Copyleft trolls, robosigning, and Pixsy.
Here’s a supreme irony: the Creative Commons licenses were invented to enable a culture of legally safe sharing, spurred by the legal terror campaign waged by the entertainment industry, led by a literal criminal predator who is now in prison for sex crimes.
But because of a small oversight in old versions of the licenses created 12 years ago, a new generation of legal predator has emerged to wage a new campaign of legal terror.
To make matters worse, this new kind of predator specifically targets people who operate in good faith, only using materials that they explicitly have been given permission to use.
What a mess.
Statutory Damages: A Tale of Moral Hazard
I’m talking about copyleft trolls. This is a phenomenon that’s been on my radar since 2019, when Metabrainz, a charitable nonprofit whose board I’ve volunteered on for more than 15 years, successfully defended itself against a $10,000 “speculative invoice” that we received from a guy who is widely considered to be a copyleft troll.
To understand how the copyleft troll scam goes, you first need to understand how copyright trolls operate.
Start with this: US copyright law provides for $150,000 in statutory damages for “wilful infringement.” If you violate someone else’s copyright and they can prove you knew you were breaking copyright law, they can hit you for up to $150,000, even if they can’t show that they’ve lost a dime in the process.
Enter the copyright troll, who uses the statutory damages system to engage in highly automated, mass-scale extortion.
To turn troll you need five things:
- A law degree;
- A client who can lay claim to some kind of copyrighted work that might be reproduced online;
- A search tool that can identify copyrighted works as they are posted online;
- An automated “speculative invoicing” tool that sends legal threats and demand letters to anyone the system identifies as having posted a copy of your client’s work;
- A group of “customer service reps” who field complaints, ignore pleas of innocence, negotiate and collect payment, and “cool the mark” after the money is collected.
So if you’ve posted a still from a movie to social media or participated in an infringing Bittorrent download or quoted a news article on a message board, you might someday hear from a copyright troll, who’ll send you an email demanding, say, $10,000 as a “license fee” for your use of their client’s copyrighted work; if you don’t pay, the troll will threaten to take you to court, demanding that $150,000 in statutory damages, plus legal fees.
The Depraved Creativity of the Copyright Troll
The 2010s were the decade of the copyright troll, as a small number of extremely prolific troll firms made tens of millions of dollars while ruining thousands of everyday internet users’ lives. The copyright troll industry was a disgusting cesspool, and it selected for sleaze. The most successful copyright trolls were the slimiest, and it was only a matter of time until they went to prison.
It’s really hard to overstate the creative depravity of the copyright trolls: for example, one bunch acquired the rights to a library of pornographic videos and then secretly uploaded those videos to the Pirate Bay, then targeted downloaders with speculative invoices, threatening to expose their porn-viewing habits in the process.
Another bunch went even further: they uploaded gay porn to the Pirate Bay, but labeled it as if it were top-40 music collections, then demanded huge payouts in exchange for not filing lawsuits that would permanently link their victims’ names with extremely explicit gay porn video titles in online searches.
Creative Commons: Permissioned Permissionlessness
21 years ago, Larry Lessig, Hal Abelson and Eric Eldred and their team launched Creative Commons, a nonprofit that was supposed to create a DMZ for the copyright wars. I was there, both literally and figuratively: I suggested both Matt Haughey and Lisa Rein to Larry for the organization’s founding team, and I worked with them and Aaron Swartz on the launch. My first novel, Down and Out in the Magic Kingdom, was the first commercial work to use a CC license. A couple years later, I moved to London, in part to serve as Creative Commons’ European director.
Creative Commons was supposed to solve a serious copyright problem, namely, that there were a lot of people who wanted to share their work with others, but there was no way to formalize that sharing agreement without spending vast fortunes on copyright lawyers to negotiate the sharing terms.
Creative Commons’ solution to this was a kind of robo-lawyer: a simple online tool that a creator could use to specify the terms on which they were willing to share their work — whether commercial use was okay; whether new, “derivative” works could be made from it; and whether the resulting works were required to be shared under the same terms — and out would pop valid copyright license. That license was in three parts: a “lawyer readable” legal contract; a “human readable” summary; and a “machine readable” metadata block that would facilitate searching for CC-licensed materials.
