For those who value their privacy this is a problem, so many sign up with a VPN provider or torrent proxy service. This is fine, but some people then forget to check whether their setup is actually working.

While it’s easy enough to test your web IP-address through one of the many IP-checking services, checking the IP-address that’s broadcasted via your torrent client is more complex.

There are a few services that offer a “torrent IP check” tool, but for the truly paranoid there’s now an Open Source solution as well.

The developer, who goes by the nickname “cbdev”, found most of the existing tools to be somewhat “fishy,” so he coded one for himself and those who want to run their own torrent IP checkers.

“I’d rather have something I can control entirely,” cbdev tells TF.

“So, I wrote a tool people can install on their own servers, with the added bonus of it using magnet links, so ‘Tracking torrent’ files are required,” he adds.

The ipMagnet tool allows BitTorrent users to download a magnet link which they can then load into their BitTorrent client. When the magnet link connects to the tracker, the user’s IP-address will be displayed on the site, alongside a time-stamp and the torrent client version.

Alternatively, users can check out the tracker tab in their torrent clients, where the IP-address will be displayed as well.

For users who are connected to a VPN, the IP-address should be the same as the one they see in their web browser, and different from the IP-address that’s displayed when the VPN is disconnected.

Proxy users, on the other hand, should see a different IP-address than their browser displays, since torrent proxies only work through the torrent client.

People are free to use the ipMagnet tool demo here, but are encouraged to run a copy on their own server. The whole project is less than 500 lines of code, so those with basic knowledge of PHP, JavaScript and HTML can verify that it’s not doing anything nefarious.

If you’re setting up a copy of your own, feel free to promote it in the comments below. Those who want more tips can read up on how to make a VPN more secure, and which VPN providers and torrent proxies really take anonymity seriously.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Whatever your stance, the UFC and its aggressive approach to copyright enforcement matters to you, because where they tread today, others may tread tomorrow. And it’s a scary path indeed, one that would tick all the boxes of “overly-paranoid file-sharer”, if such a meme existed.

The file-sharing site honeytrap is a much-feared beast, set up to ensnare unsuspecting users in order to subject them to an awful but largely undocumented fate. But while in 2005 the MPAA were believed to have obtained the database of then-famous torrent site LokiTorrent, nothing has been publicly done with that data. Almost certainly, no one has been sued.

Since then dozens of sites have come and gone, many along with whispers that some evil entity or other has secured access to thousands of user’s details. No proof has ever surfaced to show a grain of truth in that notion, but now – not for the first but for the second time – the UFC is claiming to have done just that.

In 2012, the UFC announced that it had obtained the user database of a site called Greenfeedz, along with a promise it would chase down its members for watching unauthorized UFC streams.

While the announcement caused concern at the time, little was known about the outcome. However this week the UFC were back again, categorically stating they were going to sue people who watched unauthorized streams on another site. But how were those people identified? By the UFC obtaining the site’s database, that’s how.

“As part of the on-going initiative against online piracy, Zuffa, LLC, owner of the Ultimate Fighting Championship® (UFC®) organization, successfully took down and seized the records of www.cagewatcher.eu, a website that illegally streamed two UFC pay-per-view events,” the UFC announced.

“UFC has obtained details of the streaming site’s userbase, including email addresses, IP addresses, user names and information pertaining to individuals who watched pirated UFC events including UFC 169. Also recovered were chat transcripts from the website. Using this data, UFC will work with Lonstein Law Office to prosecute identified infringers.”

If the UFC is to be taken on face value, anyone watching an unauthorized video on YouTube or Vimeo for example, can be subjected to legal action by the UFC. However, rather than go through the messy process of subpoenas and the like, the UFC can turn up at any unauthorized site, threaten the owner, and walk away with the site’s entire database and use it for legal action.

The UFC says it’s carried through with its threats too, stating that Lonstein Law Office has “successfully prosecuted hundreds of claims for the UFC organization for sites illegally streaming content and individual users since 2007.”

In order to find out more, MMA site Bloody Elbow did some digging and found a case dating to just after the UFC made its Greenfeedz announcement. It turns out the UFC did indeed have some success against one individual. However, the case navigated an extremely unusual track.

Probably understanding they were on delicate ground in respect of a regular copyright infringement prosecution, the UFC took action under Title 47 of the United States Code, Section 553, which prohibits people from intercepting or receiving “any communications service offered over a cable system, unless specifically authorized to do so.” Basically the UFC claimed that the individual had received a PPV signal without paying for it.

Since the defendant didn’t show, the court noted this was an admission of guilt, even though it was established that “there is no evidence that defendant obtained any financial gain from his illegal receipt of the copyrighted broadcasts since he viewed them on his home computer.”

Case won by the UFC via default judgment, with the target landed with a bill for $11,948.70.

How the UFC is intimidating others into settling isn’t clear, but it seems very likely that this judgment will be waved in front of users from sites where the databases have been obtained, with the threat that they will suffer the same fate unless they pay a few thousand dollars.

And this is why the UFC’s actions are important to everyone.

