Phishing Scam Targets Photographers Protecting Copyright

The site WallPart has been getting a great deal of attention among photographers over the past week.

The site, which I am not linking to for obvious reasons, claims to be a poster shop where users can get prints of their favorite images. However, in truth, the site is a Google Image Search scraper, that displays results found in search engines for every query.

Though it’s unclear if the site actually sells any prints, no one has been able to find evidence that they do.

However, last week, the Peter & Company blog reported that the site was actually an elaborate phishing scam, but one that targets not buyers, but photographers and artists who seek to have their images removed.

The phishing worked through a Copyright form that users would fill out to report infringing images. Basically, the artist or their representative would fill the form out, but it would capture additional information and pass it along to the site administrators. How this happened is unclear to me but the form has been offline for at least the past few days.

The site itself, however, remains active.

But while WallPart may be the first time a site has been called out for misusing a copyright complaint form to abuse those seeking to remove infringing works, but it won’t be the last. In fact, there’s a good chance that this is only the tip of the iceberg and that other sites may well be doing something very similar.

How WallPart Works

Though WallPart claims to be a Poster Shop, it really functions as a scraper, taking results from Google Image search and sticking the images into a store-like template.

You can prove this easily yourself by searching for unusual things in WallPart and then performing the same search on Google Images, limiting your results to very large images. For example, both WallPart and Google Images have the same photo of a camera for “Plagiarism Today” using those rules.

However, you don’t have to take my word for it, WallPart says it on their “About Us page saying:

We have no base of images, and doesn’t host and store the image on servers. Wallpart.com only helps the user to find the images interesting him, the site uses data of the most known third-party search engines. Process of search happens at user’s browser.

In short, WallPart is admitting that it doesn’t have a catalogue of images, it just pulls them from search engines. However, the site does say that it feels its use of the images is not an infringement, even though they claim to be knowingly making prints of other people’s photos without permission, meaning that they are either lying about making prints or don’t understand copyright law.

Though WallPart’s use of images is almost certainly an infringement of artist copyrights in most of the world, the site has been reportedly based out of Russia but it claims to ship from China. Its servers are protected by CloudFlare, making it difficult to determine where the site is actually hosted.

Unfortunately though, sites like this are fairly common. They’re easy to set up and run and Google does a poor job detecting image scrapers, making them enticing to spammers. As such, it’s the phishing element that has drawn the most attention but it’s also the part that I have the least information on.

Shortly after the initial reports, the site removed its copyright complaint form so I haven’t been able to look at it or test it. Sadly, Archive.org doesn’t have the page and it’s not in the Google Cache. However, user HarperCaliphate at Reddit reported that the form was simply asked for the violating image, your name and email address, nothing more.

So, what phishing attempt took place is unclear, but there’s plenty of reason to distrust a site such as this one and, unfortunately, it’s likely not the only one that will attempt to scam or game copyright holders who seek to lodge complaints.

The Bigger Threat

WallPart, in reality, isn’t the threat. The threat is much more broad and one many who file copyright notices, myself included, fail to think about.

When a rightsholder submits a Digital Millennium Copyright Act (DMCA) notice with a host or a search engine to get infringing material removed, a lot of information goes with it. That info typically includes, name, email, phone number, postal address and more. Though there are steps that can be taken to ensure reasonable privacy when filing a DMCA notice, those steps only go so far.

But while DMCA filers routinely think about what the person they’re filing against will do with that information, rarely do they think about what the company they are filing through will do.

The reason that this information needs to be passed along is pretty clear. A DMCA notice is a legal notice and you have responsibilities when filing it. However, the law doesn’t mention if and how a host can use this information and U.S. laws like CAN-SPAM don’t put many restrictions on it either.

As more and more web hosts move to using forms to make the DMCA process quicker and easier on them, capturing and storing this information gets easier too. This means more and more companies will have ever-growing databases of personal information for rightsholders that we are going to have to trust they will either not use or, at the very least, use responsibly.

While the greater danger remains backlash from angry infringers, as the death threats I’ve received can testify to, that’s still a lot of personal information in the hands of companies.

While I haven’t heard of it being misused yet, the WallPart case is a reminder that we need to continue being careful about where we send our personal information, even when filing out a DMCA notice.

Steps to Take

On that note, if you’re wanting to be more careful about where your data winds and further reduce the risk of being phished, spammed or otherwise have your information misused, there are a few steps you can take in addition to my previous privacy tips (which I still recommend).

1. Never Register for an Account: If a site requires you to sign up for an account to file a copyright notice, find another path. Registering an account means that you have to agree to their terms of service, whatever those might be, and could result in you giving up a great deal of control over your data. Also, as we’ve seen in recent hacks, member data is a prime target for hackers.
2. Avoid Forms if Possible: Forms are good and bad when it comes to DMCA notices. They make it easier for hosts to respond to a notice and ensures that it is complete. However, they make compiling data much easier, take longer to fill out and, depending on the form, may not give you an independent paper trail of your actions. Email is still best for most notices, but more and more hosts are turning to forms as their exclusive means of receiving copyright notices.
3. Only Send Notices to Reputable Companies: Spammers like WallPart aren’t just a danger for your data, they’re also likely a waste of your time. Most people who did send a notice to them said the site never took action. Send your DMCAs only to companies that are reputable. Not only will it help keep your data safe, but improves the odds of the content getting removed quickly.

All in all, it’s important to remember that you need to be responsible when you file a DMCA notice. Not just with the notice itself to make sure that it’s valid and appropriate, but with the data in it.

Your personal information is intangible property, much like your creative works, and it is worth taking reasonable steps to protect, especially from companies like WallPart.

Bottom Line

The more I’ve looked into this case, I’ve not seen any evidence that WallPart has either sold a single print or successfully phished anyone. The evidence shows it to be a spam site, a scraper and a massive copyright infringer, but not much else.

Still, whether it was phishing or not, the story is a good time to evaluate the personal information we put into copyright notices and the people we send it to. With stock letters and a quick email finger, many rightsholders send out their information many times per day. That’s a lot of copies of some very personal information floating around in some uncomfortable places.

I will certainly be reevaluating my approach to takedown notices after this and I encourage others to do the same. While I’m not aware of any abuses yet, this case highlights the danger and the best time to pay attention to a danger is before it strikes.

So, when protecting your work, be careful. It’s not just the infringers that have the potential to misuse your data, everyone in the chain shares at least some of the risk.

Fortunately, such databases are too small to be of much interest to spammers, but, given how hostile some are to creators who strongly protect their copyright, there are real risks if the information gets out.

That’s because, while removing your personal information from data brokers is a common defense against doxing, it’s not exactly an option for rightsholders who file copyright notices. Their information, by law, is sitting in the databases of dozens, or hundreds of hosts and search engines.

Still, a little bit of care can go a long way to reducing the problem.