They even clearly state they used the only tool available to them, DCMA. From all the current summaries on this, DMCA does not apply to a line entry in easylist. A domain can be trademarked.
This should be added back in. And if github cannot standup to DMCA abuse, then well, easylist and all other developers should be giving a clear hard though to their continued use of the github platform.
So, they made a github account the same day they made the "request" with an account that in no way indicates where the request is coming from? The github profile bio reads "Help all parties understand and resolve DMCA issues efficiently and effectively to minimize file and repository impacts."
Perhaps they should have used a bit more transparency when asking for the offending url to be removed from the repo, instead of acting like a spammy copyright boogyman, then immediately resorting to a dubious DMCA takedown request.
It may not be a bad idea to report this user via GitHub's "block or report" feature when viewing that account: https://github.com/dmcahelper
That type of behavior can only be bad for open source software. Threats like "to minimize file and repository impacts" are going to push more folks toward private repositories if they don't understand that it's not an actual authority pressing them into making changes on a given platform.
Additionaly, this account is borderline with regards to GitHub's TOS¹: “While using GitHub, you agree that you will not under any circumstances: […] impersonate any person or entity, including any of our employees or representatives, including through false association with GitHub, or by fraudulently misrepresenting your identity or site's purpose”. They haven't explicitly impersonated GitHub, but I bet I'm not the only one to have wondered for a few seconds whether this was an official GitHub account or not and I'd hardly believe this wasn't intended.
I just filled a complaint, they have a "report this use" link. Took only a minute, whatever it takes to keep people from abusing people and collaboration, especially using the ugly DMCA hammer.
Agreed. I just reported that account (https://github.com/dmcahelper) for submitting spurious DMCA takedown requests. GitHub personnel responded promptly:
Hi Justin,
Thanks for writing in. We're looking at the account.
All best,
(GitHub employee name redacted)
GitHub is listening. Please consider reporting this account, which can be done via the link above. Look for Block or report user link under the user description at left.
How does that non-response (the same one they pasted to me) give you the impression they're listening? For one, they have done nothing to address the issue of flagrant DMCA abuse. For two, the account is still active. For three, the commit hasn't been reverted.
This is not the first time this has happened.[0] GitHub's response has been woefully inadequate and OSS maintainers should consider using another platform. Everyone using GitHub is vulnerable to suddenly and arbitrarily losing their repository.
The beauty of git and similar DVCS's is that you essentially can't lose the repository. You can only lose the github namespace for that repository. And using a different platform has the same effect. If you are worried about losing the Github namespace for the repository then moving to a different platform doesn't seem like a solution.
issues, pull requests, deploy keys, access control. None of those the repository. They are associated with the repository and it would be annoying to lose them But with the exception of the issues all of them are replaceable with mostly minimal effort unless you did something really wrong.
And again switching to a different platform doesn't solve that problem either. You'd still lose the issues that are in github.
I wonder if folks could get sneaky and change the design from a literal url to a regular expression tailored to single out that url but would also include additional sites that are just gibberish and could be relaxed if useful sites ever do fall into the URL overlap. This might be a new line of research to craft regExs to filter out a specific string while also throwing out a bunch of sister gibberish strings that would be unlikely to be adopted simply by virtue of language.
If it turns out that this type of DMCA use is legally valid, adblockers could be modified to reject pages that embed URLs that have filed such requests.
So if a particular site uses admiral to protect its ads, it loses traffic.
users of your list will not get this. And will stop using your list. This ending up not serving your purpose nor theirs.
For instance, let me go out on a limb and point out how some distros of linux insist on shipping without any non-free software. So, a user ends up having to go through hoops to just get an audio of video file playing. I think the analogy Im going for is, you don't want to play by our rules (our license, etc), we'll not use your software (or correspondingly block your site).
I'm trying to point out what I think is likely consequence of such an action
> users of your list will not get this. And will stop using your list.
I don't think that's universally true. For me, if a site is broken because blocking ads also makes the content inaccessible, I just close the browser tab and move on with my day. (For a while the LA Times was blocking content in this way, so I just refused to visit their site. I guess it worked; they don't do this anymore.)
I don't claim to be the common case, but frankly I don't know what the common case is, and I suspect you don't either, so it could go either way.
You're definitely right. Our ability to ignore our ideals when we're slightly inconvenienced is why content paired with invasive ads is so effective in the first place.
> users of your list will not get this. And will stop using your list. This ending up not serving your purpose nor theirs.
I disagree. Users use adblock lists to protect themselves. This company has proven that they are actively hostile to users. Blocking their entire site, all of their domains, etc, is a sensible precaution for users to take. I have no doubt that this company serves JavaScript (i.e. executable code) that serves their purposes, not users'. And any other sites that insist on using their services are also hostile to users, and blocking them is sensible as well.
If some users just have to see that site, they can either find another list (who cares, no one's doing this for Internet Points), or they can click the "Add Exception" button.
We need not submit ourselves to be effectively held hostage by hostile content providers. It's just content.
> Many GNU/Linux distributions do not contain libdvdcss (for example, Debian, Fedora, SUSE Linux, and Ubuntu) due to fears of running afoul of DMCA-style laws, but they often provide the tools to let the user install it themselves. For example, it used to be available in Ubuntu through Medibuntu, which is no longer available.
You probably did not understand the issue. The domain in question is a part of a copyrigth protection scheme. Blocking access to it is a circumvention of copyright protection scheme and it is illegal under DMCA. No, you cannot block hosts that are a part of a copyright protection scheme and you cannot distribute the software that does that.
How you block the domain - with a simple string or an automatically trained neural network - doesn't matter.
I can block anything I like. And I can do whatever I like to help others do that. And I'll make sure that nobody can stop me, or them, or threaten me about it.
> The domain in question is a part of a copyrigth protection scheme. Blocking access to it is a circumvention of copyright protection scheme and it is illegal under DMCA.
You're asserting things to be true that are very much in question, and the assertion borders on the absurd.
Is it also a DMCA violation to add firewall rules to ones own network equipment?
Then they would purge it from the repo. In fact, it's questionably the case that they have abided by the DMCA order, for the very reason that it still exists in the repo history. As far as I know, DMCA takedowns normally lead to closing the entire repo.
This isn't a legal issue in that the laws are bogus (I mean, they are but it is not the issue here). The real issue is that this company is bully and using the legal system as a bludgeon. These abuses should be penalized and they would happen less.
This IMHO is the most sensible thing. There I think are a gazillion ways of serving your list which are out of reach of such laws (not necessarily US laws)
This is a good question. At least at a location where the US does not have an immediate jurisdiction. It's kinda lame, really, that the whole world has to bend over because all of these services are right there in the US. Make them work, at least. Germany, Sweden come to mind.
I concur, I think until the world catches up with the innovation happening in the US (I'm guessing that's why this content is hosted on US services), we'll have to put up with this
The DMCA is a US law, so, anywhere outside jurisdiction of US law. GitLab on a C1 Scaleway instance would probably get you pretty far along the way. The lists really aren't that large in size but there are so many requests. It may be better to build in something like [WebTorrent](https://github.com/webtorrent/webtorrent) to propagate updates.
The downside is that some sites/patterns are removed from the list for legitimate reasons (for example, in the case where a rule is overly broad and breaks sites that it shouldn't). If you can make the software distinguish between "good" and "bad" old rules in the history, then you absolutely have not complied with the DMCA takedown notice anymore.
Why is it that the tech set always forgets that CS pedantry != legal pedantry? Have we forgotten about intent? You can't just change the line to a regex that /just happens/ to match that URL and go "neener neener neener it's not the same!" Are you willing to argue in court that that line was changed and it /just so happened/ to match the domain from before? Do you have a plausible explanation for why that change would've been made that doesn't involve "well, we were trying to creatively skirt a DMCA takedown request"?
I'm not sure if its a matter of forgetting but about not knowing the contours of the boundaries of what's permissible and seeing a straightforward workaround as a proposition which also serves to give feedback regarding why or why not the proposition would be tenable. Evaluating a concrete technical solution in light of some legal matter should do well to illuminate and draw attention to the crux of the problem.
I guess the bottom line is whether one is forced to blacklist/whitelist a site and what means are permissible. If its simply about the site name appearing literally then a workaround would seem easy enough and one couldn't claim uniquely singling out because the filter applies more broadly. Of course the intent is the same in both, but I'm not versed enough on DCMA issues to know how intent plays a role in this field. Your point actually makes me curious about the legal field more generally and just how pervasive intent is and what areas of law it plays a role and which is does not.
It's not specifically about the DMCA; it's about legal issues in general. Intent matters in the vast majority of law. You'd be hard-pressed to argue in front of a judge that your intent wasn't to block this specific site, based on the sequence of events:
1. Site added to block list.
2. Site removed from block list due to DMCA takedown request.
3. Site block by new rule added that doesn't target it directly.
I can't imagine any judge or jury looking at that sequence events and then taking you seriously when you say "I didn't intend to block the original site".
The parent's point was more along the lines of: people in the tech world need to stop looking for technical solutions to all problems. Some problems are social problems, or legal problems. They should be solved directly, not with awkward (or possibly illegal or at least tort-worthy) workarounds. We talk about chilling effects and corporations engaging in anti-social behavior when they threaten open source and the open web in particular, but attacking social/legal problems with technological workarounds is itself also anti-social.
Not saying that technological solutions are not useful sometimes. In the short-term, you can often make a bad social or legal problem less bad by using a tech workaround, while simultaneously taking the long slog toward fixing the root of the problem. But putting tech band-aids over our problems and then walking away will only hurt us in the long run.
This is one of those areas where I'd say it comes down to your lawyer. I agree with the general premise being presented, that sometimes the tech community tries to use technology to circumvent problems that aren't technological. That being said, in this specific instance the most effective defense would probably be something to the extent of "Your honor, based on the advice of my legal staff and my own understanding of the law, I was not in direct violation of the DMCA. For this reason, it seemed only logical that the issue must have been that the manner in which I was operating was the problem and not the outcomes of my operation. For this reason, in an attempt to comply with the notice I received, I revised my software to remedy what I understood to be the problem."
I think it's about what exactly is the DMCA used against. My first thought was as well that they claimed the act of writing down the domain name somehow violated the copyright of their domain. That sounds kind of silly and if it were actually the case, I think a hash/regex solution would make sense.
However I think what actually happened was that the business is operating paywalls/"anti-adblocker-walls" for other sites - so they claim that blocking them constitutes "circumvention of protection devices" for their customers - which indeed would be far severe for adblockers if confirmed by a judge.
(That's my understanding, though I might have gotten it wrong)
OK, why not circumvent the "argue in front of a judge" aspect? Instead of a list hosted on GitHub, put it on some server that's very hard to take down, leased anonymously. You could get EasyList, and then add back whatever's been removed. And make sure that no logs are retained concerning user input.
Well, first of all, blocking a URL is not against the DMCA.
So one argument to do is this is because it is NOT illegal, and the purpose would be to stop frivolous lawsuits.
So yes, it would be trying to creatively skirt frivolous lawsuits.
Another legit reason though, is obfuscation. The company that tried to threaten this frivolous lawsuit may have not even noticed, if it was some weird regex. And they'd either not complain, or have to spend a bunch of money tracking down the problem. Both are wins, in my book.
Blocking a URL is, in and of itself, not illegal, sure.
Blocking a URL that allows you to break a copyright-protection mechanism[1,2]? Well, that's not so clear. It's also unclear whether or not Admiral falls under the umbrella of a copyright-protection mechanism.
I really really really want EasyList to be in the right here, and be able to re-add the block without fear, but it's far from clear what all the implications of this are. I'm glad the EFF has stepped in to help them out; I'm content to wait for their opinion (or the opinion of an actual lawyer versed in the subject at hand) on this.
In the end, this is just another example of why the DMCA needs to go.
[1] Yes, you could say that this is bad design that the mechanism can be broken so easily, but that's not the point: the DMCA doesn't care how good or bad the mechanism is. If you break it, you're in violation.
[2] I suppose there's another point to be made: DMCA takedown notices are only for removing content or links to content that contain actual material where copyright has been infringed, not for removing circumvention tools.
>Well, first of all, blocking a URL is not against the DMCA.
But you'd significantly help the legal case of those claiming it is by trying to obfuscate that you're doing so; they would argue in court it's an implicit admission you "knew it was illegal."
> they would argue in court it's an implicit admission you "knew it was illegal."
So you'd argue in reply that although you maintain that it's legal, you knew that it'd likely be something that bad actors would file frivolous suit over. Even when you win, being hauled into court is incredibly disruptive.
That's a funny thought, but the company making the complaint could probably prove that the ad blocker was interfering with their ads even without looking at the source code.
Moreover, the DMCA covers unauthorised access to copyrighted content, and the ad blocker cannot claim ownership of the ROT13'ed domain name, just as the domain name itself is not copyrightable.
In theory the ad blocker could use a more complicated scheme to obfuscate their source code, but I'm not sure whether they could combine a "do not de-obfuscate this code" rule with an open source / Free Software license.
This is a crucial point: the software is not blocking their ads, neither are the software's authors--the users of the software are. And the users have every right to not connect their computers to any other computer they please.
It's interesting to compare this to Second Amendment arguments. Do ad blockers block ads, or do users? Do users have a right to keep and bear ad blockers? Of course it's silly, and ad blockers are passive tools, but there are some striking parallels.
Not looking up a domain name cannot constitute circumvention.
Imagine a DVDCSS-like system that used remote servers to convey permission and defaulted to ALLOW. Would users who unplugged their DVD players from the Internet be guilty of circumvention? Now imagine that DVDs for said player were handed out freely on the street, stuffed into people's mailboxes, etc. Would people who played those DVDs without connecting their players to the Internet be guilty of circumvention?
That's the same thing, in principle, that's going on here. Claiming that it's circumvention (whoever makes that claim; I don't know if you are) is preposterous. This is obviously an abuse of the DMCA (not hard to do, considering the DMCA itself is an abuse, but I digress).
The claim is about copyrighted material thus DMCA, right? the only reason that string appears is for matching. The intent is for identification, not stealing someone else's copyrighted material. If there's a better way to match than comparing to a literal copy then we should do that. Ideally, one regex that matches all offending domains and no others.
Does it really matter? If they cannot send takedown notice they still are allowed to sue Github so Github might want to remove the offending code rather than enter a legal battle with unclear consequences.
The admiral website has a copy of a notice [1] if you are interested.
Oh, that's way more interesting. So they have standing? I can see the argument that altering the execution of the program sent to the users computer is a DMCA violation (i vehemently disagree, but i can see it). But i don't think they didn't actually wrote the page that's delivered to the user.
I'd imagine it would technically need to be the publisher or the agent that took legal action. This was clearly an experiment though. Expect much more widespread use and, I'd assume, a court case soon.
instead of blocking requests, replace the domain name with something funnily invalid, with a play on words on each original domain. then in case of any dmca, claim satire fair use.
I've done a bit of research, now. You can trademark a domain name, but it appears they can't be copyrighted. I am pretty sure the DMCA is silent in regards to trademarks.
To reply to myself, I need to first state that I am not a lawyer. I have, however, taken a number of courses on both law and procedures. Please keep that in mind.
I have also now spent more time on this than I'd expected.
One of the DMCA provisions, is that (as others have mentioned) that software to circumvent copyright is also prohibited.
I do not believe that EasyList meets the legal definition of software. It's not software, I don't believe. It is a list used by software. Basically, it is a configuration file. By itself, it performs no functions.
Its pretty much a 'dumb' plain text file. It is not executable, in and of itself. By itself, it does exactly nothing except take up space.
Computer software is defined in 48 CFR 2.101 and, unless my reading is incorrect (and it may be), this doesn't enable a program to be produced, created, or compiled.
I can find no rulings on this subject, however.
I am not a lawyer, this is not legal advice, and you should check with a qualified legal professional in your jurisdiction before acting.
That said, this does make for a potentially interesting case. It's probably a good thing to get some decision handed down. That and, well, it'll be pretty easily circumvented regardless of potential rulings.
By itself, any software performs no functions. Software is just instructions, and a config file is, too, just instructions. Sure, a difference is whether it's instructions for hardware or instructions for other software, but that doesn't sound material to me. Especially when hardware can be emulated by software.
However, circumvention tools (software or otherwise) require suing, not merely issuing a takedown notice, as another commenter pointed out.
I'm not sure it meets the definition of a circumvention tool, which appears to be a reference to 'computer software.' As in, the legal definition for such. The courts use a specific definition, found by the entry in the above reply. The few cases I found made use of the specific terminology.
DMCA is not the appropriate tool for this. Filing a DMCA takedown notice when you know that there is not any copyright infringement going on in the document you are asking to be taken down is a misuse of the DMCA, and an entity filing such a takedown can be liable for any monetary damages or attorney fess of the other party. Although I don't know that's ever happened, it's in the law as a penalty for intentional misuse of a DMCA takedown notice. https://www.law.cornell.edu/uscode/text/17/512
It may very well be that the URL should have been removed, with regard to Easylist policies, github policies, or even some other law. But not DMCA takedown notice. If DMCA takedown notice was the only tool available to them, then they had no tools available to them, because DMCA was not a tool legally available for asking someone to remove a URL from a list. A URL in a list is not possibly copyright infringement.
(I am not a lawyer, this is not legal advice, just my understanding for sake of discussion of a hypothetical)
The DMCA doesn't just let you request the takedown of copyrighted content. It lets you request the takedown of tools which can be used to "circumvent technological restrictions" on accessing other, unrelated copyrighted content.
So for instance, when the CSS encryption on DVDs was broken, there were DMCA takedown requests issued to sites hosting the deCSS decryption code, even though the copyright of that code itself wasn't at issue.
ETA: a comment below corrects me, saying that the DMCA prohibits distribution of circumvention tools (i.e. makes it illegal and even criminal I think), but doesn't allow takedown notices for such tools: you have to actually sue them in court. So this takedown notice seems to have been incorrect even if the DMCA is invoked.
That could be, cite to the law or description of it? I'm interested in learning more. What I see in the law (https://www.law.cornell.edu/uscode/text/17/512) is that a "notification of claimed infringement" must include "Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site."
If the notice did not identify a work believed to have been infringed, then why did Github respond to it? Why don't they follow their own process? If the notice did identify a work being infringed, then they are probably wrong because you can't infringe a copyrighted work by listing a URL in a list. I guess actually getting damages might require proving they _knew_ that, and be generally infeasible/cost prohibitive.
Part of the challenge here is that "the DMCA" is a number of clauses. People who are "against the DMCA" often turn out to have an incoherent position, at least from a legal standpoint, when it turns out they just disagree with one of the contentious clauses.
This would in fact be the most contentious clause, the one about being able to take down tools that enable circumvention, the one that is historically the one that perturbs techies and HN-types the most. I think what we see here isn't so much a DMCA takedown of a single line, but a single line modification in an attempt to prevent someone trying to take down the entire ad blocker, by making it so this particular person doesn't have any standing (in the legal sense) to make claims against the ad blockers anymore.
The copyright takedown clause would be number two, but it has a mitigating factor; the DMCA copyright takedown process that you might see on a hosting site or HN itself [1] has a positive element as well, which is that by conforming to the DMCA a site like HN is able to host user content like our comments while discharging from themselves the responsibility of having to pre-filter every comment for copyrighted content. This clause has certainly been abused, and there is a justifiable case that the Feds have not been adequately aggressive about chasing them down, but on the net I still approve of this clause, personally.
(You also have to distinguish between "the DMCA" and a site's policy, which may go above and beyond. Many or most of the things that people complain about for YouTube, for instance, are their own elaborations on the theme, not the legal requirements themselves. Not all of them, though; YouTube tends to favor the big media companies very strongly when it comes to defining "fair use". But things like taking away your monetization and giving it to somebody else is a YouTube policy, not the DMCA. Or at the very least, it's a penumbric emanation of the DMCA and not the DMCA itself.)
Were I the developers or anyone with any ownership in this software, I would hesitate on putting too much stock in the idea that this was an improper use of the DMCA claim process. It was. But the reward for aggressively pushing back on that may be a proper lawsuit for violation of the anti-circumvention clauses, for which there is not a notification process but simply a legal basis for lawsuits granted, IIRC. Your reward for armchair-lawyering this DMCA takedown request could be a true lawsuit.
The DMCA does make distributing circumention measures illegal, but I can't find anything in the law, or discussions of it, saying that the takedown process applies to circumvention measures. The takedown process says an ISP like Github is not liable for copyright infringement if they respond to takedown notices, which is what creates the takedown process. It doesn't say anything about circumvention measures and liability with regard to notices though.
What the DMCA says about circumvention measures:
> (2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that—
> (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
> (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
> (C) is marketed by that person or another acting in concert with that person with that person’s knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.
It seems obvious to me that Easylist is not such, I don't think it meets A, B, or C. But it'd be an expensive court process and who knows what the court would end up doing.
In this example, it seems like Easylist has no desire to include that URL anyway, as it is not an ad server.
It may be true that Github can decide to refuse to host the thing anyway, but it's not a DCMA takedown notice process.
As I added after you replied, I agree that this is an improper use of the takedown procedures. However, your reward for successfully armchair-lawyering that may be a full-on Federal lawsuit.
Also, I agree that Easylist itself may still not be a lawsuit target. It simply makes a claim about a certain domain, it doesn't do any access circumvention itself based on that claim. But if Easylist isn't, the ad blockers using it certainly would be. And that alone would change the dynamics of the situation quite a bit.
I hate to say it because I like adblockers too, but it is frankly very likely that when the advertising industry finally makes the push against them that by current law, it will indeed turn out that it is illegal to use ad blockers on sites that take active measures to ensure you view ads [1]. Again, don't mistake me saying this for endorsing it, but I think it's a very plain and obvious reading of not just the DMCA, but even something as fundamental to our legal system as common-law contracts... if a website wishes to make viewing their content conditional on viewing an ad, they can do that, just as they can make viewing their content conditional on paying them money, joining a club, or anything else that qualifies as "consideration" [2]. They can also place further restrictions on that content as part of that content. Any argument in favor of ad blocking that would also explain why either Netflix customers have the legal right to retain copies of the movies, or in the most extreme cases, explain why everybody has the legal right to retain copies of Netflix movies, should be discarded as an argument that proves too much [3].
I'd suggest the ad blocking community and the interested tech community at least wargame out the plan for if they lose the legal cases, because I would personally put that at somewhere around 90% probability if any of them ever go to court. Even with the EFF supporting it, I fear the EFF would pretty much be reduced to making very handwavy arguments about fundamental rights and basically pounding on the table, because in my considered opinion they really won't have much else. And even if they are correct, courts tend not to take much account of those arguments.
[1]: If the judgment goes really bad, it could even be illegal to bypass sites that don't try anything explicit. However there is a very good argument here that there is a history on the internet of assuming more rights rather than fewer if you don't assert yourself, such as the fact that browsers generally render things differently anyhow, the long history of search engines, the needs for accessibility software to render pages fundamentally differently anyhow, etc. I think there's a good chance no judge would want to overturn that consensus as it's now around 25 years old.
I understand I'm arm chair lawyering, but the purpose of a user agent is to display what the user wants it to, not what the site wants it to. I can't be sued for not watching commercials.
Actively circumventing access restrictions is another issue entirely, but if I'm sent data, there is no reason or guarantee it must be displayed as intended. What about blind folk, or those who don't run JavaScript? Is turning off just now illegal? What about not downloading images?
If a site can't make me pay, and doesn't want it's content to be viewed unless I pay, simply don't send me the content.
Again, circumventing access control, even terrible ones, is one thing, but if you send me the data, then you sent me the data, what the issue?
> If a site can't make me pay, and doesn't want it's content to be viewed unless I pay, simply don't send me the content.
I'm fully on your side here, but to play devil's advocate, I think it's fair to consider an analogy like "if a restaurant doesn't want its food to be consumed unless I pay, simply don't serve me the food."
You ask a server (of the web or the hospitality variety) to serve you the usual. The server gives it to you and reminds you that the deal hasn't been fully executed yet: you're to next [ask the cashier by the door to ring you up || ask the ad server to serve you an ad], and then [pay when asked || render the ad amongst the rest of the content]. Sure, you could forego talking to the [cashier || ad server] instead.
