In response to a call for evidence from the House of Lords Committee on the Fraud Act 2006 and Digital Fraud, various companies, groups and organizations have been submitting their views on how the UK can tackle the rise in fraud.
The consultation closed last month and among the submissions is one headed up by the MPA with support from various entities including BBC, BPI, BSkyB, Premier League, FACT, IFPI, ITV, Publishers Association and UK Music.
The submission paints a picture of companies attempting to fight back against piracy (and by extension fraud) but subsequently facing investigative hurdles as they attempt to identify their targets.
Absence of Reliable Information
The MPA says that in order for commercial-scale pirates (such as IPTV providers & streaming platforms) to operate, they need access to legitimate services such as online hosting, advertising, payment processing and e-commerce platforms. During an investigation, these legal services are potentially important sources of information but it doesn’t always work out that way.
“[T]he problem frequently comes down to the fact that the online intermediaries providing the business infrastructure that enables the operation of the illicit service cannot supply any information that allows for the verification of the illegal service provider. That, or the information they can provide has clearly been stolen, falsified, or is incomplete or otherwise misleading,” the MPA writes.
“The ease with which nefarious actors can remain anonymous in their underlying business transactions actively facilitates both digital piracy and potentially other crimes perpetrated online, including acts of digital fraud.”
The MPA says that the lack of accurate information helps so-called Piracy-as-a-Service (PaaS) platforms to thrive. These range from ready-made pirate streaming site templates, databases containing tens of thousands of movies and TV shows, IPTV dashboards and infrastructure, through to video hosting services that obscure links to infringing content.
These services significantly lower the barriers to entry for people looking to get into the piracy business – in some cases the time to set up a piracy platform can be measured in minutes rather than days or weeks. The MPA says this provides fuel for even more fraud so the government should help by imposing strict Know Your Business Customer (KYBC) rules.
The means to achieve this goal are available in the Electronic Commerce Regulations 2002 but currently there’s no enforcement. Rightsholders would like to see an amendment introducing penalties for those who currently choose not to comply, hopefully leading to greater due diligence and subsequent rightsholder access to accurate, pirate-identifying information.
“Introducing a KYBC obligation on intermediaries that provide internet services to others would require those intermediaries to ascertain and verify the identity details of their commercial customers, irrespective of their location, before any business can be conducted between the two,” MPA adds.
The submission contains investigation summaries where a solid KYBC regime might have helped rightsholders out. One example is particularly egregious to the point of being incredible, if only from an accounting and taxation perspective.
Openload: Multi-Year Investigation Hit Anonymous ‘Dead End’
Openload was one of the largest file-hosting sites on the Internet but in 2019 and with little warning, the platform suddenly shut down taking related service Streamango with it. With more traffic than Hulu, HBO Go and Sky, that was a very big deal.
Following the initial chaos the Alliance for Creativity and Entertainment claimed responsibility for the sites’ demise. “The operator behind both pirate operations is required to stop operating the services and pay a significant damage award,” the announcement added.
Whether the requirement to pay damages led to anything actually being paid is still unknown but in comments to the UK government, the MPA suggests that due to a lack of KYBC accountability, the Openload investigation didn’t go exactly to plan.
“After a multi-year, resource-intensive investigation by MPA, this service was revealed to be hosted in and operated from within the European Union (EU), with infrastructure from EU service providers,” the MPA explains.
“When the MPA obtained a court order directing the EU hosting provider to identify its customer for Openload and two other pirate services, we hit a dead end: the listed customer was a defunct Hong Kong shell entity.”
MPA Frustration Begins in France, Ends in Asia
Documents dated 2020 seen by TorrentFreak reveal that the three sites were Openload, Streamango and RapidVideo, a file-hosting site that shut down within days of the others back in 2019. All three sites apparently used the same hosting company, described by the MPA in the documents as a “global hyper-scale cloud provider” with 300,000 servers in 28 datacenters across 19 countries.
An order issued in August 2019 by the High Court in Lille, France, required that host to hand over all information “permitting identification of the persons” who created and operated the three sites. Under the kind of KYBC regime the MPA would now like to see in place, that should’ve been possible. In the event, nothing close to that happened.
The host isn’t named by the MPA but it was almost certainly France-based OVH. Responsive documents handed over to the MPA at the time revealed that the three services paid a staggering 19 million euros in hosting fees. Bills sent to Openload and Streamango by the host were paid using either a PayPal account registered to an advertising company in Costa Rica or untraceable credit cards.
A business address provided by Openload to the hosting company led the MPA to a “dead end” in Hong Kong.
In what looks like a follow-up from the host, the MPA was informed that “the data communicated by our client are purely declarative. [Host] therefore does not possess any element permitting verification of authenticity.” Communication from another hosting company in Germany noted that the information it had on file was provided by the customer and had not been checked for accuracy.
“The introduction of KYBC obligations in the UK would address this failure by forcing UK-based intermediaries to know exactly who their business customers are,” the MPA’s submission continues.
“In MPA’s experience, concerted action on transparency in the UK and EU would have the added effect of significantly degrading the quality of the infringing services that pirate operators based overseas can provide to UK consumers by forcing them to use lower quality infrastructure based outside of Europe.”
The MPA’s submission to the Lords Select Committee can be found here