Something strange has been happening to several popular Facebook pages in recent weeks: they’ve disappeared. According to the affected page owners, they’re victims of bogus DMCA claims. The DMCA, or Digital Millennium Copyright Act, is a piece of (arguably broken) legislation which allows copyright owners to protect their copyrighted works from infringement. Over the years, it’s been used to remove content from Google’s search index, from YouTube and Yahoo Video, and by entities like Major League Baseball, record labels, doctors who don’t like bad reviews, software companies, and many, many others, in opposition to what most would claim is “fair use” of such content.
But while the DMCA has a long history of misuse, or perhaps, heavy-handed use, the law itself is not the main concern here with these Facebook pages’ takedowns – it’s Facebook’s process for handling such complaints. Because the social network does not validate the identity of anyone submitting a DMCA takedown notice, nor does it check to see if the report was sent from a legitimate email address, anyone with an ax to grind can fill out a form with bogus information to see a Facebook Page disappear, sometimes for good.
A word from our sponsor:
Twiends is the number 1 service for growing your online social network. Hundreds of thousands of members have already joined, and are growing their Twitter, Facebook and YouTube communities every day
We asked Facebook about these situations and a spokesperson told us the company takes all IP claims seriously. It provided us with the following statement:
We want Facebook to be a place where people can share and discuss openly while respecting the rights of others. We take seriously both the interests of people who post content and those of rights holders. We work to ensure that we don’t take content down as a result of fraudulent notices. However, when a rights holder properly completes our notice form alleging intellectual property (IP) infringement, we will take appropriate action including removing or disabling access to the relevant content. When we do this, we notify the person who shared the content so he or she can take appropriate action, which may include contacting the reporting party or following up with Facebook.
Submitting an IP notice is no trivial matter. The forms in our Help Center require statements under penalty of perjury, and fraudulent claims are subject to legal process.
Facebook Could Do More
But Facebook isn’t doing enough to protect these victims, says Graham Cluley, a security research at Sophos, who has previous experience documenting Facebook scams. Facebook could set a higher bar for complainants to jump over, he said. For instance, they could confirm that the email address being used is “legitimate and contactable,” he suggested. Facebook could do this easily simply by replying to the email, and requesting the complainant to click on a link to prove they really did sent the email, for example.
Facebook could also choose to insist that throwaway email addresses (e.g. Hotmail, Gmail, Yahoo, etc.) cannot be used for these sorts of complaints – that a domain name associated with the brand which claims to being breached is used instead, says Cluley. Or it could even request these claims were sent in on headed letter paper via snail mail or fax.
Dirk Knop, a Technical Editor at security firm Avira, agreed with Cluley, saying, “reacting blindly without verifying whether the sender of the complaint even really exists and uses an existing email address is not how it should be done.” He said Facebook needs to “react fast and correct this error.”
That said, neither Cluley, Knop, nor two other researchers at security firms we contacted were aware of this sort of fake takedown notice being used in scams or for spamming purposes, nor was it known to be a common cybercrime trend.
No Recourse for Page Owners Without Lawyers
But Ars Technica, which is now the most recent victim, notes this problem has been around for some time. Last year, for example, sex blogger Violet Blue’s Facebook page was taken down through similar fake claims.
To make matters worse, when the targeted individuals are public figures or small-time bloggers, without access to the legal counsel Facebook recommends they use to resolve the matter, they have almost no recourse in resolving the problem.
Here’s what a typical Facebook response to an innocent victim suggests:
While we appreciate your concerns, as we hope you can understand, we are not in a position to adjudicate disputes between third parties. When we receive an allegation of infringement, or a suitable report of a violation of our Statement of Rights and Responsibilities, our procedures require that we take action appropriate to the report. If you believe these reports are not being made in good faith or are inaccurate, we suggest you or your legal counsel contact the complaining party to discuss this further. If the reporting party withdraws their complaint or you prevail in court, we would be happy to follow up about restoring the removed material.
But when the complaining party is a ghost, page restoration is difficult, if not impossible.
We’ve seen several of these form emails from Facebook, and they seem to be automated responses, or, at best, form letters, despite being signed with a “real” Facebook employee’s name. In some cases, the form letter writer appears to have no knowledge of actions being taken by another Facebook employee, such as is the case when the victim “knows someone at Facebook” who is helping. This leads to even more confusion in what’s already a complex situation.
How to Protect Yourself
For what it’s worth, Dar says he found a workaround that allows legitimate page owners to protect themselves until Facebook’s policy changes: submit a claim against yourself. Once it’s taken down, ask Facebook for support in migrating your fans to a new page. When the migration is complete, you can use the new page safely. If anyone ever reports the page again, you can use your first complaint as proof that the page is yours. “I know it’s crazy,” he says. But it worked for him.
However, other sources say Facebook has stopped assisting in the migration of fans. There is no way for a page owner to manually migrate fans, either. In other words, this workaround may be iffy and ill-advised.
We asked Facebook why it didn’t validate email addresses, but the spokesperson never responded to that question directly.