Voltage Holdings is one of many mostly American movie companies that have attempted to turn piracy into profit over the last 15 years. A lawsuit the company filed in Canada is broadly the same as others filed elsewhere but the same cannot be said about the outcome.

Background

In 2017, piracy monitoring company Maverickeye collected IP addresses of BitTorrent users sharing the Voltage-owned sci-fi movie ‘Revolt’. Canada operates a so-called ‘notice-and-notice’ regime so Voltage identified the ISPs related to the IP addresses and warning notices were sent to the relevant subscribers. Second notices were sent after Maverickeye found the same IP addresses sharing the same work a week or more later.

In March 2018, Voltage filed a statement of claim against 110 ‘Doe’ defendants, identified only by their IP addresses. Voltage later obtained a so-called Norwich order which compelled the ISPs to disclose the names and addresses of the subscribers.

Voltage labeled a subset of those subscribers “the worst of the worst” and since they failed to respond, the company requested default judgment at Canada’s Federal Court.

Justice Angela Furlanetto agreed the defendants were in default but since Voltage only presented IP address-based evidence, questions remained over who had actually shared the movie.

The Judge said that there wasn’t enough evidence to show a direct link to the subscriber or draw an adverse inference. Voltage argued that if the subscriber wasn’t the infringer, the fact that they had already received warnings under Canada’s ‘notice-and-notice’ regime, among other things, meant that they should be held liable for ‘authorizing’ infringement carried out by others.

In June 2022, Justice Furlanetto declined default judgment but also refused to dismiss the case. Voltage was given more time to present evidence to support direct infringement or authorization but the company took its case to the Federal Court of Appeal instead.

Basis for Voltage’s Appeal

In its 36-page memorandum filed in November 2022, Voltage outlined two legal theories; either the billpayers pirated the movie themselves (direct infringement), or they authorized someone else’s direct infringement by allowing them to continue pirating Voltage’s movie, despite receiving warning notices from their ISPs.

Arguments were heard on March 28, 2023, and three appeal court judges (Justices Donald J. Rennie, David W. Stratas, Wyman W. Webb) handed down their judgment last week.

The judgment says that the appeal engages two issues: the jurisprudence on what constitutes direct infringement and authorizing infringement, and the burden of proof and circumstances under which an adverse inference can be drawn.

“These issues are closely interrelated. The jurisprudence with respect to the law of copyright determines the minimum evidentiary requirements to establish the asserted types of infringement; in other words, the jurisprudence constrains the extent to which an adverse inference may be drawn in the context of online copyright infringement,” the judgment reads.

Judgment Guided By Supreme Court Ruling in 2022

According to Voltage, once it had presented all “technologically available” evidence to the Court, a “tactical burden of proof” shifted to the internet subscribers. This effectively meant they had to show they were not the infringers. In respect of its authorization claims, Voltage said that Justice Furlanetto was wrong to insist on more evidence; the fact that the subscribers received notices yet failed to control their internet connections was sufficient.

The judgment deals with the authorization claims first, guided by a Supreme Court decision handed down in 2022 in Society of Composers, Authors and Music Publishers of Canada v. Entertainment Software Association .

“The Supreme Court endorsed the Copyright Board’s determination that ‘it is the act of posting [the work] that constitutes authorization’ because the person who makes the work available ‘either controls or purports to control the right to communicate it’ and ‘invites anyone with Internet access to have the work communicated to them. The authorizer is the individual directly engaging with the copyrighted material,” the judgment clarifies.

As a result, the Court of Appeal says that whoever used the subscribers’ internet connections to make Voltage’s movie available for download, authorized the infringement. The Supreme Court found that an authorizer permits reproduction but Voltage claims that an authorizer is someone who permits someone to permit reproduction.

The difference in opinion would prove fatal.

Collisions in Copyright Law

Justice Rennie says the Voltage appeal fails to show “any reversible error” in the Federal Court’s decision. Furthermore, Voltage’s arguments on authorization are “inconsistent” with the Supreme Court’s 2022 decision. Voltage’s claims of direct infringement also run into trouble.

“Although it accepted that individuals using each respondents’ IP address had infringed the appellant’s copyright by uploading the Work, the Federal Court found that it could not conclude at this time that the respondents were themselves those particular
individuals. I agree,” Justice Rennie writes.

On the question of a subscriber’s failure to defend, the Judge agrees that can lead to an adverse inference. However, just because a defendant is found to be in default at an early stage, it does not necessarily follow that an adverse inference should be drawn at the same stage.

