So, you heard about the new “WiFi Hack,” or “WiFi vulnerability” or “KRACK attack,” and you’re worried. Good, you should be worried. But you shouldn’t panic. Here’s a quick, totally non-technical explanation of what’s going on and what you can do about it. (If you want a technical explanation, go to this website: https://www.krackattacks.com.)
Now for the non-technicals: Meet Alice.
Alice is the package delivery driver who delivers to your company, MyCo. (Or who delivers to your house, whichever.) You know, the cool one, who’s always on time, is super-nice, and will cheerfully wait a second if you are just finishing up a label. She’s awesome.
Alice has just arrived at MyCo, and she’s going up to R&D on the seventh floor to pick up a package. Bob, the intrepid security guard in the lobby, recognizes Alice. He sees her every day and knows she’s cool. So he lets her on the elevator. If there were any packages in the lobby waiting to go out he’d let her grab them, and if she had any to drop off, he’d let her bring them in.
In this analogy, Bob is your WiFi router, or the WiFi card in your computer, phone, tablet, or other wireless internet gizmo. He “knows” Alice, so he’ll let her onto your network. He doesn’t ask her for ID every single time she goes in and out, because he knows her.
That’s not really Alice!
It’s TED! Ted, the notorious black-hat hacker and ne’er-do-well! But sadly, Bob forgot to put his contacts in, and Alice’s package delivery company includes black hats as part of its uniform. So Bob lets Ted in, thinking he’s Alice.* Ted is now on the elevator and heading up to R&D, having already grabbed any packages in the lobby that looked especially interesting, and dropped off a few filled with limburger cheese and rotten eggs. OH NO!
In this analogy, Ted is a hacker using the “KRACK” WiFi attack. He’s bypassed Bob, the Guardian of WiFi, and is now on your network or has access to your device through its WiFi card. He can see things that are going in and out through your WiFi, and in some cases can intercept and read them, or send things into your network that normally he couldn’t.
So, Ted is headed straight for R&D on the seventh floor. Once he gets there, he can steal anything he wants. It looks bad for MyCo!
Ted did not reckon with Carol!
Carol is the even more intrepid security guard on the seventh floor, protecting all the secrets of the R&D department. Man, MyCo is lucky she’s on the case! She’s asking Ted for an ID which is on her “allowed to access R&D” list – which of course, he does not have. Remember, he’s not pretending to be Alice: Bob just didn’t realize that he wasn’t Alice, so Bob let him in. Ted’s dastardly scheme is foiled! (Scene where Carol tazes Ted and turns him in, scoring the thanks of a grateful MyCo and a sweet bonus, available on Director’s Cut DVD.)
In this analogy, Carol is the password protection for the devices inside your WiFi network, like individual computers and file servers, or the data on your phone or tablet – which are all stored behind that door marked “R&D”. It doesn’t matter that Ted got in the building and reached the right floor: if he can’t get past Carol, he’s out of luck. He can still see what’s going in and out, so hopefully MyCo uses that nifty tamper-resistant tape on its packages. But he can’t get in to where all the real goodies are, and he can’t drop off any stink bombs inside R&D.
So to sum up, what this new KRACK (it stands for Key Reinstallation something something) WiFi attack does is let hackers who are in range of your WiFi network or device past the password that normally protects WiFi connections. It doesn’t tell them what the password is, and absent further hackery it doesn’t let them change it. It just lets them bypass that part of the security “ecosystem,” as we say. So there’s no need to change your WiFi passwords.
Once they’re in, they’re that much closer to your actual data. They’re through the lobby and off the elevator on the floor where you keep your important and/or embarrassing secrets. So now it’s that much more important to have Carol on the job. And make sure that all your packages are properly sealed.
As for what you can do about it:
- MAKE SURE ALL YOUR DEVICES ARE PASSWORD PROTECTED. Every computer. Every phone. Every tablet. If you don’t know how, ask a friendly geek. But you HAVE TO TURN ON PASSWORD PROTECTION. Yes, I know it’s annoying. But you have to do it.
- Update your devices. You should always update your devices but now you should REALLY update your devices. And keep updating your devices. The industry has been aware of this for a little while because the researcher who discovered the vulnerability quietly notified them so companies could start fixing it before they announced it to the public. Patches are rolling out and will keep rolling out.
- Be extra SUPER careful when using public WiFi. You should avoid it anyway. (Turn on the feature that keeps your device from connecting to WiFi networks automatically and KEEP IT ON.) But until you know your device is secure, no hotel WiFi, no Starbucks WiFi, no airport WiFi. None of it.
- This is a REALLY good time to learn to use email and file encryption. If your communications and files are encrypted, it doesn’t matter that Ted can look at them as they go in and out of your WiFi network. Without the right encryption password he still can’t read them.
A lot of lawyers follow me: this is especially critical for them. You are putting not only your information but your clients’ information at risk if you do not address this issue. Don’t do that.
*This analogy has a problem that some InfoSec people are not going to like, in that what I’m describing might be a better analogy for a “Man in the Middle” attack. But as is so often true when I mix metaphors, I don’t care. Also the better analogy includes things like leaving windows open and losing your keys and that’s too hard to draw.
(Note: I am an attorney, but I may or may not be licensed in the jurisdiction of any particular reader. Nothing in this post constitutes legal advice. Consult an attorney licensed in your jurisdiction and familiar with the relevant law before making legal decisions. In some jurisdictions, this post may be considered ATTORNEY ADVERTISING.)
This post was written for IndieGamerTeam – which you should check out!
All right, you’re really going to make me do this, aren’t you? I tried to tell you not to play stupid legal tricks with DMCA notices. But oh no, you wouldn’t listen.
*opens emergency cabinet marked IN CASE OF FAIR USE ARGUMENT, takes out and dons helmet which has a picture of an adorable mini-lop rabbit with a switchblade*
Let’s rock, nerd-person.
First of all, if you didn’t see my previous post about literally using DMCA notices as a Stupid Legal Trick, there’s a primer linked there on The DMCA Takedown Notice Demystified. You should read at least that primer, because it is informative, and preferably my post, because it is awesome. The summary? Don’t use DMCA notices as a Stupid Legal Trick.
Those of you who are plugged in to the Twitters probably know what inspired this post, but let me sum up a hypothetical:
- Developer posts Notice on their website that anybody who wants to can stream or post videos of people playing their games.
- NetPersonality posts a vid wherein they are playing a game from Developer.
- NetPersonality does something Bad, which Developer does not like, totally unrelated to Developer’s game and the aforementioned vid.
- Developer, without taking down Notice, DMCA’s NetPersonality’s vid, hosted on Host.
Who can tell me why this is a bad idea? Anyone? Anyone?
That’s right: it’s playing a Stupid Legal Trick with a DMCA notice.
And that is, ALWAYS, a horrible, terrible, no good, very bad idea.
Now, in this case, as opposed to the situation I discussed last time, we’ll assume that most people would probably agree that what NetPersonality did was Bad. We’ll even assume that I myself would say it was Bad. But DMCA notices are not. For. Punishing People! Using them in that fashion just gives ammunition to the forces opposing the rights of small and independent creators, who would like nothing better than for DMCA notices to Go Away.
“But wait,” I hear you say. (I keep telling you to pitch that Google Home, but do you listen? No. I do, though.) “You put on your FAIR USE helmet! Why did you do that if you were just going to yell at a hypothetical Developer for abusing DMCA notices?”
Well, first of all, it is a very cool helmet. Secondly, because what Developer did in my hypothetical is an interesting reason to think about Fair Use. Ultimately, NetPersonality has to believe in good faith that they have some legal grounds to use the game in their vid. Since they did literally copy Developer’s game, or at least portions of it, Fair Use is really the only grounds they have to counter-notice. So buckle up: here we go.
There are four Fair Use factors, plus the Zeroth Factor. The Zeroth Factor (“Is the alleged Fair Use bad?“) weighs against Developer, because the alleged Fair Use is unrelated to the Bad thing. But it also weighs in favor of Developer, because we’ll assume it was pretty Bad and therefore NetPersonality is assumed to be a Bad Person and we don’t like Bad People. I’m going to call it a wash and move on to the actual factors.
First Factor: The purpose and character of your use.
Essentially, this question boils down to “Is the use transformative?” If it is, this factor weighs in favor of the use being fair, because we want to encourage people to create new art. If not, it doesn’t, because we are not as concerned about people who just copy stuff. What transformative means is… complicated. But in this context, any use we might care about, be it a playthrough or a straight up game review, is probably not transformative. For purposes of my hypothetical, I have decreed it thus. So this one weighs against NetPersonality .
Second Factor: The nature of the copyrighted work.
This refers, basically, to two sub-questions.
First, is the infringed work mostly factual (for instance, a biography of Abraham Lincoln) or mostly original (for instance, a comic book about Abraham Lincoln secretly being a vampire hunter?) If it’s mostly factual, the use is more likely to be fair, because facts cannot be copyrighted, and there are only so many ways to describe a given set of facts.
Second, did the creator of the infringed work publish it before the infringement? If not, the use is less likely to be fair, because the decision as to whether to publish a work is a very important one and we want to protect creators against having that decision taken away from them by infringers.
Developer published the game (point: NetPersonality ) but it is a largely original work of fiction (point: Developer.) This factor probably weighs slightly in favor of Developer, but it’s really not a huge win for either side.
Third Factor: the amount and substantiality of the portion taken.
You will note that in my hypothetical I didn’t say whether the vid was a drive-by, a full review, or a complete playthrough. That makes a huge amount of difference and in many cases of this type will be largely determinative of the outcome, especially when the fourth factor is added in.
“Amount” just means “How much, percentagewise, of the work did you copy?” Please note that there is NO magic number, for any type of work. There is no “eight bar rule,” no “twelve second rule,” and no “ten percent rule.” The more you copy, the more likely that the use is not fair, and vice versa. After that it is determined case by case.
“Substantiality” means “How important was what you took to the work?” Think of this, if you like, as the “Courts Hate Spoilers” rule. If you just take some random screenshot and put it up to show the general graphics style and production quality of the game, no big. If you show the six-minute cut scene that reveals the resolution of the entire plot, even if the game has six hours of cut scenes and six hundred hours of main storyline play, you are probably not making a Fair Use, you spoiling so-and-so.
If the vid is a playthrough, this factor weighs in favor of Developer. If it’s a straight review, it probably weighs in favor of NetPersonality unless the review includes extremely substantive copied material. If it’s a drive-by, it almost certainly weighs in favor of NetPersonality .
Now, pay attention: law is complicated. Despite what I said before, spoilers in and of themselves are okay, but copying substantial portions of the work which might contain them isn’t, largely because of the fourth factor. Namely…
Fourth Factor: The effect of the use upon the potential market.
Now this is where this hypothetical really gets interesting. Usually, this is about whether the alleged Fair Use will reduce the likelihood that people will buy the original work (or otherwise make it harder for the original creator to exploit it.) Making cheap, identical prints of someone else’s original artwork makes it harder for them to sell their own prints – that’s an easy one. Probably not a fair use.
Showing the play of the game including the ending makes it less likely that people will buy it because the ending has been spoiled – that’s a little harder. Arguably, the sort of person who watches a Let’s Play in its entirety wasn’t going to play the game anyway – or might still buy it because the playthrough looked like fun and they want to experience it themselves. Still probably not a fair use, but arguable.
Here, though, Developer demonstrably does not care if people post playthroughs. They have authorized the posting of playthroughs. It’s going to be very difficult for them to argue that another playthrough, more or less, will have any significant effect on the market. (Fancy Legal Term of the Day: “Estoppel.” Look it up.)
They could raise a different objection. Specifically, that allowing NetPersonality to associate themselves with the game will, somehow, harm the market for the game. I think that this argument is novel, in terms of copyright law. Would it work? Hell if I know. I think it’s a desperation argument, but that doesn’t make it an automatic loser. Until we know, I think that in context, this factor weighs heavily in favor of NetPersonality .
Okay, let’s sum up our factorial analysis. (I have a degree in math and that was a brilliant pun. Fight me.)
Factor Zero: Wash.
Factor One: Developer by a mile.
Factor Two: Developer, barely.
Factor Three: Depends on nature of vid. Playthrough: Developer. Review: (Probably) NetPersonality .
Factor Four: Absent success of novel legal theory, NetPersonality in a walk.
Result: Who knows? Are you asking me if the host should honor the DMCA notice, or whether Developer would win a copyright infringement case? Or what kind of damages Developer would be entitled to if they did in fact win a copyright infringement case? (In the legal biz, if you win the case and get no damages, that may or may not be considered a win.) You didn’t even tell me if the vid was a playthrough or a review, for crying out loud. How am I supposed to know these things?
Okay, seriously. I will say the following:
- In my opinion there was a much, much better way for Developer to proceed than by filing a cold DMCA notice, and it wouldn’t have been hard (or that expensive.) Note that this is in my hypothetical. I do not know what the developer in the situation which inspired my hypothetical did. For all I know they did exactly what I would have advised. Or something even cleverer, impossible as that seems. (NOTE: While nobody’s talking, for once, good for them, at this point it is not clear if the developer did anything at all or if the net personality took down the video of their own accord.) Will I tell you what it was? No. That would constitute legal advice. Any good copyright attorney would probably arrive at it very quickly, and almost nobody who wasn’t a good copyright attorney would come up with it at all. This is why you should hire an attorney before you attempt Stupid Legal Tricks.
- If I were counsel for Host in my hypothetical, I would advise Host to honor the takedown notice. If NetPersonality filed a counter-notice I would advise the host that they should honor the counter-notice. NetPersonality isn’t required to justify the counter-notice, nor is Host required to evaluate it for legal sufficiency other than that it must meet all technical requirements for a counter-notice.
- If Developer hired me to sue NetPersonality for copyright infringement in my hypothetical, I would advise them that the suit was not a slam-dunk, which is what I tell all my clients, and that recovery of significant damages would be particularly tricky as the facts of the case are very unusual.
In any event, I hope you understand a little more than you did before about this kind of thing. As always, questions or comments are welcome. If this sort of thing interests you, there are more post at my blog, Legal Inspiration!, and you are welcome to check me out on Twitter.
Thanks for reading!
Yes, you heard right: this chatbot will ask you questions and give you basic information on how to protect your ideas with IP law. This was just me doing a little experimenting with chatbot software. I probably need more to do.
Anyway, check it out!
Note: it’s on a free chatbot host with a limited number of messages. If it won’t work, I’m probably out of free messages. Either try again later or send me some money so I can buy more.
Thanks for coming to one of my panels at Anime Midwest! Or, if you didn’t, thanks for visiting my blog anyway.
Here are the materials from my panels at Anime Midwest 2017. Just click a link, and the presentation will open as a PDF in a new window. You can also download the presentation to your own hard drive.
These materials are copyrighted: you are free to use them for your own private use, but if you want to share them with others, please don’t remove the attributions, and a link to this post would be great. As always, comments are appreciated. If you have any questions, please feel free to contact me!
Also, a shoutout to Baast Wildcat, definitely the funniest, and the angriest, cheetah I have ever encountered. See her art at http://alasnow.tumblr.com.