CC, and its sister international organization, iCommons, worked with lawyers around the world to create a set of compatible licenses that were enforceable under non-US copyright systems, and wove language into each license making them all interchangeable. That meant you could create a video that used stock footage from a French creator and music by a Canadian creator to create a short video that adapts a story by a Japanese writer.
This is objectively cool.
It’s also incredibly successful. CC licenses are used to facilitate all kinds of collaborative endeavor, from Wikipedia to Thingiverse to Github to Flickr. Anywhere people gather with the desire to share and build on one another’s work, CC licenses make it possible to do so, without spending hundreds of thousands of dollars on lawyers.
But the drafters of the Creative Commons licenses made a small oversight, one that was not rectified for 14 years after the project’s launch. That oversight has given rise to a new kind of copyright troll: the copyleft troll, a copyright predator that exclusively targets people who haven’t violated copyright.
Like I said, what a mess. What an awful, awful mess.
Crossing the Tees: They Get You With the Fine Print
The first three versions of the Creative Commons license contained a small, significant oversight, one that now exposes millions of people to effectively unlimited legal risk.
The original version of the CC license stated that the license would “terminate automatically upon any breach.” That meant that if you failed to live up to the license terms in any substantial way, you were no longer a licensed user of the copyrighted work. Any uses you had made of that work were no longer permitted under the license, so unless you had another basis for using it (for example, if your use qualified as “fair use”), then you were now infringing copyright.
Recall that “willful” copyright infringement carries a statutory penalty of $150,000.
These two facts — automatic termination on breach, statutory damages of $150,000 — created the copyleft troll.
Copyleft trolls are a combination of entrepreneurial individual extortionists and law-firms that actively recruit would-be extortionists with a pitch that’s very similar to the copyright troll’s come-on: sign up with us and we’ll find people who made minor errors in their use of your Creative Commons works, and then send them a speculative invoice for a “license,” on threat of a copyright lawsuit that could run them $150 grand plus legal fees. We’ll split the take.
It’s even more of a pure predator play than the copyright troll racket, because the targets of these extortion demands are people who understand (correctly) that they are allowed to use the work they are being threatened over. The basis for the threat isn’t that they infringed copyright — rather, it’s that they made the equivalent of a typo, like failing to dot an i or cross a t.
What’s more, the Creative Commons license has a pretty technical— if lightweight — set of administrative requirements that are easy to get wrong. Specifically, all CC licenses (save for the Public Domain dedication) require that users:
- Name the creator (either as identified on the work, or as noted in instructions to downstream users)
- Provide a URL for the work (either as identified on the work, or as noted in instructions to downstream users)
- Name the license
- Provide a URL for the license
- Note whether the work has been modified
Get any of this attribution wrong and you’re potentially a copyright infringer, and looking at $150,000 in damages.
Creative Commons users really don’t get this, by and large — neither the technical requirements for attribution nor the potential risk of getting it wrong. I have posted more than 28,000 photos to Flickr under very generous CC licenses and I’m constantly finding users who have failed to correctly attribute them. Like, I’ve repeated emailed the contact address for “Fintech Zoom” to request that they fix the attribution on this photo and all I get is crickets.
I see that failure to correctly attribute as a minor annoyance, but copyleft trolls see it as a payday.
The Honeypot: Weaponizing Administrative Ignorance
Given the dismal state of attribution literacy in the world, it’s inevitable that anyone who uploads a lot of works under Creative Commons licenses will get a lot of incorrect attributions. If you’re a copyleft troll, then, all you need to do is generate a bunch of works, slap superannuated Creative Commons licenses on them, upload them to a popular CC repository like Flickr or Wikimedia Commons, and wait for your prey to make minor attribution errors, then send them invoices for thousands of dollars on threat of a $150,000 statutory damages claim.
Like the copyright trolls who actually baited people into committing copyright infringement, copyleft trolls aren’t content to passively sit by and wait for small textual errors to monetize. They actively seek to create these errors.
Take Marco Verch, who may just be the most prolific copyleft troll operating today. Verch hires low-waged photographers overseas to create work-made-for-hire photos of common stock images, often responding to current news hooks (he posted a wealth of stock images of PPE and other medical images during the first wave of the pandemic).
