karaterobot 1 year ago

> The lawsuit describes Automattic and Mullenweg’s conduct as an abuse of the open-source internet architecture, alleging that “a single individual (Matt Mullenweg) exercises apparent singular control over what they claim to be more than 40% of all websites in the world through his personal website (WordPress.org).” It calls this level of control “an appalling deception” that is “contrary to every conceivable public policy.”

That seems like a specious argument to me. There's no deception involved as far as I can tell, and I can't see how public policy has anything to do with this. It sucks for many reasons that WordPress powers so much of the web, but it's pretty rich for someone whose business is built on WordPress to claim its success is an existential threat. I will not comment on what I think about a cybersecurity business that is built on a WordPress site, as it's simply not relevant.

  • connicpu 1 year ago

    When you file a lawsuit you initially make every argument you might possibly want to use in your initial filing, knowing some of them will be whittled down. Pretty much every lawsuit ever includes some claims that are a bit of a stretch, because the lawyers need to CYA. If you fail to make the argument you may be precluded from introducing it later, so it's just safer to include it now.

    • tothrowaway 1 year ago

      I think it's more about running up the legal bill of the defendant. It costs virtually nothing to include a spurious claim in a complaint (it can literally be a sentence or two). The defense has the burden of getting the weak claim dismissed with pages and pages of arguments (because they don't want any chance of it slipping through).

      The bar for a "shotgun" complaint is way too high in the legal system.

    • hinkley 1 year ago

      I sort of suspect it's also a case of bluffing. You can't know for sure which aspect of a complaint is the one that makes the defendants soil themselves, and you might trigger a settlement or make them behave strangely in ways that give you clues about where exactly it is they're ticklish.

      I've been told before that some people will settle a case to avoid setting a legal precedent, which might trigger giant class action suits.

  • FireBeyond 1 year ago

    > There's no deception involved as far as I can tell

    Whether it is germane to the case or not, there was plenty of deception:

    When the rights were transferred to the WPF, Matt didn't disclose that the Foundation was essentially just him, and the two other nominal members were effectively absent.

    When the rights were transferred, and a big deal was made of this, "It now belongs to the WPF, which ensures that no commercial entity or interest can affect what should be a community project", there was no mention of how, on that same day, the WPF silently granted an "irrevocable, non-expiring, exclusive universal commercial licence" to Automattic.

    Matt repeatedly would refer to wp.org as a community resource and not his, until push came to shove, and "no, actually, it's exclusively mine and has nothing to do with Automattic or the WPF".

    And several other examples. Apropos of anything else, there has been deception.

    • nickff 1 year ago

      Matt didn't attest under oath that he was transferring the rights to an arms-length organization; others might have assumed that, but I'm not sure why they would. Isn't the WPF-Automattic relationship more or less the norm with companies that have 'open-source business models'?

      • 1shooner 1 year ago

        > Isn't the WPF-Automattic relationship more or less the norm with companies that have 'open-source business models'?

        No, it's not, and I think that's the crux of most of the controversy. One quick comparison would be Drupal: https://dri.es/solving-the-maker-taker-problem

        • nickff 1 year ago

          I suggested that the WPF-Automattic relationship was “the norm”, and you countered with a post where Drupal describes itself as “unique and groundbreaking within the Open Source community”. While Drupal might be better (or worse), this post doesn’t disagree with my message.

          • TheNewsIsHere 1 year ago

            It is not the norm. Open source projects sponsored by a commercial organization tied to that project might be nominally controlled by a foundation, but that foundation isn’t effectively controlled by a single person in their private capacity, who has secretly granted the commercial entity an exclusive, irrevocable commercial license.

            I don’t know if there is past precedent, but it’s certainly not the norm.

            What would be more normal is a company more or less owning the open source software and simply licensing it under a permissive license and then having a closed source or open core fork. An example there would be any number of Red Hat projects.

          • 1shooner 1 year ago

            That quote is referring to the credit system, not the relationship between Acquia and the Drupal Association.

          • friendzis 1 year ago

            It actually does, but in a bit of a non-obvious way if you have been tricked by Matt's/Automattic's wording.