If big companies like Zuffa can intimidate site owners into ratting out their users, those users can be bullied into paying settlements. Remember, there is no official discovery process here, no friendly ISP to contest the handing over of their subscribers’ details. Just an aggressive copyright holder bullying victims over the simple viewing – not distribution – of a video stream.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

With our findings we compiled a report of VPN providers that due to their setup were unable to link their outbound IP addresses with user accounts. Ever since we have received countless emails demanding an update.

Update: New 2014 update is out.

It’s taken a long time but today we bring the first installment in a series of posts highlighting VPN services that take privacy seriously. Our first article focuses on anonymity and a later installment will highlight file-sharing aspects and possible limitations.

We tried to ask direct questions that left VPN service providers with little room for maneuver. Providers who didn’t answer our questions directly, didn’t answer at all, or completely failed by logging everything, were simply left out. Sadly this meant that quite a few were disregarded.

This year we also asked more questions, which are as follows:

1. Do you keep ANY logs which would allow you or a 3rd party to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold?

2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?

3. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?

4. Which payment systems do you operate and how are these linked to individual user accounts?

The list of VPN providers is a tiny sample of the thousands out there today and is not comprehensive by any means. VPN Providers not covered this time around will be added during the coming weeks. All responses listed below are in the words of VPN services themselves and the order of the list does not carry any meaning.

Private Internet Access

1. We absolutely do not maintain any VPN logs of any kind. We utilize shared IP addresses rather than dynamic or static IPs, so it is not possible to match a user to an external IP. These are some of the many solutions we have implemented to enable the strongest levels of anonymity amongst VPN services.

2. Our company currently operates out of the United States with gigabit gateways in the US, Canada, Germany, France, UK, Switzerland, Sweden, the Netherlands and Romania. We chose the US, since it is one of the few countries without a mandatory data retention law. We will not share any information with third parties without a valid court order. With that said, it is impossible to match a user to any activity on our system since we utilize shared IPs and maintain absolutely no logs.

3. We are in compliance with DMCA as all companies, world-wide, must be. We have proprietary technology and an experienced legal team which allows us to comply without any risk to our users.

4. We accept many payment methods directly, including PayPal, CC, Google, Amazon, Bitcoin, Liberty Reserve, OKPay, and CashU. Further, we would like to encourage our users to use an anonymous e-mail and pay with Bitcoins to ensure even higher levels of anonymity should it be required. We only store the minimal information required to provide customers refunds.

Private Internet Access website

BTGuard

1. We do not keep any logs whatsoever.

2. The jurisdiction is Canada. Since we do not have log files, we have no information to share. We do not communicate with any third parties. The only event we would even communicate with a third-party is if we received a court order. We would then be forced to notify them we have no information. This has not happened yet.

3. We do not have any open incoming ports, so it’s not possible for us to “takedown” any broadcasting content.

4. At the moment we only accept Paypal and Bitcoin. We have plans to accept alternative credit card processing in the near future.

BTguard website (with discounts)

Torguard

1. TorGuard doesn’t store IP’s or time stamps on our VPN/proxy servers, not even for a second. It’s impossible to match what is not there. Since some people tend to misbehave when using a VPN , this raises the obvious question: how do we maintain a fast, abuse-free network? If even our network engineer can’t back track the abuser by IP, then how do we stop it?

Through packet level filtering at the firewall it’s possible to apply rules to an entire shared server, blocking the abuse immediately. For example, let’s say someone decides to use TorGuard to unlawfully promote their Ugg boots business (spam). In order for us to block this one individual, we simply implement new firewall rules, effectively blocking the abused protocol for everyone on that VPN server. Since there are no user logs to go by, we handle abuse per server, not per user.

2. TorGuard recently went through some corporate restructuring and has now moved its parent company to Nevis, West Indies. Our company abides by all International laws and data regulations imposed within our legal jurisdiction. We don’t share any information with anyone regarding our network or its users and won’t even consider communicating with a 3rd party unless they’ve first obtained adequate representation within our legal jurisdiction. Only in the event of an official court ordered ruling would we be forced to hand over blank hard drives. There’s nothing to hand over but an operating system.

3. TorGuard complies immediately (24 hours or less) with all DMCA takedown notices. Since it’s impossible for us to locate which user on the server is actually responsible for the violation, we block the infringing protocol in its entirety, whatever it may be – Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc. This ensures the content in violation is immediately removed from that server and no longer active on our network.

4. We accept all forms of credit card, Visa, Amex, Mastercard, Discover, PayPal , Google Checkout and Bitcoins. We also accept anonymous payments through our pre-paid PIN system. These pre-paid service PIN numbers can be purchased from one of our participating online resellers and redeemed during checkout on our website.

Our client billing area and VPN/Proxy user auth servers are two completely separate systems. This is to ensure the privacy and securities of our customer’s accounts are upheld at all times. While the customer’s chosen payment method will be linked to the client billing area login, this information is kept completely separate from their VPN/Proxy network. In this way, it’s virtually impossible to “connect the dots” of a paying customer with that of someone who is using the servers. This can become a pain for clients as they are required to remember two sets of logins/passwords, but trust us – it’s in the best interest of security.

