
CipherCloud used DMCA Takedown on StackExchange discussion of their cryptography - rdl
http://meta.crypto.stackexchange.com/questions/250/ciphercloud-dmca-notice
======
moxie
What's interesting is that there is a whole ecosystem of companies like
CipherCloud that do the minimum required to provide solutions for those
interested in "compliance," not "security."

My sense has been that their customers are predominately those bound by things
like HIPAA or PCI, who want to use cloud services, but can't do it with a
straight face unless they can say they're "encrypting" their data.

What their customers want isn't security; it's the minimum required that will
allow them to use salesforce.com. Incriminating details on StackExchange
aren't a problem because their customers don't already know CipherCloud is
insecure, they're a problem because it would make it harder for customers to
say they're in compliance with a straight face.

~~~
iuguy
I've mirrored Emil Vokstrom's mirror[1] here[2] and I encourage HNers outside
of the US to do the same and post here.

[1] - <http://lajm.eu/emil/dump/ciphercloud-security.html>

[2] - <http://securitybookreviews.eu/ciphercloud/>

~~~
shared4you
Mirror of Google's webcache, including images:

<http://bdsatish.in/math/crypto-se-3645/>

------
ck2
I think "used" needs to be replaced with the word "abused". It's appropriate
here.

With no penalty for false DMCA claims, it's a "stop us if you can" mentality.

The real reason may have been the conclusion that "Ciphercloud is NOT doing
homomorphic encryption" ?

(but google cache still works)

~~~
dangrossman
The penalty for materially misrepresenting a DMCA claim is actual damages plus
costs and attorney fees. That's automatic, written into the bill, unlike many
other torts/crimes where you need exceptional circumstances to get attorneys
fees in addition to the damages.

~~~
cft
Except that 512(f) of DMCA is practically unenforceable [1], since the
standard is to prove that they "knowingly materially" misrepresented:

[1]
[http://blog.ericgoldman.org/archives/2013/04/another_512f_cl...](http://blog.ericgoldman.org/archives/2013/04/another_512f_cl_1.htm)

~~~
DannyBee
So, it's not practically unenforceable. The case Eric is citing appears to be
a case where someone has an actual good faith but unreasonable belief that
they have a cause of action.

That eliminates the "knowingly" part. A lot of DMCA claims, including the one
in the OP, are being filed by lawyers or companies who will have a much harder
time showing they have a good faith but unreasonable belief. They are
basically going to have to argue they are idiots. The second you can show bad
faith, I have trouble believing (and I don't know of any cases where ..) a
court would not impute knowledge.

Basically, you want them to have to consider your affirmative defenses (which
is what fair use is). While I don't necessarily disagree, to be fair, this
would be wholly inconsistent with almost every other area of law.

For example, if I file a negligence claim against you, _you_ bear the burden
of proving any affirmative defense to my claim, such as assumption of risk. I
don't have to consider it at all when I file my claim, and if you don't prove
your defense, I win. This is true no matter _how valid_ your defense may be.

~~~
analog
But what are the 'actual damages' in this case, it would be hard to argue a
monetary damage to Stack Exchange. So the most you could 'win' from
CipherCloud for their abuse would be your legal costs. Hard to justify taking
that action.

~~~
DannyBee
Yes, you would get some nominal damages, plus any actual loss you could prove
(IE the money of the people who spent time processing your DMCA request, plus
how much you would have earned from ads on the post) or, and if they did it
repeatedly, you may get something more (Punitive damages are rare in contract
law, but possible).

Look, as much as I don't like it, this is a tradeoff. On one side, you have
the fact that websites like this would normally be liable for _everything_
they publish. DMCA says "we'll fix that for you", the cost being "if you want
safe harbor, and someone with a good faith belief sends a takedown notice, you
honor it".

If StackExchange really believed the material was non-infringing, they could
always ignore the DMCA takedown, and force CipherCloud to sue them. They
didn't choose to take that risk. Newspapers have the same issue, FWIW: They
get threatened all the time by bad actors (and not just for defamation of
public figures, which they are mostly protected from). They just often choose
to take the risk and force bad actors to sue them.

It's not at all clear what you think the solution is. If you institute harsh
penalties for filing "bad" DMCA requests, all that would happen would be large
numbers of lawsuits over DMCA requests, bad or good, because it would likely
be profitable. You really think torrentfreak/isohunt/et al wouldn't just start
filing suits over every single DMCA request they receive? What do they have to
lose? They wouldn't have to win many suits to make money off it.

If you have a good solution, I'd love to hear it :)

I realize how odd this sounds, and I really do hate the way content
companies/et al abuse the DMCA process, but one doesn't need to look very hard
at history to see what lawyers in general will do if you make it profitable
(see the history of rule 11 sanctions, particularly, the period from 1983 to
1993, or you know, recent prop 65 litigation, resulting in everything in the
world having "the state of California believes this may cause cancer" labels
on it ).

