Web “security” provider Sucuri helps online pirates cloak criminal activities

As piracy has evolved and enforcement efforts increase, pirate entrepreneurs have been forced to set up shop in far offshore to avoid the long arm of U.S. law. What’s troubling is how U.S. companies help them evade the law by providing cover for their illegal piracy business while at the same time pocketing their own dirty profits in the process. 

I previously wrote about U.S. based Cloudflare and its link to piracy websites. Unfortunately, Cloudflare is not alone in assisting online pirates.

Follow along as I take an obstacle course–the type creators face every day trying to protect their work–to see the way U.S. companies–in this case GoDaddy owned Sucuri–help criminals cloak their activities and keep their illegal sites operating smoothly.

Start the hunt with Google Search

While Google claims to have cleaned up its act, the reality is that with a single search I quickly found a website featuring a cache of pirated movies.  It wasn’t difficult.

No surprise, the 2nd Google result led directly to a site offering a cornucopia of pirated popular lesbian-themed films and television shows, both Hollywood and indie fare.

I chose an indie feature and with a click began my journey through the maze to uncover where the stream for the stolen movie was actually hosted.

Finding the actual source code is a huge pain….I was forced to click through a series of popup ads–after all, that’s how these online pirates make money. Finally, I used Firefox’s web developer tools to scan through the source code as the movie streamed and eventually uncovered the pirate link I was looking for.

When I clicked that link, I ended up at the actual full stream for the film.

You find the source. Now what?

Turns out the file is hosted on site called “gounlimited.to” but isn’t much help. As I discovered, and Torrent Freak has previously noted, this particular pirate website brags that it ignores the DMCA. and uses that fact as a selling point.  Per Torrent Freak, this isn’t the operators only rodeo either, “Faced with a lack of stable ‘takedown resistant’ hosting providers to stream videos from, Bader decided to start one of his own, GO Unlimited.”

Of course, like all piracy sites, this operation is in the business of making money off stolen goods so its content is populated thanks to minions worldwide enticed by a cash rewards with payouts based on the number of eyeballs each illegal upload attracts.  It’s the typical cyberlocker scenario.  For the record, I will also be contacting PayPal to ask why they remain affiliated with this criminal operation, but I digress….

Since Go Unlimited brags about ignoring the DMCA and offers no contact information, the next step is to investigate registrar and host. The .to domain is popular among shady sites for a reason and information isn’t listed in the typical WHOIS database. The .to domain offers its own search, but offers little in the way of actual information.  The registrar cares little about criminal enterprises.

What next? Turns out a U.S. based company, GoDaddy’s Sucuri is listed as the IP provider. Sucuri does business with a pirate website, but explains that its not responsible in its disclaimer (poor spelling aside) this way:

The Sucuri Firewall is a passthrough proxy WAF & CDN service. Sites using our service will point their DNS records at Sucuri IP’s, but all content is actualy (sic) hosted outside of the Sucuri network.

The excuse that they don’t “host” the content is a bit weak considering that the pirated data does flow through Securi servers on their way to the end user. Essentially the excuse goes like this, “We only provide the ingredients used to bake the cake, not the finished cake.” Pretty lame excuse. While perhaps legal, it certainly doesn’t seem moral. The question is, WHY do we allow U.S. companies to do business with sites that ignore U.S. copyright law?

In a further insult, Sucuri lists publisher Harper Collins as one of its customers. Ironic that Sucuri PR folks see no conflict of interest in servicing a piracy operator aside one of its potential victims.  (Note book publishers and authors are suffering mightily due to e-book piracy).

So what’s the solution? Once again the DMCA needs to be updated for the 21st century. I’ve written about this issue extensively in the past, and you can read those thoughts here.  Clearly, third parties who are knowingly complicit providing infrastructure for criminal enterprises need to be held to greater account when a client ignores the law. 

Once again a possible path forward can be found by looking at the European Union.  Last month a court in Italy ruled against Cloudflare, ordering the company to cease doing business with an illicit website.

The courts used the EU’s Electronic Commerce Directive 2000/31/EC,   to justify its judgement against Cloudflare.  The law cited provides a legal “framework” for electronic commerce.  It’s time for U.S. lawmakers to enact similar safeguards for U.S. creators.  Participating as a for profit player in the piracy ecosystem should not be a legal business model in the United States.