>At Funko, we hold a deep respect and appreciation for indie games, indie gamers, and indie developers. We’re fans of fans, and we love the creativity and passion that define the indie gaming community.
>Recently, one of our brand protection partners identified a page on http://itch.io imitating the Funko Fusion development website. A takedown request was issued to address this specific page. Funko did not request a takedown of the @itchio platform, and we’re happy the site was back up by this morning.
>We have reached out to @itchio to engage with them on this issue and we deeply appreciate the understanding of the gaming community as the details are determined. Thank you for sharing in our passion for creativity.
A few years ago, my bank mailed me a letter basically saying "A partner got hacked and lost your personal information. It was totally the partner's fault, not ours! We care about keeping your identity safe!"
And guess which company I was mad at? The company I bank with, or the generically-named sub-contracted company that the bank only partnered with so they didn't have to be held liable for potential breach of PCI and various laws? (Spoiler: It was the bank.)
Point being, Funko can try to cover their vinyl butts as much as they want. The bad PR is going where it belongs. I only wish the financial repercussions would too for things like this.
I don't know the proper terminology, but I think there's a similar legal concept of: "I'm suing you for the damages, if it was someone you contracted with who is really at-fault, you can sue them in turn. The indirect cause is not-my-problem, and I might not even be able to go around you even if I wanted to."
Sometimes this manifests in odd ways, like lawsuits between loving family members in order to activate some sort of insurance-claim.
Right? There is no such thing as a ‘company’ doing something, anyway… it is always a decision by an individual or individuals at a company who makes the poor decision… why do I care if you paid that person on your own payroll, or if you paid them indirectly by paying a company that employs that individual… in either case, they are acting on behalf of the company when they act.
As much as I enjoy and share that link, I don't think it's quite the same: It would actually be more honest if banks had said: "Our deliberately insecure processes were exploited by scammers, but it's some contractor's fault."
In contrast, "identity theft" is trying to re-characterize the type of failure in order to blame the consumer.
> It was garbage, but it had been cooked by an expert. [...] The Grand Trunk’s problems were clearly the result of some mysterious spasm in the universe and had nothing to do with greed, arrogance, and willful stupidity. Oh, the Grand Trunk management had made mistakes—oops, "well-intentioned judgments which, with the benefit of hindsight, might regrettably have been, in some respects, in error"—but these had mostly occurred, it appeared, while correcting "fundamental systemic errors" committed by the previous management. No one was sorry for anything, because no living creature had done anything wrong; bad things had happened by spontaneous generation in some weird, chilly, geometric otherworld, and "were to be regretted."
Yes, but they're also saying "A takedown request was issued to address this specific page". A fraud report to a domain registrar is categorically not something one does to address a "specific page", whether it's done by a partner or by them.
It’s very typical to report to a site’s host or provider on a specific page under the DMCA. The way this works is that the host will ask you to take down the page, and if you don’t, the host needs to take action or they become liable. This is conceptually covered as “DMCA safe harbor”, and the rules around it protect service providers from liability of their clients’ actions.
AWS has a well-oiled machine for these kinds of complaints, but some registrars are located in corners of the earth and getting a line of communication to them is challenging. Notion’s worst outage to date happened because of a breakdown of forwarding complaints between a complainant, our DNS NIC in Somalia (.so), and the middlemen between us and Somalia - NameCheap, then some company in Germany who dropped the ball.
Source:
- I worked on UC Berkeley’s systems for handling takedown notices for infringing clients (students running BitTorrent in their dorms), we got lots of lectures on our legal duties as employees of CA state institutions
- I worked on how we protect Notion from liability & damage from misbehaving clients to ensure we never had another outage that threatened our main app domain
It usually all goes through the same kinds of process pipeline. Complain about URL to provider, provider sends complaint to you, you remedy complaint, then notify provider. In this case it seems provider totally dropped the ball. It’s a bad look for the agency etc but also I would terminate relationship with the provider who can’t be trusted to be a functioning part of the system, and when you migrate to a new provider make sure you know every link in the chain and have a relationship or trust the link to escalate for you.
