Wednesday, February 07, 2007

Big Media DMCA Notices: Guilty until proven innocent

It's no secret that media companies have started to hire companies such as BayTSP to automatically find file sharers and send letters to their ISPs. The goal of this is to use fear to persuade people to use legal methods of getting digital content.

Many ISP's, especially universities, trust the good faith of these companies and will automatically deactivate the Internet connection of those who they get notifications for. As a personal project, and with the help of Carnegie Mellon's Information Security Office (which employs me to work on various computing security tasks), I decided to investigate the reliability of notices from companies such as BayTSP. The answer: the companies do not actually gather the data they claim to. Their standards for sending DMCA notices are very low.

In order to understand the issues, it's first necessary to have a basic understanding of BitTorrent. In order to download something via BitTorrent you download a ".torrent" file from any number of sites that index the content. This file contains a fingerprint for every piece of the file that you are attempting to download. It also contains a reference to a tracker. This tracker is the way that peers (the people downloading the content) find each other. After contacting the tracker, you contact each of the potential peers that the tracker shares with you (and other peers may contact you). The client then begins swapping parts of the file with each of the peers. What the media companies object to is that in the process of downloading the file, your client will offer parts of their copyrighted content to other users -- a violation of copyright law. In order to catch these violations, BayTSP advertises fake clients to the Bittorrent tracker and uses the list of peers which it gets back to find violations

For my investigation, I wrote a very simple BitTorrent client. My client sent a request to the tracker, and generally acted like a normal Bittorrent client up to sharing files. The client refused to accept downloads of, or upload copyrighted content. It obeyed the law.

I placed this client on a number of torrent files that I suspected were monitored by BayTSP (For my own protection I don't want to identify the torrents used for this research. I used the fact that NBC is a client of BayTSP to find trackers. If you want to check if BayTSP is monitoring a torrent, look for IPs coming from ranges in Because the university's information security office is very diligent about processing DMCA notices, I would be able to tell if the BayTSP folks sent notices based on this. With just this, completely legal, BitTorrent client, I was able to get notices from BayTSP.

To put this in to perspective, if BayTSP were trying to bust me for doing drugs, it'd be like getting arrested because I was hanging out with some dealers, but they never saw me using, buying, or selling any drugs.

The fact that BayTSP does not confirm that the client it is accusing actually uploads illegal content could cause false identification of innocent users. BitTorrent trackers work via a standard HTTP request request, for example:

GET /announce?info_hash=579CC43E4D66D35AE22312985EA04275939AB477&peer_id=asdfasdfadfasdf&port=12434&compact=1

One easy way to make somebody look likea bittorrenter would be to get them to go to a website with the code <img src=";amp;amp;port=12434&compact=1" />. They'd be on the tracker, and BayTSP would see their IP address, and might send them an infringement notice. BayTSP might check that they are listening on the port they advertise (maybe even check for a BitTorrent handshake). If the user is using bittorrent for legal usages, you could just advertise a port they were listening on. More investigation is needed into exactly what triggers the notice.

One even easier trick you can use: the BitTorrent clients BayTSP uses support Peer Exchange. You can give them the name of another peer for them to rat out to the ISP.

At the end of the day, BayTSP (and probably other similar companies) are sending DMCA notices which claim that they detected a user uploading and downloading copyrighted files. This is a lie. They didn't catch the user in the act of downloading. A lying tracker, a peer using peer exchange, hostile web page, or buggy BitTorrent client could all result in a false DMCA notice.

If your ISP forwards a DMCA notice from these guys, point them here. This research suggests that they have no evidence of wrong-doing. If ISPs learn that the folks sending them DMCA notices are not being completely honest, they may be willing to reconsider their position about how they respond to the notices. The people I work with at Carnegie Mellon seemed willing to reevaluate their policies given this evidence. I believe that ISPs should require that any peer-to-peer related DMCA notice include a statement regarding exactly what evidence of sharing was found. Ideally, the notice should contain evidence that could be corroborated with log files (for example, "we found that the client at uploaded 1 MB of file X to". The ISP may be able to check that there was 1 MB of traffic between these two clients).

A piece of good news for anybody who has gotten a bittorrent related notice from BayTSP: it doesn't seem like a studio could do much in terms of court action with the evidence BayTSP gives them.

