Honeypot reveals mass surveillance of BitTorrent downloaders


Ever used BitTorrent to download a song? A book? How about a film or a TV show?

It’s highly likely that within 3 hours of doing so, the copyright enforcement people were on to you, monitoring your IP address, according to new research.

Security researcher Tom Chothia and his colleagues at the University of Birmingham, UK, conducted a three-year study that revealed “massive monitoring” of BitTorrent download sites, such as The Pirate Bay, that has been going on for at least that long.

For the study, the researchers developed a fake pirate server: software that behaved like an ordinary BitTorrent file-sharing client but logged every connection made to it.

Tom Chothia, who led the research, says that popular content downloads were monitored within hours.

The BBC quoted Chothia:

"You don't have to be a mass downloader. Someone who downloads a single movie will be logged as well."

"If the content was in the top 100 it was monitored within hours. Someone will notice and it will be recorded."

The researchers unveiled their findings this week at the SecureComm conference in Padua, Italy, according to New Scientist.

According to their study (PDF), 40% of the monitors that communicated with the team’s clients made the initial connection within 3 hours of the client having joined the swarm; the slowest monitor took 33 hours to make its first connection.
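The kind of analysis that produces those two figures can be shown on a small log. The following is an added example, not the Birmingham team's honeypot software: it assumes a simple log format (one `join` line when the logging client enters a swarm, one `conn` line per inbound peer connection, ISO 8601 timestamps) and runs over constructed sample lines, computing each peer's time to first contact, the share of first contacts within a threshold, the slowest one, and the per-swarm average that the paper relates to Top 100 rank.

```python
"""Time-to-first-contact analysis for a logging BitTorrent client.

Added example: this is not the Birmingham team's honeypot software, and the
log format is an assumption made for the example. One "join" line marks the
moment the honeypot client entered a swarm; each "conn" line is an inbound
connection from a peer. Timestamps are ISO 8601, fields are space-separated.
"""
from datetime import datetime

# Constructed sample log (not real data). Field order:
# <timestamp> <event> <torrent-id> <peer-ip or '-'>
SAMPLE_LOG = """\
2012-09-01T10:00:00 join t1 -
2012-09-01T11:30:00 conn t1 198.51.100.7
2012-09-01T12:15:00 conn t1 203.0.113.40
2012-09-01T13:00:00 conn t1 198.51.100.7
2012-09-02T19:00:00 conn t1 192.0.2.99
2012-09-01T10:00:00 join t2 -
2012-09-01T13:30:00 conn t2 198.51.100.7
2012-09-02T19:00:00 conn t2 203.0.113.40
"""


def parse_log(text):
    """Return (join time per torrent, earliest connection per (torrent, ip))."""
    join_times = {}
    first_contact = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, torrent, ip = line.split()
        t = datetime.fromisoformat(ts)
        if event == "join":
            join_times[torrent] = t
        elif event == "conn":
            key = (torrent, ip)
            # Keep only the first connection from each peer to each swarm;
            # later reconnections do not change when the peer first showed up.
            if key not in first_contact or t < first_contact[key]:
                first_contact[key] = t
    return join_times, first_contact


def time_to_first_contact(text):
    """Map (torrent, ip) -> hours between the client joining and that peer's first connection."""
    join_times, first_contact = parse_log(text)
    return {
        key: (t - join_times[key[0]]).total_seconds() / 3600.0
        for key, t in first_contact.items()
    }


def summarise(delays, threshold_hours=3.0):
    """Fraction of first contacts within the threshold, plus the slowest one."""
    values = list(delays.values())
    within = sum(1 for v in values if v <= threshold_hours)
    return {
        "contacts": len(values),
        "fraction_within_threshold": within / len(values),
        "slowest_hours": max(values),
    }


def mean_delay_per_torrent(delays):
    """Average time to first contact per swarm, the figure the paper relates to Top 100 rank."""
    totals = {}
    for (torrent, _ip), hours in delays.items():
        totals.setdefault(torrent, []).append(hours)
    return {torrent: sum(h) / len(h) for torrent, h in totals.items()}


if __name__ == "__main__":
    delays = time_to_first_contact(SAMPLE_LOG)
    print(summarise(delays))
    print(mean_delay_per_torrent(delays))
```

On the constructed log, two of the five first contacts arrive within three hours and the slowest takes 33 hours, mirroring the shape of the paper's result; the per-swarm average is what you would plot against a torrent's chart position to look for the resource-allocation effect the paper describes.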

The copyright enforcers might not distinguish between hardcore downloaders and casual/new file sharers, but they definitely put their resources behind monitoring highly popular content.

From the paper:

The average time [for a connection to be monitored] decreases for torrents appearing higher in the Top 100, implying that enforcement agencies allocate resources according to the popularity of the content they monitor.

How exactly do the monitors monitor us?

The study considers two approaches: indirect monitoring, which traces indirect clues about a peer’s sharing activity (e.g., its presence in a tracker’s peer list), and direct monitoring, which establishes connections with peers to estimate their participation in sharing activity.

Previous research has focused only on how people monitor us indirectly – a cheaper approach for the monitors, both financially and in computing resources – but the Birmingham researchers considered both methods.

Research has shown that enforcement agencies use indirect monitoring extensively.

The problem with this approach, however, is a high rate of false positives. As shown in a 2008 study, indirect monitoring nabs perfectly innocent devices – and that’s how printers and wireless access points end up receiving cease-and-desist letters.
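To make the difference between the two approaches concrete, here is an added example (not code from the Birmingham paper) that labels each address in a tracker's peer list by the strongest evidence held for it. The tracker list is the indirect evidence; the direct evidence is whether the logging client actually completed the BitTorrent handshake with a peer and saw it advertise pieces. All addresses and records are constructed, and the probe-log format is an assumption made for the example.

```python
"""Direct versus indirect evidence that a peer is sharing a torrent.

Added example, not code from the Birmingham paper. Indirect evidence is a
tracker's peer list, which can contain addresses that never shared anything;
direct evidence is the logging client completing the BitTorrent handshake with
the peer and seeing it advertise pieces of the file. All data is constructed.
"""

# Constructed: what the tracker returned when the client announced to the swarm.
TRACKER_PEER_LIST = ["198.51.100.7", "203.0.113.40", "192.0.2.17", "192.0.2.230"]

# Constructed direct-probe log: one line per peer the client tried to talk to.
# <peer-ip> <handshake result> pieces=<pieces the peer advertised, or '-'>
DIRECT_PROBE_LOG = """\
198.51.100.7 handshake_ok pieces=120
203.0.113.40 handshake_ok pieces=0
192.0.2.17 refused pieces=-
"""


def parse_probe_log(text):
    """Return {ip: (handshake_ok, pieces_advertised or None)}."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, outcome, pieces_field = line.split()
        pieces = pieces_field.split("=", 1)[1]
        results[ip] = (outcome == "handshake_ok", None if pieces == "-" else int(pieces))
    return results


def classify_peers(tracker_list, probe_results):
    """Label each tracker-listed IP by the strongest evidence available for it.

    confirmed       - handshake completed and the peer advertised pieces
    connected_only  - handshake completed but no pieces advertised (a fresh
                      leecher, or another monitor; not proof of sharing)
    unreachable     - the client tried and the peer refused the connection
    listed_only     - only appears in the tracker list; never probed
    """
    labels = {}
    for ip in tracker_list:
        if ip not in probe_results:
            labels[ip] = "listed_only"
            continue
        handshake_ok, pieces = probe_results[ip]
        if not handshake_ok:
            labels[ip] = "unreachable"
        elif pieces:
            labels[ip] = "confirmed"
        else:
            labels[ip] = "connected_only"
    return labels


def indirect_only_flags(tracker_list):
    """What a purely indirect monitor reports: every listed IP, with no checks."""
    return {ip: "confirmed" for ip in tracker_list}


def false_positives(tracker_list, probe_results):
    """IPs an indirect monitor would accuse that the direct evidence does not support."""
    direct = classify_peers(tracker_list, probe_results)
    return sorted(ip for ip, label in direct.items() if label != "confirmed")


if __name__ == "__main__":
    probes = parse_probe_log(DIRECT_PROBE_LOG)
    print(classify_peers(TRACKER_PEER_LIST, probes))
    print("accused by indirect monitoring without direct support:",
          false_positives(TRACKER_PEER_LIST, probes))
```

Of the four addresses the tracker lists, only one is backed by a completed handshake and advertised pieces; the other three are exactly the cases an indirect monitor cannot tell apart from a genuine sharer, which is how a device that merely appears in a peer list ends up on the receiving end of a notice.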

More recent studies have shown that, unfortunately, those sloppy monitoring methods are still in use.

Who’s monitoring us, and why?

The “who” is not altogether clear. The researchers found about 10 monitoring firms logging content, a few of which could be identified as copyright-enforcement organisations, security firms or even other research labs.

About six of the heaviest monitors were harder to identify, because those companies ran their searches from third-party hosting firms.

The “why” may have to do with “because we can,” Chothia told the BBC:

"Many firms are simply sitting on the data. Such monitoring is easy to do and the data is out there so they think they may as well collect it as it may be valuable in future."

It’s actually valuable now, as evidenced by mass piracy lawsuits.

I’m not asserting that file sharing is justifiable for any reason, be it that music or books or video are too expensive or that some file sharing is actually legal.

No, what’s most interesting about these file sharing stories isn’t so much the question of whether file sharing is good or bad, it’s that monitoring without a court order could be construed as being a breach of civil rights.

Commenter #77 on the BBC’s coverage of the story put it this way:

"Okay illegal downloading is stealing, but what of monitoring my internet use without a court order. Can I demand a copy of all their info under data protection? Can I correct errors? Can I sue the monitors for breech [sic] of privacy? Doesn't all this sound slightly one sided? Once again big business rides over the rights of the little guy who can do nothing to stop them."

That sounds about right.

It’s certainly not like we haven’t seen businesses use copyright-infringement monitoring services to shake people down in what clearly looks like extortion.

Case in point is a recent Kentucky class action suit that accused porn studios of extorting BitTorrent users, looking for payouts of $1,000 to $5,000 from victims too embarrassed or shamed to defend themselves in court.

As the Kentucky lawsuit claims, this isn’t simply a war on piracy; rather, it’s a “new business model” that’s not set up to deter illegal downloads but is instead set up simply to squeeze profit from its victims.

How do you defend yourself from monitoring? The University of Birmingham’s paper promises to provide means of doing so, but it wasn’t easily gleaned, so I looked around.

New Media Rights, for one, has published a guide for defendants in mass copyright lawsuits.

As far as fending off tracking goes, there are proxy services, such as BTGuard, that shield you by routing your traffic through another server.

There are also IP-blocking applications such as PeerGuardian or IP Blocker that use a constantly updated blacklist of IP addresses known to track your activity, but beware: they rely on blacklists, and those have issues.

And here’s the least fun thing I’ve written all day:

If you really want to stay within the realm of legality, fend off predatory mass lawsuits and avoid having your file sharing be monitored, you could always just avoid file sharing altogether.

Honey, files and the cloud, multicoloured files and spying on computer images courtesy of Shutterstock.