Last month TorrentFreak took a look at the information being held on users by the operators of private BitTorrent trackers. We questioned whether it was time to take another look at the way that data is being handled in order to better protect site members. In our second article on the issue we look not only at the data stored by individual trackers, but also claims that the information is being shared with dozens of other sites.
When it comes to keeping their privacy, many file-sharers like to think of themselves as a secretive bunch.
The ever popular VPN is showing no signs of decline and as time goes on the interest in joining private torrent communities grows.
Last month we took a look at the large amounts of data being stored by private torrent sites on their users, alongside the question of whether that information could be better handled in future.
That article prompted an individual, ‘X’, to contact us with information on what is perhaps the private tracker scene’s dirtiest and relatively open secret.
For those unaware, ‘X’ was talking about the phenomenon whereby losing an account or misbehaving on one torrent site can affect a user’s status on another. It’s been going on for some time now but it’s definitely worth mentioning in light of current concerns over data privacy.
X asked us to keep him anonymous, and for good reason. He is the former sysop, admin and coder of at least two well known private torrent sites and the founder of another. He asked us simply – what do we know about how much information is being passed between torrent sites?
“I could take a username/email address/IP address and get information about any matching users on 30+ different sites. Some of it was automatic, some of it was request ticket based,” X explained.
So what kind of information is being shared? According to X, a staggering amount.
“Once a user was banned on one of the member private trackers, every IP they ever used for the site, RSS feed/API, and announces (even traversing HTTP proxies if they didn’t properly hide their origin IP), their email address, and their username was used to build a profile of them by combining shared data between the collective sites,” he revealed.
X told us that the databases are so rich in information that it’s possible to build detailed profiles of users, some of which are associated with more than a thousand IP addresses including access dates and times, plus a hundred usernames/email addresses and details of their supposed misbehavior.
“Everything from being a dick, being/acting suspicious, cheating/trading, letting someone else use their account, to staff running off with donation money could get a user on this database,” X said.
So how does this PRISM-like system work? According to X, it’s professionally constructed.
“All of these user profiles were accessible by all member sites via API, and quite a few sites kept their own copy of the database, pulling down information updates at regular intervals, and sending profile updates/creations on matching or requested information,” he revealed.
The security implications of holding local copies of full databases are a serious concern.
“If any of these sites got raided or hacked, data about users who never even used the site would be in the hands of the invader.”
We’ve discussed the reasons why these kinds of systems are in place in previous articles. Private sites have an ‘economy’ to preserve and need to be able to keep tabs on damaging users in order to keep their sites healthy.
Of course, this is the kind of reasoning also employed by the NSA when it tries to justify spying on everyone. Are these excuses acceptable or not? Does the end justify the means?
“The NSA leaks have shed a new light on what I regularly did at my post [X says he wrote some of the code allowing the sites to communicate], and while I can’t deny the good it did in keeping [our site] from falling to shit, the way the information is handled and the secrecy behind this are things that need to be exposed and reworked,” X concludes.
It is unlikely that the participating trackers will give up their intelligence systems just like that since the information they provide is a crucial part of keeping their sites healthy. But equally, these kinds of databases could become hugely problematic should they fall into the wrong hands.
What happens next is up to the sites running the operation but coordinating change and introducing a better system could prove almost impossible.