Anyone Can Play Big Brother With BitTorrent

An anonymous reader writes "I was at the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats yesterday, and there were people from the French Institute for Computer Science who have continuously spied on most BitTorrent users on the Internet for 100 days, from a single machine. They've also identified 70% of all content providers; yes, those guys that insert the new contents into BitTorrent. As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent."

Copyright laws.

[headkase]

If copyright law was more sane we wouldn't have to argue so much about privacy.

Re:Copyright laws.

[DarkKnightRadick]

I care about privacy and I only use bit torrent for legitimate purposes.

Re:Copyright laws.

[jeffmeden]

Is privacy invaded because of people pursuing copyright violators, or is privacy pursued because people want to evade copyright enforcers? Seems that if you decide it's the latter you are prepared to give away the privacy of many (those who arent copyright thieves) for the protection of the few (those that own IP that is being copied)...

You know giving up the first little bit is always the easiest...

Re:Copyright laws.

[Red+Flayer]

I dunno about that.

Privacy isn't just about keeping your illegal activities hidden from an authority that can punish you for those activities. I don't want anyone to be able to glean the details of my day-to-day habits, be they bittorent use, physical locations, or anything else. Even if we had NO copyright laws, I'd still have a problem with people being able to track my actions. And FWIW, I have nothing to hide, AFAIK[1], other than routinely exceeding the speed limit in my car. I refuse on principle to violate copyrights.

[1] the AFAIK is a big problem. There's probably a good chance I violate some law or other occasionally, but I have no idea since there are so many laws on the books. But that just feeds into the privacy issue... I'm no Randian, but the massive amount of laws we have on the books that make innocuous behavior illegal means that I'm probably a criminal without knowing it. The best way to protect against this extant situation is to make sure I maintain the privacy of my activity. Better not to have that situation in the first place, but that's a topic for a different discussion.

Re:Copyright laws.

Same AC here. I didn't say that everyone only cares about privacy because they don't want to get caught doing anything illegal, I said it was interesting and saddening to see one person admit as such. I personally don't download anything illegally anymore, though i'll admit that at one time i did so often and freely. i do however care deeply about my right to privacy. and you have to admit that there are a large number of people jumping on the internet privacy bandwagon, yet they have absolutely no real belief or feelings about the cause. they simply like stealing shit, and are scared that they're going to get caught, so they scream privacy violation till they're blue in the face. and honestly, i feel this is one of the biggest threats to privacy we currently face, because the actions of these cheap childish assholes degrade the cause in its entirety. to the average person on the street privacy advocate is becoming synonymous with pirate and various agencies and corporations are more than happy to fuel that fire.

Re:Copyright laws.

[commodore64_love]

I don't lie to myself.

I steal. Rather than go out and buy the DVDs, I steal the content. And no I don't care. Movie companies steal from their workers all the time ("Sorry Mr. Cameron, actors, and crew... Titanic made no profit, so your profit share check will be zero."). If the movie is any good (like Star Trek) then I will buy it.

Re:Copyright laws.

[betterunixthanunix]

You are lying to yourself. Copying something is not the same as stealing it; there is a fundamental difference, in that theft involves depriving someone else of the thing that is stolen, whereas copying creates more of whatever that thing is. Please, the copyright lobbyists' propaganda is bad enough, we don't need non-lobbyists to start spreading it.

Re:Copyright laws.

[Chirs]

The enlightened argument is not that the act of copying is theft, but that illegal copying deprives the copyright owner of monetary gains which would otherwise have been earned.

It is those monetary gains which have effectively been "stolen", not the item itself.

Of course this assumes that the "thief" would have bought the item had they not copied it.

Re:Copyright laws.

[JesseMcDonald]

YOU are denying the person who created the content the sale. YOU have denied them the money they would have made. YOU have TAKEN from them something that was rightfully theirs. THE SALE.

<sarcasm>Just think of how much you've stolen by not-buying all those CDs you don't own! You must owe the RIAA more than the GDP of the United States by now!</sarcasm>

Choosing not to buy something is not theft. No one owns "THE SALE". They own their physical property, because it is scarce. And they have not been deprived of that property.

