
My open source API client was taken down by a phony DMCA complaint - contrahax
https://github.com/github/dmca/commit/9863d528780c193cd2aead22264318aaa73ea418
======
rawrly
Most people who are first interacting with the DMCA law are unfamiliar with
the fact it has protections against people filing false notifications.

Without knowing details about this (and not providing legal advice) this may
be how it would work:

If the claim is in fact BS, go lawyer up. File a counter notification, wait 10
days and your content will be put back online (unless they file an injunction
to keep it offline), then you file suit against the alleged infringer for the
statutory damages of $150,000 per false alleged infringement claim. Likely
they'll settle out of court for some number less than their legal costs/time.

Pay your lawyer, use the rest to fund your project.

Go out for a pint, and tell the story of how your project was funded
by outwitting a scammer.

~~~
rsingel
That sounds really great, but the courts have been very lenient to those who
file false DMCA notices and the burden of proof falls on you to prove that it
was filed falsely _intentionally_.

So, I'd say, don't lawyer up yet. File the counter-notice and if they come
after you, then get a lawyer and publicity.

~~~
Dylan16807
Yep, there is no penalty whatsoever for gross negligence, it sucks.

~~~
jlgreco
So basically it is in the best interest of any company that is interested in
filing these claims without regard for publicity to hire a complete imbecile
to do it.

No wonder we see so many idiotic claims.

~~~
krichman
Who do you think wrote this law?

------
drostie
(I am not a lawyer, this is not legal advice.)

I understand that you want to extend professional courtesy to the lawyers and
programmers involved, and by all measures, I think you should do so. However
you must understand that the DMCA takedown procedure is not a human; it is a
legal robot. By invoking DMCATakedownBot, they have not extended _you_ proper
courtesy, and probably the correct action is to file the counter-notification.

Your counter-notification can point out that the original legal letter to
GitHub was largely not a 'notification of claimed infringement' under 17 USC §
512 (c) (3) (A) [the "safe harbor"/"takedown" requirement of GitHub] --
because it claimed that the injury was a violation of 17 USC § 1201, which is
not about copyright infringement. You should point out that there _is_ a
claimed infringement in this notice -- "He has taken proprietary source code
from inside of our application" -- but that this claimed infringement is
outright false, you have not copied any source code from inside of their
application. So the 'safe harbor' DMCA takedown notice (§ 512) is probably not
a proper venue for the legal discussion to occur. Rather, the proper venue is
described in § 1203; they should bring a civil action against you in a US
district court for the actual damages and any additional profits of the
violator, or statutory damages per violation.

You can then add to this notice something about how you'd much rather attempt
to sort this out in a one-to-one discussion with the aggrieved programmers at
the company, rather than in court. You can also tell them that section 1203
(c) (5) allows a court to remit the total award of damages if you can prove to
the court's satisfaction that you were not aware and had no reason to believe
that your acts constituted a violation.

Since this is not legal advice so much as "advice on what you can say to
lawyers to get them off your back", I will recommend that you read the
relevant laws here:

<http://www.law.cornell.edu/uscode/text/17>

I also recommend that if they do sue you under section 1203, you contact a
lawyer. You might also consider contacting a copyright lawyer right now, if
it's not too much hassle.

------
citricsquid
This is literally the funniest thing I have seen in weeks. Grooveshark is a
company that is only able to operate because of DMCA safe harbors.

~~~
milkshakes
And not for long at that :(

<http://torrentfreak.com/groovesharks-future-in-doubt-after-settlements-with-big-music-130517/>

------
DevMonkey
The interesting thing is that they say the library used proprietary code. From
talking to Contra, they are just using a REST API which is not documented
(Undocumented API !== Proprietary). If you publish a publicly accessible API
then expect it to be used by everyone and everything.

~~~
dangoldin
By that reasoning, can't one make the argument that what weev did was use an
undocumented API though? The endpoints were publicly accessible but obfuscated
(and quite poorly at that).

~~~
Dylan16807
That access route was unintentional, which is rather different from
intentional but undocumented.

