Sniffing Out Illicit BitTorrent Files
This setup means that the contents of files can be scanned directly by tapping into an Ethernet controller buffer, thereby leaving the network's traffic undisturbed. It also means that it's impossible for users to tell if a network is being monitored, Schrader says. "Our system does not modify traffic in any way, nor does it interfere in the delivery of traffic either in or out of a network," he says.

Ross Anderson, a computer-security expert at the University of Cambridge, U.K., says that the idea is nothing new. "Cisco has for years been selling kits to the Chinese government for the 'Great Firewall of China' that does just what these guys propose," he says. Similarly, an Australian firm called Brilliant Digital Entertainment sells a tool called CopyRouter that analyzes hashes to identify illegal files on other kinds of P2P networks.

Schulze adds that the approach relies on having an up-to-date list of illegal files. "The system has to update a huge list of file hashes frequently," he says. "Somebody has to qualify the hashes as copyright infringements or other criminal content."

From a legal standpoint, Schulze says that privacy may be a more significant problem. "Neither the U.S. nor any European country would allow [anyone] to install a device that inspects the traffic of every user just to stop Internet piracy," he says. "In this approach, every user is considered to be suspicious."

Even if the legal framework were to allow the technology, it is not quite ready to go. Tests of the system, details of which will be published later this year in a book called Advances in Digital Forensics V, showed that it was effective at detecting 99 percent of illicit files, but only at speeds of 100 megabits per second. That's too slow for commercial or law-enforcement purposes, according to Anderson. Schulze agrees: "One gigabit per second or ten gigabits per second are required today to monitor a network."

He also says that it is unclear whether the system might produce false positives, incorrectly labeling legitimate files as illegal. Another drawback is that the system cannot cope with encrypted files. "Today, about 25 percent of BitTorrent traffic is encrypted," says Schulze. If such a tool became widely used, then anyone with something to hide would almost certainly switch to using encryption, he says.








