Protecting 'Funko' Brand, AI-Powered 'BrandShield' Knocks Itch.io Offline After Questionable Registrar Communications (polygon.com) 48
Launched in 2013, itch.io lets users host and sell indie video games online — now offering more than 200,000 — as well as other digital content like music and comics. But then someone uploaded a page based on a major videogame title, according to Game Rant. And somehow this provoked a series of overreactions and missteps that eventually knocked all of itch.io offline for several hours...
The page was about the first release from game developer 10:10 — their game Funko Fusion, which features characters in the style of Funko's long-running pop-culture bobbleheads. As a major brand, Funko monitors the web with a "brand protection" partner (named BrandShield). Interestingly, BrandShield's SaaS product "leverages AI-driven online brand protection," according to their site, to "detect and remove" things like brand impersonations "with over 98% success. Our advanced takedown capabilities save you time..." (Although BrandShield's CEO told the Verge that following AI reports "our team of Cybersecurity Threat hunters and IP lawyers decide on what actions should be taken.") This means that after automatically spotting the itch.io page with its web-crawling software, it was BrandShield's "team of Cybersecurity Threat hunters and IP lawyers" who decided to take action (for that specific page). But itch.io founder Leaf Corcoran commented on social media: From what I can tell, some person made a fan page for an existing Funko Pop video game (Funko Fusion), with links to the official site and screenshots of the game. The BrandShield software is probably instructed to eradicate all "unauthorized" use of their trademark, so they sent reports independently to our host and registrar claiming there was "fraud and phishing" going on, likely to cause escalation instead of doing the expected DMCA/cease-and-desist. Because of this, I honestly think they're the malicious actor in all of this.
Corcoran says he replied to both his registrar (iwantmyname) and to his site's host, telling them he'd removed the offending page (and disabled its uploader's account). This satisfied his host, Corcoran writes — but the registrar's owner later told him they'd never received his reply.
"And that's why they took the domain down."
In an interview with Polygon, Corcoran points out that the web page in question had already been dealt with five days before his registrar offlined his entire site. "No communication after that.... No 'We haven't heard from you, we're about to shut your domain down' or anything like that."
Defending themselves over the incident, BrandShield posted on X.com that they'd identified an "infringement" (also calling it an "abuse"), and that they'd requested "a takedown of the URL in question — not of the entire itch.io domain." They don't say this, but it seems like their concern might've been that the page looked official enough to impersonate Funko Fusion. But X.com readers added this context. "Entire domains do not go down on the basis of a copyright takedown request of an individual URL. This is the direct result of a fraudulent claim of malicious activity."
And Corcoran also posted an angry summation on X.com: I kid you not, @itchio has been taken down by @OriginalFunko because they use some trash "AI Powered" Brand Protection Software called @BrandShieldltd that created some bogus Phishing report to our registrar, @iwantmyname, who ignored our response and just disabled the domain.
The next day Funko's official account on X.com also issued their own statement that they "hold a deep respect and appreciation for indie games, indie gamers, and indie developers." (Though "Added Context" from X.com readers notes Funko's statement still claimed a "takedown request" was issued, rather than what Corcoran says was a false "fraud and phishing" report.)
Funko.com also posted that they'd "reached out" to itch.io "to engage with them on this issue." But this just led to another angry post from Corcoran. "This is not a joke, Funko just called my mom." Cocoran then posted what looks like a screenshot of a text message his mother sent him. Though she doesn't say which company was involved, his mother's text says she "Got a strange call from a company about accusatory statements on your social media account. Call me..."
Thanks to ewhac (Slashdot reader #5,844) for sharing the news.
