Hacker News new | past | comments | ask | show | jobs | submit login
CipherCloud used DMCA Takedown on StackExchange discussion of their cryptography (stackexchange.com)
249 points by rdl on Apr 20, 2013 | hide | past | web | favorite | 81 comments

What's interesting is that there is a whole ecosystem of companies like CipherCloud that do the minimum required to provide solutions for those interested in "compliance," not "security."

My sense has been that their customers are predominately those bound by things like HIPPA or PCI, who want to use cloud services, but can't do it with a straight face unless they can say they're "encrypting" their data.

What their customers want isn't security; it's the minimum required that will allow them to use salesforce.com. Incriminating details on StackExchange aren't a problem because their customers don't already know CipherCloud is insecure, they're a problem because it would make it harder for customers to say they're in compliance with a straight face.

I've mirrored Emil Vokstrom's mirror[1] here[2] and I encourage HNers outside of the US to do the same and post here.

[1] - http://lajm.eu/emil/dump/ciphercloud-security.html

[2] - http://securitybookreviews.eu/ciphercloud/

Mirror of Google's webcache, including images:


I've mirrored everything I can find[0].

[0] http://scala.sh/ciphercloud/

Is it really that simple? Or is it that crypto is difficult and buyers have no knowledge and thus are wide open for people selling snake-oil?

It can be both. There are going to be companies that are serious about actually protecting their customers (but don't have the technical know-how to be an informed customer), and there are companies that see these laws/rules (PCI, HIPPA) as hindrances to cast aside with the least possible effort.

On some level, the fact that compliance regulations exist is an indication that security is not a priority for many of the entities that it applies to.

Certainly snake-oil is a problem, but I think this particular area is one where buyers are most concerned about being able to effectively claim that they made what seemed like reasonable efforts.

For reference, it's HIPAA not HIPPA. Common mistake.

I think "used" needs be replaced with the word "abused". It's appropriate here.

With no penalty for false DMCA claims, it's a "stop us if you can" mentality.

The real reason may have been the conclusion that "Ciphercloud is NOT doing homomorphic encryption" ?

(but google cache still works)

The penalty for materially misrepresenting a DMCA claim is actual damages plus costs and attorney fees. That's automatic, written into the bill, unlike many other torts/crimes where you need exceptional circumstances to get attorneys fees in addition to the damages.

Except that 512(f) of DMCA is practically unenforceable [1], since the standard is to prove that they "knowingly materially" misrepresented:

[1] http://blog.ericgoldman.org/archives/2013/04/another_512f_cl...

So, it's not practically unenforceable. The case Eric is citing appears to be a case where Someone has an actual good faith but unreasonable belief that they have a cause of action.

That eliminates the "knowingly" part. A lot of DMCA claims, including the one in the OP, are being filed by lawyers or companies who will have a much harder time showing they have a good faith but unreasonable belief. They are basically going to have to argue they are idiots. The second you can show bad faith, i have trouble believing (and I don't know of any cases where ..) a court would not impute knowledge.

Basically, you want them to have to consider your affirmative defenses (which is what fair use is). While i don't necessarily disagree, to be fair, this would be wholly inconsistent with almost every other area of law.

For example, if i file a negligence claim against you, you bear the burden of proving any affirmative defense to my claim, such as assumption of risk. I don't have to consider it at all when I file my claim, and if you don't prove your defense, i win. This is true no matter how valid your defense may be.

But what are the 'actual damages' in this case, it would be hard to argue a monetary damage to Stack Exchange. So the most you could 'win' from CipherCloud for their abuse would be your legal costs. Hard to justify taking that action.

Yes, you would get some nominal damages, plus any actual loss you could prove (IE the money of the people who spent time processing your DMCA request, plus how much you would have earned from ads on the post) or, and if they did it repeatedly, you may get something more (Punitive damages are rare in contract law, but possible).

Look, as much as I don't like it, this is a tradeoff. On one side, you have the fact that websites like this would normally be liable for everything they publish. DMCA says "we'll fix that for you", the cost being "if you want safe harbor, and someone with a good faith belief sends a takedown notice, you honor it".

