparently legal issues therefrom.  The LJ is where I talk about my religion, social activism, my family, my vacations, and other juicy, intimate details that no one from my workplace ought to know about (those are hidden to my LJ friends only).

Am I claiming a human rights violation because LJ is being DDoS’d and I can’t write about my Frappuccino?  No.  I’m claiming that this the DDoS attack that LJ is currently undergoing is most likely a result of someone trying to silence critics of the Russian government, and THAT should be considered a violation according to the document released by the U.N.  I just happen to be an innocent bystander caught in the crossfire, along with over 31 million other bloggers.

The question now is, if this is in fact a human rights violation, how does one stop it?  How do you stop a DDoS attack?  Since this is directed against a very specific web service, is the UN obligated to try to do something to help LiveJournal?  Are they going to investigate the Russian government?  Sadly, I don’t think anything is really going to come of it.  Users will continue to get error messages and see Frank the Goat eating their posts until the hackers give up. If it is an attack coordinated by the state, that probably won’t let up until long after the elections are over, if then.

All I can do is sigh…