Obtained by entertainment industry companies, largely in the movie, TV and music sector, traditional orders target torrent, streaming and file-hosting platform websites, with ISPs taking measures to prevent subscribers from accessing them by ordinary means.
More recently, sports companies such as The Premier League, Matchroom Boxing, and Queensbury Promotions have obtained injunctions to block live sports broadcast by unlicensed streaming providers, mostly IPTV services.
While the aims of these injunctions are broadly similar, blocking pirated IPTV broadcasts is a more complex affair since the targeted servers and systems are less static than traditional websites. Nevertheless, the anti-piracy vendors involved in these projects enjoy a level of success but how they actually achieve this is largely shrouded in mystery.
Today we can reveal one interesting aspect that has been hinted at previously but never fully explored – the cooperation of at least one major ISP in the UK.
Court Documents Provide a General Background
As far back as 2017, there were indications that despite being defendants in blocking injunction legal action, one or more ISPs actively helped the sports company applicants in their quest to have pirate streams blocked in the UK.
Then, two years ago, we reported on comments made by Friend MTS, a UK-based anti-piracy company that works with the Premier League and ISPs, which also confirmed a level of ISP cooperation.
However, limited information made available as part of a blocking injunction obtained by UEFA in 2020 put even more meat on the bones, suggesting that Sky had been monitoring the traffic of subscribers accessing pirate servers.
In recent weeks, an anonymous source shared a small trove of information relating to the systems used to find, positively identity, and then ultimately block pirate streams at ISPs. According to the documents, the module related to the Premier League work is codenamed ‘RedBeard’.
The activity appears to start during the week football matches or PPV events take place. A set of scripts at anti-piracy company Friend MTS are tasked with producing lists of IP addresses that are suspected of being connected to copyright infringement. These addresses are subsequently dumped to Amazon S3 buckets and the data is used by ISPs to block access to infringing video streams, the documents indicate.
During actual event scanning, content is either manually or fingerprint matched, with IP addresses extracted from DNS information related to hostnames in media URLs, load balancers, and servers hosting Electronic Program Guides (EPG), all of which are used by unlicensed IPTV services.
Confirmed: Sky is Supplying Traffic Data to Assist IPTV Blocking
The big question then is how the Premier League’s anti-piracy partner discovers the initial server IP addresses that it subsequently puts forward for ISP blocking.
According to documents reviewed by TF, information comes from three sources – the anti-piracy company’s regular monitoring (which identifies IP addresses and their /24 range), manually entered IP addresses (IP addresses and ports), and a third, potentially more intriguing source – ISPs themselves.
“ISPs provide lists of Top Talker IP addresses, these are the IP addresses that they see on their network which many consumers are receiving a large sum of bandwidth from,” one of the documents reveals.
“The IP addresses are the uploading IP address which host information which the ISP’s customers are downloading information from. They are not the IP addresses of the ISP’s customer’s home internet connections.”
The document revealing this information is not dated but other documents in the batch reference dates in 2021. At the time of publishing date, the document indicates that ISP cooperation is currently limited to Sky Broadband only. TorrentFreak asked Friend MTS if that remains the case or whether additional ISPs are now involved.
“While the details of our content protection technology engagements with our customers are strictly confidential, we can confirm that neither Sky nor any other ISP provides Friend MTS with any customer data, and they never have done so,” a spokesperson said.
It appears that instead of monitoring customer IP addresses, Sky is compiling data on which IP addresses subscribers are pulling most data from during (and potentially before) match or event times. Sky then uploads the highest-trafficked IP addresses along with the port the traffic is streamed on to the S3 bucket mentioned above, every five minutes. It is then accessed by the anti-piracy company which, every five minutes, extracts the IP, bandwidth rate, and the port number that bandwidth is on.
At the time of the document’s publication, the Sky ‘Top Talker’ threshold for the Premier League’s ‘RedBeard’ module was 100mbps. The IP address information provided by the ISP that exceeds this limit then appears to be cross-referenced by IP address and port number with data obtained during game week scanning at Friend MTS. It is then processed accordingly.
Sky today, more ISPs tomorrow?
While the documents indicate that ISPs (plural) provide ‘Top Talker’ IP address lists, as far as we can see only Sky is cooperating at the moment. However, the Premier League is reportedly seeking cooperation from additional ISPs too. This would prove obviously helpful in identifying potential ‘pirate’ servers and infrastructure so they can be tested and subjected to blocking, when appropriate.
In summary, it appears that Sky subscribers aren’t being directly monitored per se, but the servers they draw most bandwidth from are being noted by Sky and that data is being forwarded for anti-piracy enforcement. This means that Sky subscribers’ piracy habits are directly providing information to support Premier League, Matchroom Boxing, and Queensbury Promotions blocking efforts.
Whether that will affect IPTV providers’ attitudes towards Sky customers moving forward remains a question.