Verch’s images are licensed under CC Attribution 2.0, a license that was produced in 2005 and superseded in 2007. This license application has to be performed manually because Creative Commons no longer offers tools to apply this license to new works. The 2.0 license has the strictest attribution requirements, making it easy to slip up.
Verch uses an automated tool to scour the web for out-of-compliance attribution strings, then he pounces, sending legal threats with demands $250 and up. He says the money this brings in allows him to work a four-hour week and focus on his hobby, running.
The images whose use he polices are created through gig-work platforms like Upwork, in a largely automated process that simply takes top headlines from international news sites, then offers small-dollar commissions to gig photographers to create photo illustrations. These are then used by unsuspecting and naive users who get whacked with Verch’s speculative invoices — in at least one case, paying Verch’s ransom was so back-breaking for a small Dutch charity that it closed its doors forever.
Timely photo-illustrations are excellent bait for a copyleft troll’s trap, but there are other tactics for the enterprising copyleft troll.
Take Larry Philpot, a country music photographer who has pivoted from merely selling photos of performers to media outlets to posting those photos to Wikimedia Commons with a very specific, nonstandard attribution demand, then sending letters demanding large sums ($10,000, in the case of Metabrainz) to forestall a $150,000 damages award for anyone who misses his fine-print. Philpot’s 150+ copyright suits have angered federal judges to the point where more than one of them has called him a copyright troll.
They’re wrong, though! Philpot is a copyleft troll. Copyright trolls target people who know, or should know, that they’re not allowed to use or copy a work. Copyleft trolls target people who correctly believe that they are allowed to use a work, but who make minor administrative errors.
They Picked the Wrong Guy To Mess With
All of this was something I understood in an abstract way, but didn’t devote too much thought to, until I was targeted by a copyleft troll.
On January 4, I received the following email:
From: Pixsy Case Management Team <email@example.com>
Subject: Second Notice: Unauthorized Use of Image (Case 002–143592) ref:_00D24Jcz7._500084PdfYR:ref
By email: firstname.lastname@example.org
Second Notice: Unauthorized Use of Mr. Stojkovic’s Image — Case Reference: 002–143592
January 4, 2022
Attn: Cory Doctorow,
You were previously notified of an unauthorized use of Nenad Stojkovic’s images on your webpage. To date we have not received payment for your license fee.
Details of the unauthorized use are set out in the attached Unauthorized Use Report and Evidence Report. Please refer to these documents and the enclosed FAQ guide if you have any questions or require further clarification regarding why you received this email.
Payment can be made through our secure online portal at the following URL, and alternate payment options are available to you in the attached PDF: https://my.pixsy.com/resolve/619e6fa4a8570c004ed70a5e
In the event that resolution with a fair license fee is not possible, our next steps are to forward this matter to our partner attorney to secure the highest fees recoverable for copyright infringement and to commence legal proceedings. Should legal escalation become necessary, this licensing offer will no longer be available.
XXXXXX, Case Manager
Pixsy Case Management Team
Phone: +1 (323) 284–9404
Post: Pixsy Inc., 340 S Lemon Ave, Walnut CA 91789, United States
Email: email@example.com (please always reply to the email thread and include the case reference number)
System ID ref:_00D24Jcz7._500084PdfYR:ref
There are a lot of things wrong with this email.
Here’s the use that I was being threatened over: Nenad Stojkovic’s picture of hand clicking on a mouse. If you followed that link, you’ll see that I credited Stojkovic, provided a link to the full-rez image, named the license and linked to it, too. I did that in multiple places: both in the Twitter thread and in the alt text of the image.
I mean, of course I did. I was there when Creative Commons was born! I was the organization’s European director! I keynoted an iCommons conference where this very subject was under discussion! What’s more, Flickr — where Stojkovic posted his image — was founded in part because I asked for it, and I served as an advisor to the company when they set up their Creative Commons licensing system.
So this is beyond copyleft trolling: they’re not threatening someone who made a small attribution error and was technically in violation of their license: rather, they sent repeated threats (I missed the first one) to someone who correctly attributed their client’s image. I am an attribution stickler. Each and every time I used that image, I correctly attributed it.
What’s a Pixsy and Why Is It Sending Me Legal Threats?
Sharp-eyed readers will have noted that the legal threat I received originated from “Pixsy.”
According to their website, they’re “an online platform for creatives and image owners to discover where and how their images are being used online,” with a “global and growing network of 25 expert legal partners and law firms,” and “investment and support from leading North American & European investors and partners.”
I’ve heard from photographers who use them for straightahead copyright enforcement, catching commercial users of their pictures who published their photos, profited from them, and never asked permission or paid for a license.
Maybe all that’s true, but they’re also copyleft trolls.
Remember Marco Verch, the runner who works for four hours a week, who uses an automated process to commission photos from gig-workers in poor countries that he uses as bait in a copyleft racket that has victimized more than a thousand people, and even put a charity out of business for making a small textual error in their attribution string?
Pixsy provides Verch’s US legal representation and has filed dozens of suits on his behalf.
They wanted $600 from me.
Do As I Say, Not As I Do
Pixsy’s position, in other words, is that I made a minute, inconsequential error, and that as a result, I owed their client $600, and if I didn’t pay, they were going to sue me for $150,000.
But Pixsy made a gross, and extremely consequential error.
Actually, a whole passel of errors.
First, and most importantly, they were wrong. I had, in fact, attributed their client’s image correctly. That fact is obvious to anyone who checked, and what’s more, it was clearly visible in the supercilious “Evidence Report” they sent me.
The errors didn’t stop there. For example, they addressed their email to me as if I lived in Canada. I haven’t lived in Canada since 1999. When I pointed out their error, I got an email from them apologizing…an email they addressed to Colin, not Cory.
These are precisely the kinds of errors that Pixsy’s lawyers tell judges should lead to millions of dollars in statutory judgments.
Pixsy Does Not Care About Copyright
The point of a system is what it does. Pixsy sends speculative invoices to people who correctly understand they have the right to do what they have done, threatening them in order to obtain “license fees” they shouldn’t owe, or don’t owe.
If you put a CC license on your work, its explicit message is, “I want you to re-use this.” Not “I am a pedantic asshole with a fetish for well-formed attribution strings.” The point of CC is not to teach the world to write attribution strings: it is to facilitate sharing and re-use. If you are a good-faith user of CC licenses, then your response to an incorrect attribution string should be a request to correct it, not a threat to sue for $150,000 in statutory damages.
If you send threats instead of requests for correction, you are a terrible person and you should feel really bad about yourself.
The point of Creative Commons is to allow copyright holders to exercise their copyrights — specifically, to exercise their copyrights in a way that facilitates sharing and re-use. If you are a lawyer who responds to minor CC license errors with legal threats instead of requests for correction, then you are a predator in violation of your own code of professional ethics and you should be shunned by your peers for bringing the law into disrepute.
Shame on you. No, really.
Shame on you.
In case there was any doubt that the purpose of Creative Commons licenses is to facilitate sharing and reuse, and not speculative invoices and lawsuits, it is this: in 2015, the CC organization released the current licenses, Version 4.0, including a “cure provision” that gives people who make attribution mistakes the legal right to a 30-day grace period after notification of the error to make it right.
If Pixsy cared about enforcing photographers’ copyrights, they’d stick to actual copyright infringement, not extracting money for minor administrative errors.
The Pixsy Mystery: Law on a First-Name Basis
Pixsy is something of a black box. For one thing, all their legal threats are sent pseudonymously, signed with generic first names. My first response from Pixsy — the one that called me “Colin,” was signed by “XXXXXX.” A followup email apologizing for the “internal oversights that led to [me] being contacted” (“contacted” in this case is a euphemism for “repeatedly threatened”) was signed by “YYYYYYY.”
To put it bluntly, this is a very bad sign. Legitimate legal correspondence is signed by actual named parties. It’s not conducted on a first-name basis.
Even worse is what YYYYYYY wrote to me:
Our clients submit cases of unauthorised use to us for review, and it’s up to the case manager to individually review and check whether there is a claim for financial compensation in the submitted case. In this specific case, the case manager did not take the time to fully review the scope of the use before making a decision to accept the case and send a license fee request. I also note that the case manager incorrectly addressed you by name in this case.
This is not the high quality service that we strive to provide our clients in their fight against image theft. We’re taking this opportunity to review our case handling processes and to see how we can provide additional support and training to our licensing team to avoid such occurrences in future.
We have withdrawn and closed the case, and have notified the client about our reasons for doing so.
Please accept our apologies for the contact, and thanks for your time and attention.
There are two giant flashing warning signs in this “apology.” The first is that YYYYYYY claims that they only threatened me because Nenad Stojkovic told them to, and that no one from Pixsy actually investigated the matter before they threatened to sue me.
That is not something a law firm should do. In actual law firms — even sleazy bottom-feeders, but especially reputable firms — legal correspondence isn’t just reviewed by “case managers” and other glorified customer service reps.
Legal correspondence is reviewed by a lawyer or other legal professional. Legal threats are always overseen by a lawyer. If you ever hire a lawyer to work for you and their office sends legal correspondence to third parties on your behalf without actually having someone with a formal legal credential review it, you should fire that lawyer and lodge a formal complaint with your state Bar Association.
Speaking of hiring lawyers, let’s talk about the other warning sign in that email: did you see how YYYYYY threw her client under the bus? She says that her company sent me multiple legal threats not as the result of an automated process gone wrong, but because their client, Nenad Stojkovic, demanded that they do so.
It is my opinion that this is not true.
Pixsy’s own marketing materials describe its processes: the company sends bots around the web looking for its clients’ images, they figure out who posted those images, then they send legal threats to those people.
I think that’s exactly what happened here. I asked YYYYYY if that was the case (I also asked her if Pixsy’s legal threats were supervised by counsel, and who that counsel was, and where they were licensed to practice law) and she sent me a terse note referring me to the company’s website. Needless to say, the website brought no clarity to any of this and YYYYYY didn’t reply to my followup email.
There’s one other party that could shed light on this: Nenad Stojkovic. I contacted him multiple times through his Flickr account, but never heard back. Mr Stojkovic, if you have any clarity to bring to this matter, please send me an email, I’m at firstname.lastname@example.org.
Just to be clear, here’s what I think is going on: I think Pixsy runs a robosigning mill, a system where legal threats are generated and dispatched without due care or legal supervision, through largely automated means. I think they’re not in the business of protecting copyrights, they’re in the business of terrorizing the public into sending license fees to them, which they split with their clients.
Creative Commons invented a robo-lawyer that did good: made it easier for copyright holders and users to reach agreements with one another. I think Pixsy has created a robo-lawyer whose purpose is to terrorize innocent people into paying money for minor administrative errors.
Pixsy, the same goes for you as goes for Mr Stojkovic: if you want to actually answer my questions about this, rather than stonewalling, send me a line. Remember, though, it’s “Cory,” not “Colin,” and I haven’t lived in Canada since the previous millennium.
Stop Manufacturing Ammunition for Copyleft Trolls
The misery that copyleft trolls inflict on the world is all the more perverse because they rely on CC licenses for the ammunition in their campaign of legal terror.
What’s more, there are billions of CC works with old licenses hanging around out there — if any of those creators ever turns troll, then anyone who recently used their work with a malformed attribution could face legal threats (the statute of limitations for copyright infringement is, mercifully, three years, which reduces the danger of some “entrepreneurial” copyright lawyer seeking clients in order to go after decades-old uses).
Everywhere CC licensed works are hosted, the pre-4.0 versions of the Creative Commons licenses — the ones without the “cure” provision — should be disfavored.
What would that look like?
- Upgrade on Upload: Anytime someone tries to upload a CC image with a pre-4.0 license to a repository like the Internet Archive, Wikimedia Commons, Thingiverse or Github, they should be asked if they are the creator, and, if so, should be prompted to upgrade the license to the current version;
- Upgrade in Place: Every repository that hosts CC works that carry pre-4.0 licenses should send an email to every account holder urging them to opt into a process to upgrade them immediately to the latest license.
- Warnings: Every repository that hosts CC works that carry pre-4.0 licenses should place a prominent warning on every page that includes these works, explaining that this work uses an outdated and disfavored license and that a failure to correctly attribute it could attract a $150,000 statutory damages awards.
- Automated Attribution: Every repository that hosts CC works should have a one-click system to create an attribution string for each of the works it hosts, which is transferred to the user’s clipboard.
