> The lawsuit describes Automattic and Mullenweg’s conduct as an abuse of the open-source internet architecture, alleging that “a single individual (Matt Mullenweg) exercises apparent singular control over what they claim to be more than 40% of all websites in the world through his personal website (WordPress.org).” It calls this level of control “an appalling deception” that is “contrary to every conceivable public policy.”
That seems like a specious argument to me. There's no deception involved as far as I can tell, and I can't see how public policy has anything to do with this. It sucks for many reasons that WordPress powers so much of the web, but it's pretty rich for someone whose business is built on WordPress to claim its success is an existential threat. I will not comment on what I think about a cybersecurity business that is built on a WordPress site, as it's simply not relevant.
> There's no deception involved as far as I can tell
Whether it is germane to the case or not, there was plenty of deception:
When the rights were transferred to the WPF, Matt didn't disclose that the Foundation was essentially just him, and the two other nominal members were effectively absent.
When the rights were transferred, and a big deal was made of this, "It now belongs to the WPF, which ensures that no commercial entity or interest can affect what should be a community project", there was no mention of how, on that same day, the WPF silently granted an "irrevocable, non-expiring, exclusive universal commercial licence" to Automattic.
Matt repeatedly would refer to wp.org as a community resource and not his, until push came to shove, and "no, actually, it's exclusively mine and has nothing to do with Automattic or the WPF".
And several other examples. Apropos of anything else, there has been deception.
Matt didn't attest under oath that he was transferring the rights to an arms-length organization; others might have assumed that, but I'm not sure why they would. Isn't the WPF-Automattic relationship more or less the norm with companies that have 'open-source business models'?
> There's no deception involved as far as I can tell
155 pages of deception here: https://wpengine.com/wp-content/uploads/2024/11/51-2.pdf Page 32 "Defendants Conceal the Truth Regarding the WordPress Directory" and page 73 "Wrongfully Expropriate WPE’s Most Popular Plugin" are particularly related. (The part where Matt decides to take over WP Engine's popular plugin and rename it, taking all their customers and reviews, is particularly egregious.)
When you file a lawsuit you initially make every argument you might possibly want to use in your initial filing, knowing some of them will be whittled down. Pretty much every lawsuit ever includes some claims that are a bit of a stretch, because the lawyers need to CYA. If you fail to make the argument you may be precluded from introducing it later, so it's just safer to include it now.
I think it's more about running up the legal bill of the defendant. It costs virtually nothing to include a spurious claim in a complaint (it can literally be a sentence or two). The defense has the burden of getting the weak claim dismissed with pages and pages of arguments (because they don't want any chance of it slipping through).
The bar for a "shotgun" complaint is way too high in the legal system.
I sort of suspect it's also a case of bluffing. You can't know for sure which aspect of a complaint is the one that makes the defendants soil themselves, and you might trigger a settlement or make them behave strangely in ways that give you clues about where exactly it is they're ticklish.
I've been told before that some people will settle a case to avoid setting a legal precedent, which might trigger giant class action suits.
I love how the top comment on every single HN post is some contrarian "nuh uh!" take from someone who is lightyears away from being an expert in that thing.
I'm not a lawyer, but the legal claim made appears to me to be on shaky ground. In my understanding, there has to be actual damages arising out of an action. "I could have been hacked, so I had to spend time/money on it" isn't actual damages unless they were _actually_ hacked.
Why aren't costs involved with a mitigation actual damages?
I'm not sure this is the correct lawsuit to demonstrate this.
So hypothetically, if say you lent a key to a handyman and then they posted a photo of it to Twitter, it seems pretty reasonable for them to cover the costs of replacing the locks. As opposed to having to wait for somebody to rob you and then trying to show that the robber did so from the photo.
> Why aren't costs involved with a mitigation actual damages?
They are. If you ever look at the damage caused by a hack it's in the millions and that's because the time used to investigate and repair and mitigate further attacks is included.
“I want to drive my car without airbags, but I have all these other stupid people on the road who might hit me, so I have to invest in airbags. Maybe I should just preemptively sue them for forcing me to invest in my safety.”