“If the fact that a defendant was in default automatically allowed for adverse inferences at the second stage of the test for motions for default judgment, plaintiffs on ex parte motions for default judgment would need to present no evidence to the court in order to be successful. Some evidence is required,” Justice Rennie continues.

Indeed, the Federal Court held that “something more is needed than the bare assertion that a subscriber is, by default, the user responsible for infringement.” Voltage failed to provide sufficient evidence, the Court of Appeal notes, so no adverse inference could be drawn.

Court of Appeal Tightens the Noose

Voltage’s reliance on infringement warnings to show subscribers’ failure to exercise control – over internet connections and connected devices – fails.

As clarified in the Supreme Court decision, authorization depends on the alleged authorizer’s control over the person who committed the resulting infringement; it does not depend on the alleged authorizer’s control over the supply of their technology.

Furthermore, to establish an infringing activity, there must be evidence to show what the activity does to the work in question.

“Posting a work online and inviting others to view it engages the author’s authorization right; however, sharing internet access after receiving notices of alleged infringement does nothing to the work in question, and does not therefore engage any copyright interest granted to the author exclusively,” the Court of Appeal notes.

Conclusion: Voltage’s Appeal is Dismissed

From the judgment: “In the factual matrix of this case and at this relatively early stage of this case, the defendants’ lack of participation in litigation does not offset the plaintiff’s lack of evidence.

“The Federal Court was not obligated to draw an adverse inference at this stage of the litigation merely because the respondents had, by their silence, not put forward sufficient evidence to rebut the appellant’s allegations,” Justice Rennie concludes.

For these reasons, Justices Rennie, Stratas, and Webb, dismissed the appeal.

The full judgment is available here ( pdf )

From: TF , for the latest news on copyright battles, piracy and more.

Following the creation of its Hadopi anti-piracy agency over 13 years ago, France monitored and stored data on millions of users suspected of infringing copyrights.

The majority were BitTorrent users and the plan was to use evidence of their piracy activities as a basis for escalating actions including warnings, fines, and ultimately, internet disconnections.

Operating the program for a decade cost French taxpayers 82 million euros ($86.5 million) but according to digital rights group La Quadrature du Net, Hadopi’s “mass internet surveillance” destroyed citizens’ fundamental right to privacy.

In its quest to hold Hadopi to account, La Quadrature du Net highlighted one of the program’s implementing decrees, which authorizes the creation of files containing internet users’ IP addresses plus personal identification data obtained from their internet service providers.

In the belief that represents a breach of EU data protection laws, the digital rights group, ISPs, and other like-minded supporters, took their fight to the French legal system.

Referral to the EU’s Highest Court

In the vast majority of cases, senior judges in EU member states have little need to consult Europe’s highest court. At least in theory, all countries are already in compliance with EU law but every now and again, the gravity of specific cases becomes apparent, resulting in a referral seeking clarification on how EU law should be interpreted.

In advance of a full ruling, the conundrum posed by the French referral was evident in a non-binding opinion handed down last October by CJEU Advocate General Maciej Szpunar.

Under EU law, member states may not pass national laws that allow for the general and indiscriminate retention of citizens’ traffic and location data. Retention of such data is permitted on a targeted basis, but only as a “preventative measure” for the purposes of fighting “serious crime.” In respect of the information held by Hadopi, the Advocate General found that when the data points are combined, it’s possible to link French citizens’ identities with the content they access.

The CJEU’s top legal advisor described the Hadopi situation as “serious interference with fundamental rights” but short of accepting “general impunity for offenses committed exclusively online,” something would have to give. The compromise suggested last year would require “readjustment of the case-law of the Court” to allow rightsholders to enforce their rights when an IP address is the only means by which an infringer can be identified (CJEU, pdf ) .

Advocate General Delivers Opinion (Case C-470/21)

The opinion delivered Thursday begins with an overview of Hadopi and the methods it uses to deter online piracy. By monitoring initial and subsequent acts of infringement and maintaining relevant databases, it’s possible to identify repeat infringers eligible for the next deterrent steps. A decree adopted in 2010 allows Hadopi to request subscriber information from ISPs in response to the provision of IP addresses, mostly obtained from BitTorrent swarms.

The legal proceedings brought by La Quadrature du Net and the Federation of Associative Internet Service Providers, French Data Network, and Franciliens.net, seek to establish whether the collection of civil identity data corresponding to IP addresses, and subsequent automated processing of data to protect of intellectual property, are compatible with EU law absent a review by a court or independent administrative body.