            The very core of free software (as in beer, not the FSF definition) is, well, a dramatic reduction of cost for customers. Opening the source for modification is merely in expectation that some of the customers would contribute something back. The relationship is highly asymmetrical. Therefore, Takers in Drupal lingo are an inherent, consequential part of the deal.

            Drupal's system just goes one step above in recognizing those who contribute back in a mostly good faith, unbiased effort.

            The typical business models behind FOSS are professional services (support and training) and commercial extensions (open-core model). In the latter model (or both), the governing body makes the majority of contributions and consequentially (key word) steers the project. For example, Chromium is the way it is not because Google said it should be that way, but rather because they put in the effort to implement their wishes.

            Some FOSS-on-the-surface projects reject contributions that do not align with their commercial vision and even go as far as to chase legal action against forks. Both examples have been discussed in this very forum quite thoroughly.

            This brings us to the problem with WordPress, the WordPress Foundation and Matt/Automattic. The governing foundation is generally established so that the major Makers and Takers (remember, entities can exist in Maker-Taker duality) do not go into open warfare and in turn sabotage the whole FOSS project. WordPress itself is a FOSS project, directly enabling both Automattic and WPE. WPE is a clear Taker here, no objections to this judgement. However, the Foundation is for all intents and purposes Matt/Automattic. When Matt and WPE did go into open warfare, this lack of separation between commercial and charitable operations meant that Matt abused his powers over WPF, weaponized it and used it against WPE in Automattic's fight against WPE.

            This is where the WPF-Automattic relationship is totally out of the norm in open-source/open-core business models.

      • baobun 1 year ago

        > but I'm not sure why they would

        Because that's the expectation that was set by Mullenweg's words and actions. Whoever said you need to be under oath for deception to take place?

        • MassiveQuasar 1 year ago

          Apparently libel laws aren't a thing because you're not under oath now or something along those lines.

          • nickff 1 year ago

            Per my comment on another message, it seems like Matt was telling the truth, but not the whole truth, which is probably more than he was legally required to do.

      • FireBeyond 1 year ago

        At times, it can be. But the transfer of rights to the WPF was made as being about the community, and not allowing any commercial organization to have rights to that app ecosystem.

        That press release was made the very same day as the WPF then silently granting back exclusive rights to Automattic.

        The WPF has never, until this court case, acknowledged that any org has such commercial rights, let alone "irrevocable, exclusive and universal" rights. For the best part of a decade.

        Matt may not have been under oath but the announcement on behalf of WPF was entirely factually inaccurate, because a commercial organization absolutely did and would have those rights over "WordPress". And he can't even claim ignorance, because he was the one granting those rights, that same day.

        • nickff 1 year ago

          It seems like Matt was telling the truth, but not the whole truth, which is probably more than he was legally required to do.

      • TheNewsIsHere 1 year ago

        Deception doesn’t require that a misrepresentation be made under oath. Especially when dealing in the world of business or nonprofits.

        Now if someone made the claim that he perjured himself that would be different.

  • cyral 1 year ago

    > There's no deception involved as far as I can tell

    155 pages of deception here: https://wpengine.com/wp-content/uploads/2024/11/51-2.pdf Page 32 "Defendants Conceal the Truth Regarding the WordPress Directory" and page 73 "Wrongfully Expropriate WPE’s Most Popular Plugin" are particularly related. (The part where Matt decides to take over WP Engine's popular plugin and rename it, taking all their customers and reviews is particularly egregious)

    • karaterobot 1 year ago

      Deception with respect to him having full control of WordPress, which is what the quote was about.

      • edanm 1 year ago

        I'm not an expert or part of the community and haven't been following too closely.

        But I vaguely remember there was a story where he said he transferred control of some aspect of WP to a non-profit organization not controlled by him, with a press release and everything, but then later that day control was transferred back to him without telling anyone.

        In any case, I believe it's pretty clear that most people who rely on WordPress had no idea that it is almost singularly controlled by him. Whether this was done via deception or not is indeed a good question.

  • neverchangeboi 1 year ago

    I love how the top comment on every single HN post is some contrarian "nuh uh!" take from someone who is light-years away from being an expert in that thing.

jcranmer 1 year ago

Why do journalists so rarely link to the actual court documents when talking about a complaint?

