Most people who are first interacting with the DMCA law are unfamiliar with the fact that it has protections against people filing false notifications.
Without knowing details about this (and not providing legal advice) this may be how it would work:
If the claim is in fact BS, go lawyer up. File a counter notification, wait 10 days and your content will be put back online (unless they file an injunction to keep it offline), then you file suit against the alleged infringer for the statutory damages of $150,000 per false alleged infringement claim. Likely they'll settle out of court for some number less than their legal costs/time.
Pay your lawyer, use the rest to fund your project.
Go out for a pint, and tell the story of how your project was funded by outwitting a scammer.
That sounds really great, but the courts have been very lenient to those who file false DMCA notices and the burden of proof falls on you to prove that it was filed falsely intentionally.
So, I'd say, don't lawyer up yet. File the counter-notice and if they come after you, then get a lawyer and publicity.
So basically it is in the best interest of any company that is interested in filing these claims without regard for publicity to hire a complete imbecile to do it.
Plus aren't statutory damages based on the degree of harm? I think it would be hard to show 150k of harm if this was just a side project for the author.
Filing a false report falls under perjury as defined in the statement on the DMCA takedown notice. This would be a criminal matter but as of yet, I don't know of one case where criminal charges have been filed.
Correct, which may also implicate any "hired guns" lawyers who send DMCA notices for crackpot clients.
In one instance I personally saw, a lawyer sent a false DMCA and they signed it under penalty of perjury for their client. This resulted in a clarification of the perjury that the lawyer may have placed themselves in, and threats to bring it up with the state bar association. Personally I doubted the guy was even accredited in the first place, but the DMCA related harassment stopped promptly.
> A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
The only part that is perjury is if you don't actually represent the client you claim to. Assuming the request isn't from a random person pretending to represent a company they don't, the request is not perjury regardless of how frivolous and unwarranted it is.
I understand that you want to extend professional courtesy to the lawyers and programmers involved, and by all measures, I think you should do so. However you must understand that the DMCA takedown procedure is not a human; it is a legal robot. By invoking DMCATakedownBot, they have not extended you proper courtesy, and probably the correct action is to file the counter-notification.
Your counter-notification can point out that the original legal letter to GitHub was largely not a 'notification of claimed infringement' under 17 USC § 512 (c) (3) (A) [the "safe harbor"/"takedown" requirement of GitHub] -- because it claimed that the injury was a violation of 17 USC § 1201, which is not about copyright infringement. You should point out that there is a claimed infringement in this notice -- "He has taken proprietary source code from inside of our application" -- but that this claimed infringement is outright false, you have not copied any source code from inside of their application. So the 'safe harbor' DMCA takedown notice (§ 512) is probably not a proper venue for the legal discussion to occur. Rather, the proper venue is described in § 1203; they should bring a civil action against you in a US district court for the actual damages and any additional profits of the violator, or statutory damages per violation.
You can then add to this notice something about how you'd much rather attempt to sort this out in a one-to-one discussion with the aggrieved programmers at the company, rather than in court. You can also tell them that section 1203 (c) (5) allows a court to remit the total award of damages if you can prove to the court's satisfaction that you were not aware and had no reason to believe that your acts constituted a violation.
Since this is not legal advice so much as "advice on what you can say to lawyers to get them off your back", I will recommend that you read the relevant laws here:
I also recommend that if they do sue you under section 1203, you contact a lawyer. You might also consider contacting a copyright lawyer right now, if it's not too much hassle.
The interesting thing is that they say the library used proprietary code. From talking to Contra, they are just using a REST API which is not documented (Undocumented API !== Proprietary). If you publish a publicly accessible API then expect it to be used by everyone and everything.
By that reasoning, can't one make the argument that what weev did was use an undocumented API though? The endpoints were publicly accessible but obfuscated (and quite poorly at that).
I wonder if by that token you could find a security exploit in an API that causes undesired behaviour (e.g. elevated privileges) and claim you're simply accessing an undocumented API?
Or another way of looking at it - does accessing an undocumented API constitute hacking/unauthorized access? (which is probably an even more serious violation than copyright infringement in most countries)
(disclaimer: I don't even know what this particular API is doing, or what's the alleged infringement, I'm just wondering about the principles in general)
Computers do what they're programmed to do, they do what you told them to do, if you didn't want your computer to respond to a buffer overflow by writing over the stack and executing a sequence of commands that escalated the defendant to an administrator, you shouldn't have programmed that feature in.
When you inserted that string directly into that SQL command, you gave your users access to a wide range of features. Now all of a sudden you don't like that feature any more because someone used it? You gave the users the ability to ask for arbitrary tables in your database, why should a hacker go to court for asking for a "user table"? Shouldn't you be the one in court?
That's how I saw things when I was ~15, anyway. I still kinda think that way... Though I've figured out that just because someone left their safe open, doesn't mean you get to steal the gold.
> Though I've figured out that just because someone left their safe open, doesn't mean you get to steal the gold.
True. Though on the other hand, if somebody figures out that they get free sodas when they hold down both the Coke and Sprite buttons, as far as I am concerned they get to have their free soda.
> > Though I've figured out that just because someone left their safe open, doesn't mean you get to steal the gold.
> True. Though on the other hand, if somebody figures out that they get free sodas when they hold down both the Coke and Sprite buttons, as far as I am concerned they get to have their free soda.
So, if the safe is left open, you don't get to take it, but if you press buttons that unintentionally make it open up, you get to have your free gold? Uh.
If the teller gives you free money, that is on the teller, not you. Whether that teller is human or an automated machine doesn't particularly matter to me.
Just don't take money that the teller, automated or otherwise, does not volunteer. Regular safes and vaults, with no teller, have no agency and are not capable of giving you money.
"If the teller gives you free money, that is on the teller, not you." That's not true in law, if a bank mistakenly credits your account they can retrieve the money.
Considering that most custom scrapers these days simplify their job by using whatever undocumented API the site's javascript might be using (makes the job very easy, but is of course a fragile solution), making the use of undocumented APIs be considered "unauthorized access", even in the absence of a restrictive robots.txt or EULA, would be very bad for a lot of people.
If pushing the right buttons on a Video Poker machine to make it pay out 10x jackpot is a CFAA violation, then yes, writing a script to access an undocumented API is unauthorized access.
Then again, I'm pretty sure that company lost their case. How can you claim that it's not documented if you provide HTML and Javascript example code?
If you read the notice carefully, you'll see they do not claim the target of the takedown was infringing their copyright, but only claim that it is an illegal circumvention method. Which is interesting because I've never seen a DMCA takedown that didn't claim infringement.
Looking through Wikipedia's description, it looks like anti-circumvention isn't even in the same section of the act as the rules for taking down infringing content.
According to one grooveshark software engineer on twitter "@jameshartig: @fernando_takai Groovr was abusing our internal API to provide download links. We have a public API for developers that is free to use."[1]
>>According to one grooveshark software engineer on twitter "@jameshartig: @fernando_takai Groovr was abusing our internal API to provide download links.
It's not an "internal API" if it is publicly accessible and doesn't require credentials other than the user's own. Did this API client have stolen creds embedded?
No - it loaded grooveshark.com with the node module "request" and used cheerio to get the session id from the page source. Then API calls are made with the session id and client info. The APIs don't require a login or any authentication
In other words it simulates browsing the grooveshark website, instead of using their public API. I think it's this that they are upset about, but it makes little sense because if people can see something on their browser then that user should just as well be allowed to see it through a script.
Unfortunately the law's definition of "publicly accessible" is a bit retarded. If I post a url ending in pic002.jpg, and you try to access a similar url ending in pic001.jpg, and that picture happens to contain sensitive data, then you are a hacker.
If I tell you the combination on my laptop case is 1-2-3-4 so you can get me my power adapter and you then try 1-2-3-4 on my luggage and successfully steal my collection of Kylie Minogue's undergarments (I never travel without them), while I am a (rather creepy) idiot, you are a naughty boy.
It's completely ridiculous to ethically or legally equate trespass and theft on/with physical property with data copying and access. Whereas I can be expected to know you don't want me looking through your briefcase, given a link to something without any context is nowhere near as clear. Your example makes sense only for data where someone is guessing usernames and passwords because they know they are trying to circumvent some access control. It absolutely does not make sense for guessing addresses.
Sending requests to servers must be likened to finding publicly posted data. E.g, Buildings 1, 2, and 3 all have neat flyers, so you look at building 4's flyer. Oops, that was a felony.
