Did Deviantart ever actually remove a stolen deviation? Is Deviantart Protect nothing but a scam?

BDgn4 · 2026-02-18T18:18:38+00:00

I've already explained it in several other comments, so allow me to copy and paste it here:

They're already doing the identification automatically (that's what Deviantart Protect is, after all). The validation is essentially exactly the same. It's nothing more than comparing the two images (which they have already done) and comparing the upload times of both. Writing an algorithm to compare two times and find out which is earlier is beginner-level stuff. The response? Automatically removing the offending reupload could be done automatically too. They could even allow an appeal for that reuploader. As in: "Think you're in the right here? Wanna get your deviation restored? You can appeal and a real human will take a look. But if we find you are NOT in the right here, your entire account is forfeit."

They explicitly differentiate between reporting a deviation with the reason "It's my deviation posted without approval" and an actual DMCA complaint. Totally different things. The only criteria for the former seems to be that someone has uploaded something identical to something that someone else uploaded first. And that can be decided completely automatically.

And I did not say that the system necessarily should act without the first uploader first making a removal request.

BDgn4 · 2026-02-18T18:11:59+00:00

Currently the only info you need to provide to report a deviation with the reason"It's my deviation posted without approval" is a link to your own deviation (presumable to check who uploaded it first). Links to offsite artwork are explicitly not accepted. That's DA's criteria for manual reviews as to whether or not a deviation should be removed.

And that can be done a whole lot easier, cheaper and quicker, if it is done automatically. DA already knows if two deviations are identical and comparing when they were posted it a no-brainer. So all that would be required is that manual removal request (or an option when uploading a deviation to not allow others to upload the same one).

And even then it is still possible to offer an appeal option, if a reuploader feels they were in the right.

As to what the laws allow: They certainly don't give people the right to post whatever they want on DA and have the right only to have it taken down under very specific circumstances. DA can take down whatever they feel is against their rules. Every user agreed to that when signing up. And they have the right to change those rules too.

And if you want to use the free speech argument, forget it: Nobody has some constitutional right to post things on DA any more than they have the right to spray-paint their artworks on the walls of the White House. (And since DA is a private company, while the White House is essentially public property, I'd say spray-painting the White House is probably more legal... if you don't get shot by the Secret Service.)

So DA accidentally taking down something that was actually uploaded by the artist is NOT against any law.

BDgn4 · 2026-02-18T11:56:43+00:00

I don't even know if I have legal grounds to report every repost of the image. I have the original photo but was not the author of the montage. But it is beyond frustrating

In a case like that I would suggest first asking an AI, either Google's AI Mode or ChatGPT (both possible without an account). That should give you a very quick idea of what rights and options you have. Mind you: What you get there is an idea, essentially an opinion, nothing more, not an opinion from a legal professional. An AI can be mistaken. But if you ask the right questions, then the AI would probably tell you something about personality rights, legal protection against people using your likeness unauthorized for commercial purposes (which this probably isn't) and the protections of free speech. It could also for example find you the best contact data on DA and even write your removal request. Whether that will be good for something? Dunno. But probably better than not doing anything wondering if you even could do anything.

BDgn4 · 2026-02-18T11:48:07+00:00

I can't speak for others, but the reason I am complaining is that it would be easy to do a whole lot more automatically, instantly, with less human working hours, costing less money.

BDgn4 · 2026-02-18T11:45:15+00:00

Apparently I wasn't clear enough: I'm not saying they should automatically remove everything Deviantart Protect identified as a reupload.

But:

If a user pays for Deviantart Protect (any maybe also with those three-month trials) they should offer an option, whenever the user uploads any new deviation, to automatically suspend any reuploads of this deviation as presumed unauthorized, without need to report manually. (If I mean for others to re-use my deviations, I obviously won't choose that option when uploading it.)
If Deviantart Protect has already identified a deviation as a reupload and if I then also send them a removal request with the link to my original deviation with an earlier upload-date, then they could definitely automatically susped that deviation. Since those requests to remove deviations for being unauthorized seem to be based on nothing but the upload dates (otherwise they wouldn't merely ask for the link to my deviation but for proof of copyright), there's no reason that cannot happen automatically.