TorGuard website

(Use the promo / coupon code TorrentFreak to get a 20% discount at Torguard.

TorrentPrivacy

1. We don’t store any logs, it’s impossible to track users’ activity through our VPN.

2. Our company is based on Seychelles. We do not disclose any information to 3rd parties and this can be done only in case of a certain lawsuit filed against our company.

3. If we receive a notice about DMCA infringement, our team of lawyers solves it immediately without any blocking of servers or protocols. We don’t store any content on our servers, users are anonymous, so, there are no problems with it. We promise our customers that they will not have problems with the DMCA.

4. PayPal and CommerceGate.

TorrentPrivacy website

IPVanish

1. IPVanish has a no-log policy. We keep no traffic logs.

2. IPVanish is headquartered in the US and thus operates under US law.

3. We do not host content of any kind and have nothing to take down or remove.

4. We currently accept all major credit cards, PayPal and UltimatePay (which includes 85 different payment methods from 190 countries). UltimatePay also provides many anonymous cash payment options like Western Union, Alipay, Skrill and PaySafeCard.

IPVanish website

Privacy.io

1) We do not keep any logs on our servers. Neither us nor 3rd parties are able to match IPs to a username.

2) Privacy IO is an Australian Registered business. Under no circumstances will we provide any 3rd party information about our users. We are unable to comply with DMCA or equivalent as we have no access or power to do anything about it. As we keep no logs we can not link it to a user to apply said request. If the law attempts to make us do such things, we will move our business to a location where that can not occur, and if that fails we will close up shop before we provide any information.

3) See answer to question 2

4) At present we only accept PayPal and CC (processed by PayPal), but we are looking into alternative types of payments. We go out of our way to make sure that PayPal transactions are not linked to the users, we generate a unique key per transaction to verify payment for the account is made, and then nuke that unique key.

Privacy.io website

VikingVPN

1) We do not log any user activity at all. We don’t know what IP addresses our own users connect from. We have a shared IP address for our users, further increasing their anonymity We also generate false traffic.

2) We currently operate out of the United States. The United States does not have any mandatory data retention laws, which allows us not to log anything. If we receive a valid warrant, we will turn over all required records, that we have available; we don’t have any records available, because we don’t log anything.

3) DMCA notices have some legal requirements that basically make them not apply to us. We don’t host any content at all, we only provide bandwidth. Also, a DMCA notice requires the notifier to positively identify an infringing individual – which is impossible given our security model. Basically, it’s impossible to send us a valid DMCA notice.

4) We’re just getting started, so we’re currently simply taking credit cards. Accepting bitcoin is a near term goal for us. We’d also like to start accepting really exotic forms of payment like cash.

VikingVPN website

Anonine

1. We store a users E-mail and username, that´s it. This means that we do not store, or have access to, any traffic logs of any kind. By traffic logs we mean, any kind of data that has the potential to, directly or indirectly, match a users original ip or identity with one of our IPs.

2. It is important to remember that we do not store any traffic logs, and therefore it would be physically impossible for us to hand something like that over to a 3rd party. This, next to the encryption, is the core of the entire anonymity aspect of the service. This is possible by the fact that we operate under Swedish jurisdiction and Swedish law.

3. Our no logging policy has never really caused us any trouble since we never have received any official requests to hand over any traffic logs.

4. We accept credit card payments through Paypal and Payson. For Swedish users we also accept payments through sms and phone. We do not store data from these services. However, each of these services store various types and amounts of data related to the payment, and the payment only, which we do have access to. This is what allows us to perform refunds, or to provide adequate support services etc.

Anonine website

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

In theory, however, there’s always a possibility that certain agencies are operating several steps ahead of the game. For example, the NSA and others might be capable of cracking more advanced encryptions when data streams are stored for future decoding.

And then there’s the possibility of VPN providers being forced to hand over customer data. While no-logging policies protect against traditional court orders, things get more complicated when government agencies issue gag orders, such as those contained in United States national security letters.

To explore these issues TorrentFreak talked to BlackVPN, IPredator, Private Internet Access, VikingVPN and TorGuard.

Below is an overview of the responses we received. On the one hand they address which encryption schemes are still safe, and which ones should be avoided. Separately, the U.S. based providers shared their thoughts on the discussions regarding national security letters.

The first question is whether encryption still works. A few weeks ago many VPN users got concerned after they read that the NSA had compromised privacy software and cracked encryption algorithms.

So does that mean VPNs can no longer be trusted? While the various providers all have different opinions, they agree that the most secure encryptions are impossible to crack on the fly. Similarly, most providers warn that PPTP is flawed and should be avoided wherever possible.

BlackVPN

“OpenVPN is the best choice when available on your device. It’s easy to check that your VPN provider is using strong encryption algorithms and keys (like 256bit keys and AES encryption) by looking at the OpenVPN configuration files supplied by your VPN provider. Also it can be configured to use TCP on port 443 which makes it extremely difficult to block as it looks like standard HTTP over SSL traffic.”