Why do you keep ignoring the fact that the report was for fraud and phishing? Sending a DMCA complaint or a copyright or trademark complaint to the registrar might've made sense for the reasons you outline here, but that's not what the complaint was.
Why are you so insistent on running defense for them?
I’m sharing my perspective and experience from working on both the provider side and the website side in the hopes it helps any HN readers building something.
Some things you cannot control - people sending takedowns, provider fuckups. Some things you can control - who your providers are, how you structure your site.
I agree that your biggest fuck-up here is iwantmyname who immediately took down the domain of a long-time, well-renowned customer without even contacting said customer. However, that has no relevance to what I've said or what this discussion is about, which is that Funko's actions (or that of their "brand protection partner") don't align with the stated goal of taking down the specific page.
If I hire an agent, and authorize them to go around acting on my behalf doing all sorts of shitty things in my name, I don't get to say: "sorry it wasn't me, it was the guy I hired to do things in my name".
They willfully and intentionally gave authority to this agent to go around doing dumb shit with that authority.
Unless they're explicitly cutting ties with the partner, it's hard to take what they say seriously. Even if they _did_ unequivocally say that they were cutting ties, it would be hard to be sure they weren't just unhappy they got noticed rather than not wanting them to act like this.
Sort of like when you walk out of a store with a security tagged item that is now your legal property and the alarm system goes off, literally accusing you of being a thief. "Wasn't us. It was those darn computers."
We use "you can outsource operations, but you can't outsource risk". The new DORA regulations out of the EU, regardless of their issues, are at least trying to put a legal framework around "you can't blame a third party and ditch your responsibilities".
Obvious, lit up in neon, lie. It's "we show our customers our value by giving them a report every month on all the 'takedowns' we've delivered", and it's a tiny little step to "we get more reliable takedowns by calling it 'fraud' than a simple 'copyright violation', even though that's a lie and we know it. If we could call it 'child molestation' or 'terrorist funding' and get away with it we'd do that too.".
They, in fact, do represent Funko. If you give someone legal authorization to act as your agent, you can't pretend that they aren't your agent when they act like your agent.
Funko might have beef with their agent, but that is between them and the agent. They still have to deal with the fact that they gave someone permission to do legal things on their behalf, and the someone acting on behalf of Funko caused damage to itch.io.
If a McDonalds employee serves me coffee that scalds me, I go after McDonald's, not the guy who McDonald's hired.
Funko says in the statement that they're dealing with it. They've reached out to itch.io to understand who's doing what, which isn't clear at this point. For example, the company itch.io previously identified as responsible for the domain being taken down has publicly stated - perhaps honestly, perhaps falsely - that they requested a takedown of only the one infringing URL. (https://x.com/BrandShieldltd/status/1866200019335794763)
> For example, the company itch.io previously identified as responsible for the domain being taken down has publicly stated - perhaps honestly, perhaps falsely - that they requested a takedown of only the one infringing URL. (https://x.com/BrandShieldltd/status/1866200019335794763)
They submitted a takedown to the domain registrar. That means they requested a takedown of the whole domain, because the registrar has absolutely zero ability to operate on a URL level of granularity. They can only take down the entire domain.
There are three possibilities here:
1. BrandShield submitted a takedown to the domain registrar knowing exactly what that meant, and is now lying about it, demonstrating that they should not be put in a position of power.
2. BrandShield submitted a takedown to the domain registrar not understanding what that meant, demonstrating a total lack of knowledge and/or level of incompetence that means they should not be put in a position of power.
3. BrandShield did not submit the takedown to the domain registrar at all, some other vendor did, and somehow no one has pointed that out yet.
Obviously #3 is unlikely given their public statements, so let's just say at this point there is absolutely no reason to give BrandShield any benefit of the doubt and their clients should be encouraged to find a vendor that isn't either lying or incompetent.
There's little reason to give BrandShield the benefit of the doubt, but there's plenty of reason for Funko to pause and collect all the right information before making specific statements about what happened.