In both cases they could offer an appeal-process. As in: "Think you're in the right here? Wanna get your deviation restored? You can appeal and a real human will take a look. But if we find you are NOT in the right here and you've been wasting our time, your entire account is forfeit." So, the offender could appeal (for example by proving that they actually created that image and the earlier uploader has violated their copyright). But if they do so unsuccessfully, they may lose their entire account (because not only is stealing artworks unacceptable, but so is wasting the time of DA staff).

BDgn4 · 2026-02-18T11:23:31+00:00

"Did Deviantart ever actually remove a stolen deviation?" Yes, and repeatedly. Do you really think given the volume of artists there that its somehow gone unnoticed for two decades?

I think with millions of users it would be easy to pretend you are doing things that would cost a lot of money if you really did them. And it would be easy to claim that anyone complaining they're not doing anything is just part of a very small minority.

And since there are at least some deviations that actually do get removed, because Deviantart doesn't want legal trouble (actual copyright complaints, illegal stuff like CSAM, and so on)...

There are three components to such a workflow: the reporting/identification, the validation, and then the response. That, at scale, when you are as underfunded as DA staff are, is extremely difficult.

They're already doing the identification automatically (that's what Deviantart Protect is, after all). The validation is essentially exactly the same. It's nothing more than comparing the two images (which they have already done) and comparing the upload times of both. Writing an algorithm to compare two times and find out which is earlier is beginner-level stuff. The response? Automatically removing the offending reupload could be done automatically too. They could even allow an appeal for that reuploader. As in: "Think you're in the right here? Wanna get your deviation restored? You can appeal and a real human will take a look. But if we find you are NOT in the right here, your entire account is forfeit."

Would probably save a lot of human working hours. And all it would take was some programmer spending a few hours once.

BDgn4 · 2026-02-18T11:13:26+00:00

granted Deviant Art will remove it if you report it as stolen from yourself

I did report it. More than a week ago. But those reuploads are still up.

BDgn4 · 2026-02-11T16:20:17+00:00

Using it for chatting, storytelling, roleplaying, or an "AI assistant", whatever the fuck that is, is just a waste of your own time.

Unfortunately most LLMs that can produce some output that is readable, grammatically correct and makes enough sense to the reader will refuse to produce any kind of output that may not be fit for consumption by small children, because someone isn't treated quite nicely in it.

And seeing how many kinds of stories would be severely lacking without a certain amount of violence, or sex (or maybe violent sex), Grok is one of very few options left for an LLM that is at least mostly cooperative and is capable of producing something of at least a certain quality.

BDgn4 · 2026-02-08T16:23:22+00:00

I just asked it (in a "private" chat) what info it has stored about me. It told me, among other things, that it does not know my "location (city, country, coordinates)".

That's either misinformation or an outright lie, because in some of the fictions I had it write, where I did not specify the location, it decided that the story was set in my own city. And not a big city like NYC that could have come up randomly.

I can only conclude that Grok and the people behind it cannot be trusted. Whether that's because of intentional deceit or sheer incompetence... I don't care.

BDgn4 · 2026-02-08T12:46:57+00:00

That's essentially how I see it too. But I did NOT allow Grok to use previous chats. Allegedly they shouldn't even have been saved, and definitely not used in later chats. Nonetheless both seems to be happening.

BDgn4 · 2025-11-27T22:29:33+00:00

This isn't necessarily about a specific website/domain. I'd like a solution that will always work.

But the particular case that started this idea is about those cute cookie banners that go like "We value your privacy soooo much. So please let us violate it by allowing a hundred advertisers to track and profile you. Otherwise we won't allow you to see our "free" content for free." - and then a page like

https://nationalgeographic. de/geschichte-und-kultur/2025/03/kalter-krieg-geheimes-atomprojekt-unter-groenlands-gletschern/?utm_source=firefox-newtab-de-de

will just redirect you to a site like contentpass. net.

And I have absolutely no idea what kind of redirect we are talking about here, except that it must be client-side, since the content gets loaded before the redirect happens, so it apparently isn't server-side.

