A group of academics at the University of Washington, including two professors and a PhD candidate, published a study on June 5th, 2008 entitled "Challenges and Directions for Monitoring P2P File Sharing Networks -or- Why My Printer Received a DMCA Takedown Notice." In their study, the researchers provide evidence that the copyright-enforcement rent-a-cop companies send DMCA takedown notices in many cases where there is no infringement, even implicating devices incapable of running peer-to-peer client software or downloading protected content in the first place. The authors provide a table of 403 spurious takedown notices received during their experiments (all in the online movie domain).

One of the user-identification flaws described in the paper hinges on the way some BitTorrent monitors work. Instead of using direct detection to determine whether a user is indeed infringing copyright (and as a side effect participating in the infringement), some rent-a-cop systems work by watching the two-step process involved in downloading content. The first step involves contacting a central coordinator (called a "tracker" by most people), which maintains a list of all users downloading/sharing a file. The second step is to contact a peer group to request (and share) file data with others. The spurious monitoring techniques rely on the first step alone to determine the identity of an alleged infringer, even if no actual content has been downloaded.

It gets worse. The researchers determined that some versions of the BitTorrent client allow the user to programmatically change the IP number reported during step one. This allows an attacker to implicate an innocent IP-number/person, possibly resulting in rent-a-cop scrutiny (in the worst cases leading to a lawsuit as described above).

At the very least, more evidence than a spoofable IP number should be required before a DMCA takedown notice is invoked. Thanks to the University of Washington group, we now have scientific evidence that DMCA notices can be sent to people (and printers) who are completely innocent. We also know that framing innocent users is possible.
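As an added illustration (not code from the paper or from any monitoring product), the sketch below grades a monitor's observations so that a tracker listing alone never makes an address eligible for a notice. The record fields, level names, and sample addresses are assumptions constructed for the example; the only BitTorrent fact relied on is that a torrent's metadata carries a SHA-1 hash for each piece.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Observation:
    ip: str                          # address a notice would name
    source: str                      # "tracker_list" (step one) or "peer_connection" (step two)
    info_hash_matched: bool = False  # peer handshake named the monitored torrent
    piece_index: int = -1            # index of a piece received from this address
    piece: bytes = b""               # the bytes received, if any

def piece_verified(obs, piece_hashes):
    """True only if data received from the peer matches the torrent's SHA-1 for that piece."""
    if obs.source != "peer_connection" or not obs.info_hash_matched:
        return False
    if not 0 <= obs.piece_index < len(piece_hashes):
        return False
    return hashlib.sha1(obs.piece).digest() == piece_hashes[obs.piece_index]

RANK = {"unverified": 0, "connected": 1, "direct": 2}

def classify(observations, piece_hashes):
    """Map each IP to the strongest evidence level observed for it."""
    best = {}
    for obs in observations:
        if piece_verified(obs, piece_hashes):
            level = "direct"
        elif obs.source == "peer_connection" and obs.info_hash_matched:
            level = "connected"
        else:
            level = "unverified"     # tracker listing (self-reported) or failed handshake
        if RANK[level] > RANK.get(best.get(obs.ip), -1):
            best[obs.ip] = level
    return best

def notice_candidates(observations, piece_hashes):
    """Only addresses with verified content transfer are eligible for a notice."""
    levels = classify(observations, piece_hashes)
    return sorted(ip for ip, level in levels.items() if level == "direct")

# Constructed sample data (documentation-range addresses, made-up piece contents).
PIECES = [b"constructed piece 0", b"constructed piece 1"]
PIECE_HASHES = [hashlib.sha1(p).digest() for p in PIECES]
SAMPLE = [
    Observation("192.0.2.10", "tracker_list"),                         # e.g. a printer
    Observation("198.51.100.7", "tracker_list"),
    Observation("198.51.100.7", "peer_connection", True, 1, PIECES[1]),
    Observation("203.0.113.5", "peer_connection", True, 0, b"wrong bytes"),
]
```

On the sample, the address seen only in the tracker list stays "unverified", and only the address that delivered a piece matching its hash is returned by `notice_candidates`.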

One of my brothers works for Amnesty International, and the other for Microsoft. Which one shall I frame?