“OpenVPN is slightly more effort to setup (download and install a client for Windows, OS X, IOS 5+ & Android 4+) but it should be the default way for most people to connect to their VPN. We have been using OpenVPN securely (2048 bit RSA keys and AES-256) since our beginning in 2009 so previous traffic should still be secure from decryption.”

“L2TP/IPSec is a good choice if you want a quick and easy setup. However the encryption algorithms and keys used depend on your VPN provider and your device, and it is difficult to know if secure or insecure encryption is being used. Your data could be encrypted with AES-256 (more secure) or with 3DES (not secure) and you wouldn’t know. An evil or silly VPN provider could force all clients to use 3DES. Also Windows XP does not support AES and would use 3DES encryption instead.”

“PPTP has known security weaknesses and should only be used as last option or where nothing else works with your device. There are no good reasons to use PPTP unless IPSec traffic is being blocked and you cannot install openVPN on your device. We would recommend only use PPTP if your security and privacy are not a concern – for example if you just want to access websites or content blocked in your country.”

IPredator

Sweden-based IPredator is also clear on the point that PPTP should be avoided by users who are looking for the most secure setup, but in common with many other VPN providers, they still offer these connections.

“We explicitly tell users that PPTP is insecure and that it’s not suitable for privacy related things anymore to protect against a government attacker. We could just turn it off BUT then people would just go to other providers who still offer it, so in my opinion it’s better to educate them.”

According to iPredator, OpenSSL with ECDHE + AES and without RC4 is the most secure option for VPN users at the moment.

TorGuard

According to TorGuard many of the strongest encryptions can still be trusted, and the company sees Open Source Software as a key element to keep intelligence agencies for implementing backdoors.

“Encryption still works and nothing has been mathematically broken. What has been broken is the consumer trust relationship between government and big business. The NSA has attempted to undermine VPN encryption not by brute force or mathematics, but by sabotaging secure technologies at the corporate level.”

“Open source software is in the driver’s seat, everyone else is just along for the ride. Community driven code like what powers OpenVPN is continuously subject to scrutiny, making it virtually impossible for an outside agency to implement a secret backdoor.”

“It is also important to point out that there is no known method that even comes close to breaking 128bit Blowfish encryption. For the ultra-paranoid, TorGuard offers AES-256 bit ‘Stealth’ connections that actually disguise packets as regular HTTP traffic on the network. We will soon be offering these stealth AES-256 connections on all servers as standard options.”

“True privacy in this digital age requires sound cryptography and companies who are willing to back it up – no matter the cost. If we expect to have any privacy in the future, the entrepreneurs and cypherpunks of today must work together in continuing to develop effective privacy solutions for tomorrow.”

Aside from the worries about broken encryption and backdoors, there’s also the possibility that providers might find themselves served with a national security letter by U.S. security agencies or a foreign equivalent. Yesterday VPN provider CryptoSeal shut its doors in the belief it could no longer guarantee the privacy of its users following the Lavabit ordeal.

TorrentFreak asked three prominent U.S. based VPN providers to share their thoughts on this issue.

Private Internet Access

“Prior to the entire Lavabit ordeal, we had begun reaching out to the EFF, ACLU and FFTF in order to better understand the legal climate in which the internet operates such that we would better understand how we could hedge the company to better protect our ‘way of the internet’. Our CTO/co-founder, who many know as coderrr, the developer of privacy extensions from the early years of Bitcoin, moved out of the US along with our entire admin/development team.”

“Moving or establishing a VPN company outside of the US/EU would do little to protect against these kinds of issues as long as anyone with access to the machines remains within said regions. As such, he and the entire admin/development team are committed to remain outside of the US, and in fact, the team in its entirety are decentralized across the globe in countries that have historically been very reluctant to assist the US. Simultaneously, our research team has been implementing and increasing our available crypto-suite.”

“As for myself [Andrew Lee], I love my country. Please do not misunderstand, as a minority born, raised and living in the US, I am certainly not screaming, ‘MERIKA FUK YAH!’ However, this country has provided a climate in which people can work hard to better their lives and, as well, enjoy great liberties which, in reality, most/many countries fail to match. As such, I, myself, remain in the US in order to help see to it that this country is able to continue/return to being a land of liberty and freedom. To this extent, we’re really putting our money where our mouths are.”

“However, to remain in the US, meant, as well, the relinquishing of my access to the PIA systems/network. Administrators, developers and co-founders everywhere can relate to the difficulty of doing so, but the reality is that it was a requirement if I was to remain here. This policy is in place, and relinquished access I have.”

“With regard to the gag orders, recently a US judge ruled the gag order provision to be unconstitutional, in violation of First Amendment rights. We do consider this to be a win for our side, in our quest to bring our privacy and civil liberties back to levels which we as a society can decide for ourselves. With that said, it’s not the end of the battle, as the ruling is currently being appealed, and as such, no decision is certain at present.”

“However, we’re a company that operates, as we said on our privacy policy, within the spirit and letter of the law. As such, we believe in constitutionally provided privacies and liberties and, to this extent, I’d like to make it unequivocally clear that we will fight any gag order to the fullest extent given that it clearly undermines First Amendment rights and the transparency of governmental interactions with private entities.”