~~~
AnthonyMouse
>You really think torrentfreak/isohunt/et al wouldn't just start filing suits
>over every single DMCA request they receive? What do they have to lose?

Money? Time? It wouldn't make any sense for them to litigate the cases they
would obviously lose when they could choose the subset of cases where the take
down issuer clearly has no copyright in the material in question -- which is
the whole idea.

You're also giving the money to the wrong party. It doesn't make any sense to
give YouTube or Tumblr the right to sue for bad take downs, if they thought
they were bad they could just not execute them. The right for redress should
be for the user who posted the material, not the intermediary. Which solves
your problem with torrent sites filing frivolous claims. Do you honestly think
release groups are going to get into the business of filing frivolous lawsuits
against content owners? As soon as they identified themselves and consented to
jurisdiction they would be counter-sued for infringement or arrested.

~~~
tptacek
You're not following his reasoning to its conclusion. The people who run
Isohunt surely don't want to spend their time writing court filings. But
they'd be sitting on top of a mountain of potential claims, which would prove
lucrative if even a tiny percentage resulted in damages. Unscrupulous law
firms would notice and send Isohunt offers; at some point, it would become
irrational of Isohunt not to accept one of them.

~~~
AnthonyMouse
Isohunt is the intermediary. If they don't like a takedown notice then they
can just not execute it; they don't need any redress from the courts. The
plaintiffs with standing should be the end users who posted the material that
was removed.

>But they'd be sitting on top of a mountain of potential claims, which would
>prove lucrative if even a tiny percentage resulted in damages.

Setting aside that Isohunt is the wrong party, yes, there are a mountain of
take downs from which some small percentage should result in damages. But you
can identify those cases ahead of time -- you know perfectly well you aren't
going to win a case where you posted Fast & Furious 6 to Isohunt and Universal
Studios issued a take down for it, there is no point in even trying. And if
you do try then you're effectively admitting your own liability for copyright
infringement when you have to assert you posted that material in order to get
standing to sue.

The cases lawyers will want to take are the ones they think they can win --
and as long as they're right, that's what they're _supposed_ to do. That's the
whole idea.

Are you arguing that the situations where the take down is in a grey area
(e.g. fair use) will create too much litigation? I don't really see that
happening. On the one hand, the existence of penalties would create a
disincentive for copyright holders to wantonly issue take downs in
questionable cases, and if there was no take down then there is nothing to
litigate. Then, in the consequently much reduced number of edge cases, in
order to claim a take down was fraudulent a plaintiff would have to admit in
court to posting the material and thus to liability for copyright infringement
if the take down was legitimate.

------
greenyoda
Note that the answer below the question contains this link to the Google cache
of the original article that was taken down:

[http://webcache.googleusercontent.com/search?q=cache:FYBbAFU...](http://webcache.googleusercontent.com/search?q=cache:FYBbAFUycYQJ:crypto.stackexchange.com/questions/3645/how-is-ciphercloud-doing-homomorphic-encryption+&cd=1&hl=en&ct=clnk&gl=us)

There doesn't seem to be anything in there that looks like an infringement of
anyone's copyright.

~~~
ghayes
Aren't DMCA takedowns required, under penalty of perjury, to assert a non-
frivolous copyright claim? Is there any recourse for what appears to be clear
abuses of the DMCA?

~~~
dangrossman
There is recourse against truly false claims made in bad faith, but it's not
the penalty of perjury part. All you swear under penalty of perjury is that
you are authorized to act on behalf of the owner of some copyright allegedly
infringed (i.e. you're not filing a claim about someone else's work).

Here's the actual recourse created by the bill:

> (f) MISREPRESENTATIONS- Any person who knowingly materially misrepresents
> under this section-- (1) that material or activity is infringing, or (2)
> that material or activity was removed or disabled by mistake or
> misidentification, shall be liable for any damages, including costs and
> attorneys' fees, incurred by the alleged infringer, by any copyright owner
> or copyright owner's authorized licensee, or by a service provider, who is
> injured by such misrepresentation, as the result of the service provider
> relying upon such misrepresentation in removing or disabling access to the
> material or activity claimed to be infringing, or in replacing the removed
> material or ceasing to disable access to it.