Anyways, here it is: https://storage.courtlistener.com/recap/gov.uscourts.cand.44...

  • nimish 1 year ago

    Because it'd reveal they usually aren't much more than a summarizer run on the court doc.

    Middlemen hate to show you what they actually do.

    • jahsome 1 year ago

      Many journalists do upload/link to documents, and add quite a bit of context to the documents. OC appears to confuse bloggers with journalists.

      Speaking from personal experience, the number of people who click on links for raw documents is an _extremely_ small subset.

      Most people don't even read past the headline let alone the lede.

  • saaaaaam 1 year ago

    Often because they have paid for it via PACER so don’t want to give it away to competitors for free.

    Or because they’ve got it via a back door and don’t want to link to it and reveal that.

  • geoffeg 1 year ago

    Because it links away from their site. They want to keep you on the site, clicking more links that can generate revenue for them.

tyzoid 1 year ago

I'm not a lawyer, but the legal claim made appears to me to be on shaky ground. In my understanding, there has to be actual damages arising out of an action. "I could have been hacked, so I had to spend time/money on it" isn't actual damages unless they were _actually_ hacked.

  • ordx 1 year ago

    I imagine it would be sufficient to show that he had to spend time or money analyzing the security impact of the event.

  • lesuorac 1 year ago

    Why aren't costs involved with a mitigation actual damages?

    I'm not sure this is the correct lawsuit to demonstrate this.

    So hypothetically, if say you lent a key to a handyman and then they posted a photo of it to Twitter, it seems pretty reasonable for them to cover the costs of replacing the locks. As opposed to having to wait for somebody to rob you and then trying to show that the robber did so from the photo.

    • that_guy_iain 1 year ago

      > Why aren't costs involved with a mitigation actual damages?

      They are. If you ever look at the damage caused by a hack it's in the millions, and that's because they're including the time used to investigate and repair and mitigate further attacks.

  • velcrovan 1 year ago

    I have received class action settlement payments from Verizon, Apple, and others for things I hardly noticed at the time. So maybe your idea of what precedent considers “damages” here is incomplete.

  • that_guy_iain 1 year ago

    Realistically, this is just going to piggyback on WPEngine's lawsuit.

    However, there were customers who migrated to other hosts because of the potential security risk. That is an actual damage. There are people who lost contracts because their potential client chose software other than WordPress. That is an actual damage. There are lots of actual damages that occurred.

  • ziddoap 1 year ago

    > "I could have been hacked, so I had to spend time/money on it" isn't actual damages

    Sure it is. Money was spent that wouldn't have been if the situation didn't happen.

    • AnthonyMouse 1 year ago

      > Sure it is. Money was spent that wouldn't have been if the situation didn't happen.

      There are two problems with this.

      First, for normal damages, there is some limitation on the costs. If someone breaks the lock on your door and does nothing else, you replace the lock, damages of maybe $40. If someone gets into your servers, you what? Spend ten minutes to check the logs and rotate keys? Wipe and rebuild all the servers? Does the reasonableness of that depend on whether that's an automated process or a manual one? Maybe you should delete your entire code repository and have it rewritten from scratch, in case knowledge of the code could have helped some attacker? There is no upper limit to the amount of resources you could spend investigating something, and then companies with unlimited resources would effectively get to use it as a cudgel against someone who embarrassed them, because $10M is nothing to them but is a life-destroying amount of damages to some kid who made a mistake.

      It's like claiming that someone broke the lock on your door so now you're not sure if someone might have been inside and you have to strip the whole building to the rafters to check if someone has planted a listening device or hidden some crypto mining hardware inside the walls, even though you're a company that sells tile and carpets.

      Second, if doing the latter was in some way actually justifiable then the company should be periodically doing it anyway, because if a vulnerability existed then it could have been exploited whether anyone was detected or not, so if spending that level of resources could be justified "just in case" then it isn't money that was spent that wouldn't have been if the situation didn't happen. Unless they're full of crap that all of it was actually necessary.

      • ziddoap 1 year ago

        > There is no upper limit to the amount of resources you could spend investigating something

        The upper limit is what the courts decide is reasonable, based on the factors of the case, your justification of the requested damages, precedent of similar cases, etc.