Re:Copyright laws.

[nmb3000]

I'm not going to get into the copyright violation vs theft argument (again), but this is just plain WRONG. Drivel like this reeks of **AA and artist entitlement whining.

YOU are denying the person who created the content the sale.

No, because I had no plans on buying whatever it was I'm downloading. If I can get X for free, I'll grab it. If I can't, I'll do without. No sale lost.

YOU have denied them the money they would have made.

They wouldn't have made any money, ergo I denied them nothing.

YOU have TAKEN from them something that was rightfully theirs. THE SALE.

Again, there was no sale to be made. 0 - 0 = 0.

If you want to argue on the basis of morals then I imagine most people would agree that violating a (sane) copyright is wrong. When you start talking about 120-year old copyrights or trying to prevent what most feel is fair use then people will start to disagree.

Regardless of all that, the monetary value of a potential sale is exactly $0.00.

Re:Copyright laws.

[JesseMcDonald]

The enlightened argument is not that the act of copying is theft, but that illegal copying deprives the copyright owner of monetary gains which would otherwise have been earned.

So does simply choosing to go without. Should that be illegal now as well?

You can't "steal" the expectation of income. Only that which is owned is subject to theft, and theft only occurs when one is deprived of its use. If one cannot be deprived of the use of a thing—as is the case for everything subject to copyright, since mere duplication cannot deprive anyone of use of the original copy—then that thing cannot be stolen.

Re:Copyright laws.

There is nothing left to even consider of your reply

100% of the time someone says something like this, what they really mean is "I can't think of anything that will refute your point, but I'm not honest enough to admit it". There has never been an exception.

Re:Copyright laws.

[betterunixthanunix]

"In some (not all) cases the content owner is deprived of a sale."

Except that it is really impossible to prove such a thing. If we are willing to set aside the fact that the sale never really existed (how can you be deprived of something that does not exist), there are a lot of confounding factors. The downloader might have decided to go out to a store to buy the media, had it not been available for download, and then seen something better to spend money on, and not purchase the media. Or, perhaps the downloader never even had the money to spend on the media, and the sale never even had a chance of happening. Or perhaps the media was not even available to purchase, and the copyright holder did not feel like spending the money on making further copies.

Even if we ignore all of the above, there is a new problem with declare "deprivation of sales" to be a form of theft. Maybe my business attracts more customers than your business -- does that now make me a thief, because I am depriving you of the sales you would have had if I had not been in business? What if I go around telling people not to buy your products -- is that thievery too?

This is the problem with trying to claim that imaginary things like "potential sales" can be "stolen." In general, "stealing" something that is intangible, whether it is some sort of media, or potential sales, or an idea, or whatever else, is illogical. The term "theft" is only used by people who want "copyright" to be considered the equivalent of "real estate," which it was never intended to be.

Re:Copyright laws.

[JesseMcDonald]

If you're arguing that copyright could be transmuted into a contract governing access to the physical copy—not the abstract pattern which copyright currently covers—then I agree with you in theory but do not believe this transmutation to be likely, or effective. The contract would be similar to an NDA, with the same weaknesses. NDAs are only effective when distribution of the information is limited; copyright must cover the case where content is to be distributed to the public at large. Enforcement (tracking) costs would be high, and recovery limited to the individual who first broke the contract. Buyers would be skeptical of agreeing to formal contracts over a mere few hours of entertainment. Content providers are welcome to try it, but I don't think it would work.

If you are instead saying that there is a property right in the value of a secret, such that duplication (devaluation) becomes a violation of the owner's property rights—just think about that for a moment. That would mean that all production (and all decreases in demand) must violate the property rights of existing owners in the values of their goods. This way lies madness.

Property rights can only apply consistently to the goods themselves, not their values.

However, even taking the value-as-property approach, the change in market value of that copy, or any additional copies, is no different than if I had simply decided against having/using the "thing" entirely, or even created something which competes against it. If not-buying and competition do not infringe on this "property right" in the value of the good, then neither can the making of a copy, since the effect on the value is identical.

