(Reuters) – Apple Inc (AAPL.O) and Amazon.com Inc (AMZN.O) denied a Bloomberg Businessweek report on Thursday that said their systems had been infiltrated by malicious computer chips inserted by Chinese intelligence agents.FILE PHOTO: The Apple Inc. store is seen on the day of the new iPhone 7 smartphone launch in Los Angeles, California, U.S., September 16, 2016. REUTERS/Lucy Nicholson/File Photo
Bloomberg cited 17 unidentified sources from intelligence agencies and business to support claims that Chinese spies had placed computer chips inside equipment used by about 30 companies and multiple U.S. government agencies, which would give Beijing secret access to internal networks.
China’s Ministry of Foreign Affairs did not respond to a written request for comment. Beijing has previously denied allegations of orchestrating cyber attacks against Western companies.
Security experts who have worked for government agencies and large corporations told Reuters that they were surprised by the stark discrepancy between the claims in the Bloomberg article and the strongly worded denials from Apple and Amazon.com Inc’s (AMZN.O) Amazon Web Services. Some said that certain allegations were plausible, but that the strong denials from companies cited in the piece left them with doubts about whether the attacks had happened.
“There is no truth” to claims in the story that Apple found malicious chips in its servers in 2015, the said in a statement. “This is untrue,” Amazon said in a blog post.FILE PHOTO: The logo of Amazon is seen at the company logistics centre in Boves, France, August 8, 2018. REUTERS/Pascal Rossignol/File Photo
Bloomberg defended its reporting.
“Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks,” Bloomberg said in a statement. “We stand by our story and are confident in our reporting and sources.”
The report said that a unit of the Chinese People’s Liberation Army infiltrated the supply chain of computer hardware maker Super Micro Computer Inc (SMCI.PK) to plant malicious chips that could be used to steal corporate and government secrets.
Super Micro Computer shares fell 38 percent to $13.26 in Pink Sheet trading.
San Jose, California-based Super Micro strongly denied that it sold servers to customers contained malicious microchips in the motherboards of those systems. It said it has never found any malicious chips, had not been informed that such chips were found by any customer, and never been contacted by government agencies on the matter.
Bloomberg reported that Amazon uncovered the malicious chips in 2015 when examining servers manufactured by a company known as Elemental Technologies which Amazon eventually acquired.Apple Inc223.77AAPL.ONASDAQ–(–%)
The investigation found that Elemental servers, which were assembled by Super Micro, were tainted with tiny microchips that were not part of their design, Bloomberg said. Amazon reported the matter to U.S. authorities, who determined that the chips allowed attackers to create “a stealth doorway” into networks using those servers, the story said.
AWS told Bloomberg it had reviewed its records related to the Elemental acquisition and “found no evidence to support claims of malicious chips or hardware modifications.”
Bloomberg also reported that Apple in 2015 found malicious chips in servers it purchased from the hardware maker, citing three unidentified company insiders.
Apple denied the account, saying it had investigated Bloomberg’s claims.
Representatives with the Federal Bureau of Investigation and the U.S. Department of Homeland Security did not respond to requests for comment. A U.S. National Security Agency spokeswoman said she had no immediate comment.
While the companies disputed the facts in the story, security experts noted that there is growing concern that hackers could launch cyber attacks by inserting malicious chips into hardware sold to government agencies and businesses.
“Extended, complex, global supply chains create a risk for malicious cyber activity that companies must take into account,” said Michael Daniel, chief executive of the non-profit Cyber Threat Alliance.
Microsoft unveiled a bunch of Surface hardware during a press event in New York City last night. While matte black Surfaces, headphones with Cortana, and a new Surface Studio were the highlights of the hardware side, Microsoft unveiled an interesting change to its Windows operating system. Windows 10 will soon fully embrace Android to mirror these mobile apps to your PC.
The Android app mirroring will be part of Microsoft’s new Your Phone app for Windows 10. This app debuts this week as part of the Windows 10 October 2018 Update, but the app mirroring part won’t likely appear until next year. Microsoft briefly demonstrated how it will work, though; You’ll be able to simply mirror your phone screen straight onto Windows 10 through the Your Phone app, which will have a list of your Android apps. You can tap to access them and have them appear in the remote session of your phone.
Adults, not teens. Messaging, not Stories. Developing markets, not the U.S. These are how Snapchat will make a comeback, according to CEO Evan Spiegel . In a 6,000-word internal memo from late September leaked to Cheddar’s Alex Heath, Spiegel attempts to revive employee morale with philosophy, tactics and contrition as Snap’s share price sinks to an all-time low of around $8 — half its IPO price and a third of its peak.
“The biggest mistake we made with our redesign was compromising our core product value of being the fastest way to communicate,” Spiegel stresses throughout the memo regarding “Project Cheetah.” It’s the chat that made Snapchat special, and burying it within a combined feed with Stories and failing to build a quick-loading Android app have had disastrous consequences.
Spiegel shows great maturity here, admitting to impatient strategic moves and outlining a cohesive path forward. There’s no talk of Snapchat ruling the social app world here. He seems to understand that’s likely out of reach in the face of Instagram’s competitive onslaught. Instead, Snapchat is satisfied if it can help us express ourselves while finally reaching even meager profitability.
Snapchat may be too perceived as a toy to win enough adults, too late to win back international markets from the Facebook empire and too copyable by good-enough alternatives to grow truly massive. But if Snap can follow the Spiegel game plan, it could carve out a sustainable market through a small but loyal audience who want to communicate through imagery.
Here are the most interesting takeaways from the memo — and why they’re important:
1. Apologizing for rushing the redesign
There were, of course, some downsides to moving as quickly as a cheetah We rushed our redesign, solving one problem but creating many others . . . Unfortunately, we didn’t give ourselves enough time to continue iterating and testing the redesign with a smaller percentage of our community. As a result, we had to continue our iterations after we launched, causing a lot of frustration for our community.
Spiegel always went on his gut rather than relying on user data like Facebook. Aging further and further away from his core audience, he misread what teens cared about. The appealing buzz phrase of “separating social from media” also meant merging messaging and Stories into a chaotic list that made both tougher to use. Spiegel seems to have learned a valuable lesson about the importance of A/B testing.
2. Chat is king
Our redesigned algorithmic Friend Feed made it harder to find the right people to talk to, and moving too quickly meant that we didn’t have time to optimize the Friend Feed for fast performance. We slowed down our product and eroded our core product value. . . . Regrettably, we didn’t understand at the time that the biggest problem with our redesign wasn’t the frustration from influencers – it was the frustration from members of our community who felt like it was harder to communicate . . . In our excitement to innovate and bring many new products into the world, we have lost the core of what made Snapchat the fastest way to communicate.
