In the continuing saga of 4chan vs copyright, on Friday, following widespread coverage of ACS:Law’s spectacular implosion, another UK legal firm decided to announce they’d be continuing the fight against the Internet. The firm is called Gallant Macmillan. To call this a misguided announcement would probably be generous to the intellect of the person making it. 4chan hasn’t ceased its attacks since ACS:Law, it has continued DDoSing various organisations (none so spectacularly as ACS:Law, but regardless sites have gone down, which is a successful DDoS attack), and Friday also saw a bomb threat against the office of the then current target. This sounds like they’ve crossed the line but bomb’s a sensationalist word and you have to put in perspective the effect both sides have had. 4chan made them evacuate their office for a few hours, while the firm has sent letters to ordinary people, which have caused genuine prologued distress and financial damage. One can’t condone bomb threats of course, but 4chan still has a way to go before it causes as much psychological trauma as its targets have. Anyway, unsurprisingly, while nobody before had heard of Gallant Macmillan, within a few hours they were selected as the next DDoS target.
The DDoS officially starts at 7pm GMT (8PM local UK time, 3PM EST), but it looks like a few people were eager to get in ahead of the crowd and GM’s site is down already and has been since I checked at 11 this morning. gmlegal.co.uk is HTTP 400ing (Bad Request (Invalid Hostname) — not entirely sure what this means, not familiar with Windows servers, but I think it may mean the host intentionally disabled their site) and http://www.gmlegal.co.uk has no IP address. They are due in court tomorrow to try to get a court order to pursue file sharers on behalf of the ‘ministry of sound’ (annoying electronic music guaranteed to drive even the most resilient person insane in about 8 bars). I am not a lawyer so maybe I mangled this a bit, but as I understand it this was delayed a week or so as the judge in charge admitted he didn’t understand the technical issues and he was concerned that there was a lot of public opposition to these practices, which, in the judge’s mind, probably wouldn’t exist if these firms were operating legitimately. A very public and organised and large attack on their website isn’t really going to quell the judge’s fears, but the outcome remains to be seen.
The trend seems to be that a lot of these firms are very small and have very inadequate IT facilities which fold up very easily when put under pressure. This of course, along with inadequate talent, proved catastrophic to ACS:Law. I think this highlights the problem of this kind of business model. Letter-sending has a high failure rate which is a difficult optimisation problem because if you’re not aggressive enough then people will disregard you and if you are too aggressive then people will band together and encourage defiance, and you will also attract formal complaints to regulatory bodies which may hamper your legal credibility. It might even encourage file sharing as an act of defiance (there’s a few ‘forbidden’ compilations on BitTorrent now as a result of ACS:Law’s media coverage, sharing collections of titles which rights’ holders were paying ACS:Law to prevent from being shared), AKA the Streisand effect, which will disincline sensible rights’ holders from viewing their relationship with you as having an overall benefit.
Going from letter-writing/extortion/speculative invoicing (delete as appropriate) into actual lawsuits is also a waste of time and money because even if you do end up with a settlement which equates to a net profit, suing randomly selected individuals on the basis of their alleged musical taste isn’t a profitable pastime because 1) on average, they don’t have much money to give you and 2) they’re going to have a lot less after they’ve employed a lawyer to defend them. The only highly publicised (and perhaps just ‘only’) case of an actual such copyright lawsuit in the UK was a few years ago, Davenport Lyons were awarded £16k against a woman for sharing a pinball game. Unfortunately, the woman never turned up in court so it was a default judgement. Pretty good result for Davenport Lyons, you think? Well, I remember reading about this at the time on Slashdot and I thought it was awful she was going to have to pay so much simply because she didn’t defend herself and the merits and flaws of the case were never heard. But as time goes on, DL’s victory seems less sensational: Not only did this woman never turn up in court, but there’s growing scepticism of her actual existence. There’s not a single known quote, statement, interview by her or her family or her friends, no pictures, no social networking profiles, nothing. The only place her name appears on the Internet is in all the cloned reporting of the case at the time, and in subsequent discussions thereof. Some think she was a Polish immigrant who went back to Poland several months before the court case, and has never been traced (I don’t know if there is any hard evidence for this), but Occam’s razor warns us against making up complicated stories about people who might not exist, so a cynic might be tempted to suspect some form of fabricated identity and publicity stunt. Whatever became of her, it seems unlikely that Davenport Lyons saw any of that money they were awarded.
So to turn a profit, you want to keep the outfit small and have everyone directly contributing to getting letters processed. Things like IT, as long as the computer system basically works, are an unnecessary expense if you don’t really understand how important they are. This of course means such firms are probably not in compliance with data protection laws (hello ACS:Law), not because they don’t understand the law, but because their overall IT experience is “I know how to press buttons” and they don’t really understand how the data are being stored. And as soon as 4chan decides they don’t like you, your website goes offline and unless you had a professional set the whole thing up in the first place, your email probably does as well. If they can keep you down for a few days, it’s a big reputation hit: people receiving letters are going to Google your name and see if you’re legitimate. If you’ve got no reachable web presence they’re going to be suspicious that you’re not a real firm, and they may be tempted to disregard your letter as a basic scam.
Secondly, you may have to explain to your clients over the phone that the reason they can’t communicate with you via email is because you’re being attacked. They might accept this for a few hours but after a few days they’re going to start have doubts about whether you’re really running a professional outfit or whether you’re a bunch of cowboys, an association with whom is a liability.
Similarly it attracts all sorts of negative attention. The sheer weight of these DDoS attacks shows just how strongly a lot of people feel about this kind of behaviour. It should deter all but the seediest of clients from doing business with you because clients with good reputation stand to suffer damage if they associate with you. I don’t think it’s a coincidence that a lot of ACS:Law’s money came from pornography cases, clients who don’t really have any reputation to lose. If you’re a ‘legitimate’ law firm you might well find your non-file sharing related clients deciding to dump you when you start to get a bad reputation. This is what seems to have happened to Davenport Lyons (the precursor to ACS:Law); they were a real law firm who got into the letter-writing business then took a lot of criticism then withdrew from it, probably because it was hurting them overall (it appears that some of their employees transferred to ACS:Law at this point to continue.).
And should a case ever come to court and the defendant says “well you say you’re technical experts who can evaluate this evidence and collect it reliably, but isn’t it true your site was attacked by some teenagers and it went down in about a minute and you didn’t manage to get back online for x days?” I’m not quite sure what your rebuttal can be to that.
Update: it appears maybe GM realised they couldn’t take a DDoS and took their site down willingly. It may also be that their provider decided GM’s custom wasn’t worth a DDoS and took them down. It is unclear exactly why it’s down. In any case, the denial of service was successful. Accordingly, 4chan shifted the official DDoS target to ministryofsound.com. It’s now 15 minutes into the attack and it’s hopelessly offline. Their digital download subdomain is a secondary target and it’s also down, which means no one can purchase anything from them at the moment. I’m really impressed at 4chan’s ability to shift the target relatively late and yet still take it down very quickly after the attack officially commences. I’m sure a part of their resources are still hitting Gallant Macmillan right now, but even not at full power, they’re still powerful enough to easily take down a fairly big site like MoS. I suspect the media coverage has got 4chan a lot of new firepower from people who have never been actively part of 4chan before. It shows the strength of the anti aggressive copyright sentiment. MoS is the big customer of GM, hence the reasoning behind targeting them.
Update2: 11PM — nslookup for gmlegal.co.uk is now returning 127.0.0.1. huh? Is that universal or just some kind of default fail case?