Tracking the Trackers

Frequently Asked Questions

Background

Q: What is a P2P file sharing network?
Q: What is BitTorrent?
Q: What is a DMCA takedown notice?
Q: Who are the major copyright enforcement agencies?
Q: Could a person receive a DMCA takedown notice and actually be innocent?


Methodology and experiments

Q: Why is this happening?
Q: Can you give us some examples of how this could be happening today?
Q: Your paper mentioned one way in which innocent users might incorrectly receive a DMCA takedown notice. Could there be other ways in which this is happening?
Q: Your paper says that your study is unique in that you intentionally try to receive DMCA takedown notices for your machines. Is that true?
Q: Do your current experiments apply to all copyright enforcement agencies?
Q: The title of your paper indicates that you received DMCA complaints for a printer, but printers can't even run P2P software. How is that possible?


Implications

Q: What’s the most important conclusion to draw from your study?
Q: How can these problems be addressed?
Q: Have you notified enforcement agencies of your work?
Q: I use P2P software, but I also installed software that blocks communication with monitoring agencies. Can I avoid detection?
Q: I’m a network operator working at an ISP. Should I be suspicious of DMCA takedown notices?
Q: Suppose the copyright enforcement agencies fix the particular problems that you identified. Will we now all be able to have confidence in the accuracy of DMCA takedown notices?
Q: Do your results mean that all DMCA takedown notices are invalid?
Q: Whose side are you on? Are you helping the copyright enforcers? Are you helping people circumvent copyright?

Background

Q: What is a P2P file sharing network?
A P2P file sharing network is a service for downloading files on the Internet. Usually, downloading a file is just like downloading a webpage: your computer obtains the entire file from a single webserver. In a P2P file sharing network, files are downloaded from many servers. Further, once a user downloads parts of a file, his or her computer can act as one of these servers.

Our study focuses on one particular P2P file sharing network: BitTorrent.

Q: What is BitTorrent?
BitTorrent is one type of P2P file sharing network that is extremely popular today and is the focus of our study. BitTorrent can be used to share any type of file and is used today to share both legal, freely available content as well as material protected by copyright.

Q: What is a DMCA takedown notice?
A DMCA takedown notice is a formal request to stop a particular file from being shared on the Internet. The name 'DMCA' comes from the Digital Millennium Copyright Act, a 1998 law which limits the liability of Internet Service Providers (ISPs) for copyright infringement and defines a new legal framework for copyright enforcement on the Internet. Check out a sample DMCA takedown notice.

Q: Who are the major copyright enforcement agencies?
Generally, complaints are sent by third parties on behalf of content producers. Over the course of our entire study (corresponding to our August, 2007 and our May, 2008 experiments), we have received complaints from both individual companies focused on monitoring P2P networks and larger industry associations. These agencies represent a diverse set of content producers.

Q: Could a person receive a DMCA takedown notice and actually be innocent?
Up until now, many people assumed that they were guilty. While others have suggested that the results might not be conclusive, we are the first to provide scientific evidence that people could be receiving DMCA notices today for allegedly illegally sharing content when in fact they were not. Given this potential for false positives, there is a pressing need for the development of more robust monitoring techniques as well as greater transparency and openness on the practices of the monitoring agencies.

Methodology and experiments

Q: Why is this happening?
Our results uncovered one way that this could be happening today. Downloading a file from BitTorrent is a two step process. First, a new user contacts a central coordinator that maintains a list of all other users currently downloading a file and obtains a list of other downloaders. Next, the new user contacts those peers, requesting file data and sharing it with others. Actual downloading and/or sharing of copyrighted material occurs only during the second step, but our experiments show that some monitoring techniques rely only on the reports of the central coordinator to determine whether or not a user is infringing. In these cases whether or not a peer is actually participating is not verified directly. In our paper, we describe techniques that exploit this lack of direct verification, allowing us to frame arbitrary Internet users.

To draw on a real-world analogy, consider the ride-share bulletin boards common on many university campuses. People post requests for and offers of rides to various locations and contact information. Suppose a monitoring agency wanted to keep track of anyone who shared a ride from Seattle to Portland. One method would be to simply take a picture of the bulletin board each day, noting the names of people that requested a ride to Portland. The problem with this approach is that anyone can post to the bullet board claiming to be anyone else; there is no way to know if the person named in the request actually made that request unless that person is directly observed getting in the car. Unfortunately, several copyright enforcement agencies appear to rely only on the analog of the former approach (taking a picture) and do not directly observe users sharing files (getting in the car).

Q: Can you give us some examples of how this could be happening today?
Here are two examples of how the above-mentioned technical flaw could potentially lead to erroneous DMCA takedown notices to innocent users:

We have experimentally verified the former and outline settings where the latter scenario could occur. But, we stress that focusing on just these particular examples misses the point. The point is that DMCA takedown notices can and are being sent erroneously. The bigger picture question is: What can we do to ensure that all future DMCA takedown notices are actually well-founded? We argue that this requires more openness in the monitoring and enforcement process.