The short answer from the AG’s opinion is that Article 15(1) of Directive 2002/58 ( pdf ) must be interpreted as not precluding national legislation which allows ISPs and other electronic communications services to retain, and an administrative authority such as Hadopi to access, civil identity data corresponding to IP addresses for the purposes of identifying suspected infringers.

No court or review body needs to be involved, but use of such data is only permitted when it is the only means of investigation that can enable a suspected infringer to be identified.

Discussion and Reasoning

In the opinion of AG Szpunar, there is a need to reconcile the rights at issue; the protection of private life and personal data on one hand, and the right to property enshrined in Article 17 of the Charter , which the graduated response mechanism seeks to uphold by protecting copyright and related rights.

The opinion notes that “the great majority” of the IP addresses communicated by Hadopi are dynamic IP addresses, which only correspond to a specific identity at a single moment, which preclude any exhaustive tracking.

“I must emphasise that the protection of fundamental rights on the internet does not in my view justify access to the data relating solely to the IP address, the content of a work and the identity of the person who made it available in breach of copyright not being permitted, but means only that the retention of and access to those data must be accompanied by guarantees,” his opinion continues.

“To my mind, an analogy with the real world is telling: a person suspected of having committed theft cannot rely on his or her right to protection of his or her private life to prevent those responsible for prosecuting that offense from ascertaining what the content stolen is. On the other hand, that person may rightly rely on his or her fundamental rights to ensure that, during the proceedings, access will not be provided to more extensive data than just the data necessary for the classification of the alleged offense.”

No Mass Surveillance But a Proportionate Response

The digital rights groups’ legal action characterizes the Hadopi program as a general surveillance and data retention scheme, operating contrary to fundamental rights. AG Szpunar finds otherwise, noting that there doesn’t even appear to be general surveillance of the users present in peer-to-peer networks.

“That procedure does not involve monitoring their entire activity on a given network in order to determine whether they have made a work available in breach of copyright, but rather determining, on the basis of a file identified as counterfeit, the holder of the internet access through which the user made the content available,” his opinion reads.

“[I]t is not a question of monitoring the activity of all users of peer-to-peer networks, but only that of persons uploading infringing files, as the uploading of those files reveals much less information about the person’s private life because files may be uploaded for the sole purpose of enabling those users then to download other files.”

Inevitable Outcome in Favor of Rightsholders

The overall conclusion reached by the Attorney General considers the purpose for which the data is harvested and the challenges of identifying suspected online infringers by other means. The inability to establish a detailed profile of a person’s private life via a dynamic IP address is cited on one hand, while the critical value of an IP address in an investigation sits somewhat uncomfortably on the other.

“[I]t follows from the actual case-law of the Court that, where an offense is committed exclusively online, such as an infringement of copyright on a peer-to-peer network, the IP address may be the only means of investigation enabling the person to whom that address was assigned at the time of the commission of the infringement to be identified,” the AG continues.

In closing, the retention and access to civil identifying data, corresponding to an IP address for the purposes of prosecuting online infringements, is described as “strictly necessary” and “wholly proportionate” to the objective pursued

“Such an interpretation is in my view inevitable,” the AG notes, “unless it is accepted that a whole range of criminal offenses may evade prosecution entirely.”

The CJEU’s summary and AG Szpunar’s full opinion are available here ( pdf ) and here .

CJEU note: The Advocate General’s Opinion is not binding on the Court of Justice. It is the role of the Advocates General to propose to the Court, in complete independence, a legal solution to the cases for which they are responsible. The Judges of the Court are now beginning their deliberations in this case. Judgment will be given at a later date

From: TF , for the latest news on copyright battles, piracy and more.

In 2003, the World Wide Web was still in its infancy. Dial-up connections were still the default and YouTube, Facebook, and Gmail had yet to be invented.

There was a new technology making waves at the time. BitTorrent made it much easier for people to transfer large files, opening the door to unlimited video-sharing without restraints.

Many people started experimenting with BitTorrent by sharing pirated films and TV shows. These files made their way all over the world and remained available as long as all pieces were shared in the swarm.

Most of these early releases remained available for a few days or weeks, and some lasted well over a year before people lost interest. In extreme cases, some torrents have managed to survive for over a decade.

The Fanimatrix Torrent Turns 20

The oldest surviving torrent we have seen is a copy of the Matrix fan film “ The Fanimatrix ”. The torrent was created in September 2003 and will turn 20 years old in a few days. A truly remarkable achievement.