Remember that there's some specific set of nontechnical people running comms at Funko, and they've probably never heard of a domain registrar before today. At a minimum they have to gather the stories they're hearing from both BrandShield and itch.io, identify who at Funko has the technical background to judge between the two, and convince that person to take time away from her normal responsibilities to evaluate some weird drama she doesn't care about.
Don't get me wrong, I find Funko's products to be overpriced trash that I don't understand why it fills up stores anywhere vaguely related to any kind of fandom, and I wish they would disappear, but that's neither here nor there.
BrandShield on the other hand I believe at this point we can reasonably have the pitchforks out for them and any other companies of their kind. Companies that exist to issue takedown requests, ironically, need to be taken down. Destroy them all. The world is a worse place for their existence.
When the system is riddled with holes, inefficiencies and micro-bureaucracies, and dealing with them is handled by outsourcing, it's incredibly easy to pass the buck around for all involved parties, in an effective game of Keep Away until any moderately frustrated individual simply gives up.
Occam’s razor suggests it’s the rich company that decided to take his website offline yesterday. You know, the only people who don’t seem to like or know what itch even was.
BrandShield has been deleting and rewriting their non-statement deflecting responsibility repeatedly while hiding all the comments calling out their cascade of BS. Here is their current statement blaming iwantmyname and link to the hidden replies:
> We want to address recent reports surrounding a website takedown.
> BrandShield serves as a trusted partner to many brands. Our AI-driven platform detects potential threats and provides analysis, and in this case, an abuse was identified from an @itchio subdomain.
> We identified and reported the infringement, and requested a takedown of the URL in question – not of the entire http://itch.io domain. The temporary takedown of the website was a decision made by the service providers, not BrandShield.
> BrandShield remains committed to supporting our clients by identifying potential digital threats and infringements. We encourage platforms to implement stronger self-regulation systems that prevent such issues from escalating.
Note: they are nonspecific about how the "abuse" was submitted to iwantmyname as "fraud and phishing", not "copyright infringement", so they are covering up their fuckup.
"You as the innocent party should have prevented us from shitting on you. This is really on you.". Like, "if you didn't want to get hit by a car you shouldn't have been walking on the sidewalk".
If to that page, the request should have gone to the owner of the site (through eg whois) and not to the owner of .io.
Time for Funko to reconsider their use of BrandShield
This is a non-answer without content. They fucked up because their legal department used third parties they didn't have under control and who harass people that aren't involved in this in their stead.
Until they clean up their shit, the Funko copyright mafia should pay with PR goodwill until they apologized and reimbursed the damaged parties. Everyone profits if companies like AI brand protectors suffer for it as a side effect.
If that were true, they wouldn't make such a partnership. Such companies exist merely to launder the bad reputation that accumulates from this kind of behaviour. It is right and proper that any company that engages firms like that should face reputational damage, if not for moral reasons, then to correct the incentive structures.
In high school I got pulled over for speeding. The cop lectured me then told me he was calling my mom. I think his plan was to get me in trouble at home then send me off with a warning. I don’t think I laughed at the suggestion but I knew what was going to happen.
He attempted to lecture her about what her son was doing but her only response was something like “ok, why are you calling me?” I think she may have also admonished him for wasting her time on the morning of a workday. He came back red faced but I’m not sure it was anger or embarrassment. Either way I got a ticket.
I mean, there is a reading here where the cop - though self-righteous - was trying to avoid you getting a ticket, which for some (if not most?) people is a worse outcome than having their time wasted.
Yes it’s obvious what he was doing but let’s not pretend it was generous. He had his own idea of justice but it relied on everyone playing along. When he didn’t get his way I got the punishment he could control.
Santa doesn't exist. I have the lawsuit to prove it.
I sued my parents with the help of BrandShield because they lied to me, and the fact that my younger self was naive enough to believe a lie (provably! my parents have video evidence of my being excited after they told me he was coming to visit) is damaging to my brand: If I could believe a lie, then my followers might believe that my cryptocurrency predictions could be based on false information.
