bram, thievery and the hash

posted by tom / November 08, 2004 /

It was inevitable. The MPAA has finally gotten into the hot new trend that its kid sister RIAA has been pushing for years: suing P2P users. To their credit, they seem to be behaving a bit more sanely than the RIAA -- although their actions are the same, their rhetoric is at least a little less inflammatory. Most likely, though, this is simply because they can afford to be: movies on filesharing networks tend to be at least 150 times larger than songs, and a lot of people simply can't be bothered.

But there's a glaring omission on the list of the prosecuted-to-be. Kazaa, Gnutella, eDonkey -- it wasn't hard to see those coming. But where's BitTorrent?

BitTorrent is young, but it's already become the preferred method for small-scale distribution of large files -- that is to say, it's the go-to application for movie pirates. There are good reasons for this. For those of you unfamiliar with BT, here's a quick explanation.

BitTorrent is not like a traditional P2P application. There's no search function, no shared directories, no chatrooms. You install the application and it simply adds some functionality to your system. It's roughly analogous to RealPlayer in that respect: once installed, you can click on a .torrent file and start a BitTorrent download. The download window looks a little fancier, but the experience is a lot closer to using your web browser than it is to using Kazaa.

The difference is behind the scenes. A torrent has a number of "seeds" -- people with a complete copy of the desired file. When you start a download, you connect to what's called a "tracker" -- this keeps tabs on who's participating in the download. Once you're connected to the tracker, you're part of the "swarm" -- people with partial copies. Those partial copies consist of random chunks of the complete copies, so useful data doesn't just come from the seeders, it also comes from other peers with partial copies. Topping it off, the rate at which you can download at a given moment is proportional to your current upload rate, keeping things fair and (relatively) leech-free. This description isn't perfectly accurate, but it paints the general picture.

So why isn't BT being prosecuted? Well, there are a few reasons.

First, it's not a corporate endeavor. The protocol and the first BT application were invented by some weirdo named Bram. He makes money off of it with a PayPal link instead of the more traditional MBA-authored bundle of lies (also known as a prospectus). And it's open-source; the first BT link I listed was to BitTornado, a derivative, souped-up BT client. The point is: there's no centralized authority here to go after, no Cayman Islands PO box to which subpoenas can be sent.

Second, it's ad-hoc. People don't have shared folders -- you share the file you're currently downloading. That's it. Users are strongly encouraged to keep their download open for 24 hours or so after it's complete, to help keep the swarm alive and seeded, but nobody keeps their downloads open indefinitely. Consequently, there's a narrow window of liability.

Third, it's been legitimized. A lot of companies are using BT to distribute large files in order to save on bandwidth costs. The videogame industry has embraced it enthusiastically. Sites like IGN weren't going to be able to offer downloads of game demos indefinitely, now that demos regularly clock in at hundreds of megabytes. BT solves that problem. And its use is spreading beyond the nerd ghetto as well. Before the election I downloaded more than one embarrassing clip of President Bush through BT from sites like Daily Kos. Folks without huge data pipes can host a .torrent file instead of the video to which it points and wind up using orders of magnitude less bandwidth.

Fourth, it's port-agnostic. When Kazaa needs to contact another client on the network, it sends a packet. But how does the computer know that packet is intended for Kazaa instead of IM, or your web browser, or whatever other applications you're running? Answer: in general, each application gets a port number assigned to it, with which all its packets are marked. This makes things very easy for organizations like the MPAA -- all they have to do is scan a huge chunk of IP addresses, sending a request on the port of a given P2P application. When they get a response, they know a copy of that application -- Kazaa, for instance -- is running, and can flag that IP for more thorough investigation. Or, if you're an ISP, you can easily block all Kazaa traffic by disallowing packets marked with the relevant port number -- this is already being done at many universities.

This isn't the case with BitTorrent. The tracker is identified in the .torrent file, but it can run on any port. And when you connect to it, you can easily specify which ports your client should use -- the client will report these to the tracker, which will keep track of them for as long as you're connected.
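To make the port point concrete, here is an added example (not part of the original post): a small Python decoder for the bencoded .torrent format that reads the tracker's host and port out of the `announce` key and checks them against a fixed-port filter. The tracker hostnames, the sample metainfo and the blocked port 6969 are constructed for illustration.

```python
from urllib.parse import urlparse

def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                        # list or dict, closed by "e"
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        if len(items) % 2:
            raise ValueError("dict with a key but no value")
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                              # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        start, n = colon + 1, int(data[i:colon])
        if start + n > len(data):
            raise ValueError("truncated string")
        return data[start:start + n], start + n
    raise ValueError(f"bad bencode at offset {i}")

def make_torrent(announce: str) -> bytes:
    """Constructed sample metainfo (not a real torrent) for a given tracker URL."""
    a = announce.encode()
    return (b"d8:announce%d:%b4:infod6:lengthi1024e4:name8:demo.bin"
            b"12:piece lengthi256eee" % (len(a), a))

def tracker_endpoint(torrent: bytes):
    """Return (host, port) of the tracker named in the metainfo's announce key."""
    meta, _ = bdecode(torrent)
    url = urlparse(meta[b"announce"].decode())
    return url.hostname, url.port or {"http": 80, "https": 443}.get(url.scheme)

def caught_by_port_rule(torrent: bytes, blocked_ports: set) -> bool:
    """True if a fixed-port filter would match this torrent's tracker."""
    return tracker_endpoint(torrent)[1] in blocked_ports

if __name__ == "__main__":
    BLOCKED = {6969}  # assumed example rule, not taken from the post
    for url in ("http://tracker.example.org:6969/announce",
                "http://tracker.example.org:8080/announce",
                "http://tracker.example.org/announce"):
        t = make_torrent(url)
        print(tracker_endpoint(t), "caught" if caught_by_port_rule(t, BLOCKED) else "missed")
```

The same tracker host is caught on one port and missed on the other two, which is why a filter has to read the endpoint from the metainfo rather than assume a port.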

The result is that scanning for BitTorrent use is a lot harder than finding users of other P2P applications. Sure, IP owners can build custom applications that connect to a tracker and find out the users currently downloading a file; or they could set up "honeypot" trackers, and keep tabs on who connects to them. But in the case of the former it's unclear, to me at least, whether you could prosecute for partial downloads, and in the case of the latter there are probably some entrapment issues involved. The operation will always be slower. And anyway, the ad-hoc nature of the network will make the collected evidence point to only a single file in most cases. How much of a fine can you reasonably get for that? And what if, when the FBI knocks down the kid's door, they find he already owns the movie on DVD? Can you still drag him to court? Do you want to? The end result will likely be a lot less disincentive for every dollar you shovel into the effort. Better to go after the high-return pirates on Kazaa. Hunting down the folks who run BT trackers makes sense, but again, the app's port-agnosticism prevents that from being an automated process.

So is the movie industry screwed? Well, yes. They can continue to stanch the flow of DVD-quality movies from screeners and other pre-released materials using techniques like steganography to make movie rippers very, very sorry after the fact. But as long as movie executives have miscreant teenage sons the files will be leaked. Unless the industry can shove DRM down our throats, the only thing saving them is that cable and DSL aren't fast enough to make downloading movies convenient. Yet.

Comments

the new Verizon fiber-optic service which is being pioneered in Arlington provides 15Mbps download and 2Mbps upload, that's about (check my math) 2 megabytes per second, so under optimal conditions you could download a gigabyte (that's about how big a DVD image is, right?) in 10 minutes. I can't even drive to the video store that fast.

Posted by: jon on November 8, 2004 03:18 PM

a true DVD image is closer to 3-5 gigs, but a lot of movies on the internet are compressed down to 700 megs.

They've got that consumer fiber service in Arlington now too, huh? I had heard just Fairfax. Awesome.

Posted by: tom on November 9, 2004 08:54 AM

those fuckers in Fairfax had it first? I will stick my foot so far up their asses they will be flossing with my shoelaces. I was going to pay for it at my dad's house, it's only $50 a month but we of course are out of their service area.

Posted by: jon on November 9, 2004 11:48 AM