On the other hand, accepting that property rights apply to the goods themselves rather than their market values, the statement "You got value at his expense" is false; I did receive value, but there was no expense to him. He has exactly as much as he had before: the original copy.

Finally, if there is no objective harm then force is not a proportional, or appropriate, response. (Speak up if you disagree...) A rule-of-thumb in determining the existence of objective harm is thus: if you could not determine, by any theoretical means, that an action had taken place simply by observing your own property, then that action does not objectively harm you. When the "property" is the pattern embedded in some physical object, and the action mere duplication, then there is no change in your "property" which would indicate that the action had taken place. Ergo, there is no objective harm, and no justification for the use of force.

After all, what is the difference in outcome which would justify making the production of a deliberate copy illegal, but not the creation of an identical copy by random convergence? Surely the "harm" is the same in either case? Accidental harm is still harm, but accidental creation of a copy is not considered copyright infringement.

Shocked. Shocked!

[guspasho]

As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent."

Really? All you have to do is be on the torrent and connect to them.

Re:Shocked. Shocked!

[natehoy]

Yeah, I'm shocked that anyone could be shocked.

P2P means "Peer to Peer". That means your computer makes a direct connection to other users who seed or leech you. In order to do that, you need to give your IP address so they know who to talk back to. IP addresses resolve to a host, which can always identify your ISP and in rarer cases can identify your username on the ISP (this is thankfully very rare any more).

I wonder how shocked the poster of this article would be if he realized that every web page he visits gets the same exact information?

This is not an important security article.

[Spazntwich]

It is an important reminder of just how ignorant most technology users are of the very tools they're using.

Re:This is not an important security article.

[vxice]

Shocking, shocking I say that when I use p2p to upload and download files to other people that someone could possibly be sitting around listening to and recording my requests for data as well as requesting data that I have sourced that they 'want' who would have guessed?

Re:An Opportunity

[poetmatt]

looks like something that won't work for those who understand that plenty of these IP addresses could be spoofed or not even uploading, or knows what I2P does, or uses VPN. This is just a list of IPs that they are assuming are 100% valid because they were listed in the tracker when the content went up. They're saying that if someone is listed on more than one tracker, it confirms who they are.

That= a bad study.

All they're saying is "We can tie an IP to a torrent", but that doesn't mean you can get anything more than that. Judges already don't accept an IP simply being tied to a torrent.

Re:An Opportunity

[Shakrai]

With ISP cooperation you can narrow an IP down to a physical address. At that point, you're screwed.

Speak for yourself. I do all my bittorrenting from open wireless networks ;)

Re:An Opportunity

[wealthychef]

This is actually an argument for buying a wireless router and leaving it open without a password. Sure, you can be owned by your malicious neighbors, but they could also be the ones doing the torrent downloads... hmm. LOL

Re:Can I get a DUH here?

[jch.pgh]

Thank you for that DUH. Bram Cohen originally designed the protocol to be an ultra-scalable file distribution approach, and every attempt to add security, encryption, or whatever is trying to add something against the grain of its origin. (It may still be worth doing it, in the same sense that steganography may still be worth doing.) Bittorrent is for above-board, everyone-knows-you're-doing-it file distribution. If you want to hide what you're doing, do it with something else.

Re:An Opportunity

[Bigjeff5]

If they get enough to get a search warrant, you're screwed, because even if you're masking you're MAC they'll be able to figure that out once they have access to your machine and make a positive link to the IP address.

If you use whole-drive encryption, recent court cases have shown you've opened up a whole new can of worms, and didn't really save yourself any trouble.

If you try hard enough at hiding it, you could be in a situation where the circumstantial evidence is enough to push a jury past the "reasonable doubt" threshold, in which case you've saved yourself nothing.

It really is not easy to shield yourself when you use a protocol that by its very nature must identify your machine uniquely. The best you can do is hide and make your discovery more difficult. You can't completely prevent it completely and still access the internet in any useful way.

Re:An Opportunity

[Bigjeff5]

You do realize that they can track it down to the boarders AP and will know with reasonable accuracy (within 100 meters or so) where the downloader must live, right?