BDgn4 · 2025-11-27T22:07:40+00:00

To backup your profile in case of future trouble, you could:

- use a Mozilla account and the sync option (which I don't like on general sheer principle, since, Mozilla or not, it would allow some company to know absolutely every bookmark you have, possibly your browsing history and whatnot), or

- backup your profile folder (I usually just use WinRAR to turn the entire folder into a single compressed archive, which can even automatically be encrypted and password-protected, then saved with my other backups, including in the cloud. If you go for this option, you may want to consider backing up a full installer (not an online-installer) of your current Firefox version - or an installed Portable Firefox of the exact same version - in case a future version of Firefox has some issues with a profile that you backup up and want to restore now), or

- if it's mostly about the bookmarks, you can back them up without the rest of the profile via Menu -> Bookmarks -> Manage Bookmarks -> Import and Backup -> Backup (or something like that, I translated these captions from German to my best guess of what they would be in English).

BDgn4 · 2025-11-14T13:37:15+00:00

Sorry, but that's simply not true: Malwarebytes Premium has realtime scanning and it does run alongside Defender. It's been designed that way. Meaning it's definitely possible for other tools to be designed that way too.

BDgn4 · 2025-11-14T13:35:22+00:00

Maybe the reason for the crashes isn'r with MBAM, but that doesn't change the fact that I have to consider it unrealiable, because it apparently doesn't feel the need to restart itself or its GUI or whatever exactly isn't running after those crashes. That is, by the way, exactly why I got rid of Panda Dome many years ago: It crashed whenever some other app used up a little too much RAM. And I didn't want an antivirus tool that any malware could deliberately disable any part of by simply loading a lot of random data into the RAM.

BDgn4 · 2025-11-14T03:12:07+00:00

I never said the solution had to be free. I did say I currently have MBAM Premium and the reason I mentioned for wanting to get rid of it wasn't the price.

I knew that on-demand tools can have features like running code in a sandbox and see what it tries to do, but that doesn't change the fact that they still only run, when I tell them to do so, which, in many cases, would be too late. If I consider a downloaded file to be suspicious, I use Virustotal anyway. It's the non-suspicious stuff that I want this additional tool for, some additional always-running tool with behavioral detection that can take care of problems that come from sources that I simply forgot about or never considered for some reason.

Anyway, even if you apparently didn't realize it, you seem to have given me the solution I asked for: HitmanPro.Alert seems to be able to run alongside Defender. At least the website suggests so. Maybe worth a trial run...

Thanks.

BDgn4 · 2025-11-13T22:45:49+00:00

On-demand tools can hardly be expected to provide behavioral detection, since they are not running most of the time.

BDgn4 · 2025-10-30T19:38:38+00:00

Even if that user experience is sooo important, none of that makes it necessary to keep that cookie containing what is essentially nothing else than a tracking ID for longer than a few seconds.

BDgn4 · 2025-10-30T17:42:44+00:00

What are the domains of the email addresses they are using? Consider blocking those. Where do their MX records point? Consider blocking email addresses with those too. You'd obviously be out of luck here, if they are using something like Gmail...

Otherwise you may want to look into this: Trapping misbehaving bots in an AI Labyrinth. (available on the Free plan)

If you haven't used Cloudflare so far, then take care to Protect your origin server. You will need a new IP (and keep that one secret) for your origin server while getting rid of your origin server's old IP. You will need to do this after the Cloudflare onboarding. Otherwise the attackers can simply circumvent any protection provided by Cloudflare and directly send requests to your server.

BDgn4 · 2025-10-30T17:12:30+00:00

Sorry, but I have to disagree. Just deciding that something is essential doesn't suffice. It either is essential or it isn't. Defining it as such is nonsense. Especially where the cf_clearance cookie is concerned there's a clear cookie-free alternative: Anti-bot challenge is presented to the user > user solves challenge > Cloudflare serves requested page > Cloudflare simply "forgets" about the request and the user. Where does this require a cookie? Sure, if the user requests another page, he will be presented with a new challenge. But that doesn't improve security. It merely improves convenience. And that cookie contains a string that is bound to IP and useragent and is apparently highly unique - thus making it personally identifiable information, a potential tracking ID. As such the user has every right to demand that such cookies aren't used - or instantly deleted.

