What Evidence Do BitTorrents Leave Behind?

The recent online piracy debate in Australian courtrooms has raised many questions about how consumers are being monitored. Just what sort of trail do you leave behind when you use technology to access illegal copies of movies and other copyrighted material?

Back in 2015, the Federal Court of Australia ruled that iiNet and a number of other internet service providers (ISPs) were required to disclose details of 4726 account holders whose accounts were alleged to have been used to illegally download the movie Dallas Buyers Club. As we all know, the court case was eventually dismissed due to the rights holders’ refusal to rule out speculative invoicing, which would have seen alleged pirates slugged with penalty notices in the mail.

The industry has since moved on to a URL blocking approach – but the targeting of individual infringers remains a distinct possibility, particularly if the current method fails to curb piracy levels. One way this may come to pass is via the monitoring of BitTorrent, which remains one of the most popular ways to access and share copyrighted material over the internet without permission.

BitTorrent is a protocol (i.e. a detailed procedure) for transferring files — including, but not limited to, music and video files — between networked computers. It was invented in the early 2000s by Bram Cohen, a programmer who went on to found a company called BitTorrent Inc that produces official BitTorrent software, which implements the protocol. Many other organisations have written compatible software.

To explain what BitTorrent does and how its users can be traced, it’s first worth examining more common examples of file transfer protocols. HyperText Transfer Protocol (HTTP) and its more secure cousin HTTPS are two of many other file transfer protocols.

But there are some key differences between “client-server” protocols such as HTTP and HTTPS, and peer-to-peer protocols like BitTorrent.

The client-server approach

When a browser retrieves a web page or other resource from a web server, the page to retrieve is defined by a Uniform Resource Locator (URL). For example, one of my previous articles at The Conversation has the following URL:


In this URL, the “https” indicates the protocol and “theconversation.com” is the host name. The remaining part of the URL denotes a specific resource (file) on the host server.

When you access a URL, the web browser (i.e. the client) examines the host name (theconversation.com) and contacts a name server to find out the Internet Protocol (IP) address of the server responsible for hosting “theconversation.com”.

It’s just like looking up a person by name in a phone directory to get their phone number.

Once the browser knows the IP address of the server, it contacts the server and asks for the content as indicated by the rest of the URL. The server retrieves the content and sends it, in its entirety, to the client’s IP address.

It’s worth noting that the client also has an IP address, but that only has to remain stable for a relatively short period of time, and doesn’t have to appear in any directory.

Most home ISPs only provide IP addresses to their customers on a temporary basis. Furthermore, that “visible” IP address is shared between all the devices connected to a home network. This might include a couple of PCs, a few tablets and smartphones or even internet-connected appliances, possibly owned by different people.

Client-server file transfer protocols work well for many purposes. Unfortunately, media files — particularly high-definition video for movies — can be very large. A high-quality full length movie runs to hundreds of megabytes of data that needs to be transferred to the client. Multiple simultaneous requests for them will overwhelm most standard internet servers.

Companies such as Netflix and YouTube therefore need large “server farms” with extremely fast and expensive network connections to meet peak demand.

Sharing the load

But there is an alternative approach. We don’t need to ask the original server for the file — any intact copy will do. All we need is a mechanism for finding out which computers have a copy of the file we want and are willing to share it, at this particular moment, and what their IP addresses are so we can contact them and ask for a copy.

And that’s precisely what early peer-to-peer file sharing mechanisms such as Napster and Gnutella did. Rather than one server providing the files, Napster and Gnutella had central servers that kept track of the IP addresses of computers (i.e. peers) currently offering particular files on a minute-by-minute basis, and a mechanism for requesting a file from another peer.

BitTorrent has an additional refinement. When your software makes a BitTorrent request, you get a list of the IP addresses of a swarm of peers who either have a complete copy of the file (“seeders”, in BitTorrent’s terminology), or are in the process of retrieving the file (non-seeder peers, or “leechers”).

The software then requests “chunks” of the file from both seeders and leechers. Other leechers can request the parts you do have even before you have a complete copy.

Because of this cooperation, a very large number of computers can simultaneously get copies of very large files, without putting undue load on any one computer or network link.

Legal and not-so legal sharing of files

This has a number of very useful non-controversial applications. For instance, Facebook uses the BitTorrent protocol to transfer software updates to the thousands of servers it uses.

But it’s undeniable that BitTorrent is also very useful for those who want to share copyrighted material. The only permanent infrastructure required is a server that has links to “torrents” — the originating seed which maintains a list of the computers in a swarm.

Not only is this not particularly costly, it maintains a level of indirection to the possibly copyright-infringing files being shared.

This has not stopped authorities — with the strong encouragement of the movie, television and music industries — using the law to attempt to shut down torrent directories for copyright-infringing material such as the Swedish-based The Pirate Bay.

It’s worth noting that BitTorrent Inc itself is not associated with The Pirate Bay or any other copyright-infringing torrent directory. It is not a party in the present lawsuit about the alleged use of BitTorrent technology for copyright infringement.

Despite periodic shutdowns and arrest of The Pirate Bay’s creators, it and other torrent directories remain available.

Representatives of copyright holders have resorted to another approach: suing BitTorrent users who have shared copyright-infringing files. To do so they must identify those users, both to contact them and to provide sufficient certainty that they will be held legally liable.

IP addresses revealed

Identifying the IP addresses of the members of a BitTorrent swarm is extremely simple. When a new client connects to the swarm, the IP addresses of the members of the swarm are transferred to the client, and existing clients are updated as new clients enter or leave.

Therefore, if an organisation wishes to identify those participating in trading a particular infringing file, they merely need to write a modified BitTorrent client that connects to the relevant swarm and records the list of participants.
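An added example, not part of the original article and not code from any monitoring product: it decodes a peer list of the kind described above and shows the only fields an observer can record from it. It assumes the list arrives as a tracker "announce" response in BitTorrent's standard bencoded compact format (6 bytes per peer: 4 for the IPv4 address, 2 for the port); the function names are illustrative and the sample response, addresses and timestamp are constructed.

```python
import ipaddress
import struct
from datetime import datetime, timezone

def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dict, closed by 'e'
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        start, n = colon + 1, int(data[i:colon])
        if start + n > len(data):
            raise ValueError("truncated byte string")
        return data[start:start + n], start + n
    raise ValueError(f"bad bencode at offset {i}")

def peers_from_announce(raw: bytes):
    """Return [(ip, port), ...] from a tracker announce response."""
    resp, _ = bdecode(raw)
    if not isinstance(resp, dict):
        raise ValueError("announce response is not a dictionary")
    if b"failure reason" in resp:
        raise ValueError(resp[b"failure reason"].decode(errors="replace"))
    blob = resp.get(b"peers", b"")
    if isinstance(blob, list):                      # older form: list of dicts
        return [(p[b"ip"].decode(), p[b"port"]) for p in blob]
    if len(blob) % 6:
        raise ValueError("compact peer list is not a multiple of 6 bytes")
    return [(str(ipaddress.IPv4Address(blob[o:o + 4])),
             struct.unpack("!H", blob[o + 4:o + 6])[0])
            for o in range(0, len(blob), 6)]

def observation_log(peers, seen_at: datetime):
    """What a swarm observer can record: address, port and time, nothing more."""
    stamp = seen_at.astimezone(timezone.utc).isoformat()
    return [{"ip": ip, "port": port, "seen_at_utc": stamp} for ip, port in peers]

def compact(ip: str, port: int) -> bytes:
    return ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)

# Constructed sample using documentation-only address ranges (RFC 5737).
SAMPLE_PEERS = (compact("192.0.2.10", 6881) + compact("198.51.100.7", 51413)
                + compact("203.0.113.25", 6881))
SAMPLE_RESPONSE = b"d8:intervali1800e5:peers%d:%be" % (len(SAMPLE_PEERS), SAMPLE_PEERS)

if __name__ == "__main__":
    when = datetime(2015, 4, 7, 2, 30, tzinfo=timezone.utc)  # constructed time
    print(observation_log(peers_from_announce(SAMPLE_RESPONSE), when))
```

Each record holds a public IP address, a port and a time of observation. Tying that to an account holder depends on the ISP's own records for that address at that moment, which is why the timestamp matters when addresses are handed out temporarily and shared by every device on a home network.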

University of Birmingham researchers have reported on the extent of such monitoring, which indicated that at the time of their study in 2012, participants in high-profile torrent swarms would be logged within three hours.

In the current court case, the recording of IP addresses was performed by a product called Maverik Monitor, written by the German firm Maverickeye. The court decision makes amply clear that Maverik uses the general approach outlined above. The judge was satisfied:

[…] that there is a real possibility that the IP addresses identified by Maverik Monitor were being utilised by end-users who were breaching copyright in the film by making it available for sharing on-line using BitTorrent participating in a torrent swarm […]

The judge therefore decided that this was sufficient reason to permit “discovery” and ordered that several Australian ISPs turn over their records.

Proving copyright infringement

The fact that the judge accepted the possibility that the IP addresses might be being used for infringing copyright, however, does not necessarily mean that the ISP account holders identified will automatically be held liable for copyright infringement.

The judge authorised handover of IP records for three purposes:

  • seeking to identify end-users using BitTorrent to download the movie
  • suing end-users for infringement
  • negotiating with end-users regarding their liability for infringement.

But identifying the end-user responsible for BitTorrent use to a sufficient degree of certainty may prove challenging in many cases, to an extent not clearly articulated in the judge’s decision.

For instance, home Wi-Fi networks are often left “open” (not requiring a password to access the network), allowing any device within range to use the network, including for BitTorrent. That range can often extend considerably beyond the boundaries of a person’s property.

It’s clearly going to be a challenge to identify all the actual people responsible for accessing illegal copies if our courts ever decide to go after them.

Evading the BitTorrent monitors

There are a number of technical measures that determined pirates can use to avoid BitTorrent IP monitoring, aside from taking advantage of open Wi-Fi networks.

Virtual Private Networks (VPNs) are one such measure. They provide an encrypted “tunnel” between an Australian computer and a proxy in a country with a less conducive legal framework for copyright infringement lawsuits.

Many VPN providers take payment by near-untraceable means such as pre-paid credit cards, or Bitcoin, and claim not to keep logs tying the visible IP address from their systems to the Australian IP address at the other end of the tunnel.

Like BitTorrent itself, VPN technology has many legitimate uses, not least in providing secure remote access to corporate and governmental networks for employees. As such, banning or restricting the technology would be costly and impractical.

Robert Merkel is Lecturer in Software Engineering at Monash University.

This story has been updated since its original publication.

This article was originally published on The Conversation. Read the original article.


  • Hello –

    my post below is half informed / a little off topic / and raises a geek question I don’t know the answer to. All this is my fault so I accept all//some//partial//no responsibility…. 🙂

    Here is the story :
    BTW if you can answer the geek question below, thanks in advance.

    Ok. Very recently, I signed up for a shiny new vpn service. Like probably a few other people.

    Anyway I got my new IP (from the vpn provider) and went to : http://ipleak.net/#webrtcleak
    Which is a great site and showed my real IP address, brilliant (Ummm not really) !!

    It turns out it’s a WebRTC leak. Try it for yourself with your vpn. I don’t really follow how it works but from the website;
    WebRTC implement STUN (Session Traversal Utilities for Nat), a protocol that allows to discover the public IP address.

    The geek question I have is does this matter at all ? It (the leak) can be avoided using firefox BUT should I worry about it if (the whole point being is that) I want to hide my IP address? In other words does this leak “sink the boat” or instead just “wet the shoes” ?

    Firefox is a truly great browser but not my preference. Thanks for reading…………..

    • Wetting the shoes.
      -Only web browsers (and only the major ones at that) implement WebRTC, and it can be blocked for each
      -WebRTC connections require permission from the user to run
      -A site would need to use JS to request the connection, so basic JS blocking also circumvents it
      -Only compromised sites, or sites which actually use WebRTC, will even prompt you

      So if KAT or TPB or w/e suddenly prompts you for a WebRTC connection, all you have to do is decline.
      And even if you accept, at worst they’ll be able to see that your IP visited the page on which the script runs; the site would have to be quite malicious or completely compromised already (tracking clicks, sending the info via AJAX to another server, etc.) for the info to do any good.

      In the case of BitTorrent traffic, since that’s what this article is about, there aren’t any torrent clients that support WebRTC, and I can’t see any reason why they would do so in the future.
      So worst-case scenario, a compromised site tracks your VPN IP, real IP, and the torrent/hash you download, the ones behind it then monitor the torrent in question for the IP, and argue to a judge that it must have been you; a very tall order with many flaws.

      • A way around that is to obtain the link to the torrent using one VPN IP, then reconnect the VPN and obtain another VPN IP and download the torrent.

  • Keeping in mind IANAL; the below may not be 100% but it’s fairly close to the truth as far as I know.

    One thing the article does not mention which is worth keeping in mind.

    Australian law is (currently) fairly lenient on private individuals breaking copyright for private purposes. Generally speaking, for simply copying a file, you can’t be sued for more than a small multiple of the cost of obtaining the media legitimately.

    However, if you make copies “on a commercial scale” the rulebook goes out the window. Criminal sanctions may apply. Hundreds of thousands of dollars and possible jail time.

    BitTorrent sends out copies of your file to all the leechers pulling fragments from your system, which may be tens, hundreds or in extreme cases thousands of peers. It’s quite arguable that this puts it into the “commercial scale” category. In fact, the copyright information document on the Attorney General’s web site uses this as an example: “A court may take into account the high probability of likely infringements in assessing damages in relation to commercial scale electronic infringements, such as peer-to-peer file sharing.”

    In other words, if you are torrenting, not only are you telling everybody else on the torrent your IP address (and an ID for the torrent software you’re using), you’re also effectively telling them that the fines that may apply to you are enormous.

    You’re far better off either using a trustworthy VPN or downloading directly.

    • Or seedbox. The only thing I worry about now is if the seedbox is compromised possibly due to a court order on their end and the meta data from searching for a torrent to copy paste.

    • In the US there was some group of people that distributed some music between themselves with bittorrent. There were 10 of them. Each one was charged with making 10 unauthorised copies. So they don’t care if it’s a complete file.
      Thankfully our courts are a little more sane and most people get away scot free. I think Nintendo did get some kid who ripped the latest Wii game and put it online though.

  • So if they use their own bittorrent client to download and verify that a computer is sharing a file, then tell the court what they found. Isn’t it their word against the IP address user? Isn’t it like me saying “I saw this car speeding, please book him” or “this guy swore at me from his car, please give me his address so that I can sue him”. I don’t get why the court is allowing this. What if they got the IP wrong for example and are threatening/suing the wrong people. The court will have no idea.

    • This happens all the time. Grandmothers that are completely tech illiterate and just use email have been caught up in these.

      They basically go to court with a bunch of IP addresses and say “These IP addresses did naughty things” and then they get a court order to send to ISPs to reveal who they are.

    • How does the speed/latency compare to a direct connection andye? I assume you’d be using the Australian vpn server as the entry point?

      I’m on the verge of signing up but don’t want my already average adsl2 connection to become even slower

      • I use PIA and my speed / latency when I was with TPG wasn’t too bad (yes, even TPG) on ADSL2+. Recently switched telcos to … someone else … and have seen speeds plummet which is a bit of a concern. That being said the PIA ‘exit node’ you use seems to make a difference too – California or Midwest seem to be the fastest, while Seattle and Florida generally a bit slower (and I think lately the client has been defaulting to Seattle – will need to change the node selection back to manual methinks).

        PIA have recently (well … could be anytime in the last year … but I only NOTICED recently) added an Australia ‘exit node’ which gave me a bit of a ‘WTF’ moment. One can only assume they’ll be turfing that exit node again soon, given their stated commitment to not keeping logs (and one would imagine with data retention here now being mandatory, keeping the Australian exit node could make things REAAAL tricky).

        Don’t know how the other exit nodes outside the US fare speedwise – I’ve used Canada once or twice back on TPG, and I think I’ve used UK once, but all the other weird and wonderful options (Romania, Singapore, anyone ?) haven’t really grabbed me …

  • In answer to the Q about the impact of PIA on connection speeds. Your pings will take a hit (18 ms to 500+ ms) unsurprisingly since this is just the physics of geography. Whereas in my experience DL speeds are compromised by about 10% from Sydney to California & around 20% Sydney to London.

  • I’ve read that the torrent protocol was never designed for anonymous access so, as a result, it discloses your real IP address in the headers…hence a VPN is of limited value because if you are connected to a MPAA peer or tracker then they will see your real IP address as well as the VPN address…I defer to those more technically capable to verify\refute this?

    • They will only see the VPN IP address, not your real one.

      You request a torrent chunk. It goes through your VPN, then exits somewhere and hits the open net. The tracking company catches the IP address of the VPN exit node. The chunk reaches the VPN exit node, then enters the VPN network and is routed to you.

      You are fairly safe unless the exit node is compromised.

  • Back in the day I used to use a program that had a collated list of IP addresses that it would not connect to that were known blocks used by governments and rights holder companies trying to sue people. Forget what it was called but if you are downloading over the open net, at least install that. Peerguard or something.

  • Has anyone had any experience with TorrentSafe? Is it any good? Just wondering if it’s worth giving it a try, and how “safe” it would be. Wouldn’t any file download, including the name of the file, still be visible to your IP?

