Help: FBI criminally charged me with $6MM loss for hotlinking. I didn't do it

41 点作者 your_username大约 3 年前

Throwaway for obvious reasons.I’ll try to be as concise as possible. Some details have been changed to protect myself.I used to operate a website that hotlinked to an asset from $company’s S3 bucket. When $company was made aware of my doing from the FBI, the FBI asked them to calculate the loss amount. They did this by looking at IPs that hit the bucket over a span of 1 month, and the IPs that logged into $company’s service. The number of IPs that they didn’t recognize (about 25,000), multiplied by some multiplier, came out to about $6MM.The problem: I know how many people I had on my website that hit that asset. It was in the hundreds, not the thousands, definitely not tens of thousands. I know this because my site required a subscription and I know how many subscribers I had. There were (and still are!) hundreds of sites that hotlink to $company’s S3 bucket today, causing them loss, that are free and easily accessible. I can show this.When I told my lawyer that this couldn’t possibly have been calculated correctly, he said that I’m pretty SOL in arguing this loss amount. He’s not technical so I don’t know if he really understands. Regardless, I’m in the process of discharging him because he’s failed me multiple times in this case so far.This reeks of all sorts of wrong. $company is an organization known to probably 95% of HNers, they’re a technical organization, and they could not have possibly made the calculation in good faith.If anyone has any advice, I’d appreciate it. I’ll be checking this thread closely, but I can also be reached by email at hotlinking@protonmail[.]com.

15 条评论

smoyer大约 3 年前

First, I understand your technical arguments above (but IANAL.) Find a technical lawyer who understands that your logs and/or subscribers list sets a hard limit to the damage you might have caused. I'm a bit curious about why you're being charged at all if the S3 bucket was publicly available - there are easy ways for the company to secure their bucket if they choose (one example - <a href="https://www.msp360.com/resources/blog/how-to-prevent-hotlinking-of-imaged-hosted-on-amazon-s3/" rel="nofollow">https://www.msp360.com/resources/blog/how-to-prevent-hotlink...</a>).You're headline states that you didn't do it but your descriptions admits you did, but maybe not all of it. You need to be completely honest with this. The journalist in Missouri who identified teachers SSNs on the state's web-site was in a similar situation and, while he's ultimately not going to be charged, his legal fees are hefty.

评论 #30589754 未加载

otterley大约 3 年前

IAAL, but am not providing legal advice here.If this is a criminal case (I assume it is, given the FBI's involvement), the presiding judge has pretty wide discretion to set the terms of the punishment for a conviction, subject to the specific penalties imposed by law and federal sentencing guidelines. Unlike in a civil case, monetary penalties are intended to be punitive, not restorative. The best your attorney can do is make the case as best as they can and plea bargain with the AUSA to get the penalty as low as possible; and failing that, beg the court for mercy, and be thankful if you manage not to go to prison.You can also plead innocence, go to trial, and hopefully avoid conviction altogether.(BTW, this post can be admitted into evidence if it comes to the AUSA's attention.)

Canada大约 3 年前

Why are you facing any liability whatsoever for linking to public resources?If the owner of that S3 bucket is facing losses from serving files to the public, why don't they revoke public access? S3 prints big warnings that you are making things public, so it's unreasonable for a company to claim "We didn't mean to make this public"What was in the bucket? In any case, sounds like you need a better lawyer, I don't see how HN can help you without you going public and telling the whole story.

评论 #30592566 未加载

评论 #30590966 未加载

评论 #30594220 未加载

replygirl大约 3 年前

IANAL but it sounds like the fact that you offered a subscription service for access to $company's asset puts you in more trouble. you may have only gotten x dollars from your subscribers, but it's hard to dispute that you intended to extract y dollars in potential lifetime revenue from those 25k monthly visitors, especially if your revenue growth hasn't been trending negative. it's arguable those free sites didn't cause $company any loss, as those people may not have been interested in the asset had they had to pay for it, but if someone pays you instead of the owner of the IP...

faangiq大约 3 年前

This sucks and shouldn’t be a crime. But the iron fist of Uncle Sam has struck and you’re screwed basically. Try to get a very good lawyer, I’d focus your efforts on that.

vgeek大约 3 年前

As little as 10 years ago, the most common solution to hotlinking was swapping out the hotlinked images with something different/offensive to shoo away the hotlinker. Or various anti-hotlinking scripts. Or maybe even check request headers against your own domain at the server level. Now the solution is a 7 figure cry of foul enforced by the FBI? Was the offense more egregious and involved hotlinking of novel IP, leading to more aggressive enforcement?

评论 #30595130 未加载

rosndo大约 3 年前

This story doesn’t really make sense. What would you risk by truthfully telling us what company and what kind of assets you’re talking about?You shouldn’t be having this conversation with the FBI anyway, these details are figured out in courts.

评论 #30591465 未加载

ffhhj大约 3 年前

> Instead of communicating a copy of the image, Google provides HTML instructions that direct a user’s browser to a website publisher’s computer that stores the full-size photographic image.<a href="https://en.m.wikipedia.org/wiki/Inline_linking" rel="nofollow">https://en.m.wikipedia.org/wiki/Inline_linking</a>It seems Google saved its butt with that explanation. Can you do the same?

评论 #30595229 未加载

psygnisfive大约 3 年前

Contact the Electronic Frontier Foundation. This is literally what they do. I don't know if they'll take up the case, but talk to them.

评论 #30596319 未加载

giantg2大约 3 年前

"he said that I’m pretty SOL in arguing this loss amount."That's how I see it. The government has obscene resources and power to prosecute you. Even if you win, you'll likely be screwed with the cost to defend. The law generally favors the victim and in many cases judges seem to accept any amount that can explained, even if it's not fair.

nextlevelwizard大约 3 年前

Murica is pretty fucked up country if you can get sued for linking to a public resource on the web.

评论 #30592288 未加载

segmondy大约 3 年前

Why will the FBI just randomly tell a company you linked to their site? There's more to this, but get a better lawyer, and the FBI won't be the one to calculate/charge you. Sorry, but your story doesn't add up.

spansoa大约 3 年前

Aren't cases like this a rare exception and you're let away with a slap on the wrist by Amazon and they will look the other way? If you keep doing it, you will have to cough up the funds, so just learn from the lesson?

ss108大约 3 年前

You shouldn't be posting on here, you should be looking for another lawyer.Sounds like you have a good argument to lower the restitution you'd owe if convicted. Great. But a) ideally you're not convicted; b) somone has to take your argument and prove it in courtYou need a solid lawyer. That is it.

jrc2022大约 3 年前

This is not legal advice. IANAL.Please seek better legal representation.There's legislated protection for you and also already US case law as precedent.

评论 #30594900 未加载