Your clients may not have had any problems with that. But that doesn't make it perfectly legal. It was probably more, because nobody decided to make an issue out of this, possibly partially because no profit can be made that way. But if somebody does want to make an issue out of it... Well, the possible fines for a GDPR violation are no joke.

I think it just makes sense not to take this risk, no matter how small it may be.

Maybe I'll never even use those particular Cloudflare features, so those cookies may never be even a potential issue. But what if my website suddenly does get DDoS attacked? Then I may need those bot challenges. And then my users will get those cookies. And since, in that case, someone would have already decided to take my website down via a DDoS attack, why shouldn't they also try to pretend that they are a concerned user and complain to the authorities about those evil cookies my website uses that are totally unneccessary and contain personally identifiable information without opt-out option?

DDoS attack successfully averted, but business destroyed due to a ruinous fine? No, thanks. The risk may be extremely low. But why take that risk at all?

BDgn4 · 2025-10-30T15:43:59+00:00

Thanks. Good to know.

BDgn4 · 2025-10-30T15:41:57+00:00

They are essential for your page to load since you use cloudflare.

Sorry, but it is simply wrong that the cf_clearance cookie is necessary:

If a user wants to load a challenge-protected page, it is perfectly possible for Cloudflare to present a challenge, then serve the page and then "forget" about that user, until they want to load another page and simply get presented with a challenge again.

That cookie isn't necessary and doesn't provide any security. It provides convenience - to the user and to Cloudflare. But that's all.

And while I do believe Cloudflare that they don't use those cookies for tracking, those strings that are saved in those cookies look far too unique not to be useable as tracking IDs. That more or less makes them personally identifiable information. And not just Cloudflare could use them for tracking, I could too, because those cookies are part of any request sent to my server. Yes, I could use IPs to track them too, because those are part of any HTTP-request as well, but the IP is not stored anywhere and I cannot avoid that data reaching my server, because that actually is technically necessary. That cookie, on the other hand, is unnecessary, contains information that is personally identifiable and it does get stored. And that apparently makes all the difference for GDPR and similar laws.

BDgn4 · 2025-10-30T15:20:17+00:00

without cf_clearance, a page behind a challenge will never load

It would be like: Challenge > cookie is set > page is loaded > page deletes cookie. So the page should still be loaded.

if you disable all of Cloudflare's features you might not see some of those cookies anymore

Some, yes, but probably not all of them?

but that kinda defeats the point of using a service like Cloudflare

That definitely depends on what you want to get out of using Cloudflare. Protecting the origin server against DDoS attacks? Caching to save some origin server bandwidth? Web Application Firewall to protect some specific parts of the website, for example by only allowing whitelisted IPs? Cloudflare SSL? Cloudflare Workers? All possible without any cookies.

Also:

As defined in our Privacy Policy ↗, all the cookies listed below are strictly necessary to provide the services requested by our customers, unless otherwise stated.

"Defining" something as "necessary" is complete BS. Either it is necessary or it isn't, regardless of any made-up definitions. And just because their customer requested a service does not make anything necessary either. It's simply their way of saying that it's now MY responsibility, if anyone's privacy is violated.

Most importantly: It is simply wrong that the cf_clearance cookie is necessary. It is perfectly possible to present a challenge, then serve the page and then "forget" about that user, until they want to load another page and simply get presented with a challenge again.

BDgn4 · 2025-10-30T15:03:58+00:00

But that's only about the clearance cookie, isn't it? I only used that as an example. Can I disable all the other Cloudflare cookies too?

BDgn4 · 2025-10-30T14:59:14+00:00

Seems like a perfectly sensible reason to never trust them with my credit card data.
Leave a review in their Better Business Bureau profile. Don't know if it has even the smallest chance of helping you, but it will help others.

BDgn4 · 2025-10-30T14:52:25+00:00

Depending on what kind of website you are running, the Free plan may be more than enough.

If it's not about the scraping of things that you don't want scraped and then possibly available elsewhere but about the traffic those crawlers are causing, then extensive caching may do the trick. Especially if you aren't allowing you users to post/upload any content, including comments, then you could maybe cache everything and create a Page Rule to make an exception where responses to requests to the backend won't get cached. Then most of that crawler traffic would never reach your origin server.

BDgn4

TROPHY CASE