Then it's just a matter of getting a search warrant to find the PC with the right MAC address. Even spoofing your MAC won't protect you at this stage, unless you catch wind of what is going on and remove all traces of spoofing from your machine.

Fortunately, the police aren't that interested in downloaders, and are the only ones with the kind of authority to get a warrant for a whole group of people at a time. Fishing for a defendant is pretty difficult for a civil action, and I can't see it happening if all you have is a list of 50 people who it may be.

Still, technically there is nothing preventing such a situation.

Re:An Opportunity

So you're going to issue warrants to search every domicile within 100 meters? What if the "perp" lives in Manhattan? Do you think a judge is going to sign warrants to search ~30 apartments?

Re:Good!

[plasticsquirrel]

Yeah, some assholes use Tor for BitTorrent, and it's awful for the network. Then people like me who live behind the Great Firewall of China, get slower-than-molasses browsing of censored web sites (terrible things like Google Pages, Blogger, anything from Taiwan, any page containing a string the PRC doesn't like, etc.). The main use for such work-arounds is usually just for my own research and education, and this is the basic reason that Tor exists. Users who run BitTorrent through Tor are really abusing what is basically a charity for people who need it.

I confess I'm a thief: A True Story

[mangu]

He fully expected the sale to anyone that WATCHED that movie.

Let me tell you a true story very much like the theoretical example you posted. When I was a kid there was a Rolling Stones song I loved, but I had no money to buy the album and my parents hated rock music. Our neighbors had that album, and I used to run to the backyard to listen when they played it. Was I stealing?

Re:An Opportunity

[Shakrai]

We are talking about civil actions here, not criminal ones. How would RIAA go about tying your MAC address back to you, even if you weren't smart enough to spoof it? Are they going to file discovery motions on every single house within range of the AP that was used? Heck, for that matter, how would law enforcement do it? No Judge would issue a warrant for "every computer within a 150 meter radius of this location", not for something as mundane as file sharing.

BTW, you can get a lot further than 150 meters with the right antenna setup. I've seen associations made at ranges exceeding two kilometers, under less than ideal conditions.

Talking about shock

[ElusiveJoe]

As a BitTorrent user, I was shocked that anyone with a box connected to the Internet can spy on what everyone is downloading on BitTorrent."

That's nothing! Imagine how shocked were content providers, when they discovered that anyone with a box connected to the Internet can insert the new contents into BitTorrent!

Re:An Opportunity

[mgblst]

You can have your MAC address change every day, by a simple little script.

RTFA, important if you use BT

The article goes into a lot of detail about how they identify those users who are on VPN, Proxy, tor, etc. They've also identified over 10,000 IPs that "monitor" only, from a few data centers in the United States. If you're using BT, you should definitely read this article..

Re:Not very observant?

[gronne]

I was just thinking that in the year 2010, how is it possible for a Slashdot reader not to know that Bittorrent is not private?

Re:Semantics and bullshit

[JesseMcDonald]

Let's say I find myself a man to play the guitar at dinnertime each night. It's now the end of the week, and he has the "expectation" of income. He was deprived of the use of his time, and I enjoyed the fruits of his labour. If I choose to not pay him, have I not stolen from him?

That depends. What does your contract say? If the contract states that you give him a certain amount of money on the condition that he plays for you, and after he plays you refuse to turn over the money, then you are indeed stealing from him—that's his money you're withholding. One can envision other circumstances, including the absence of any contract (not necessarily written), where refusal of payment would not be theft. The expectation is not enough, by itself.

If I'm not stealing in the second case, I'm not stealing in the first.

In the second case you explicitly did not agree in advance to pay him. This changes matters. If you did agree to such in the first case then the situations are not analogous.

he was deprived of the use of his time

Perhaps, but not by you. The decision to spend his time playing or recording his performances was his own. You have not deprived him of any additional time by listening. He was under no obligation to make his recordings available to you without first arranging for payment. Only the existence of a voluntary contract would create an obligation on your part for payment after the fact.