EU and Copyright : Anatomy of a Political Hacking

  • -Aktualisiert am

Beim Ringen um ein neues Urheberrecht wird Europa von Bot-Netzwerken angegriffen. Bild: dpa

September, 12th, the European Parliament will vote on a new policy regarding copyright law. MEPs are being bombarded with emails and phone calls – supposedly from worried constituents. A closer look paints a very different picture.

          The New Testament attributes a myriad of miracles to Jesus Christ. One of them is the wondrous feeding of the multitudes, in which Jesus takes a small amount of bread and fish and multiplies it so that thousands of people are fed by it. A similarly miraculous multiplication took place in the debate on the EU Copyright Directive at the end of last June. Only it wasn’t bread or fish that was multiplied, but protest. Or rather, something meant to look like protest.

          In September of 2016, EU Commissioner Günther Oettinger proposed a policy on copyright law in the Digital Single Market. Oettinger’s tenure as Commissioner for Digital Economy and Society ended soon after, but as time passed, bureaucracy took its course until it was time for the European Parliament’s Committee on Legal Affairs to vote on the proposal.

          In the run-up to the vote, one could observe what’s come to be known in German policy-making as Struck’s Law, named for the former SPD politician Peter Struck: the rule that no law emerges from the parliament the way it enters it. Many changes and additions were made, which the appointed rapporteur, Axel Voss (CDU/EVP), was allowed to negotiate.

          Very early in the process, the only MEP from the Pirate Party, Julia Reda, began to fight the propositions. For her campaign, she made very strong use of distortion and simplification. The word „link tax“ (Linksteuer), by way of which Reda wanted to stop Article 11 of the policy, may be catchy, but there is something unwittingly comical to the earnest suggestion that there is a tax, collected by the tax office, on using links to online pieces of writing.

          (See the German version of the essay.)

          The polemical buzzword „upload filter“, to oppose Article 13 of the policy, wasn’t much better. Upload filters are not, and were never, part of the proposal, but the word works well in fueling fears. Indeed, Julia Reda managed to convince some of her supporters that if the policy on copyright law is passed, everything on the internet will be filtered, and memes – yes, those beloved memes – will be forbidden altogether.

          The fact that the policy says something completely different was of no more than marginal interest. According to the actual proposal, web platforms – and only web platforms – would have been obliged to enter into license agreements with the individual right owners of user-uploaded content or the copyright collectives by which the content is maintained.

          In this scenario, it’s the platforms who are responsible for license payments; users have nothing to do with it. It would simply have meant a duty for the platforms to be transparent in order to comprehensively account for the licensing and to correctly forward the payments to the respective right owners. If a platform didn’t want to enter such a license agreement, the EU policy would at least hold that platform responsible to keep its own website clean. How it achieves that is up to the platform itself, as long as it prevents copyright infringements.

          So far, so good on the significance of the copyright policy’s Article 13. Unfortunately, though, many of those who have joined the discussion have refused to put in the intellectual effort to read the proposal in its updated form and understand its intention. This goes for everyone all the way from web associations of political parties to journalist Sascha Lobo, who wrote of „censorship machines“ (Zensurmaschinen) in „der Spiegel“. If only they had read what they publicly decry! Then maybe they would have realised that for the first time, users of platforms that don’t license content would have had substantial leverage, including a right to mediation in the case of the blocking of content. At that point, at the latest, it should have become clear that the term „censorship“ misses the mark. Perhaps it was simply too complicated to get hold of and understand the current version of the document?

          But let’s talk about the platforms, since they are the ones affected by this. More specifically, let’s talk about one of the most successful platforms: Youtube. It’s exclusively platforms like Youtube that the policy addresses. Not start-ups, not online shops, and not open source platforms.

          For years, Youtube has used a system called Content ID, which allows right owners who have uploaded their content to the platform to decide what happens to it if and when it’s used. This ranges from monetarisation – if, for instance, a user uploads a video which includes music, the right owner of that music receives a portion of the video’s ad revenue – to the blocking of the video. Above all else, it’s meant to prevent third parties from making money using other people’s content.

          But it gets better still. A system called Copyright Match, which Youtube developed for its channel owners, is just now ready to be put into practice. It is, as it were, a „Content ID“ light, and is mainly intended to assist Youtubers in reacting to identical videos. The user who uploaded the video first automatically receives a message and gets to decide what happens to the duplicate, including the possibility to block it.

          Is there anybody out there who’d brand this „censorship“? Apparently not – after all, there have been no demonstrations against Content ID and Copyright Match. We haven’t seen public outrage against Youtube’s „censorship machine“. Julia Reda, Sascha Lobo, or the similarly indignant Youtuber LeFloid haven’t yet deleted their Youtube channels or put black ribbons on them to protest against these upload filters.