[http://thomas.loc.gov/cgi-bin/query/F?c105:6:./temp/~c105aLN...](http://thomas.loc.gov/cgi-bin/query/F?c105:6:./temp/~c105aLNxl3:e57148)

~~~
comex
Note that the EFF is trying to prosecute a case over this clause [1]. IANAL,
but it seems to be hard to hold someone responsible for a bad DMCA notice
unless they specifically knew that it was bad (rather than merely being sloppy
and sending notices without adequately considering fair use). Whether that is
the case for this notice could theoretically be found out through discovery.

[1] <https://www.eff.org/cases/lenz-v-universal>

------
PeterisP
If something can be destroyed by the truth, then it should be.

If a crypto company abuses DMCA to fight this, then they deserve the Streisand
effect. You should send the materials to someone in a free country where DMCA
doesn't apply and speech is still free, and they can host the documents and
discussion.

~~~
DanBC
I haven't seen the DMCA notice. I think the screenshots are the things being
DMCAd. If so, they clearly fall under fair use.

Someone should issue a counter notice. And get them put back up.

What's interesting to me is what happens if StackExchange put these back up,
and then the cryptocompany sends a DMCA to SE's hosts.

~~~
AnthonyMouse
Isn't it the same thing then? Just send a counter-notice to SE's hosts?

Of course, that doesn't stop all of Stack Exchange from being down for "10
business days" in the meantime. Should be interesting to see the public
response to that if it actually happens.

------
danbruc
Now let the Streisand effect do its work...

(I made a snapshot of the page from Google's cache only to discover that at
least two others used the very same service within the last hour to do exactly
the same...and there are a few services to snapshot web pages.)

~~~
rubbingalcohol
Here's one. DMCA claim is bullshit. This is fair use:
[http://static.rubbingalcoholic.com/images/temp/ciphercloud.p...](http://static.rubbingalcoholic.com/images/temp/ciphercloud.png)

------
sergiotapia
Google cache of question in...question (lol):
[http://webcache.googleusercontent.com/search?q=cache:FYBbAFU...](http://webcache.googleusercontent.com/search?q=cache:FYBbAFUycYQJ:crypto.stackexchange.com/questions/3645/how-is-ciphercloud-doing-homomorphic-encryption+&cd=1&hl=en&ct=clnk&gl=us)

~~~
danbruc
That looks really horrible and I am somewhat tempted to write and publish a
GreaseMonkey script that does bad things to CipherCloud protected pages...

~~~
sergiotapia
Why would you (or anyone) deliberately try to hurt a company? Just because
their tech is not 'on par'? Please think about how it would hurt that company
and the employees (and their families!).

~~~
danbruc
Why would a company (deliberately) try to sell a false sense of security to
anyone whose knowledge of cryptography is not 'on par'? Please think about how
it might hurt these customers and their employees (and their families!).

------
mleach
Putting the merits of their technology aside, I've had numerous unpleasant
experiences working with the CipherCloud Founders as both a Salesforce Partner
and Customer. They use fear tactics to scare prospects into believing a) their
data is unsafe in the cloud and b) their competition uses inferior encryption
algorithms.

This DMCA takedown is unfortunately just another of their "just try and stop
us" tactics.

------
patrickyeon
In a situation like this, who files the counter-claim(s) to get the content
restored?

I would think SE as an organization cannot, as they are the safe harbor in this
case, but it sounds like the takedown notice wasn't specific enough for the
relevant users to know what they can leave up. Does each user involved need to
counter-claim so that SE can put the question and answers back up? Can one
user claim that nothing on the site was infringing and have that be enough to
protect SE?

------
goronbjorn
When a company does something like this, whether or not the claims/criticisms
are actually true, their actions tacitly imply that they believe that the
claims are true. In other words, terrible PR/technical brand management.

------
caf
The original question and answers have been put back up, without the
CipherCloud screenshots.

[http://crypto.stackexchange.com/questions/3645/how-is-cipher...](http://crypto.stackexchange.com/questions/3645/how-is-ciphercloud-doing-homomorphic-encryption)

------
pi18n
We should start a collection of these kinds of stories as case studies in why
laws allowing any entity to legally compel removal of content are ripe for
abuse.

DMCA as a law isn't even that ridiculous or reprehensible; it mostly offers
protection for websites that have user-submitted content. And yet here we are.

The damages clause needs to be strengthened if we wish to continue having free
speech on the internet.

~~~
CodesInChaos
EFF has a collection of DMCA abuses: <https://www.eff.org/takedowns>

------
CodesInChaos
Now stackexchange forwarded the DMCA notice to the involved users.
<http://meta.crypto.stackexchange.com/q/250/180>

CipherCloud claim copyright infringement on the three images used to evidence
the posts.

They also claim that certain statements in the posts are false, misleading,
defaming. While some statements look indeed wrong, others (in particular the
determinism claim) are clearly evidenced in screenshots. They hint that their
actual product might use different encryption from the demo video.

------
smartwater
Before takedown: <http://imgur.com/8r9cDxS>

------
tzs
More comments are on the duplicate (now dead) submission [1].

[1] <https://news.ycombinator.com/item?id=5579615>

------
acd
Freedom of speech must include that random company x cannot take down your
internet discussion using some strange acronym as an excuse.

Encryption and security does usually not get any better by pretending it's
secure and not letting anyone dig around the solution.

~~~
npsimons
_Encryption and security does usually not get any better by pretending it's
secure and not letting anyone dig around the solution._

Indeed. Schneier has some excellent discussion on this topic, singling out
closed source encryption as _always_ eventually being cracked, and the
security world's consideration of open source as a pre-requisite for security:

<http://www.schneier.com/crypto-gram-9909.html>

I've never understood how anyone with at least an ounce of intelligence can
claim that something is more secure just because it's closed source.

------
CodesInChaos
DMCA'd CipherCloud discussion on stackexchange online again (minus images).
The Copyright part of the notice only covered the images and stackexchange
apparently didn't consider the text part of the posts a ToS violation.

I expanded my analysis, but you'll need to check the original material for
evidence since the embedded images were subject to the notice.

<http://crypto.stackexchange.com/q/3645/180>

------
rubbingalcohol
Situations like this really highlight how out of step the DMCA is with
people's right to free speech and fair use. DMCA takedowns put too much
compliance burden on individuals who are unaware of or intimidated by the
counter-notice process.

At the very least, there should be more stringent requirements for legitimate
takedown claims and stricter penalties for abusing the process.

------
jared314
I wonder if doing something similar to Ciphercloud, using a homomorphic
encryption library like libScarab[0], would actually make it secure. I guess I
still don't understand what Ciphercloud does.

[0] <https://hcrypt.com/scarab-library/>

~~~
betterunix
FHE is far too slow for any practical use. In a few more years, things might
be different, but for now anyone marketing a practical FHE solution is
probably lying.

~~~
jared314
I'm still trying to find performance numbers that prove it impractical.
Otherwise, it just sounds like a problem that could be mitigated by
clustering.

~~~
betterunix
Here are some results from a research team that has been on the forefront of
FHE implementations; note that this has been improved on significantly since
last August, but you are still looking at minutes of computation for
relatively small functions:

[http://www.iacr.org/cryptodb/archive/2012/CRYPTO/presentatio...](http://www.iacr.org/cryptodb/archive/2012/CRYPTO/presentation/17-1-Smart.pdf)

Also, throwing "clustering" at every problem is misguided. Not all problems
are easily parallelized:

<https://en.wikipedia.org/wiki/P-complete>

~~~
jared314
Don't forget Amdahl's law and Gustafson's law on the limits of parallelizing
when the problem isn't P-complete. Either way, I disagree with your conclusion
that it is misguided.

------
plumeria
Just have someone put it on wikileaks?

~~~
plumeria
Or snapshots in a torrent file...

------
jimktrains2
[http://webcache.googleusercontent.com/search?q=cache:crypto....](http://webcache.googleusercontent.com/search?q=cache:crypto.stackexchange.com/questions/3645/how-is-ciphercloud-doing-homomorphic-encryption)

Has a version from Apr 12, 2013 15:33:47 GMT.

------
a3n
So wrong answers (assuming they're wrong) and speculation are now speech that
can legally be suppressed? You can't say anything that's wrong or a guess?

------
DanBC
Did CipherCloud get Google's permission to use the GMail logo on their
website?

Or Microsoft's permission to use the MS Office 365 logo?

------
anoopelias
Just listen to Cryptography I in Coursera.

Never, ever use your own algorithm for encryption. Always use tried, tested
and known algos. And don't even change it one bit (literally!).

Only the key remains secret.

------
volokoumphetico
Long story short, stackexchange didn't want to lose a potential ad sale. It's
not good for their business to have users question products advertised on
stackexchange network.