For the technically minded, I though I'd share some observations of the behavior of BayTSP's clients

  • BayTSP's clients don't don't accept incoming connections, only send outgoing ones. I wonder what exactly this is for.
  • Some of the BayTSP clients claim to be using Azureus (and support Azureus extensions), while others run libtorrent. I'm not sure why they are doing this
  • When BayTSP's clients connect to a BT user, they claim to not have downloaded any of the file, but refuse uploads. Not only does this behavior not make any sense for an actual user, but it seems like BayTSP would want to accept data, which might provide proof of infringement.
  • Some of the IP ranges I noticed coming from BayTSP were: 154.37.66.xx, 63.216.76.xx, 216.133.221.xx. Sometimes, they make themselves really obvious on the tracker. For example, 154.37.66.xx and 63.216.76.xx will send 10 clients to the same tracker all claiming to listen on port 12320. Maybe trackers should block these folks


crf said...

For some other of these kind of companies, using the gnutella or ed2k protocols, they do not necessarily match a hash with a particular file. I read a report from a user that deliberately made a fake file with a name that might make you think it was illegally pirated. He was forwarded a copyright infringement notice by a company similar to BayTSP along with a threat of service cancellation by his ISP. This makes me think that such companies may either troll a user's computer of shared files, or search the network, looking for certain suspicious file names, and assume from the names of the files alone that the underlying content is represented by the name, and thus an infringement.

That's another test you may wish to try. You may be assuming too much by noting that this company could have checked that the hashes represented in the .torrent file actually match a particular copyrighted file they're authorized to protect. Try uploading some torrents with either fake, or perhaps useful and legal-to-share content, but give the torrent a suspicious name. See if you get take-down notices. (Although other torrenters may be fooled as well -- so if you want to conduct an experiment like this, you might also ask, in confidence, the tracker's admin for cooperation in any experiment.)

(Interestingly, the user I mentioned was Canadian, and the IP protection organisation sending the infringement letter to the ISP was American. The allegation of infringement by the protection organisation was untrue (certainly, they didn't do a modicum of analysis necessary to make it stand up in court), possibly defamatory, and repeated to a third party (the ISP): the gist: this may meet the definition of libel, except for the fact that the user was, in this case, trying to entrap the content protection organisation.)

Anonymous said...

Your article on these BayTSP notices reminds me of when large parts of the Windows NT4/2000 source code were leaked. I created a fake "Windows Longhorn Source Code" file which was about 1.2GB in size and full of zeroes, and then shared it on eMule to see how far it spread (quite far, initially.)

A couple of weeks later I received a copyright infringement notice from my ISP for this fake file. They had been contacted by one of Microsoft's agents who obviously conducted their analyses using a method of similar incompetence to BayTSP's.

Anonymous said...

it'd be like getting arrested because I was hanging out with some dealers

More to the point, it'd be like getting busted just because you were standing on the street corner, any street corner, because we (BayTSP, RIAA, MPAA, DirectTV, etc) all know drug dealers are the only ones who stand on street corners.

Anonymous said...

Your report is very interesting, but it would carry several orders of magniude more weight if the Carnegie Mellon Information Security Office were to officially publish it. I hope they will do so, as this kind of information is greatly needed.

Anonymous said...

Yes, indeed. Please see what you can do to get CM to publish this officially.

Anonymous said...

It could also be construed (in light of the claims made on their website) that BayTSP is defrauding their own customers. Hmmmmmmmmmmm.

Ben Maurer said...

Its unlikely that CMU will post this report officially (I'd really like to do that). Lots more time and effort is needed to fully pin down what these people are doing. For example, I only investigated one of the media companies and one protocol. I don't really have the time to give this effort the love it needes. I'd be happy to help put somebody on the right track though.

Troy said...

OK lets try this on Kazaa since its just a kiddy network anyway. Maybe we can put an end to this crap.

However this may be only a plot to get others to post fakes and ruin p2p. I wouldn't fall for that too much. However Kazaa has sucked since 2003 and no one will care if you use Kazaa as an experiment.

Voodoohippie said...

Well its about time we stop this crap. We can use Kazaa to experiment with since I believe this could be a ploy to get everyone to experiment on regular p2p apps.

Please do not use good networks to try this crap. If you want to try this crap please use Kazaa or maybe some other network that no real user with be trying to download anything good.

Anonymous said...

I work in an european university NOC. Our ISP (an academic consortium) is flooding us with alleged piracy incident reports from BayTSP and the likes, that are largely unsubstantiated and unveryfiable.

If we get an incident report from the ISP, we must comply the law and investigate every case dutyfully, but it just sucks to waste our time with this trivialities while we have real work to do.

Juhaz said...

It's worse than that, I'm afraid. The ISPs have no choice but to comply even if they know perfectly well it's bogus claim, because if they fight that, they may lose their position as "safe harbor" and can then be directly targeted. Not particularly surprising that they don't want that to happen.

Anonymous said...

Could they even bust you at all since if they don't provide any content, have you committed a crime?
It would be like handing a drug dealer money and not getting any product, you made a transaction but there is nothing illegal about giving that person money..?

Anonymous said...

Interesting research, but I have to ask: how many bittorent users have a tweaked client or upload fake files of copyrighted content just to fool BayTSP-like snoopers? Sure you're not doing anything lawfully wrong, but you're showing strong signs that you are. You know, it's like going to the airport wearing a belt of fake dynamite sticks and complain that the cops arrest you. Not to say that I condone what BayTSP is doing, but I'm not sure you have proven that their method is completely flawed in a typical P2P usage context.

Anonymous said...

Or, if you like to play with fire, download and share copyrighted stuff under a legit filename (Knoppix Linux Live System for example).
You can always complain you thought you were downloading legal stuff if they bust you.

To refer to the example of the airport, it's like taking the plane with a soda can you bought on the street filled with explosive stuff you don't know about : they probably won't find it until they search you for good, but you didn't mean to do something wrong with it.

Anonymous said...

I wonder if they can do the same for FTP transfers and Rapidshare, etc, downloads? Rapidshare and other similiar services has so much copyrighted material on their servers, and this seems to have taken the place of clients like Kazaa, eDonkey, eMUle, etc.

Anonymous said...

"To put this in to perspective, if BayTSP were trying to bust me for doing drugs, it'd be like getting arrested because I was hanging out with some dealers, but they never saw me using, buying, or selling any drugs."

I disagree. It would be like getting arrested for asking for drugs. You asked for the content. You didn't take delivery of it, but that doesn't matter to a police officer. You would need to convince the district attorney or judge.

That is the way the legal system works in the United States. The police arrest based on evidence of a crime. They can't possibly wait to prove it before they arrest you. Same here - the ISP was notified based on evidence of a crime. You won't be successfully convicted without your opportunity to explain why you believe it wasn't a crime.

I see nothing wrong with how BayTSP reacted, and feel that you got exactly what you were asking for (literally).

Oh yeah, and I work for a University. And I think a good portion of the DMCA is a pile of crap, even going so far as to violate existing consumer rights laws. I just wanted to point out the error in your analogy. You asked for it. You said "yes, I'll help you sell these drugs". Just because you didn't follow through with it (even though you had no intention or capability of following through) is not a reason to avoid arrest - just perhaps a reason to avoid conviction.

Anonymous said...

"A piece of good news for anybody who has gotten a bittorrent related notice from BayTSP: it doesn't seem like a studio could do much in terms of court action with the evidence BayTSP gives them."

A piece of bad news for anyone who actually gets sued: they can and likely will subpoena your computer and forensically analyze your hard drive. They will likely be able to show intent, *if* it was there.

If you scrub your hard drive or otherwise destroy evidence, you may be found guilty of tampering with evidence, and be in even more trouble. Plus, since they would likely be filing a civil suit, proof of guilt beyond a shadow of a doubt isn't required - that is only true for criminal proceedings. If they produce evidence that you were guilty, and you can't produce evidence that you didn't do it, because you wiped your hard drive, you might get a double-whammy: Charged with evidence tampering (a criminal offense) and ruled against in the copyright case (a civil offense).

Kelly said...

This is a very nice post, and I want to see how others react to this.

Anonymous said...

I wonder if BayTSP needs to be 100% accurate. What they seem to have found is either:

1) a copyright violation under the law, or

2) someone pretending to make a copyright violation in order to prove a point.

Some in effect gaming the system in order to prove ... what exactly? That the reporter was wrong so therefore the illegal activity is OK?

Whats that prove?

And more to the point, why should an ISP care whether you're a self appointed protector of others' rights to commit copyright violations (under the law as it is currently written). Isnt the real issue here that people continue to break the law?

Stuff like this probably hardens opinion against your cause, quite honestly. Half ass, ill thought out, illigical protesting is worse than none.

free ps3 said...

Thanks for the nice post!

Anonymous said...

so i went over to bayTSP and it says in one of the faqs:

"The time stamp in the notice reflects the time that BayTSP detected the file on your computer, not necessarily when it was downloaded. "



"The information on your notice provides you with details, including the name of the file, the time that the file was seen and the file size."

the two quotes seem to indicate that they do have proof that someone (whoever the notice was sent to) downloaded the file in question??

so i dont see how you can argue that they arent doing their jobs properly unless i am missing something

(note i am a relative newbie so i may have gotten wrong end of the stick)

Anonymous said...

dude, i just realized how to make money with copyrigt bull shit. Okay make a dumb movie but with a cool name, spread it on the net then sue people for downloading it.

Anonymous said...

"the two quotes seem to indicate that they do have proof that someone (whoever the notice was sent to) downloaded the file in question??

so i dont see how you can argue that they arent doing their jobs properly unless i am missing something"

Yes, you are missing something. BayTSP are LYING. This very article is all about someone who ran an experiment that proved those statements to be lies. BayTSP sent false notices CLAIMING they saw / have_proof someone was infringing when in fact that person (or even a printer) in fact did not infringe anything. BayTSP merely carelessly collects IP addresses and spams out infringement accusations.

Tilo said...

Good Job! :)

Anonymous said...

so... if you leech torrents and never seed or upload in any way, baytsp can still contact your isp and get it shut down?

Anonymous said...

If you received a notice for using BT and you do not even have the file in your hard drive, what do you do with the notice? I had a notice forwarded by my Universities' dormitory's ISP. They said they were going to terminate my internet in 24hours, but then it has been over 24hours, and my internet is alright. Should I reply to the E-Mail? Many people said to ignore it, but I am not sure.

潇洒光头、 said...

代孕 淘宝刷信用
北京发票 代开发票
餐饮发票 住宿发票
广告发票 对讲机
传世私服 传奇世界私服
新开传世私服 传奇私服
天龙八部私服 天龙私服
手机窃听器 手机窃听器
代写论文 代写论文
北京办证 办证
代孕 代孕网
代孕 代孕
代孕 试管婴儿
代写论文 代写论文
代写代发 论文代写 dhl