          But speaking of demonstrations – it’s worth talking about them. In reaction to the policy proposal, there was one, on 24 June, in Berlin. Unfortunately, it rained that day. Otherwise one might have considered the usual herds of tourists visiting the Brandenburg Gate as part of the protest.

          As it was, though, about 150 people showed up. A similar number to that of a previous demonstration against the proposal for a German law on ancillary copyright for press publishers, although in that demonstration, there were probably more press photographers than activists.

          Such initiatives suffer from the internet’s 1-per-cent rule. No matter how big the association organising the demonstration, 90 per cent of users use the internet in a completely passive way; nine per cent „like“ something every now and then; and just one per cent is active and uploads things to the internet.

          But this didn’t mean that the opponents of the policy proposal had shot their bolt. Because now came the time of the bots, of automatically generated emails, of phone calls made in automatised processes – and with it the wondrous multiplication of protest, or what one is meant to perceive as protest. Because in the week before the vote took place, email inboxes of MEPs were flooded with automatically generated emails. Some MEPs said they received around 60,000 emails. In total, 6 million emails were allegedly sent to MEPs in this way. Compare this to the grouplet of protesters in Berlin.

          Nearly all emails were identical in content, pre-formulated, and pre-formatted. Many of them were sent several times by the same sender; after all, they were meant to appear multitudinous. One of the domains the sender used most frequently was, a website bare of any content. It’s registered by an English company which mostly belongs to an American corporation dealing in domain trading and services. A civil rights initiative it is not. In the end, maybe those responsible were too worried about being held accountable for the email bombardment? Similarly, accounts on Twitter were flooded, not just with spam, but also with threats.

          What had happened? Pages such as provided the tools for creating the bomb carpet of emails. Among the supporters of the page are a number of internet lobbyists, such as the Electronic Frontier Foundation (EFF).

          And who is behind The campaign was organised by the organisation Copyright for Creativity (C4C) and its administrative office, N-Square. C4C has 42 members and is financed largely, according to itself, by George Soros’s Open Society Foundation and the Computer & Communications Industry Organization. Among the members of this U.S. industrial association are Amazon, Cloudflare, Facebook, Mozilla, Google, and Uber.

          For the execution of the campaign, N-Square, a lobbying company of the KDC Group, which works for Google and others, provides links to several campaign pages. It’s unclear who is behind them, because only half of them include site notices detailing the publishers‘ information. Not even has one, and instead only offers further links. The obligation to provide a site notice, as required by the e-commerce policy, is simply ignored.

          Only at second glance, namely through a Whois Lookup, do you learn that is registered by C4C. Moreover, the conglomerate C4C, the KDC Group, N-Square has registered further websites that played a role in this hacking: and Again, both websites do not offer information on who created them. Again, only a Whois Lookup attributes them to the KDC Group.

          A further analysis of the traffic on is very insightful. Most of its visitors up to late June came from Poland. This could have to do with the fact that advertising banners for the campaign were placed on Polish webpages. Those banners were booked through the dubious English-Russian advertising network PropellerAds. According to a 2015 study by the British company Incopro, PropellerAds was number 2 in advertising networks that finance piracy websites via advertisements. It’s an integral part of the advertisement system on illegal pages that breach copyright as part of their business model. Through the tools used, American page visitors, who notably made up the 4th-biggest visitor group during the campaign, were able to contact Members of the European Parliament.

          On his blog „TheTrichordist“, the American blogger David Lowery describes how he was able to speak to UK MEPs on the phone. As several MEPs have told us, they received, as previously mentioned, 50,000 to 70,000 emails.

          Let’s assume that an order for 50,000 emails, plus an encore of 25,000 emails, was placed with the company New/Mode, for their Full Toolkit (Best Value). This would mean that the cost of the entire DDoS attack amounted to a mere 549 U.S. Dollars, or 470 Euros. That’s 0.60 Euro per MEP, assuming that several MEPs were bombarded with emails simultaneously through one click.

          Wikipedia, too, joined the campaign, despite the fact that it’s not affected by the directive. So, Wikipedia focused on the more broadly applicable claim of an attack on the free internet, of which Wikipedia sees itself as a contributor. Imagine if the German federal agency for motor vehicles scrutinised certain VW models, and BMW drivers would react by protesting against an attack on vehicle drivers in general. The close connection between Julia Redas office manager, Matthias Schindler, and his former employer – he was project manager at Wikimedia until 2014 – was without a doubt helpful in this move.