> Sure it is. Money was spent that wouldn't have been if the situation didn't happen.
There are two problems with this.
First, for normal damages, there is some limitation on the costs. If someone breaks the lock on your door and does nothing else, you replace the lock, damages of maybe $40. If someone gets into your servers, you what? Spend ten minutes to check the logs and rotate keys? Wipe and rebuild all the servers? Does the reasonableness of that depend on whether that's an automated process or a manual one? Maybe you should delete your entire code repository and have it rewritten from scratch, in case knowledge of the code could have helped some attacker? There is no upper limit to the amount of resources you could spend investigating something, and then companies with unlimited resources would effectively get to use it as a cudgel against someone who embarrassed them, because $10M is nothing to them but is a life-destroying amount of damages to some kid who made a mistake.
It's like claiming that someone broke the lock on your door so now you're not sure if someone might have been inside and you have to strip the whole building to the rafters to check if someone has planted a listening device or hidden some crypto mining hardware inside the walls, even though you're a company that sells tile and carpets.
Second, if doing the latter was in some way actually justifiable then the company should be periodically doing it anyway, because if a vulnerability existed then it could have been exploited whether anyone was detected or not, so if spending that level of resources could be justified "just in case" then it isn't money that was spent that wouldn't have been if the situation didn't happen. Unless they're full of crap that all of it was actually necessary.
Realistically, this is just going to piggyback on WPEngine's lawsuit.
However, there were customers who migrated to other hosts because of the potential security risk. That is an actual damage. There are people who lost contracts because their potential client chose software other than WordPress. That is an actual damage. There are lots of actual damages that occurred.
I have received class action settlement payments from Verizon, Apple, and others for things I hardly noticed at the time. So maybe your idea of what precedent considers “damages” here is incomplete.
> In my understanding, there has to be actual damages arising out of an action.
Depends on the specific tort, but actual damages aren't the only thing for which there can be liability. Statutory damages, punitive damages, and non-damages based liability (unjust enrichment, disgorgement of profits, etc.) are all things that exist for various torts.
> "I could have been hacked, so I had to spend time/money on it" isn't actual damages unless they were _actually_ hacked.
Why wouldn't reasonable costs incurred to determine or rule out adverse effects of a wrongful act be considered actual damages of that act?
If you break my door lock I'm pretty sure I can't just leave my door wide open for months and then sue you for all of my stuff that got stolen. I need to fix the lock. And ask you to pay for that. Also not a lawyer, but pretty sure you've got to proactively mitigate your damages.
In your scenario, someone _could've_ broken the lock because you're renting a lock from a locking agency Lock Engine, who copied a lock design from LockPress, and LockPress decided not to mail them design flaws anymore.
In the real world, vulnerable locks don't ever get fixed. At worst, locks get recalled, and you get your money back. Lock designs don't get shared freely, and if they do, there is no expectation of informing people that may have copied designs of potential flaws.
If your house got broken into, you should sue Lock Engine, because they're not providing the service you're paying for. Suing LockPress for the lock design Lock Engine decided to copy wholesale is pure nonsense.
> This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
Warranty disclaimers may (or may not, depending on the law of the affected jurisdiction) limit liability for claims on an implied warranty theory, but they certainly don't apply to tortious interference or unfair competition claims.
I’m not saying the claims here are valid, but the warranty disclaimers don't seem at all relevant to the bases of liability asserted.
I haven’t bothered to look at the actual filing, but none of the causes of action mentioned in the article were about warranty, merchantability, or fitness for purpose.
Anyways, here it is: https://storage.courtlistener.com/recap/gov.uscourts.cand.44...
Middlemen hate to show you what they actually do.
Speaking from personal experience, the number of people who click on links for raw documents is an _extremely_ small subset.
Most people don't even read past the headline let alone the lede.
Or because they’ve got it via a back door and don’t want to link to it and reveal that.
Is that ok for you that Apple appropriated the app? They offered the platform, the ecosystem and the store. Is it within their right?
That's what happened here.
https://github.com/WordPress/WordPress/blob/master/license.t...