Q: Your paper exposed one flaw in existing monitoring practices which could lead to innocent users incorrectly receiving DMCA takedown notices. Could there be other ways in which this is happening?
Yes. Unfortunately, there's still very little known regarding the practices of many copyright enforcement agencies. We found one way in which DMCA takedown notices could be sent incorrectly to users of one type of P2P file sharing network. But, many more faults might exist that remain undiscovered. We believe that public review of an open and well-documented enforcement process is critical to building confidence in the accuracy and legitimacy of P2P monitoring and copyright enforcement.

Q: Your paper says that your study is unique in that you intentionally try to receive DMCA takedown notices for your machines. Is that true?
Yes. As a result of our experiments, we've collected more than 400 DMCA complaints, all without downloading or uploading a single file!

Q: Do your current experiments apply to all copyright enforcement agencies?
In truth, we can't be certain. Our experiments show that deficiencies exist in the enforcement practices of some agencies, but not necessarily all.

We do know that at least the RIAA has started to become more open in describing parts of their processes. We commend them for this, and we hope our work encourages them to continue to become increasingly open. The fact remains, however, that at least some copyright enforcement agencies are using a fundamentally flawed technique when they accuse users of illegally sharing content. We hope that our research will serve as a wake-up call for the entire industry to be more open about their processes.

We further wish to draw a distinction between indirect detection and direct detection methods. We refer the reader to the paper for additional information, but mention here that direct detection methods–like what at least one content enforcement agency claims to use when monitoring Gnutella–have the potential for being much more conclusive than indirect detection methods.

Q: The title of your paper indicates that you received DMCA complaints for a printer, but printers can't even run P2P software. How is that possible?
Surprisingly, it is possible. We have received DMCA complaints for several printers and even a wireless access point! (Please note that these are printers directly connected to the Internet and have their own IP addresses.) This is possible because some monitoring agencies don't verify that a user reported to be sharing a file actually is sharing that file. This allows a malicious person to frame any device connected to the Internet: whether a printer, a wireless access point, or an innocent user's computer.

 

Implications

Q: What’s the most important conclusion to draw from your study?
The fact that we can generate DMCA complaints for arbitrary users regardless of whether or not copyright infringement actually occurred casts doubt on the current approach to copyright enforcement on P2P networks. As a result, Internet users and ISPs should not interpret DMCA complaints as foolproof; false positives are a very real possibility. Going forward, we believe our work shows a compelling need for increased transparency in the P2P monitoring and enforcement process.

Q: How can these problems be addressed?
We hope that these problems will be addressed in two ways. First, we encourage monitoring and enforcement agencies to adopt best practices such as those used by the RIAA to monitor Gnutella. These practices include greater openness and transparency regarding the processes used. Second, we hope that network operators will sanity check information provided in DMCA complaints to eliminate false positives to the greatest extent possible.

Q: Have you notified enforcement agencies of your work?
Yes. In 2007, our university's DMCA response team contacted several enforcement agencies and indicated that our work did not involve the sharing of any file data and that their complaints were spurious. In our current study (2008), we continue to receive complaints from several of these enforcement agencies.
We thank Daniel Schwalbe, Head of Outreach & Special Projects, Office of the CISO, and member of UW's DMCA response team, for all his help here.

Q: I use P2P software, but I also installed software that blocks communication with monitoring agencies. Can I avoid detection?
Not necessarily. In our study, we found that the lists used by some popular blacklisting software cover only some peers that are likely monitoring agents. Several likely monitoring agents are not included. Further, because enforcement agencies often send complaints without having communicated directly with users, whether or not communication with monitoring agents is avoided has little impact on whether a complaint is sent. More details are available in the paper, but in short: current blacklists do not guarantee that P2P users will avoid complaints for copyright infringement.

Q: I’m a network operator working at an ISP. Should I be suspicious of DMCA takedown notices?
Yes. Our results show that some methods used to generate DMCA takedown notices in BitTorrent are not conclusive and may misidentify users. This may also be true for other P2P networks. We therefore think that network operators should sanity check complaints as much as possible.

Q: Suppose the copyright enforcement agencies fix the particular problems that you identified. Will we now all be able to have confidence in the accuracy of DMCA takedown notices?
Unfortunately not. This is another reason why openness and transparency on the part of copyright enforcers is so important.

We’ve discovered one way in which users might falsely get DMCA takedown notices. Without more transparency, our concern is that–even if the copyright enforcers fix the problems we've identified–there might still be many other flaws remaining and new mistakes introduced in the future.

In our view, enforcement agencies need to make their processes open and transparent in order to increase confidence in the accuracy of DMCA takedown notices.

Q: Do your results mean that all DMCA takedown notices are invalid?
No, many are still valid. Further, while we found a flaw in how enforcement is done in BitTorrent, we re-emphasize that we did not study other P2P file sharing networks and hence cannot speak authoritatively about enforcement flaws in those other systems.

But, again, we stress that focusing on any particular flaw misses the most important point. The fact that any flaw exists is a serious concern. More hidden flaws could exist, masked by the general lack of transparency in current processes. Our work therefore highlights the need for greater transparency.

Q: Whose side are you on? Are you helping the copyright enforcers? Are you helping people circumvent copyright?
We are not taking sides on this particular issue, except to note that we do not wish to condone or support any illegal activities. Rather, we’re exploring from a scientific perspective the tension between P2P users and enforcement agencies. The results in our paper can be used to help all the parties involved in different ways. Please read the paper for additional information.