When Snap first revealed the changes, we predicted that “Teen Snap addicts might complain that the redesign is confusing, jumbling all content from friends together.” That made it too annoying to dig out your friends to send them messages, and Snap’s growth rate imploded, with it losing 3 million users last quarter. Expect Snap to optimize its engineering to make messages quicker to send and receive, and even sacrifice some of its bells and whistles to make chat faster in developing markets.
3. Snapchat must beat Facebook at best friends
Your top friend in a given week contributes 25% of Snap send volume. By the time you get to 18 friends, each incremental friend contributes less than 1% of total Snap send volume each. Finding best friends is a different problem than finding more friends, so we need to think about new ways to help people find the friends they care most about.
Facebook’s biggest structural disadvantage is its broad friend graph that’s bloated to include family, co-workers, bosses and distant acquaintances. That might be fine in a feed app, but not for Stories and messaging where you only care about your closest friends. With friend lists and more, Facebook has tried and failed for a decade to find better ways to communicate with your besties. This is the wedge through which Snapchat can attack Facebook. If it develops special features for luring your best friends onto the app and staying in touch with them for better reasons than just maintaining a Snap “Streak,” it could hit Facebook where it can’t defend itself.
4. Discover soars as Facebook Watch and IGTV stumble
Our Shows continue to attract more and more viewers, with over 18 Shows reaching monthly audiences of over 10M unique viewers. 12 of which are Original productions. As a platform overall, we’ve grown the amount of total time spent engaging with our Shows product, almost tripling since the beginning of the year. Our audience for Publisher Stories has increased over 20% YoY, and we believe there is a significant opportunity to continue growing the number of people who engage with Discover content . . .We are also working to identify content that is performing well outside of Snapchat so that we can bring it into Discover.
Discover remains Snapchat’s biggest differentiator, scoring with premium video content purposefully made for mobile. What it really needs, though, are a few must-see tent-pole shows to drag in a wider audience that can get hooked on the reimagined digital magazine experience.
5. But Discover is a mess
Our content team is working hard to experiment with new layouts and content types in the wake of our redesign to drive increased engagement.
Snapchat Discover is an overcrowded pile of clickbait. News outlets, social media influencers, original video Shows and aggregated user content collections all battle for attention in a design that feels overwhelming to the point of exhaustion. Thankfully, Snapchat seems to recognize that more cohesive sorting with fewer images and headlines bombarding you might make Discover a more pleasant lean-back consumption experience.
6. Aging up to earn money
Most of the incremental growth in our core markets like the US, UK, and France will have to come from older users who generate higher average revenue per user . . . Growing in older demographics will require us to mature our application . . . Many older users today see Snapchat as frivolous or a waste of time because they think Snapchat is social media rather than a faster way to communicate. Changing the design language of our product and improving our marketing and communications around Snapchat will help users understand our value . . . aging-up our community in core markets will also help the media, advertisers, and Wall Street understand Snapchat.
Snapchat can’t just be for cool kids anymore. Their lower buying power and life stage make them less appealing to brands. The problem is that Snapchat risks turning off younger users by courting their older siblings or adults. If, like Facebook, users start to feel like Snapchat is a place for parents, they may defect in search of the next purposefully built app to confuse adults to stay hip.
7. Finally prioritizing developing markets
We already have many projects underway to unlock our core product value in new markets. Mushroom allows our community to use Snapchat on lower-end devices. Arroyo, our new gateway architecture, will speed up messaging and many other services . . . It might require us to change our products for different markets where some of our value-add features detract from our core product value.
Sources tell me Snapchat’s future depends on the engineering overhaul of its Android app, a project codenamed “Mushroom.” Slow video load times and bugs have made Snapchat practically unusable on low-bandwidth connections and old Android phones in the developing world. The company concentrated on the U.S. and other first-world markets, leaving the door open for copycats of Stories built by Instagram (400 million daily users) and WhatsApp (450 million daily users) to invade the developing world and dwarf Snap’s 188 million total daily users. In hopes of a smooth rollout, Snapchat is already testing Mushroom, but it will have to do a ton of marketing outreach to convince frustrated users who ditched the app to give it another try.
8. Fresh ideas, separate apps
We’re currently building software that takes the millions of Snaps submitted to Our Story and reconstructs parts of the world in 3D. We can then build augmented reality experiences on top of those models and distribute them as Lenses . . . If our innovation compromises our core product of being the fastest way to communicate, we should consider create [sic] separate applications or other ways of delivering our innovation.
Snapchat has big plans for augmented reality. It doesn’t just want to stick animations over the top of anywhere, or create AR art installations in a few big cities. It wants to build site-specific AR experiences across the globe. And while everything the company has built to date has lived inside of Snapchat, it’s willing to spawn standalone apps if necessary so that it doesn’t bog down its messaging service. That could give Snapchat a lot more leeway to experiment.
9. The freedom of profitability
Our 2019 stretch output goal will be an acceleration in revenue growth and full year free cash flow and profitability. With profitability comes increased autonomy and freedom to operate our business in the long term best interest of our community without the pressure of needing to raise additional capital.
Urmila Mahadev spent eight years in graduate school solving one of the most basic questions in quantum computation: How do you know whether a quantum computer has done anything quantum at all?6
In the spring of 2017, Urmila Mahadev found herself in what most graduate students would consider a pretty sweet position. She had just solved a major problem in quantum computation, the study of computers that derive their power from the strange laws of quantum physics. Combined with her earlier papers, Mahadev’s new result, on what is called blind computation, made it “clear she was a rising star,” said Scott Aaronson, a computer scientist at the University of Texas, Austin.
Mahadev, who was 28 at the time, was already in her seventh year of graduate school at the University of California, Berkeley — long past the stage when most students become impatient to graduate. Now, finally, she had the makings of a “very beautiful Ph.D. dissertation,” said Umesh Vazirani, her doctoral adviser at Berkeley.
But Mahadev did not graduate that year. She didn’t even consider graduating. She wasn’t finished.
For more than five years, she’d had a different research problem in her sights, one that Aaronson called “one of the most basic questions you can ask in quantum computation.” Namely: If you ask a quantum computer to perform a computation for you, how can you know whether it has really followed your instructions, or even done anything quantum at all?
This question may soon be far from academic. Before too many years have elapsed, researchers hope, quantum computers may be able to offer exponential speedups on a host of problems, from modeling the behavior around a black hole to simulating how a large protein folds up.
A quantum computer is very powerful, but it’s also very secretive.