If StackExchange really believed the material was non-infringing, they could always ignore the DMCA takedown, and force CipherCloud to sue them. They didn't choose to take that risk. Newspapers have the same issue, FWIW: They get threatened all the time by bad actors (and not just for defamation of public figures, which the are mostly protected from). They just often choose to take the risk and force bad actors to sue them.

It's not at all clear what you think the solution is. If you institute harsh penalties for filing "bad" DMCA requests, all that would happen would be large numbers of lawsuits over DMCA requests, bad or good, because it would likely be profitable. You really think torrentfreak/isohunt/et al wouldn't just start filing suits over every single DMCA request they receive? What do they have to lose? They wouldn't have to win many suits to make money off it.

If you have a good solution, i'd love to hear it :)

I realize how odd this sounds, and i really do hate the way content companies/et al abuse the DMCA process, but one doesn't need to look very hard at history to see what lawyers in general will do if you make it profitable (see the history of rule 11 sanctions, particularly, the period from 1983 to 1993, or you know, recent prop 65 litigation, resulting in everything in the world having "the state of California believes this may cause cancer" labels on it ).

>You really think torrentfreak/isohunt/et al wouldn't just start filing suits over every single DMCA request they receive? What do they have to lose?

Money? Time? It wouldn't make any sense for them to litigate the cases they would obviously lose when they could choose the subset of cases where the take down issuer clearly has no copyright in the material in question -- which is the whole idea.

You're also giving the money to the wrong party. It doesn't make any sense to give YouTube or Tumblr the right to sue for bad take downs, if they thought they were bad they could just not execute them. The right for redress should be for the user who posted the material, not the intermediary. Which solves your problem with torrent sites filing frivolous claims. Do you honestly think release groups are going to get into the business of filing frivolous lawsuits against content owners? As soon as they identified themselves and consented to jurisdiction they would be counter-sued for infringement or arrested.

You're not following his reasoning to its conclusion. The people who run Isohunt surely don't want to spend their time writing court filings. But they'd be sitting on top of a mountain of potential claims, which would prove lucrative if even a tiny percentage resulted in damages. Unscrupulous law firms would notice and send Isohunt offers; at some point, it would become irrational of Isohunt not to accept one of them.

Isohunt is the intermediary. If they don't like a takedown notice then they can just not execute it; they don't need any redress from the courts. The plaintiffs with standing should be the end users who posted the material that was removed.

>But they'd be sitting on top of a mountain of potential claims, which would prove lucrative if even a tiny percentage resulted in damages.

Setting aside that Isohunt is the wrong party, yes, there are a mountain of take downs from which some small percentage should result in damages. But you can identify those cases ahead of time -- you know perfectly well you aren't going to win a case where you posted Fast & Furious 6 to Isohunt and Universal Studios issued a take down for it, there is no point in even trying. And if you do try then you're effectively admitting your own liability for copyright infringement when you have to assert you posted that material in order to get standing to sue.

The cases lawyers will want to take are the ones they think they can win -- and as long as they're right, that's what they're supposed to do. That's the whole idea.

Are you arguing that the situations where the take down is in a grey area (e.g. fair use) will create too much litigation? I don't really see that happening. On the one hand, the existence of penalties would create a disincentive for copyright holders to wantonly issue take downs in questionable cases, and if there was no take down then there is nothing to litigate. Then, in the consequently much reduced number of edge cases, in order to claim a take down was fraudulent a plaintiff would have to admit in court to posting the material and thus to liability for copyright infringement if the take down was legitimate.

Right. Think of prenda law, just on the other side. It still wouldn't be a good thing, even if we happen to like the targets.

Oh I don't have a solution, was just pointing out how the penalties for DMCA abuses end up not being enforced. I actually agree that DMCA takedown notices are surprisingly efficient.

The outrageous thing is that even though this is a very clear-cut case of abuse you are probably right.

So years later you can get content restored?

Are there lawyers who will take on cases for consignment only?

It's a calculation that little people will not be able to take on the big people.