“While I’d like to yell some kind of statement as many have before that most certainly could never be upheld, our customers and TorrentFreak readers deserve to know that we’re fighting to the best of our abilities, within the confines and maturity of the existing societal infrastructure. This is not the only way, but this is currently the best way for us to make a meaningful broad impact.”

TorGuard

“Lavabit’s actions to suspend operations and preserve its client’s privacy were truly inspiring. This serves as an excellent example for other companies to not let big government push them around and stand up by legally challenging unlawful data requests or gag orders. Curbing the power of government surveillance on the corporate sector won’t be easy, but it needs to start now with increased transparency and corporations that take an oath of privacy no matter the cost to business. In Lavabit’s case – if you can’t leave Texas then burn the servers.”

“A big misconception going around is that one’s data is far safer from scrutiny with foreign based corporations. Unfortunately, the US isn’t the only country with a spy agency and they certainly are not confined by domestic borders. We’ve seen countless incidents in the recent past where both domestic and international surveillance agencies abused power to gain access to servers and customer data – no gag order required.”

“Just because a company is incorporated in ‘Timbuktu’ doesn’t mean the third-party data centers they lease servers from won’t open the door when federal agents come knocking. That’s why more transparency is needed on a global scale, not just from US service providers, but also by these international based ISPs, Data Centers, Domain Registrars and Merchant Providers..(the list goes on).”

“While TorGuard does have US-based representation, we are an internationally owned company with 90% of our employees and server resources based abroad. As owner/operator, I’ve pledged an oath of privacy to our client base and I intend to uphold this promise to the best of my abilities, even if it means temporarily suspending services or relocating company assets. We have backup plans for our backup plans, and travel light.”

VikingVPN

“Knowing whether or not a company has been compromised by a national security letter is deceptively simple. All you have to do is ask. Right now, I can confidently say that VikingVPN has not been served a National Security Letter. Feel free to ask me again later. If I don’t reply at some point in the future when you ask me, then you’ll know. See how easy that was?”

“The reason this works is that the Govt. cannot compel you to lie, but they can (apparently) compel you to remain silent. I would actually argue that the national security letters, and indeed the entire PRISM/XKeyScore system are illegal and unconstitutional, but obviously I don’t sit on the FISA court or Supreme Court, so my opinion holds little weight.”

“I would encourage TorrentFreak to reach out to all the US VPN providers and simply ask them if they have received a national security letter. If they don’t reply within a reasonable time-frame you will have your answer. I would even encourage you to keep a running list of VPN providers that reply. You could ask them once a month.”

“Further, VPNs have always been about trust. You’re entrusting your data to the VPN service provider, and hoping they don’t betray you. Any VPN service provider could be secretly logging and passing your data to a 3rd party without your permission. Some of this trust can be gained (or lost) from reputation.”

“Do users of the service report betrayals in the form of legal notices? Some of the trust has to come from knowing just who runs the VPN service. VikingVPN has been very transparent about this. You can see who myself and my partners, Justin Greene & Derek Zimmer, are. You can see that we’re not connected to any Intelligence Agencies or Copyright bodies. You can also view the kinds of political speech we engage in. We’re vehemently anti-spying and anti-PRISM.”

“US VPNs can still be trusted because you can place a honeypot anywhere in the world when it comes to VPN services. The paranoia surrounding US-based VPNs simply is not thought through very well. The UK and Sweden both have similarly intrusive dragnet programs, and there seems to be little concern for VPN services out of those nations. Furthermore, you can save all the packets you want, unless the VPN itself is compromised it isn’t going to matter.”

Conclusion

The conclusion brings us right back to the start of this article. No VPN provider can guarantee that any type of encryption is 100% secure. Hopefully the above has given people some pointers on what to avoid, and what the more secure alternatives are.

But even if people pick the strongest encryption possible, one still has to trust VPN providers to keep his or her data safe, regardless of where the company is located.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Until recently these were the kinds of issues pondered by those with an interest in Internet security and the very paranoid. In the post Edward Snowden world, these are things that are starting to matter to everyone.

Security is a pretty big issue among file-sharers for a number of reasons. Obviously there are many who would like to keep their activities private, but it’s common for file-sharers to be tech-savvy users who are generally more aware of online privacy issues.

Public v Private

By now, those using public BitTorrent sites should be well aware that their activities are, to put it bluntly, extremely public. At any time spies of all kinds can jump into a torrent swarm and start gathering data. The most important pieces of data – times and IP addresses – can be scooped up in an instant and are often enough for trolls to start filing lawsuits.

Private torrent sites, on the other hand, offer a walled garden environment. They are often very hard to gain access to which means that generally speaking there are less spies and fewer chances of being monitored or busted – or so the anecdotes go. Truth is no one is sure how many undesirables may exist on these sites but it’s likely that very few sites will have a completely clean bill of health.

The public vs private security debate has been done to death over the years but what is not often discussed is how sites – private ones in particular – handle the data entrusted to them by their users.

