We are the latest victim of the Getty Image extortion scam

[jot]

Sorry for not posting sooner, but I have been doing some extensive research since we first got our letter on November 19th claiming an image that is on 229,000+ websites (as of a few days ago) was a copyrighted work and that we pony up $875 (By the way, if they were collecting $875 from every website that was supposedly infringing on this copyright image, they would collect over $200 billion dollars)

I will have to admit, I first went into panic mode when I first received the 14 page letter from Getty Images, but after calming down and finding info about this “scam” and finding the extortionletterinfo.com site, my panic quickly turned into anger on how companies like Getty Images prey upon small business owners, people with blogs, and even nonprofit organizations that have mistaken used an image that supposedly may be copyrighted for a website.

Not only am I angry about companies like Getty Images and their unethical business practices, but I am upset on how the copyright laws are so antiquated and ambiguous that the common person who posts to a forum or blog, or has a webpage can be targeted by companies “trolling” the Internet for profit.

I am on a quest to stop companies like this from preying upon innocent people.  I am currently collecting information on how PicScout, a company acquired by Getty Images in 2009, accesses files on our personally hosted web server.  I have security settings in place to stop spiders and robots from accessing certain files, and from what info I have found, PicScout has a special algorithm to bypass these settings, go to all image folders, and then download these files for comparison in there database.

The Computer Fraud and Abuse Act (Title 18 U.S.C. § 1030) states (a) Whoever-- (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—(C) information from a protected computer.   Further definitions of “protected computer” surmise that any computer connected to the Internet is protected.  So by this definition, PicScout has violated the CFAA.

Currently I am reviewing 4 years of firewall logs as every bit of traffic to and from our webserver was logged.  I have the domain names that are used by PicScout and the other “trollers” along with their IP addresses.  Once I review all of the logs and can identify when they accessed the server and caused excessive bandwidth to be used, I will be presenting this information to the state and federal authorities.  I have already filed a claim to our state fraud division and one of our employees is also a state legislator who is putting me in touch with the right people to have this thoroughly looked into.

I will have more to post in a few days once I have done a little more research and compiled some more info.  These trollers messed with the wrong person!

[Robert Krausankas (BuddhaPi)]

welcome Jot!! your mission is a noble one for sure, but you're thinking "may be" flawed in several areas..

a. Picscout operates out of Israel, and does not follow the laws of the US. Getty may own it, but it's a separate entity...
b. in order to access a computer without authorization, the machine in question would need to be password protected.. I don't buy into or surmise that "any computer connected to the internet is protected"

It's also worth noting that Getty Images spends  a big chunk of change lobbying the asshats in DC..please do keep us posted in any event..

[stinger]

Jot,

Keep the passion and don't let anyone dissuade you from fighting for what is right in this world.  I too am appalled by the fact that companies like Getty can use copyright laws as they were never intended to be used.

What's more, they often claim to be on the side of right, when any Google search of the term "copyright troll" makes it clear how wrong what they do is.

My philosophy is that each and every complaint, letter to a lawmaker, article exposing the wrong in what trolls do, survey, piece of copy printed or interview is just one piece of straw in a sack that will eventually break the troll's back.

Although the contributing members of this forum don't always agree on how to wage the fight, we are all passionate that it be waged and hopeful that even some attack that we do not expect to work will turn out to be wildly successful.

Keep us apprised of your efforts.  Their are people here who feel strongly enough about this to want you to succeed beyond our wildest imaginations.  By staying connected to this group, you will have their support when you need it.

[Robert Krausankas (BuddhaPi)]

I certainly wasn't trying to dissuade anyone, i was just stating my opinion. No matter how one looks at it, or how we fight it, it will be an uphill battle for the long term..the more idea the better.. Again I apologize if i came off in a a negative way..

[stinger]

Robert, I didn't mean anything by that.

I wasn't sure how jot would take what you said.  My belief is that even trying things that didn't work before or that you or I don't expect will work, might work now for some unforeseen reason. 

And I also believe that your willingness to share your experience is helpful.  It might help Jot tweak the plan so to speak.

So, it's all good!

[Greg Troy (KeepFighting)]

Welcome Jot, it sounds like you are off and running and have a plan. If you are looking to send your research information beyond the state level may I recommend sending it to be Congressional Research Service. This is a group within Congress that examines issues like this and this year they have already taken a look at patent trolls. Perhaps your information could get them interested in the copyright troll side as well.

I like to see when someone stands up for what they believe in and is not afraid to fight the trolls. Definitely please keep us posted as to your progress.