The page was about the first release from game developer 10:10 — their game Funko Fusion, which features characters in the style of Funko's long-running pop-culture bobbleheads. As a major brand, Funko monitors the web with a "brand protection" partner (named BrandShield). Interestingly, BrandShield's SaaS product "leverages AI-driven online brand protection," according to their site, to "detect and remove" things like brand impersonations "with over 98% success. Our advanced takedown capabilities save you time..." (Although BrandShield's CEO told the Verge that following AI reports "our team of Cybersecurity Threat hunters and IP lawyers decide on what actions should be taken.") This means that after automatically spotting the itch.io page with its web-crawling software, it was BrandShield's "team of Cybersecurity Threat hunters and IP lawyers" who decided to take action (for that specific page). But itch.io founder Leaf Corcoran commented on social media: From what I can tell, some person made a fan page for an existing Funko Pop video game (Funko Fusion), with links to the official site and screenshots of the game. The BrandShield software is probably instructed to eradicate all "unauthorized" use of their trademark, so they sent reports independently to our host and registrar claiming there was "fraud and phishing" going on, likely to cause escalation instead of doing the expected DMCA/cease-and-desist. Because of this, I honestly think they're the malicious actor in all of this.
Corcoran says he replied to both his registrar (iwantmyname) and to his site's host, telling them he'd removed the offending page (and disabled its uploader's account). This satisfied his host, Corcoran writes — but the registrar's owner later told him they'd never received his reply.
"And that's why they took the domain down."
In an interview with Polygon, Corcoran points out that the web page in question had already been dealt with five days before his registrar offlined his entire site. "No communication after that.... No 'We haven't heard from you, we're about to shut your domain down' or anything like that."
Defending themselves over the incident, BrandShield posted on X.com that they'd identified an "infringement" (also calling it an "abuse"), and that they'd requested "a takedown of the URL in question — not of the entire itch.io domain." They don't say this, but it seems like their concern might've been that the page looked official enough to impersonate Funko Fusion. But X.com readers added this context. "Entire domains do not go down on the basis of a copyright takedown request of an individual URL. This is the direct result of a fraudulent claim of malicious activity."
And Corcoran also posted an angry summation on X.com: I kid you not, @itchio has been taken down by @OriginalFunko because they use some trash "AI Powered" Brand Protection Software called @BrandShieldltd that created some bogus Phishing report to our registrar, @iwantmyname, who ignored our response and just disabled the domain.
The next day Funko's official account on X.com also issued their own statement that they "hold a deep respect and appreciation for indie games, indie gamers, and indie developers." (Though "Added Context" from X.com readers notes Funko's statement still claimed a "takedown request" was issued, rather than what Corcoran says was a false "fraud and phishing" report.)
Funko.com also posted that they'd "reached out" to itch.io "to engage with them on this issue." But this just led to another angry post from Corcoran. "This is not a joke, Funko just called my mom." Cocoran then posted what looks like a screenshot of a text message his mother sent him. Though she doesn't say which company was involved, his mother's text says she "Got a strange call from a company about accusatory statements on your social media account. Call me..."
Thanks to ewhac (Slashdot reader #5,844) for sharing the news.
Funko (Score:2)
Wish I had thought of selling over priced plastic shit to fan bases.
Re: Funko (Score:2)
Re: (Score:2)
How would've you secured the licensing deals with companies like Disney, et al., and afforded the upfront costs associated with promoting your products widely enough that they'd ultimately prove profitable?
It's not much different than the idea of running a legitimate MP3 store. The tricky part was getting the rights holders to agree to your plan, otherwise your "idea" is basically just a variant of that scheme by that guy who decided to set up a paid pirate streaming service.
Re: (Score:1)
I do wonder what percentage of microplastics in me are old beanie babies and funko pops...
Turn it around... (Score:4, Interesting)
Re: (Score:2)
Re: (Score:2)
Re:Turn it around... (Score:4, Insightful)
I'd send them a bill for damages due to lost sales and any negative perception created by the false allegations. They and their terrible brand management company can work out who screwed the pooch and has to pay up, but the quickest way to stop this kind of behavior is to punish transgressors. Waiting around for the government to fix their awful laws and regulations isn't going to help.
Now, I admit my OP wasn't serious. But the problem with monetary fines is that for rich people/corporations, they just become part of the cost of doing business. Elon Musk can get a speeding ticket every trip for the rest of his life and as long as it isn't a severe enough infraction to get his license taken away, it has no visible impact on his bank account.