When someone signs up to a site via invite they hand over both their email and IP addresses. Immediate checks are made – has this email or IP address been used on this site before? If so, in many cases the chances of getting account are already reduced to near zero. If there’s no match, the user making the application is in – congratulations.

This is where the fun starts and something less entertaining kicks in behind the scenes. You can buy a zero-logging VPN incredibly simply these days but the same cannot be said about private torrent sites. At every opportunity they log just about everything they can.

Private site logging

Obviously, a certain level logging is required for people to merely have an account. As a matter of course sites log their sign up date along with users’ email addresses, passwords and everything said in their forums. No surprises so far really.

However, sites also log every single torrent downloaded and every IP address used to do so. They log how much data was downloaded and how much was uploaded. Not only that, sites know which other users the downloads came from and to which users the uploads were sent and in what quantity.

Once this information is logged (often against hundreds of torrents per user), sites know all there is to know about their users, real-life identities aside. And the worrying thing is that in many cases the information is never deleted, even when users have left the site. So why is that the case?

The answer is simple – it’s all about keeping the site and its file-sharing ecosystem functioning in an optimal fashion.

Sites rely on users playing fair, such as sharing content in a way determined by the sites rules. When this breaks down so does the site, so site logs are used to weed out the bad players. These include those who damage the ecosystem by not doing their part or – heaven forbid – those evil users who try to cheat the ratio system.

Once these users are found (which is only possible by keeping detailed logs on the activities of all users) they are kicked out. However, their accounts are not usually deleted because they carry useful information which will be used to ensure that the same user doesn’t try to get back on the site in future. To combat these users many sites also ban the use of VPNs, which means that not even good users can enjoy the security they offer.

Logs can be used to keep the enemy out

Site logs are also used to hunt down the private tracker’s worst enemies – anti-piracy companies and those users who make a business out of buying and selling site invites. These two groups can be closely related, since when an invite seller offers his product in public, it’s possible that spies can pick them up for a few dollars and gain access to an otherwise private site in a matter of minutes.

So, as we can see, site logs are there to protect the health of the tracker. However, it would be an absolute nightmate if they fell into the wrong hands. While that doesn’t happen often, it does happen.

Just this week the UFC announced that it had targeted a site called BestFreeUFC and as a result has obtained the site’s database which includes email addresses, IP addresses, user names and chatlogs of individuals who have illegally accessed UFC events. UFC owners Zuffa say they will now go after the infringers.

The future – encryption?

So what can be done to increase site security? TorrentFreak spoke with a couple of admins who informed us that while they would prefer not to carry logs, they are essential for maintaining a healthy tracker and keeping undesirables out. Passwords on Gazelle trackers are encrypted, which is welcome, but currently no other data is encrypted as standard.

One admin told us he would like to add full encryption but from a technical perspective it would seriously complicate matters. Furthermore, much more grunt in both the software and hardware departments would be required, along with a fresh view of the entire situation.

So while email providers start adding encryption as standard and companies like Dotcom’s Mega have security built in from the ground up, the question now is whether private torrent sites will maintain their positions or continue as normal.

This might just be another case of citizens having to sacrifice some of their privacy in order to obtain a valuable service, or perhaps in the overall scheme of things, security is tight enough already…..

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

The latest bill to gain attention online is CISPA, or the Cyber Intelligence Sharing and Protection Act. As the title suggests the main goal of the bill is to deal with “cybersecurity,” but with a lack of definition as to what that actually entails, it’s also one of the major weaknesses.

In short CISPA would allow companies to spy on Internet users and collect and share this data with third-party companies or Government agencies. As long as the company states that these privacy violations are needed to protect against “cybersecurity” threats, they are immune from civil and criminal liabilities.

Some have described the bill as a new SOPA, but it’s nothing like it. Where SOPA was focused on the shutting down of copyright infringing websites, CISPA is directly targeted at individual Internet subscribers, including copyright infringers.

While the definition of a cybersecurity threat is rather vague, intellectual property is specifically mentioned in the bill. For example, among many other descriptions CISPA defines a cybersecurity purpose as follows.

“A system designed or employed to [...] protect a system or network from [...] theft or misappropriation of [...] intellectual property.”

In other words, the bill would make it possible for ISPs to actively monitor the private communications of subscribers to detect and censor the transfers of copyrighted content. In addition, the personal details of these users could then be freely shared with third parties.

It’s hard to not interpret the above as a huge problem for people’s right to private communications.

While there is little known about how companies and authorities plan to use the bill, it is the vagueness and broad definitions that get people worried. Copyright holders should have tools to protect their rights, but as it stands CISPA completely destroys people’s right to privacy under certain circumstances.

This has caused great concern among the public, and a few days ago digital rights group EFF also sent out an alarming message warning people about the looming threat posed by CISPA.

“There are almost no restrictions on what can be collected and how it can be used, provided a company can claim it was motivated by ‘cybersecurity purposes’,” EFF writes.

“That means a company like Google, Facebook, Twitter, or AT&T could intercept your emails and text messages, send copies to one another and to the government, and modify those communications or prevent them from reaching their destination if it fits into their plan to stop cybersecurity threats.”