This is why corporations have zero fear of incorrectly killing individual content on youtube, little chance of penalty and they can smother any attempt to fight them.

> So years later you can get content restored?

Nope, all you are supposed to have to do to get the content restored is submit a counter-notice. And it should be back in two weeks, not years.

But you can be sued by the rightsholder for posting infringing material.

The DMCA is really about protecting the ISP/host. The ISP can't be sued for hosting your infringing material -- so long as they take it down when receiving a takedown notice; and even when they put it back up after receiving the counter-notice from the original poster.

But YOU (the poster) can still be sued.

I am not sure how often ISPs/hosts have clearly identified counter-notice procedures, but that's the way the law is written.

See for some further explanation: http://www.dmlp.org/legal-guide/responding-dmca-takedown-not...

Not years. It's back up ~10 business days after you file a counternotice or the service provider loses their safe harbor. The DMCA is designed so that disputed content is not taken down permanently without an actual injunction signed by a judge.

YouTube is not responding to DMCA notices, it's given media companies direct access to take down content through their own system, and it can do this because it has no obligation to host your material for free in the first place, infringing or not.

But surely neither is Stackexchange obliged to host any discussions online. So this content may never reappear - counterfiling or not.

That's not how it works. If StackExchange wants safe harbor from being sued itself, it must put the content back online if it receives a counternotice. YouTube doesn't have this problem because it's not receiving DMCA notices in the first place. One can't send a counternotice when there was never a notice to begin with. Since Google gives all the major media companies direct access to their system, they don't have to use the DMCA process to remove content from the site.

Sure it is. Upon receiving the counternotice, StackExchange can just say "OK, we're no longer have the question offline because of the DMCA notice; as a separate matter we have decided that we decline to host this question". To believe otherwise would be to believe that a DMCA notice and counternotice somehow privileges the subject content above all other content on the site.

But it does privilege that content above all other if the service provider wants the liability protection. You either treat that content specially or you are open to being sued for having hosted it before you took it down. To meet the requirements of the act, they must actually "replace the removed material and cease disabling access to it" (H.R.2281 Sec. 501(g)(2)(C)). Doing what you said would fail to meet that, as would some kind of "it was available for a split second but you didn't see it" prank. Real judges don't take kindly to trying to weasel around the intent of a law.

Just like in many states you can fire an employee for no reason but you can't fire them for a discriminatory reason, you are in violation if you take down the content from the notice despite the counter.

OK, that makes sense (in a twisted way). But then, aren't Google and the media businesses balancing on the edge of something very nasty here? They have effectively made their own legal system alongside the real one. I'm not entirely sure how the US legal system works, but it sounds like something an EU court could strike down on.

This will only ever be enforced in the case of someone sending a request under a false name.

Anything else is impossible to prove

A lawyer sending a 'copyright' claim over a trademark dispute (for example) would have to argue that they are an idiot about the law (I would think).

no, but someone contesting this would have to prove that the original request was ill intentioned. which is pretty much impossible to prove.

Using the same example, if it's a lawyer that sends a bogus takedown notice (at least in clear-cut cases), you could always notify the relevant bar association to look into the idea that this person might be unfit to practice law in that area (either too stupid of the law to be allowed to practice, or abusing it and needs to be stopped).

Note that the answer below the question contains this link to the Google cache of the original article that was taken down:


There doesn't seem to be anything in there that looks like an infringement of anyone's copyright.

Aren't DMCA takedowns required, under penalty of perjury, to assert a non-frivolous copyright claim? Is there any recourse for what appears to be clear abuses of the DMCA?

There is recourse against truly false claims made in bad faith, but it's not the penalty of perjury part. All you swear under penalty of perjury is that you are authorized to act on behalf of the owner of some copyright allegedly infringed (i.e. you're not filing a claim about someone else's work).

