While listing some domains that may well live up to that less-than-flattering billing, the authors of Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions, also decided to include New Zealand-based Mega.

Mega was founded by Kim Dotcom but the site bears little resemblance to his now defunct Megaupload. Perhaps most importantly, Mega was the most-scrutinized file-hosting startup ever, so every single detail simply had to be squeaky clean. As a result the site took extensive legal advice to ensure that it complies with every single facet of the law.

Nevertheless, NetNames took the decision to put Mega in its report anyway, bundling the site in with what are described as some of the market’s most dubious players. This was not received well by Mega CEO Graham Gaylard. In a TorrentFreak article he demanded a full apology from NetNames and Digital Citizens Alliance and for his company to be withdrawn from the report. Failure to do so would result in “further action”, he said.

TF asked NetNames’ David Price whether his company stood by its allegations. The response suggested that it did and no apology was forthcoming. It’s been a week since that ultimatum and as promised Mega is now making good on its threats.

“Mega’s legal counsel has written to NetNames, Digital Citizens Alliance and The Internet Technology & Innovation Foundation (ITIF) stating that the report is clearly defamatory,” Mega CEO Graham Gaylard told TorrentFreak this morning.

Given NetNames’ and Digital Citizens Alliance failure to respond, it comes as little surprise that Mega’s formalized demands now go beyond an apology and retraction.

Firstly, Mega’s legal team are now demanding the removal of the report, and all references to it, from all channels under the respondents’ control. They also demand that further circulation of the report must be discontinued and no additional references to it should be made in public.

That’s a tough one. NetNames’ effort is currently the most-circulated report in the ‘piracy’ space and TorrentFreak is also informed that the paper is set to become the supporting documentation to Hollywood and the labels’ follow-the-money anti-piracy drive.

Mega are also demanding a list of everyone who has had a copy of the report made available to them along with details of all locations where the report has been published. Again, that will be an interesting one to see Mega’s targets fulfill.

Finally, Mega is demanding a full public apology “to its satisfaction” to be published on the homepages of the respondents’ websites. What form that could take without discrediting the rest of the report is probably up for negotiation, but having Mega in there at all was bound to be a controversial and potentially damaging move.

Mega has given the companies seven days to comply with the above requests. No official line has been provided as to what will happen if Mega is met with a refusal, but it seems that the company is serious about protecting its reputation and will do whatever it takes to do that.

It’s perhaps of note that to our knowledge none of the other sites listed in the report have come out publicly to protest their inclusion in it. That’s not to say that some weren’t wrongfully included of course, but when a company like Mega stands up in order to protect its brand that should set off alarm bells.

Do ‘pirate’ sites with “shadowy” business models ever bother to publicly defend their reputations unless they’re the ones being hauled into court?

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Titled “Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions,” the report attempts to detail the activities of some of the world’s most-visited hosting sites.

While it’s certainly an interesting read, the NetNames study provides a few surprises, not least the decision to include New Zealand-based cloud storage site Mega.co.nz. There can be no doubt that there are domains of dubious standing detailed in the report, but the inclusion of Mega stands out as especially odd.

Mega was without doubt the most-scrutinized file-hosting startup in history and as a result has had to comply fully with every detail of the law. And, unlike some of the other sites listed in the report, Mega isn’t hiding away behind shell companies and other obfuscation methods. It also complies fully with all takedown requests, to the point that it even took down its founder’s music, albeit following an erroneous request.

With these thoughts in mind, TorrentFreak alerted Mega to the report and asked how its inclusion amid the terminology used has been received at the company.

Grossly untrue and highly defamatory

“We consider the report grossly untrue and highly defamatory of Mega,” says Mega CEO Graham Gaylard.

“Mega is a privacy company that provides end-to-end encrypted cloud storage controlled by the customer. Mega totally refutes that it is a cyberlocker business as that term is defined and discussed in the report prepared by NetNames for the Digital Citizens Alliance.”

Gaylard also strongly refutes the implication in the report that as a “cyberlocker”, Mega is engaged in activities often associated with such sites.

“Mega is not a haven for piracy, does not distribute malware, and definitely does not engage in illegal activities,” Gaylard says. “Mega is running a legitimate business alongside other cloud storage providers in a highly competitive market.”

The Mega CEO told us that one of the perplexing things about the report is that none of the criteria set out by the report for “shadowy” sites is satisfied by Mega, yet the decision was still taken to include it.

Infringing content and best practices

One of the key issues is, of course, the existence of infringing content. All user-uploaded sites suffer from that problem, from YouTube to Facebook to Mega and thousands of sites in between. But, as Gaylard points out, it’s the way those sites handle the issue that counts.

“We are vigorous in complying with best practice legal take-down policies and do so very quickly. The reality though is that we receive a very low number of take-down requests because our aim is to have people use our services for privacy and security, not for sharing infringing content,” he explains.

“Mega acts very quickly to process any take-down requests in accordance with its Terms of Service and consistent with the requirements of the USA Digital Millennium Copyright Act (DMCA) process, the European Union Directive 2000/31/EC and New Zealand’s Copyright Act process. Mega operates with a very low rate of take-down requests; less than 0.1% of all files Mega stores.”

Affiliate schemes that encourage piracy

One of the other “rogue site” characteristics as outlined in the report is the existence of affiliate schemes designed to incentivize the uploading and sharing of infringing content. In respect of Mega, Gaylard rejects that assertion entirely.

