Brian Ladd’s Blog – Notes on Life

Just another WordPress.com weblog

Tracking the Trackers – DMCA Takedown notices

Original Content:http://dmca.cs.washington.edu/

Tracking the Trackers

Overview | FAQ | Sample complaint | Paper | People | Acknowledgments

Overview

As people increasingly rely on the Internet to deliver downloadable music, movies, and television, content producers are faced with the problem of increasing Internet piracy. To protect their content, copyright holders police the Internet, searching for unauthorized distribution of their work on websites like YouTube or peer-to-peer networks such as BitTorrent. When infringement is (allegedly) discovered, formal complaints are issued to network operators that may result in websites being taken down or home Internet connections being disabled.

Although the implications of being accused of copyright infringement are significant, very little is known about the methods used by enforcement agencies to detect it, particularly in P2P networks. We have conducted the first scientific, experimental study of monitoring and copyright enforcement on P2P networks and have made several discoveries which we find surprising.

  • Practically any Internet user can be framed for copyright infringement today.
    By profiling copyright enforcement in the popular BitTorrent file sharing system, we were able to generate hundreds of real DMCA takedown notices for computers at the University of Washington that never downloaded nor shared any content whatsoever.Further, we were able to remotely generate complaints for nonsense devices including several printers and a (non-NAT) wireless access point. Our results demonstrate several simple techniques that a malicious user could use to frame arbitrary network endpoints.
  • Even without being explicitly framed, innocent users may still receive complaints.
    Because of the inconclusive techniques used to identify infringing BitTorrent users, users may receive DMCA complaints even if they have not been explicitly framed by a malicious user and even if they have never used P2P software!
  • Software packages designed to preserve the privacy of P2P users are not completely effective.
    To avoid DMCA complaints today, many privacy conscious users employ IP blacklisting software designed to avoid communication with monitoring and enforcement agencies. We find that this software often fails to identify many likely monitoring agents, but we also discover that these agents exhibit characteristics that make distinguishing them straightforward.

While our experiments focus on BitTorrent only, our findings imply the need for increased transparency in the monitoring and enforcement process for all P2P networks to both address the known deficiencies we have exposed as well as to identify lurking unknown deficiencies.

More details about our findings and our experimental methodology are available in our online FAQ. A more thorough treatment is available in our technical report.

Paper

Challenges and Directions for Monitoring P2P File Sharing Networks –or– Why My Printer Received a DMCA Takedown Notice [ pdf ]

Michael Piatek, Tadayoshi Kohno, Arvind Krishnamurthy
Technical report #08-6-01, University of Washington, Department of Computer Science & Engineering.

People

Contact us

Graduate student Faculty
Michael Piatek Tadayoshi Kohno
Arvind Krishnamurthy

Acknowledgments

This work is supported by the NSF (CNS-0720589, 0722000, 0722004) and UW CSE.

uw | cse | systems, networking, & security

Frequently Asked Questions

Background

Q: What is a P2P file sharing network?
Q: What is BitTorrent?
Q: What is a DMCA takedown notice?
Q: Who are the major copyright enforcement agencies?
Q: Could a person receive a DMCA takedown notice and actually be innocent?


Methodology and experiments

Q: Why is this happening?
Q: Can you give us some examples of how this could be happening today?
Q: Your paper mentioned one way in which innocent users might incorrectly receive a DMCA takedown notice. Could there be other ways in which this is happening?
Q: Your paper says that your study is unique in that you intentionally try to receive DMCA takedown notices for your machines. Is that true?
Q: Do your current experiments apply to all copyright enforcement agencies?
Q: The title of your paper indicates that you received DMCA complaints for a printer, but printers can’t even run P2P software. How is that possible?
Implications

Q: What’s the most important conclusion to draw from your study?
Q: Have you notified enforcement agencies of your work?
Q: I use P2P software, but I also installed software that blocks communication with monitoring agencies. Can I avoid detection?
Q: I’m a network operator working at an ISP. Should I be suspicious of DMCA takedown notices?
Q: Suppose the copyright enforcement agencies fix the particular problems that you identified. Will we now all be able to have confidence in the accuracy of DMCA takedown notices?
Q: Do your results mean that all DMCA takedown notices are invalid?
Q: Whose side are you on? Are you helping the copyright enforcers? Are you helping people circumvent copyright?

Background

Q: What is a P2P file sharing network?
A P2P file sharing network is a service for downloading files on the Internet. Usually, downloading a file is just like downloading a webpage: your computer obtains the entire file from a single webserver. In a P2P file sharing network, files are downloaded from many servers. Further, once a user downloads parts of a file, his or her computer can act as one of these servers.