Umesh Vazirani, University of California, Berkeley
But once a quantum computer can perform computations a classical computer can’t, how will we know if it has done them correctly? If you distrust an ordinary computer, you can, in theory, scrutinize every step of its computations for yourself. But quantum systems are fundamentally resistant to this kind of checking. For one thing, their inner workings are incredibly complex: Writing down a description of the internal state of a computer with just a few hundred quantum bits (or “qubits”) would require a hard drive larger than the entire visible universe.
And even if you somehow had enough space to write down this description, there would be no way to get at it. The inner state of a quantum computer is generally a superposition of many different non-quantum, “classical” states (like Schrödinger’s cat, which is simultaneously dead and alive). But as soon as you measure a quantum state, it collapses into just one of these classical states. Peer inside a 300-qubit quantum computer, and essentially all you will see is 300 classical bits — zeros and ones — smiling blandly up at you.
“A quantum computer is very powerful, but it’s also very secretive,” Vazirani said.
Given these constraints, computer scientists have long wondered whether it is possible for a quantum computer to provide any ironclad guarantee that it really has done what it claimed. “Is the interaction between the quantum and the classical worlds strong enough so that a dialogue is possible?” asked Dorit Aharonov, a computer scientist at the Hebrew University of Jerusalem.
During her second year of graduate school, Mahadev became captivated by this problem, for reasons even she doesn’t fully understand. In the years that followed, she tried one approach after another. “I’ve had a lot of moments where I think I’m doing things right, and then they break, either very quickly or after a year,” she said.
But she refused to give up. Mahadev displayed a level of sustained determination that Vazirani has never seen matched. “Urmila is just absolutely extraordinary in this sense,” he said.
Now, after eight years of graduate school, Mahadev has succeeded. She has come up with an interactive protocol by which users with no quantum powers of their own can nevertheless employ cryptography to put a harness on a quantum computer and drive it wherever they want, with the certainty that the quantum computer is following their orders. Mahadev’s approach, Vazirani said, gives the user “leverage that the computer just can’t shake off.”
For a graduate student to achieve such a result as a solo effort is “pretty astounding,” Aaronson said.
Mahadev, who is now a postdoctoral researcher at Berkeley, presented her protocol yesterday at the annual Symposium on Foundations of Computer Science, one of theoretical computer science’s biggest conferences, held this year in Paris. Her work has been awarded the meeting’s “best paper” and “best student paper” prizes, a rare honor for a theoretical computer scientist.
In a blog post, Thomas Vidick, a computer scientist at the California Institute of Technology who has collaborated with Mahadev in the past, called her result “one of the most outstanding ideas to have emerged at the interface of quantum computing and theoretical computer science in recent years.”
Quantum computation researchers are excited not just about what Mahadev’s protocol achieves, but also about the radically new approach she has brought to bear on the problem. Using classical cryptography in the quantum realm is a “truly novel idea,” Vidick wrote. “I expect many more results to continue building on these ideas.”
A Long Road
Raised in Los Angeles in a family of doctors, Mahadev attended the University of Southern California, where she wandered from one area of study to another, at first convinced only that she did not want to become a doctor herself. Then a class taught by the computer scientist Leonard Adleman, one of the creators of the famous RSA encryption algorithm, got her excited about theoretical computer science. She applied to graduate school at Berkeley, explaining in her application that she was interested in all aspects of theoretical computer science — except for quantum computation.
“It sounded like the most foreign thing, the thing I knew least about,” she said.
But once she was at Berkeley, Vazirani’s accessible explanations soon changed her mind. He introduced her to the question of finding a protocol for verifying a quantum computation, and the problem “really fired up her imagination,” Vazirani said.
“Protocols are like puzzles,” Mahadev explained. “To me, they seem easier to get into than other questions, because you can immediately start thinking of protocols yourself and then breaking them, and that lets you see how they work.” She chose the problem for her doctoral research, launching herself on what Vazirani called “a very long road.”
If a quantum computer can solve a problem that a classical computer cannot, that doesn’t automatically mean the solution will be hard to check. Take, for example, the problem of factoring large numbers, a task that a big quantum computer could solve efficiently, but which is thought to be beyond the reach of any classical computer. Even if a classical computer can’t factor a number, it can easily check whether a quantum computer’s factorization is correct — it just needs to multiply the factors together and see if they produce the right answer.
Yet computer scientists believe (and have recently taken a step toward proving) that many of the problems a quantum computer could solve do not have this feature. In other words, a classical computer not only cannot solve them, but cannot even recognize whether a proposed solution is correct. In light of this, around 2004, Daniel Gottesman — a physicist at the Perimeter Institute for Theoretical Physics in Waterloo, Ontario — posed the question of whether it is possible to come up with any protocol by which a quantum computer can prove to a non-quantum observer that it really has done what it claimed.
Within four years, quantum computation researchers had achieved a partial answer. It is possible, two differentteamsshowed, for a quantum computer to prove its computations, not to a purely classical verifier, but to a verifier who has access to a very small quantum computer of her own. Researchers later refined this approach to show that all the verifier needs is the capacity to measure a single qubit at a time.
And in 2012, a team of researchers including Vazirani showed that a completely classical verifier could check quantum computations if they were carried out by a pair of quantum computers that can’t communicate with each other. But that paper’s approach was tailored to this specific scenario, and the problem seemed to hit a dead end there, Gottesman said. “I think there were probably people who thought you couldn’t go further.”
It was around this time that Mahadev encountered the verification problem. At first, she tried to come up with an “unconditional” result, one that makes no assumptions about what a quantum computer can or cannot do. But after she had worked on the problem for a while with no progress, Vazirani proposed instead the possibility of using “post-quantum” cryptography — that is, cryptography that researchers believe is beyond the capability of even a quantum computer to break, although they don’t know for sure. (Methods such as the RSA algorithm that are used to encrypt things like online transactions are not post-quantum — a large quantum computer could break them, because their security depends on the hardness of factoring large numbers.)
In 2016, while working on a different problem, Mahadev and Vazirani made an advance that would later prove crucial. In collaboration with Paul Christiano, a computer scientist now at OpenAI, a company in San Francisco, they developed a way to use cryptography to get a quantum computer to build what we’ll call a “secret state” — one whose description is known to the classical verifier, but not to the quantum computer itself.
Their procedure relies on what’s called a “trapdoor” function — one that is easy to carry out, but hard to reverse unless you possess a secret cryptographic key. (The researchers didn’t know how to actually build a suitable trapdoor function yet — that would come later.) The function is also required to be “two-to-one,” meaning that every output corresponds to two different inputs. Think, for example of the function that squares numbers — apart from the number 0, each output (such as 9) has two corresponding inputs (3 and −3).
