Google’s Dirty DMCA Secret: Anyone Can Nuke Your Content Anonymously and Google Won’t Stop Them

Google went from “Don’t Be Evil” to letting anonymous trolls delete your content from the internet in minutes — and has no incentive to fix it

In 2000, Google adopted an internal motto that would become one of the most famous phrases in corporate history: “Don’t be evil.” It appeared in their corporate code of conduct, served as the Wi-Fi password on employee shuttles, and was cited by Google’s own founders in their 2004 IPO letter as a guiding principle. It was, for a time, one of the few examples of a tech company articulating a moral compass in plain language.

Then, in 2018, Google removed almost every mention of it.

The phrase had lived at the top of the company’s code of conduct for nearly two decades. Following a corporate restructuring under parent company Alphabet in 2015, Alphabet adopted the softer “Do the right thing” as its own code. Google initially kept “Don’t be evil” — until late April 2018, when a revision scrubbed it from the preface entirely. One lonely mention survives at the bottom of the document: “And remember… don’t be evil.” A whisper where there used to be a declaration.

The timing was notable. The removal coincided with a wave of employee resignations over Google’s involvement in Project Maven, a partnership with the U.S. Pentagon to develop AI for military applications. Over 4,000 employees signed a petition against the project. A dozen left entirely. Google’s former Head of International Relations, Ross LaJeunesse, would later write that the motto “was no longer a true reflection of the company’s values; it was now nothing more than just another corporate marketing tool.”

You might wonder what any of this has to do with a copyright law written in 1998. The answer is everything. Because the same company that decided “Don’t be evil” was no longer worth saying out loud has also built the single most exploitable content-removal system on the internet — and has made deliberate choices to keep it that way.

The Weapon Google Hands to Fraudsters

Here’s what bad actors can do today: submit DMCA requests that look valid on paper, then let Google’s default “remove first” machinery do the rest. In practice, that can mean pages vanish from search results fast, with little friction up front and no meaningful verification that the filer is who they claim to be.

That isn’t a hypothetical. That’s how Google’s DMCA takedown process works right now. And while the Digital Millennium Copyright Act itself has serious structural problems, Google has made a series of deliberate choices that go far beyond what the law requires, turning a flawed system into a weapon optimized for abuse.

This is what a fraudulent-looking DMCA notice can look like: generic sender, vague work identification, and a sprawling URL list — exactly the kind of filing that makes abuse hard to detect at scale.

Who’s Getting Hurt

The damage isn’t theoretical. It’s happening to real people, and it cuts two ways.

First, there are the creators whose identities are being weaponized against them. Top OnlyFans creators have discovered that unverified filers are impersonating them to file fraudulent copyright claims, using the creator’s own name and content as the basis for takedowns against publishers who feature them. Many creators without professional representation are watching their traffic collapse and have no framework for understanding why. The mechanism of attack is invisible to them. They see the symptom. They never see the cause.

“My agent brought these fake reports to my attention — I didn’t even know this could happen,” says Kayla, a top 1% OnlyFans creator. “I was shocked. It’s almost as bad as finding out you’ve been leaked. Other creators who don’t have agency representation lose traffic to their pages and have no idea why it’s happening or what to do.”

Then there are the publishers. Ad networks, roundup sites, and independent media outlets whose legitimately published content gets ripped out of Google search results overnight. They lose time, money, and traffic fighting bogus claims — and by the time they successfully counter one fraudulent takedown, the damage has already been done and hundreds more notices are waiting.

Matt M., a top creator agency owner, describes the operational reality: “We lose time and money fighting these bogus claims. In the end, it’s the creator who suffers. Some of them have been manipulated into paying for takedowns to protect their brand. What really happens is they lose access to the promotion they’re paying for from ad networks, so they’re effectively paying twice and losing traffic. I don’t blame the creators for this — these scammers make it sound like they’re some kind of intellectual property lawyer protecting the creator against theft.”

