Gaming platform Itch.io recovers from AI anti-phishing mishap

The indie game platform itch.io experienced a brief but significant service disruption due to an automated brand protection system’s misidentification of potential trademark infringement.

The incident overview: A domain takedown affected itch.io for several hours on Monday morning, stemming from an AI-powered brand protection system’s report about alleged phishing activities.

• The shutdown was triggered by BrandShield, a brand protection service working on behalf of Funko, the company known for Funko Pop collectible figures
• The domain registrar, iwantmyname, disabled itch.io’s domain despite the platform having already addressed the initial complaint
• Users could still access the site directly through its IP address during the outage

Root cause analysis: The shutdown originated from a single user-created fan page for a Funko Pop video game on the platform.

• The fan page contained screenshots and links to the official Funko Fusion game
• Despite itch.io’s prompt removal of the content after receiving complaints, the automated system proceeded with the domain takedown
• BrandShield later clarified that their takedown request was intended only for the specific subdomain, not the entire itch.io platform

Technical response: The situation was resolved when the domain registrar finally acknowledged itch.io’s compliance with the removal request.

• The platform was restored by 7 AM Eastern time
• BrandShield emphasized that the complete domain takedown was executed by service providers, not by their company or Funko
• The incident highlights the sometimes overzealous nature of automated brand protection systems

Broader implications: The event underscores the vulnerability of web-based platforms to DNS and domain registration issues.

• Similar incidents have occurred in the past, including a DNS root server desync in May that affected large portions of the internet
• The situation demonstrates how automated brand protection systems can sometimes create unintended consequences for legitimate platforms
• The incident raises questions about the balance between protecting intellectual property and maintaining stable internet infrastructure

Future considerations: This event exemplifies the growing tension between automated brand protection measures and the normal operation of legitimate online platforms, suggesting a need for more nuanced approaches to digital rights enforcement and domain management.