[cstockwell]

b. in order to access a computer without authorization, the machine in question would need to be password protected.. I don't buy into or surmise that "any computer connected to the internet is protected"

I not so sure I agree with this statement.  I think joee may be on to something because if you jump on your neighbors wireless internet access you can be prosecuted.  The wireless is wide open with no encryption but you are in violation of using their internet.  You may also see any files and folders on their computer because they have no passwords on shared folders. 

These bots are essentially working in the same manner by going beyond the folders used in the actual use of the web page and blog and are in fact scanning folders that are used for basic storage.  The file may not be put out for public viewing and there are no laws (as far as I am aware) that state you can not have a file on your computer (or cloud storage) for your own personal viewing.  Lets put into perspective that we could use the same argument that if they did not password protect their pictures in the first place then we have not committed any copyright infringement.  And back to the issue of cloud computing.  What is to say that these companies do not create a bot that can overide securities in place for cloud storage to scan files?  Since these files are on the "open Internet" per se then where do we draw the line? 

[jot]

welcome Jot!! your mission is a noble one for sure, but you're thinking "may be" flawed in several areas..

a. Picscout operates out of Israel, and does not follow the laws of the US. Getty may own it, but it's a separate entity...
b. in order to access a computer without authorization, the machine in question would need to be password protected.. I don't buy into or surmise that "any computer connected to the internet is protected"

It's also worth noting that Getty Images spends  a big chunk of change lobbying the asshats in DC..please do keep us posted in any event..

They may be based out of Israel, but the Patriot Act expanded the definition of protected computers....

“When Congress passed what is known as the USA Patriot Act after September 11, it dramatically expanded the legal definition of a "protected computer." Previously, the law considered a computer within the United States that was used by the federal government or a financial institution, or for interstate or foreign commerce, to be protected under the Computer Fraud and Abuse Act. But the definition now extends to computers outside of the United States where communications pass through a U.S.-based network.” article from… http://www.thefreelibrary.com/Patriot's+international+implications%3a+The+USA+Patriot+Act+expanded...-a084879167

And USLegal.com’s definition for a protected computer…

Under 18 USCS § 1030 a protected computer is defined as including any computer "used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States."

Because a web server is used for communication (it communicates information through the displaying of web pages} then it would be considered a protected computer.  Also, the fact that PicScout uses a Microsoft Exchange e-mail service at 66.147.242.156 (all publically available information) and that server is located here in the United States (Utah to be exact), they are using US based communications and can they fall under the Patriot Act.  Their scanning servers may be based in Israel, but they still have to go over a US based network to get to our sites here in the US.

And even if criminal charges can not be brought against them, civil suits can be brought against them for violating the CFAA

The CFAA is primarily a criminal statute. However, in 1994 a civil suit provision was added that provides a private cause of action if a violation causes loss or damage, as those terms are defined in the statute. 18 U.S.C. § 1030(g). To state a civil claim for violation of the CFAA, a plaintiff must allege
1. damage or loss;
2. caused by;
3.a violation of one of the substantive provisions set forth in § 1030(a); and
4. conduct involving one of the factors in § 1030(c)(4)(A)(i)(I)-(V).
 
18 U.S.C. § 1030(g).

Persons found to be civilly liable for a CFAA violation can be responsible for compensatory damages and injunctive or other equitable relief.


Because of the security breach from PicScout, our IT department spent two days beefing up the security settings on our web server and on our firewall.  Theoretically, we can charge them for the time spent to resolve the security breach.  Sure, it would not be much, but if they want to play we will sue you for infringement, then we can play, okay, we counter sue for violating the CFAA.

[Robert Krausankas (BuddhaPi)]

"if you jump on your neighbors wireless internet access you can be prosecuted.  The wireless is wide open with no encryption but you are in violation of using their internet.  You may also see any files and folders on their computer because they have no passwords on shared folders."

This is exactly what the P2P trolls attempt to do on a daily basis...without much success. Lets say for example I jump on my neighbors open wifi connection ( shame on him for leaving it open) and Iproceed to download 1000 songs and 2 dozen movies...who is going to get nabbed me or my neighbor??
Not me, the neighbor will be holding the bag.

Maybe i'm looking at it this way....it's a "web" server, whether it's cloud or not is irrelevant.."web" server = web accessible unless password protected. these bots do not adhere to robots.txt nor are they required to by any laws as of now..

I do agree that just because you have files / images stored in a folder for "personal use" would not be an infringement, it would be on the troll to "prove" this, if the files are just there & "orphaned" without any way to get to them thru the normal use of a browser, the troll would be in a bad situation. I have yet to see a letter with an image that was not "on a page" and accessible thru normal channels..

I don't know where to draw the line, and I guess we'll have to agree to disagree, and maybe someday the laws will be changed to be accurate and fair..

[Robert Krausankas (BuddhaPi)]

JOT!!! now you've got me thinking!! and I'm starting to think you may well be onto something...2 things catch my eye...the fact you were able to track down a US based IP from picscout, could have some serious effects on the whole operation.. And the fact you mention the counter suit, we've seen this before and it certainly a good option IF they file suit, which they probably won't.. I'm curious as to what your contacts may come up with here.. I confess I know very little about the patriot act, and I don' think it's been mentioned here in the forums before...

[jot]

Just found their other MX server (mail server)...it is a hosted Microsoft Exchange server located in Redmond, Washington....216.32.180.22

[Jerry Witt (mcfilms)]

This is one of the reasons I keep coming to this site. New people get stung by Getty or Masterfile and they come up with new and innovative ways to fight back.

Welcome Jot. I have to say when I first heard your plan I didn't hold out much hope. But as you lay it out, it begins to make some amount of sense.

Now they may argue that the image was placed on a public-facing web page and its use was confirmed by a human being. But that doesn't negate the fact that they (may have) broke into your "house," snooped around a bit, and then decided to send a person to look for the image.

The uphill battle is the "access a computer without authorization" part. I think it will be tough to claim that tracking down the text and images presented on a public-facing web page somehow constitute "access a computer without authorization." I think the intent of this law was to prevent people from hacking into a database or protected directories, not scanning images.

But I seriously do not want to take the wind out of your sails. I encourage you to keep pushing.

[jot]

This is one of the reasons I keep coming to this site. New people get stung by Getty or Masterfile and they come up with new and innovative ways to fight back.

Welcome Jot. I have to say when I first heard your plan I didn't hold out much hope. But as you lay it out, it begins to make some amount of sense.

Now they may argue that the image was placed on a public-facing web page and its use was confirmed by a human being. But that doesn't negate the fact that they (may have) broke into your "house," snooped around a bit, and then decided to send a person to look for the image.

The uphill battle is the "access a computer without authorization" part. I think it will be tough to claim that tracking down the text and images presented on a public-facing web page somehow constitute "access a computer without authorization." I think the intent of this law was to prevent people from hacking into a database or protected directories, not scanning images.

But I seriously do not want to take the wind out of your sails. I encourage you to keep pushing.

I was thinking of that, but the fact the bypassed settings that were meant to stop particular bandwidth hogging spiders and bots and that they access folders that were hidden from those bots and spiders view to access those files, then download copies of them to analyze them for possible copyright infringement, then they violated the CFAA.

About 4 years ago, our web server was hacked by a Turkish hacker and our website was defaced and replaced with his own message.  Once that happened, we added all kinds of extra security settings and even third party software to stop intrusions and theft.  Even the FBI got involved with that investigation.  We are an insurance agency, so by most definitions, we are considered a financial intuition.  We have 40 to 60 attacks on our network daily, so I am constantly monitoring for an intrusion.  Even though the web server is public facing, it still has measures of protection enabled on it to protect it from unauthorized access.  PicScout.com bypassed those settings plain and simple to get to folders that were not available to them otherwise.  The only way to access the supposedly copyrighted image was to view it on the web page.

As I stated earlier, I have four years of logs to go through before I can present my case to the proper agencies.  I am still in the investigation mode at this time and I appreciate all comments as it helps me look in the right places. 

Because of this mess with Getty Images, I have now started learning Copy Right Laws, the Computer Fraud and Abuse Act, and all other related laws.  I did not realize having a website on the Internet would require me to get a law degree…LOL   

[Robert Krausankas (BuddhaPi)]

I did not realize having a website on the Internet would require me to get a law degree…LOL 

Again welcome to our world!

[Khan]

 "Even though the web server is public facing, it still has measures of protection enabled on it to protect it from unauthorized access.  PicScout.com bypassed those settings plain and simple to get to folders that were not available to them otherwise.  The only way to access the supposedly copyrighted image was to view it on the web page. "

In laymans words: Since picscout is a crawler and not a human beeing it can not see the pictures so they have to "intrude" to see the pictures by going into your files and taking a copy of your files.

Is my understanding correct ?

Khan