On the publisher side, the operational toll is just as brutal. Benjamin, a COO at a web publishing company, describes a business that’s been forced to build an entire role around fighting fraud: “We manage dozens of niche websites where humans compose longform editorial content and perform investigative journalism. We’re overly cautious about ensuring the graphics on our sites are eligible and fair use. And yet, we now have to have a full-time employee who does nothing but receive DMCA takedown notices, respond to explain our position, and then track and follow up on each one because Google is only reinstating our pages about 60% of the time on the first attempt.” The economics of abuse have made it even worse: “We’ve seen a huge increase in unethical providers on websites like Fiverr who will file DMCA takedowns anonymously for less than $10. This DMCA fraud is a daily struggle.”

What connects all of it is the same structural failure: Google processes takedowns from unverified filers at scale — and the people on the receiving end have no fast, affordable way to fight back.

Seven Things Google Could Do Tomorrow (But Won’t)

The DMCA requires platforms to process takedown notices “expeditiously” to maintain safe harbor protection, but nowhere does the law require Google to accept unverified notices, prohibit identity confirmation, or prevent flagging suspicious patterns. Google has chosen to do none of the things the law would allow. Every change below is legally permissible. They choose not to because the current system costs them nothing.

1. Verify the identity of complainants. Anyone can file a DMCA takedown with a self-attested name and zero identity verification. Fraudulent senders routinely use generic names like “DMCA Manager,” burying their filings in a sea of identical-looking notices. Google could require verified accounts or confirmed business entities before processing notices. The law requires a perjury statement that the filer is authorized to act on behalf of the copyright holder, but Google never actually verifies that claim. This is the single highest-leverage change Google could make, because every other reform depends on knowing who is actually filing.

2. Create a trust scoring system and verified publisher whitelist. Google processes millions of takedown requests annually. They have more than enough data to flag patterns of abuse — high-volume filers who get counter-noticed, notices that consistently target competitors rather than actual pirates. Google already does this in other contexts: think Google Ads quality scores, think search spam detection. The technical infrastructure exists. The will does not. Taking it further, Google could create a verified publisher whitelist — trusted publishers with clean compliance records receive “notice and review” treatment rather than instant “notice and takedown.” When a takedown targets content from a verified publisher, Google holds it pending brief review instead of auto-removing it. Unverified filers and unknown entities get standard processing. The current system doesn’t bother to distinguish between a publisher and a pirate. Google could make that distinction tomorrow.

3. Add a review window for suspicious notices. Instead of removing content the instant a notice arrives, Google could hold flagged notices for 24 to 48 hours of review. The DMCA says “expeditiously.” It does not say “instantly.” Google already takes days to process many notices anyway.

4. Require specific identification of the copyrighted work. Fraudulent takedowns are routinely vague about what’s supposedly being infringed. The law already requires identification of the copyrighted work — if it’s missing, the notice is technically deficient and Google has no obligation to act. In practice, they process incomplete notices because it’s easier to take things down than to push back.

5. Make counter-notices frictionless. Filing a takedown takes minutes through Google’s web form. A counter-notice requires the victim to provide personal contact information (which gets forwarded to the attacker), submit legal declarations, and wait 10 to 14 business days. Google could streamline this with an equally simple form and a one-click counter-notice option. They don’t.

6. Penalize repeat abusers. Google has a repeat infringer policy for people whose content gets taken down, but no meaningful repeat abuser policy for people who file fraudulent notices. There’s precedent for this: the Telephone Consumer Protection Act (TCPA) imposes fines of $500 per violation for unsolicited robocalls — real financial consequences that changed the economics of spam overnight. Google could apply the same logic: track abuse, escalate consequences, suspend filing privileges for filers whose notices are consistently bogus.

7. Publish transparency data at the complainant level. Google’s Transparency Report shows aggregate data but doesn’t reveal which complainants have high rates of rejected claims. Publishing that data would let the public (and courts) see who’s actually weaponizing the system.

The common thread: Google has optimized entirely for minimizing their own legal risk and operational cost. Their safe harbor protection doesn’t depend on accuracy. It depends on speed of removal. They’ve outsourced 100% of the consequences to everyone else.

