“You can remember it for us wholesale.” – the government of India, probably.
The Indian government has been working for years to ensure it has complete control of constituents’ use of the internet. It has been steadily increasing its stake in internet use for years, ensuring its interests (especially those of Narendra Modi, who has served as its Prime Minister since 2014) are shielded from the criticism of the governed.
Things have escalated in recent months. The Indian government has declared the state of the country to be Blackwatch Plaid, which means getting all up in everyone’s internet business for the alleged interests of the nation’s security.
India’s government is already home to one of the most comprehensive biometric databases in the world. It has managed to collect at least some physical data points from nearly every one of of its 1.2 billion citizens. Now, it wants to be able to tie these immutable physical characteristics to internet users, starting with entities that might be able to distance users from their online activities.
Earlier this month, the Indian government made it clear (via its cybersecurity force) that no entity was exempted from data collection and retention demands. India’s cybersecurity agency, the Computer Emergency Response Team (CERT-In), was given the power to demand information (on a historical and ongoing basis) from these entities providing services to India residents.
India’s nodal cybersecurity agency, Computer Emergency Response Team (CERT-In), has directed all service providers, intermediaries, data center providers, corporates, and government organizations to report cyber incidents within six hours of their detection.
Companies providing cloud, virtual private network (VPN) will also have to register validated names, emails, and IP addresses of subscribers.
With this data, India’s government can de-anonymize users and do whatever they think is in the easily offended Prime Minister’s best interests.
The six hour time limit is not essential to the Indian government’s national security pretense. This time limit exists solely to allow the government to punish companies moderating content generated by a country of 1.2 billion people, converting the impossibility of the job into fines, fees, self-serving public statements, and criminal actions in local courts.
The tech companies being subjected to these demands recognize the impossibility of the ask. The Indian government doesn’t care. Do or do not. There is no try. Otherwise, GTFO.
The government had its say, as The Indian Express reports:
The Indian Computer Emergency Response Team issued a directive in April asking tech companies to report data breaches within six hours of “noticing such incidents” and to maintain IT and communications logs for six months.
They also mandated cloud service providers such as Amazon and virtual private network (VPN) companies to retain names of their customers and IP addresses for at least five years, even after they stop using the company’s services.
The measures have raised concerns within the industry about a growing compliance burden and higher costs.
Those complaining about the impossibility of the task are being handed the same answer many Indian immigrants received when complaining about bigotry/bullshit in the United States after arriving in the “Land of Opportunity:” if you don’t like it, go back to where you came from.
“If you don’t want to go by these rules, and if you want to pull out, then frankly … you have to pull out,” [India junior IT minister Rajeev] Chandrasekhar told reporters.
Fuck everyone but the government, I guess. Millions of users may rely on these services, but if they can’t perform six-hour takedowns of stuff hosted at cloud services or served up via VPNs, screw the services and the users. Whatever it takes to ensure the government remains free of criticism and everyone else — whether its someone sitting at the lower end of the caste system or a billion-dollar multinational company — subservient to an ever-changing list of acceptable conditions.
India has some serious national security issues it needs to forcefully address. But those problems would be best handled by military force and diplomatic efforts. The security of the country does not flow through various internet services and certainly does not require punishing people for criticizing their government. If that’s what India wants to do, it really shouldn’t expend any more effort (physically) fighting off Chinese incursions. It should just accept who it wants to be and allow the world’s largest dictatorship to show it how oppression is really done.
Filed Under: censorship, cybersecurity, data breaches, incidents, india, takedowns, vpns, web hosting
A federal judge has just let a plaintiff know there’s a big difference between providing hosting for infringing content and actually participating in copyright infringement. ALS Scan sued basically everybody for copyright infringement after discovering adult images that it owned posted all over the web. In addition to Steadfast Holdings — the defendant just dismissed from this suit — ALS Scan sued Cloudflare, Juicy Ads, and a number of other hosting services and Does.
One by one, these defendants have been excused from the suit. The underlying logic for the dismissals is solid. Providing web hosting is not the same thing as contributory infringement, no matter how much ALS Scan wants it to be.
In the Steadfast ruling, Wu said that merely hosting a pirate site does not make the hosting service liable for any copyright infringement actions the site may be guilty of.
In its motion to dismiss, Steadfast argued that it did not manage or operate the Imagebam site, and that it only provided computer storage.
“The court is unaware of any authority holding that merely alleging that a defendant provides some form of ‘hosting’ service to an infringing website is sufficient to establish contributory copyright infringement,” Wu wrote.
“The court would therefore find that the [complaint] fails to allege facts establishing that Steadfast materially contributed to the infringement,” Wu wrote.