Now, when you take down a company's domain, that'd have impact. To keep picking on Sony as a random company, you know there's got to be more than 24 hours a day of someone stuff being down, so sony.com would never be usable. And if they shifted to something like sony-usa.com, that's what would be targeted and taken down. The company wouldn't have e-mail, wouldn't have a sales portal, wouldn't exist in a lot of ways. The outage would disrupt them proportionately more because of their size. I'm looking for ways to make punishment akin to making Elon Musk walk everywhere for a year. No cars, no jets, no boats, no bikes, no rickshaws, no skateboards, no roller blades, no piggyback rides. Summons to appear in court or in front of congressional hearing committees would be... interesting. Note: I'm only picking on him as an illustration.
Re: (Score:2)
Just make each succeeding fine the square of the previous fine...measured in pennies.
Re: (Score:2)
Japan actually does this. Companies can get "jail time" where they are forced to shut down for X days. I think staff still get paid, but they can't do any business.
In the case of a website, it might be better to force them to replace it with a legal notice, except for support pages. Customers shouldn't suffer e.g. not being able to access driver downloads or support tickets.
Re: (Score:2)
Now, I admit my OP wasn't serious. But the problem with monetary fines is that for rich people/corporations, they just become part of the cost of doing business.
My suggestion would be to create a statutory liability for takedowns of online content or restraint on free speech through any wrongful or erroneous legal process involving court filings, summons, or a notice to service providers: in the greater of five-fold damages or $1000 per post per day or $500 per 12 hours during which content remains ta
Re: (Score:2)
On the contrary, a fine is one of the few things that can hurt a company. A fine just needs to be big enough (in particular being bigger than the profits made by breaking the rules, and bigger than the cost of complying with the rules).
Re: (Score:2)
> Elon Musk can get a speeding ticket every trip for the rest of his life and as long as it isn't a severe enough infraction to get his license taken away, it has no visible impact on his bank account.
I'll bet if he ever drives himself around in Norway, he'll be *super* careful to stick exactly to every speed limit there is. Why? Because the fines are means tested.
There's no problem with monetary fines - it's the implementation of them that's the issue. Fining a corporation is easy - they have to publicl
Re: (Score:2)
Re: (Score:2)
Eh, just start charging fines to companies that issue incorrect DMCAs. You can even put it on a 'per offense' basis. Get it wrong once on accident, well that's only $10. This is your 100th time issuing a DMCA that gets reversed? Bam $100,000 fine. If the risk of getting it wrong is that high companies will make sure they double check their DMCA complaints before issuing them.
I've always been a fan of a sliding scale of punishment... First offence = reduced penalty because everyone makes a mistake (don't tell me you've never gone a mile over a speed limit or accidentally found yourself in bus lane), second offence = full penalty. Third offence = increased penalty because you didn't learn from the first two times. Happy for this to reset after a period of time (I.E. 3 years).
As for DMCA takedowns... why are these even free? $100 per request, non refundable. Make the system pay
Re: (Score:2)
Re: (Score:2)
Perjury only happens when you knowingly make a false statement while under oath [legaldictionary.net]. Email is not under oath.
Re: (Score:2)
More like "tortuous interference with business". Or possibly libel.
Re: (Score:2)
Defamation *might* over a reputation harming false representation to the domain host that lead to financial losses. Though its stretch, possibly with a 'truth' defence that there was indeed a violation.
Tortous interference with business, possibly with damages would be my bet. Ie yes, a violation was there, but the response was disproportionate to the point of violation (and clearly not in line with a proper DMCA process)
Re: (Score:2)
Perjury only kicks in with DMCA claims if you knowingly and maliciously claim to hold a copyright you don't own in the course of sending a take down. There's no penalty for doing a spurious take down (the target wasn't actually infringing), nor is there a penalty for accidentally claiming someone else's work as your own. So all you have to do is pinky promise you did a whoopsie doodle on accident and you can copyright troll to your heart's content.
Re: (Score:1)
Re: (Score:2)
Funny how laws always work in favor of the rich or powerful.
Re: (Score:2)
Funny how laws always work in favor of the rich or powerful.