In recent weeks CISPA has gained support from over 100 lawmakers in Congress, anti-piracy lobby groups such as the BSA and US Chamber of Commerce, but also tech companies including Facebook, Microsoft and Verizon.

These supporters are likely to argue that the bill wont be used as a massive spying machine, but if that’s the case the text should be amended to reflect that. To a certain degree CISPA faces the same problem as SOPA, in that the vagueness of the definitions give rise to speculations, in this case horrific 1984-like spying systems.

In its current form CISPA serves only to fuel the paranoid concerns of the public in which ironically the bill itself exists as the security threat.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Although the XS admin denied begin connected, he did admit renting out a server to “a guy who rented it out,” a suggestion that he perhaps had suspicions about potential connections, intended or otherwise.

XtremeSpeeds then disappeared completely and a promised August update from the site’s admin never materialized. What followed was an information black-hole, a common feature of ongoing piracy investigations where authorities aren’t yet ready to shout about their achievements and lawyers advise their clients to keep their mouths shut.

Now the rumor mill is turning again. According to reports, IMAGiNE – one of the P2P scene’s most prominent release groups – have been busted by Immigration and Customs Enforcement. The reports, which have proven impossible to confirm from any official source at this stage, state up to nine arrests.

Last year, IMAGiNE launched their own “secret” private BitTorrent tracker that remained under the radar for roughly 10 minutes. The site, UnleashTheNet, also known by its acronym UtN, was hosted in Canada but in the last few days it simply disappeared.

This morning TorrentFreak spoke with the site’s host who informed us that they haven’t heard anything about any raids or arrests. A traceroute timed-out at the site’s IP address.

However, there is one person who claims to know the details of IMAGiNE’s fate and he spoke with us just a few hours ago. So, has IMAGiNE really been busted?

“Yep,” says DiGiTALiNK, founder of P2P release group EP1C. “ICE joint operation got them.”

In an email to TorrentFreak, DiGiTALiNK went on to say that 9 people were arrested including IMAGiNE members Spunky, HoD, Jason, Tank, TheStash and Spangy, all of them within the United States. [See update below]

If these words do indeed turn out to be true, this latest development marks yet another event in a turbulent few months for EP1C, IMAGiNE, and associated sites and individuals.

In June this year, IMAGiNE published a warning on their site which declared that EP1C members had been banned and that anyone inviting them back would share their fate. It was claimed that DiGiTALiNK, EP1C’s founder, had “turned in one if not more of his members to the feds” and that a private FTP site of his was being watched by the authorities.

In the hugely political world of private trackers, claims like this are not unusual. In many file-sharing circles paranoia reigns supreme but, as they say, just because you’re paranoid it doesn’t mean they aren’t out to get you.

When EP1C’s DiGiTALiNK delivered his response to IMAGiNE’s claims, the focus was on escalating the conflict.

“They crossed paths with the wrong person, they lie, cheat, steal and have a fake identity to make people think they care about there [sic] safety, but in fact many of there [sic] source providers have been busted because they have no regard for your safety, only want the fame of that release,” the response began.

“Within the next few releases I will be providing proof of all this to the public and including all there [sic] personal identification information.. haha if I was a snitch they would have already been busted. IMAGiNE, are [expletives removed].”

Immediately some details related to the identity of one IMAGiNE member were released followed by the locations of others along with the words: “Get ready for a War.”

But those hoping to learn more from future EP1C revelations would be left disappointed. EP1C made their final releases on June 14th and 15th, dates which to within a week coincided with the accusations made by IMAGiNE.

TorrentFreak pointed out the history of bad-blood between EP1C and IMAGiNE to DiGiTALiNK and asked if he had a comment. We also asked how he came by the more specific details of the alleged arrests. At the time of publication we’re yet to receive a response.

After making releases of high-profile movies every few days for the last few months, last week on September 9th IMAGiNE made their most recent release – The.Guard.2011.DVDSCR.XViD.AC3-IMAGiNE. Nothing has been heard from them since.

The group did not respond to correspondence sent to a secure account so only time will tell if this release turns out to be their last.

Update: Fresh sources confirm that four people were visited by ICE

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

“You are worse than the MAFIAA’s scare tactics,” one annoyed reader wrote to me in response. “Why all the paranoia, nothing is this bad? You make people terrified.”

Three years on and not only are the points in the article even more relevant than they were in 2008, but in hindsight should have been taken on board by more than just admins.

Earlier this month the Swedish authorities and local anti-piracy outfit Antipiratbyran revealed that a major uploader to the now-defunct Swebits tracker – one the oldest BitTorrent sites – had been arrested by the police. The 25-year-old now stands accused of uploading more than 1,000 movies and, if prosecutor Henrik Rassmusson is to be believed, catching him was a breeze.

“He had been using his personal Internet account, and he had a static IP address associated with an ISP, so it was not hard to get hold of him,” Rassmusson told Swedish Radio yesterday.

