Cloud storage firm flags malware as “Copyrighted Material,” boots security researcher

A malicious software researcher finds herself in company with First Lady Michelle Obama and science fiction author Neil Gaiman: booted from the web by hard-headed copyright protection algorithms.

Mila Parkour, a researcher who operates the Contagio malware blog, said on Thursday that she had been kicked off the cloud-based hosting service Mediafire, after compressed and encrypted Windows patches and malware samples she stored on its site were flagged as “copyrighted material.”

Parkour said that she was notified on Thursday that her account on Mediafire was suspended and content she posted had been flagged and removed for violations of the U.S. Digital Millennium Copyright Act (DMCA).

In particular, Parkour said the site objected to her post of a Microsoft patch and what she described as “an old, malicious PDF attachment” linked to phishing attacks in 2010. Parkour wrote about the malicious attachment on her blog here.

Parkour, an independent security researcher based in Washington D.C., is a noted expert on malicious software. Her Contagio website is an oft-cited resource for analysis of malicious code and attacks.

Information posted on Mediafire indicated that the company had received a complaint from LeakID, a French firm based in Paris that describes itself as a “digital agency … founded by experts from the world of radio, television and Internet.”

LeakID markets “Leaksearch,” an “ownership tool that will alert you within seconds if your content…is being pirated.”

According to Parkour, Mediafire received a notice from LeakID claiming that it was “acting on behalf of the copyright owners,” though the owners and presumed copyrighted content weren’t named.

Under the DMCA, organizations that receive notices of copyright infringement must prevent the file from being shared, regardless of the legitimacy of the complaint.

Parkour said that she appealed to Mediafire upon receiving the copyright violation notice, but that all questions on the issue were referred to LeakID. The researcher filed a counterclaim protesting the copyright infringement claim using an online form, but had not received any response from LeakID.

LeakID flagged three files for what the company considered three copyright violations: a link to a Microsoft Office patch file related to an August 2011 blog post on Contagio, and two encrypted ZIP files containing malicious PDFs used in online phishing scams that Contagio examined in separate posts in April and August 2010.


In an instant message conversation with Naked Security, Parkour said that she doubts the malicious PDFs contain any copyright violations. LeakID seems to have a business model to “scout the web for all they find and then offer it for sale to copyright owners… there is no explanation of WHY and HOW they decided it was copyrighted,” she wrote.

Both copyright owners and firms that host content are increasingly relying on algorithms to spot content online that may violate laws like the DMCA. That has led to a rash of head-scratching “takedowns.”

In just the last week, an online video stream of the annual Hugo Awards on the online streaming service Ustream was blocked, preventing internet viewers from seeing star author Neil Gaiman accept an award.

Ustream blamed the content filtering service Vobile for the error – a charge that Vobile denied, blaming, instead, its customers who “must decide for (themselves) what it does with” the information Vobile’s monitoring system gives them.

That scenario played itself out again on Tuesday, when a live stream of First Lady Michelle Obama’s address to the Democratic Convention was unceremoniously yanked from YouTube for suspected copyright violations.

A search of the internet reveals countless complaints from other bloggers and website owners about fishy LeakID takedown notifications.

Parkour said the incident has shaken her faith in cloud-based services. In addition to malware samples, her Mediafire account hosted other, personal data as well – all of which is now inaccessible to her.

She said that, in the wake of the incident, she has received offers from other anti-malware websites and said she will switch hosting providers, but is weighing her options carefully.

Update: Mila has regained access to her files, although future access is still unclear.