BitTorrent Monitors Watching Popular Files, But Researchers Know How To Spot Them

Pirate flag skull and cross bones
Pirate flag skull and cross bones

How well are digital pirates being hunted online? In the wake of the arrest and likely deportation of Pirate Bay co-founder Gottfrid Svartholm in Cambodia, a new study attempts to answer that very question.

Researchers at the University of Birmingham have published a study claiming that users of popular file-sharing sites are likely to have their IP addresses logged by monitoring agencies within three hours of downloading a file. These IP addresses can then be used to track the computers of those who use those file-sharing or "torrent" sites.

Grim as this may look for torrentheads, the study may actually help the pirates more than the trackers in what's sure to be a new stage of the "arms race" between pirates and copyright enforcers.

Study head Tom Chothia and his team completed their examination of BitTorrent tracking by creating a tool to detect and watch the monitoring agents on Torrent sites like The Pirate Bay. The researchers discovered that monitoring agents can be distinguished from normal torrent users in a number of ways: foremost, the extreme frequency of connection observed by a small portion of IP's on torrent networks.

Subnets belonging to monitoring firms tend to have a large fraction of the IP addresses connected to BitTorrent networks, they tend to stay connected to the network for long periods of time, and each IP address tends to connect to many different swarms. Few ordinary users use the BitTorrent network so intensively.

Moreover, the researchers noted that suspected monitors rarely completed downloads, "while the majority of peers reported steady progression towards completing the download, peers in 20 small subnets always reported completions of between 45 percent and 55 percent," according to the study, per Ars Technica.

In the study's conclusion, Chothia is critical of public blocklists used by cautious downloaders to identify suspicious or risky IPs. (These lists can help illegal downloaders to identify IPs that may belong to copyright enforcement agencies, for instance). Chothia calls such lists "speculative" and not based on "empirical research". But the techniques his team used -- including detection of inconsistent or abnormal bitfields and extreme connection frequency -- could be used by savvy coders to create new, more accurate blocklists, as well as tools for detecting monitors in action.

While the writers of the study chose not to expose any of the currently anonymous copyright enforcement agencies monitoring popular torrent sites, they did reveal that agencies who wished to keep secret their presence on Torrent sites use large hosting companies as "a front to disguise their identities". The paper also named a number of Autonomous Systems that appeared "to host large numbers of monitors," including Speakeasy Inc. and Qwest LLC.

But even before new blocklists are drawn up or new software created, changes in content-download habits may help Torrent users slip under monitors' radar. Chothia reports that he detected monitors only "in the Top 100 torrents" of any category; of those, movie and music torrents were monitored significantly more than other varieties of Torrent. And, claims Chothia, the frequency of IP logging that's made so many headlines may not be as worrying as it seems. In comments to the BBC, Chothia said, "Many firms are simply sitting on the data."

"Such monitoring is easy to do," he goes on to tell the BBC, "and the data is out there so they think they may as well collect it as it may be valuable in future."

Chothia further speculates that many firms might sell the data for marketing purposes -- ironically, often back to the copyright holders themselves.