This morning, I awoke to find an email from Copytrack in my inbox.
If that name sounds vaguely familiar, it's because they made a bit of a name for themselves as a copyright troll in the early 2020s (including by trying to enforce "rights" on a photo of a postcard from the 1900s and threatening a White House reporter with legal action over his own photos).
Although their name has come up less frequently since then, Copytrack didn't stop operating and were, apparently, investigated by the Italian Competition and Market Authority last year.
The way that Copytrack works is:
- Someone signs up for their services (it's even free!)
- That person uploads images that they want Copytrack to "enforce" rights on
- Copytrack performs reverse image searches to identify usage
- The user marks usage as "legal" or "illegal"
- Copytrack contacts those who've used it, seeking proof of license or settlement
- Copytrack take a 45% commission
You'll notice that there seems to be quite an important step missing: Copytrack do not appear to independently check whether the user's claim is valid (or whether the use might be permissible), outsourcing that effort and stress onto the poor schmucks at the other end.
More than a few of those claiming to have been affected over the years had done the right thing by paying for images on stock photo sites, only to be targeted years later. Anecdotally, it sounds like they're prone to targeting smaller operations and individuals (i.e. those less likely to have the resources and appetite for a fight).
Copytrack's email was quite strongly worded, but looking into it quickly raised concerns about the veracity of their claims.
In fact, the more that I looked into Copytrack the shoddier things seemed to be. So, I thought "fuck 'em" and decided to play around to see just how robust their offering actually is.
In this post, I'll start by discussing the issues with their claim and then I'll move on to talking about what creating a claim on their system as a purported copyright holder looks like.
Their Claim
The claim email is quite long, so I'll just quote the relevant parts (I've also added line breaks as some of their paragraphs are fairly dense)
We, COPYTRACK, are writing to you on behalf of our client CONCEPT-PRODUCTION, who has assigned us the monitoring and protection of their licenses and image rights.
On April 25, 2025 we have been informed that recipebook bentasker is likely using an image without permission and the client has exclusively commissioned us with the clarification, administration of the image rights for the territory of the Federal Republic of Germany and, if necessary, the enforcement of any copyright infringement through our partner lawyers.
Images are protected by copyright law almost worldwide and infringements are actionable under the respective national law.
Please see the attachment below for details.
It's worth noting here that the email had no attachment - if you've read some of the historic stories about them, you'll have seen that they used to attach a PDF detailing their claim. Presumably, the final sentence is a sign that they've not updated their template since then.
They insist that the email's recipient is obliged to do the legwork for them:
Please note that you are obliged to provide the necessary information about the usage of the image to allow our client and us to verify the lawfulness of such usage.
This, frankly, is bollocks: You are not actually obliged to do anything, however if you don't they're going to keep nagging and might even instruct solicitors (sounds quite a lot like TV Licensing under Crapita).
The strong wording seems to be designed to help push people into panicking and blindly complying.
They promise that, if proof is provided, they'll close the case off.
Show us proof of your license by uploading it or providing any other legal justification to use these images and if it is valid, we will close your case immediately;
They note that, if the usage isn't authorised, there are a couple of ways in which you can settle the complaint:

Payments are made by logging into portal.copytrack.com.
They go on to explain that the amounts requested are not random and instead that
We calculate these fees based on our client's license history, as well as the duration of use and type of rights infringement.
This does seem to mostly be true (when submitting a claim, Rightsholders are asked how much they want and then what percentage of that they consider the minimum).
To ensure a sense of urgency, a relatively tight deadline is set:
To avoid further action, including legal action, provide proof of a valid license or any other relevant information by May 19, 2025, or acquire it by making payment in our online portal.
Strong wording, monetary demands and deadlines... no wonder so many people think "scam".
The Rights Are Held By Who Exactly?
The opening paragraph of their email asserts that the rights to the image in question are held by CONCEPT-PRODUCTION.
A quick bit of searching for them, though, doesn't yield any obvious results (though there was a post warning about both Copytrack and CONCEPT-PRODUCTION).
Reverse image searching the image with CONCEPT-PRODUCTION doesn't yield any results at all.
I appear to have had the image in question since about 2019, so it wasn't immediately obvious to me where I might have acquired it from.
A reverse image search brought me to Dreamstime:

The author's name is in the bottom right of the image and is not CONCEPT-PRODUCTION.
I had a little bit of a search around, and although I found the author's profile on a number of (more modern) sites, I couldn't find anything to link that author back to the name of the org that Copytrack claimed to be acting on behalf of.
Out of curiosity, I logged into Copytrack's portal and found that it provided some information which hadn't been included in the original email:

It's not clear what "Assignment Received On" indicates: at first I assumed that it was when the image was uploaded to Copytrack, but that date falls a couple of weeks after Copytrack claim to have received a complaint.
The line that I've highlighted is more interesting though, as it provides the filename of the image that the "rightsholder" uploaded (Fotolia_7042846.jpg). This is useful because we can see that it begins with the name of a stock-image site (though Fotolia no longer really exists, having been borged by Adobe).
The number at the end of the filename appears to be an ID.
If you go to https://en.fotolia.com/Info/Images you'll be redirected to Adobe's stock image site (https://stock.adobe.com/images/).
By choosing an image and looking at the URL, we can see that the site constructs URLs using the following format
    https://stock.adobe.com/images/<meaningless slug>/<id>
This means it's possible to construct a URL which led to the original listing: https://stock.adobe.com/images/are-copytrack-taking-the-piss/7042846:

So even on (what was) Fotolia, the listed author was not the one that Copytrack claimed to be acting on behalf of.
I sent them an email which laid this out and explained that, given the inconsistencies in their claim, I didn't feel comfortable providing them with too much information
Given that your claim appears to be erroneous and, on closer inspection, seems to meet the pattern of behaviour associated with copyright trolling, I do not feel particularly comfortable providing further information.
I explained that, if they wished to proceed further, they would need to provide proof that their client actually holds the rights
Given the apparent issues with your claim, I do not feel it would be wise to release any additional details to you until and unless you are able to provide adequate proof that you are in fact representing the true copyright holder and that this is not, instead, the result of a poorly targeted dragnet operation.
I did however send them a very tightly cropped screenshot of a license to use the item in question - no point in having them hang around.
Their Setup
Beware of Scams
With my response sent, there wasn't much for me to do but grumpily toot about it. Unfortunately, in the process of doing so, I nerd-sniped myself.
At time of writing, when you visit www.copytrack.com you receive a big warning that they are aware of an active scam using a typo-squat domain:

Note the addition of a hyphen in [email protected].
You see, it seems that these self-professed experts in online rights protection failed to recognise the threat posed by typo-squatters and so did not pre-emptively acquire copy-track.com.
The result of this oversight is that there are now scammers aping Copytrack's own scam-esque behaviour. Wunderbar...
Dodgy Website Links
You would, of course, hope that recipients could still tell the difference between the "legitimate" provider and others through the sheer quality of their site.
Unfortunately, Copytrack do not seem to have invested very much effort into proof-reading their own site (under Muphry's law, I've just guaranteed myself a typo), to the extent that their own FAQs manage to include a link pointing not to a domain, but to an IP (and using plaintext HTTP at that):

Worse, the link even works, switching the user to an insecure connection.

What's particularly curious about this is that requests to the root are redirected back to HTTPS:
    GET / HTTP/1.1
    Host: 3.72.104.87
    User-Agent: curl/7.81.0
    Accept: */*

    HTTP/1.1 301 Moved Permanently
    Date: Sat, 10 May 2025 17:49:26 GMT
    Server: Apache
    X-Redirect-By: WordPress
    Location: https://www.copytrack.com/
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8
Whereas requests to non-existent paths redirect to a domain that no longer exists:
    GET /foo HTTP/1.1
    Host: 3.72.104.87
    User-Agent: curl/7.81.0
    Accept: */*

    HTTP/1.1 301 Moved Permanently
    Date: Sat, 10 May 2025 17:50:32 GMT
    Server: Apache
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    X-Redirect-By: WordPress
    Location: https://copytrack-gxzmht2vp9.live-website.com/de
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8
Paths that exist are served up:
    GET /about-us HTTP/1.1
    Host: 3.72.104.87
    User-Agent: curl/7.81.0
    Accept: */*

    HTTP/1.1 200 OK
    Date: Sat, 10 May 2025 17:54:23 GMT
    Server: Apache
    Link: <https://www.copytrack.com/wp-json/>; rel="https://api.w.org/", <https://www.copytrack.com/wp-json/wp/v2/pages/10592>; rel="alternate"; title="JSON"; type="application/json", <https://www.copytrack.com/?p=10592>; rel=shortlink
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
All in all, this has the smell of an ageing WordPress install that's not been competently maintained when moving the site between domains.
Even their privacy notice contains (mis-written) references to this IP
If you have any questions, please contact us using the form provided on the website (http://http://3.72.104.87/de/kontakt/).
Much like their email template, their privacy notice doesn't appear to have received much love over the years, with a note implying that it might not have been reviewed since 2019.
To put this into context, email recipients are being asked to part with money based solely on the word of a company whose website is being actively (and predictably) typo-squatted, is poorly maintained and has the sort of typos and mistakes that even modern phishing sites don't feature.
Signing Up For The Service
Each of the site's pages contains a call to action:

Given that Copytrack appeared to be trying to assert rights on behalf of an org who didn't appear to own those rights, I decided I'd sign up and see just how careful Copytrack actually are.
So, I signed up with (fairly obviously) fake details

Arthur Chex, geddit?
Once signed up, you're asked to detail what type of user you are:

I chose "Photo Enthuisiast"
Copytrack asks you to confirm that you are the author and/or that you have exclusive rights:

I clicked Skip to see if it would ask me again later.
I started by uploading a copy of a distinctive image that is very definitely mine:

Disappointingly, the platform doesn't immediately start generating matches. However, it turns out that it's also possible to manually submit violations:

Upon submitting, the report is validated in the background (Copytrack's website suggests that they use AI). If a report isn't considered valid (for example, the reported image is different or doesn't load), nothing happens (not so much as a notification).
If it does validate, the violation shows up in the dashboard and even suggests how much you can extor^H^H^H^H^H claim from the victim

To see what the process looks like, I hit Submit Claim.
It begins by making you provide address and bank details, so that they can pay out your gains.
Next, you're presented with a checklist requiring that you declare that you hold the rights:

The first two questions don't seem to matter, it's only the question on whether you're entitled to claim compensation which is able to block the process (being commission based, Copytrack aren't interested in handling claims where there's no chance of a payout).
So, Copytrack do technically ask whether you have the rights to the image. All the same, it's not a particularly robust check and feels very much like this:

I didn't hit submit on the claim, because it would bring CopyTrack's enforcement terms and conditions into effect and I didn't really fancy exposing my image to some of those terms.
What seems clear, though, is that there is very little to stop someone from creating a Copytrack account, uploading someone else's images and using Copytrack to launch a speculative campaign - pocketing whatever is paid by hurried and panicked webmasters.
Uploading Others' Work
In fairness, it might be quite difficult for Copytrack to assess whether a customer does or does not own the rights to an image (although, IMO, that doesn't absolve them of the responsibility to try).
What they should be able to do, is to ensure that any image in their index only has one "rightsholder" active at any one time.
So, I wanted to see whether Copytrack at least prevent multiple accounts from claiming the same image.
Knowing there was a "hit" on the image that they had emailed me about, I grabbed a fresh copy from the Adobe Stock photos and tried uploading that.
The platform didn't even bat an eyelid, so I decided to try uploading something a bit more recognisable

Despite talking a lot about their image index, Copytrack's platform doesn't appear to be set up to be able to handle even the most basic of abuse.
In fact, it turns out that Copytrack don't even prevent matching against their own site and assets

I did hit Submit claim on that one.
Information leakage
In the images above, you may have noticed that there are clickable links to the "infringing" content.
However, Copytrack's interface doesn't make use of Referrer-Policy, which means that there's potential for a bit of information leakage. The user's browser will send a Referer header, allowing us to identify requests which occurred as a result of activity in the Copytrack portal.
I headed to my access logs and searched for app.copytrack.com (the domain of their user portal):
    # grep app.copytrack.com access.log.2025042*
    access.log.20250428-0600:156.59.126.78 - - [28/Apr/2025:05:56:19 +0000] "GET /posts/dessert/chocolate-orange-sauce.html HTTP/1.1" 200 5676 "https://app.copytrack.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36" "136.158.x.x"
The IP that we care about is in the X-Forwarded-For header at the end (I've redacted the last two octets).
A quick whois shows that this is in a block operated by an ISP in the Philippines. Given the timing, it seems likely that this was someone reviewing the page on behalf of Copytrack rather than the original customer.
However, it's also possible to identify when a user is adding a "manual violation", because the portal attempts to hotlink the "infringing" image

This, of course, results in entries in access logs. But, because it uses onkeydown events, it attempts to hotlink on every keystroke, leading to requests for invalid paths:
    [10/May/2025:16:31:09 +0000] "GET /BENTEST. HTTP/1.1" 404 958 "https://app.copytrack.com/" "Mozilla/5.0,(X11; Ubuntu; Linux x86_64; rv:138.0),Gecko/20100101,Firefox/138.0" "<MY IP>"
    [10/May/2025:16:31:10 +0000] "GET /BENTEST.j HTTP/1.1" 404 958 "https://app.copytrack.com/" "Mozilla/5.0,(X11; Ubuntu; Linux x86_64; rv:138.0),Gecko/20100101,Firefox/138.0" "<MY IP>"
    [10/May/2025:16:31:10 +0000] "GET /BENTEST.jp HTTP/1.1" 404 958 "https://app.copytrack.com/" "Mozilla/5.0,(X11; Ubuntu; Linux x86_64; rv:138.0),Gecko/20100101,Firefox/138.0" "<MY IP>"
    [10/May/2025:16:31:10 +0000] "GET /BENTEST.jpg HTTP/1.1" 404 958 "https://app.copytrack.com/" "Mozilla/5.0,(X11; Ubuntu; Linux x86_64; rv:138.0),Gecko/20100101,Firefox/138.0" "<MY IP>"
The result is that Copytrack's user portal is (unnecessarily) leaking information about its customers to those that it may then go on to accuse of copyright infringement.
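The log check described above can be automated. The following is an added example, not code from the original post: it picks out requests whose Referer is the portal and separates keystroke-by-keystroke hotlink bursts (someone typing a URL into the manual-violation form) from ordinary click-throughs. The function names, the documentation-range IPs in the sample and the 5-second / 3-request thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Portal origin named in the post. The trailing slash matters: without it a
# lookalike such as https://app.copytrack.com.example.net/ would also match.
PORTAL_REFERER = "https://app.copytrack.com/"

# Combined log format plus a trailing quoted X-Forwarded-For field, the layout
# of the access-log line quoted in the post.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<xff>[^"]*)")?$'
)

# Constructed sample: paths and timestamps mirror the post's entries, the IPs
# are documentation ranges and the user agent is a placeholder.
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2025:16:31:09 +0000] "GET /BENTEST. HTTP/1.1" 404 958 "https://app.copytrack.com/" "ExampleUA/1.0" "203.0.113.20"
198.51.100.7 - - [10/May/2025:16:31:10 +0000] "GET /BENTEST.j HTTP/1.1" 404 958 "https://app.copytrack.com/" "ExampleUA/1.0" "203.0.113.20"
198.51.100.7 - - [10/May/2025:16:31:10 +0000] "GET /BENTEST.jp HTTP/1.1" 404 958 "https://app.copytrack.com/" "ExampleUA/1.0" "203.0.113.20"
198.51.100.7 - - [10/May/2025:16:31:10 +0000] "GET /BENTEST.jpg HTTP/1.1" 404 958 "https://app.copytrack.com/" "ExampleUA/1.0" "203.0.113.20"
198.51.100.7 - - [28/Apr/2025:05:56:19 +0000] "GET /posts/dessert/chocolate-orange-sauce.html HTTP/1.1" 200 5676 "https://app.copytrack.com/" "ExampleUA/1.0" "203.0.113.99"
198.51.100.7 - - [10/May/2025:16:32:00 +0000] "GET /index.html HTTP/1.1" 200 1200 "https://app.copytrack.com.example.net/" "ExampleUA/1.0" "203.0.113.50"
198.51.100.7 - - [10/May/2025:16:33:00 +0000] "GET /about.html HTTP/1.1" 200 1200 "-" "ExampleUA/1.0" "203.0.113.51"
"""


def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Behind the site's own proxy, the client is the first X-Forwarded-For entry.
    xff = rec["xff"]
    rec["client"] = xff.split(",")[0].strip() if xff and xff != "-" else rec["peer"]
    return rec


def portal_hits(lines):
    """Requests whose Referer is the portal. Referer is client-supplied, so a
    match is an indication of portal activity, not proof of it."""
    recs = (parse(line) for line in lines)
    return [r for r in recs if r and r["referer"].startswith(PORTAL_REFERER)]


def classify(hits, max_gap=timedelta(seconds=5), min_len=3):
    """Split portal hits into typing bursts and single click-throughs.

    A burst is a run of requests from one client where each path extends the
    previous one (one request per keystroke) with at most max_gap between them.
    """
    by_client = {}
    for rec in sorted(hits, key=lambda r: r["ts"]):
        by_client.setdefault(rec["client"], []).append(rec)

    bursts, singles = [], []

    def flush(run):
        if len(run) >= min_len:
            bursts.append({"client": run[0]["client"], "start": run[0]["ts"],
                           "final_path": run[-1]["path"], "requests": len(run)})
        else:
            singles.extend(run)

    for recs in by_client.values():
        run = [recs[0]]
        for rec in recs[1:]:
            prev = run[-1]
            grows = (rec["path"].startswith(prev["path"])
                     and len(rec["path"]) > len(prev["path"]))
            if grows and rec["ts"] - prev["ts"] <= max_gap:
                run.append(rec)
            else:
                flush(run)
                run = [rec]
        flush(run)
    return bursts, singles


if __name__ == "__main__":
    bursts, singles = classify(portal_hits(SAMPLE_LOG.splitlines()))
    for b in bursts:
        print(f"URL typed into portal by {b['client']}: "
              f"{b['final_path']} ({b['requests']} requests)")
    for s in singles:
        print(f"click-through from portal by {s['client']}: "
              f"{s['path']} -> {s['status']}")
```

A URL pasted into the form rather than typed produces a single request, so it is reported as a click-through rather than a burst.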
Image Formats
It seems worth saying: Copyright exists (or is supposed to exist) for the public good.
So there is an argument that, run responsibly, services like Copytrack could perhaps be beneficial and defend creative rights.
The problem, though, is that Copytrack's offering isn't actually all that good anyway.
For all their talk of advanced scanning (and using AI because, of course) they only support a handful of formats:

Any theoretical benefit brought by Copytrack's offering immediately disappears if an infringer uses any other format.
Their system also needs Support intervention to be able to handle scenarios where the embedding page and the image do not use the same domain (so www.example.com embedding cdn.example.com/foo.jpg wouldn't be caught):
- The domain of the page URL and the domain of the image URL are the same. If this is not the case, you will get an error message and you cannot proceed. You can contact us and send us both the link to the page URL and the image URL. We will check them and connect them within our system to make the manual submission possible.
With the platform having such limited capabilities, it's probably no surprise that most reports of interactions with Copytrack seem to err towards copyright trolling.
If you receive an email
If you've received an email from Copytrack it's probably not wise to ignore it: Copytrack aren't lawyers, but reports online suggest that they do sometimes instruct legal teams (and they certainly post about "wins").
At the same time, though, don't panic and rush to give them the money that they demand.
To deal with them, reply to their original email (don't use the portal, it doesn't send you a copy and only allows for limited responses).
You should
- Insist that they provide proof that their client owns the copyright in question (as we've seen above, they won't have checked in any meaningful way)
- Work out where you acquired the image - is the copyright holder the one Copytrack have listed?
- Grab proof that you licensed the image (if you can)
The odds seem to be in favour of this causing them to quickly close the case - the model relies quite heavily on scaring and bullying people into paying over the odds.
If for some reason they don't back down, at the very least, it seems that they'll often offer a reduction from the original demand.
Going forward though, make sure you keep meticulous records (along with proof) of where the images that you use are licensed from.
Personally, though, I've started the process of replacing and removing stock images: their widespread use makes them an attractive target for copyright trolls and I don't fancy spending future money on something that leaves me open to this kind of hassle.
Conclusion
There are quite a few posts on the web about Copytrack and their lacklustre record. Some of those posts refer to Copytrack as a scam, but I don't think that's entirely the right label, because they seem to be something worse.
Copyright claims come via Copytrack, but they're not generally launched by them.
Instead, Copytrack provide a platform which, through lax checks, enables others to easily conduct copyright trolling campaigns.
Unless a recipient challenges a claim, there doesn't seem to be anything to stop someone from creating a Copytrack account and laying claim to a wide assortment of other people's images.
In other words: Copytrack's platform facilitates much more widespread abuse than that achievable by a simple copyright troll. If copyright trolls are mercenaries, then Copytrack are the arms dealers.
This undesirable reputation isn't really helped by the fact that their website doesn't instil much confidence - their claim emails lean heavily on the side of "trust us because we said so" but they can't even review their Privacy Policy properly.
In comments to the media, Copytrack talk about their social good - they're fighting for the rights of photographers dontchaknow - but the limitations of their platform do seem to suggest that they're unlikely to be quite as effective as they claim.
20250520 Update
Copytrack came back last week, once again insisting that I must show them proof
Unfortunately, since we have determined that you have made use of a copyright-protected image, we must ensure that you possess the necessary authorization to make use of the image.
I responded and re-stated that I would not be providing anything further until they were able to show that they were acting on behalf of the true rightsholder:
The request is a simple one: please provide proof that you have standing - i.e. that your customer does in fact hold the rights to the image in question.
If you do that, I will be more than happy to demonstrate that I have authorisation.
If you cannot do that, then I strongly suggest you close the case because, if you try to take further action, the very first thing that I will be pointing out is that you have been unable to demonstrate the authenticity and legitimacy of your own request and instead expect me to assume that the author of an unsolicited mail is acting in good faith.
Presumably, you have the means to ask your customer to demonstrate that they hold the rights?
Unsurprisingly, having performed no apparent due diligence, they had to go back to their customer and request it.
Five days later, they replied, attaching a couple of documents.
The first was a document confirming that CONCEPT-PRODUCTION are assigning the right to enforce to Copytrack (I was expecting this as my test account received a blank one):

The other is a declaration that CONCEPT-PRODUCTION is entitled to assert claims on the image as the result of a license agreement with the author (correctly listed as Mikael Damkier):

What you'll notice though, is that both of these documents are Copytrack originated: they haven't asked their client for proof of rights, but simply asked that they sign a declaration to state that they hold the rights.
If this were some remote copyright troll, they'd likely be more than happy to sign that declaration: it's not like there could ever be any meaningful come-back so long as the claim was settled or abandoned before documents got anywhere near a court.
More research indicates that Concept-Production do appear to be a business and their homepage even notes that they use Copytrack. Ernest Dayang also has a profile on the site.
The site claims that they've existed since 2015 and whois confirms that their domain was registered around then. So, it's fairly clear that this isn't some fly-by-night organisation.
Their reviews page on Trustpilot makes fairly interesting reading, not least because they've put quite a defensive message at the top (translated from French):
VERY IMPORTANT | LEGAL STATEMENT | Protection of Intellectual Property CONCEPT-PRODUCTION would like to remind you that any infringement of intellectual property, including the unauthorized use of our visual, audiovisual, or textual content, constitutes an offense punishable by civil and criminal prosecution, in accordance with applicable national and international laws.
We reserve the right to take any necessary legal action against individuals or legal entities who have published defamatory or false opinions or who have exploited our works without prior authorization.
Furthermore, any attempt at public defamation or publication of misleading content aimed at harming our reputation may be reported to the relevant platforms as well as to the competent authorities in the author's country of residence.
Update: they mean it, too!
The reviews, unsurprisingly, show various people complaining of having been targeted despite having legitimate licenses:
We have been an Elements member for nearly 5 years and support a lot of small creators, but shady tactics from this company are now making us consider even using stock images going forward.
They are wasting a lot of our time with aggressive copyright claims for images - and unrealistic threatening demands for hundreds of pounds required in compensation.
Obviously, there's no way for me to verify the veracity of this statement, but it does seem to align with what I've described above.
This goes back to what I was saying earlier in this post: Copytrack (and their customers) are effectively outsourcing effort and cost onto the recipients, whether they're legitimate users or not.
We know that Copytrack's workflows require the customer to make a "legal/illegal" determination, yet reports seem to suggest that they are repeatedly going after people who've shown that they have a license.
These aren't the only reports, either, with another blogger (another Envato Elements user) reporting having been pursued. That blogger tracked down the original author of his image, who confirmed that they knew nothing about it:
After contacting the Romanian photographer through his website, he confirmed: He owned the photo, had never transferred rights to anyone else, and had never heard of Ernest Dayang or CONCEPT-PRODUCTION.
Copytrack's reviews on Trustpilot make similar claims:

This reviewer, clearly, is quite unhappy and uses quite strong and definitive terms.
I can't endorse that, because there's no way to definitively say whether Copytrack's customer is acting in bad faith - they could as easily be someone who doesn't understand how Copytrack works, or someone who's bought the rights (or believes they have) from some other org.
What is clear, though, is that Copytrack really aren't doing the kind of anti-abuse due-diligence that you'd hope someone in their position would (Euronews found similar after Copytrack went after them).
Although it was still not clear that the claim is legitimate, I was fed up of having Copytrack in my inbox (with their ever present instructions on how to pay), so emailed over the uncropped screenshot that they'd asked for.
We are very pleased to hear that you have a valid license.
We have checked the license that you have sent us and will now close the case.
Thank you for your cooperation.
Checking my Rightsholder account
In the meantime, Copytrack's system had been busy and populated my inbox with automated hits against my test images, including one indicating that the BBC could be misusing their own logo:

Of additional interest in that screenshot is the label provensuccess - it seems that Copytrack adds that label onto matches for domains that have paid out in the past. So, much like scammers are known to maintain lists of known-vulnerable victims, it seems that Copytrack also mark "soft" targets so that their own customers know that it's worth trying.
The result also includes an address. Some results have them, some do not. At least one result had what appears to be a home address.

It's not clear where these addresses are sourced from (I couldn't find reference to it on the linked site, and it doesn't appear in whois). However, the portal that Copytrack tries to get recipients to use to pay requests an address. Speculatively, I'd be inclined to think that some of these addresses might be sourced from there.
Either way, the inclusion of an address is entirely unnecessary (Copytrack's terms prohibit customers from contacting site owners directly - they want their cut after all - so the address does not serve any purpose that does not include a breach of service terms).
I suspect that it'd cause them some GDPR woes if it turned out that EU residents aren't excluded.
In amongst the results are hits for the chocolate image which had brought me here in the first place, so they seem to be letting me lay claim to it as well.
In fact, Copytrack's dashboard tells me that I could be looking at a 22 grand payout:

There really doesn't seem to be much, if anything, in Copytrack's product to dis-incentivise chancers.
20250607 Update
Yesterday, Ernest Dayang filed abuse complaints with some of my service providers in an attempt to get this page and/or my site taken offline.
In his complaint email, he alleged
- Defamation
- GDPR violation
- Violation of the Acceptable Usage Policy of an unrelated company
You can read about this in more detail in this followup post.
20250623 Update
Earlier in this post, I linked to a post by another blogger.
Over the weekend that blogger contacted me to ask whether I had had any contact from Ernest Dayang (which, of course, I had). As a result of me linking to their post, Mr Dayang had also targeted their site and even briefly managed to convince their DNS registrar to suspend service.
Whilst it's a little concerning that a DNS provider decided to suspend first, ask questions later, happily they seem to have concluded that the post is not problematic and have now restored service.
If you've reached this page after searching for information about Concept Production and Ernest Dayang (particularly in relation to Copytrack), you probably need to be aware that talking publicly about your experience may well result in him sending unfounded nuisance abuse complaints to your service providers.
Unfortunately, this doesn't seem to be a one-off: if we go back to Concept Production's Trustpilot Reviews we can see that this is part of a pattern of behaviour, and something that Concept Production have threatened before:
If you continue this behavior, you may face legal action, domain suspension, and host-level sanctions that extend well beyond a simple copyright dispute.
Unfortunately, it does seem that he may have a penchant for legal theatrics.