Again, I don't like that one bit, but I think it's the kind of "reasonableness" that holds up in court. IANAL.
But there is no expectation that a restaurant will serve you without paying. There is an expectation that a website will ask for payment/authorization if required, otherwise I'm not required to pay.
Moreover, there is no way to know if the content you're requesting will require a transaction (unlike a restaurant where the prevailing expectation is payment for service, even if prices are left off the menu). It has always been the case that I need to request the resource and then be told if it costs money, otherwise it's given to me.
Likewise, there has never been, and I would argue can't be, an expectation that a user agent render all content as expected. Would custom style-sheets violate the law? Do Lynx, Links, Links2, w3m, mutt, and pine all of a sudden become illegal? How does a screen reader render an ad? How does a braille interface render an ad? Am I now legally required to run a graphical interface otherwise I'm playing legal roulette?
What happens if the adserver malfunctions and doesn't send me an ad? Am I now put in a legally bad spot? What if an ad is sent in swf and I don't have flash installed? I also feel like there are legal implications to forcing someone to execute code sent to them. Do ad servers all of a sudden become responsible for drive-by malware? Can we sue them for damages?
I feel that the crux is that there is no way to know if "payment" is required before requesting a resource. You can't send me something and then say, "oh, yeah, hey, you need to pay me for that" when the (vast) majority of the time I'm sent things without any expectation of payment.
Perhaps the better analogy, then, is that it's kind of like an unattended farm stand with an honesty box. Except the honesty box isn't visible on the way in, it's located on the back of the enter sign so you only see it on the way out, and the driveway is so long that surely you've already started munching on the fruit while starting to leave. Since I'm still on a food kick the whole expectation-of-paying thing is still clouding the analogy a bit, but at least this is closer to the situation than a sit-down restaurant analogy. Oh, and of course our hypothetical farmer needs to have primarily fixed costs, little or no variable costs based on the amount of fruit taken.
It may very well be more common for such hypothetical farmers to forego having an honesty box hiding where you don't see it until you've consumed the fruit, but for those who do choose to have one, are you stealing the fruit if you don't drop in a few bucks?
More on topic: I also think courts would see quite a difference in intent between using a mainstream graphical browser with an ad blocker vs using things like a text mode interface, a screen reader, a braille display, or libcurl. The former is like driving past the honesty box while chuckling; the latter is like not even knowing it was there.
I seem to have hit the max reply depth, so sibling posts will have to do.
> disable JS and images
> They're all the same thing. I'm deciding how I want to consume content; I'm not circumventing a access control mechanism.
I guess the difference I am trying to highlight is:
* a lack of ads for hard technical and/or compatibility reasons (JS not enabled, images not enabled, graphics subsystems not existing, not having sufficient eyesight, etc.), versus
* a lack of ads because screw you.
This line in the sand may be stupid, but I'm afraid it's not "the same thing." I'm afraid this difference could be argued successfully in court, and that is my point.
Hn removes the reply for an increasing amount of time per level, I think.
But it's not "screw you" it's "I don't want to waste the bandwidth I pay for and am metered on with things I don't want to download and could potentially harm my computer". Viewing those ads costs me money as well, money which isn't going to the person serving the ads, not to mention the risk of malware.
> Perhaps the better analogy, then, is that it's kind of like an unattended farm stand with an honesty box
The issues is that there is normally a expectation of paying for things like produce. Unless there was explicitly a "Free Produce" sign, I would expect to have to pay.
There is no expectation that you need to pay for the data sent to you later; if payment is required for access, you're told so and need to provide it to continue to the resource (or otherwise provide proof that you had paid, e.g. logging in).
There hasn't historically been and can't be an expectation of payment later because that would be untrue for many, if not the vast majority, of websites. Additionally, there has never been an expectation that the client will render everything you send to them. All browsers have the option to disable JS and images, and always have.
It's these differences in expectation and culture that I believe provide the difference between your examples and the web. Violating these constraints would cause legal issues in the vast majority of systems, would mean running old software would be illegal (Chrome preloads links under certain circumstances, but doesn't render them), and would also end up forcing users to run code they didn't choose to run (there is no expectation or knowledge of what code the server will send and choosing to not run harmful code would be illegal), which would be an interesting thought experiment as a civil rights violation. It would also force me to, say, accept a EULA for Flash, even if I disagree with it because I visited a site that randomly sent me a flash payload. Or what about something without a linux runtime; I would have no ability to avoid committing a crime, because I don't have the choice to accept the rest of the content that came with the content I can't run, but am legally required to run.
Violating the very assumptions of how the web works would have terrible ramifications.
> More on topic: I also think courts would see quite a difference in intent between using a mainstream graphical browser with an ad blocker vs using things like a text mode interface, a screen reader, a braille display, or libcurl.
Why? They're all the same thing. I'm deciding how I want to consume content; I'm not circumventing a access control mechanism.
Because what a court does isn't always logical or even reasonable. Especially on IP stuff, especially on IP stuff involving software. Did you pay attention to Oracle v. Google?
So far in the Oracle v Google case it's been ruled that apis are covered under copyright, but that implementing them from scratch is covered by fair use. I mean, that's not wholly unreasonable.
Oracle has appealed, would we'll see what happens.
At the risk of destroying my efforts at being reasonable, suppose it's an "if you eat the whole thing, it's free" situation, except there is no "$19.99 if you can't finish" else clause. You know that they didn't offer an else, yet you eat anyway, and you slip your onions into the plant in the corner.
Then they can make other ridiculous rules too, for example "you should pay 100x the price in menu unless you can stand on your head for an hour". That would probably increase the income dramatically.
"I understand I'm arm chair lawyering, but the purpose of a user agent is to display what the user wants it to, not what the site wants it to."
This is an assertion that is commonly made on the internet, but I see no reason to believe it carries any legal force, or even necessarily any moral force. In fact it's not that hard to read it as an argument made solely to come to the desired predetermined conclusion rather than any sort of principled argument. It implies that the sender loses all rights to anything they send to you, which is definitely legally untrue; I gave examples above already.
