Last week, it appeared that Defense Distributed's battle against the State of New Jersey over a recently enacted "ghost gun" law had new life. This week, a filing from the New Jersey Attorney General's Office puts one of the new lawsuit's inciting incidents into question.

In a February 12 letter (PDF) to District of New Jersey Judge Anne Thompson, NJ Assistant AG Glenn J. Moramarco writes that a recent takedown notice submitted to Cloudflare and aimed at the website CodeIsFreeSpeech was faked.

"A key document supporting Plaintiff's TRO application—a 'takedown notice' purportedly sent by [New Jersey AG's Division of Criminal Justice] to CloudFlare, Inc., which hosts one of the plaintiff's websites, CodeIsFreeSpeech.com—was not in fact issued by DCJ," the NJ AG's office writes in the filing. "[It] appears to have been issued by some entity impersonating the Attorney General's Office."

What’s going on?

The potentially impacted case is Defense Distributed v. Grewal, now a pair of lawsuits involving the firearms tech company and New Jersey Attorney General Gurbir Grewal. Defense Distributed believes NJ's fall 2018 "ghost gun" law is unconstitutional, and it previously filed the first lawsuit in Texas over the issue. That iteration of the case was ultimately dismissed on January 30 for jurisdiction reasons, leaving the central question unanswered.

But beyond Defense Distributed, other sites had hosted the gun files at the center of this saga—like the Firearms Policy Coalition-run website CodeIsFreeSpeech. On February 2, that site received an email from Cloudflare's abuse team. According to the corresponding legal complaint (PDF), the NJ AG's office had sent Cloudflare a letter notifying the network provider that it was serving a site potentially in violation of New Jersey law.

"This is a notice to Cloudflare that you are serving files consisting of 3D-printable firearms in violation of NJ Stat. Ann. § 2C:39-9 3(I)(2)," the letter stated. "These files are accessible via Cloudflare's New Jersey datacenter. You shall delete all files described within 24 hours or we will be forced to press charges in order to preserve the safety of the citizens of New Jersey."

This action presented Defense Distributed and its co-plaintiffs a new opportunity to file a legal complaint in New Jersey rather than in Texas. Looking through the initial complaint in Defense Distributed v. Grewal round two, the false takedown demand is the only new exhibit included. All other supporting documents come from the situation between Attorney General Grewal and Defense Distributed from summer 2018.

CodeIsFreeSpeech learned of what it believed were legal threats against it due to the New Jersey statute in "an email from 'Cloudflare Abuse,'" not through a direct notice from the Garden State, according to the complaint. (Cloudflare doesn't host information like GoDaddy or other services, so it typically forwards abuse complaints to users for them to decide on potential action.) Soon after the message from Cloudflare, CodeIsFreeSpeech took precaution by restricting access to the CAD files and digital instructions.

At the time, the NJ AG's office had no comment about the new legal filing. It only directed media toward statements from AG Grewal regarding the initial lawsuit in the summer of 2018.

A Slovakian impersonator

New Jersey detective Kevin Madore, of the state's Computer Crimes Unit in the Financial and Computer Crimes Bureau, submitted a written declaration in this week's filing that details his findings on the matter. Madore writes that he first learned of the lawsuit from CodeIsFreeSpeech et al. on February 7. On February 8, he and another detective were formally assigned to look into where the Cloudflare letter came from.

Madore reached out to Cloudflare for Internet protocol logs, and the network provider sent the information along that day. Using the open source tool IPlocation.net, "I learned that the IP address resides in the Slovak Republic," Madrone writes. "Using other open source tools, I confirmed that the geo-location was the Slovak Republic. Also, I confirmed that this IP address is reserved for that provider based in the Slovak Republic. Based upon this investigation, as well as my training and experience, the complaint sent to Cloudflare regarding CodeIsFreeSpeech.com did not originate from the New Jersey Office of Attorney General or its Division of Criminal Justice."

On Wednesday, Cloudflare published a blog post detailing its findings. The company writes that the lawsuit sparked them to take "a closer look," during which Cloudflare "immediately noticed a few anomalies with the complaint."

To start, Cloudflare typically asks law enforcement to use a specific email line dedicated for abuse. This particular takedown note instead came through the general abuse report form. Cloudflare then also noticed the geo-location in Slovakia and that the contact information listed matched what New Jersey makes public for reporting crime tips. The company eventually found other likely forged notices from the offending IP address in "a clear pattern."

"The person filing this misattributed abuse report likely hopes that the party who controls that email address will then initiate some type of investigation or action based on that abuse report," the company wrote.

This is far from the first time company goodwill toward takedowns has been abused. Cloudflare points to bad actors maliciously using "copyright strikes" over at YouTube, and TechDirt's Mike Masnick notes how this type of attack can become even more potent due to laws elsewhere, like the EU's Terrorist Regulation (where terrorist content needs to come down within an hour to avoid fines and possible liability).

The identity behind the Slovakian IP address remains unknown at the moment, and it's impossible to say what the intent behind the forgery may be as such. (Someone opposed to gun laws could be trying to complicate the New Jersey AG's life; someone in favor could be trying to scare CodeIsFreeSpeech into inactivity.)

For now, the first hearing in Defense Distributed v. Grewal has been set for March 20. The NJ AG's office declined further comment, only pointing to both the hearing date and the new filing.

The Firearms Policy Coalition acknowledged the new filing and said its legal team "is conducting an investigation into the matter." Attorneys on behalf of the plaintiffs also provided Ars with a copy of a separate letter sent this week to the NJ AG's office that insists the questions at the center of this legal dispute remain unchanged.

"The letter you filed with the Court on Tuesday disclaimed one of the threats that had apparently been made by Attorney General Grewal against the Plaintiffs. But the letter did not disclaim any of the other threats that have been made against the Plaintiffs by the Attorney General," attorney Chad Flores writes. "So, we pose the case's most immediate question in no uncertain terms: If Defense Distributed, the Second Amendment Foundation, or CodeIsFreeSpeech.com publish the computer files at issue, will Attorney General Gurbir Grewal bring civil or criminal enforcement actions against them for it?"

The letter ultimately asks for the NJ AG's office to respond by February 19 with potential disputes with the legal complaint's claims. Plaintiffs must submit any amended filings next week ahead of the March preliminary injunction hearing on the calendar.