BitTorrent monitoring discovers file-sharers within 3 hours

Copyright holders are increasingly aggressive in their attempts to thwart illegal downloading of their material. A common method is to monitor BitTorrent, use a subpoena to get the physical address of the user from the ISP, and send that user a cease-and-desist letter. This letter frequently demands a payment to ‘settle’ the copyright holder's claim, with the threat of court action if it is not paid.

A research team from Birmingham University School of Computer Science has investigated the two possible methods, indirect and direct, that are used by the rightsholders and/or their agents to undertake this monitoring. It measured the activity of 1033 BitTorrent swarms across 421 trackers for 36 days over two years – collecting more than 150GB of traffic. Its primary conclusion is that while indirect monitoring is still being used, direct monitoring is increasing – but that “direct monitoring, in its current form, falls short of providing conclusive evidence of copyright infringement.”

Indirect monitoring relies on the analysis of ‘clues’, such as the presence of an IP address in the swarm sharing a file. The weakness, however, is the high volume of false positives produced: printers and wireless access points have received cease-and-desist letters in the past.

Direct monitoring can be active (“if the monitor establishes connections with peers to confirm that they are sharing a file”), or passive (“if the monitor advertises its IP address to a tracker and waits for peers to connect to it”). The report suggests that at least one copyright agency is using direct monitoring, but doesn’t know whether direct monitoring is yet in widespread use.

In its own tests, the team found that “40% of the monitors that communicated with our clients made their initial connection within 3 hours of the client joining the swarm,” and that the enforcement agencies appear to allocate greater resources to the more popular content. Basically, BitTorrent users should assume that they are being monitored, and that if they share popular content, their discovery will be very rapid.

Further analysis highlighted a number of firms engaged in this monitoring. Some are known to be connected to the rightsholders, while others have no immediately recognizable connection. Overall, the analysis takes no sides. It demonstrates how the rightsholders could improve their own techniques. But it also demonstrates how monitors can be detected, and how BitTorrent users can better evade being monitored. For example, ‘blocklists’ of peers suspected to be monitors are in common use by BitTorrent users; but the report notes a high prevalence of both false positives and false negatives in these lists. It recommends instead “that blocklists based on empirical research are used over speculative ones.” This report is a demonstration of how empirical research can be used to detect such monitors.