The modern political systems, even for the most democratic ones, are only capable of respecting the public opinion of at most 2 to 3 issues at hand. If the rich and powerful conjure up enough number of evil plots, the current democracy system will be crowded out and most of their plots will slip through unquestioned.
Copyright abuse is too minor a issue compared to many other deadly deeds.
Re: (Score:2)
I would say it is not enough.. in this case there ought to be a criminal charge for the company falsely reporting a domain as phishing to a domain registrar. And there should be a fine and sanctions against the domain registrar for improperly shutting down a domain name in the DNS. What I mean is there are two responsible parties for this incident at least. The company that falsely reports them as phishing, And the domain registrar that acts upon it blindly when there is clearly no evidence that
Lesson to be learned (Score:3)
Re: (Score:2)
Re: (Score:2)
You need little skateboards for the turtles. It improves transit times tremendously, and the turtles appear to like it.
Cowabunga.
Re: (Score:2)
Haven't you found that the pigs destroy the antennas?
Re: (Score:2)
Haven't you found that the pigs destroy the antennas?
They usually can't get that high unless you hype them up on cocaine or something.
Funko being idiots. (Score:3)
There is no way both the liability and the bad publicity is worth the couple of cents saved with automated takedowns.
Just say sorry and that you will stop doing automated takedowns entirely. The risk of this happening again with some other popular target is not worth the Funko CEO's ego.
Re: (Score:1)
Why wouldn't it be worth it? Automated takedowns have been the law of the land for a decade or more by now. Issuers face no relevant risks.
Re: (Score:2)
Their contractor just ignoring DMCA and going straight for libel is a legal risk, but apart from legal risk in the days of outrage culture the brand risk isn't worth it. For most companies blatant arrogance is not rewarded, can't all be Apple.
Re: (Score:2)
Their contractor just ignoring DMCA and going straight for libel is a legal risk, but apart from legal risk in the days of outrage culture the brand risk isn't worth it. For most companies blatant arrogance is not rewarded, can't all be Apple.
What? Where did you get this impression? From what we've witnessed over the last decade or so, arrogance is absolutely rewarded. The richest companies on Earth are populated by arrogant assholes telling people that they're holding the product wrong or somehow now behaving the way they want them to, and those companies continue to rake in profits. Honestly, Funko should just make a public statement telling this person to cry more about it, then take down a few fan-sites for good measure. They'd probably make
Welcome (Score:2)
to the new normal.
Re: (Score:2)
Re: (Score:2)
I very highly doubt they got sign offs by the companies that made such things.
Why would you "highly doubt" that a well-known company wouldn't have worked out licensing deals with various rights holders? It's not like the rights holders do it out of the goodness of their corporate hearts... they get money out of the deal.
Dune and Star Trek license their IP to third parties all the bloody time... you don't have to look very far to find it.
Re: (Score:2)
This.
And to expand upon the point: Funko Pop may have only negotiated licenses to produce bobblehead characters of the original IP. The owners of which may desire, at some future date, to negotiate video game licenses with some other developers. That's their right.
So now, 10:10 writes a game that is arguably based on trademarked images. Without securing the rights, either from Funko Pop (who may not have even had them to hand out) or the actual IP owners.
Now, Funko Pop's brand protection service kicks in
Re: (Score:2)
Only obvious trademark violation suit I could find was from Gibson guitars:
https://www.thetmca.com/tune-u... [thetmca.com]
It looks like Funko has their ducks in a row when it comes to licensing agreements (for the most part).
Eew (Score:1)
The Wrongdoer (Score:5, Insightful)
Re: The Wrongdoer (Score:2)
Re: (Score:2)
iwantmyname bad.
GoDaddy also bad.
To my recollection domain owners that are spuriously reported as "spamming" could have their domain turned off suddenly and be required to call in end up having to pay a few hundred dollars in random admin. fees for the "cost of their investigation" before can be turned back on.
Now this is raising the question.. Which domain registrar should you use If you want to be as safe from a spurious takedown as possible?
As far as I know there's no real mandate to shut down a doma