The film was shot by a group of New Zealand friends. With a limited budget of just $800, nearly half of which was spent on a leather jacket, they managed to complete the project in nine days.

While shooting the film was possible with these financial constraints, finding a distribution channel proved to be a major hurdle. Free video-sharing services didn’t exist yet and server bandwidth was still very costly.

Technically the team could host their own server, but that would cost thousands of dollars, which wasn’t an option. Luckily, however, the group’s IT guy, Sebastian Kai Frost, went looking for alternatives.

Promising New Technology

Frost had a bit part in the film and did some other work as well, but the true breakthrough came when he stumbled upon a new technology called BitTorrent. This appeared to be exactly what they were looking for.

“It looked promising because it scaled such that the more popular the file became, the more the bandwidth load was shared. It seemed like the perfect solution,” Frost told us earlier.

After convincing the crew that BitTorrent was the right choice, Frost created a torrent on September 28, 2003. He also compiled a tracker on his own Linux box and made sure everything was running correctly.

Today, more than twenty years have passed and the torrent is still up and running with more than a hundred seeders. As far as we know, it’s the oldest active torrent on the Internet, one that deserves to be in the history books.

A Proper Celebration for the 25th?

Initially, there was a plan to celebrate the 20th anniversary but that hasn’t come to fruition. Some of the original cast members have fairly successful careers now and are scattered around the world, so getting the team back together is a challenge.

Director and writer Rajneel Singh, who is still active in the film industry, would like to do something special for the 25th anniversary. Frost says that there is a plan to get the cast together to shoot and release a new clip, perhaps coupled with some fresh “Fanimatrix” merchandise.

Whether the torrent will still be going by that time is unclear, but Frost will do everything in his power to make that happen.

“I never expected to become the world’s oldest torrent but now it’s definitely become a thing I’d love to keep carrying on. So I’ll be keeping this active as long as I physically can,” Frost tells us.

There were a few times that the torrent almost died but after the news broke that this was the oldest active torrent, dozens of people stepped forward to donate their bandwidth.

“It’s really heartening seeing the community pull together around this torrent, despite its usually low transfer count, and work together to keep it alive and kicking. It warms my heart on the daily.”

“We’re super pumped that it’s still going and that people still take an interest in it. Looking forward to the 25th and having something special to share with the world,” Frost concludes.

From: TF , for the latest news on copyright battles, piracy and more.

While BitTorrent client functionality hasn’t fundamentally changed over the past 20 years, developers of leading clients haven’t let their software stagnate.

A good example is the excellent qBittorrent , a feature-rich open source client which still receives regular updates. In common with similar clients, qBittorent can be found on GitHub along with its source and installation instructions.

Elsewhere on the same platform, users were recently trying to work out how a standard qBittorrent install suddenly led to the appearance of unwanted cryptocurrency mining software on the same machine.

Proxmox and LXC

For those unfamiliar with Proxmox VE , it’s an environment for virtual machines that once tried becomes very useful, extremely quickly. It’s also free for mere mortals and in most circumstances, very easy to install and get up and running.

With help from various Proxmox ‘helper scripts’ offered by tteck on GitHub (small sample to the right), even beginners can install any of dozens of available software packages in a matter of seconds using LXC containers .

Even if none of that makes sense, it doesn’t matter. Those who want qBittorrent installed, for example, can copy and paste a single line of text into Proxmox…and that’s it. Given that the whole process is almost always flawless, user issues are very rare, so to hear of a possible malware infection came as a real shock recently

Cryptominer Discovery

In summary, a Proxmox user deployed a tteck script to install qBittorrent and then a month later found his machine being worked hard by cryptomining software known as xmrig . While he investigated the problem, tteck removed the qBittorrent LXC script as a basic precaution, but it soon became clear that neither Proxmox or tteck’s script had anything to do with the problem.

The unwelcome software was indeed installed maliciously, but due to a series of avoidable events, rather than a genius hack.

When a qBittorrent installation like this completes and the software is launched, access to qBittorent takes place through a web interface accessible from most web browsers. By default, qBittorrent uses port 8080 and since many users like to access their torrent clients from remote networks, qBittorrent uses UPnP (Universal Plug and Play) to automate port forwarding, thereby exposing the web interface to the internet.

Having this working in record time is all very nice, but that doesn’t mean it’s safe. To ensure that only the operator of the client can access the web interface, qBittorrent allows the user to configure a username and a password for authentication purposes.

This generally means that random passers-by will need to possess these credentials before being able to do damage. In this case, the default admin username and password were not changed and that allowed an attacker to easily access the web interface.

Attacker Told qBittorrent to Run an External Program

To allow users to automate various tasks related to downloading and organizing their files, qBittorrent has a feature that can automatically run an external program when a torrent is added and/or when a torrent is finished.

The options here are limited only by the imagination and skill of the user but unfortunately the same applies to any attacker with access to the client’s web interface.

In this case the attacker told the qBittorrent client to run a basic script on completion of a torrent. The script accessed the domain http://cdnsrv.in from where it downloaded a file called update.sh and then ran it. The consequences of that are explained in detail by tteck , but the main points are a) unauthorized cryptomining on the host machine and b) the attacker maintaining root access via SSH key authentication.

Easily Avoided

The default admin username for qBittorrent is ‘admin’ while the default password is ‘adminadmin’. Had these common-knowledge defaults been changed following install, the attacker would still have found the web interface but would’ve had no useful credentials for conventional access.

More fundamentally, possession of the correct credentials would’ve had limited value if the qBittorrent client hadn’t used UPnP to expose the web interface in the first place. Taking another step back, if UPnP hadn’t been enabled in the user’s router, qBittorrent would’ve had no access to UPnP, and wouldn’t have been able to forward ports or expose the interface to the internet.

In summary: disable UPnP in the router and only enable it once its function is fully understood and when absolutely necessary. Never leave default passwords unchanged, and if something doesn’t need to be exposed to the internet, don’t expose it unnecessarily.

Finally, it’s worth mentioning that tteck ‘s response, to a problem that had nothing to do with Proxmox or his scripts, has been first class. Anyone installing the qBittorrent LXC from here will find the default admin password changed and UPnP disabled automatically.

Any time saved can be spent on automated installs of Plex, Tautulli, Emby, Jellyfin, Jellyseerr, Overseerr, Navidrome, Bazarr, Lidarr, Prowlarr, Radarr, Readarr, Sonarr, Tdarr, Whisparr, and many, many more.

From: TF , for the latest news on copyright battles, piracy and more.

Over the past several years, adult entertainment company Strike 3 Holdings has filed thousands of copyright cases in U.S. federal courts.

These lawsuits target people whose Internet connections were allegedly used to download and share copyright-infringing content via BitTorrent.

Rare File-Sharing Trial

Many of these cases result in private settlements and are never heard of again. On occasion, however, a defendant decides to push back. A case that was initially filed against a “John Doe” in Florida, made it all the way to the final trial preparations.

It’s unusual for such a file-sharing case to be so heavily litigated since that’s quite costly for both sides. The prospect of a potential jury trial is even rarer, but neither Strike 3 nor the defendant, who was later named as John Adaire, wanted to give in.

The case has plenty of nuances but, in essence, the main question was whether Adaire downloaded and shared 36 of Strike 3’s porn videos without permission. According to the adult company, the evidence was clear as day.

Opposing Views

Strike 3 previously informed the court that it repeatedly found an IP address, assigned to the defendant, sharing pirated movies. This was backed up by technical evidence as well as other expert testimony.

The adult company further accused the defendant of destroying evidence by wiping data from his desktop computer, mishandling a hard drive, and reinstalling the operating system on his laptop.

For his part, the defendant drew the court’s attention to Strike 3’s piracy evidence, suggesting that it was below par.

The adult company uses tracking software to monitor the IP addresses in BitTorrent swarms. Similar to other rightsholders, this is then recorded in ‘PCAP’ evidence files. However, Strike 3 developed its “VXN” tracking technology in-house, which makes it little more than ‘circumstantial’ evidence.

No Trial

The case was scheduled to go to trial this week, and attorneys and jurors were all getting ready for several days of court action. On Sunday evening, however, there was a sudden breakthrough after the parties reached a confidential settlement.

“Parties have finalized and executed, by way of written agreement, a final settlement resolving all claims raised in this case. Based on such resolution, the Parties notify the Court that a trial would be moot,” they informed the court.

Due to the confidential nature of the settlement, it’s not clear if either party agreed to pay compensation. And the fact that both sides are content with the outcome doesn’t give anything away either.

Everybody Happy?

Defense attorney Curt Edmondson informs us that the dispute was amicably resolved to the satisfaction of all. Strike 3’s lawyer Christian Waugh is also content with how the lawsuit was resolved.

Strike 3 sees the outcome as “historic”, in part due to the permanent injunction agreed as part of the settlement deal.