Here's the actual recourse created by the bill:

> (f) MISREPRESENTATIONS- Any person who knowingly materially misrepresents under this section-- (1) that material or activity is infringing, or (2) that material or activity was removed or disabled by mistake or misidentification, shall be liable for any damages, including costs and attorneys' fees, incurred by the alleged infringer, by any copyright owner or copyright owner's authorized licensee, or by a service provider, who is injured by such misrepresentation, as the result of the service provider relying upon such misrepresentation in removing or disabling access to the material or activity claimed to be infringing, or in replacing the removed material or ceasing to disable access to it.


Note that the EFF is trying to prosecute a case over this clause [1]. IANAL, but it seems to be hard to hold someone responsible for a bad DMCA notice unless they specifically knew that it was bad (rather than merely being sloppy and sending notices without adequately considering fair use). Whether that is the case for this notice could theoretically be found out through discovery.

[1] https://www.eff.org/cases/lenz-v-universal

Their likely justification is the use of those image snippets which appear to come from their manual. Realistically, those small captures represent fair use (though I am not a lawyer so can't speak legally).

I assume it would fall under commentary[1], esp. as it's one a single image and it has literally been written over to show the material that the comment is referencing.

[1] http://fairuse.stanford.edu/Copyright_and_Fair_Use_Overview/...

I don't think it's on copyright grounds, I think it's on circumvention grounds.

The DMCA notice/counternotice system is only about copyright infringement. They wouldn't get one for the circumvention prohibitions; or if they did, it would be an illegal use of those notices.

Good point.

If something can be destroyed by the truth, then it should be.

If a crypto company abuses DMCA to fight this, then they deserve the Streisand effect. You should send the materials to someone in a free country where DMCA doesn't apply and speech is still free, and they can host the documents and discussion.

I haven't seen the DMCA notice. I think the screenshots are the things being DMCAd. If so, they clearly fall under fair use.

Someone should issue a counter notice. And get them put back up.

What's interesting to me is what happens if StackExchange put these back up, and then the cryptocompany sends a DMCA to SE's hosts.

Isn't it the same thing then? Just send a counter-notice to SE's hosts?

Of course, that doesn't stop all of Stack Exchage from being down for "10 business days" in the meantime. Should be interesting to see the public response to that if it actually happens.

Now let the Streisand effect do its work...

(I made a snapshot of the page from Google's cache only to discover that at least two others used the very same service within the last hour to do exactly the same...and there are a few services to snapshot web pages.)

Here's one. DMCA claim is bullshit. This is fair use: http://static.rubbingalcoholic.com/images/temp/ciphercloud.p...

Google cache of question in...question (lol): http://webcache.googleusercontent.com/search?q=cache:FYBbAFU...

That looks really horrible and I am somewhat tempted to write and publish a GreaseMonkey script that does bad things to CipherCloud protected pages...

Why would you (or anyone) deliberately try to hurt a company? Just because their tech is not 'on par'? Please think about how it would hurt that company and the employees (and their families!).

Why would a company (deliberately) try to sell a false sense of security to anyone whose knowledge of cryptography is not 'on par'? Please think about how it might hurt these customers and their employees (and their families!).

It's not about deliberately hurting a company; if it's possible to make such a script, it will be made. Period.

The question is: do you want the script publicly available, or in the hands of your adversaries without anyone knowing? There's a third alternative: fix the problem.

Fraudster companies SHOULD be hurt. And their employees should have been the ones that bring this to light - otherwise, they are accomplices and deserve whatever they get.

Exposing charlatans is commonly accepted. Elsewhere in the thread it was implied they hold peoples medical data (hipaa).

I guess it's not about hurting a company but about hurting fraudsters. Their tech isn't "not on par" - it's pure nonsense and they know it.

So they use AES as a building block of substitution cipher?

One would think that if something is insecure anyway they could at least make it efficient.

Putting the merits of their technology aside, I've had numerous unpleasant experiences working with the CipherCloud Founders as both a Salesforce Partner and Customer. They use fear tactics to scare prospects into believing a) their data is unsafe in the cloud and b) their competition uses inferior encryption algorithms.

This DMCA takedown is unfortunately just another of their "just try and stop us" tactics.

In a situation like this, who files the counter-claim(s) to get the content restored?

