Tag: facebook

Copyright Troll & DMCA Abuser Serin Jameson Learns About Fair Use

Updated 2021-11-26 to change Serin’s pronouns to be ambiguous (and thus more degrading) based on a comment whining about them. Be sure to read the comment for a great example of “tolerance.”

Serin Jameson is the founder and artist for a Facebook group called “Star Trek Shitposting.” I discussed the group and its toxicity in an unedited, rambling video six weeks prior to this post. It took that long for someone in the group to notice the video. What followed was a 109,000-person Facebook group descending upon my video to attempt to make me feel bad for mocking them, with literally thousands of comments being posted, many of which proved that the loudest and most accepted people in that group are indeed horribly toxic and evil people.

Sadly for them, I don’t care what they think about me, and their insults either resulted in pity or amusement on my end.

However, Serin Jameson is the lone figure who stands above all others for taking a good old-fashioned pile of internet banter way too far, jumping straight into the realm of brazenly breaking the law.

Serin Jameson’s copyright abuse

To understand the problem, one must first understand the concept of “fair use” within United States copyright law. In general, copyright law grants the rightsholders of a work the exclusive right to distribute their work for a limited period of time to encourage the ongoing creation of new works. (There are several issues with existing copyright law, including the “limited” term being insanely long, but that’s a conversation for another post.) U.S. copyright law explicitly carves out exceptions to this exclusive right, and the only one that’s important for most people is what is known as the Fair Use Doctrine. This portion of the law lays out four factors by which a fair use exception is judged. A fairly comprehensive explanation of the “four factor test” is available from the University of Texas. I won’t go over too many of the details here, but suffice it to say that my use of Serin Jameson’s artwork for the purpose of criticism and commentary combined with my heavy transformative use of the work place my use squarely within the bounds of the Fair Use Doctrine.

Transformative use of Serin Jameson’s Star Trek Shitposting 6th Anniversary artwork; from top left: original, transparency added, upper/lower layers added, completed image

Serin Jameson used (via a YouTube form) a provision of the Digital Millennium Copyright Act (DMCA) that allows rightsholders to send a DMCA takedown notice to an online service provider to notify them of posts that infringe on their copyright and have them taken down. My work constitutes plainly obvious fair use, so this action was inappropriate, and Serin Jameson knew this to be the case, and has thus stomped into Section 512(f) of the DMCA, which states (irrelevant portions excluded):

Misrepresentations.

Any person who knowingly materially misrepresents under this section…that material or activity is infringing…shall be liable for any damages, including costs and attorneys’ fees, incurred by the alleged infringer.

Because Serin Jameson is invoking U.S. law regarding material stored on U.S. company servers by a U.S. citizen, jurisdiction here is clearly and exclusively within the United States, despite Serin Jameson apparently being in Australia. United States case law requires that Serin Jameson perform a fair use analysis of the work in question prior to filing a DMCA takedown request (Lenz v. Universal Music Corp., 801 F.3d 1126 (9th Cir. 2015)). Failure to do so violates the declaration of the good faith required by the DMCA in any DMCA takedown request.

Based on the publicly available communications of Serin Jameson, my email notifying it of its failure to conduct a fair use analysis, and its public confirmation of receipt of that message, Serin Jameson fits all of the requirements under the DMCA to be held legally liable for filing a false DMCA takedown against my content. I have already sent a counter-notification to YouTube.

I am posting this as both a lesson and a warning: you should not abuse the law to silence people you don’t like.

Also, for the curious: yes, United States judgments are enforceable in Australia. Serin Jameson could find itself on the receiving end of some Hague secret sauce.

Finally, as they say on the internet, I’ve brought receipts.

Serin Jameson Facebook post 1 – planning a false DMCA takedown
My email to Serin Jameson to resolve the conflict
Serin Jameson Facebook post 2 – confirming receipt of my email

Service providers that store user data need to GIVE USERS THE KEYS!

Comments on this post are welcome and strongly encouraged.

Service providers such as Gmail, Yahoo, Facebook, and Twitter all need to offer users a data encryption option that does the following:

  1. It disables the password recovery system, so that no one else can exploit it or any weak links to it to get into our accounts, but if we “forget” our password then we can’t either; and
  2. Our passphrase encrypts a larger key which encrypts our non-public data on their servers with 256-bit AES encryption.
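
The two-level scheme in that list, as an added example that is not part of the original post: a passphrase-derived key wraps a random 256-bit data key, and only the data key touches stored content. It uses Node's built-in `crypto` module; the function names and sample passphrases are hypothetical and constructed for illustration.

```javascript
// Added illustration; function names are hypothetical, not any provider's API.
const crypto = require('crypto');
// AES-256-GCM; output layout is iv (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key
}

// Stretch the passphrase into a 256-bit key-encryption key (Node's default scrypt cost).
function deriveKek(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// The provider stores only the salt and the wrapped data key, never the passphrase.
function createAccount(passphrase) {
  const salt = crypto.randomBytes(16);
  const dataKey = crypto.randomBytes(32);
  return { salt, wrappedKey: seal(deriveKek(passphrase, salt), dataKey) };
}

// Returns the data key, or throws on a wrong passphrase; there is no recovery path.
function unlock(account, passphrase) {
  return unseal(deriveKek(passphrase, account.salt), account.wrappedKey);
}

// Changing the passphrase re-wraps 32 bytes; stored content is never re-encrypted.
function changePassphrase(account, oldPass, newPass) {
  const salt = crypto.randomBytes(16);
  return { salt, wrappedKey: seal(deriveKek(newPass, salt), unlock(account, oldPass)) };
}

function demo() {
  const oldPass = 'constructed sample passphrase', newPass = 'constructed replacement';
  let account = createAccount(oldPass);
  const stored = seal(unlock(account, oldPass), Buffer.from('private draft'));
  account = changePassphrase(account, oldPass, newPass);
  const readBack = unseal(unlock(account, newPass), stored).toString();
  let oldStillWorks = true;
  try { unlock(account, oldPass); } catch (e) { oldStillWorks = false; }
  return { readBack, oldStillWorks };
}

console.log(demo());
```

Because the wrapped key is the only link between passphrase and data, the "forgot password?" path has nothing to hand back: without the passphrase, `unlock` fails and the stored blobs stay unreadable.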

In light of the fact that General Petraeus was brought down by someone other than him and a personally trusted party accessing the data in his Gmail account, I think the users need to be handed the keys to our accounts and service providers need to give them up. By far the largest method for hackers to steal highly important or sensitive data is the “forgot password?” link at any given website. Our email accounts are almost universally used as a skeleton key to our other accounts. Mat Honan’s Gmail, Twitter, and Apple ID accounts were all hacked into in the space of an hour this way, and the hackers deleted all of the data on his MacBook, iPhone, and iPad when they got in.

For services that offer this encryption option, there should be an additional option to unlink all email accounts as well. There are some services that exist already which allow you to open an account for which an email account is optional, but they’re not very common and typically are also obscure and small.

Obviously, this is something that won’t do much with services like Facebook and Twitter, because in order for the service to show tweets or posts to anyone else, they have to be readable by the service provider itself. However, if you’re on Facebook and change a post or picture to be visible to “only me,” the media should be encrypted with your encryption key, then all unencrypted copies deleted from the provider’s servers, including its content delivery network.

Another feature that absolutely needs to be in place is for all mail service providers to support mail delivery and hopping over SSL or TLS, so that plaintext email does not go over the wire without any encryption. If email is encrypted on Gmail and encrypted on Yahoo! Mail, then the end-to-end link between them also needs to have encryption. Ultimately, the amount of time an email spends stored or transmitted as plaintext should be minimized. It would also be nice if mail applications such as Mozilla Thunderbird had built-in encryption for the entire user profile (stored/locally cached mail, stored account passwords, configuration settings, etc.) utilizing a master password, though it seems that most people point to workarounds that don’t ask Mozilla to add such support directly into Thunderbird. (What if I don’t want to install full disk encryption software, or can’t do so, or want to use Thunderbird in a portable fashion on a flash drive?)

Yet another feature that would be very nice to have is a “lockdown” feature, where you can log into your encryption-enabled account on a service like Facebook or Twitter, go to some sort of security settings page, press a button called “lock down account,” confirm that you really meant to lock down the account, and all media that is stored in your account automatically gets changed to “only me” privacy and encrypted in one shot, plus any attached “escrow” methods of password retrieval such as cell phones or email addresses are rendered unusable. If you have reason to believe that your data needs to be locked down quickly, having a feature like this is critical.

The biggest downside to this system is that if you lose or forget your password, you lose everything. The most common response to this “downside” will be “that’s a great feature to have!” and I strongly agree: if I don’t want anyone accessing my account, I desperately need to be able to lose the password with no means of recovery. However, another downside is that if someone gains access to your account, they can lock you out of your own data in the same way that you can lock others out. The most obvious answer to this would be some form of two-factor authentication, but adding TFA to the mix would imply such things as if you lose your second factor, you can’t lock down your account or change your encryption password, so it’s a bit of a double-edged sword.

The major reason that “encrypt everything” has not been adopted by knowledgeable users is that it’s not available as an option, and where it is available, you have to jump through ridiculous hoops to get it set up and working. Things like the HTTPS Everywhere extension and Google switching its services to use HTTPS by default are steps in the right direction. The fact that anyone can get online and dig up your maiden name, social security number, city you were born in, first vehicle you owned, and much more within minutes and for small fees means that password recovery options with security questions and whatnot are the equivalent of locking your five deadbolts and leaving the key under the WELCOME mat. Furthermore, if the FBI, CIA, NSA, or some other three-letter agency decides they want to read your mail without your knowledge, there’s nothing at all stopping them from doing so.

One of the big arguments against encryption is that it allows bad people to hide bad things. News flash: bad people can use encryption even if you DON’T allow it. The only thing that happens when you don’t have encryption available is that GOOD people can’t protect themselves and their privacy so easily, but the bad guys have an extraordinary motivation to jump through the extra hoops required and certainly will do so to avoid being caught. This argument against providing encryption has no substance in a practical world.

In summary: Service providers need to give us the keys to our data.