
BitTorrent study finds most file-sharers are monitored - anons2011
http://www.bbc.co.uk/news/technology-19474829
======
teagoat
I was interested in how they were detecting monitors and whether they were
just picking out any anomalous peers (say ones that don't accept connections).
I was also wondering if the paper was going to be obviously flawed and funded
by some copyright agency with the aim of articles such as the one we just read
being created. I still wouldn't rule it out, but I feel that the methodology
was sound.

To summarize for others, the indicators were:

"""

1\. The proportion of a subnet that has been seen in BitTorrent swarms.
Monitoring agencies may use a large proportion of their subnet for monitoring.

2\. The length of time a peer spends in a swarm. Monitors may spend more time
in the swarm than regular file-sharers.

3\. The number of different (IP, port, infohash) combinations per IP address.
Monitoring agencies may operate many clients from a single IP address.

4\. Whether a peer reported by a tracker accepts incoming connections.
Monitors may block all incoming connection attempts. (((This was discarded as
an unreliable indicator)))

5\. The number of swarms in which IP addresses from a particular subnet
appear. Monitoring agencies may monitor many torrents from their subnet.

6\. The number of times the same (IP, port) pair is observed concurrently in
different swarms.

... we found 1,139 IP addresses that were in the top first percentile for all
four features (((1,2,3 and 5))) IP addresses assigned to a company named
Checktor [3], which offers commercial BitTorrent monitoring services, and 16
addresses assigned to a medium-sized computer security consultancy company
that does not publicly acknowledge monitoring BitTorrent. Another subnet,
which we saw in over 500 swarms, belongs to a company that advertises itself
as providing “intellectual property advice” ... We also found two subnets
assigned to hosting companies ... We speculate that copyright enforcement
companies are using these hosting companies as a front to disguise their
identities. We also identified a number of IP addresses allocated to large
ISPs, such as Vodafone, Etisalat and SingNet. ... This feature (((6))) found
IP addresses assigned to Peer Media Technologies [16] (a well-known copyright
enforcement agency) monitoring seven Harry Potter ebook and movie torrents,
and the INRIA research institution [10], which had been overlooked by features
1–5 because so few torrents were being monitored, and because a very small
proportion of INRIA’s subnet was being used for monitoring """

I didn't read too much further into their methodology for detecting "direct
monitoring" other than to see a pretty graphic showing peers lying about their
download completion.
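
The percentile screen quoted above (indicators 1, 2, 3 and 5), as an added example that is not part of the original comment and not the paper's own code. It assumes /24 subnets, measures time in a swarm as last sighting minus first sighting, uses a nearest-rank cutoff, and runs on constructed observations from private and documentation address ranges.

```python
from collections import defaultdict
from ipaddress import ip_network

def sample():
    """Constructed (ip, port, infohash, unix_time) tuples; not real data."""
    obs = []
    for i in range(20):  # ordinary peers: one swarm, 10-minute stay, own /24
        obs += [(f"10.{i}.0.10", 6881, f"hash{i % 5}", t) for t in (0, 600)]
    for h in range(1, 9):  # 8 hosts of one /24, 6 swarms each, seen for a day
        for s in range(6):
            obs += [(f"203.0.113.{h}", 50000 + s, f"hash{s}", t)
                    for t in (0, 3600, 86400)]
    return obs

def subnet(ip, prefix=24):
    # Assumption: a fixed /24 stands in for the allocated block.
    return ip_network(f"{ip}/{prefix}", strict=False)

def features(obs):
    """Per-IP values for indicators 1, 2, 3 and 5."""
    first, last = {}, {}
    combos, net_ips, net_swarms = defaultdict(set), defaultdict(set), defaultdict(set)
    for ip, port, infohash, t in obs:
        key = (ip, infohash)
        first[key] = min(t, first.get(key, t))
        last[key] = max(t, last.get(key, t))
        combos[ip].add((ip, port, infohash))
        net_ips[subnet(ip)].add(ip)
        net_swarms[subnet(ip)].add(infohash)
    dwell = defaultdict(int)
    for (ip, infohash), t0 in first.items():
        dwell[ip] = max(dwell[ip], last[(ip, infohash)] - t0)
    return {ip: (len(net_ips[subnet(ip)]) / subnet(ip).num_addresses,  # 1: subnet coverage
                 dwell[ip],                                            # 2: longest stay (s)
                 len(combos[ip]),                                      # 3: distinct combos
                 len(net_swarms[subnet(ip)]))                          # 5: swarms per subnet
            for ip in combos}

def suspected_monitors(obs, top_fraction=0.01):
    """IPs in the top `top_fraction` for all four features at once."""
    feats = features(obs)
    flagged = set(feats)
    for k in range(4):
        ranked = sorted((f[k] for f in feats.values()), reverse=True)
        cutoff = ranked[max(0, int(len(ranked) * top_fraction) - 1)]
        flagged &= {ip for ip, f in feats.items() if f[k] >= cutoff}
    return sorted(flagged)
```

Requiring all four features at once is what keeps a single long-lived seeder or a busy NAT address out of the result; indicator 6 is not covered here.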

~~~
fludlight
Direct link to the paper:
<http://www.cs.bham.ac.uk/~tpc/Papers/P2PSecComm2012.pdf>

You can find the lead researcher's other papers here:
<http://www.cs.bham.ac.uk/~tpc/home.html>

------
pervycreeper
>researchers found that nearly every file-sharer they monitored, was
monitored.

~~~
bluetidepro
Haha, I cracked up when I read this. This just seems like a (very typical) BBC
scare tactic article.

~~~
klearvue
Tactic suggests an objective. So to what ends might BBC use such (according to
you, very typical) tactics?

~~~
zimbatm
BBC gets its TV series published on the torrent networks. That would be one
incentive.

------
fluxon
Aren't there bittorrent clients which autodetect and autoblock clients which
connect, but neither upload nor download? Doh! Link to a somewhat more
informative, less beeby, story:
[http://www.newscientist.com/blogs/onepercent/2012/09/honeytr...](http://www.newscientist.com/blogs/onepercent/2012/09/honeytrap-catches-copyright-co.html)
And the lead researcher
<http://www.cs.bham.ac.uk/~tpc/home.html> Published paper link snaked below!
:)

(A previous paper: Analysis of BitTorrent Peers' Behavior and Monitoring
Trends
[http://www.kaspersky.com/images/camilo_andr%D1%83s_gonzalez_...](http://www.kaspersky.com/images/camilo_andr%D1%83s_gonzalez_toro-10-75858.pdf)
which was based on the Snark Project, updated)

~~~
brazzy
It would have to be the tracker, not the client, and at best it could somewhat
reduce the number of other clients' IP addresses available to suspicious
clients, since the classification is based on how they interact with other
clients, whose IP addresses they of course have to know.

------
synctext
<http://www.cs.bham.ac.uk/~tpc/Papers/P2PSecComm2012.pdf>

Link to 18-page scientific article by University of Birmingham. This is the
actual meat behind the BBC article.

Not an alarmist paper, just boring work with Bittorrent download progress
bitmap monitoring.

Some juicy bits on their usage of Tor, from the paper:

"we created our own indirect monitoring client that gathers newly-published
torrent files from the Top 100 in each category on The Pirate Bay, and
continually contacts each of the trackers and stores (IP address, port number,
infohash, time) tuples from the peer lists that are returned; it then attempts
to establish a TCP connection with each host and sends a handshake message to
ensure that the host is in fact a BitTorrent peer. [..] We collected data from
July 21–28, 2009, routing our traffic through the Tor anonymity network."

------
octopine
The original paper without all of the scaremongering:

"The Unbearable Lightness of Monitoring: Direct Monitoring in BitTorrent"

<http://www.cs.bham.ac.uk/~tpc/Papers/P2PSecComm2012.pdf>

------
notimetorelax
Except that it is illegal to collect IP addresses in some European countries
(Switzerland for example). Here's the link:

[http://www.edri.org/edrigram/number8.18/collecting-ip-addres...](http://www.edri.org/edrigram/number8.18/collecting-ip-addresses-illegal-switzerland)

~~~
tsahyt
It's the law in others

------
sedachv
Some tips on anonymizing VPNs from a previous HN discussion:
<http://news.ycombinator.com/item?id=3913985>

------
ansman
This feels like a scare tactic to get people scared, they could never go after
all downloaders.

~~~
jiggy2011
Couldn't they? Letters are cheap to send.

They could simply send out a few million or so letters, maybe costing a
million £ or so. Offer everyone a settlement of a few hundred £ to cover all
past transgressions with the threat of suing for a much greater sum if there
is a repeat offence or if they do not comply.

If you work on the basis that about 50% just pay up straight away that's quite
a lot of money. This money can be used to subsidize going thermonuclear on at
least a few thousand of those who don't.

Besides, they don't need to sue everyone to make people scared enough to avoid
pirate sites.

~~~
marvin
Pretty sure that the justice systems of most sane nations would crack down on
an effort like this. It certainly wouldn't fly where I live (Europe).

------
pessimizer
A lot of it is definitely for consulting purposes. I thought of going into
that line - seeing what movies, TV, and music wouldn't be taken even for
free would be interesting to the producers of that content.

Looking at activity on torrents gives you a really good idea of relative
interest in something, and in addition, on membership torrent sites, it could
be cross referenced with the other interests of the downloader simply by using
their history to give you some idea of demographic and to guide marketing
strategies.

~~~
jiggy2011
That's an interesting point, I imagine stuff that is popular with a more tech
savvy demographic (sci-fi etc) is more frequently pirated.

It might be interesting to know if your show is unpopular because nobody wants
to watch it or if everyone who wants to watch it prefers bittorrent.

On the other hand, I don't know what you would do with this information
unless you had a strategy for monetising bittorrent.

~~~
pessimizer
I mean more like "People who pirate your show also pirate _Breaking Bad_ and
_Sons of Anarchy,_ but of the people who pirate _Breaking Bad_ and _Sons of
Anarchy,_ there's more pirating of _Futurama_ than your show." or "Though you
think your show appeals to _Friends_ fans, the people who pirate your show
tend to pirate _2 Broke Girls_ more significantly than they pirate _Friends._
"

Even more interesting to me are the surprisingly highly trafficked music and
movies that are long out of print. Might be a good indicator of when to bring
them back, and what fora to announce that in.

------
TazeTSchnitzel
I was worried, then remembered that the only things I tend to pirate are
anime. And I expect the fansubbed torrents are not quite so well-monitored.

~~~
maurits
Have a peek at the peers next time. You might be unpleasantly surprised.

~~~
TazeTSchnitzel
True. But even so, it's usually torrents with very few peers.

------
ivanbernat
It's a little known fact, but all telcos here in Croatia monitor and store all
torrent traffic info of their customers. They have massive rooms with monitors
dedicated to showing which customer in which building is currently using
torrents.

And all of this data is stored for once the Gov decides to "crack-down" on
illegal file downloads, they will have massive amounts of evidence.

~~~
jiggy2011
This strikes me as unlikely. Perhaps they can track some of it, but IIRC many
torrent clients will use random ports and end to end encryption which is there
to evade traffic shaping.

My router has various features to block P2P traffic, as an experiment I tried
enabling these features and then downloading torrents (Linux distro ISOs).
Every time I enabled these the data rate on the torrent client would start to
drop, but then within minutes it would be right back to full power again. At
the end of the day you can just make a bunch of connections to port 443 on a
remote host, start an SSL session and you are now indistinguishable from HTTPS
traffic.

The only way I could effectively block it was to disable NAT and force
everything to go through an HTTP proxy.

------
rm999
This shouldn't be a surprise. It is trivial to capture that kind of data from
large bittorrent clouds like piratebay, and that data may have some useful
applications. For example, getting statistics on what movies, tv shows, and
music people are interested in (often before commercial release) with really
precise geographic information.

------
Zirro
This should not come as a surprise to anyone who has been following the
developments within the P2P-world. If you still care about privacy while you
connect to a large amount of computers, a proper VPN or a similar service to
mask your origin is the way to go.

~~~
sillysaurus
Any recommendations?

~~~
rada
[http://torrentfreak.com/which-vpn-providers-really-take-anon...](http://torrentfreak.com/which-vpn-providers-really-take-anon..).

My personal choice is privateinternetaccess.com: $40/year, unlimited bandwidth
(cloak and many others limit bandwidth), multiple platforms
(Windows/MAC/*nix/iOS/Android), multiple protocols (PPTP, OpenVPN and
IPSEC/L2TP), multiple gateways (US/UK/Switzerland), and most importantly, NO
user activity logs.

Also, per <http://news.ycombinator.com/item?id=4474529> you could use any vpn
that routes through Switzerland.

------
aw3c2
"Most" does not seem to mean much here, while it probably is correct.
According to the paper they only used thepiratebay as originating tracker.
Right now the homepage lists 30 million peers. what.cd shows 9 million peers.
I do not know how many peers Demonoid had, probably a similar or higher
number. Some smaller trackers I checked all had around 100k peers. So just
think of 60 smaller trackers like that and poof, the "most" is not true
anymore.

This also only covers Bittorrent, not "most file-sharers".

------
tsahyt
All the monitors were checking whether the file sharer used BT software? Why?
I mean, there's not much of a reason to connect to a swarm if you're not
seeding or leeching. Then again, does that mean that spoofing the
name/id/whatever of the software gets you off the monitors' radar?

------
webjunkie
What does 3 hours mean? I don't need that long to download anything.

And I doubt that if I download some rare indie music stuff, that anyone would
care to monitor this torrent.

~~~
klearvue
I think it means 3 hours from the initial torrent availability on trackers.

~~~
lgeek
Actually webjunkie appears to be correct. From the paper:

> Average time before monitors connect. 40% of the monitors that communicated
> with our clients made their initial connection within 3 hours of the client
> joining the swarm; the slowest monitor took 33 hours to make its first
> connection. The average time decreases for torrents appearing higher in the
> Top 100, implying that enforcement agencies allocate resources according to
> the popularity of the content they monitor.

------
nvmc
People know that I'm downloading the new Fast and Furious movie from TPB?

~~~
brink
They don't watch tpb traffic so much as actual torrent traffic. Basically, if
you want to be more anonymous, pay to be a part of a vpn.

~~~
nvmc
I was being entirely sarcastic. Where I live, people have been getting stung
by honeypots for at least the last five years. I figured everyone (here on HN)
either used private trackers or a VPN.

------
gitarr
Please let's never forget: An IP-Address is not a person[1]

[1] [http://torrentfreak.com/judge-an-ip-address-doesnt-identify-...](http://torrentfreak.com/judge-an-ip-address-doesnt-identify-a-person-120503/)

~~~
ben0x539
An IP address can be assigned to a person that can be held legally responsible
easily enough, though.

~~~
jdietrich
If someone cracks your WEP, are you responsible for what they do over your
connection?

If someone steals your car, are you responsible if they use it as the getaway
car for a bank robbery?

~~~
jiggy2011
I read something a while ago from an IP lawyer, he said that in such an
occurrence they would instead just sue you for negligence.

There don't seem to be many wireless LANs using WEP anymore anyway because of
the obvious security flaws. Perhaps some grandma with an old router could get
away with claiming ignorance as a defence but the average HN reader probably
couldn't.

As for the car analogy perhaps this would be similar to leaving your car
unlocked knowing full well that it was likely to be stolen by criminals.

~~~
drcube
I don't lock my car, my house or my wifi. This isn't negligence, I do it on
purpose. If somebody steals my car and runs over people with it, THEY are at
fault, not me. And if somebody downloads "infringing" material over my
internet connection, they are at fault. I really don't understand how this
could be otherwise.

Suppose I invited a friend over to my house, and while I was asleep, they
taped TV movies onto my VCR. Am I the one at fault because I didn't lock up my
VCR? Is there any other place in the law where I am considered at fault when
somebody else breaks a law? I'm not talking about "the getaway car", but more
like "the guy who parked across the street from the bank and had his car taken
by the robbers".

~~~
jiggy2011
IANAL, but this depends if we are talking about criminal or civil law.

AFAIK in a civil case there would be more onus on you to prove that you didn't
know what other people were doing with your stuff.

Also this would be affected by your circumstances, so if you work in tech/IT
you might have a job arguing that you didn't know that running an unsecured
wireless AP was a bad idea.

~~~
dllthomas
> Also this would be affected by your circumstances, so if you work in tech/IT
> you might have a job arguing that you didn't know that running an unsecured
> wireless AP was a bad idea.

Pointing to a renowned security expert saying he does the same might help,
though:

[http://www.schneier.com/blog/archives/2008/01/my_open_wirele...](http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html)