Armed with such a function, you can get a quantum computer to create a secret state as follows: First, you ask the computer to build a superposition of all the possible inputs to the function (this might sound complicated for the computer to carry out, but it’s actually easy). Then, you tell the computer to apply the function to this giant superposition, creating a new state that is a superposition of all the possible outputs of the function. The input and output superpositions will be entangled, which means that a measurement on one of them will instantly affect the other.
I was never thinking of graduation, because my goal was never graduation.
Next, you ask the computer to measure the output state and tell you the result. This measurement collapses the output state down to just one of the possible outputs, and the input state instantly collapses to match it, since they are entangled — for instance, if you use the squaring function, then if the output is the 9 state, the input will collapse down to a superposition of the 3 and −3 states.
But remember that you’re using a trapdoor function. You have the trapdoor’s secret key, so you can easily figure out the two states that make up the input superposition. But the quantum computer cannot. And it can’t simply measure the input superposition to figure out what it is made of, because that measurement would collapse it further, leaving the computer with one of the two inputs but no way to figure out the other.
In 2017, Mahadev figured out how to build the trapdoor functions at the core of the secret-state method by using a type of cryptography called Learning With Errors (LWE). Using these trapdoor functions, she was able to create a quantum version of “blind” computation, by which cloud-computing users can mask their data so the cloud computer can’t read it, even while it is computing on it. And shortly after that, Mahadev, Vazirani and Christiano teamed up with Vidick and Zvika Brakerski (of the Weizmann Institute of Science in Israel) to refine these trapdoor functions still further, using the secret-state method to develop a foolproof way for a quantum computer to generate provably random numbers.
Mahadev could have graduated on the strength of these results, but she was determined to keep working until she had solved the verification problem. “I was never thinking of graduation, because my goal was never graduation,” she said.
Not knowing whether she would be able to solve it was stressful at times. But, she said, “I was spending time learning about things that I was interested in, so it couldn’t really be a waste of time.”
Set in Stone
Mahadev tried various ways of getting from the secret-state method to a verification protocol, but for a while she got nowhere. Then she had a thought: Researchers had already shown that a verifier can check a quantum computer if the verifier is capable of measuring quantum bits. A classical verifier lacks this capability, by definition. But what if the classical verifier could somehow force the quantum computer to perform the measurements itself and report them honestly?
The tricky part, Mahadev realized, would be to get the quantum computer to commit to which state it was going to measure before it knew which kind of measurement the verifier would ask for — otherwise, it would be easy for the computer to fool the verifier. That’s where the secret-state method comes into play: Mahadev’s protocol requires the quantum computer to first create a secret state and then entangle it with the state it is supposed to measure. Only then does the computer find out what kind of measurement to perform.
Since the computer doesn’t know the makeup of the secret state but the verifier does, Mahadev showed that it’s impossible for the quantum computer to cheat significantly without leaving unmistakable traces of its duplicity. Essentially, Vidick wrote, the qubits the computer is to measure have been “set in cryptographic stone.” Because of this, if the measurement results look like a correct proof, the verifier can feel confident that they really are.
“It is such a wonderful idea!” Vidick wrote. “It stuns me every time Urmila explains it.”
Mahadev’s verification protocol — along with the random-number generator and the blind encryption method — depends on the assumption that quantum computers cannot crack LWE. At present, LWE is widely regarded as a leading candidate for post-quantum cryptography, and it may soon be adopted by the National Institute of Standards and Technology as its new cryptographic standard, to replace the ones a quantum computer could break. That doesn’t guarantee that it really is secure against quantum computers, Gottesman cautioned. “But so far it’s solid,” he said. “No one has found evidence that it’s likely to be breakable.”
In any case, the protocol’s reliance on LWE gives Mahadev’s work a win-win flavor, Vidick wrote. The only way that a quantum computer could fool the protocol is if someone in the quantum computing world figured out how to break LWE, which would itself be a remarkable achievement.
Mahadev’s protocol is unlikely to be implemented in a real quantum computer in the immediate future. For the time being, the protocol requires too much computing power to be practical. But that could change in the coming years, as quantum computers get larger and researchers streamline the protocol.
Mahadev’s protocol probably won’t be feasible within, say, the next five years, but “it is not completely off in fantasyland either,” Aaronson said. “It is something you could start thinking about, if all goes well, at the next stage of the evolution of quantum computers.”
And given how quickly the field is now moving, that stage could arrive sooner rather than later. After all, just five years ago, Vidick said, researchers thought that it would be many years before a quantum computer could solve any problem that a classical computer cannot. “Now,” he said, “people think it’s going to happen in a year or two.”
As for Mahadev, solving her favorite problem has left her feeling a bit at sea. She wishes she could understand just what it was about that problem that made it right for her, she said. “I have to find a new question now, so it would be nice to know.”
But theoretical computer scientists see Mahadev’s unification of quantum computation and cryptography not so much as the end of a story, but as the initial exploration of what will hopefully prove a rich vein of ideas.
“My feeling is that there are going to be lots of follow-ups,” Aharonov said. “I’m looking forward to more results from Urmila.”
When building applications that display untrusted content, security designers have a major problem— if an attacker has full control of a block of pixels, he can make those pixels look like anything he wants, including the UI of the application itself. He can then induce the user to undertake an unsafe action, and a user will be none the wiser.
In web browsers, the browser itself usually fully controls the top of the window, while pixels under the top are under control of the site. I’ve recently heard this called the line of death:
If a user trusts pixels above the line of death, the thinking goes, they’ll be safe, but if they can be convinced to trust the pixels below the line, they’re gonna die.
Unfortunately, this crucial demarcation isn’t explicitly pointed out to the user, and even more unfortunately, it’s not an absolute.
For instance, because the area above the LoD is so small, sometimes more space is needed to display trusted UI. Chrome attempts to resolve this by showing a little chevron that crosses the LoD:
…because untrusted markup cannot cross the LoD. Unfortunately, as you can see in the screenshot, the treatment is inconsistent; in the PageInfo flyout, the chevron points to the bottom of the lock and the PageInfo box overlaps the LoD, while in the Permission flyout the chevron points to the bottom of the omnibox and the Permission box only abuts the LoD. Sometimes, the chevron is omitted, as in the case of Authentication dialogs, and as of Chrome 70, the chevron appears to have been removed entirely for all UI.
Alas, even when it was in Chrome, the chevron is subtle, and I expect most users will fall for a faked chevron, like some sites have started to use1:
The bigger problem is that some attacker data is allowed above the LoD; while trusting the content below the LoD will kill your security, there are also areas of death above the line. A more accurate Zones of Death map might look like this:
In Zone 1, the attacker’s chosen icon and page title are shown. This information is controlled fully by the attacker and thus may consist entirely of deceptive content and lies.
In Zone 2, the attacker’s domain name is shown. Some information security pros will argue that this is the only “trustworthy” component of the URL, insofar as if the URL is HTTPS then the domain correctly identifies the site to which you’re connected. Unfortunately, your idea of trustworthy might be different than the experts’; https://paypal-account.com/ may really be the domain you loaded, but it has no relationship with the legitimate payment service found at https://paypal.com.
The path component of the URL in Zone 3 is fully untrustworthy; the URL http://account-update.com/paypal.com/ has nothing to do with Paypal either, and while spoofing here is less convincing, it also may be harder for the good guys to block because the spoofing content is not found in DNS nor does it create any records in Certificate Transparency logs.
Zone 4 is the web content area. Nothing in this area is to be believed. Unfortunately, on windowed operating systems, this is worse than it sounds, because it creates the possibility of picture-in-picture attacks, where an entire browser window, including its trusted pixels, can be faked:
When hearing of picture-in-picture attacks, many people immediately brainstorm defenses; many related to personalization. For instance, if you run your OS or browser with a custom theme, the thinking goes, you won’t be fooled. Unfortunately, there’s evidence that that just isn’t the case.
Back in 2007 as the IE team was launching Extended Validation (EV) certificates, Microsoft Research was publishing a paper calling into question their effectiveness. A Fortune 500 financial company came to visit the IE team as they evaluated whether they wanted to go into the EV Certificate Authority business. They were excited about the prospect (as were we, since they were a well-known-name with natural synergies) but they noted that they thought the picture-in-picture problem was a fatal flaw.
I was defensive– “It’s interesting,” I conceded, “but I don’t think it’s a very plausible attack.”
They retorted “Well, we passed this screenshot around our entire information security department, and nobody could tell it’s a picture-in-picture attack. Can you?” they slid an 8.5×11 color print across the table.
“Of course!” I said, immediately relieved. I quickly grew gravely depressed as I realized the implications of the fact that they couldn’t tell the difference.
“How?” they demanded.
“It’s a picture of an IE7 browser running on Windows Vista in the transparent Aero Glass theme with a page containing a JPEG of an IE7 browser running on Windows XP in the Luna aka Fisher Price theme?” I pointed out.
“Oh. Huh.” they noted.
My thoughts of using browser personalization as an effective mitigation died that day.
Other mitigations were proposed; one CA built an extension where hovering over the EV Lock Icon (“Trust Badge”) would dim the entire screen except for the badge. One team proposed using image analysis to scan the current webpage for anything that looked like a fake EV badge.
Personally, my favorite approach was Tyler Close’s idea that the browser should use PetNames for site identity– think of them as a Gravatar icon for salted certificate hashes– not only would they make every HTTPS site’s identity look unique to each user, but this could also be used as a means of detecting fraudulent or misissued certificates (in a world before we had certificate transparency).
The Future is Here … and It’s Worse
HTML5 adds a Fullscreen API, which means the Zone of Death looks like this:
The Metro/Immersive/Modern mode of Internet Explorer in Windows 8 suffered from the same problem; because it was designed with a philosophy of “content over chrome”, there were no reliable trustworthy pixels. I begged for a persistent trustbadge to adorn the bottom-right of the screen (showing a security origin and a lock) but was overruled. One enterprising security tester in Windows made a visually-perfect spoofing site of Paypal, where even the user gestures that displayed the ephemeral browser UI were intercepted and fake indicators were shown. It was terrifying stuff, mitigated only by the hope that no one would use the new mode.
Virtually all mobile operating systems suffer from the same issue– due to UI space constraints, there are no trustworthy pixels, allowing any application to spoof another application or the operating system itself. Historically, some operating systems have attempted to mitigate the problem by introducing a secure user gesture (on Windows, it’s Ctrl+Alt+Delete) that always shows trusted UI, but such measures tend to confuse users (limiting their effectiveness) and often get “optimized away” when the UX team’s designers get ahold of the product.
It will be interesting to see how WebVR tries to address this problem on an even grander scale.
Of course, other applications have the concept of a LoD as well, including web applications. Unfortunately, they often get this wrong. Consider Outlook.com’s rendering of an email:
When Outlook has received an email from a trusted sender, they notify the user via a “This message is from a trusted sender.” notice. Which appears directly inside a Zone of Death:
Enterprising phishers have taken advantage of this and generate their own fake “trusted sender” notifications atop their phishing content. Similar attacks exist against email-signing mechanisms.
The Azure Data Lake service was released on November 16, 2016. Azure Data Lake is built on the learnings and technologies of COSMOS, Microsoft’s internal big data system. COSMOS is used to store and process data for applications such as Azure, AdCenter, Bing, MSN, Skype and Windows Live. COSMOS features a SQL-like query engine called SCOPE upon which U-SQL was built.
Alphabet Inc.’s Google has decided not to compete for the Pentagon’s cloud-computing contract valued at as much as $10 billion, saying the project may conflict with its corporate values.
The project, known as the Joint Enterprise Defense Infrastructure cloud, or JEDI, involves transitioning massive amounts of Defense Department data to a commercially operated cloud system. Companies are due to submit bids for the contract, which could last as long as 10 years, on Oct. 12th.
Google’s announcement on Monday came just months after the company decided not to renew its contract with a Pentagon artificial intelligence program, after extensive protests from employees of the internet giant about working with the military. The company then released a set of principles designed to evaluate what kind of artificial intelligence projects it would pursue.
“We are not bidding on the JEDI contract because first, we couldn’t be assured that it would align with our AI Principles,” a Google spokesman said in a statement. “And second, we determined that there were portions of the contract that were out of scope with our current government certifications.”
The spokesman added that Google is “working to support the U.S. government with our cloud in many ways.”
The Tech Workers Coalition, which advocates for giving employees a say in technology company decisions, said in a statement that Google’s decision to withdraw from the cloud competition stemmed from “sustained” pressure from tech workers who “have significant power, and are increasingly willing to use it.”
Google is behind other technology companies such as Amazon.com Inc. and Microsoft Corp. in obtaining government cloud-security authorizations that depend on the sensitivity of data a service is hosting.
The JEDI contract attracted widespread interest from technology companies struggling to catch up with Amazon in the burgeoning federal government market for cloud services. Final requirements for the project were released in July after a months-long lobbying campaign in Washington by tech companies including Microsoft, International Business Machines Corp. and Oracle Corp. that opposed the Pentagon’s plans to choose just one winner for the project instead of splitting the contract among a number of providers.
“Had the JEDI contract been open to multiple vendors, we would have submitted a compelling solution for portions of it,” the Google spokesman said. “Google Cloud believes that a multi-cloud approach is in the best interest of government agencies, because it allows them to choose the right cloud for the right workload.”