Our study focuses on one particular P2P file sharing network: BitTorrent.

Q: What is BitTorrent?
BitTorrent is one type of P2P file sharing network that is extremely popular today and is the focus of our study. BitTorrent can be used to share any type of file and is used today to share both legal, freely available content as well as material protected by copyright.

Q: What is a DMCA takedown notice?
A DMCA takedown notice is a formal request to stop a particular file from being shared on the Internet. The name ‘DMCA’ comes from the Digital Millennium Copyright Act, a 1998 law which limits the liability of Internet Service Providers (ISPs) for copyright infringement and defines a new legal framework for copyright enforcement on the Internet. Check out a sample DMCA takedown notice.

Q: Who are the major copyright enforcement agencies?
Generally, complaints are sent by third parties on behalf of content producers. Over the course of our entire study (corresponding to our August, 2007 and our May, 2008 experiments), we have received complaints from both individual companies focused on monitoring P2P networks and larger industry associations. These agencies represent a diverse set of content producers in the movie, television, music, publishing, and software industries.

Q: Could a person receive a DMCA takedown notice and actually be innocent?
Up until now, many people assumed that they were guilty. While others have suggested that the results might not be conclusive, we are the first to provide scientific evidence that people could be receiving DMCA notices today for allegedly illegally sharing content when in fact they were not. Given this potential for false positives, there is a pressing need for the development of more robust monitoring techniques as well as greater transparency and openness on the practices of the monitoring agencies.

Methodology and experiments

Q: Why is this happening?
Our results uncovered one way that this could be happening today. Downloading a file from BitTorrent is a two step process. First, a new user contacts a central coordinator that maintains a list of all other users currently downloading a file and obtains a list of other downloaders. Next, the new user contacts those peers, requesting file data and sharing it with others. Actual downloading and/or sharing of copyrighted material occurs only during the second step, but our experiments show that some monitoring techniques rely only on the reports of the central coordinator to determine whether or not a user is infringing. In these cases whether or not a peer is actually participating is not verified directly. In our paper, we describe techniques that exploit this lack of direct verification, allowing us to frame arbitrary Internet users.

To draw on a real-world analogy, consider the ride-share bulletin boards common on many university campuses. People post requests for and offers of rides to various locations and contact information. Suppose a monitoring agency wanted to keep track of anyone who shared a ride from Seattle to Portland. One method would be to simply take a picture of the bulletin board each day, noting the names of people that requested a ride to Portland. The problem with this approach is that anyone can post to the bullet board claiming to be anyone else; there is no way to know if the person named in the request actually made that request unless that person is directly observed getting in the car. Unfortunately, several copyright enforcement agencies appear to rely only on the analog of the former approach (taking a picture) and do not directly observe users sharing files (getting in the car).

Q: Can you give us some examples of how this could be happening today?
Here are two examples of how the above-mentioned technical flaw could potentially lead to erroneous DMCA takedown notices to innocent users:

  • Framing: One can implicate arbitrary users by registering their identity in the P2P file sharing networks. Monitoring agencies that use indirect evidence – such as taking a snapshot of the set of users found on the P2P network without actually verifying whether the users are actively sharing the copyrighted content – could end up sending erroneous DMCA notices to innocent users.
  • DHCP: In P2P file sharing networks users are typically identified by the IP addresses of their computers. However, most ISPs today assign IP addresses to users dynamically (using the DHCP mechanism). This dynamic reassignment of IP addresses could result in users being falsely accused.

We have experimentally verified the former and outline settings where the latter scenario could occur. But, we stress that focusing on just these particular examples misses the point. The point is that DMCA takedown notices can and are being sent erroneously. The bigger picture question is: What can we do to ensure that all future DMCA takedown notices are actually well-founded? We argue that this requires more openness in the monitoring and enforcement process.

Q: Your paper exposed one flaw in existing monitoring practices which could lead to innocent users incorrectly receiving DMCA takedown notices. Could there be other ways in which this is happening?
Yes. Unfortunately, there’s still very little known regarding the practices of copyright enforcement agencies. We found one way in which DMCA takedown notices could be sent incorrectly to users of one type of P2P file sharing network. But, many more faults might exist that remain undiscovered. We believe that public review of an open and well-documented enforcement process is critical to building confidence in the accuracy and legitimacy of P2P monitoring and copyright enforcement.

Q: Your paper says that your study is unique in that you intentionally try to receive DMCA takedown notices for your machines. Is that true?
Yes. As a result of our experiments, we’ve collected more than 400 DMCA takedown notices from the music, movie, software, publishing, and TV industries, all without downloading or uploading a single file!

