Understanding Anti-Piracy Enforcement
There is a great deal of confusion on the net as to just how people get warning letters and notices from ISPs and copyright holders. In an attempt to clear the murk, we’ve produced this guide to help clarify what actions are taken, by whom, and how to respond to them.
Above all else, right at the start, I will reiterate one thing - I AM NOT A LAWYER. None of what is said is legal advice, nor should it be used as any basis for defense. If you feel the need for legal advice, then get competent legal advice. This is a point most strongly emphasized by the Jammie Thomas trial, where she had legal advice, but it was NOT competent in the subject. Finally, for the most part, this will be referring to US laws, as that’s where the majority of lawsuits occur.
The first thing to remember is, there is nothing on the net that you know of, that anti-piracy organizations don’t. No protocol, or secret piece of software, that you know of but which shouldn’t be talked about ‘in case they get to hear of it’. They employ people who do nothing all day but surf and chat. They act just like you or me - there’s no reason for them to behave in any other way. So, one of the first things to remember is, there’s no such thing as security by obscurity in P2P. If you can find it, what’s stopping someone in the pay of an anti-piracy organization from finding it too? That’s just common sense. Of course, as in the old saying - poachers make the best gamekeepers - quite often the people doing the investigations are not newcomers to p2p, but have been doing it for years themselves. In that respect, over most users, they have the advantage in experience.
The one thing most people seem to fail to understand, is that there are no magic solutions. At the end of the day, you have to get data back to your IP. In order to do that, at some point, your IP has to be known. While this can be obfuscated to the point at which it’s extremely impractical to trace, it is at the expense of bandwidth. This is why torrenting over Tor is a no-no. You could use a VPN service, but they also know your home IP, and also generally billing details for the account. In that way, they’ve not only associated it with a name, as they would with a home IP, but also your financial information, which would be a great way to prove you personally were behind it.
There are some common misunderstandings about anti-piracy activities that seem to be pervasive. So let’s address them.
- There have been very few actual legal cases, as yet, that have involved torrents.
- The majority of copyright cases are CIVIL, not criminal
- What most people think of as being the law, often isn’t.
- The RIAA and the MPAA never get involved in anti piracy evidence collection directly.
- Most of the time, people are going from what someone they have met on a forum had read in an IRC channel.
1) - There have been very few actual legal cases, as yet, that have involved torrents.
Cases involving torrents are rare, as yet. This will probably change over the next few years. Despite the protocol having been around since 2002, it wasn’t until around 2004 that it started to gain widespread acceptance. Since then there have been a few cases, such as the DVDr-core and the EliteTorrents enforcement activities, but they are, in the main, the exception rather than the rule.
The TorrentSpy judgment, handed down this past week, is also now heading for appeal, which could significantly change things, or could have it all stay the same. It’s too early to tell at present. Likewise, the ISOhunt case hasn’t even gone that far. Despite there being in excess of 100 torrent sites active now, and a similar number at least having been opened and closed for various reasons over the past 5 years, the fact that only one has got to an initial judgment says something.
Torrents are a difficult subject to litigate - the ISOhunt case is evidence of that. Unlike most other methods, which rely on a few centralized servers to index and sort, torrents rely on trackers, and on DHT. File names can be used to find torrent files, but owning a torrent file is not actionable. They are metadata (data about data) files and are not covered under the same copyright as the original source, any more than a film review belongs to the movie studio. The error checking aspect has a legitimate use as well, as it could be argued (how successfully I don’t know) that the torrent file is being used to error check existing data legitimately acquired.
Most recently, cases centering around BitTorrent sites have focused more on vicarious infringement, as in the Pirate Bay and OiNK cases. Basically, this means that the defendant had the right and ability to control the infringer’s acts, by being able to add or delete torrents, and that the defendant gets a direct financial benefit from these acts of infringement. Hence the claims of ‘paying for membership’ given to the police for the OiNK raids, and the focus on advertising in the Pirate Bay trial. However, this can be a tricky subject for other companies too - including ISPs and technology companies like Sony, where they have to be certain not to fall foul of the ability+control aspect. This is why bandwidth-choked ISPs are firmly opposed to being involved in any sort of P2P-policing.
2) - The majority of copyright cases are CIVIL, not criminal
Now, civil cases are unlike criminal ones in that there is no ‘innocent until proven guilty’. There are just two groups of litigants. Whoever has the most proof (or preponderance of evidence) is the winner. So, where in a criminal trial, they must prove beyond all reasonable doubt that you did commit the acts, in a civil case, they only have to prove you did it better than you can prove you didn’t. Of course, I refer you to the caveat at the beginning, and note that many countries have differing requirements of proof for a civil case.
Another major factor that sets ‘criminal acts’ apart from those that are ‘civilly actionable’ is that the former are always against the law, and doing that act means you’ve broken the law. If you punch someone, that’s always assault (with a few exceptions). Running a BitTorrent client, or participating in a BitTorrent swarm, is not against any law. The contents of it might, however, be civilly actionable. If the copyright owners decide to sue, they can, but if they don’t, as the law goes, there’s no complaint to be answered.
3) - What most people think of as being the law, often isn’t.
This is especially common. When we broke the story on MiiVi last year, a large number cried “entrapment”. There was a similar response the other day, to our story about the IFPI and LimeWire. Many people also believe that if a media enforcer is on a torrent, they can’t share data, else they’re complicit in the copyright infringement and are giving you some sort of permission to distribute yourselves. This could not be further from the truth.
First of all, entrapment relates only to criminal cases, in the main, and for that matter, only occurs in a specific set of circumstances. If a law enforcement officer (as in someone with the actual power to arrest you) asks or incites you to commit a crime that you wouldn’t otherwise have done, that’s entrapment. However, if you’re not a law enforcement agency, then it can’t be entrapment, pure and simple.
The implicit permission argument is similarly flawed. Whilst the enforcement agent (‘snooper’) might have permission to distribute, by distributing as part of a BitTorrent swarm, it’s hard to argue that he’s similarly giving you permission to distribute. Try telling the judge “he did, so I thought I could” and you’ll not get a very positive reaction - mainly because he can point to his ‘distribution agreement’ from the owner of the copyright, and you can’t. If you want an example, look at alcohol. In most countries, alcohol can only be sold by persons licensed to sell it. If you try to sell it without a license, you can face penalties under the law. Saying ‘I’m selling it because he’s selling it’ won’t work there, and it’s the same case for copyright and distribution.
4) - The RIAA and the MPAA never get involved in anti-piracy evidence collection directly.
Finally, let’s just clear something up we all know at the back of our minds, but forget in the heat of an impassioned board post, or IRC comment. The RIAA and MPAA do not directly get involved with the details of ‘evidence gathering’ in these cases. The MPA and IFPI are lobby mouthpieces, not enforcement agencies. Their existence is not to investigate, or to sue. They exist to lobby politicians, to issue press releases and ‘studies’, to hide conflicts between the major studios, and to discourage independent works. Member companies put money into these organizations, in exchange for getting their ideas across to those that make the law, to conduct studies to back up the wants and desires of the members, and to be a face to be interviewed by the media.
The enforcement activities are carried out by companies that exist for this purpose. In effect, they are digital private investigators (although most don’t seem to have bothered applying for the licenses) and like the old fashioned gumshoe, they work for whoever pays them. Some activities of the investigator might be illegal, but that’s nothing new from private investigators. Companies like Safenet, and BayTSP aren’t in it for an ideological reason, it’s just a business. As such they work like any other business, with long hours, and trying new things to get clients and please them.
Think you’ve tried hard to get onto that private tracker? Imagine the guy that got onto it, AND got paid to do so, sitting in a nice air conditioned office. I’m certain there are people whose only task is to gain memberships to private trackers. To collect evidence, build up contacts, and invites. How do I know this? Well, it’s what I would do, if I were running such a company, and it’s fairly obvious, especially given the evidence of the EliteTorrents bust back in 2005. Sites know this as well, which is why most private trackers heavily discourage trading invites, and why the rule is that you only invite those you “know”.
The lack of knowledge most people have about these subjects, especially in relation to the law, is mind boggling. Also, whilst the power to change laws seems to be solidly with the cartels, the position now is better than it was just three or four years ago. If you want to help improve it, join your local Pirate Party, the EFF, or similar organizations and help them out. It might not be easy, but nothing worthwhile ever was.
5) - Most of the time, people are going from what someone they have met on a forum had read in an IRC channel.
Unlike most, I actually used to work in copyright enforcement - those of you that have read my bio will know that. Of course, this was around 10 years ago, when Napster was just becoming popular, and I dealt with physical copyright infringement (people selling CDs). However, I do have a grasp of the law, and personal experience in making and pursuing a copyright case. So, as you can see, this isn’t someone repeating urban myths, or something read in an IRC channel. It’s based on fact, and experience, which isn’t that common in this area.
What to do about it?
To be frank, there is no way to stop the logging bots that harvest peer info from torrents. They don’t give themselves away, because they don’t have to act any differently than normal clients. With a WebUI, or even a VNC set up, it can easily be controlled from the office, and provides much greater anonymity. After all, the bandwidth and reliability of a co-located server isn’t required.
It is also probably wise to avoid anything considered high profile, initially, and if you’re in the US, avoid any films that hit the net before the cinema. It is also safer, in the long run, to avoid private sites which deal in what could be called ‘mainstream’ material, better known as ‘scene releases’. This is stuff that is most likely to be tracked, and private sites, whilst fast, have the great disadvantage of being part of a very small subgroup. Put another way, you could be one of up to 20 million that use the PirateBay, or you are one of 40,000 that use SceneTorrents. And unlike the PirateBay, a private site has your activities stored (in some form anyway, to generate the ratio) as well as an identifier - the email address you used. Remember, it was the similarity between an email address login, and a kazaa login that was the ‘pivotal’ evidence in the Thomas case, and removed doubt about the identity. If the site displays user names on the torrent though, you might as well never contest any case that you are hit with. Being able to track user names as well as IPs in a torrent means they’re likely to get repeat hits on you, even when you switch IPs. You might be able to convince a court that once was a mistake in their evidence gathering, but if they have you on multiple occasions, with different IPs each time, that argument is out the window.
Some suggest using blocklists, but since there is no way to identify an IP logging you, and no way to tell what IP it’s logging from, they really don’t keep you “safe”. Additionally, the most popular list provider, Bluetack, has added such a large number of IPs to their anti-piracy list (something like 700,000,000) that you are only eliminating legitimate peers, slowing you down, and increasing the chance of being logged. Besides that, the people who do the logging are very aware of these blocklists, use proxies, and change IPs all the time. Additionally, the criteria for adding may not quite be at the “a guy that works there’s sister’s neighbor gets her hair done at the same place as the nephew of a guy whose company works for the company that delivers the water for the MPAA’s water coolers” level - but it’s getting close - and list makers also blame hosting companies for the actions of their customers. The sad thing is, people run this, see all the blocks that come up, marked as being antip2p, and think “look at all those being blocked, now I’m safe” when the reality is, a group of people has claimed this, and how much do you trust the list makers? However, the final word on this comes from Phrosty, one of the coders of Peerguardian, who told one of our researchers “PG might help it might not. we think it does, but make no guarantees. make your own choice”.
Probably the most important thing you can do is know your rights, and know the truth. Use some common sense, and if in doubt, imagine yourself as an antip2p guy, and think of what you might do in their place. Unless it’s illegal, they’re probably doing it already (and maybe some of the illegal stuff too). The lack of knowledge, however, is to their advantage and not yours.