While trying to be sympathetic to this guy (who is undoubtedly in pretty serious trouble) isn’t conducting this kind of activity unencrypted or without some level of anonymity simply crazy these days? Isn’t using a VPN or proxy in a foreign land a standard requirement now? Isn’t presuming and preparing for the worst a required skill in 2011? Perhaps it should be.

In the 2008 article our friendly admin said he would never pick up his emails without hiding his IP address and again, some people said that was going too far. The recently arrested admin of ChannelSurfing.net might disagree. Google coughed up his records to the feds last month in the blink of an eye.

Going even further, the admin said he took precautions to hide his IP address not just on his own site, but when on those operated by others too. Some people laughed – the admin was clearly a paranoid fool, they argued.

But roll on to 2011 and many completely innocent fans of PS3 hacker Geohotz are about to have their IP addresses handed over to Sony by Google, YouTube and Twitter. Suddenly it’s not so amusing anymore.

When Internet users aren’t even free to watch videos on YouTube and read comments on Twitter without being exposed to the prying eyes of big corporations like Sony and their aggressive lawsuits, isn’t it time to consider some level of anonymity as a prerequisite to even going online?

No? We’ll report back in another 3 years. You will have changed your mind – guaranteed.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

A few days ago FastCompany reported that BitTorrent Inc. has started work on a new and quite intriguing project. The company has been gathering detailed statistics reported by uTorrent users in order to create an overview of the network speeds of nearly all Internet providers worldwide.

BitTorrent’s VP of Product Management Simon Morris explains it as follows:

“We have download traffic, upload traffic, BitTorrent traffic, and we have HTTP traffic. So we can answer questions like: I live in this city in the world–it could be anywhere, literally anywhere–which ISP should I use? Which is the fastest? Which ISP is messing with BitTorrent traffic? Because we have this data, we can see the difference in speeds by time of day.”

For now, the results of this huge dataset are only visible to the BitTorrent team, but in the near future they might decide to open them up to the public. This would then allow people to look for the most BitTorrent-friendly ISPs in their area, and potentially avoid those providers that throttle traffic. A very rough graph is provided below.

Although this kind of data can actually benefit BitTorrent users, the revelation by the BitTorrent team also raised concerns among a sub-group of naturally paranoid file-sharers. Graphing data by ISP and region requires uTorrent to send the IP-addresses of users to the San Francisco headquarters. This, in addition to detailed info on transfer speeds and download times.

Since the announcement a few concerned users asked TorrentFreak what data BitTorrent Inc. actually stores. A good question. The privacy policy posted on uTorrent.com says the following on the data collected via uTorrent.

“We also aggregate some data from our software applications (including µTorrent) regarding total traffic flows and content delivery performance of our Applications as well as other data collected in the use of our products or services in order to understand usability and monitor network conditions and compare the performance of Bittorrent and HTTP protocols on the public internet, it reads.

It further states that end users may opt out of providing this information through a preference setting in uTorrent (“send back detailed info”).

What’s not apparent from reading the privacy policy is what kind of data is sent back to BitTorrent Inc. In an attempt to find out more and address the concerns of some users, we contacted BitTorrent’s Simon Morris, who assured us that they value the privacy of their users.

“We restrict our technical performance monitoring to data which tells us how well our BitTorrent clients are behaving – we have no interest in and do not collect any more private data about what people are doing with their BitTorrent clients,” he said.

We wouldn’t expect to hear anything else, of course, but it still says little about the kind of data that’s collected. Morris said that a fuller technical disclosure may be an option, but that this has to be discussed internally first. He was willing to share 4 broad categories where the collected data falls into.

* Software and system configuration (client version, country code, OS version, etc.).
* Bytes transfer details (how much, how fast, what time of day, etc.).
* Software feature usage stats (transfer cap, scheduler usage, labels usage, etc.).
* Other technical protocol details (TCP connections, closes, resets, UT connections, etc.).

The above also includes the IP-address of the sender, which is used to compare the data across cities, countries and ISPs. To the more paranoid BitTorrent users this might sound worrying, but it is not much different from the type of data most websites on the Internet collect. If BitTorrent decides to post anything in public – which is not certain yet – all data will be aggregated and no individual information will be revealed.

Although we believe that every BitTorrent client should ideally provide a transparent and full disclosure of the data being logged, we are rather excited about the possibilities BitTorrent Inc’s plan offers. At the moment most ISPs are rather secretive about their bandwidth management practices. A speed comparison tool for BitTorrent users can therefore be a great help in choosing an Internet provider.

TorrentFreak will keep an eye on the developments, and provide an update and hopefully a preview of the project when more information becomes available.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

“My team and I just released the pilot episode of Your Face is a Saxophone, an animated series about the advertising industry and people with inanimate objects for heads. It’s free to share, copy, modify, and released under Kopimi with CC-BY in the fine print, in case some paranoid lawyer wants something legally binding.”

“In addition to streaming it on YouTube, we’ve made it available on BitTorrent.”

“We’re taking a similar route to Pioneer One and raising money through Kickstarter to produce a full season. The difference between us and Pioneer One, of course, is that we’ve only started funding after finishing a whole pilot.”

More information is available at Yfias.com.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.