I would SE as an organization cannot, as they are the safe harbor in this case, but it sounds like the takedown notice wasn't specific enough for the relevant users to know what they can leave up. Does each user involved need to counter-claim so that SE can put the question and answers back up? Can one user claim that nothing on the site was infringing and have that be enough to protect SE?

When a company does something like this, whether or not the claims/criticisms are actually true, their actions tacitly imply that they believe that the claims are true. In other words, terrible PR/technical brand management.

The original question and answers has been put back up, without the CipherCloud screenshots.


We should start a collection of these kinds of stories as case studies in why laws allowing any entity to legally compel removal of content are ripe for abuse.

DMCA as a law isn't even that ridiculous or reprehensible; it mostly offers protection for websites that have user-submitted content. And yet here we are.

The damages clause needs to be strengthened if we wish to continue having free speech on the internet.

EFF has a collection of DMCA abuses: https://www.eff.org/takedowns

Now stackexchange forwarded the DMCA notice to the involved users. http://meta.crypto.stackexchange.com/q/250/180

CipherCloud claim copyright infringement on the three images used to evidence the posts.

They also claim that certain statements in the posts are false, misleading defaming. While some statements look indeed wrong, others (in particular the determinism claim) are clearly evidenced in screenshots. They hint that their actual product might use different encryption from the demo video.

Before takedown: http://imgur.com/8r9cDxS

More comments are on the duplicate (now dead) submission [1].

[1] https://news.ycombinator.com/item?id=5579615

Freedom of speech must include that random company x cannot take down your internet discussion using some strange acronym as an excuse.

Encryption and security does usually not get any better by pretending its secure and not letting anyone dig around the solution.

Encryption and security does usually not get any better by pretending its secure and not letting anyone dig around the solution.

Indeed. Schneier has some excellent discussion on this topic, singling out closed source encryption as always eventually being cracked, and the security world's consideration of open source as a pre-requisite for security:


I've never understood how anyone with at least an ounce of intelligence can claim that something is more secure just because it's closed source.

DMCA'd CipherCloud discussion on stackexchange online again (minus images). The Copyright part of the notice only covered the images and stackexchange apparently didn't consider the text part of the posts a ToS violation.

I expanded my analysis, but you'll need to check the original material for evidence since the embedded images were subject to the notice.


Situations like this really highlight how out of step the DMCA is with peoples' right to free speech and fair use. DMCA takedowns put too much compliance burden on individuals who are unaware of or intimidated by the counter-notice process.

At the very least, there should be more stringent requirements for legitimate takedown claims and stricter penalties for abusing the process.

I wonder if doing something similar to Ciphercloud, using a homomorphic encryption library like libScarab[0], would actually make it secure. I guess I still don't understand what Ciphercloud does.

[0] https://hcrypt.com/scarab-library/

FHE is far too slow for any practical use. In a few more years, things might be different, but for now anyone marketing a practical FHE solution is probably lying.

I'm still trying to find performance numbers that prove it impractical. Otherwise, it just sounds like a problem that could be mitigated by clustering.

Here are some results from a research team that has been on the forefront of FHE implementations; note that this has been improved on significantly since last August, but you are still looking at minutes of computation for relatively small functions:


Also, throwing "clustering" at every problem is misguided. Not all problems are easily parallelized:


Don't forget Amdahl's law and Gustafson's law on the limits of parallelizing when the problem isn't P-complete. Either way, I disagree with your conclusion that it is misguided.

Just have someone put it on wikileaks?

Or snapshots in a torrent file...


Has a version from Apr 12, 2013 15:33:47 GMT.

So wrong answers (assuming they're wrong) and speculation are now speech that can legally be suppressed? You can't say anything that's wrong or a guess?

Did CipherCloud get Google's permission to use the GMail logo on their website?

Or Microsoft's permission to use the MS Office 365 logo?

Just listen to Cryptography I in coursera.

Never ever, use your own algorithm for encryption. Always use tried, tested and known algos. And don't even change it one bit (literally!).

Only the key remains secret.

long story short, stackexchange didn't want to lose a potential ad sale. It's not good for their business to have users question products advertised on stackexchange network.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact