BitTorrent study finds most file-sharers are monitored

I was interested in how they were detecting monitors and whether they were just picking out any anomalous peers (say ones that don't accept connections). I was also wondering if the paper was going to be obviously flawed and funded by some copyright agency with the aim of articles such as the one we just read being created. I still wouldn't rule it out, but I feel that the methodology was sound.<p>To summarize for others indicators were:<p>"""<p>1. The proportion of a subnet that has been seen in BitTorrent swarms. Monitoring agencies may use a large proportion of their subnet for monitoring.<p>2. The length of time a peer spends in a swarm. Monitors may spend more time in the swarm than regular file-sharers.<p>3. The number of different (IP, port, infohash) combinations per IP address. Monitoring agencies may operate many clients from a single IP address.<p>4. Whether a peer reported by a tracker accepts incoming connections. Monitors may block all incoming connection attempts. (((This was discarded as an unreliable indicator)))<p>5. The number of swarms in which IP addresses from a particular subnet appear. Monitoring agencies may monitor many torrents from their subnet.<p>6. The number of times the same (IP, port) pair is observed concurrently in different swarms.<p>... we found 1,139 IP addresses that were in the top first percentile for all four features (((1,2,3 and 5))) IP addresses assigned to a company named Checktor [3], which offers commercial BitTorrent monitoring services, and 16 addresses assigned to a medium-sized computer security consultancy company that does not publicly acknowledge monitoring BitTorrent. Another subnet, which we saw in over 500 swarms, belongs to a company that advertises itself as providing “intellectual property advice” ... We also found two subnets assigned to hosting companies ... We speculate that copyright enforcement companies are using these hosting companies as a front to disguise their identities. We also identified a number of IP addresses allocated to large ISPs, such as Vodafone, Etisalat and SingNet. ... This feature (((6))) found IP addresses assigned to Peer Media Technologies [16] (a well-known copyright enforcement agency) monitoring seven Harry Potter ebook and movie torrents, and the INRIA research institution [10], which had been overlooked by features 1–5 because so few torrents were being monitored, and because a very small proportion of INRIA’s subnet was being used for monitoring """<p>I didn't read too much further into their methodology for detecting "direct monitoring" other than to see a pretty graphic showing peer lying about their download completion.

&#62;researchers found that nearly every file-sharer they monitored, was monitored.

Aren't there bittorrent clients which autodetect and autoblock clients which connect, but neither upload nor download? Doh! Link to a somewhat more informative, less beeby, story: <a href="http://www.newscientist.com/blogs/onepercent/2012/09/honeytrap-catches-copyright-co.html" rel="nofollow">http://www.newscientist.com/blogs/onepercent/2012/09/honeytr...</a> And the lead researcher <a href="http://www.cs.bham.ac.uk/~tpc/home.html" rel="nofollow">http://www.cs.bham.ac.uk/~tpc/home.html</a> Published paper link snaked below! :)<p>(A previous paper: Analysis of BitTorrent Peers' Behavior and Monitoring Trends <a href="http://www.kaspersky.com/images/camilo_andr%D1%83s_gonzalez_toro-10-75858.pdf" rel="nofollow">http://www.kaspersky.com/images/camilo_andr%D1%83s_gonzalez_...</a> which was based on the Snark Project, updated)

<a href="http://www.cs.bham.ac.uk/~tpc/Papers/P2PSecComm2012.pdf" rel="nofollow">http://www.cs.bham.ac.uk/~tpc/Papers/P2PSecComm2012.pdf</a><p>Link to 18-page scientific article by University of Birmingham. This is the actual meat behind the BBC article.<p>Not an alarmist paper, just boring work with Bittorrent download progress bitmap monitoring.<p>Some juicy bits on their usage of Tor, from the paper:<p>"we created our own indirect monitoring client that gathers newly-published torrent files from the Top 100 in each category on The Pirate Bay, and continually contacts each of the trackers and stores (IP address, port number, infohash, time) tuples from the peer lists that are returned; it then attempts to establish a TCP connection with each host and sends a handshake message to ensure that the host is in fact a BitTorrent peer. [..] We collected data from July 21–28, 2009, routing our traffic through the Tor anonymity network."

The original paper without all of the scaremongering:<p>"The Unbearable Lightness of Monitoring: Direct Monitoring in BitTorrent"<p><a href="http://www.cs.bham.ac.uk/~tpc/Papers/P2PSecComm2012.pdf" rel="nofollow">http://www.cs.bham.ac.uk/~tpc/Papers/P2PSecComm2012.pdf</a>

Except that it is illegal to collect IP addresses in some European countries (Switzerland for example). Here's the link:<p><a href="http://www.edri.org/edrigram/number8.18/collecting-ip-addresses-illegal-switzerland" rel="nofollow">http://www.edri.org/edrigram/number8.18/collecting-ip-addres...</a>

Some tips on anonymizing VPNs from a previous HN discussion: <a href="http://news.ycombinator.com/item?id=3913985" rel="nofollow">http://news.ycombinator.com/item?id=3913985</a>

This feels like a scare tactic to get people scared, they could never go after all downloaders.

A lot of it is definitely for consulting purposes. I thought of going into that line - seeing how what movies, TV, and music wouldn't be taken even for free would be interesting to the producers of that content.<p>Looking at activity on torrents gives you a really good idea of relative interest in something, and in addition, on membership torrent sites, it could be cross referenced with the other interests of the downloader simply by using their history to give you some idea of demographic and to guide marketing strategies.

I was worried, then remembered that the only things I tend to pirate are anime. And I expect the fansubbed torrents are not quite so well-monitored.

It's a little know fact, but all telcos here in Croatia monotor and store all torrent traffic info of their customers. They have massive rooms with monotors dediated to showing which customer in which building is currently using torrents.<p>And all of this data is stored for once the Gov decides to "crack-down" on illegal file downloads, they will have massive amounts of evidence.

This shouldn't be a surprise. It is trivial to capture that kind of data from large bittorrent clouds like piratebay, and that data may have some useful applications. For example, getting statistics on what movies, tv shows, and music people are interested in (often before commercial release) with really precise geographic information.

This should not come as a surprise to anyone who has been following the developments within the P2P-world. If you still care about privacy while you connect to a large amount of computers, a proper VPN or a similar service to mask your origin is the way to go.

"Most" does not seem to mean much here, while it probably is correct. According to the paper they only used thepiratebay as originating tracker. Right now the homepage lists 30 million peers. what.cd shows 9 million peers. I do not know how many peers Demonoid had, probably a similar or higher number. Some smaller trackers I checked all had around 100k peers. So just think of 60 smaller trackers like that and poof, the "most" is not true anymore.<p>This also only covers Bittorrent, not "most file-sharers".

All the monitors were checking whether the file sharer used BT software? Why? I mean, there's not much of a reason to connect to a swarm if you're not seeding or leeching. Then again, does that mean that spoofing the name/id/whatever of the software gets you off the monitors radar?

What does 3 hours mean? I don't need that long to download anything.<p>And I doubt that if I download some rare indie music stuff, that anyone would care to monitor this torrent.

People know that I'm downloading the new Fast and Furious movie from TPB?

Please let's never forget: An IP-Adress is not a person[1]<p>[1] <a href="http://torrentfreak.com/judge-an-ip-address-doesnt-identify-a-person-120503/" rel="nofollow">http://torrentfreak.com/judge-an-ip-address-doesnt-identify-...</a>