
How Turtl has no idea when you're sharing copyrighted stuff - orthecreedence
http://turtlapp.tumblr.com/post/81222024691/how-turtl-has-no-idea-when-youre-sharing-copyrighted
======
brownbat
Please, for the love of counsel, do not use moments like these to advertise
your service's viability for the distribution of copyrighted materials.

"We hold that one who distributes a device with the object of promoting its
use to infringe copyright, as shown by clear expression or other affirmative
steps taken to foster infringement, is liable for the resulting acts of
infringement by third parties."

\- Justice Souter, writing on behalf of the Supreme Court of the United States
in MGM Studios, Inc. v. Grokster, Ltd.

~~~
orthecreedence
Great point. It's worth noting that Turtl is a _storage_ tool, not a means of
distribution. The article is not promoting infringement, but instead gives an
overview of how it's just not an issue with Turtl, because Turtl has no
knowledge of the data being stored.

~~~
catshirt
law evaluates intent. i'm not a lawyer, but i'm not an idiot either and it's
pretty easy to read between the lines here.

if the intent is to illustrate security and encryption, there is no reason to
invoke "copyrighted material" at all.

~~~
mden
Unless you are using it as an example of how your solution works differently.
Which they are.

I don't see anywhere that they are claiming their business is for copyright
infringement, in fact, it doesn't seem like it's for mass distribution at all
unless you give out your key, and then you just defeat the point of the
service.

~~~
mjs7231
They are not claiming you should use it for infringement. They are however
advertising that it works great for infringement. "That’s how [they] like it"

It doesn't really matter what you or I think anyway. If it came down to being
sued by a copyright holder, a blog post like this is definitely not going to
help their case.

~~~
ivanca
Of course it's not going to help; but mostly because humans are driven by
emotion.

Sharing copyrighted material is not a crime unless is an illicit sharing, that
is, when you do not hold a license that allows you to do so. So there are many
exceptions such as: when you download a song that explicitly allow copies for
any of your own devices; the same applies when you are the copyright holder,
or when the license does not cover the country where you live.

------
ChuckMcM
While I like the efforts you've gone to in order to hide what is inside the
service, I hope that you also appreciate the level of force arrayed against
you.

It seems that one of the challenges of these services is that in order to
avoid the copyright goons _everyone you know_ , even those folks you only know
by some IRC handle, have to be willing to go to jail for you. Because
otherwise one of them will get turned, they will then be pressured to get you
to indict yourself. This is how it worked against Anonymous, and how it works
on most disobedience rings (civil or otherwise). One of your friends will
share with you a folder that has copyrighted material in it, once they are
sure you have accessed it they will re-iterate that some (or all) of the
material there is copyrighted. At this point the most common thing that
happens is that thinking they are 'safe', someone will say something stupid
like 'don't worry, its our secret' or something like that.

And almost simultaneously the door will explode open as the SWAT guys come in
and put them in cuffs and read you your rights. All because someone you
thought you knew, was unwilling to spend time in jail rather than help the FBI
with their investigation.

Law enforcement has a number of tools (many dubious like the CFAA) which they
can employ against you, and they will.

The best you can hope to achieve is to keep a solid (and I mean solid, no slip
ups anywhere) public front of respecting the copyright holders rights and your
willingness to protect them. Otherwise you will be served papers to decrypt
other buckets and you will be sent to jail for contempt if you do not
facilitate rooting out copyright infringement on your service. Not even
keeping your servers and company in a foreign country will help unless it is a
country which doesn't care about its relationship with the US.

~~~
orthecreedence
I have to ask: why not just email someone a copyrighted file? Once the file is
downloaded to their email client, they are in the same position as they would
be in if you shared it via Turtl.

As a Turtl user, you'd have to be careful about who you share with (or accept
shares from). We even outline this on our security page
([https://turtl.it/docs/security#when-is-turtl-not-
secure](https://turtl.it/docs/security#when-is-turtl-not-secure)).

It seems at some point the app you're using becomes irrelevant and what you
actually do with it becomes much more relevant (such as a bittorrent client).

~~~
ChuckMcM

       > why not just email someone a copyrighted file? Once the 
       > file is downloaded to their email client, they are in 
       > the same position as they would be in if you shared it 
       > via Turtl.
    

Not exactly, there have been a couple of ultimately unsuccessful cases which
are similar (but not exact) with people getting mailed kiddie porn and the
federal agents tried to arrest them when the mailman handed over the
letter/package.

The successful prosecutions I've read about involved three things, 1) an
opportunity, 2) an _awareness_ of the legality, and 3) the follow through even
when there is no reasonable doubt.

Bittorrent is a good example here, and cassette tapes are as well. All of the
outward facing material from these folks are focused on legitimate uses of the
service, it doesn't keep people like cassette makers from being sued, but it
gives them a pretty credible defense. In the linked article you mentioned
using Turtl specifically to avoid copyright enforcement, a judge or jury
reading that could be persuaded that you _intended_ to facilitate copyright
infringement and that intent would make you liable for any copyright
infringement that occurred by anyone using the Turtl service. The point I was
trying to make is that you are doing the prosecution's job for them when you
write

 _" So how does Turtl deal with copyrighted material?

We don’t. We don’t know what you’re storing. Neither do copyright holders.
Neither does the government.

That’s how we like it =]"_

It will not be difficult for a prosecutor to use your words to a Jury and show
that you _like_ that people can violate copyright with your service and that
you _made_ the service so that they could.

And once the prosecution has made the jury understand that, you will be
convicted of abetting copyright infringement and either broke for the rest of
your life paying off an infringement judgement from hell, or serving time in
prison.

All for stuff _other_ people did using your service, because you _made_ it so
they could. See how that works?

~~~
thaumasiotes
I find your point (2) very weird.

Child porn is strict liability (meaning, there's no requirement to show you
did anything on purpose). The law generally doesn't require that you be aware
of the _legality_ of what you're doing ("ignorance of the law is no excuse").

Now, it's easy for me to believe that if you can show affirmatively that you
received child porn by accident, for example through the unknown-to-you
malicious actions of others, the judge might let you off, but that's not
actually encoded in the law; the federal agents you mention have an accurate
view of things.

Can you point out a case where someone knew they were in possession of or
receiving child porn, but got off because they were under the impression it
was legal?

~~~
EGreg
Sounds like you can get people easily arrested by mailing them child porn
without a return address and anonymously tiping off police.

Kind of like destroying someone's reputation via sybil attacks, on an app like
lulu or yelp or whatever. The NSA had slides on how fake victims could write
blogs about being raped or mistreated or whatever.

~~~
gamblor956
Yes, that's actually happened before. It's never turned out well for the
actual perpetrator.

The mail service has a remarkable ability to track mail packages, even those
not sent by certified or registered mail. Additionally, police stations log
all calls received--there's no such thing as an anonymous call. The use of a
pay phone, prepaid cell phone, or online burner number is a huge red flag--it
supports the recipient's defense that someone is attempting to ruin their
reputation. Plus, almost all child pornography cases are coordinated with a
special DOJ task force, due to the international scope of this offense.

Once it's been established that the recipient is being framed, the police--and
the FBI--turn their attention to finding the actual perpetrator. The use of
the postal service makes the frame-up a federal crime.

This is actually how the FBI actually cracked one of the more infamous child
porn rings a few years ago--some idiot tried to frame his neighbor over some
stupid dispute and they traced it back to him quite easily.

------
patio11
You should probably avoid saying "We are a _wink_ _nudge_ plausibly deniable
file locker!" until you have asked your lawyer "What does contributory
infringement mean? Are US judges typically very lenient with parties who
attempt to evade the law with wink-and-nod mechanisms that can be seen through
by the average tadpole?"

------
forrestthewoods
For now. Host a "mystery file" that gets 100,000 downloads with all referrers
coming from a site that posts download links to copyright infringing movies
and things may change quite suddenly.

------
korzun
Even if they do not 'know' what you are storing, posting that will pretty much
label your company as a 'kiddie cesspool' by anybody who values their data.

I'm not in need of their service, but they will never have me as a serious
client after a blog post like this.

------
selectout
Been using turtl (free) for a little while now and love it so far. It's made
huge leaps and bounds over the past several months and I'm excited to see
where it continues to grow.

~~~
orthecreedence
I'm glad you've been having a good experience! It's been fun building it and
I'm excited to to keep growing it and making a viable platform for the more
privacy-conscious.

------
eudox
And it's written in Common Lisp! What's not to like?

------
cordite
I honestly think this is one of the best times to advertise something like
this.

There have been posts here before about alternative services getting a 51%
customer increase on days where a breach in security or general trust is
broadcasted to the world.

------
matttah
On the phone is there a way to get to your main site from the blog? Was
curious on your service but no easy way to jump to the main site, but maybe I
missed it?

~~~
orthecreedence
There should be a link on the top left (a logo of a turtle shell). If you
click that it will take you to the main site.

~~~
snowwrestler
The shell is centered on my iPhone; tapping it takes me to the blog homepage.
There doesn't seem to be any way for me to get to the actual service without
Googling the name myself.

~~~
orthecreedence
Thanks for the heads up, apparently I have a mobile template I didn't know
about/check before publishing the blog. I'll fix this shortly.

------
typicalbender
I don't know anything about how Dropbox or Turtl handle data and when they do
their encryption but it would still be possible for Turtl to do hash level
checking even with client side encryption. They could just hash the file and
encrypt it all client side and then send both back to the server. It seems
that this article is insinuating that Dropbox has full access to your data
(which I dont know is true or not).

~~~
umanwizard
How will they know the hash coming back from the client hasn't been
manipulated?

~~~
typicalbender
The request can be signed and then checked for authentication on the back end.
Using public key encryption it would be sent safely to the server and checked
for authenticity.

~~~
icebraining
Signed by whom? The app running on the client's machine? One should know
better than to trust that.

------
carlosdp
I mean, is not being able to take action on illegal file sharing when the feds
come knocking really something to be proud of? It's a liability from a company
perspective, not a strength IMO.

~~~
orthecreedence
I'm proud that I'm building something that combats the unconstitutional spying
of American citizens, and also helps others around the world avoid
surveillance.

This app is largely a response to the overreach of the US government. While I
believe in fighting for our constitutional rights politically, private
solutions are also a viable means of protest.

We probably _will_ have liability issues down the road. Nobody said this would
be easy. However, being completely transparent and publishing all our code
open-source will help mitigate a lot of these issues. On top of this, by
making the clients able to secure their own data, the company itself can
respond to any government information requests without actually revealing any
customer data.

~~~
jacquesm
I'm not sure if I follow you, this seems a lot like attacking Iraq to me.

~~~
orthecreedence
Would you mind elaborating? Is "attacking Iraq" a metaphor/figure of speech
that I'm not aware of? If so, wouldn't that imply the project is based on
completely false grounds (ie, "WMDs" that don't exist)? It's been shown pretty
clearly that mass surveillance exists and is a part of our every day lives
now.

~~~
jacquesm
Mass surveillance and copyright have nothing whatsoever to do with each other.
If you're going to attack copyright in order to rid us of mass surveillance
that's like attacking Iraq in order to get rid of Al Qaeda.

~~~
orthecreedence
Thanks for clarifying. Admittedly, the article was a PR move to show the
inherent security weakness in apps like Dropbox, using copyright as an
example. I touched on the actual surveillance aspects of the app here because
the original comment asked if doing what I'm doing is something to be proud
of. Violating copyright holders' rights is not (and I don't condone it), but
providing storage for people who need/want privacy _is_ something to be proud
of.

~~~
jacquesm
Then don't position yourself as a mechanism to evade copyright law or as a
champion against that. Those are different goals with different consequences
and it opens you up to a whole pile of attacks that would otherwise be a non-
issue.

------
jzelinskie
The pricing is not clear if files up to size 200MB are free, or you only get
200MB of total space for free.

~~~
orthecreedence
Thanks, I'll make that more clear.

------
mixologic
I find bittorrent sync to be a vastly superior way to share files with people.
([http://www.bittorrent.com/sync](http://www.bittorrent.com/sync)).

~~~
orthecreedence
I'm actually very interested in the service (been hearing a lot about it
lately). Does it require one of your computers to be on at all times? Or is
there some sort of storage conduit that doesn't decrypt your data, but only
acts to make it available to your other devices (mobile, desktop, etc)?

------
ztratar
Quality PR move here and all around great article on security.

------
jobigoud
I'm not too convinced about the plausible deniability here, could someone that
has reviewed their tech comment on the following:

\- Encryption works by blocks and do not generally hide the size of the
plaintext.

\- Once I get the encrypted material, I thus approximatively know the size of
the original file within a few bytes (uncertainty is due to padding to block
size).

\- I collect a few candidates files with size in the right range (There might
be only one but it's still deniable).

Knowing your login information and the algorithm used to "derive the key from
the login information", can't I encrypt the candidate and test against the
encrypted material ?

~~~
orthecreedence
> Knowing your login information

I'm not sure how much more clear I can be. Turtl doesn't _know_ your login
information, and doesn't know any of the keys derived from your login
information. That's the point of the login...it's a familiar way people use to
authenticate themselves with a service, but with the added benefit that it's
actually generating a master key for them.

Also, not sure how many files there are floating around the internet (and off
of it) but it's quite a bit, so comparing file sizes isn't going to give any
real information (at least in regards to copyright protection).

------
plicense
What an example of "Make hay while the sun shines".

------
einhverfr
My immediate concern is whether this could be construed as advertising the
service of copyright violation. If so, there may be the same concerns that
ultimately lead to the downfall of grokster.

If I were to launch a service like this, I would describe this issue in terms
of general privacy, and the fact that the nobody else has any idea of what is
going on. With Snowden, the obvious point is that it is private from the
NSA.....

------
yanowitz
Does anyone here have experience with turtl? Pros/cons? Confidence in security
model?

~~~
foobarqux
The security model is broken. You can't securely do encryption in server side
javascript.

~~~
orthecreedence
Incorrect, my friend! There's no server-side javascript. Turtl is a
downloaded, self-contained app, and all encryption happens in that app.

~~~
foobarqux
Sorry, my mistake. I guess I just assume everything is a webapp these days.

------
Raticide
So it works the same as Mega?

------
limsup
Am I the only one who was totally onboard until I saw it was written in lisp?
Can't trust non-pragmatic people.

~~~
m0g
You mean like the people who wrote HN, the site you are reading, right?

