How FOSS Projects Handle Legal Takedown Requests(f-droid.org)
108 pointsby mkesper13 hours ago5 comments
  • s1mplicissimus9 hours ago
    > One FOSS organization, for example, requires all legal correspondence to be submitted by postal mail in the national language and citing local law. Most complaints evaporate once asked to comply.

    Pure gold.

  • brian_cunnie9 hours ago
    I typically get a takedown notice a couple times a week, usually from my registrar (Namecheap) or from Netcraft, about 100 so far.

    I keep a public (transparent) list of takedowns, on a public repo on GitHub. The commit messages are the logs. [0]

    I have a way to dispute: raise a GitHub issue. I've only had two people dispute: one was legit, and I unblocked him, and the other ran a WordPress site which he didn't know was compromised. I did not unblock him. [1]

    Please don't judge me harshly for honoring the takedowns immediately, but I do so because the remedy is simple: register your own domain, and don't rely on my nip.io / sslip.io service (which maps IP addresses to hostnames as a convenience for developers, e.g. 127.0.0.1.nip.io → 127.0.0.1).

    Dealing with takedown requests is the least pleasant aspect of running FOSS project. I want to spend my free time coding, not blocking phishers, scammers, and grifters.

    [0] https://github.com/cunnie/sslip.io-blocklist [1] https://github.com/cunnie/sslip.io/issues/100

  • politelemon11 hours ago
    This seems like a well balanced approach. I do love the abuse mitigation measures in place to dissuade casually malicious actors. The fact that providing evidence itself is a deterrent just goes to show how ill intentioned most of them are.
  • ignoramous6 hours ago
    TFA goes: A window for response (commonly 14 days) is offered, unless unfeasible due to seriousness and time restraints of the request itself. If the developer disputes the claim and provides supporting information (e.g. license, public domain status, fair use justification), the claim is reviewed.

    As someone who has had multiple FOSS projects take down by companies / app stores (happens when we go viral in some country), DDoS'd by rouge actors (thanks for saving our bacon, Cloudflare!), visits from law enforcement etc; F-Droid's post on "appeals process" comes as a surprise. Here's the email I received from them:

      Dear The Rethink DNS Authors,

  The F-Droid platform has received an official order from Roskomnadzor (RKN), Russia's Federal Service for Supervision of Communications, IT, and Mass Media, regarding Rethink (Registry Entry #3133609-РИ) https://f-droid.org/ru/packages/com.celzero.bravedns/
  ...

  F-Droid took technical measures to block your website app page for the Russian site visitors to avoid the risk of limited access to F-Droid as a whole. For further queries or concerns, contact legal@f-droid.org.

  Thank you for your cooperation.
    Nothing in there informs me that I had the opportunity to appeal.
    • thedevilslawyer2 hours ago
      Maybe depends on whether the national authority (RKN here) allows appeals from either f-droid or you?
  • its-summertime12 hours ago
    How does it make sense to ask an app developer to appeal on behalf of a platform they have zero control over?
    • vetrom11 hours ago
      It doesn't, but platforms basically do everything they can to claim the various common-carrier liability shields in DMCA-like laws. In the U.S. that means they forward the takedown request to whomever generated the content, and in theory should allow that generator to comply, or publish a counterclaim.

      The whole system falls on the floor though when the common carriers aren't, and have low quality processes that don't actually enable the counterclaim half of this process.

      • behringer11 hours ago
        Don't be fooled. These so called low quality processes are designed by large corporations in order to abuse their positions and retain control over all content being shown. The providers have no interest in providing legal protections to their small content creators. They want to focus on pleasing the big players.
    • SpicyLemonZest9 hours ago
      The entire concept of a "takedown request" is a compromise solution. Platforms would ideally like to be a public square, where third parties can say whatever they want and the platform doesn't have to do much about it. Copyright holders, revenge porn victims, etc. would prefer to hold the platforms strictly liable, because on the Internet it's extremely hard to actually find the third parties. So in a variety of contexts we've found it's useful to meet in the middle: platforms are exempt from liability, but in return they have to process takedown requests, unless the third party challenges the takedown and makes themselves available for possible legal proceedings.