Degban Hack Leads to Bogus DMCA Takedown Notices

CYBERSPACE—Monday, a comedian and writer named Dave Gorman added a post to his blog with the headline "The Man From Degban, He Say, 'Um... it wasn't us, honest!'" Gorman was rightly upset that an image he had posted to Flickr in 2006 had been removed by the Yahoo!-owned site after it had received a DMCA takedown notice sent on behalf of BDSM producer Wasteland by copyright protection company Degban. "I knew that the copyright for that image was mine, so I got in touch with Yahoo! and worked out how to file a counterclaim," wrote Gorman, "Which means I sent a legal notice—under threat of perjury—asserting that I was the copyright holder and again, Yahoo! has no choice but to follow procedure. They passed my counterclaim on to Wasteland, Inc who then had 14 days to decide if they wanted to continue to fight by sending a court order to restrain me! 14 days later, Yahoo! wrote to me telling me that I could repost the picture. "But reposting it doesn't bring the comments/views/favorites back and nor does it put it back at the same url which would preserve the links," he lamented. "They're all gone for good. The picture's life from January 12 2006 is destroyed... instead it is reborn on March 2, 2012, its history wiped. (At least we share a birthday)." Adding mystery to mayhem, though, Wasteland insisted that it issued no DMCA for that image or for other takedown notices that have been issued in its name during January and February of this year. "We do have Degban handle our DMCAs, but only for torrents and file-sharing sites, and on those only videos with a duration of longer than 5 minutes. They do a very good job on this for a very, very reasonable monthly fee, so all of this pretty much comes out of the blue at me," Wasteland CEO Colin Rowntree told AVN. "Something seems to have gone terribly wrong somewhere as we don't touch the tubes (we have lots of affiliates uploading our clips to those) and certainly not photos on blogs or Flickr posted by comedians featuring artistic photography." And Degban, which after several alleged attempts by Gorman to contact them, replied that they had been a victim of a "phishing/hacking attack," an explanation that Gorman included in his article but, judging from the headline, did not believe. In the post, however, he wrote of the explanation, "Which is either bullshit—which is worrying... or true... which is even more worrying." The email to Gorman was sent by Degban CEO Taban Panahi. It read: Hello Dave I do apologize for the inconvenience, we have been victim of a phishing/hacking attack, which was aimed at reducing our credibility among clients and the public as you can see how, I truly am sorry that you were effected as such, but allow to humbly suggest that you channel a part of your anger at those holier than thou hackers who effect users like yourself by such irresponsible actions we are working hard to fix the matter, but alas we cannot do much as the size of the attack was larger than we could have expected. I am hoping you can manage to get back your traffic and are never affected by such issue ever again" Yours Taban Panahi Degban Ltd. A subsequent thread on GFY ignited a brief firestorm over the incident, which has since died down, but questions remain about the security breach claimed by Degban and also the actions of Flickr, which completely deleted Gorman's original page rather than make it inaccessible in case of a challenge. In this case, Gorman did dispute the takedown, and Flickr allowed Gorman to repost the image after Wasteland failed to reply to the challenge within 14 days, which they did not do because, according to Rowntree, they never received a notice from Flickr because they did not send the DMCA notice in the first place. Late Monday, AVN sent Degban, which is located in London, an email requesting further details on the alleged breach. This comment was waiting in the inbox this morning: "On February 29th, our SMTP server was accessed by an outsider through a password phishing scam," the company said. "The intruder then used our SMTP server to report legitimate content as piracy, using our own Take-Down notice templates. This was done to reduce our credibility with hosting companies. Degban, however, employs digital signature for all emails, except for those that do not accept it. A part of the attack failed, as only those who processed the fake emails, without digital signature, were affected. Since the attack, we have changed all passwords, and implemented an extra layer of security to ensure our SMTP server is only accessible through trusted devices, much like Facebook does. "As the attack rested solely on an human error, it does not seem to have been initiated by any known 'hacktivists,' but rather by a disgruntled file-locker owner or pirate. Our system is set up so that the STMP is actually separate from the Degban core; the service provided to our clients is run and developed by Degban. We have set up our system so that any security breach cannot penetrate to the core. Obviously, we regret that this particular event occurred, and where the protective layers were lacking, we have already implemented extra security. "In terms of damages, only those whose files cannot be retrieved have been affected. We are still contacting hosts, attempting to get their content reinstated. Clients, employees and the rest of the public are unaffected on a technical level. For any clients that experienced downtime during their service, we will refund them the service fees for that time." Gorman does not appear to be mollified, and several posts he made in the comment section of his blog seem to indicate that he maintains serious doubts about not only Degban and its technology, but also the entire copyright protection efforts and the DMCA itself. "There are plenty of things flickr/yahoo could do better in this. I don't believe they have to delete the whole page—taking the comments etc with it. But they do have to delete the photo," he wrote. "The real villains of the piece here are the DMCA—it needs to be changed so that sites become obliged to remove contested content from view until it is sorted rather than deleted wholesale. Y'know, like putting cuffs on people rather than shooting them on sight. "And of course," he added, "Degban and companies like that. They're either incompetent/negligent at their job and sending out bad DMCAs or they're incompetent/negligent at their own internet security (which given their field doesn't speak well of them) and the result is bad DMCAs. Either way, their existence doesn't seem to be good for any of us." The one thing missing from Gorman's summation, however, is legitimate empathy for the amount of piracy that the adult industry has had to deal with, and a balanced understanding of the extreme difficulty copyright owners have protecting their content. He is right to feel victimized, of course, and even has a right to question Degban's security measures, but assuming Degban has put measures into place that will prevent any such occurrence from taking place in the future, damning the existence of "Degban and companies like that" seems to be an extreme response to a situation in which it was Flickr that jumped the gun by deleting years worth of comments in possible violation of the DMCA, which requires the service provider to "restore the takedown material" in the event of a successful challenge. It should also be noted that the DMCA also contains a provision—512(f)—that states that if someone misrepresents themselves as a copyright owner any damages caused by that misrepresentation must be reimbursed. AVN has also inquired if Degban is aware of any other individuals who were impacted by the breach, but has not yet heard back from the company.