What’s Behind The Unusual DMCA Notices From “Crowdstrike”?

[updated as of August 19, 2024]

As systems began to reboot in the week following the catastrophic July 19 CrowdStrike software update — which brought down airplanes, emergency hotlines, and millions of computers around the globe — three strange copyright takedown notices quietly landed in Lumen’s database. Each alleged copyright infringement against a different cybersecurity firm, each attempted to get that firm’s site removed from Google’s search results, and all purportedly came from the same source: CrowdStrike.

These notices raise potentially troubling questions: Why would CrowdStrike take the time to send a few copyright complaints — generic, sloppy ones at that — in the immediate aftermath of a global cyber-catastrophe? And if CrowdStrike wasn’t responsible, who sent the notices, and why?

Besides their purported origin, something else that makes these notices odd is that they include no description of what was copied. Section 512(c)3 — the piece of US law defining the copyright takedown notice process — requires “identification of the copyrighted work claimed to have been infringed.” This makes sense: if Stephen King complained that someone’s website copied part of his novel, you’d need to know which novel before you could fix the issue or respond appropriately.

The notices in question each allege copyright infringement at a URL belonging to a different cybersecurity company: one URL from Equate Group, one from Trend Micro, and one from Huntress. Only the Trend Micro page has anything to do with CrowdStrike, but it is simply comparing the services of the two companies, with no obvious copyright infringement. And since the notices don’t specify what was copied, it’s unclear what, if anything, these sites allegedly copied from CrowdStrike.

Other reporting suggests that CrowdStrike may have been erroneously using DMCA takedowns to handle trademark violations — a different process entirely. Last week, Ars Technica reported that a company acting on behalf of CrowdStrike had attempted to get Cloudflare to stop hosting a parody site called “ClownStrike,” presumably because of the parody’s use of the CrowdStrike logo (a trademarked work).

In a statement to Ars Technica, CrowdStrike acknowledged they had issued over 500 takedown notices after the outage, though they claimed parody sites were “not the target.” According to them, the notices aimed to “protect customers and the industry from phishing sites and malicious activity.” So perhaps the Huntress, Trend Micro, and Equate Group sites were using CrowdStrike’s logo and have since removed it. But those legitimate competitors — Huntress was recently valued at over $1.5 billion — hardly qualify as phishing sites, making the decision to send copyright takedown notices to deindex their URLs all the more perplexing, especially since these were DMCA notices, which cannot be used to bring trademark claims.

Google does not seem to have de-indexed the sites as of this writing based on conducting test searches, but it is difficult to know for sure. (Google's Transparency Report covers only "requests to delist content from Search results that may infringe on copyright.")

The question remains: who actually sent the notices? The listed sender is CrowdStrike, but this could just as easily be someone posing as the company. (The DMCA process does not include any verification steps, and while 512(c)(3)(vi) does require a DMCA notice to include “a statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner,” enforcement of this is nearly impossible. Even if someone were posing as CrowdStrike, it would be hard to identify or stop them — successful prosecutions for perjury in this context are extremely rare.)

So perhaps CrowdStrike (or a company acting on their behalf?) was trying to stop websites from using its trademarked logo, and improperly and mistakenly (or hopefully) sent copyright notices instead. Or CrowdStrike was scrambling to stop customers from going to their competitors, using whatever means possible.

Or perhaps it was someone trying to make CrowdStrike look bad, or someone trying to get those URLs de-indexed and masquerading as CrowdStrike because of its recent fiasco. With the minimal detail in these notices, there’s really no way to know. Either way, the DMCA takedown process, in large part because of the scale and ease with which it is possible to send a notice, continues to have ample potential for errors and abuse.

[EDIT: This piece was updated on August 19, 2024 to include the detail that Google's Transparency Report covers notices sent regarding content in Google Search, but not for DMCA notices sent with respect to other Google products, such as Google Ads.]