        > $10M is nothing to them but is a life-destroying amount of damages to some kid who made a mistake.

        Again, the courts make these determinations literally all the time. We don't need to figure out what "reasonable" and "damages" mean from first principles.

        > It's like claiming that someone broke the lock on your door so now you're not sure if someone might have been inside and you have to strip the whole building to the rafters to check if someone has planted a listening device or hidden some crypto mining hardware inside the walls, even though you're a company that sells tile and carpets.

        This type of claim is not approved by the courts, because it is clearly unreasonable.

        • AnthonyMouse 1 year ago

          > The upper limit is what the courts decide is reasonable, based on the factors of the case, your justification of the requested damages, precedent of similar cases, etc.

          "The judge will render a decision" still requires you to have some rule for the judge to apply or the result is entirely subjective. You don't want the winner of every case to be the one who can afford to spend the most on lawyers.

          > This type of claim is not approved by the courts, because it is clearly unreasonable.

          I feel like you're only making my point. It isn't reasonable in the physical case, so why should it be reasonable in the digital case?

          • ziddoap 1 year ago

            > still requires you to have some rule for the judge to apply

            Good thing they can examine a century or two of case law, including lengthy debates on what constitutes “reasonable” and “damages”, to help make their decision.

            > You don’t want the winner of every case to be the one who can afford to spend the most on lawyers.

            That is pretty much how it works already. Better lawyers typically make better arguments and, on average, get better results. They also want more money because they are better.

            You don’t want the winner of the case to be the one who made a worse argument just because they have less money.

            > It isn’t reasonable in the physical case, so why should it be reasonable in the digital case?

            Your extremely stretched example is not analogous to the situation.

            • AnthonyMouse 1 year ago

              > Good thing they can examine a century or two of case law, including lengthy debates on what constitutes “reasonable” and “damages”, to help make their decision.

              "A status quo exists" is not an argument for what rule the law should use unless your argument is that status quo bias is the only acceptable mechanism for choosing policy.

              > That is pretty much how it works already.

              Is/ought dichotomy.

              > You don’t want the winner of the case to be the one who made a worse argument just because they have less money.

              No, what you want is for the law to be clear and reasonable so that spending millions on lawyers to argue over excessive ambiguities is not a prerequisite to attaining a just outcome.

              > Your extremely stretched example is not analogous to the situation.

              In what way is it not analogous?

              • ziddoap 1 year ago

                > an argument for what rule the law should use

                > Is/ought dichotomy.

                For some reason, you've started talking about what the law hypothetically should be and how court cases should be handled. I wish we had a perfect court system, too. But can we shift back to reality?

                > In what way is it not analogous?

                The first hint is that it's purposefully formulated to come across as absurd (crypto as an appeal to emotion? really?). It's unnecessarily exaggerated and lacks any context. This Automattic stuff has months of history that will be considered. It fails to map just about anything to the digital equivalent, represented in the lawsuit.

                Analogies typically suck anyways, so why don't we just discuss what's actually happening? Some companies were obligated to implement manual security controls during the period where Automattic disabled their automated ones. In some cases they had to conduct additional (unscheduled, previously unnecessary) security assessments solely due to the actions of Automattic during their feud with another company about trademarks. Companies had to take time to assess if, how, and when they would move their websites. All of this costs money.

                If you are an unrelated third-party caught in the crossfire of a frivolous dispute between two companies, seeking reimbursement for that money is reasonable.

                • AnthonyMouse 1 year ago

                  > For some reason, you've started talking about what the law hypothetically should be and how court cases should be handled. I wish we had a perfect court system, too. But can we shift back to reality?

                  All of these discussions are always about what should happen, because it hasn't happened yet, which means people can still affect the outcome, e.g. by changing the law or convincing a judge to do something different.

                  What would be the point of talking about something if there is nothing anybody can do about it?

                  > The first hint is that it's purposefully formulated to come across as absurd (crypto as an appeal to emotion? really?).

                  This is a thing that commonly happens in the actually analogous situation, i.e. someone who breaks into your servers installs crypto miners on them if they get in. And that was your objection? The point of that example was to provide something that could incur real measurable costs if it actually happened, i.e. giving the other side the benefit of the doubt that a genuine harm is hypothetically possible. The issue is that even assuming that, it's still purely speculative that it would have actually happened.

