The article buried the lede, which I think is this-- Google as email provider had information all along that DMCA notices it was sending to its YouTube property were not legitimate. Google even went so far as to flag and reject some of those notices because of false personalities, but instead of going to the root cause to stop abuse of its systems it allowed the same user to plug along long enough to manipulate YouTube in a way that caused Bungie an alleged $7.6m in damages. Then the icing is that when Bungie came knocking Google initially resisted a court-related request to allow Bungie to identify the user and stop the abuse. Wow.
But basically all of those actions would be things that would generate negative headlines. Would any of the following Hacker News stories surprise you?
* Google Shut Down British Teen's YouTube Account, Kid Loses Access to GMail
* Google Giving Out User Information to Companies Without Court Order or Protest
* Google Is Sharing GMail User Information with Game Publishers Out For DMCA Revenge
Every step along the way, there'd be an article and 100 Hacker News comments talking about how evil Google is and talking up how Duck Duck Go really isn't so bad as long as you remember the shortcuts that make it use Google.
Resisting requests from big companies demanding that they give out user information is a good thing. Changing their mind when they had clear evidence that the user was up to no good is a good thing. Not immediately shutting down someone's GMail account because they're doing something that upsets YouTube is a good thing.
The thing that's missing in all those headlines is context. Google has context and I like to imagine Hacker News readers would understand the context too (or at least find a top comment talking about the context). So Google refusing to do anything or make life extremely hard when they're the ones with all the data is really frustrating.
But if Google is deciding that avoiding those potential headlines is of higher priority than protecting its users from getting abused by the unfair system they put in place, we are justified to attach a derogative label to the company.
And it's cumulative, with all the other ones. The labels, I mean.
I just hope people will not forget them in 20 years after they make a giant PR campaign to become the good guys again, like with Microsoft.
> Then the icing is that when Bungie came knocking Google initially resisted a court-related request to allow Bungie to identify the user and stop the abuse. Wow.
A big corporation came asking for data on an individual GMail user, and Google told them, "we're not giving that to you without a proper subpoena." That's exactly what you want your email provider to do.
Maybe, but that's not the point. It's not about the owner of the Gmail account, it's about the identity of whoever sent the DMCA request. Google should have had more than just an email, should have verified at least a registered company or domain or trademark, and should have willingly given up the verified contact information to anyone who asks.
Google shouldn't just hand over someone's information, but when Bungie provided evidence of abuse, Google _should_ have kicked off a robust internal abuse investigation. Knocking people off their platform for being jerks is absolutely within their ToS and purview under law.
The fact that they harbored the jerk for so long, even in the face of credible evidence and actual harm, suggests that, as another headline on the frontpage right now says, "If your [platform] is full of assholes, it's your fault."
Back a decade ago, CenturyLink kept disabling my ISDN line based off spammed DMCA takedowns. I wrote them several letters demanding proof, even pointing out that their abuse form was entirely open to anyone and asking for any substantive proof. It took them a third time to actually send some printouts, which amounted to again a random spammer on their DMCA form.
They "solved" the problem by firewalling connections and a lame gateway asking you to admit to whatever.
They didn't just bury the lede, they didn't cover Google's barn door security hole on the DMCA submission process that allowed this guy to submit a hundred or so DMCA takedown requests with no need to prove his identity.
And then there's this:
> Bungie had to devote significant internal resources to addressing it and helping its players restore their videos and channels – an effort complicated by the fact that while YouTube has a form that allows anyone to claim to represent a copyright holder and issue copyright strikes, it has no dedicated mechanism for copyright holders who are being impersonated to let YouTube know about the DMCA fraud
Small content creators have only been complaining about this for, oh, ten years or so?
> This meant that Bungie had to work through several layers of YouTube contacts over a period of several days before it could adequately communicate and begin addressing the problem.
Days? Several layers? Gasp! Fetch the vapors!
Now imagine you're not a billions-of-dollars-in-revenue worldwide-known gaming company - and thus you have zero ability to reach a human.
To my mind it's far more concerning that Google did so little to confirm the identity of the guy sending the fake notices, let alone establish whether he had any right to be sending the notices in the first place.
IANAL but I think they might be able to pursue a case of "vexatious litigancy" against the person. That essentially strips them of some ability to use the legal system because they've rampantly abused it in the past.
It's a high bar to pass, but literal thousands of fake claims might indeed pass it.
> On March 22, the Reynolds account logged out of Google and less than a second later, the Wiland account logged in, suggesting the same person was behind both accounts.
I've always wondered how often timing analysis is used in practice by surveillance big tech. I suspect that as people become more privacy aware, and start using VPNs, pseudonyms, multiple accounts, etc, that big tech will start using timing analysis more and more to correlate traffic and identify users. Like if your friend sends you a Reddit link on WhatsApp, and you immediately open it in your browser, that Reddit session is now linked to you.
Another more complex example: let's say Google has already identified your Reddit account. You open a Reddit discussion, and deep in the discussion it links to a Youtube video, and you open it in your browser. Now even if you weren't logged into Youtube, Google could guess that it's you based on the timing of when your Reddit account opened the discussion, and when the linked Youtube video was accessed. And not just that video, but now every Youtube video watched in the same browsing session, is now linked back to you (assuming you have first-party cookies enabled, which is basically required if you ever want to log into anything).
Seems a bit paranoid, but I actually suspect this happened to me a few months ago. I was using a FOSS reddit client and clicked a youtube link buried deep in a reddit thread, and opened it in Newpipe (a FOSS youtube client). I wasn't logged in, and was using a VPN, and yet the next day on my Youtube feed I started getting recommendations based on that video (and those recommendations were very different from my usual ones). Scary stuff.
> I've always wondered how often timing analysis is used in practice by surveillance big tech
Books written about the NSA, GCHQ, CSE etc talk about them using things like timestamp logs/traffic analysis/time of day analyzing commercial and government telecom links going back to the 1960s, so in the modern era even if your crypto is absolutely unbreakable, there's a huge amount of analysis and correlation that can be done based on timing analysis.
Then you combine your timing analysis with things like correlating geolocation of blocks of IP addresses, netflow and traffic analysis, metadata obtained from other adjacent/nearby users on same ISPs at either end, a whole fire hose of other data that's still useful even if the crypto is solid.
> let's say Google has already identified your Reddit account. You open a Reddit discussion, and deep in the discussion it links to a Youtube video, and you open it in your browser. Now even if you weren't logged into Youtube, Google could guess that it's you based on the timing
Not just timing but also cookies, client device/browser fingerprinting, IP address/what ISP you're on, and the usage patterns and logged in activity (and app-collected telemetry data on android and ios devices) of all the other persons in your household and neighbors.
I guess part of my hope was that big tech didn't think timing analysis was worth the effort. But it's rather scary if they are truly scaling up their timing analysis efforts. Now, if you care about privacy, it's not enough to just use a VPN or stay logged out or use anonymous accounts. You have to worry about _when_ you open every webpage. Be wary of immediately opening links that your friend sends you, or sharing webpages that you had just opened to your friends. And that's not even factoring in fingerprinting attacks.
> I've always wondered how often timing analysis is used in practice by surveillance big tech
Temporal correlation is the difference between regular network analysis, and dynamic network analysis. Just search "dynamic network analysis" on Google Scholar, and look at who's writing the papers :)
But to back up a step — every SaaS company does this on some level. If you have a backend audit-log for e.g. user registrations, and you eyeball it every so often to notice event clusters of people trying to bulk-register accounts in order to block their IPs — well, that's timing analysis!
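Added example, not part of the thread or of any commenter's post: a small Python sketch of the two audit-log checks discussed above, flagging a logout followed within a second by a login to a different account, and flagging bulk registrations from one client. The log layout, the `client` field, the thresholds and every sample value are assumptions constructed for this illustration.

```python
"""Timing correlation over an auth audit log (constructed sample data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: (ISO timestamp, event, account, client).
# "client" stands for an IP or device id; it and all values below are
# assumptions made for this example, not data from the court filing.
SAMPLE_LOG = [
    ("2000-01-01T10:00:00.000", "register", "bulk01", "198.51.100.7"),
    ("2000-01-01T10:00:04.000", "register", "bulk02", "198.51.100.7"),
    ("2000-01-01T10:00:09.000", "register", "bulk03", "198.51.100.7"),
    ("2000-01-01T10:05:00.000", "login", "alice", "203.0.113.5"),
    ("2000-01-01T11:30:00.100", "logout", "acct_a", "192.0.2.10"),
    ("2000-01-01T11:30:00.400", "login", "bob", "203.0.113.9"),
    ("2000-01-01T11:30:00.900", "login", "acct_b", "192.0.2.10"),
    ("2000-01-01T12:00:00.000", "register", "carol", "203.0.113.77"),
    ("2000-01-01T12:40:00.000", "logout", "alice", "203.0.113.5"),
    ("2000-01-01T12:40:30.000", "login", "alice", "203.0.113.5"),
]


def parse(log):
    """Convert timestamps and return the events in chronological order."""
    events = [(datetime.fromisoformat(ts), ev, acct, client)
              for ts, ev, acct, client in log]
    return sorted(events, key=lambda e: e[0])


def account_handoffs(log, window=timedelta(seconds=1), same_client=True):
    """Return (logged_out, logged_in, gap_seconds) for every logout that is
    followed within `window` by a login to a *different* account.

    With same_client=False the match rests on timing alone, which on a busy
    service also pairs unrelated users; the second key is what makes the
    signal useful for an abuse investigation.
    """
    recent_logouts = deque()  # (timestamp, account, client), oldest first
    pairs = []
    for ts, ev, acct, client in parse(log):
        # Drop logouts that are too old to pair with anything from now on.
        while recent_logouts and ts - recent_logouts[0][0] > window:
            recent_logouts.popleft()
        if ev == "logout":
            recent_logouts.append((ts, acct, client))
        elif ev == "login":
            for out_ts, out_acct, out_client in recent_logouts:
                if out_acct == acct:
                    continue  # same user logging back in
                if same_client and out_client != client:
                    continue
                pairs.append((out_acct, acct, (ts - out_ts).total_seconds()))
    return pairs


def registration_bursts(log, window=timedelta(seconds=60), threshold=3):
    """Return {client: [accounts]} for clients that registered at least
    `threshold` accounts inside any sliding `window`."""
    per_client = defaultdict(deque)
    flagged = {}
    for ts, ev, acct, client in parse(log):
        if ev != "register":
            continue
        q = per_client[client]
        q.append((ts, acct))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(client, set()).update(a for _, a in q)
    return {c: sorted(accts) for c, accts in flagged.items()}


if __name__ == "__main__":
    print("handoffs (time + client):", account_handoffs(SAMPLE_LOG))
    print("handoffs (time only):   ",
          account_handoffs(SAMPLE_LOG, same_client=False))
    print("registration bursts:    ", registration_bursts(SAMPLE_LOG))
```

Run with timing as the only key, the sample also pairs the unrelated `bob` login with the logout, which is why a second correlating field matters before acting on a match.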
I don't have an expert understanding of how cookies or VPNs function, but these are the two categories of causes that I came up with. Both seem more likely than Google having timing data from a third-party service.
Within the first category, possibilities include that the phone logged into your Google account while using the VPN, that there was a Google tracking cookie on your phone and that phone wasn't always connected to the VPN so it related 2 ip addresses, and that your other device on same network shared a VPN session with your phone.
The 2nd category I'm including for posterity even if it's unlikely based off your stated usage of FOSS on your phone. That your phone isn't a degoogled OS or other device with Google integration. Smart devices with microphones aren't supposed to collect voice data when not explicitly activated, but it is a potentiality.
At this point I feel like I should have used a throwaway with how many details I'm giving away here haha, but I have never attached a Google account to my phone (I access any Google services via browser), and while I don't run a degoogled OS, I have disabled Play Services and all Google features + apps. I'm aware that there's still a chance that Google has trackers, but those trackers would (1) have to detect which reddit account I was using inside my FOSS reddit client (2) detect which video I watched on my FOSS youtube client. It's possible but I decided that this level of surveillance was both more nefarious and less likely than them using timing analysis.
In your example how does google correlate your particular reddit account with the link you clicked? YouTube can't access your reddit session cookie so how would google be able to disambiguate your reddit session from arbitrary traffic flowing through the reddit page?
That's where the timing comes in. The reddit discussion I clicked the link from was an old one, and so was the youtube video (though it did have hundreds of thousands of views). I was probably the only person who opened them up within the same hour
There was an article about how easy it is to find out if 2 of your Facebook friends are dating just by analyzing when your Facebook friends are online, and there isn't any effective way of stopping it from working other than disabling presence notifications.
Though worrying if it's done, I doubt that it's done at any scale in the way you're suggesting. Linking accounts is PII and the GDPR would require consent, right to view the information, right to correct the information and so on.
I think it was only doable in the end in the article because the data were released as part of a legal process.
Regarding your YouTube story, there are lots of examples of things like this (e.g. "I talked to someone about X in person then saw X in Facebook ads") but I haven't yet seen hard evidence. So far I've written it off as coincidence at scale.
The GDPR considerations are interesting, and it does seem like GDPR can cover things like behavioral data [1]. I'm not sure how it works in regards to Newpipe, the FOSS youtube client I use though. I assume whatever scraper Newpipe uses in the background has already accepted the cookie consent dialog, which would allow Google to start scraping data like IPs and other behavioral data. Not an expert on GDPR law though obviously.
As far as it being a coincidence, that's usually something I assume as well. But it really comes down to a game of probabilities. Is it more likely that it's a coincidence, or that Google is doing timing analysis? In this case, a coincidence just felt less likely. I check my youtube feed at least once a day, so I know what my recommendations look like. This recommendation was so out of the ordinary that it stood out to me in a sea of my usual recommendations. And it stood out so much that it prompted me to go back and check my Newpipe history and Reddit history, and spend like an hour investigating and trying to figure out what was most likely. I even wrote down notes about the incident. Also I should probably mention now that earlier I had said that I got those youtube recommendations the next day, but checking my notes now, it was actually within an hour. The video that was recommended to me was not some trending video, it was already a few months old. I also searched my Youtube history to see if I had watched anything else from the same channel, and I had only watched 2 videos from that channel total, and over a year prior.
I know that timing analysis seems very nefarious, more high-effort and nefarious than I would expect from even a company like Google. But my guess is that they aren't doing it intentionally, they instead just feed a bunch of analytics data (that they have user consent to collect) into some giant ML model, and that ML model has learned to use timing in its predictions.
My understanding is that if you wanted to hurt a YouTube channel, you could do so like this
1. Use a VPN to create a Gmail address.
2. Use that address to file a DMCA notice on each channel video.
3. Google auto-accepts; the channel challenges each notice.
4. You deny all challenges.
And just like that, you can destroy any YouTube channel, without any accountability. Is this correct?
How does Google know you're on a VPN? I'd assume that it could only be inferred from the source IP address of your UA, which implies Google keeps track of well-known VPN source IPs. However, apart from the fact this is imperfect (I assume IP blocks are shifting all the time?) you could easily spin up a VPN of your own on a cloud VPS, in which case tracking IP blocks wouldn't work.
Perhaps simplest of all, you could always sign up for the email on a semi/public wifi access point, or even from a shared computer, as from an internet cafe or even a friends phone.
It's funny how people are siding with Bungie that Google should have given them the details, but these same people complain about Google knowing too much about them and its privacy implications. From the looks of it, Google did the right thing when it comes to siloing data of different departments. YouTube DMCA should not know the IP address of someone that sent the email using Gmail; that is the correct way to go about it.
Genuine question: for Google to offer free services, economic constraints dictate they can't offer human support. If we just assume for a moment this is valid, there is a possible solution:
You can pre-pay $50/hour (in 30 minute increments) for live human access that can fix your problem. The fee is paid no matter whose fault it is -- it's basically a "competent, in-your-country, rep fair wage fee". How much take up would there be? Would that fix the complaints with these free services not offering support?
Except I don’t assume that is valid. Google has plenty of money, they can easily afford support personnel, they’re just more interested in making money.
But for YouTube creators it's NOT a free service, they're uploading videos for YouTube to monetize so both YouTube and the content producers get revenue.
> A smaller content creator might not have even overturned a false DMCA claim
In the YouTube DMCA process, they always, 100% restore your video if you submit a DMCA counterclaim. It'll only stay down if the claimant informs YouTube they are pursuing a lawsuit against you.
> let alone get information about the copyright troll submitting it.
You receive the full information of the copyright holder if you receive a DMCA takedown. You obviously don't get IP log information unless you subpoena Google, though.
What is "after some work" here alluding to (I know it's verbatim from the article but very cryptic)? Can Google arbitrarily share account details with anyone who asks without a subpoena? Does that not violate even their own ToS?
The First Amended Complaint linked in the article indicates that Google required a subpoena (paragraphs 112-114) and were unwilling/unable to provide information informally.
Can anyone explain the below? Did he DMCA strike himself, and then get angry about it? Or am I reading something wrong...
> The clickable emblem link was sent to PerfectNazo1@gmail.com and during the chaos of fake notice campaign, a YouTuber called ‘Lord Nazo’ was hit with fraudulent DMCA notice, sent by the Wiland Google account.
> Apparently angered by this injustice, Lord Nazo fired a DMCA counternotice back at YouTube in which he criticized the wave of fake notices and claimed his video was not infringing since it was a “transformative case of fair use.”
He got legitimately DMCA stricken, then he manufactured a campaign of illegitimate DMCA strikes and hoped he could get his own strike overturned as part of the reversal of illegitimate strikes.
And that idiot revenge campaign served him with over $7M in damages. Assuming he can't pay even a fraction of that amount, what is going to happen to this genius? Will he land in jail for some time?
I have mixed feelings about this however: pretty sure that if they inverted the roles, that is, it was the big company that sent bogus DMCA take down requests, the outcome wouldn't change: the small fish would still be eaten.
He posted the soundtrack from the game to YouTube and got a real DMCA takedown notice. Then he created fake email accounts similar to those used by the law firm Bungie hired and started sending out fake notices.
Does anyone else have any other interesting court case filings to share, off the top of their head, that documents the evidence trail used to unmask litigants?
This doesn't have much of an 'evidence trail' but I thought last year's court filing about the Maryland nuclear engineer was interesting: https://www.justice.gov/opa/pr/maryland-nuclear-engineer-and... (click on the "Download Toebbe Complaint" link to see the full PDF)
Not on the topic of unmasking anyone, but the judgment on Meads v. Meads is required reading on the topic of what's going on now with "sovereign citizens / freeman on the land", an increasingly common thing.
These comments are always the pièce de résistance of HN absolutism.
Google already had a policy of doxxing YT users, only DMCA abusers get protection by default.
I think the technique, itself, is decades old, but has been vastly improved, using AI and algorithms.
It can be used to match things like anonymous rants, to individuals.
See:
https://resources.infosecinstitute.com/topic/timing-analysis...
Or the academic research on the domain https://scholar.google.com/scholar?hl=en&as_sdt=0%2C14&as_vi...
[1]: https://blog.rsisecurity.com/what-is-considered-pii-under-gd...
I definitely did that in the past.
https://www.youtube.com/watch?v=1Jwo5qc78QU
Yet another example of justice for me, but not for thee.
A smaller content creator might not have even overturned a false DMCA claim, let alone get information about the copyright troll submitting it.
[1] https://one.google.com/about
That’s not exactly helpful if it’s a fraudulent claim.
> My channel even got terminated because of all these fake takedowns. Is there anything you can do about this?
His bright idea was to get his account unbanned by hoping Bungie would think it was part of the fake notices.
https://www.canlii.org/en/ab/abqb/doc/2012/2012abqb571/2012a...