          Even Mozilla got involved. Subscribers to their newsletter were encouraged to call MEPs, and a „call now“ button was included four times in the newsletter. The phone call, of course, was free of charge. For an organisation which, in 2016 alone, made more than 500 million U.S. Dollars in royalties for the embedding of search engines into its browser Firefox, the cost of this is negligible.

          MEPs have said that callers used conversation manuals, so here, too, pre-formulated phrases were used. When asked questions in return or presented with counterarguments, the callers offered little in the way of answering back. In isolated instances, MEPs even received death threats.

          The terror through email, Twitter and phone calls didn’t remain without consequence. Many MEPs remained absent during the vote, perhaps because they took the death threats seriously. MEPs who formerly supported the directive now voted against it, perhaps because they thought the outcry was real.

          What do these events mean for political processes? Every citizen has the right to tell their representative his or her worries, fears, and problems. In the case at hand, however, this right is drawn into the absurd. Every message formulated by real constituents was drowned out by the flood of automatically generated emails. But this was exactly the aim of the campaign: to silence other voices and simulate a gigantic outcry. A wondrous multiplication, just like it is in the Bible. Though in this case, it wasn’t a miracle, and instead the use of technology, more precisely DDoS.

          Does this mean, then, that in the future those will win who have the better technology, and not the better argument? If that happens, it will become very difficult for minorities to be heard at all – not to mention participate in the process of political decision-making – as long as they can’t afford the required technology. And even if they could, it must be the consideration of arguments that counts, not the number of pre-formatted spam messages, threats, or ready-made phone calls.

          In the end, American internet corporations financed a substantial portion of a campaign in Europe in order to influence EU policy-making. The campaign is meant to look like a grassroots movement from the outside. In reality, it’s no more than astroturfing designed to simulate a big movement.

          Because there is no monitoring of the participants – and because there is an active marketing effort for this campaign outside of the EU – it remains entirely unclear how big the part played by citizens of uninvolved countries and/or bots generating automatised or half-automatised messages against Articles 11 and 13 of the copyright policy truly was. The campaign relies on dubious advertising marketers, and many of the involved websites don’t fulfil even the minimal requirements when it comes to the inclusion of the publisher’s information and as a result violate the General Data Protection Regulation. Conceivably, this was done because this way responsibility is diffused, as it’s not immediately obvious who is behind the campaign.

          This campaign, then, was developed and run to create confusion about its sources, supporters, and modalities, and to prevent a clear understanding of its true nature.

          It’s high time for the EU to closely analyse what happened, and to take measures in ensuring that such political hackings don’t occur again. A Governance by Shitstorm cannot be in the interest of democratically elected governments, and even less that of their voters. The EU must think about how it reacts to such clandestine attacks on its democratic institutions, and how it makes sure that such lobby-driven attacks don’t imperil its ability to work fairly for EU citizens and their interests. There is ample reason for the assumption that the same parties will use similar, if not identical, tactics until the vote on the policy in September. Therefore, it’s vital that steps are taken now in order to prevent the manipulation of our political processes by foreign and non-human players.

          Volker Rieck is chief executive of FDS File Defense Service, a company that advocates for the protection of internet content and copyright. He blogs regularly at

          Weitere Themen

          Gottes Geißel

          Assyrer-Austellung in London : Gottes Geißel

          Eine große Ausstellung im Britischen Museum widmet sich dem Assyrerreich und seinem mächtigen König Ashurbanipal. Sie zeigt eine Kultur, die hohe Kunstfertigkeit mit großer Grausamkeit vereinte – und schließlich im Feuer unterging.


          Amtsenthebung von Trump? : „Mit jedem Tag länger richtet er Schaden an“

          Im amerikanischen Magazin „The Atlantic“ forderte Yoni Appelbaum ein Amtsenthebungsverfahren gegen Donald Trump und sorgte damit für Aufsehen. Ein Verfahren sei jetzt, zur Mitte der Amtszeit, überfällig, um Amerikas Demokratie zu schützen, findet der Journalist und frühere Harvard-Dozent. Ein Interview.


          Immer auf dem Laufenden Sie haben Post! Abonnieren Sie unsere FAZ.NET-Newsletter und wir liefern die wichtigsten Nachrichten direkt in Ihre Mailbox. Es ist ein Fehler aufgetreten. Bitte versuchen Sie es erneut.
          Vielen Dank für Ihr Interesse an den F.A.Z.-Newslettern. Sie erhalten in wenigen Minuten eine E-Mail, um Ihre Newsletterbestellung zu bestätigen.