(most of the above is fantasy that amused me to create)
At this point, imagemagick and ffmpeg will be taken down due to copyright since there are cloud servers who trademarked converting from a file type to another.
Similar to Stross' Accelerando (a book released just after the Napster era), where Russian mafia legal bots went around suing everyone for whatever reason they could get their hands on.
Ironically, people doing this en masse would probably force some attention from those with power and might cause the scales to be a little more balanced. One can dream I guess.
You don't even need a company, just pretending that you represent one is enough.
The DMCA completely ignores how the digital world works; it was written in an age where interacting with the American legal system required you to have somebody physically located in the US.
Back then, you didn't need any technical safeguards against this kind of abuse. As long as such abuse was illegal, and there were police to arrest those committing the crimes, it was enough. In technical terms, the security was implemented on a completely different layer of the stack.
This is no longer the world we live in. There's nothing stopping somebody from e.g. Russia from pretending they're a relevant copyright agent, and forcing Youtube to remove anti-Putin videos.
Funny thing is it didn't have to be Funko or Brain Shield, anyone could have impersonated them in a takedown notice, it could have been a way more bogus notice too by the looks of it.
It's definitely the registrar who's at fault here.
They meant “made a business out of converting files between formats”, I.e. those “mp4 to mov” sites. Supposedly they’d be on the hook for converting copyrighted content, in this Funko world where basically touching their IP in some user-done way torches the whole business.
> It’s so wrong that it makes me wonder “does this person understand anything at all about the bare fundamentals of intellectual property?”
You really don’t have to assume the worst or attack them for using the wrong word here.
Given that three of the four kinds of intellectual property are mentioned (and simultaneously conflated) in one statement, I think the author was trying for a satirical statement about intellectual property... but this falls hard into Poe's Law territory, I just can't tell if it was meant to be satire or if it was actually an honest belief.
Why is no one talking about the registrar actually accepting, without verification, the takedown request? It seems much worse than Funko filing the request.
They probably wouldn't have for a DMCA complaint, but for _fraud_, frivolous complaints are rarer, and the consequences of _not_ acting promptly are potentially more serious.
I suspect as the flow of 'AI'-powered 'brand management' spam grows, registrars will stop taking fraud complaints at all seriously, and the internet will get a little worse (because there certainly are legitimate cases).
About 5 or 6 days ago, I received these reports on our host (Linode) and from our registrar (iwantmyname). I expressed my disappointment in my responses to both of them but told them I had removed the page and disabled the account. Linode confirmed and closed the case. iwantmyname never responded. This evening, I got a downtime alert, and while debugging, I noticed that the domain status had been set to "serverHold" on iwantmyname's domain panel. We have no other abuse reports from iwantmyname other than this one. I'm assuming no one on their end "closed" the ticket, so it went into an automatic system to disable the domain after some number of days.
> for _fraud_, frivolous complaints are rarer
Yet, there is no liability shield for fraud allegations. The registrar is liable for all damages due to this downtime, which they wouldn't have been for a DMCA complaint.
Exactly this! This is common. Corporations are afraid only and exclusively of lawsuits from other corporations or the government. They would literally prefer to do something unethical or even break the law (including constitutional law) as long as they avoid lawsuits from major players. The customer and the well-being of individuals do not matter.
They fucking suck too, I miss when the collectibles shelf at game stores was filled with a bunch of cool looking action figures, now it's a wall of funko pops and maybe 10 non funko figures somewhere else.
Because the post said "Funko called my mom" and it sounded like someone's internet alias. I guess that was more believable than the company doing it, which speaks for itself.
Kinda funny that they're doing this over "brand protection" when their entire "brand" is just regurgitating worse versions of existing brands' characters.
