Wednesday, September 29, 2010

The Internet Vs. Anti-Piracy

Okay, so this started a few weeks back, when anti-piracy firm AiPlex Software were hired to have torrents of some Bollywood films taken down from indexing/tracking sites (including The Pirate Bay) - which don't host infringing files, but provide links to them.

They made their requests, and when the sites in question didn't comply, AiPlex went a step further than any other anti-piracy company had, and DDoSed the sites (temporarily).

Now setting aside for a second the fact that DDoSing is illegal, this was not the wisest move they could've made.


Anonymous
"This is unacceptable to Anonymous. The time has come to show these fuckers that we will not tolerate this."

"Operation Payback is a Bitch" was devised as a means of retaliation by Anonymous, in close association with infamous image-board site, 4chan (among others).

Anonymous are an interesting group. As internet activists, they may well stand for justice, but their definition of justice isn't always in line with, say, the law's - it's very vigilantist. The important thing to keep in mind though, is that Anonymous is akin to a flash mob, and therefore any given 'mob' is going to vary in membership, and even overall ideology, etc.

But in general, Anonymous will act in favour of whatever gives them lulz, or makes a lamentable person suffer.

This can be seen in their attacks on Scientology, on Sarah Palin, their tracking down of Dusty the cat's tormentor and cat-bin-lady or, perhaps most unsettling of all, their tormenting of an 11 year old girl (who, to be fair, probably had it coming). To name but a few.

Long story short, anyone who knows anything about 4chan and Anonymous will know that no sane person would ever risk incurring their wrath.


DDoS

Denial of Service occurs when a server is overloaded with requests. When this happens, the server in question will either slow to a crawl and eventually become unavailable to new requests, or reset itself. In cases where the site is hosted on the same servers as a company's email, backups, assorted storage, etc., this can be quite inconvenient.

NB/ Facebook's recent outage was an example of a self-induced denial of service.

A Distributed Denial of Service attack (DDoS) occurs when a group of individuals use a program - such as the Low Orbit Ion Cannon (LOIC) - to make hundreds, or even thousands of requests per second.

In the case of the Australian anti-copyright firm AFACT, their site was hosted on a cluster server, so when that site was taken out, all (supposedly) 8,000 other sites on the cluster went down as well, including small business and government websites.

In general, DDoSing is more useful for making a statement, since the result is usually only temporary. But sometimes... well, we'll get to that...

Again, this was simply overwhelming a server by flooding it with requests. This was done mostly by Script Kiddies running LOICs - which is as simple as entering the target IP and hitting "IMMA CHARGIN MAH LAZER".

To call this hacking is being far too generous; and from a legal point of view, inaccurate.


Operation Payback

A call to arms was posted on 4chan, and various other sites, demanding retaliation.

This started with revenge upon AiPlex, along with MPAA and RIAA. Then they went after notorious UK anti-piracy law firm and all-round bastards, ACS:Law, who have been guilty of sending out vast numbers of 'menacing' letters demanding money for copyright infringement.

The first attack on them took the site down for a couple of hours.

Head of the company, Andrew Crossley, made the remark:
"It was only down for a few hours. I have far more concern over the fact of my train turning up 10 minutes late or having to queue for a coffee than them wasting my time with this sort of rubbish."
Now I don't know about you, but antagonising your attackers seems like a poor move. Anonymous attacked again, this time knocking out the server and causing it to reset.

But here's what happened this time:
“Their site came back online [after the DDoS attack] – and on their frontpage was accidentally a backup file of the whole website (default directory listing, their site was empty), including emails and passwords,”
Basically, instead of showing the homepage (as it should have), it showed the file directory, on which was found a zip file containing all the emails, etc., all unencrypted.
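
The failure described above (a web root with no index page, so the server fell back to listing a backup archive) can be checked for before it happens. This is an added example, not from the original post; the file-name lists and the sample directory tree are assumptions constructed for illustration:

```python
import os
import tempfile

# Assumed names: these lists are illustrative, not from the original post.
INDEX_FILES = {"index.html", "index.htm", "index.php", "default.aspx"}
RISKY_EXTS = (".zip", ".tar", ".tar.gz", ".tgz", ".7z", ".rar", ".sql", ".bak", ".pst")


def audit_webroot(root):
    """Return one finding per directory under root that holds backup-like files.

    'listing_fallback' is True when the directory has no index file, so a
    server with auto-indexing enabled would show its contents instead of a page.
    'exposed' lists the backup-like files any visitor could then download.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        lower = {name.lower() for name in filenames}
        no_index = not (lower & INDEX_FILES)
        exposed = sorted(n for n in filenames if n.lower().endswith(RISKY_EXTS))
        if exposed:
            findings.append({
                "dir": os.path.relpath(dirpath, root),
                "listing_fallback": no_index,
                "exposed": exposed,
            })
    return findings


def build_sample_root(base):
    """Constructed sample: a site root holding only a backup archive,
    plus a subdirectory that does have an index page."""
    open(os.path.join(base, "site-backup.zip"), "wb").close()
    os.mkdir(os.path.join(base, "blog"))
    for name in ("index.html", "old.sql"):
        open(os.path.join(base, "blog", name), "wb").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_webroot(build_sample_root(tmp)):
            state = "LISTED if auto-index is on" if f["listing_fallback"] else "direct URL only"
            print(f"{f['dir']}: {', '.join(f['exposed'])} ({state})")
```

Any finding is worth acting on: backups do not belong under the document root at all, and auto-indexing should be switched off so a missing index page returns an error instead of a file listing.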

Unsurprisingly, the backups were then put on The Pirate Bay, where they've been shared by lots and lots of people, out for revenge.

As of this time, there have been no reports of victims' sensitive data being used maliciously. Rather, downloaders are more interested in destroying ACS. And, in fact, some of the people who have downloaded the emails have tried to contact and alert the victims whose personal information has been exposed.

Oh, and attacks on various other anti-piracy websites are still ongoing. See here for more information or to participate.


Data Protection Breach


First of all, there's the personal information that's been leaked, including that of thousands of BSkyB customers. This is the part of the story being reported by various outlets.

And if anything, it's that which will get ACS in trouble, since this is a fairly major breach of the Data Protection Act - given that the data was unencrypted and was revealed by a clumsy server, rather than hacking (and PI acknowledge this wasn't hacking).

Word is, the punishment will be around £500,000 worth of fine, plus disciplinary action from the Solicitors Regulation Authority - and this wouldn't be the first time they'd faced disciplinary action from the SRA. So even if the company isn't completely destroyed by all this, they'll still have to pay up more than twice their takings from 'infringers' (~£220,000) - and Crossley might just have to give up that Jeep Compass 2.4CVT he bragged about.

Which is nice. But there was other interesting stuff in there.


Money

It is demonstrably true that ACS cares more about making money for itself than enforcing copyright or protecting artists.

The emails show that ACS were taking approximately 50% of the money retrieved from those accused. And in fact, only about 30% of the money retrieved went to the copyright owners. Which, to me, seems a bit off, in terms of fighting for the rights owners.

No. ACS:Law have jumped on copyright infringement as a way to make a quick buck for themselves, and frankly they deserve everything they get.

A lot of this has been classed as "legal blackmail". We see letters and emails from a vast number of people who, quite obviously, have been wrongfully accused - including old people who are very confused by the claims - that are still paying up because they don't want to be taken to court. And in a lot of the cases the victims are having to ask if they can pay in installments, since they can't afford to pay the lump sum.

NB/ Consumer group Which?, local councils and judges (amongst others) have reported receiving large numbers of complaints from people who have been harassed by ACS.

From what I understand, the victims are being accused of infringing individual (porn) movies or individual songs, and in each case ACS are offering a settlement payment of £495 - just below the "psychological barrier" of £500.

This being the 'claimed' damages resulting from sharing one movie - therefore implying that each infringer shared the movie with, on average, ~49 people. How do they justify this figure? They don't, and indeed can't (see below).

£495 is also low enough that it wouldn't be worth an accused individual disputing the claim in court, given the legal fees would be much higher than that amount - supposedly around £10,000.


IPs and ISPs

In terms of tracking down file-sharers, ACS pays 'monitoring companies', who will find, by various methods, which IP address is sharing a given file, and at what time. ACS then contacts ISPs asking for the physical addresses (supposedly) linked with the 'infringing' IPs.

The main ISP that's gotten very upset by the email leak is BskyB, though there are others, including BT and PlusNet.

ISPs Virgin Media and TalkTalk, on the other hand, have both refused to give out such information.

To quote a commenter on Slashdot:
"ACS:Law were using Norwich Pharmacal civil orders against the ISPs; they basically demand information relevant to a future court case from a third party, in this case the ISP. Sky broadband chose not to contest these court orders, and just supinely handed over the data. Nor did they notify their subscribers that such an order was taking place, so they could fight it if they chose.

In fact, ACS:Law were combining these requests into huge tranches of data - one such recent was 25,000 BT Broadband IP addresses, expected to ID 15,000 subscribers.

Virgin and Talk Talk refused to go along with these orders without a fight - potentially forcing ACS:Law to do a Norwich Pharmacal order per individual IP, which would be ruinously expensive - so the leaked emails reveal that ACS:Law specifically did not target them."

If only other ISPs had the balls to say no as well...


The Revelation

If you'd seen the numbers, you'd be wondering why ACS don't pursue those who dispute the infringement claims, or just outright ignore them. In fact, only 30% of those sent letters settle and pay the £495.

The reason - ACS are aware of how flimsy their case would be, and how easy it would be to contest the claim of infringement.

So their problem is two-fold. First, an IP address isn't always very useful. IP addresses can be spoofed, or a smart user can hide behind a proxy - both meaning the IP address obtained will not match the one at the physical address of the infringer.

Or conversely, if the owner of a given IP address uses an unsecured wi-fi connection, for example, then again someone's going to get wrongfully accused.

But secondly - and this really is interesting - in one email, Crossley's own legal adviser says the following:
"establishing damages beyond the value of the gross profit of one copy of the work is problematic."

Basically, because of the way the monitoring works, they can only prove that the 'infringer' was downloading a copy of the infringing file to their computer.

In other words - while they can assume a user was 'sharing' the file, they can't prove it. And they certainly can't determine the number of people (if any) the user in question was 'sharing' with.

A law firm could (and do) demand greater damages. But if an infringer could prove, for example, that they 'leeched' the file - that is, downloading without uploading (sharing) to other users - then the only damages they can claim are for one copy of the file.

To quote Ars Technica*:
"under UK law, damages are fixed at "economic loss, either realised or potential." When it comes to music tracks, the loss equals "the approximate market value of the track as a single download—79p.""

They would have been fools to take anyone to court, knowing that a defendant could potentially pull that defense, considering how the legal fees would far outweigh that pay-off. And on top of that, if they lose one case, they'd no longer be able to demand £495 - the end of their little extortion business.


Warning

Don't think this renders pirating essentially risk-free. It doesn't. Especially not if you're in America.

Since, in America, copyright holders don't need to prove actual economic harm to demand (outrageously large) statutory damages, the RIAA and MPAA are still milking (alleged) infringers for every last penny they have - and then some.

NB/ The RIAA even tried to sue a deceased woman, who didn't even own a computer while alive(!).

But if you are ever accused of infringement and believe it to be wrongful, tell them so. If you need more advice, visit Being Threatened.

If, on the other hand, the accusations are true, use your best judgement. If you think the settlement is just, pay it. If not, you can either try ignoring it, or seek legal advice in so far as disputing the amount demanded.

And in fact, if you're going to pay up the value of the files you downloaded, you may as well do so by buying physical copies, rather than giving the likes of ACS ~50% of that money.

But if you are summoned to court, you'd better show up AND get yourself a good solicitor, or you could find yourself paying up to the thousands.

Or, you know, you could just not do it in the first place..


Oatzy.


* This quote and lots more details about what bastards ACS:Law are can be found here.