If your power adapter is in glass case 1, and I curiously glance at glass case 2 and see the undergarments, was I wrong?
Combination locks are locks and are designed to prevent access.
Web servers are online. They provide responses to web clients. There are established methods to control access to what a client can and cannot access.
If it's online, and responding to my client, and not giving a 401 or 403 or etc status code then it's hard to understand why just visiting example.com/example1.jpg example.com/example2.jpg makes someone a federal criminal at risk of years in prison.
Yes, and if I find your laptop and login as Administrator and try 1-2-3-4, I am a felon. There is currently no requirement of any due diligence in protecting a computer.
Hey guys, I'm an Engineer at Grooveshark and I handle developer relations.
Unfortunately, groovr appears to circumvent internal copyright protections for content hosted at Grooveshark. The groovr library offered a way to get, and subsequently allow you to easily download, song mp3s via a call (groovr.getSongFile). It was able to provide these services by using our internal authentication methods and internal API.
Grooveshark offers a public API (http://developers.grooveshark.com/) which allows you to search for content, authenticate users, view popular music, and more, all for free. Developers are encouraged to register for a key and use our content for their applications.
Your tweet[1] says you don't know if anyone reached out to them. Another tweet[2] sure makes it sound like this is a technical issue of how they're doing something, rather than what they're doing.
If you "handle developer relations", why weren't you involved before the notice was sent? Why didn't you reach out to the developers before your lawyers reached out to github?
This does not sound like "handling developer relations".
OK, so what about the allegation that the developer in question "has taken proprietary source code from inside of our application and posted it as a GitHub project"? Was there any of GrooveShark's actual code that was distributed without permission? Because that's what your lawyer told GitHub in order to get it taken down.
You'll find that fastest963 is posting that boilerplate reply across the web, and then failing to reply to the very question that you ask, which everyone else is asking too.
Grooveshark PR clearly thought that by rolling out a "one of us" developer to make a "shucks, it sucks, but what choice did we have?" type statement, the wider dev community would be pacified and wouldn't keep asking the hard questions.
So do I actually read this right... Your company's piss-poor coding practices expose things to the world you don't want to have exposed, and instead of fixing your crappy code you file bogus DMCA requests?
I use your site daily, but don't facilitate wide scale copyright infringement and then go act all butthurt when somebody uses your undocumented API. Document it.
Did you draft the DMCA takedown, or order its writing? Who did? Positions if not names. Not just "legal", but who authorized it?
Either way, you must have read it by now and are negligent in being here discussing this if you haven't, so, do you agree with its claims? If not, which ones are wrong?
Was actual proprietary source code taken as the notice claims? Do you guys even know what source code is? How was this source code accessed?
What is the hash of the git repo that contained it, and which lines are yours? (If you need to check, it's okay - there appear to be many new mirrors you could reference.)
This may seem harsh, but you've had someone's website removed and accused them of a crime. Put up or shut-up. In response to this post.
It appears Grooveshark has some poor coding practices.
It appears that Grooveshark inaccurately filed a DMCA.
However it appears that the original poster is in violation of DMCA, for DRM Violations. The DMCA provides Grooveshark protection against your "API" which is actually a way to circumvent Grooveshark's DRM.
While Grooveshark didn't state this in the original DMCA, they can file another and have you taken down for correct issues.
I don't know much about law and I'm not qualified to speak on behalf of Grooveshark. Having said that, I interned as a developer for the company for over a year. During that time I got to know its true culture and learned a bit about how it operates.
All of the folks I worked with saw it as their mission to support both independent music and independent software development. Everyone in the office brainstormed ways to help broaden their fan bases. (For example, giving artists Flattr accounts & letting them live-broadcast their music as they chatted with fans.) At the same time, many of the Grooveshark engineers I know contributed to open-source projects in their free time.
The API has never allowed users to download songs, and it seems clear to me (by browsing the comments in the code on Github) that one element of the project in question performed that function. That seems to be the crux of this problem.
Again, I'm not qualified to speak on behalf of Grooveshark, but I know from experience that its engineers are extremely supportive of these kinds of open-source projects.
  groovr.getSongFile songs[0].SongID, (err, file) ->
    ###
    file.url is an mp3 url you can download
    the file object also contains some meta info like song length
    ###
That indeed confirms what the Grooveshark developer was saying on the DMCA notice comments. Even though the API doesn't provide the MP3 file directly, it's trivial to get it through this function call.