~~~
gingerlime
Absolutely.

I wonder if by that token you could find a security exploit in an API that
causes undesired behaviour (e.g. elevated privileges) and claim you're simply
accessing an undocumented API?

Or another way of looking at it - does accessing an undocumented API
constitute hacking/unauthorized access? (which is probably an even more
serious violation than copyright infringement in most countries)

(disclaimer: I don't even know what this particular API is doing, or what's
the alleged infringement, I'm just wondering about the principles in general)

~~~
GhotiFish
I had this philosophy for every single crack.

Computers do what they're programmed to do, they do what you told them to do,
if you didn't want your computer to respond to a buffer overflow by writing
over the stack and executing a sequence of commands that escalated the
defendant to an administrator, you shouldn't have programmed that feature in.

When you inserted that string directly into that SQL command, you gave your
users access to a wide range of features. Now all of a sudden you don't like
that feature any more because someone used it? You gave the users the ability
to ask for arbitrary tables in your database, why should a hacker go to court
for asking for a "user table"? Shouldn't you be the one in court?

That's how I saw things when I was ~15, anyway. I still kinda think that
way... Though I've figured out that just because someone left their safe open,
doesn't mean you get to steal the gold.

~~~
jlgreco
> _Though I've figured out that just because someone left their safe open,
> doesn't mean you get to steal the gold._

True. Though on the other hand, if somebody figures out that they get free
sodas when they hold down both the coke and sprite buttons, as far as I am
concerned they get to have their free soda.

~~~
kivikakk
There is surely some cognitive dissonance here.

> > Though I've figured out that just because someone left their safe open,
> > doesn't mean you get to steal the gold.

> True. Though on the other hand, if somebody figures out that they get free
> sodas when they hold down both the coke and sprite buttons, as far as I am
> concerned they get to have their free soda.

So, if the safe is left open, you don't get to take it, but if you press
buttons that unintentionally make it open up, you get to have your free gold?
uh.

~~~
jlgreco
If the teller gives you free money, that is on the teller, not you. Whether
that teller is human or an automated machine doesn't particularly matter to
me.

Just don't take money that the teller, automated or otherwise, does not
volunteer. Regular safes and vaults, with no teller, have no agency and are
not capable of giving you money.

~~~
jacalata
Does 'inserting a coat hanger into a vending machine' count as 'pressing the
coke and sprite buttons together' or 'they left their safe open'?

------
kevinpet
If you read the notice carefully, you'll see they do not claim the target of
the takedown was infringing their copyright, but only claim that it is an
illegal circumvention method. Which is interesting because I've never seen a
DMCA takedown that didn't claim infringement.

Looking through Wikipedia's description, it looks like anti-circumvention
isn't even in the same section of the act as the rules for taking down
infringing content.

~~~
fernandotakai
According to one grooveshark software engineer on twitter "@jameshartig:
@fernando_takai Groovr was abusing our internal API to provide download links.
We have a public API for developers that is free to use."[1]

[1]<http://twitter.com/jameshartig/status/337307876890648576>

~~~
voidlogic
> According to one grooveshark software engineer on twitter "@jameshartig:
> @fernando_takai Groovr was abusing our internal API to provide download links.

It's not an "internal API" if it is publicly accessible and doesn't require
credentials other than the user's own. Did this API client have stolen creds
embedded?