Q: Do your current experiments apply to all copyright enforcement agencies?
In truth, we can’t be certain. Our experiments show that deficiencies exist in the enforcement practices of some agencies, but not necessarily all. In August 2007 we received erroneous takedown notices for all major types of content (music, movies, software, books, etc). And, in May 2008, we received such faulty DMCA takedown notices for movies, television, and software. In our May 2008 experiments we did not receive any notices for music and books, but that is far from conclusive evidence that practices have changed.

We do know, however, that at least the RIAA has started to become more open in describing parts of their processes. We commend them for this, and we hope our work encourages them to continue to become increasingly open. The fact remains, however, that at least some copyright enforcement agencies are using a fundamentally flawed technique when they accuse users of illegally sharing content. We hope that our research will serve as a wake-up call for the entire industry to be more open about their processes.

We further wish to draw a distinction between indirect detection and direct detection methods. We refer the reader to the paper for additional information, but mention here that direct detection methods–like what at least one content enforcement agency claims to use when monitoring Gnutella–have the potential for being much more conclusive than indirect detection methods.

Q: The title of your paper indicates that you received DMCA complaints for a printer, but printers can’t even run P2P software. How is that possible?
Surprisingly, it is possible. We have received DMCA complaints for several printers and even a wireless access point! (Please note that these are printers directly connected to the Internet and have their own IP addresses.) This is possible because some monitoring agencies don’t verify that a user reported to be sharing a file actually is sharing that file. This allows a malicious person to frame any device connected to the Internet: whether a printer, a wireless access point, or an innocent user’s computer.

Implications

Q: What’s the most important conclusion to draw from your study?
The fact that we can generate DMCA complaints for arbitrary users regardless of whether or not copyright infringement actually occurred casts doubt on the current approach to copyright enforcement on P2P networks. As a result, Internet users and ISPs should not interpret DMCA complaints as foolproof; false positives are a very real possibility. Going forward, we believe our work shows a compelling need for increased transparency in the P2P monitoring and enforcement process.

Q: Have you notified enforcement agencies of your work?
Yes. In 2007, our university’s DMCA response team contacted several enforcement agencies and indicated that our work did not involve the sharing of any file data and that their complaints were spurious. In our current study (2008), we continue to receive complaints from several of these enforcement agencies.
We thank Daniel Schwalbe, Head of Outreach & Special Projects, Office of the CISO, and member of UW’s DMCA response team, for all his help here.

Q: I use P2P software, but I also installed software that blocks communication with monitoring agencies. Can I avoid detection?
Not necessarily. In our study, we found that the lists used by some popular blacklisting software cover only some peers that are likely monitoring agents. Several likely monitoring agents are not included. Further, because enforcement agencies often send complaints without having communicated directly with users, whether or not communication with monitoring agents is avoided has little impact on whether a complaint is sent. More details are available in the paper, but in short: current blacklists do not guarantee that P2P users will avoid complaints for copyright infringement.

Q: I’m a network operator working at an ISP. Should I be suspicious of DMCA takedown notices?
Yes. Our results show that some methods used to generate DMCA takedown notices in BitTorrent are not conclusive and may misidentify users. This may also be true for other P2P networks. We therefore think that network operators should sanity check complaints as much as possible.

Q: Suppose the copyright enforcement agencies fix the particular problems that you identified. Will we now all be able to have confidence in the accuracy of DMCA takedown notices?
Unfortunately not. This is another reason why openness and transparency on the part of copyright enforcers is so important.

We’ve discovered one way in which users might falsely get DMCA takedown notices. Without more transparency, our concern is that–even if the copyright enforcers fix the problems we’ve identified–there might still be many other flaws remaining and new mistakes introduced in the future.

In our view, enforcement agencies need to make their processes open and transparent in order to increase confidence in the accuracy of DMCA takedown notices.

Q: Do your results mean that all DMCA takedown notices are invalid?
No, many are still valid. Further, while we found a flaw in how enforcement is done in BitTorrent, we re-emphasize that we did not study other P2P file sharing networks and hence cannot speak authoritatively about enforcement flaws in those other systems.

But, again, we stress that focusing on any particular flaw misses the most important point. The fact that any flaw exists is a serious concern. More hidden flaws could exist, masked by the general lack of transparency in current processes. Our work therefore highlights the need for greater transparency.

Q: Whose side are you on? Are you helping the copyright enforcers? Are you helping people circumvent copyright?
We are not taking sides on this particular issue, except to note that we do not wish to condone or support any illegal activities. Rather, we’re exploring from a scientific perspective the tension between P2P users and enforcement agencies. The results in our paper can be used to help all the parties involved in different ways. Please read the paper for additional information.


Advertisements

June 5, 2008 - Posted by | Copyright / P2P / Law

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: