
Forensic Investigator Outlines BitTorrent Detection Technology

NewYorkCountryLawyer writes "In one of the many BitTorrent download cases brought by pornographic film makers, the plaintiff — faced with a motion to quash brought by a "John Doe" defendant — has filed its opposition papers. Interestingly, these included a declaration by its 'forensic investigator' (PDF), employed by a German company, IPP, Limited, in which he makes claims about what his technology detects, and about how BitTorrent works, and attaches, as an exhibit, a 'functional description' of his IPTracker software (PDF)."
This discussion has been archived. No new comments can be posted.

  • by JoshuaZ ( 1134087 ) on Saturday July 07, 2012 @03:40PM (#40577487) Homepage
    My understanding is that one is only required to give the source if one is distributing the product to other people. As long as the individual keeps the software for themselves, there's no requirement to make the source available.
  • Re:I2P/Freenet (Score:5, Informative)

    by girlintraining ( 1395911 ) on Saturday July 07, 2012 @03:53PM (#40577603)

    Try tracking us there.

    Encrypt all you want. Traffic analysis still screws you every time. The network tries to keep latencies low, so it forwards whatever it receives onto the next hop as soon as it gets it. If you're monitoring the source and the destination, then when it gets decrypted at the destination, you can correlate that with the traversal time through the 'black box' of Tor, Freenet, or whatever... and voilà, you know who sent it, when, and what it was.

    This is a known problem. It's discussed at length on EFF's website. If your connections are made in bulk, at regular intervals, instead of interactively, then it's a lot harder to do traffic analysis if all the other nodes exhibit the same behavior. But as long as you're trying to be anonymous by simply using a series of proxies that are set to store-and-forward... you're still screwed.

  • Re:I2P/Freenet (Score:5, Informative)

    by nurb432 ( 527695 ) on Saturday July 07, 2012 @04:00PM (#40577665) Homepage Journal

    Read up on how Freenet works and you will see it's not just about data encryption. Due to how it routes, and that data chunks are scattered about, it also hides the source and requestors to the point that even if you are on the same LAN and sniffing packets directly you won't know for sure. Sure, you can be caught using it, which could be a legal problem for you depending on where you live, but they won't know if you are doing the requesting of file parts or you are just passing requests along.

    I2P, I believe, has something similar in place, but I'm still learning how their stuff works.

  • Re:I2P/Freenet (Score:5, Informative)

    by lister king of smeg ( 2481612 ) on Saturday July 07, 2012 @04:08PM (#40577727)

    That is why there is garlic routing. Garlic routing is a modification of the onion routing used by Tor; what it does is bundle packets together so as to make traffic analysis useless. It does have greater latency, but that should not be a problem unless you are streaming.

  • Re:Nothing new (Score:4, Informative)

    by Grumbleduke ( 789126 ) on Saturday July 07, 2012 @04:09PM (#40577737) Journal

    It can't prove who, but it can prove whose ISP account was used, and you can possibly claim that they are responsible as either they allowed it to happen, or didn't secure their systems properly.

    Possibly, possibly not. Being a legal thing, this will vary hugely by jurisdiction, but in general I'm not aware of any contested case where an individual has been found liable, either jointly/vicariously, or through negligence, for the mere actions of another using their Internet connection.

    A while back TorrentFreak looked into this, getting a couple of US lawyers to argue for [torrentfreak.com] and against [torrentfreak.com] this sort of liability. Unfortunately the "for" one only discusses negligence, and the "against" only looks into indirect and vicarious liability, so both could be perfectly correct...

    Sort of like if you left your rifle on the front seat of your car, with the doors unlocked, and then it was stolen and used in a crime. You would be partially responsible too.

    This is where the tests for "negligence" come in (ignoring any statute law on the handling of firearms; obviously, where I'm from, possessing a rifle would probably be illegal in the first place). In common law negligence generally requires that there be some duty of care owed by the defendant to the claimant/plaintiff, that the defendant fell below the appropriate standard of care, which caused damage to the claimant that wasn't too remote.

    Wrt allowing someone to use your Internet (or not securing it), it seems possible that there may not even be a duty in place (due to a lack of proximity, unless children are involved), and it would be easy to argue that the standard wasn't breached by simply having an unsecured or weakly secured network, or letting someone use a computer unsupervised (that would be far too onerous).

    It would be an interesting, if pointlessly expensive, case to argue, and afaik, that hasn't been argued either in the US or the UK (the first article references a case, but I have a strong feeling that may be a summary judgment).

  • Re:GUID (Score:5, Informative)

    by Jahava ( 946858 ) on Saturday July 07, 2012 @04:26PM (#40577811)

    It is not possible that an allocated GUID is allocated to another user again.

    I would look into this. As it is written it sounds, at least, misleading. Even if it is true this GUID thing for all P2P protocols (which I sincerely doubt), I would say that it should be spoofable directly or indirectly (compromising the machine if public key cryptography is used).

    He is technically correct, assuming that the act of "GUID allocation" involves the correct use of a valid GUID generation algorithm by the software in question. That said, as you noted, it's remarkably easy to spoof such a GUID (in this case). His statement implies that a GUID positively identifies a user, which it does not, and is thus a misleading statement.

  • Re:I2P/Freenet (Score:3, Informative)

    by Anonymous Coward on Saturday July 07, 2012 @04:59PM (#40578001)

    Freenet sends constant same size chunks. There's no way to tell if you're actively downloading something or not because the node's activity is always the same. Same upload/same download. When it's not fetching stuff for you it's fetching stuff for storage, when it's not uploading your stuff it's uploading "random" stuff from storage. At least that's my understanding of it.
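
An added illustration (not part of any comment above) of the timing argument made in this sub-thread: a relay that forwards immediately preserves the sender's packet rhythm, while one that emits fixed-size cells on a fixed schedule gives an observer nothing to match. The traffic model, function names and parameters are assumptions made for this sketch; it is not Tor, I2P or Freenet code.

```python
import random

def interactive_sends(n, rng):
    """Constructed interactive flow: n packets, exponential gaps (mean 1 s)."""
    t, out = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1.0)
        out.append(t)
    return out

def relay_low_latency(times, rng):
    """Forward each packet as soon as it arrives, plus 50-150 ms of jitter."""
    return sorted(t + rng.uniform(0.05, 0.15) for t in times)

def relay_constant_rate(times, interval=0.5):
    """Emit one fixed-size cell every `interval` s; idle slots carry padding,
    so the wire pattern does not depend on when real packets arrived."""
    return [k * interval for k in range(int(max(times) / interval) + 1)]

def per_window_counts(times, width=2.0, windows=100):
    counts = [0] * windows
    for t in times:
        if t < width * windows:
            counts[int(t // width)] += 1
    return counts

def correlation(x, y):
    """Pearson correlation; 0.0 when either series is flat (nothing to match)."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / (sxx * syy) ** 0.5

def simulate(seed=1):
    rng = random.Random(seed)
    sender = interactive_sends(300, rng)     # the flow that really crossed the relay
    bystander = interactive_sends(300, rng)  # unrelated user active at the same time
    def score(out):
        seen = per_window_counts(out)
        return tuple(round(correlation(per_window_counts(flow), seen), 2)
                     for flow in (sender, bystander))
    return {"low_latency": score(relay_low_latency(sender, rng)),
            "constant_rate": score(relay_constant_rate(sender))}

if __name__ == "__main__":
    print(simulate())  # (true sender, bystander) correlation per relay type
```

The price of the flat output is the bandwidth spent on padding and the delay of waiting for the next slot, which is the latency trade-off mentioned in the garlic-routing comment.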

  • Re:Well (Score:5, Informative)

    by Grumbleduke ( 789126 ) on Saturday July 07, 2012 @05:00PM (#40578015) Journal

    Indeed. My understanding of the situation (having followed some of these cases etc., including attending court hearings) is that the tech companies get paid by the IP. Most other parties involved (the copyright owner, the legal team, the holding company that brings the case) get either a percentage of net profit, or a fixed fee. As such, it's in the tech. groups' interests to provide as many IPs as they can, as cheaply as possible.

    This is why they have been known to cut corners (such as just scraping a list of IPs from a tracker, rather than checking that any given IP is actually sharing the file at the particular time), or spend too much time actually looking into the technology. Interestingly, an "expert witness" in a recent English case noted that he "did not have [the software he was testifying with regard to] installed on his computer, and did not concern himself with how it worked".

    In the ACSLaw leaked emails, one thing that was noted was that around 1 in 4 IP addresses that had been identified as infringing weren't even assigned by the ISP at the time when the alleged infringement occurred. That statistic, to me, suggests that something pretty screwed up is going on with data gathering.
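
An added sketch (not part of the comment above, and not IPP's or any vendor's software) of the two checks whose absence that comment describes: whether data actually received from an address matches the torrent's SHA-1 piece hash, and whether the address was assigned to an account at the logged time. The record layouts, account labels and all sample values are constructed assumptions.

```python
import hashlib
from datetime import datetime, timezone

def utc(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

# Constructed sample data; addresses come from the RFC 5737 documentation ranges.
PIECE = b"constructed piece payload " * 64
# Stands in for one 20-byte entry of the torrent metainfo "pieces" field.
EXPECTED_SHA1 = hashlib.sha1(PIECE).digest()

ISP_LEASES = [  # (address, assigned from, assigned until, account): hypothetical log
    ("203.0.113.7", utc("2012-07-01 08:00"), utc("2012-07-01 20:00"), "account-A"),
    ("203.0.113.7", utc("2012-07-02 06:00"), utc("2012-07-03 06:00"), "account-B"),
]

OBSERVATIONS = [  # what a monitoring tool might log: hypothetical record format
    {"ip": "203.0.113.7", "seen": utc("2012-07-01 12:30"), "piece": PIECE},
    {"ip": "203.0.113.7", "seen": utc("2012-07-01 23:15"), "piece": PIECE},
    {"ip": "203.0.113.7", "seen": utc("2012-07-02 09:00"), "piece": None},
    {"ip": "198.51.100.9", "seen": utc("2012-07-02 09:05"), "piece": b"not the file"},
]

def account_at(ip, when):
    """Return the account holding `ip` at `when`, or None if it was unassigned."""
    for lease_ip, start, end, account in ISP_LEASES:
        if lease_ip == ip and start <= when < end:
            return account
    return None

def assess(obs):
    """List the reasons an observation cannot be tied to an account, if any."""
    problems = []
    if obs["piece"] is None:
        problems.append("list-entry-only")        # address seen in a peer list, no data
    elif hashlib.sha1(obs["piece"]).digest() != EXPECTED_SHA1:
        problems.append("piece-hash-mismatch")    # data received, but not this file
    if account_at(obs["ip"], obs["seen"]) is None:
        problems.append("ip-unassigned-at-time")  # no lease covers the timestamp
    return problems

def report():
    return [(o["ip"], o["seen"].isoformat(), account_at(o["ip"], o["seen"]), assess(o))
            for o in OBSERVATIONS]

if __name__ == "__main__":
    for row in report():
        print(row)
```

The same address maps to two different accounts a day apart in the sample leases, which is why the timestamp and its time zone matter as much as the address itself.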

  • by eruza ( 2679307 ) on Saturday July 07, 2012 @05:24PM (#40578145)

    Found their website for you: IPP International Unternehmensgesellschaft [ippint.de]

  • by Mashiki ( 184564 ) <mashiki@nosPaM.gmail.com> on Sunday July 08, 2012 @01:12AM (#40580289) Homepage

    Sure but this would be the same whether it was GPL'd or not. I seem to recall a breathalyzer lawsuit awhile back where the closed-source designs to the breathalyzers were subpoenaed by the defendants.

    You're correct. There's some info on that right here. [broward-dui-lawyer.com] (I'm too lazy to look for another link.) But, something interesting I bumped across while reading one of the lawyer quarterlies is that increasing amounts of digital evidence are being applied to the "hearsay" rule, because the technical understanding of said evidence is beyond the general scope of the court without an expert witness to explain it. Though to a point, the quarterly was two years old, so how accurate that is today I have no clue. And that was from Canada.