~~~
contrahax
No - it loaded grooveshark.com with the node module "request" and used cheerio
to get the session id from the page source. Then API calls are made with the
session id and client info. The APIs don't require a login or any
authentication.

~~~
andreasvc
In other words it simulates browsing the grooveshark website, instead of using
their public API. I think it's this that they are upset about, but it makes
little sense because if people can see something on their browser then that
user should just as well be allowed to see it through a script.

------
fastest963
Hey guys, I'm an Engineer at Grooveshark and I handle developer relations.

Unfortunately, groovr appears to circumvent internal copyright protections for
content hosted at Grooveshark. The groovr library offered a way to get, and
subsequently allow you to easily download, song mp3s via a call
(groovr.getSongFile). It was able to provide these services by using our
internal authentication methods and internal API.

Grooveshark offers a public API (<http://developers.grooveshark.com/>) which
allows you to search for content, authenticate users, view popular music, and
more, all for free. Developers are encouraged to register for a key and use
our content for their applications.

~~~
teraflop
OK, so what about the allegation that the developer in question "has taken
proprietary source code from inside of our application and posted it as a
GitHub project"? Was there any of GrooveShark's actual code that was
distributed without permission? Because that's what your lawyer told GitHub in
order to get it taken down.

~~~
RobAley
You'll find that fastest963 is posting that boilerplate reply across the web,
and then failing to reply to the very question that you ask, which everyone
else is asking too.

Grooveshark PR clearly thought that by rolling out a "one of us" developer to
make a "shucks, it sucks, but what choice did we have?" type statement, the
wider dev community would be pacified and wouldn't keep asking the hard
questions.

One day they will learn.

------
javis
Just created a mirror of the repo from Google Cache.

Link: <https://github.com/joshryandavis/groovr>

------
taf2
<http://webcache.googleusercontent.com/search?q=cache:s43ODsntyuMJ:https://github.com/wearefractal/groovr+&cd=8&hl=en&ct=clnk&gl=us>

~~~
pygy_
The package.json is still up in the cache too, but I couldn't reach the
index.js.

I tried Google, Yahoo, Bing, the Coral CDN, Gigablast and WebCite.

package.json:
http://webcache.googleusercontent.com/search?output=search&#...

------
zero1zero
I'm going to use this api when it gets put back up. Anyone have a snapshot of
the code before it was taken down? Streisand Effect.

~~~
zevyoura
There are several similar projects linked in the comments if you just want to
get started.

------
thezach
It appears Grooveshark has some poor coding practices.

It appears that Grooveshark inaccurately filed a DMCA.

However it appears that the original poster is in violation of DMCA, for DRM
Violations. The DMCA provides Grooveshark protection against your "API" which
is actually a way to circumvent Grooveshark's DRM.

While Grooveshark didn't state this in the original DMCA, they can file
another and have you taken down for correct issues.

Your "API" does violate copyright law.

------
hawkharris
I don't know much about law and I'm not qualified to speak on behalf of
Grooveshark. Having said that, I interned as a developer for the company for
over a year. During that time I got to know its true culture and learned a
bit about how it operates.

All of the folks I worked with saw it as their mission to support both
independent music and independent software development. Everyone in the office
brainstormed ways to help broaden their fan bases. (For example, giving
artists Flattr accounts & letting them live-broadcast their music as they
chatted with fans.) At the same time, many of the Grooveshark engineers I know
contributed to open-source projects in their free time.

The API has never allowed users to download songs, and it seems clear to me
(by browsing the comments in the code on Github) that one element of the
project in question performed that function. That seems to be the crux of this
problem.

Again, I'm not qualified to speak on behalf of Grooveshark, but I know from
experience that its engineers are extremely supportive of these kinds of
open-source projects.

~~~
laurent123456
From the repository copy:

    groovr.getSongFile songs[0].SongID, (err, file) ->
      ###
      file.url is an mp3 url you can download
      the file object also contains some meta info like song length
      ###

That indeed confirms what the Grooveshark developer was saying on the DMCA
notice comments. Even though the API doesn't provide the MP3 file directly,
it's trivial to get it through this function call.

~~~
wnight
file.url (a property of the file object) is an MP3 url _YOU_ can download.

Could that be any clearer?

------
nilved
This is why you don't use GitHub (or, more generally, American companies.) The
prospect that someone can arbitrarily take down your repository until you go
out of your way to provide a counternotice is beyond absurd.