This is why you don't use GitHub (or, more generally, American companies.) The prospect that someone can arbitrarily take down your repository until you go out of your way to provide a counternotice is beyond absurd.
If you care about this, also keep your hosting provider and domain name provider in mind as well, since they can simply cut off access to your entire site in response to a DMCA complaint.
The API client just let you search, get popular songs, and get individual song info. There was no downloading included in the API client - if you wanted to download a song based on the info from their APIs you would have to write your own code to do that
It provides only basic search functions of course, but it is publicly documented and I'm sure Grooveshark can't complain if you use it.
I wrote a Go package for it years ago (literally, 2010 I think) and it still works fine. You get tinysong.com shortlinks, which lead to the song on Grooveshark.
I am not in any way affiliated with GS/Escape and have 0 influence on their operations, but given what I know of them and that it only replicates what several other API libs provide, this DMCA seems really odd or a mistake?
From someone else's comment, looked at the Google cache of your GitHub repo,
.url is a part of the meta info from the api - there is no downloading functionality in the api library itself. The song url is just the culmination of the song id and your session
Counter-claim is for after you have removed the content. I am not going to remove the content just because a fuzzy DMCA was issued. Apparently there are no options besides taking it offline or going into a legal battle
This text is a bit misleading - in step two, you aren't promising that you will remove the content, you're simply listing the things that GitHub removed that you'd like to see reinstated.
The meaning of the counter-claim is not, "I agree, I removed the stuff, sorry", the meaning is, "I disagree, put the stuff back up. If you don't like it, take me to court."
By filing a counter claim you aren't really starting a legal battle, you're giving them 10 days to start a real legal battle by going to a court. Your content is already offline. File a counter claim and it will be back up in a week and a half.
| you're giving them 10 days to start a real
| legal battle by going to a court
To be clear, that's 10 days before the content goes back up to take you to court to prevent it from going back up. Nothing stops them from suing you over it after the content is restored.
Just out of curiosity. Is there a time limit of how long they can sue for after it's restored?
Could they wait for you to get a huge user base or revenue and then strike to get the most out of you or is there protection against that?
I don't see myself ever creating anything that would get taken down but I imagine most people don't when it happens to them.
Any time I hear about DMCA it seems so very one sided that there is just about no recourse.
Well, they can sue you at any time. They don't really need to issue a DMCA notice first. The issue is that:
1) Most of the time they don't know your real identity from your (e.g.) YouTube username. IIRC, you have to use your real name or contact information when filing a counter-notice.
2) If they sue you, the content stays up until they can convince the judge to order it to be taken down.
The point of the DMCA was to allow for things to be taken down quickly, and then sorted out in court later if need be. The content is taken down quickly. If you push back (counter-notice), then the (claimed) content owner has 10-14 days to start court proceedings to keep it down; otherwise, it goes back up. None of this precludes a suit being filed at any point.
The real issue with this process is that there is little relief for negligence in filing DMCA notices. All you have to do is have a good-faith belief that you are the content owner, and this violates your rights. So acting like you're ignorant of the law is actually a defence against being held accountable for filing a bogus notice.
If bogus DMCA notices were punished more often, and people were required to consult a lawyer before firing at the hip (e.g. people that don't understand copyright law, and just say, "I don't like X take it down! DMCA!"), then maybe it would be working better.
I think you are mis-reading the page. To file the counter notification, you have to provide the link to the content that was already removed by github. They are not telling you that you have to remove the content, then provide a link proving that you removed the content.
No, github already removed access to the public... you have to file the counter-claim for github to put it back. Github will notify the original party of the counter-claim, then if they want it down permanently, they have to take you to court.
Absolutely. Pushing to DMCA'd repos might actually be necessary in some cases, and if this is abused github may be forced to disable this for everybody. Still, pretty neat; thanks for trying it out!
How so? I think it's quite clear that this notice is mistaken, or in any case not specific enough to have merit. Is it infringing on their source code? Which code, then? Is it circumvention of their DRM? That doesn't fall under DMCA takedowns. Is it a TOS violation for not using the public API? Again, doesn't fall under DMCA.