In a report to Congress, the Defense Department said making multiple awards under current acquisition law would be a slow process that “could prevent DoD from rapidly delivering new capabilities and improved effectiveness to the warfighter that enterprise-level cloud computing can enable.”
The department also said it expects “to maintain contracts with numerous cloud providers to access specialized capabilities not available under the JEDI Cloud contract.”
Eric Schmidt, who has been the CEO of Google and executive chairman of its parent company, Alphabet, predicts that within the next decade there will be two distinct internets: one led by the U.S. and the other by China.
Schmidt shared his thoughts at a private event in San Francisco on Wednesday night convened by investment firm Village Global VC. The firm enlists tech luminaries — including Schmidt, Jeff Bezos, Bill Gates and Diane Green — as limited partners, then invests their money into early-stage tech ventures.
At the event, economist Tyler Cowen asked about the possibility of the internet fragmenting into different sub-internets with different regulations and limited access between them in coming years. “What’s the chance, say, 10 to 15 years, we have just three to four separate internets?”
“I think the most likely scenario now is not a splintering, but rather a bifurcation into a Chinese-led internet and a non-Chinese internet led by America.
If you look at China, and I was just there, the scale of the companies that are being built, the services being built, the wealth that is being created is phenomenal. Chinese Internet is a greater percentage of the GDP of China, which is a big number, than the same percentage of the US, which is also a big number.
If you think of China as like ‘Oh yeah, they’re good with the Internet,’ you’re missing the point. Globalization means that they get to play too. I think you’re going to see fantastic leadership in products and services from China. There’s a real danger that along with those products and services comes a different leadership regime from government, with censorship, controls, etc.
Look at the way BRI works – their Belt and Road Initiative, which involves 60-ish countries – it’s perfectly possible those countries will begin to take on the infrastructure that China has with some loss of freedom.”
The Belt and Road is a massive initiative by Beijing to increase China’s political and economic influence by connecting and facilitating all kinds of trade, including digital trade, between China and countries in Europe, Africa, the Middle East and Asia.
Schmidt’s predictions come at a time when his successor at Google, CEO Sundar Pichai, has stirred up controversy around the company’s strategy in China.
Reportedly, Google has been developing “Project Dragonfly,” a censored version of its search engine that could appease authorities in China. The project allegedly included a means to suppress some search results, booting them off the first page, and a means to fully block results for sensitive queries, for example, around “peaceful protests.”
Pichai has said that Google has been “very open about our desire to do more in China,” and that the team “has been in an exploration stage for quite a while now,” and considering “many options,” but is nowhere near launching in China.
In a separate discussion last night between Schmidt and several start-up founders, he lauded Chinese tech products, services and adoption, especially in mobile payments. He noted that Starbucks in China don’t feature a register. Customers order ahead online and pay with their phones before picking up their lattes.
A business development leader with Facebook, Ime Archebong, asked Schmidt if large tech companies are doing enough good in the world.
Schmidt replied: “The judge of this is others, not us. Self-referential conversations about ‘Do I feel good about what I’m doing?’ are not very helpful. The judge is outside.”
At several points in the private discussion, Schmidt urged entrepreneurs to build products and services that are not merely addictive, but valuable. He also said not enough companies “measure the right things.” Too many focus on short-term revenue growth and satisfying shareholders, rather than what’s best for their users, society and the long-term health of their companies.
Schmidt was the CEO of Google from 2001, when he took over from co-founder Larry Page, through 2011, when Page reclaimed the reins. He remained as executive chairman of Google and then Alphabet until earlier this year.
Correction: Eric Schmidt did not specify a date by which he believed the internet would bifurcate. He was responding to a question from Tyler Cowen which specified “in the next 10 to 15 years.”
There are over 1.5 billion websites on the world wide web today. Of these, less than 200 million are active. The milestone of 1 billion websites was first reached in September of 2014, as confirmed by NetCraft in its October 2014 Web Server Survey and first estimated and announced by Internet Live Stats (see the tweetfrom the inventor of the World Wide Web, Tim Berners-Lee). The number had subsequently declined, reverting back to a level below 1 billion (due to the monthly fluctuations in the count of inactive websites) before reaching again and stabilizing above the 1 billion mark starting in March of 2016. During 2016, the total number of sites has grown significantly, from 900 million in January 2016 to 1.7 billion in December 2016. From 1 website in 1991 to 1 billion in 2014, the chart and table below show the total number of websites by year throughout history:Total number of WebsitesWebsites2000200120022003200420052006200720082009201020112012201320142015201620170500,000,0001,000,000,0001,500,000,0002,000,000,000Year2011Websites:346,004,403
By “Website” we mean unique hostname (a name which can be resolved, using a name server, into an IP Address). It must be noted that around 75% of websites today are not active, but parked domains or similar. 
Source: NetCraft and Internet Live Stats (elaboration of data by Matthew Gray of MIT and Hobbes’ Internet Timeline and Pingdom)
Periodic drops in the total count can depend on various factors, including an improvement in NetCraft’s handling of wildcard hostnames. For example, in August 2012, over 40 million hostnames on only 242 IP addresses were removed from the Survey.
The first-ever website (info.cern.ch) was published on August 6, 1991 by British physicist Tim Berners-Lee while at CERN, in Switzerland.  On April 30, 1993 CERN made World Wide Web (“W3” for short) technology available on a royalty-free basis to the public domain, allowing the Web to flourish.
The World Wide Web was invented in March of 1989 by Tim Berners-Lee (see the original proposal). He also introduced the first web server, the first browser and editor (the “WorldWideWeb.app”), the Hypertext Transfer Protocol (HTTP) and, in October 1990, the first version of the “HyperText Markup Language” (HTML).
In 2013 alone, the web has grown by more than one third: from about 630 million websites at the start of the year to over 850 million by December 2013 (of which 180 million were active).
In 2016, the number of websites has almost doubled: from 900 million to 1.7 billion. However, the more reliable active website count was stable at around 170 million throughout the year.
Over 50% of websites today are hosted on either Apache or nginx, both open source web servers. As of June 2014, Microsoft has got very close to Apache in terms of market share (only a 0.15% difference separates the two). If the trend continues, Microsoft could soon become the leading web server developer for the first time in history.
Over the course of the summer, I have been researching notices pertaining to the little-known “stolen article” copyright scam that has been used to successfully remove an unknown number of unwanted URLs from the Google’s search results. The scam is relatively easy to execute, and has grown in popularity since 2013. Below, I discuss the nature of this content removal tactic, and present my findings from a preliminary dataset of 42 DMCA notices targeting a total of 52 allegedly infringing URLs.
Businesses have become increasingly creative in their attempts to misuse the DMCA to remove negative reviews from the Internet. They have gone to great lengths to falsely claim copyright infringement with the intent of taking down content from Google’s search results and review sites.
One such tactic is the “stolen article” scam, which uses fake websites and backdated articles to remove content online. As described in a previous blog post, the scam typically plays out as follows:
A company (or individual) will come across some undesirable content online, which they believe will cause them reputational harm. Desperate to censor the content at any cost, and lacking a valid case for defamation, they will often seek the assistance of a “reputation management” agency. These agencies will proceed to create a website masquerading as a legitimate news source, whose sole purpose is to host the very content their client is seeking to remove, usually disguised in the form of a news article. The article is then backdated to give it the appearance of being published prior to the allegedly infringing content. The reputation management agency then files a DMCA notice on behalf of the “journalist” who wrote the review, claiming it was stolen from their client’s website, all the while shielding the true client’s name with an alias designed to make it difficult to trace back to them.
The goal of this research project was to gather a varied sample of notices from the Lumen Database, which appeared to be using the stolen article scam to silence negative publicity online. Each notice was thoroughly investigated to ensure it was sufficiently “suspicious” to include in the dataset. The search for notices was not limited by date of submission, as this has shown to be a fairly new phenomenon in the world of digital copyright fraud.
In order to find notices that bear a close resemblance to those using the stolen article scam, I searched for several combinations of the following words directly into the Lumen Database: “copied,” “review,” “stole,” “stolen,” “text,” “article,” “copyright,” “journalist,” in addition to the names of some well-known review sites like “Ripoff Report,” “Yelp,” and “TripAdvisor.” Results were then filtered by topic to only show DMCA notices.
Google Transparency Report
Once I had gathered the names of some of the “journalists” or “news sites” submitting DMCA takedowns to Google, I could then search Google’s Transparency Report for more of them. Under the section for “content removals due to copyright,” I was able to search for additional DMCA takedown notices submitted on behalf of the fraudulent websites.
Although there is little written about this particular scam, I was able to find some examples in the press which served as a good starting point. Some notable mentions involve a UK home renovation company, a prominent Google executive, and an online gadget retailer, all allegedly attempting to remove negative reviews or articles by creating and backdating fake news articles online. WebActivism, a crowdfunded website dedicated to exposing online scams, was also tremendously helpful in my search for fake DMCAs.
DomainTools is an incredibly useful resource which allows you to look up historical WHOIS data of a particular domain.
For instance, let us examine a notice filed by “Fox18 News Network LLC” as a model for researching fake DMCAs. Fox18 News Network LLC sent a DMCA takedown notice to the New York Daily News claiming its article about a teen therapy program, Trails Carolina, was stolen from its website. The New York Daily News article was published on November 26, 2014. Fox 18 News Network LLC claims its article was published on November 25, 2014, one day prior.
By looking at the historical WHOIS data, we can see that the domain registration for fox18news.com at the time the DMCA takedown notice was filed, was last updated on August 24, 2015 to a new registrant by the name of “Registration Private” residing in Scottsdale, Arizona. This is most likely the date the domain was purchased by its new owner.
WHOIS registration for fox18news.com courtesy of DomainTools
The IP address history shows an IP change on September 1, 2015. The name server history also shows a change of server on August 27, 2015.
IP address history of fox18news.com courtesy of DomainTools
Name server history of fox18news.com courtesy of DomainTools
Listed below are the relevant dates in chronological order:
November 26, 2014: New York Daily News publishes article about Trails Carolina. August 24, 2015: WHOIS registration data for fox18news.com is updated with a new owner. August 27, 2015: fox18news.com hosting server is changed. September 1, 2015: IP address shows a change. April 12, 2016: DMCA takedown notice filed against New York Daily News. Today: Fox 18 News no longer exists. The domain belongs to a new owner, and there is no trace of the news site or article in question.
As you can see, Fox 18 News’ domain history paints a very different picture than the one they are trying to portray in in their DMCA notice. Based on this information, we can therefore conclude that the domain name was likely acquired on August 24, 2015, nine months after the New York Daily News article was written, meaning their “news site” did not belong to them when the supposedly infringing article was published. Fox 18 News’ article was clearly backdated to make it appear as if it was written before the original one.
The Wayback Machine reveals no archived webpages for fox18news.com from May 2006 until March 2016, when it first appeared as a “news site.” There are a several snapshots in 2014 and 2015 although they ultimately lead to dead links.
A look back at a snapshot of the article captured by WebActivism shows it was “published” on November 25, 2014, one day before New York Daily News allegedly stole it from them on November 26, 2014.
After taking the website’s domain history and archived pages into account, we can conclude with some certainty that the Fox 18 News article was published over a year after the New York Daily News article, and that it was backdated to give the impression that it was published first.
I was able to gather a sample of 42 individual notices fitting the profile of the stolen article scam in the Lumen Database, targeting a total of 52 URLs to be removed from Google’s search results. Each notice was thoroughly investigated, as to only include the ones that had a strong indication of being fraudulent.
The notice descriptions revealed some wording patterns frequently used in these kinds of scams. The world cloud below provides a visual representation of the most commonly used words included in the DMCA notices.
Word cloud of DMCA notice descriptions created on TagCrowd
References to specific business names or individuals, as well as quoted texts from the infringing articles, were removed from the world cloud analysis in order to have a clearer picture of the generic language used by the reputation companies in question.
Based on my observations, the DMCAs loosely stuck to the following format:
“I am a journalist from [fake website]. My article about [topic] was copied without my permission. The whole work was stolen and posted on [real website] without my permission. Please remove it from Google’s search results.”
There are of course, many ways to phrase the same message, but that is generally the approach taken.
Another pattern of interest was the regularity with which notice descriptions had an unnecessary space before punctuation such as periods and commas. Below are some examples of these kinds of notices. I have replaced the quoted portions of the text with ellipses for simplicity’s sake in the following notice descriptions:
Lumen Notice: 12051102 Global Feminism Inc -> Google Inc. Domain Location: Scottsdale, AZ Subject of Article: Amena Capital Ltd (Australia)
“I am online journalist . Working for a reputed magazine . My article is copied as it is .Please look into this matter”
Lumen Notice: 12040318 Frankfort Herald News Corp -> Google Inc. Domain Location: Scottsdale, AZ Subject of Article: The Event (Pennsylvania, USA)
“Every single word is copied from my article . they used my source to publish their article with their unethical practices .”