There’s a lot more Steadfast (and the other hosting companies) would have to do to be considered contributory infringers, and the hosting companies are doing none of those things. ALS Scan wants hosting sites to do more than they’re legally obligated to do. But it can’t sue just because it doesn’t agree with their practices. From the opinion [PDF]:
[T]he only allegations specific to Steadfast that are raised in the SAC are that Steadfast “hosts” pirate sites, including Imagebam, and that Plaintiff has sent numerous notifications to Steadfast of infringing content on Imagebam, but Steadfast has failed to implement or enforce a repeat infringer policy by removing Imagebam from its servers.
Beyond that, ALS’s complaint contains nothing that shows evidence of its claims.
Steadfast also contends that the SAC fails to allege material contribution or inducement. The Court would agree. The SAC alleges only that Steadfast “hosts” pirate sites that feature infringing content. It is entirely unclear what services Steadfast provides to Imagebam; what type of infringing activity Imagebam conducts (or even what Imagebam is); or how Steadfast contributes to or facilitates that infringing activity. As such, the Court would find that the SAC fails to plead material contribution.
The same goes for the rest of the allegations. Steadfast did not induce or contribute to infringing activity at hosted sites, nor did it somehow violate ALS’s trademarks by hosting sites where infringing images could be found.
As Judge Wu’s opinion points out, it’s not up to the court to determine whether sued websites are “responsive enough” to rightsholders’ demands. The law rightsholders wanted — the DMCA — sets the rules and as long as sites and hosts follow the statutory requirements, they’re insulated from most infringement claims.
It appears ALS is engaging in pray-and-spray litigating. Beyond the Does, there’s been no attempt made to target those actually participating in copyright infringement. Instead, ALS sued a bunch of hosting companies (and an ad network) in hopes of landing a settlement or two before its allegations were exposed as weak and baseless by the presiding judge.
Filed Under: advertising, cdn, contributory infringement, dmca, secondary liability, web hosting
Companies: als scan, cloudflare, juicy ads, steadfast holdings
(Mis)Uses of Technology
On Monday morning, we wrote about John Oliver’s brilliant report on net neutrality, which ended with a stirring “call to action” for internet commenters to tell the FCC why it should preserve a free and open internet. If you somehow missed it, here’s the clip again: Many of our commenters noted that the FCC comment page that Oliver pointed to, FCC.gov/comments, appeared to be down for most of the day, either suggesting wonderful irony or that Oliver’s call to action has been monumentally successful. The FCC has put up some tweets in which it apologizes for technical difficulties, without explaining why they were occurring beyond “heavy traffic.”
We’ve been experiencing technical difficulties with our comment system due to heavy traffic. We’re working to resolve these issues quickly.
— The FCC (@FCC) June 2, 2014
We’re still experiencing technical difficulties with our comment system. Thanks for your patience as we work to resolve the issues.
— The FCC (@FCC) June 2, 2014
Some of us quickly speculated that the two things were related, while some publications have simply assumed without question that it was Oliver’s pleas that brought the system down. To some extent I hope that’s the case, though I do fear a bit the kinds of comments people might be leaving.
Either way, the irony of the FCC having trouble under heavy loads concerning net neutrality was not lost on many people, who didn’t miss the opportunity to tweet some replies mocking the whole net neutrality proposal.
.@FCC can I haz priority access?
— Falk Steiner (@flueke) June 2, 2014
(Mis)Uses of Technology
When I first got into this business I frequently wondered why the domain-policy mailing lists I was getting involved in attracted a lot of activist types.
Over the years it became apparent to me very quickly, that in an emerging era of global communications and transparency (what Anthony Wile calls “The Internet Reformation”) – that “the name” (the domain name) along with the ability to “locate it” (DNS) was a central, all-important “secret sauce” to the entire internet.
But it was only gradually that I became aware that it would take centre stage politically and and become the battleground between forces for liberty, free speech and emerging civil & business models on one hand and entrenched reactionary, authoritarian, cronyist kleptocrats on the other.
Hence those passionate activist types (some of whom I used to tirelessly argue with) were getting so worked up over the high-intensity Orwellianism that they could sense coming somewhere over the event-horizon.
While the co-opting of this marvellous internet into an all pervasive surveillance apparatus is a paramount issue, it is outside the scope of this article. Consider it one side of a dual-pronged approach of modern-era repression and totalitarianism.
The other side of that vice is the DNS and naming system of the internet which is the “choke point”, where control can be exerted, censorship implemented and protection rackets flourish.
In a world where news travels over the internet before the traditional media is even aware of it, where non-sanctioned, unofficial sources can audaciously disseminate the truth without central planners massaging, spinning or heavily redacting it; the domain name, or the DNS that powers them is basically the dial tone of the entire global communications medium. Take out a domain or its DNS, you shut down it’s voice, it’s message or it’s economic activity. You make it go away.