                  Moreover, you don't seem to like hypotheticals, but the hypothetical is the basis of the claim. "We had to spend money on this mitigation or otherwise hypothetical bad things could have happened." If they spent money in order to prevent nothing then it was wasted money and they were the ones who decided to waste it.

                  > Analogies typically suck anyways, so why don't we just discuss what's actually happening?

                  Analogies are fairly important because the law operates on the basis of analogies, and in particular, cases like this can set precedents that will be used in analogous cases.

                  Which means we might want to consider what happens if the defendant is a kid instead of a large business and whether you really want to level that amount of damages on them.

                  > All of this costs money.

                  All of everything costs money. If you're using some Google service as an important part of your business and then they discontinue it as is their custom, it could cause you a lot of trouble. Does that mean you should be able to sue them when they do that?

                  People are allowed to be petulant and your main recourse is to stop doing business with them. You can also get companies to promise in writing not to be petulant, but in general getting them to guarantee that requires paying them a buttload of money and people are often more inclined to risk the consequences than buy the insurance.

      • bmicraft 1 year ago

        This "where do we draw the line" talk is always so exhausting to hear for me. The suggested answer inevitably boils down to "let's not have a line at all", instead of trying to draw a reasonable line and deciding on a case-by-case basis what is and isn't reasonable.

        While trying to be reasonable might have unexpected outcomes for either side sometimes, not having a line at all always unfairly skews the damages to one side.

        • AnthonyMouse 1 year ago

          Suppose you've designed your systems according to sound and efficient practices. You have offsite and offline backups, monitoring systems, zero trust architecture, well-documented systems that can be rebuilt from scratch using automated processes, etc. If some compromise happens the scope is extremely limited and well-defined and the mitigation is swift and inexpensive. Also, there probably wouldn't have been one to begin with.

          Now suppose you're a disaster. There is a combination lock on the front door with the combination already punched into it and if anyone walks through the door they have full access to everything from your employees' bank routing numbers to the VPN credentials providing access to your suppliers' networks, with no logs of any kind. If someone gets inside and you want to know what they did you'll have to shutter the company for a year while a team of full-time engineers and forensic accountants tries to reconcile the numbers in each set of systems with the others and resolve any inconsistencies through some combination of vibes and whimsy.

          Your costs in the second case are going to be dramatically higher, but that isn't a consequence of anything the person who walked through the door did. That's something you did to yourself.

          Failure to mitigate is a thing. The damages in the first case would be zero or close to zero, which implies the damages in the second case should be the same because the party claiming the damages is the one responsible for the difference.

          Moreover, this is the incentive we want, because we want organizations to minimize damages and suffer consequences if they don't.

    • subjectsigma 1 year ago

      “I want to drive my car without airbags, but I have all these other stupid people on the road who might hit me, so I have to invest in airbags. Maybe I should just preemptively sue them for forcing me to invest in my safety.”

      • ziddoap 1 year ago

        This is one of the most stretched examples yet. It’s as if nuance, context, and the concept of “reasonable” have completely left the room.

  • josefritzishere 1 year ago

    There is actually an important legal distinction between could and would. He just undermined his own case.

  • chasing 1 year ago

    Sounds like actual damages to me.

    If you break my door lock I'm pretty sure I can't just leave my door wide open for months and then sue you for all of my stuff that got stolen. I need to fix the lock. And ask you to pay for that. Also not a lawyer, but pretty sure you've got to proactively mitigate your damages.

    • jeroenhd 1 year ago

      Physical metaphors rarely work for software.

      In your scenario, someone _could've_ broken the lock because you're renting a lock from a locking agency Lock Engine, who copied a lock design from LockPress, and LockPress decided not to mail them design flaws anymore.

      In the real world, vulnerable locks don't ever get fixed. At worst, locks get recalled, and you get your money back. Lock designs don't get shared freely, and if they do, there is no expectation of informing people that may have copied designs of potential flaws.

      If your house got broken into, you should sue Lock Engine, because they're not providing the service you're paying for. Suing LockPress for the lock design Lock Engine decided to copy wholesale is pure nonsense.

  • sureIy 1 year ago

    Imagine you open Spotify on your phone, only to (maybe?) realize it's streaming from Apple Music.

    Is that ok for you that Apple appropriated the app? They offered the platform, the ecosystem and the store. Is it within their right?

    That's what happened here.

  • dragonwriter 1 year ago

    > In my understanding, there has to be actual damages arising out of an action.

    Depends on the specific tort, but actual damages aren't the only thing for which there can be liability. Statutory damages, punitive damages, and non-damages based liability (unjust enrichment, disgorgement of profits, etc.) are all things that exist for various torts.

    > "I could have been hacked, so I had to spend time/money on it" isn't actual damages unless they were _actually_ hacked.

    Why wouldn't reasonable costs incurred to determine or rule out adverse effects of a wrongful act be considered actual damages of that act?

felizuno 1 year ago

I have to assume there is bright-line "swim at your own risk" language that protects Automattic from claims like this.

  • joshbetz 1 year ago

    > This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

    https://github.com/WordPress/WordPress/blob/master/license.t...

    • dragonwriter 1 year ago

      Warranty disclaimers may (or may not, depending on the law of the affected jurisdiction) limit liability for claims on an implied warranty theory, but they certainly don't apply to tortious interference or unfair competition claims.

      I’m not saying the claims here are valid, but the warranty disclaimers don't seem at all relevant to the bases of liability asserted.

      • felizuno 1 year ago

        Thank you, now I'm learning the things I wanted to learn when I made my comment.

    • wrs 1 year ago

      I haven’t bothered to look at the actual filing, but none of the causes of action mentioned in the article were about warranty, merchantability, or fitness for purpose.

      • felizuno 1 year ago

        Yeah, this part is where I am confused - the dispute itself is about bad business-to-business behavior, but the class status of this lawsuit drills down to harm caused to end users. I'm trying to figure out what expectations end users are entitled to, since it's obviously not the case that WP users can hold Automattic directly liable when they are hacked.

        I _think_ the argument is that WPE gave them the (at the time reasonable) expectation that risk mitigation was handled by them, and Automattic made that expectation impossible to meet retroactively hence tortious interference, but is there language that passes the liability up the chain from the end users? To me it seems like WPE has a case but the end users as a class might face headwinds.

        And for everybody angrily downvoting me I agree with you that Matt is an asshole but that doesn't mean I don't want to understand the nuance of a class claim in a case like this.

        • friendzis 1 year ago

          IANAL. The chain of argument is roughly: WP was transferred to WPorg -> WPorg promised open access to WP ecosystem (including plugins) -> Matt/Automattic retained effective control over WPorg -> Matt/Automattic abused their control over WPorg to sabotage WPE's ability to provide contractual services -> WPE's customers suffered.

          EDIT: I think the part causing most confusion is relying on customers' expectation that they are NOT using WPE's product, but rather using WP plus WPE's services. I.e. if contractor X installs a thing in your house/car/whatever and then the manufacturer of that thing uses it to sabotage your business, you get a claim against the manufacturer, not against the contractor.

          • mcosta 1 year ago

            But in this case the manufacturer does not offer any warranty at all to anybody.

            • friendzis 1 year ago

              This is not about any warranties at all. The warranty and liability disclaimer applies strictly to those parts and is used to establish

              This suit is about unfair business practices: tort and racket. The suit raises a claim that Matt publicly boasted of harming WPE through his actions, which should establish intent. The core claim is that Matt/Automattic/WPF, acting as a unit, intentionally abused their collective power and relationship with WPE to cause harm to WPE and their customers, demanded payment to stop causing harm and on top of that attempted to pull said customers away to their for-profit alternatives.

              Before you go and claim "but there are no warranties and SLAs on plugin repository", a supporting claim in the suit is that WPF plugin repository is hard-coded into WP software, therefore part of the overall service (volunteer effort maintaining the WP package) and selectively targeting users of WPF repository constitutes unfair business practice.

              A distant analogy could be a tourist spot scam where a nefarious party sees a family, offers their child a candy and then harasses the parents to pay up. Or similarly with flowers for couples.