Lumen Notice: 12097756 Frankfort News Corp -> Google Inc. Domain Location: Scottsdale, AZ Subject of Article: Brad Kuskin (New York, USA)
“Infringing the text excerpted on the site, beginning with the text “… ” till the last word on this particular url . It’s a totaly xerox of my article”
Lumen Notice: 12051109 Seiworld News Corp. -> Google Inc. Domain Location: Scottsdale, AZ Subject of Article: Ventana Capital (Colorado, USA)
“I am senior editor and my article is copied . Just to harm my reputation online . The article owner anonymously copied my content . Please look into this matter .”
Lumen Notice: 10908865 SeiWorld Broadcasting Networks Inc -> Google Inc. Domain Location: Scottsdale, AZ Subject of Article: Daniel J. Scavone – Attorney (New Jersey, USA)
“The article on the judgement given years ago had been covered by me . Please look into this matter and you see the whole content is copied .”
Lumen Notice: 11996205 Atha News Corp. -> Google Inc. Domain Location: Scottsdale, AZ Subject of Article: ATEL Development (Washington DC, USA)
“I am journalist . My whole article is copied from the beginning to the end along with the images .It is only done to harm my reputation online.”
Lumen Notice: 10997131 Seiworld Broadcasting Network -> Google Inc. Domain Location: Scottsdale, AZ Subject of Article: Indian Member of Parliament (India)
“I am journalist and work for breaking news section . My article on politician which was published a year back was part of breaking news has been copied . Please look into this matter”
Lumen Notice: 10909263 Seiworld Broadcasting Inc. -> Google Inc. Domain Location: Scottsdale, AZ Subject of Article: Indonesian Politicians (Indonesia)
“I am journalist and work for breaking news section . My article on politician which was published a year back was part of breaking news has been copied . Please look into this matter”
Lumen Notice: 12185604 Tom Middleton -> Google Inc. Domain Location: Scottsdale, AZ Subject of Article: APW Asset Management (UK)
“An investigation report on bankcrupty of a wine company is covered by me , wjich requires special reports with stats . My article is said and being published but , its being copied as it as onto other site without any legal documentation to republish . I request you to please look into this matter .”
Lumen Notice: 12224947 Amelia Hoghern -> Google Inc. Domain Location: Scottsdale, AZ Subject of Article: Trails Carolina (North Carolina, USA)
“the article about the missing boy through a therapy program is copied without going through any legal documentation work to redistribute my article . The article is copied , even the title aswell . I would request you to please look into this matter”
Lumen Notice: 12082585 Fox18 News Network LLC -> Google Inc. Domain Location: Scottsdale, AZ Subject of Article: Trails Carolina (North Carolina, USA)
“the source of my article is being used here . Everything is copied and even the image . Please look into this matter .”
As you can see, 11 out of the 42 notices have this peculiar punctuation error, for completely unrelated articles. Takedowns for articles written about companies and individuals from the UK, Australia, India, Indonesia, as well many different states within the US, filed on behalf of several seemingly random domains, all have the same style of writing, and were all registered to same exact address in Scottsdale, Arizona. This is probably not a coincidence.
The patterns in punctuation, language, and domain registration strongly suggest that there is a single reputation management company, registered in Scottsdale, using the stolen article scam to remove undesirable search results for a wide variety of businesses from all around the world.
Dates of Submission
The earliest instance of the stolen scam in my dataset appeared on April 3, 2013. The takedown notice was using a fake website, wereviewwebsites.com, in an attempt to remove a Yelp review about a real estate brokerage firm from Google’s search results.
From the collection of notices examined, only two of this kind were submitted in 2013. Three were submitted 2014, and eleven in 2015, with the remaining majority of notices submitted the following year. A total of eighteen notices were submitted in 2016 (excluding similar notices attempting to remove the same content).
Notices from the Lumen Database plotted by month
Domain Registry Location
Out of the 28 unique fake websites found in the dataset, 10 of them were all registered in Scottsdale, Arizona. The breakdown is as follows:
Once again, we see that a large majority of the fake websites with an accessible domain history were registered in Scottsdale, Arizona.
According to Google’s Transparency Report, 16 out of the 52 URL takedown requests were approved (as of August 15, 2017). That means that approximately 30 percent of the likely fraudulent DMCA notices from the sample were successful in censoring content from Google’s search results by claiming copyright infringement with fake websites.
This number does not include URLs that were initially removed, then re-indexed once the scam was publicized on the news. Some examples of Google reversing their decisions include the BuildTeam scandal, as well as the AdWeek article about Google executive, Torrence Boone.
Although the sample size is admittedly small, the scam’s remarkably high success rate could indicate widespread abuse of the DMCA to unlawfully censor content on a much greater scale.
Fake articles were backdated an average of 72 days (median = 8 days) before the original article was published. This is based on data collected from 28 URL removal requests, where both the fake and original article publish dates are available.
Scammers obtained their fake websites an average of 682 days (median = 341 days) after the “infringing” articles were posted online. This is based on data collected from 29 URL removal requests where both the domain histories and publish dates are available.
DMCA notices were sent to Google an average of 121 days (median = 100 days) after the fake websites were obtained. This is based on data collected from 35 URL removal requests with available domain histories.
While there has been some discussion about the existence of the stolen article scam in legal circles, no comprehensive study has been conducted to investigate its prevalence and rate of success. Although this particular dataset only includes a total of 52 URLs (primarily due to time constraints), I would not be surprised to find several hundred or more additional DMCAs of this nature.
From the limited sample size, we can assume there is a high likelihood that one specific reputation management agency is filing the majority of these notices on behalf of clients all around the globe.
The people behind the online activist website, WebActivism, have claimed to have identified three major agencies responsible for this illegal behavior. Additionally, attorneys Marc J. Randazza and Alex J. Shepard recently filed a lawsuit on behalf of Pissed Consumer against a large number of these notoriously fake websites, and the individuals linked to their domain names. A settlement has reportedly been reached between Pissed Consumer and one of the accused reputation management agencies.
The low-risk, high-reward nature of this scam makes it extremely tempting to resort to in a desperate situation. The ease with which one could use it as a weapon against free speech, paired with the clear upward trend in the number of notices we have seen over the years, warrants further investigative research into which agencies are filing these fraudulent DMCAs, and what specifically can be done to stop them in the future.
Since these scammers are primarily relying on human error on behalf of Google’s removals team, a crowdsourced effort to identify and report abuses of the DMCA is encouraged as it would spread awareness to the OSPs being deceived by them. As I have demonstrated in this blog post, anybody willing to dig up additional notices of this nature can do so with freely available online tools, in conjunction with the Lumen Database.
Please note that this research project is a work in progress, and may be updated as I continue to source more fraudulent notices in the future. The dataset can be accessed here as a Microsoft Excel file for those interested in exploring some of the notices (last updated: August 15, 2017).