Without getting too detailed with the technical specifics (although I’ll happily talk the ear off of anybody who asks me about it), the “inverted tree” structure of the DNS naming system distributes power in the following pattern:
ICANN is conspicuously absent from curating the interests of global stakeholders within the overall naming scheme. Because of this, US law applies across most of the internet, and in the absence of a concerted effort to address global interests (no, not globalist interests, I mean “also considering interests from outside the USA”) there will eventually be a root level net split and won’t be pretty (yes, I’m fully aware how crazy that sounds now, I always sound crazy about 5-years in advance.)
At Level 2, the registry operators are themselves, pretty big and pretty bureaucratic – if a vested interest wants to compel them to do something they know they have to get a legal basis to do it, like a court order.
So the soft underbelly of coercive control starts at Level 3, which is rife with myriad third parties falling over each other to “serve” registrars, DNS providers, web hosts and ISPs with various facades of “legalese” designed to baffle unwitting abuse desks into submissive compliance with purely “made up” takedown rationalizations.
If you remember the Simpsons episode where Monty Burns is being committed to a mental institution against his will for becoming inordinately enthralled with the difference between “Ketchup” and “Catsup”, he is informed by Chief Wiggum as he is being dragged up the steps to the asylum: “Relax…you’ve gone off your nut and you’re being committed to a mental institution…. those grocery store clerks signed the commitment papers”.
That’s about the best description there is of today’s “takedown request” racket that is overrunning the internet.
Quite literally “some guy”, in England or “someplace” (often times in England tho), will email a registrar or a DNS host in some other country entirely and will tell them “Hi! I’m an ‘internet investigator’ here in some place in some official capacity, and the following domain names are operating in contravention to some laws here. So, uh, take the domains down. Ok?”
And more often than not, the recipient will simply AGREE and just do it.
If they do not comply right away the “official guy somewhere” will tell the recipient that if they do not comply then they are themselves in some sort of legal trouble (or in violation of some contractual obligation which some official guy somewhere is not even a party to) and there will be trouble.
Recipient usually agrees and shuts down the domain. Which, absent some obvious network abuse issue, I find mind-boggling. Some of the letters we get from private, non-governmental, self-appointed “regulatory” bodies with no legal or enforcement powers anywhere on earth contain claims and make leaps of logic which are on par with fantastic narratives spun in Nigerian 419 scams.
That some of the largest ISPs and registrars in the world actually take them seriously and shut down entire businesses on this basis is nothing short of criminally negligent.
But shut down they will. Somebody with a badge out of a box of Cracker Jacks can probably email your registrar right now and tell them to unplug your domain name from the internet and there’s a good chance they’ll do it.
People may tell me to calm down, because right now the most common targets seem to be “dodgy” websites (like “rogue” pharmacies), but as we’ve noted elsewhere, the script we laid out in First They Came For The File Sharing Domains is playing out nearly verbatim in the three years hence. And there was an extra-judicial attempt to take out Wikileaks for the crime of egregious truth telling.
All of this begs the fundamental question of due process, something these ersatz enforcement agencies are happy to throw overboard and replace with their own Calvin-ball interpretations of reality.
So if or when it happens to you, you should know this:
Unless there is a court order in the jurisdiction of the Registrar who shuts you down – they CANNOT stop you from transferring your domain out to another Registrar.
That is your basic domain right (notice it’s in the singular). It was just upheld by an NAF panel under an ICANN TDRP proceeding.
We’re in the process of doing this again right now for another client who had their fully compliant Canadian business, doing business from and in Canada was shut down entirely when literally “some guy in England” emailed their US-based registrar and told them to shut down their domain – which they promptly did, no questions asked (watch our blog as this unfolds).
Hopefully before long Registrars are going to wake up and realize that Chief Wiggum can’t compel them to take down, hijack and lock your domain name unless he has a court order from some place other than Springfield.
Mark Jeftovic is CEO of easyDNS
Filed Under: dns, domain transfers, domains, mark jeftovic, web hosting
Over on the Insight Community, we’re seeking opinions and feedback from developers in the Techdirt community. New Relic, a performance monitoring platform for online services, wants your insights into the challenges of hosting for high-performance web and mobile apps.
We’re running a series of these cases, and this month we’re starting with an open question: what are your experiences with app hosting online? We’re interested to know where, how and why various apps for web and mobile are hosted, what works and what doesn’t, and what the biggest ongoing challenges are when it comes to deploying a reliable, high-performance app or service.
In exchange for your insights, we’re offering some perks. Firstly, anyone who signs up for New Relic and installs the service will receive a free Nerd Life t-shirt. Additionally, one best response chosen by New Relic and the Techdirt editorial team will receive a free one-year Watercooler subscription on Techdirt (regular price $50). The subscription includes access to the Crystal Ball and the Insider Chat, plus five monthly First Word/Last Word credits, and can be applied to your own Techdirt account or gifted to someone else.
If you have a Techdirt account, then you’re already a member of the Insight Community. Submit your insights this week for a chance to win!
Filed Under: app developers, app hosting, apps, insights, web hosting