Thankfully, some of this is already underway. The Creative Commons organization has published a new set of Principles for License Enforcement, and I’m told they’re about to release further materials that will make it clear that trolling is illegitimate and counter to the spirit of the license, and the CC image-search tool that they recently transferred to Automattic has an excellent attribution string generator (that search tool still needs prominent warnings on images with old licenses, though!).
Flickr, too, is finally moving on this. Flickr, you may recall, was bought by Yahoo and run into the ground for more than a decade, then transferred to Verizon for further malign neglect. Today, it is under new management by SmugMug, who are slowly but surely digging out from under the technological debt left behind by Yahoo and Verizon’s mismanagement.
In correspondence with Flickr management, I learned that they are planning to implement all the measures I outline above: one-click upgrading, warnings on 2.0 licensed images, and automated attribution generation.
Mercenaries Have No Conscience
Part of me feels for Nenad Stojkovic (assuming I’m right and he didn’t personally insist that I be sent repeated, baseless legal threats). I know what it’s like to be ripped off online.
There are so many scammers out there: not a month goes by without someone uploading one of my books to Amazon, claiming it as their own, and selling it through the Kindle store.
On multiple occasions, scammers have tricked narrators into recording entire audiobooks of my novels for Amazon’s self-serve ACX platform, with the promise of a revenue share. Of course, this is a real, substantial violation of my CC licenses (which prohibit commercial use for my novels) and so I get them taken down, and the poor narrators are left holding the bag.
The people who pull these scams are remorseless sociopaths and I, too, would like to hold them to account.
But if you hire mercenaries to hunt down copyright infringers, you share the blame when they go after innocents. You set that landmine, so you have some responsibility for the legs it blows off.
The reality is that the automated enforcement tools that Pixsy uses will always generate false positives, and the people who operate those tools have no incentive to look too closely at the accusations they generate. False accusations merely terrorize random strangers, who can’t punish you in any way, except, perhaps, by embarrassing you.
Stojkovic is an individual photographer in Serbia. It’s possibly he just hasn’t been around this kind of operation enough to anticipate this outcome. But there are plenty of others who should absolutely know better, who keep hiring fishermen to hang out their tuna-nets without regard to the dolphins they know they’ll catch.
Take HarperCollins (one of the four largest publishers in the world) and Penguin Random House (the largest publisher in the world, in the process of acquiring Simon & Schuster). They definitely should know better.
And yet: HarperCollins and PRH hired Link-Busters, an “anti-piracy” company, to send legal notices to Google in order to flense the internet of pirate editions of their books (disclosure, I have books in print from both publishers).
You can probably guess what happened next. Link-Busters’ automated process misidentified the book reviews at Fantasy Book Critic, a noncommercial site whose volunteers have reviewed over 1,000 books in its 15 year history. Link-Busters, acting on behalf of HarperCollins and PRH, lied to Google and claimed Fantasy Book Critic was full of infringing material, and Google deleted the site, which was hosted on its Blogger platform.
Link-Busters is culpable here, obviously, but HarperCollins and PRH must shoulder part of the blame. Fantasy Book Critic embodies millions of hours of volunteer labor from their own best customers, all in service promoting their books. HarperCollins and PRH knowingly put those volunteers — and every other online book-lover — in harm’s way.
Ironically, the one place where reviewers can be certain they won’t face capricious removal thanks to off-the-leash mercenaries employed by giant publishers is Goodreads, the monopoly review platform owned and operated by Amazon, which serves as a powerful funnel that drives dedicated readers to Amazon, strengthening its commercial control over HarperCollins and PRH.
The good news is that Fantasy Book Critic is now back online, because authors and readers flooded Google with complaints and pleas (this is generally the only way to get Google to address its own mistakes, and obviously it doesn’t scale).
It could get much, much worse. Rightsholder groups are backing a Copyright Office plan to make this kind of robosigning into law, forcing all online platforms to institute filters that automatically remove materials that an algorithm finds to be infringing, without human oversight or judgement.
It’s a recipe for a world where the mercenaries are robotic, remorseless, and act with utter impunity. When a first-name-only Pixsy rep calls you Colin and threatens to sue you for $150,000, at least you can call them out publicly. But when the robosigners are baked into every public forum, even that small measure of accountability is denied to you.
Nenad Stojkovic (modified)