“Mega’s affiliate program does not reward uploaders. There is no revenue sharing or credit for downloads or Pro purchases made by downloaders. The affiliate code cannot be embedded in a download link. It is designed to reward genuine referrers and the developers of apps who make our cloud storage platform more attractive,” he notes.

The PayPal factor

As detailed in many earlier reports (1,2,3), over the past few years PayPal has worked hard to seriously cut down on the business it conducts with companies in the file-sharing space.

Companies, Mega included, now have to obtain pre-approval from the payment processor in order to use its services. The suggestion in the report is that large “shadowy” sites aren’t able to use PayPal due to its strict acceptance criteria. Mega, however, has a good relationship with PayPal.

“Mega has been accepted by PayPal because we were able to show that we are a legitimate cloud storage site. Mega has a productive and respected relationship with PayPal, demonstrating the validity of Mega’s business,” Gaylard says.

Public apology and retraction – or else

Gaylard says that these are just some of the points that Mega finds unacceptable in the report. The CEO adds that at no point was the company contacted by NetNames or Digital Citizens Alliance for its input.

“It is unacceptable and disappointing that supposedly reputable organizations such as Digital Citizens and NetNames should see fit to attack Mega when it provides the user end to end encryption, security and privacy. They should be promoting efforts to make the Internet a safer and more trusted place. Protecting people’s privacy. That is Mega’s mission,” Gaylard says.

“We are requesting that Digital Citizens Alliance withdraw Mega from that report entirely and issue a public apology. If they do not then we will take further action,” he concludes.

TorrentFreak asked NetNames to comment on Mega’s displeasure and asked the company if it stands by its assertion that Mega is a “shadowy” cyberlocker. We received a response (although not directly to our questions) from David Price, NetNames’ head of piracy analysis.

“The NetNames report into cyberlocker operation is based on information taken from the websites of the thirty cyberlockers used for the research and our own investigation of this area, based on more than a decade of experience producing respected analysis exploring digital piracy and online distribution,” Price said.

That doesn’t sound like a retraction or an apology, so this developing dispute may have a way to go.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

In the wake of the NSA scandal the usefulness of encryption has really come to the forefront and MEGA is now placed to release encrypted messaging and email services utilizing similar technology. However, the company’s claims also mean that it becomes a target for those seeking to point out potential weaknesses in its system.

A few hours ago a software developer called Michael Koziarski released a new tool which he claims highlights a fundamental issue with the encryption mechanism implemented by Mega.

The software, known as MEGApwn, is a Javascript bookmarklet that runs in a web browser. Once a user is logged into MEGA it claims to reveal that user’s MEGA master key. Koziarski says that this proves that the master key itself is not encrypted and that anyone with access to a MEGA user’s computer can access it.

However, this is not the most controversial claim. Koziarski says that MEGA itself is able to grab a key and use it to access a user’s files.

“Your web browser trusts whatever it receives from MEGA, which means they can grab your master key whenever you visit their site and then use it to decrypt and read your files. You’d never know,” Koziarski explains.

The revelations provoked an exchange with MEGA programmer Bram Van der Kolk, who questioned how MEGA would stop anyone gaining access to a user’s computer.

“You seriously want MEGA to protect users against this?” he said.

“No, I want users to understand just how easily you could read all their files if you wanted to,” Koziarski responded.

“You mean how easily the user himself can read his own files. How exactly can an external attacker take advantage of this?” der Kolk questioned.

“So you agree MEGA is only secure against external attackers, that you can read my files if you wanted to?” Koziarski fired back.

“Are you seriously suggesting that we will serve trojaned JavaScript? Install one of our browser extensions and turn off auto-updates,” der Kolk countered.

To try and get a clearer idea of how serious (or not) this issue is, TorrentFreak contacted both MEGA and Koziarski for comment on the new tool. We are yet to receive a response but in the meantime the latter is suggesting that while any site uses Javascript for security, the highlighted problem cannot be overcome.

“Does this code hack or break into MEGA? No, it simply demonstrates one of the many serious and insoluble problems you face when doing cryptography in Javascript web applications. There are many other problems like this which is why numerous respected cryptographers have warned against doing this for years,” he concludes.

Update: Both MEGA and Koziarski are preparing answers to our questions so those will be published here as soon as we have them.

Update 2: Comments from Michael Koziarski

I made the tool because I’d noticed that people fell into one of two camps when it came to MEGA’s encryption. If they knew about the limitations of in-browser JavaScript cryptography, they understood that MEGA’s cryptography could easily be bypassed by MEGA or anyone else with access to their web servers. But users who didn’t know anything about cryptography seemed to think that there was something amazingly secure about MEGA.

It’s important people understand that.

Update 3: Comments from Bram Van der Kolk of MEGA

We would like to thank a high-profile member of the MEGA community for highlighting two of the potential security risks associated with using computers in general and JavaScript-based cryptography in particular. All of these issues have been covered in our FAQ from the start, but we would like to use the opportunity and reiterate them here in case you have missed that:

It is a common misperception that JavaScript is inherently insecure and that native machine code is a much better choice for cryptography. While it is true that full access to the host machine’s features allows for some additional degree of security (such as preventing keys from being sent to swap space), malicious JavaScript executing in your browser’s sandbox (assuming, of course, that no known browser vulnerabilities exist — an admittedly rather weak assumption) at least cannot take over your entire user account or, if you work as root/Administrator, system!

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.