Tag Archive for: Confused

Confused how firewalls work? Here’s how they protect your information


Firewalls on your computer do more than you think to protect your information. Here's how different programs work and what your computer might use.

Question: What does a firewall do and is it something I need to get?

Answer: In the early days of the internet, we often connected through a dial-up modem or some other form of direct connection.

When you connected in this way, your computer was assigned a “public IP address,” which meant that it was directly accessible by others on the internet.

It was important to install a software firewall to block direct access to your computer when you were connected to the internet. Popular consumer-focused firewalls like Zone Alarm also monitored outgoing traffic to alert the user when suspicious activity was detected.


Very Confused Judge Allows Bizarre Copyright Lawsuit Against Cloudflare To Continue

In the past, law professor Eric Goldman has suggested that when it comes to infringing content, courts have an uncanny ability to ignore the actual law, and make up their own rules in response to the belief that “infringement bad!” An ongoing lawsuit against Cloudflare seems to be a case in point. As covered by TorrentFreak, a judge has allowed a case against Cloudflare to move forward. However, in doing so, it seems clear that the judge is literally ignoring what the law says.

The case itself is… odd. In the complaint, two makers of bridal dresses are upset about the sale of counterfeits. Now, if we’re talking about counterfeits, you’ll probably think that this is a trademark lawsuit. But, no, Mon Cheri Bridals and Maggie Sottero Designs are trying to make a copyright case out of this, because they’re arguing that sites selling counterfeits are using their copyright-protected photos to do so. And Cloudflare is, apparently, providing CDN services to these sites that are selling counterfeit dresses using allegedly infringing photographs. It is odd to go after Cloudflare. It is not the company selling counterfeit dresses. It is not the company hosting the websites of those selling counterfeit dresses. It is providing CDN services to them. This is like suing AT&T for providing phone service to a counterfeit mail order operation. But that’s what’s happening. From the complaint:

The photographic images of Plaintiffs’ dress designs are the lifeblood of Plaintiffs’ advertising and marketing of their dress designs to the consuming public. Plaintiffs invest hundreds of thousands of dollars each year in the development of sophisticated marketing campaigns which involve the engagement of models and photographers and the coordination of expensive photoshoots to capture the appropriate “look” of the campaign for a particular line of dresses. Plaintiffs’ ability to market their unique dress designs to consumers is driven largely by the images of their dresses which appear on their websites and in other marketing materials.

Plaintiffs, along with other members of the formalwear industry, are the victims of a massive Internet scheme to advertise and sell products using the copyrighted images of their dresses. These Internet websites, including ones serviced by Cloudflare which are the subject of this Complaint, have manufactured, imported, distributed, offered for sale and sold counterfeit goods, including bridal gowns, social occasion dresses, prom dresses and other formalwear using copyrighted images of Plaintiffs’ dresses, they continue to do so to this day.

Again the legal violation here seems very, very far removed from Cloudflare, and yet it’s Cloudflare these companies are suing. In response, Cloudflare submitted a fairly thorough and detailed motion to dismiss, highlighting how there’s no actionable claim against Cloudflare.

The Court should dismiss this action for several reasons. First, the plaintiffs have not alleged facts that meet the standard for contributory infringement in the Supreme Court’s landmark case Metro-Goldwyn-Mayer Studios Inc. v. Grokster, Ltd., 545 U.S. 913 (2005), and the Ninth Circuit’s most recent restatement of its jurisprudence in Cobbler Nevada, LLC v. Gonzales, 901 F.3d 1142 (9th Cir. 2018). The plaintiffs have not alleged that Cloudflare’s service is so devoted to infringement that it is incapable of substantial non-infringing use. Nor can the plaintiffs cure that defect by amendment: plaintiff Maggie Sottero Designs is a Cloudflare customer. Second, the plaintiffs cannot allege, or ever show, that Cloudflare has actively and intentionally encouraged its customers, by clear expression or other affirmative steps, to infringe upon the plaintiffs’ copyrights. No facts exist to support such a claim. For that reason, the plaintiffs allege only Cloudflare’s passivity in failing to terminate customers whom the plaintiffs accuse of being infringers. They cannot state a viable claim because the alleged inaction does not suffice to create contributory infringement liability.

That is all pretty important. But there’s also a second defect in the complaint. It confuses the law.

The plaintiffs’ invocation of the Digital Millennium Copyright Act, 17 U.S.C. § 512, has no bearing on the contributory infringement claim for two reasons. First, the DMCA is relevant only as providing a remedies limitation after a determination of liability. There is no basis for Cloudflare’s liability to begin with. Second, the plaintiffs ground their irrelevant DMCA argument on a fatal error in their notifications of claimed infringement: they had in mind the wrong subsection of the DMCA, applicable only to hosting providers, instead of the subsection that applies to system caching providers like Cloudflare. They therefore failed to provide in the notifications additional elements that were necessary for Cloudflare. The plaintiffs cannot cure these defects in an amended pleading.

This all requires a bit of explanation. First, “contributory” infringement is a concept that is not technically in the statute, but was invented by the Supreme Court in the Grokster decision back in 2005. However, the Supreme Court made it clear that for there to be contributory infringement, the party in question had to take affirmative steps to encourage or induce the infringement. Here, the bridal dress companies make literally no attempt to show any such activity (perhaps because there was none).

Second, for Cloudflare to be engaged in contributory infringement, under the Betamax case, the dress companies would separately need to show that Cloudflare’s service is incapable of substantial non-infringing uses (the standard that was used to declare the VCR legal). That’s why the Cloudflare motion to dismiss notes that one of the plaintiffs is, in fact, a Cloudflare customer (and has been for years). That certainly goes a long way towards showing that the plaintiffs know that Cloudflare has substantial non-infringing uses.

The second part is even more bizarre. The DMCA’s safe harbors in Section 512 of the law apply differently to different types of internet companies. Section (a) is for “transitory digital network communications” (i.e., internet access providers). Section (b) is for “system caching” (i.e., CDN providers). Section (c) is for providers of “information residing on systems or networks at direction of users” (i.e., hosting providers) and Section (d) is for “information location tools” (i.e., search engines). There are slightly different rules associated with each one.

I should note that it’s a good thing that the drafters of the DMCA actually were cognizant enough of the different types of players here. As I noted just recently, things get really funky when policymakers and courts fail to distinguish between different providers of different services. And here, the judge doesn’t even seem to care.

From the above list, you’ll see that it’s pretty clear that Cloudflare is covered under section (b) as it’s providing CDN services to the sites in question. Oddly, however, the “takedown notice” that the bridal dress companies provide doesn’t even appear to be addressed to Cloudflare and doesn’t appear designated for Cloudflare at all. Indeed, it appears to be addressing a hosting provider. Not a CDN. In fact, in the letter, it references 512(c) and not 512(b) and talks about sites “your company hosts” (Cloudflare doesn’t host any sites).

As Cloudflare explained to the court, everything about this is just wrong.

Moreover, while the plaintiffs claim that Cloudflare “failed to take the appropriate action required by law in response to these notices,” see Complaint ¶ 32, the plaintiffs neither offer sufficient facts about any communications nor allege facts showing what “appropriate action” Cloudflare was supposed to take, the failure of which would constitute clear expression or other affirmative steps to foster infringement. The sample communication the plaintiffs attach as Exhibit B does not contain any reference to Cloudflare at all; the language suggests that the plaintiffs’ agent directed the communication to a hosting service, not a provider of pass-through and caching services such as Cloudflare: “please be advised that this message serves as the 4th formal notice under the DMCA that a website that your company hosts . . . is illegally duplicating and reproducing at least one copyrighted work . . . .” Dkt. 1-2 (emphasis added). The communication also identifies itself explicitly as a notification “under Section 512(c) . . . .” But Cloudflare is a system caching provider under section 512(b), not a hosting provider under section 512(c), and notifications of claimed infringement under section 512(b) require essential additional information that Exhibit B lacks. See 17 U.S.C. § 512(b)(2)(E)(ii) (requiring statement that the source website of the cached material has removed or disabled access to it at the source or that a court has ordered it to do so). The information in Exhibit B is thus irrelevant to Cloudflare. Because the plaintiffs identified Exhibit B as a sample of their communications, they cannot cure a pervasive defect in both their communications and their allegations that rely upon those communications.

This is actually a pretty big deal. Other courts have tossed out DMCA cases entirely for deficient notices.

Finally, one other element in this case. It was originally filed in the Central District of California, but along the way got moved to the Northern District. Along with the move, the bridal dress companies filed an amended complaint, in which they tried to fix some of the many deficiencies in the original, and this just gave Cloudflare a second chance to explain why the whole thing was nonsense. In this motion, Cloudflare dives deep on the difference between the different parts of DMCA 512 and what it covers:

The core defect of the plaintiffs’ case is their misunderstanding of the significant difference between web hosting services, which Cloudflare does not provide, and Internet security and website optimization services, which Cloudflare does provide. (Cloudflare explains its services more fully below.) The plaintiffs cannot allege that their notifications of claimed infringement were adequate for Cloudflare or that Cloudflare failed to take any simple measures that were available in the face of their communications… which the plaintiffs describe as a “sample” of “takedown notices” they sent to Cloudflare, lays bare the plaintiffs’ error…. The notice does not refer to Cloudflare. It simply identifies an (allegedly) “infringing domain,” speaks “To Whom it May Concern,” and then discusses “a website that your company hosts.” … The exhibit also expressly references section 512(c) of the Digital Millennium Copyright Act (DMCA), a provision that relates to web hosting services and not to Cloudflare’s services. See 17 U.S.C. § 512(c). It thus fails to contain additional information that is necessary for notifications of claimed infringement to services like Cloudflare under 17 U.S.C. § 512(b)(2)(E). The amended complaint repeatedly makes clear that Cloudflare provides services to websites, which use other hosting services. Cloudflare does not itself host its customers’ websites.

In responding to this, the lawyer for the dress makers simply doubles down on the false claim that Cloudflare is hosting the content. It’s… quite incredible. Also, the dress makers try to get around the lack of inducement by saying that the actual standard is “material contribution” and not “inducement.”

In a clever sleight of hand, Cloudflare tries to sidestep the fact that it stores client website content, including infringing content, on its data servers in order to provide internet users with quicker, safer access to the infringing content. Ignoring the settled law which distinguishes between the “inducement” and “material contribution” pillars of contribution liability, Cloudflare conflates these two pillars in arguing that Plaintiffs’ claims, which are based only on the material contribution theory of contributory copyright infringement, do not satisfy the more demanding standard used to evaluate the inducement theory for contributory infringement. Cloudflare’s entire motion is therefore a strawman.

Except, literally all of that is wrong. This is not a question of different interpretations or different ways of looking at the law. This argument is just wrong. Indeed, as Cloudflare pointed out to the judge in response, the “material contribution” standard was used before Grokster in the 9th Circuit, but since that ruling came down, the 9th Circuit (as instructed by the Supreme Court in Grokster) now says that the proper test is whether or not there was inducement:

Before Grokster, the Ninth Circuit’s standard included “material contribution” language, but the Ninth Circuit has since conformed its standard to the Supreme Court’s teaching. (“Our tests for contributory liability are consistent with the rule set forth in Grokster.”) There is no third category of contributory infringement beyond what the Supreme Court articulated….

[….]

Material contribution is not a separate “theory” of contributory infringement but instead a way of characterizing imputed intent.

There is so much about this case that is just… bizarre and ridiculous. And yet, the judge basically shrugs about all of this and says the case may continue. And, incredibly, he gives no real reasons why other than basically saying that the (very wrong) arguments of the bridal dress shops are correct. The entire order denying the motion to dismiss is three paragraphs. Literally, that is it.

1. Cloudflare’s main argument – that contributory liability cannot be based on a defendant’s knowledge of infringing conduct and continued material contribution to it – is wrong. See Perfect 10, Inc. v. Visa Int’l Serv., Ass’n, 494 F.3d 788, 795 (9th Cir. 2007) (“[O]ne contributorily infringes when he (1) has knowledge of another’s infringement and (2) either (a) materially contributes to or (b) induces that infringement.”); see also Perfect 10, Inc. v. Giganews, Inc., 847 F.3d 657, 671 (9th Cir. 2017) (“[A] computer system operator is liable under a material contribution theory of infringement if it has actual knowledge that specific infringing material is available using its system, and can take simple measures to prevent further damage to copyrighted works, yet continues to provide access to infringing works.” (internal quotations and italics omitted)). Allegations that Cloudflare knew its customer-websites displayed infringing material and continued to provide those websites with faster load times and concealed identities are sufficient to state a claim.

2. The notices allegedly sent by the plaintiffs gave Cloudflare specific information, including a link to the offending website and a link to the underlying copyrighted material, to plausibly allege that Cloudflare had actual knowledge of the infringing activity. This is sufficient, at least at the pleading stage. A prior judicial determination of infringement was unnecessary.

3. Cloudflare’s challenge to the sufficiency of the notices under 17 U.S.C. section 512 is misplaced. Section 512 limits available relief based on certain safe harbors. Cloudflare has not shown that its conduct should be considered under one safe harbor rather than under another safe harbor (and thus has not shown that the alleged notice would need to be formatted in one way rather than another). In any event, this issue is neither dispositive to the action nor appropriate for resolution at this stage of the case.

This… is, again, simply incorrect. It completely misreads the law and previous cases. Paragraph three here is the most troubling of all. As noted above, Cloudflare is not a hosting service. It is not relying on the 512(c) safe harbors, but the 512(b) safe harbors, because it is a 512(b) service. And the judge literally ignores that and says that the company “has not shown that its conduct should be considered under one safe harbor rather than under another safe harbor” even though that’s exactly what its filings repeatedly do.

I’m at a near total loss as to how the judge made this decision, because it is so far outside what the statute and case law (especially in the 9th circuit) say, that I can only conclude he decided to go with Eric Goldman’s concept that when there’s some infringement somewhere, all precedent and the letter of the law go out the window.


Techdirt.

Vermont’s Revenge Porn Law Ruled Constitutional… With An Incredibly Confused Ruling

Revenge porn — or, more accurately, “non-consensual pornography” — is unquestionably bad. We’ve spent plenty of time mocking the jackasses who have been involved in these awful sites, and have been happy to see them flail around as the stench of their association with these sites sticks.

However, we have not supported the attempts by a small group of legal academics to criminalize running such a site for a variety of reasons. First, such an action would make plenty of protected speech illegal, causing massive collateral damage to speech and internet platforms. Second, as we’ve repeatedly documented, these revenge porn sites don’t seem to last very long, and those involved with them have a fairly permanent stain on their reputations. Third, in many cases, the type of people running these sites often seem to have already violated other laws, for which law enforcement is able to go after them.

In recent years, the Supreme Court has made it pretty clear that it has little interest in expanding the categories of speech that are exempted from the First Amendment. I’ve often pointed to lawyer Mark Bennett’s 2014 blog post entitled First Amendment 101, in which he details the very short list of speech that is not protected by the First Amendment. That post is actually about attempts to outlaw revenge porn and claims that it’s not protected by the First Amendment, but the list is a useful one to point to any time anyone suggests that this or that speech shouldn’t be subject to the First Amendment.

Some people insist that revenge porn would clearly be exempt from the First Amendment because it’s so bad. But they ignore that, in recent years, the Supreme Court has made it clear that such awful content as video depictions of cruelty to animals and picketing military funerals with truly hateful signs is protected under the First Amendment. The Supreme Court has its very short and narrow list of exceptions, and hasn’t shown any indication that it’s ready to expand that list.

Indeed, the very same Mark Bennett, earlier this year, helped get a Texas revenge porn law declared unconstitutional, as the court there recognized that the law ran afoul of the First Amendment, in that it was criminalizing a new category of speech not currently exempted, and was unable to survive strict scrutiny, as per the Supreme Court, for any legislation that includes content-based restrictions.

But Mark Bennett is now reasonably perturbed that the Supreme Court of Vermont has decided that that state’s revenge porn law is constitutional. And part of the reason he’s so perturbed is that the ruling is truly bizarre. It accurately notes that revenge porn does not fall into one of the delineated exceptions to the First Amendment… but (surprisingly) that it still can withstand strict scrutiny:

For the reasons set forth below, we conclude that “revenge porn” does not fall within an established categorical exception to full First Amendment protection, and we decline to predict that the U.S. Supreme Court would recognize a new category. However, we conclude that the Vermont statute survives strict scrutiny as the U.S. Supreme Court has applied that standard.

That’s… very strange. Usually, once a court recognizes that something is not in an exempted bucket, it finds the law to be unconstitutional. Here, Vermont is carving new territory. Thankfully, the part saying that revenge porn is not in an already exempted bucket is a good thing, as it wipes out the incorrect claim by some law professors that you could just say that revenge porn is obscene (which would be very problematic). The court correctly highlights how there are massive differences between what is obscene and what is revenge porn, and notes (correctly again) that the Supreme Court is loath to expand the definition of obscene:

We recognize that some of the characteristics of obscenity that warrant its regulation also characterize nonconsensual pornography, but we take our cues from the Supreme Court’s reluctance to expand the scope of obscenity on the basis of a purpose-based analysis.

Next, the court (correctly!) says it’s in no position to create a new category of exempted speech:

Although many of the State’s arguments support the proposition that the speech at issue in this case does not enjoy full First Amendment protection, we decline to identify a new categorical exclusion from the full protections of the First Amendment when the Supreme Court has not yet addressed the question.

Indeed, the Vermont Supreme Court highlights how frequently the US Supreme Court has been tossing out laws that try to create new categories of unprotected speech:

[W]e decline to predict that the Supreme Court will add nonconsensual pornography to the list of speech categorically excluded. We base our declination on two primary considerations: the Court’s recent emphatic rejection of attempts to name previously unrecognized categories, and the oft-repeated reluctance of the Supreme Court to adopt broad rules dealing with state regulations protecting individual privacy as they relate to free speech.

More than once in recent years, the Supreme Court has rebuffed efforts to name new categories of unprotected speech. In Stevens, the Court emphatically refused to add “depictions of animal cruelty” to the list, rejecting the notion that the court has “freewheeling authority to declare new categories of speech outside the scope of the First Amendment.” 559 U.S. at 472. The Court explained, “Maybe there are some categories of speech that have been historically unprotected, but have not yet been specifically identified or discussed as such in our case law. But if so, there is no evidence that ‘depictions of animal cruelty’ is among them.” Id. A year later, citing Stevens, the Court declined to except violent video games sold to minors from the full protections of the First Amendment. Brown, 564 U.S. at 790-93 (“[N]ew categories of unprotected speech may not be added to the list by a legislature that concludes certain speech is too harmful to be tolerated.”). And a year after that, the Court declined to add false statements to the list. Alvarez, 567 U.S. at 722 (affirming appeals court ruling striking conviction for false statements about military decorations).

More significantly, as set forth more extensively above… in case after case involving a potential clash between the government’s interest in protecting individual privacy and the First Amendment’s free speech protections, the Supreme Court has consistently avoided broad pronouncements, and has defined the issue at hand narrowly, generally reconciling the tension in favor of free speech in the context of speech about matters of public interest while expressly reserving judgment on the proper balance in cases where the speech involves purely private matters. The considerations that would support the Court’s articulation of a categorical exclusion in this case may carry great weight in the strict scrutiny analysis…. But we leave it to the Supreme Court in the first instance to designate nonconsensual pornography as a new category of speech that falls outside the First Amendment’s full protections.

So then why doesn’t the court declare this law unconstitutional? Well, that has lawyers like Mark Bennett and Eric Goldman perplexed. To pass “strict scrutiny,” the court has to find that the law was passed to further a “compelling government interest” and that the legislation must be “narrowly tailored” to address just the issue for which the government has such a compelling reason.

Here, the court finds that there is a compelling government interest, saying that revenge porn images are not a matter of public concern, and serious harms created by revenge porn make it so that the government has a compelling interest in outlawing such content. Fair enough. But what about the “narrowly tailored” part? That seems like where such a law should fall down, but nope:

Section 2606 defines unlawful nonconsensual pornography narrowly, including limiting it to a confined class of content, a rigorous intent element that encompasses the nonconsent requirement, an objective requirement that the disclosure would cause a reasonable person harm, an express exclusion of images warranting greater constitutional protection, and a limitation to only those images that support the State’s compelling interest because their disclosure would violate a reasonable expectation of privacy. Our conclusion on this point is bolstered by a narrowing interpretation of one provision that we offer to ensure that the statute is duly narrowly tailored. The fact that the statute provides for criminal as well as civil liability does not render it inadequately tailored.

But, of course, the real problem is that all of these laws criminalize tons of content that should otherwise be protected. And here, the court more or less ignores that, by saying that the potentially overbroad nature of the law wasn’t raised by the defendant:

The Supreme Court has recognized that in a facial challenge to a regulation of speech based on overbreadth, a law may be invalidated if “a substantial number of its applications are unconstitutional, judged in relation to the statute’s plainly legitimate sweep.” Id. at 473 (quotation omitted). Defendant here does not frame his challenge to the statute as an overbreadth challenge but instead argues that insofar as the speech restricted by the statute is content-based, the statute is presumptively invalid and fails strict scrutiny review.

But, as Mark Bennett highlights, this is the court completely missing that “overbreadth” is the thing you check to see if a statute is “narrowly tailored.” But that’s not what happened. Here, the court said no one raised the “overbreadth” issue, and thus it doesn’t need to bother. So, instead, it says that the law is narrowly tailored based on how the law is written with a “rigorous intent element.” But, that’s not how the test works. As Bennett explains:

To pass strict scrutiny, a restriction must be narrowly tailored. It is logically impossible for a statute to be both overbroad and narrowly tailored. Strict scrutiny and overbreadth are not separate analyses. If a content-based restriction is substantially overbroad—if it restricts a real and substantial amount of constitutionally protected speech—it is ipso facto not narrowly tailored, and it fails strict scrutiny.

This is a confused mess of a ruling. As Eric Goldman notes, it’s possible this could be appealed to the US Supreme Court, though it’s unlikely that such a petition would be granted. It does seem likely that eventually this issue would need to be looked over by the Supreme Court to clarify the confusion. But, in the meantime, the law in Vermont stands.


Techdirt.

When it comes to Internet security and privacy, the public remains confused – Phys.Org


The UK government is proposing to follow Australia with the introduction of their version of data retention legislation called the Investigatory Powers bill. This will require Internet Service Providers (ISPs) to maintain records of web addresses