Also, if you win on this point, you will not experience a glorious utopia in which ad blocking is OK and you can save whatever streams you want and so on... you'll experience a world in which all this content gets removed from the web and locked behind even more proprietary clients that will come with what the publishers want. What may seem to you to be a simple bugbite back in favor of what you believe your rights to be may cause a much larger allergic response than you'd anticipate.
"I can't be sued for not watching commercials."
You haven't signed a contract saying you will. That may not be the case online.
The questions about whether such contracts should be something that even can be offered, or whether simply clicking through a EULA or accessing a bit of content can bind one to a contract, or the nature of what such a contract may be allowed to be, are all separate matters of interesting discussion. However I don't foresee any world arising in which the "the purpose of a user agent is to display me what I want to see and therefore any manipulation of the content other people own the rights to is within my rights" is going to hold up. There's too many rights and rights-holders that won't stand for it, and even if you did somehow win that case, they'll simply retreat and retrench in whatever it takes to recover those rights for themselves. If you rewrite the terms of the contract, you have to account for the other side of the contract reacting to it, not just passively sitting back and going "Oh, gosh, I guess I'm stuck then, I'll just keep doing what I'm doing without changing anything."
> The questions about whether such contracts should be something that even can be offered, or whether simply clicking through a EULA or accessing a bit of content can bind one to a contract, or the nature of what such a contract may be allowed to be, are all separate matters of interesting discussion.
But you can't accept a contract just by visiting the site. Especially since the in the same action as becoming aware of the exist of the contract also makes you breach the contract.
> However I don't foresee any world arising in which the "the purpose of a user agent is to display me what I want to see and therefore any manipulation of the content other people own the rights to is within my rights" is going to hold up.
Why? This has always been the purpose of the user agent and it's difficult to impossible to actually make sure things will always look the same in all browsers. Could viewing a site in FireFox or Edge become illegal? Again, how would I know that _before_ taking the action. What about systems such as links2, w3m, elinks, and lynx?
> f you rewrite the terms of the contract, you have to account for the other side of the contract reacting to it, not just passively sitting back and going "Oh, gosh, I guess I'm stuck then, I'll just keep doing what I'm doing without changing anything."
Which terms? The UA has always been the agent of the user, not the site whose content is being displayed.
I just find it very difficult to believe that the court will accept that I've broken a "contract" I can't know exists without breaking it.
> However, your reward for successfully armchair-lawyering that may be a full-on Federal lawsuit.
I assume Github has a whole bunch of non-armchair lawyers.
But this is indeed the problem with the whole system, it comes down to who can pay the legal bills.
It seems obvious to me that Easylist is neither "primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access", "has only limited commercially significant purpose or use other than to circumvent", nor "is marketed.. for use in circumventing a technological measure that effectively controls access."
But it could take a whole lot of legal fees to determine that in court, and as we saw in Oracle v Google, the courts don't always decide what seems obvious to us. For better or worse, any sane person or entity wants to stay out of court regardless of whether their lawyers think they have a great case. Unless they have a whole lot of money to burn.
At the least, I think Github should make it's policies clear about what it's doing. If they say a DMCA takedown notice must "Identify the copyrighted work you believe has been infringed" (as the law indeed says), they should not take action to complaints that don't do this. If they want to respond to other types of complaints, they should say so, and explain how. (And ask their lawyers how it effects their liability under DMCA, if at all).
Github appears to be trying for transparency with their docs and practices on DMCA, which is great and important and greatly appreciated. This is one area where it could be improved. Responding to DMCA takedown notices that are not in fact DMCA takedown notices and do not follow Github's own published instructions/requirements for DMCA takedown notices (cause they aren't DMCA takedown notices)... is not transparency. The DMCA regime has plusses and minuses; mis-educating people about the DMCA law doesn't help us evaluate what these may be in order to be engaged citizens.
What you are describing applies only to US where copyright laws are biased towards the interests of publishers. Developing adblockers in other countries might be the solution I think. It is unbelievable that a publisher might decide what I do with content on my computer. No, he cannot or at least should not be able to decide. If he doesn't want me to block the ads then he should not serve the pages to me in the first place.
An adblocker is not a tool which can be used to "circumvent technological restrictions" on accessing other, unrelated copyrighted content. It is a tool to restrict access to content.
At first glance you're right, but it's not hard to imagine an ad system which makes the text of a website invisible (or scrambled) until the advert has loaded, and imagine an ad blocker which is designed to do the unscrambling without rendering the ad.
I don't know if that's the precise situation here, but if the ad blocker is intentionally carrying out a process like this to access the copyrighted work of the website without obeying the restrictions of the technological control process, then I could see that falling well within the bounds of the DMCA.
AFAICT, the relevant provision of the DMCA here is "No person shall circumvent a technological measure that effectively controls access to a work protected under this title".
Is there any elaboration on what "effectively controls access" means (e.g. in case law or in the statute that I missed)? Does a system that fails open (the only thing listed in the EasyList commit was the domain name, so a network error would replicate the same situation) fall within the scope of the provision?
> Is there any elaboration on what "effectively controls access" means
Apple Inc. v. Psystar Corp.[1] involved circumvention of a system that "effectively controls access" to Mac OS X, preventing it from being installed on non-Apple hardware.
Apple's anti-circumvention system is (in part) that some of the important system binaries are encrypted, the kernel transparently decrypts them when they are executed.
The key isn't secret (in fact it's a constant that hasn't changed in 10+ years), but it is only distributed inside the SMC chip on the main board of a real Mac.
There's no question that encryption is generally an effective access control method, it can't be circumvented without either having the key or breaking the encryption system in use.
The court found that regardless of how trivial it was to obtain the key, the fact that it was encrypted made it "effective":
> Psystar contends that Apple's anti-circumvention technology was ineffective because the decryption key for circumvention is publicly available on the internet. This argument fails.
> "The fact that circumvention devices may be widely available does not mean that a technological measure is not, as the DMCA provides, effectively protecting the rights of copyright owners in the ordinary course of its operation." Sony Computer Entm't Am., Inc. v. Divineo, Inc., 457 F. Supp. 2d 957, 942 965 (N.D.Cal.2006).
> Generally, measures based on encryption "effectively control" access to copyrighted works. Here, when the decryption key was not employed, the encryption effectively worked to prevent access to Mac OS X. And that is all that is required.