How Google Weaponizes “Transparency” Through Lumen

Google sends copies of DMCA takedown notices to the Lumen Database, a Harvard Law School Library–affiliated research archive housing nearly 70 million takedown notices referencing well over 10 billion URLs. In theory, this creates transparency: the public can see who is requesting content removal and why.

In practice, the transparency is far thinner than it appears, and that’s by Google’s design.

Google’s own policy states that it generally shares the requestor’s name on copyright and trademark notices sent to Lumen. But “shares a name” isn’t the same as “verifies an identity.” The system still allows completely self-attested identities — names like “DMCA Manager” — to flood the record unchecked. Google never confirms that the person behind the name is real, that they represent who they claim to represent, or that they have any standing to file in the first place. The result is a database full of names that may as well be pseudonyms, with no mechanism to connect patterns of abuse across filings or hold repeat offenders accountable.

This matters because the DMCA statute itself requires that a takedown notice include the identity of the complainant. The entire premise is accountability: someone is making a legal claim under penalty of perjury, and the target should be able to evaluate who filed it and whether to counter-notice. When the name attached to a filing is functionally meaningless — self-attested, unconfirmed, and shared by thousands of other notices — that accountability collapses. The filer’s identity exists on paper. It doesn’t exist in practice.

Compare this to other platforms. When Reddit, GitHub, Medium, or Vimeo submit notices to Lumen, the sender information is often verifiable and intact. Google, by far the largest source of notices in the database, accepts whatever name a filer types into a form and passes it along without verification. The sheer volume of unverified Google notices dilutes the entire dataset, making Lumen’s research mission exponentially harder.

And Lumen’s own researchers have documented exactly what this enables. In 2022, Lumen Research Fellow Shreya Tewari identified more than 33,000 DMCA notices that appeared to be part of a coordinated campaign of fraudulent takedowns built on back-dated articles used to suppress legitimate journalism. Follow-up research brought the total to over 89,000 apparently fraudulent notices, used to suppress news coverage of corruption, drug trafficking, and political misconduct. The playbook is repeatable, scalable, and — thanks to Google’s lack of verification — virtually risk-free.

Lumen’s stated mission is to provide transparency on who sends content removal requests, why, and to what ends. Google undermines that mission not by hiding names but by treating self-attested identities as “good enough,” flooding the system with filings that technically have a name attached but offer no real path to accountability.

Why This Is an Antitrust Issue

In August 2024, a federal judge ruled that Google illegally maintained a monopoly in search. Judge Amit Mehta held that Google monopolized the markets for general search services and text advertising, controlling nearly 90% of computer searches and approximately 95% of smartphone searches. In April 2025, a second federal court found Google had also unlawfully monopolized the digital advertising market, with the DOJ declaring that Google’s “unlawful dominance allows them to censor and even deplatform American voices.”

As of March 2026, the fight continues. The case has moved into the remedies phase, where the DOJ has proposed major structural changes, including limits on Google’s search distribution agreements and the potential divestiture of Chrome. Google is simultaneously appealing the monopoly ruling. The case is expected to move to the D.C. Circuit Court of Appeals.

Those rulings are what elevate Google’s DMCA choices from a policy problem to a structural one. When a single company controls the doorway to the entire internet — and two federal courts have confirmed that they do — running a sloppy, easily exploited takedown system isn’t just negligent. It’s a weapon that any third party can pick up and use to destroy a competitor.

Take the Button Away

Google doesn’t need Congress to stop making this easy. It can verify complainant identity privately, rate-limit high-volume filers, build an abuse score, and give verified publishers “notice and review” instead of instant deindexing. None of that requires a new statute — just the decision that the people who depend on Google’s index are worth the engineering hours.

Right now, Google’s DMCA pipeline is optimized for the only metric that protects Google: speed. Everyone else eats the consequences. They took “Don’t be evil” off the wall. The least they can do is stop handing strangers the button that makes people’s work disappear.