It wouldn't surprise me if "takedown requests" and "debt collection" services merged into the same companies. Both try to threaten and scare their targets. Both usually won't follow through on their threats when ignored. Both take a shotgun approach of targeting a lot of people, hoping at least a few give in.
itch.io is over 10 years old, so my guess is that the owner was living with his parents when he registered the domain, and he never bothered updating the WHOIS when he presumably moved out in the intervening decade
Sorry for the off-topic, but why do people want to share twitter.com links when it's already changed to x.com? When I click those links, it's redirected anyway... It's just wasted time and for nothing, isn't it?
One of the most glaringly broken things about society is that abuse of power is not punished harshly enough. We need Finnish speeding ticket style systems across the board.
> One of the most glaringly broken things about society is that abuse of power is not punished harshly enough.
Maybe it's just me getting older but it seems like this has always been true across cultures and history. People like to believe that once they get power, they will act differently than the ones who came before. But in the overwhelming majority of cases, they end up being just like the people they replaced, if not worse.
Every once in a while you get an exception but that's why we remember those people - because they were the exception.
It's why I think the lottocracy people might have a point. Rocketing people from zero to power keeps you from experiencing the traumas associated with attaining or being given success and keeps your ego to a minimum because you know you literally did nothing to deserve it.
We actually have that, called "civil grand juries", but they don't do very much. It'd work a lot better than the current urban planning system, which is hearings where only retirees with a lot of free time who are opposed to the project show up.
I think the fundamental problem with the current political systems is that they combine two completely different things into one office that should really be separate. Namely what a politician promises to achieve and how they intend to achieve it.
This can cause the actual result of policies to be wildly different from the claimed intended outcome. We’ve seen plenty of examples of this in the past, e.g. claim that you want to make sure everyone will be better off by lowering taxes for the rich (trickle down economics), which of course had the exact opposite effect.
This can be completely malicious, i.e. claim that your proposed policy will have outcome X while knowing it will have outcome Y. It can also be due to flawed ideology, i.e. your policy is based on your idea how the world should work instead of how it actually does work. Or it can be sheer incompetence.
What I would like to see is a system where the goal and the method of achieving it are separated from each other: a democratic technocracy. In this system politicians would only set the intended outcomes, and their relative priorities (in cases where policies would affect different intended outcomes in opposite directions). Then, government workers would decide the policies that would result in the desired outcomes (based on science, evidence based methods, etc.) They would be normal unelected workers subject to performance reviews (did their policies result in the intended outcome) and positions should be completely merit-based.
That way politicians have to be honest about what they want to achieve, people have a clearer idea what they are actually voting for and there is a system in place that will try to achieve those outcomes based on what actually works.
> because you know you literally did nothing to deserve it.
This greatly underestimates the level of vanity. Look only at the number of people who inherited their wealth, or received substantial financial support, yet still consider themselves self-made. I would also expect this to concentrate deistic thinking as people with a religious mindset will see being chosen as God's will and use the gained power to reinforce that.
I don't think I'd want to live in a country governed by the Dunning-Kruger effect. (Or maybe I already do?)
That's a problem of the Rules for Rulers. You think once you rule you have power, but unless you are literally Goku, you don't have power if nobody follows your orders.
> People like to believe that once they get power, they will act differently than the ones who came before. But in the overwhelming majority of cases, they end up being just like the people they replaced, if not worse.
I just re-listened to "Machine"[0] by the Violent Femmes because I wanted to subject a work colleague to it because he mentioned Blister in the Sun.
I suspect that BrandShield is about to discover how much a lost day of sales costs Itch.io, plus some punitive damages thrown in.
Then they are about to discover that IP properties don't want to be associated with companies that get them involved in public lawsuits on the wrong side of their fandoms.
> According to the cybernetician, the purpose of a system is what it does. This is a basic dictum. It stands for bald fact, which makes a better starting point in seeking understanding than the familiar attributions of good intention, prejudices about expectations, moral judgment, or sheer ignorance of circumstances. - Stafford Beer
If a system prioritizes copyright claims from the largest firms as casus belli against independent creators, and there are no attempts to reform such system and no recourse for independent creators, then we can only conclude such criminal negligence as intention, formalized within the priorities encoded within such a system.
I just saw this a few days ago with Youtube channel Esoterica, which had a 10-second public domain recording of Chopin which was falsely flagged as copyright infringement. Dr. James Justin Sledge of Esoterica, despite having fair use of the clip, ended up commissioning an artist with an original recording (complete with unique changes to the public domain work) to avoid any confusion, but still got a takedown from UMG's copyright AI. As with any law, if public domain fair use isn't enforced, and to contest it is prohibitively expensive (as legal battles are often wars of attrition), then the public domain is useless, and major firms such as UMG can just function as feudal lords demanding the proceeds of any tenant peasant's work. As economist Yanis Varoufakis says, capitalism has been subsumed by techno-feudalism.
As an American the most surprising thing about the reaction to the CEO being killed is supposedly the system is bad enough where killing people is okay but I don't know many people who vote in primary elections or care about local elections (which are where many people have the most influence on the system) and I also know some people who didn't even vote in the general election.
To be clear: This isn't me saying we shouldn't kill CEOs, this is me saying I think more people should vote in primaries and also try to make change on a local level
You probably should be saying that. As you point out, people haven't really exhausted the reasonable recourses so there is no reason to resort to unreasonable ones. Gunning people down on the street to exercise political pressure is barbaric and intolerable.
I think the political pipeline is too slow for local activism to meaningfully impact state and national politics. People want to see change now, or at least progress in a 1-2 year timeframe.
Be careful extrapolating from what you see on social media or—even worse—from news outlets' coverage of social media content. Social media is not representative of the real world, and the news media isn't incentivized to accurately describe the reactions on social media, so taking news stories about social media reactions is seeing the world through two bad filters, both of which will tend to exaggerate extremes.
Not two bad filters, just one. The mainstream media is not acknowledging what is going on in social media. One is a vox that can be target of suggestion, the other is outright instruction. So mainstream media will never be a good indicator of what people think and social media sometimes can be. It's important to ask: "who would feel the assassination is bad? Why would they feel that way? Who would share those principles?" I think the answers at the end point towards the assassination being a popular act. That should be raising hairs.
I would hazard a guess that most Americans or someone they know have had a negative brush with healthcare, and that CEO was an ideal personification of the cause of their troubles, so the social media picture is probably not that far from reality.
Because of the breakdown where insurance companies have separate per-state operations with varying amounts of independence, it’s hard to come by agreeable numbers on who is largest, but UHG covers about 50 million people, and depending on if you lump all of the blue cross umbrella or not, UHG is either the #1 or #2 largest health insurer in the country.
> most Americans or someone they know have had a negative brush with healthcare
This can be much more specific, most Americans or someone they know have probably had a negative brush with United Healthcare specifically. (they also have the highest rate of claims denials of any of the insurers)
Have you really not talked to anybody in real life about this? This is a case where the online reaction matches IRL. I've never seen such universal adulation across the spectrum. Everybody in the USA's been fucked, knows someone who's been fucked, or has lived in fear of being fucked by health insurance. It's as bad as it's ever been, and it's certainly not getting better with the Oompa-Loompa grifter in office.
I'd just like to point out, in case GP sees it, that no one here is advocating murder and that their comment wasn't flagged by advocates of murder.
It was an inflammatory comment that broke the guidelines, so it got flagged. I didn't personally flag it, but I would've for that reason. That's all there is to it.
If you don't feel like your relationship with HN is healthy or helpful for you, that's perfectly understandable, I have had to take many breaks from HN. But no, this community is not, by and large, pro murder. Occasionally there will be an unhinged troll literally calling for murder, but it's rare and I suspect most of it comes from a single individual (based on a hunch about writing style).
Well it’s obviously not hilarious in a „haha funny“ kind of way. It’s hilarious in a „I can’t believe this is real life“ kind of way. It’s a headline you’d expect to read on The Onion.
https://news.ycombinator.com/item?id=42363727 - Itch.io Taken Down by Funko (15 hours ago)