modern abstract art sofa manufacturer
净水器 开水器 净水机 净水 软水机 软水 直饮机 家用净水 家用净水器 家用净水机 中央净水 中央净水器 水家装 水家电 水卫士 混合机
过滤机 DHL快递 俄罗斯签证
保险箱 法兰 法兰标准
polycarbonate sheet 回流焊 波峰焊
免烧砖机 注册上海公司 儿童摄影
牛皮癣 皮肤病 制氮机
食堂售餐机 校园一卡通
学校一卡通 ic卡售饭机
食堂售饭机 深圳一卡通
广东售饭机 机电设备安装
北京发票 代开发票
餐饮发票 住宿发票
网络电话 免费网络电话
假发 补发
织发 植发
压滤机 板框压滤机
蒸馏水机 纯蒸气发生器
上海搬家公司 上海搬场公司
大众搬家 大众搬场
张家界旅游 香港旅游
深圳旅行社 打包机
收缩机 对讲机 电源模块
售饭机 水控机 水控器
萎缩性胃炎 neoprene laptop bags
SEO优化 计量泵
胃炎 胃病
冷水机 冰水机
北京特价机票 北京打折计票 北京国际机票
北京机票预定 北京飞机票
北京订机票 北京机票查询 饮料机械
血糖仪 血糖仪
银杏 水培花卉 企业宣传片 空分设备
化工泵 离心机
电话交换机 程控交换机 集团电话 集装袋
混合机 混合机
混合机捏合机 捏合机
捏合机导热油炉 导热油炉
导热油炉 反应釜 反应釜
反应釜 spherical roller bearing
搬运车 搬运车 电动搬运车 油桶搬运车 堆高车 电动堆高车 半电动堆高车 堆垛车
高空作业平台车 电动叉车 平衡重叉车 前移叉车 电瓶叉车
韩国饰品批发 模块电源
X架 超薄灯箱> 易拉宝 展柜制作
代理服务器 游戏加速器 网络加速器
网通加速器 电信加速器 电信网通转换器
电信网通加速器 网通电信互转
网通电信互通 网络游戏加速器
美国VPN代理 美国独享VPN 美国独享IP
pvc ceiling panel Spherical roller bearings
安全鞋 劳保鞋 防砸鞋 电绝缘鞋 上海安全鞋 上海劳保鞋 江苏劳保鞋
服装软件 服装管理软件 进销存软件
进销存管理软件 服装管理系统 服装进销存软件
进销存系统 进销存管理系统 免费进销存软件
吉林中医 东北特产
阳痿 阴茎短小 阴茎增大
早泄 前列腺炎 阴茎增粗 阴茎延长
国际机票 上海国际机票
国际特价机票 国际打折机票
CRM 客户管理软件 客户关系管理
免费客户管理软件 客户管理软件下载 客户信息管理系统 销售管理系统 销售管理
CRM系统 CRM软件 客户关系管理系统
客户关系管理软件 客户管理 客户管理系统 营销管理系统 客户资源管理 销售管理软件 客户资料管理软件 客户资源管理软件
客户信息管理软件 客户资料管理 客户资源管理 客户信息管理 客户资料管理系统
客户资源管理系统 客户管理软件免费版
砂磨机 砂磨机
砂磨机 卧式砂磨机
卧式砂磨机 卧式砂磨机
三辊研磨机 三辊研磨机
三辊研磨机 混合机 混合机
混合机 锥形混合机 锥形混合机 锥形混合机 行星动力混合机 行星动力混合机 行星动力混合机 无重力混合机 无重力混合机 无重力混合机
干粉砂浆设备 干粉砂浆设备
干粉砂浆设备 捏合机 捏合机 捏合机 导热油炉 导热油炉 导热油炉 反应釜 反应釜 反应釜 搪玻璃反应釜 搪玻璃反应釜 搪玻璃反应釜
乳化机 涂料设备 干混砂浆设备 无重力混合机 胶体磨 涂料成套设备 双螺旋混合机
北京婚庆 北京婚庆公司
办证 呼吸机 制氧机
亚都 亚都加湿器 亚都净化器
饰品批发 小饰品批发 韩国饰品 韩国饰品批发 premature ejaculation penis enlargement
破碎机 制砂机 球磨机 雷蒙磨 雷蒙磨粉机 鄂式破碎机 鄂式破碎机 免烧砖机 加气混凝土设备
反击式破碎机 选矿设备
安利产品 马来西亚留学
网站优化 网站推广
论文代写 代写论文
拖链 防护罩 排屑机 塑料拖链 钢铝拖链
深圳装饰 深圳装饰公司 深圳装修公司
特价机票 打折机票 国际机票
新风换气机 换气机 立式新风换气机 风机箱 新风系统 能量回收机
搅拌机 混合机 乳化机
毛刷 毛刷辊 工业毛刷 刷子 钢丝刷
涂层测厚仪 硬度计
兆欧表 激光测距仪
测振仪 转速表
温湿度计 风速仪
噪音计 红外测温仪
硬度计 万用表
美容院 美容加盟
澳洲留学 澳大利亚留学
酒店预定 北京酒店预定 北京酒店
nail equipment nail products nail product nail uv lamp nail uv lamp nail uv lamps uv nail lamp nail brush
nail file nail tool nail tip nail gel curing uv lamps lights
万用表 风速仪
红外测温仪 噪音计
苗木价格 苗木信息 标牌制作 深圳标牌 北京儿童摄影 防静电鞋 淘宝刷信誉
威海凤凰湖 威海海景房 大庆密封件
打标机 淘宝刷信誉 TESOL/TEFL国际英语教师证书 英语教师进修及培训 北京快递公司 北京国际快递