> See Universal City Studios v. Reimerdes, 111 F. Supp. 2d 294, 318 (S.D.N.Y.2000) (noting that when a decryption program was not employed, the encryption worked to control access to the protected work).
> Accordingly, Psystar has violated the DMCA by circumventing Apple's protection barrier and trafficking devices designed for circumvention. Apple's motion for summary judgment on its DMCA claim must be granted.[4]
Funny how this disclaimer is only found besides legal advice. Really, you should not have to write this. ("I am not a lawyer" is more reasonable, though.)
From what I understand, "legal advice" has a legal meaning, basically requiring it to come from your lawyer, and implying an attorney-client relationship. People want to be clear that they aren't a lawyer, and that they aren't attempting to practice law by offering someone else Legal Advice. Instead, it's more like Uncle Fred saying "You should sue the guy!"
There are many cases of DMCA abuse, and it'd be nice if someone had the resources to go after these, get them fined and help set a precedent to prevent further abuse. Unfortunately, that probably cost more than it's worth.
> And if github cannot standup to DMCA abuse, then well, easylist and all other developers should be giving a clear hard though to their continued use of the github platform.
This. This is the main topic here. The wide use of centralized services (such as Github, but it applies also to Facebook, Google et al.) makes you dependent to corporate decisions, including coward (or maybe rational) decisions towards freedom of their users.
This is also why linux kernel developers will never, ever use a service like Github. Apart from scalability issues, the single point of failure that these services are (not for technical reasons, but for political reasons) is simply scary.
TL;DR: Assholes who send buggy DMCA is not the issue here. Depending on a centralized service is.
It's not Github's job to stand up to DMCA notices. The law requires them to forward them to the account publishing the content without any consideration of the merits. Then, easylist has the option to comply or refuse.
That's besides the point. It's the reason open source projects should not depend on centralized sites like github or any other site that make this kind of disruptive automated dmca take down easy.
It should take much more legal effort and 'application of mind' to effect disruption.
> It's not Github's job to stand up to DMCA notices.
I want to make it clear that I'm not arguing for the legal grounds here. I'm not a lawyer, so I will leave that to them. I'm arguing from a more moral/ethical stance.
I'd like to disagree with you. By allowing you to run under their umbrella, I feel that Github has a responsibility to take care of you, and the data that you put on their site. I feel that it is quite insincere for them to say "Sure, put your code on our site!" but then kick you to the curb as soon as there's any trouble. There's definitely a level of extremity that I don't expect from them: I think that after a certain amount of legal argument, they should pass it to the uploader, but I feel like their default attitude should be "no, you can't just attack the uploader because you feel like it."
It sends a clear message to the FOSS community that they don't care about taking care of their own, which is bad for Github, and bad for the committers.
I'd be curious though: Why do you think that "The law requires them to forward them to the account publishing the content without any consideration of the merits"? It's my understanding that they do have some grounds here as it is their site.
EDIT: I reworded my post as the original was rude, and accusatory.
> With all these dozens of domains (over a hundred), it sure smells like they're incorporating a HSTS fingerprinting attack into their product portfolio. HSTS fingerprinting enables a server to tag every browser with an n-bit (ie: 100 domains is 100 bits) unique identifier so you can track that browser whenever it returns (or wherever it goes). Since users cannot clear their "HSTS cookies" as it were, this fingerprint remains permanently associated with that browser.
>
> Wonderful feature for an ad agency to track each visitor indefinitely. Even while in Private Browsing / Incognito mode.
Okay. Let's eradicate them from the surface of this planet.
Or, more constructively, go after them in the EU, where such practices would surely be illegal under the so-called cookie law (which is actually about storing information in a user's browser more generally, and not specific to cookies at all).
As long as that really is what they're doing, of course.
Couldn't they just use 100 subdomains for their 100 bits?
Maybe we need a browser extension (or just a website) that instructs your browser to make requests to the HTTPS version of domains that are found to be used to set HSTS cookies, thus "blowing the fuses" and making those domains unusable for providing bits of entropy.
In fact, rather than blowing all the fuses, the extension/website could blow just a random few, as a bit mask, giving you someone else's ID number and ruining the ad company's profiling/analytics. That way you would be helping people who weren't using this defence, rather than just having your visits not added to any profile.
It's not clear how trademarks would apply here. I can write "General Motors". I can write about General Motors. I just can't impersonate General Motors or their products. That's trademark.
That was my point. GP mentioned trademarks for no reason and I said that the DMCA is a copyright law (that's what the C stands for), and that trademark law is irrelevant to this discussion. I also agree that even if trademarks mattered in this case, it still wouldn't be infringement.
On the other hand, it looks like it was an improper use of the DMCA because they're claiming that EasyList is an anti-circumvention tool (effectively arguing that it breaks DRM).
So is their argument that by including their hostname in easylist, you are circumventing copyright controls because they validate copyrighted material usage? The takedown notice didn't seem to be related to the domain name per se, but rather the effects of including it in easylist. IOW in order to view our client's copyrighted material, we are providing access controls and by denying the code access to our server, you are circumventing those access controls.
Tangentially related, the author of that project has also created uMatrix. Well, it's the micro symbol, but you get the idea.
uMatrix is pretty much like an old school software firewall, except it is just for your browser. It works by whitelisting, instead of blacklisting. There is a bit of a learning curve, but after you've visited your most visited sites, it becomes a fairly easy solution. As you fist visit sites, you configure it to only allow what is needed to get the functionality you want. Once done, you don't generally have to muck with it further.
As stated, there is a learning curve. There are many choices of what to allow and block, but you can surely figure it out. You can even export and share your configuration.
I am not affiliated. There is a version for Firefox, Chrome, and my beloved Opera. It'll probably work in Pale Moon, Vivaldi, etc...
It eliminates the need for multiple extensions. I've been very happy with it.
I use ad-blockers in every browser and I would have no problem if that were part of the headers my browser emits ( have no idea if it is or not). If websites don't want to serve me because I'm blocking ads, so be it.
GitHub is just the platform. If they get a DMCA complaint, procedure says they should contact the repository owner. The repository owner receiving a fraudulent notice sends a one-line email stating "consider this my DMCA counter notice". The content stays online, the DMCA notice does nothing and the only avenue now is for Admiral to sue, which of course they are not prepared to do.
You post an entry on your blog ridiculing them and their VC funded shenanigans and HN gets a good laugh out of it.
This might create a new front in the war against ads. You'll have ad blockers, then they'll build in a component to block anti-adblock mechanisms, which will force the ad makers to employ more countermeasures... I don't see how the content providers will ever win this war. They have more to lose here.
>A companion extension to uBlock Origin: to gain ability to foil early anti-user mechanisms working around content blockers or even a browser privacy settings.
I think /u/gorhill is the lord of this particular war, and his followers are armed to the teeth. I type this on Firefox on Android with uBlock Origin.
I check his github occasionally to see if he accepts donations, and I donate to a couple of the lists occasionally.
In the war analogy, we have the best arms dealers. They other side is fighting a losing war.
I have checked multiple times and gorhill doesn't appear to accept donations. I seem to recall reading a thread where they indicated they didn't want to ever be considered to be beholden to anyone.
As mentioned above, uMatrix is my favorite. Once configured, it is easy... There is a learning curve.
I'd donate regularly, but that doesn't appear likely. I greatly appreciate their work.
Even if we take for granted the absurd premise that this is "copy protection circumvention", it's still nonsense for the same reason that gun manufacturers aren't sued for murders.
Good to hear. I sincerely hope this turns into a lawsuit to scare off others who may be watching the outcome of this to decide if they should try the DMCA route, too.
The DMCA is United States-specific. Copyright laws are very widespread and harmonized to some extent by international treaties such as the Berne Convention; a Google search for that term can lead you down the right path. (I'm not trying to explain anything, just give you some good search pointers if you're interested in researching yourself.)
anywhere but US, already EU countries definition of legality of streaming should be enough to safely just filters lists
from what i remember Spain and Central Europe are very laid back regarding your rights to non-commercial steaming of copies of works you don't actually own
However, that defense is a bit flimsy to me since the fall back to having the paywall blocked could/should be a "Paywall blocked, please disable your addblocker to gain access to our content" msg.
Anyhow, that is immaterial because so long as they don't actually serve adds, Easylist could/would have removed the line no problem. Admiral should have just said "Our domain doesn't serve adds, we work on paid content access" and they would have been removed without all this hassle.
It's their fault for delivering data they want restricted. I'm under no obligation to make every HTTP request they want me to or execute any untrusted JavaScript. Nor am I obligated to render their HTML as intended. If they want these things then they need every user to enter onto a binding contract agreeing to those terms.
ah, but you might be. This gets into a crazy area where we're talking about some entity offering up information via HTTP and you choosing how to represent that data. You could use Lynx, Firefox, Chrome, IE or even just browse everything with Python/BeautifulSoup in a console. Does the provider get to chose how you represent that data?
Well it turns out they kinda do. Sites have terms of service people supposedly agree to, all the time, without reading, because it's fucking impossible.
I posted this argument before and got the following comments which make a good argument:
However the comments get into implementations like Netflix and rendering that data, but it's a bit different because in that case you are paying for access.
Will we be in a world one day where sites can require specific web browsers, by law?
That is not a problem because there will be competitors without this requirement. The problem is laws that are not well balanced and are biased towards interests of one party.
This argument really gets old. Morally you know what you're doing. Most people would be fine blocking the big dozen or so of the most offensive ad networks but this extreme approach (especially when the publisher is trying to offer you choices) just comes off as ridiculous.
What entire industry? Advertising? And how is the world worse because of it?
Do you realize just how much advertising funds? It's a 12 figure global industry and 99% of the content you consume is funded in part by it - and that's before we get to how advertising drives the economy by efficiently matching businesses to customers. Every company relies on advertising (whether paid, word-of-mouth, etc) to succeed.
It's irrational to see so much hate and it's likely your complaint is really only about intrusive ad formats and data privacy. That is something I agree with and I'm for every change that makes for safer, better, and more private ads, but that is vastly different than calling for the elimination of advertising in any sensible reality.
It's not advertisers as much as a complex supply chain with bad incentives in a 12-figure global industry.
We say the same things with government waste over military and healthcare. And we can fix it in the same ways with better trust, accountability and regulation.
I think it's worth mentioning that even if an easylist filter entry counts as "circumventing a technological measure that effectively controls access" -- which I think is debatable for multiple reasons -- the DMCA takedown procedure only covers copyright infringement. It does not apply to anti-circumvention measures.
As Admiral's blog post points out, Github recommends using the same contact procedure for anti-circumvention takedown requests as for normal DMCA takedowns. But as far as I can tell, they're doing so purely on their own initiative; such a takedown request doesn't have the force of law in the same sense that a claim of copyright infringement does.
> Github recommends using the same contact procedure for anti-circumvention takedown requests as for normal DMCA takedowns
I made this mistake to, Admiral's blog post does imply it. However, they were making a DMCA take down request, based off the reasoning it was for anti-circumvention.
I don't understand how your comment is a response to mine. Could you please clarify?
The DMCA is a set of laws. The DMCA takedown procedure is a part of those laws, defined in a fairly rigid way: it has specific notification requirements, timeframes, and is clearly defined to only apply to copyright infringement. Just because the DMCA also prohibits circumvention, it doesn't automatically follow that circumvention is the same as copyright infringement. And the Wikipedia section that you linked to doesn't mention the takedown process at all.
The only hope against the DMCA is that eventually the takedowns get so ridiculous that courts are forced to strike it down as the unconstitutional garbage it is.
To that same logic any operating system that allows editing the hosts file or running your DNS service and routing a domain name to loop-back or some other server is also liable for producing circumvention tools.
They even clearly state they used the only tool available to them, DCMA. From all the current summaries on this, DMCA does not apply to a line entry in easylist. A domain can be trademarked.
This should be added back in. And if github cannot standup to DMCA abuse, then well, easylist and all other developers should be giving a clear hard though to their continued use of the github platform.
Edit: it looks like EFF has gotten in touch with easylist. Good. https://torrentfreak.com/dmca-used-to-remove-ad-server-url-f...