~~~
JoshTriplett
If you care about this, also keep your hosting provider and domain name
provider in mind as well, since they can simply cut off access to your entire
site in response to a DMCA complaint.

------
CptCodeMonkey
What did your API provide (downloads or just search)?

~~~
contrahax
The API client just let you search, get popular songs, and get individual song
info. There was no downloading included in the API client - if you wanted to
download a song based on the info from their APIs you would have to write your
own code to do that.

~~~
sauerbraten
Do you know about the tinysong API?

<http://tinysong.com/api>

It provides only basic search functions of course, but it is publicly
documented and I'm sure Grooveshark can't complain if you use it. I wrote a Go
package for it years ago (literally, 2010 I think) and it still works fine.
You get tinysong.com shortlinks, which lead to the song on Grooveshark.

~~~
contrahax
That is pretty neat! Thanks for the link.

------
toomuchtodo
Why does Github not have a workflow to file a counter-notice?

~~~
viraptor
It has both workflows described - claim and counter-claim:
<https://help.github.com/articles/dmca-takedown#b-counter-notification-policy>

~~~
contrahax
Counter-claim is for after you have removed the content. I am not going to
remove the content just because a fuzzy DMCA was issued. Apparently there are
no options besides taking it offline or going into a legal battle.

~~~
rsofaer
By filing a counter claim you aren't really starting a legal battle, you're
giving them 10 days to start a real legal battle by going to a court. Your
content is already offline. File a counter claim and it will be back up in a
week and a half.

~~~
pyre

> you're giving them 10 days to start a real
> legal battle by going to a court

To be clear, that's 10 days _before the content goes back up_ to take you to
court to prevent it from going back up. Nothing stops them from suing you over
it after the content is restored.

~~~
hfsktr
Just out of curiosity. Is there a time limit of how long they can sue for
after it's restored? Could they wait for you to get a huge user base or
revenue and then strike to get the most out of you or is there protection
against that?

I don't see myself ever creating anything that would get taken down but I
imagine most people don't when it happens to them.

Any time I hear about DMCA it seems so very one sided that there is just about
no recourse.

~~~
pyre
Well, they can sue you at any time. They don't really need to issue a DMCA
notice first. The issue is that:

1) Most of the time they don't know your real identity from your (e.g.)
YouTube username. IIRC, you have to use your real name or contact information
when filing a counter-notice.

2) If they sue you, the content stays up until they can convince the judge to
order it to be taken down.

The point of the DMCA was to allow for things to be taken down quickly, and
then sorted out in court later if need be. The content is taken down quickly.
If you push back (counter-notice), then the (claimed) content owner has 10-14
days to start court proceedings to keep it down; otherwise, it goes back up.
None of this precludes a suit being filed at any point.

The real issue with this process is that there is little relief for negligence
in filing DMCA notices. All you have to do is have a good-faith belief that
you are the content owner, and this violates your rights. So acting like
you're ignorant of the law is actually a defence against being held
accountable for filing a bogus notice.

If bogus DMCA notices were punished more often, and people were required to
consult a lawyer before firing at the hip (e.g. people that don't understand
copyright law, and just say, "I don't like X take it down! DMCA!"), then maybe
it would be working better.

------
namuol
Grooveshark filing a DMCA notice? The irony is palpable.

------
namuol
Good thing I never released the source code to my project.
(<http://spiffyshark.com>)

------
VMG
Textbook irony.

------
kbar13
Isn't it interesting that the internet is severely misinformed about a law
that they love to hate?

~~~
andreasvc
How so? I think it's quite clear that this notice is mistaken, or in any case
not specific enough to have merit. Is it infringing on their source code?
Which code, then? Is it circumvention of their DRM? That doesn't fall under
DMCA takedowns. Is it a TOS violation for not using the public API? Again,
doesn't fall under DMCA.