A case like this, where my client obtained summary judgment on Defendant’s counterclaim and the judge actually found that the Defendant spoliated evidence, is not one that is appropriate for wasting a judge or jury’s time in trial.

This injunction, which has yet to be signed by the Florida court, stipulates that the defendant will have to pay $125,000 in damages if they infringe any of Strike 3’s copyrights in the future.

“The injunction itself is a historic result for content creators and owners like my client,” Waugh tells TorrentFreak. “There are extraordinary penalties, including contempt, if Defendant ever violates the injunction imposed by the Court,”

The defense attorney adds some nuance to the injunction by pointing out that his client never downloaded any of Strike 3’s movies and has no plans to do so. This means that the massive penalty for any future infringements should never come into play.

“An injunction is for future acts. As the defendant did not download Strike 3’s movies, he has no desire or interest to do so in the future,” Edmondson notes.

“I was surprised that Strike 3 wanted to settle,” he adds, noting that earlier this year Strike 3 seemed determined to prove that their evidence was reliable. The defense, however, had a different take.

“The reality was that the raw PCAP data was extremely weak and closed to non-existent. We mapped the PCAPs and recreated .MP4 files from the PCAP data and nothing was playable. Strike 3 could have taken us to trial and they chose not to.”

The fact that improperly accused defendants cannot claim massive damages awards like copyright holders can, settling the matter made the most sense. Especially since one never knows what a Jury will decide.

More Lawsuits Pending

Now that the trial is out of the way, Strike 3 can focus on the many hundreds of open lawsuits filed at U.S. federal courts. The company is currently on track to set a new all-time record for the number of complaints filed in a year.

While some have labeled this activity as copyright trolling , Strike 3 points out that it’s a legitimate copyright holder, merely protecting its rights.

“The point of my client’s litigation is not personal or to harm any defendant, it is to protect its rights under the Copyright Act, which has been done in this case,” Strike 3’s attorney concludes.

—

A copy of the joint notice of resolution is available here (pdf) and the permanent injunction that’s referenced above can be found here (pdf)

From: TF , for the latest news on copyright battles, piracy and more.

The word ‘open’ in a connected world can be something positive. Open source, for example, or open library. On other occasions the opposite can be true; unnecessary ports left open on a router springs to mind.

For millions of people using devices that appear to configure themselves, whether something is open or closed is irrelevant. If a device immediately works as promised, oftentimes that’s good enough. The problem with some internet-connected devices is that in order to immediately work in the hands of a novice, security gives way to ease of use, and that can end in disaster.

Torrent Client WebUI

Many of today’s torrent clients can be operated via a web interface, commonly known as a WebUI. A typical WebUI is accessed via a web browser, with the client’s IP address and a specified port number providing remote access.

In a LAN environment (the part of a network behind the router, such as a home) the torrent client’s web interface serves local users, i.e those with direct access to the local network, typically via Wifi. The problems begin when a torrent client’s WebUI is exposed to the wider internet. In broad terms, instead of the client being restricted to IP addresses reserved for local uses (starting 192.168.0.0 or 10.0.0.0), anyone with a web browser anywhere in the world can access the UI too.

In many cases, a WebUI can be secured with a password or by other means but when users are allowed to do that themselves, many never do, despite the warnings. That could end in disaster if the wrong person decides to let rip from the other side of the world.

Specialized Search Engines

Internet-connected devices are easily found using services such as Shodan , Censys , Fofa and Onyphe.io and those that are poorly configured are in plentiful supply.

The image above shows a WebUI for the Tixati torrent client. With zero security, everything is on full display, just as it is for the person who operates the client, whoever they might be. This means that all downloads and uploads can be browsed, including data related to those transfers, as seen below.

When the French government formed a new anti-piracy agency called Hadopi, the mission was to significantly disrupt BitTorrent and similar peer-to-peer file-sharing networks.

Hadopi was a pioneer of the so-called “graduated response” scheme which consists of monitoring a file-sharer’s internet activities and following up with a warning notice to deter their behavior. Any future incidents attract escalating responses including fines and internet disconnections. Between 2010 and 2020, Hadopi issued 12.7 million warning notices at a cost to French taxpayers of 82 million euros .

The program’s effect on overall piracy rates remains up for debate but according to French internet rights groups, Hadopi doesn’t just take citizens’ money. When it monitors citizens’ internet activities, retains huge amounts of data, and then links identities to IP addresses to prevent behavior that isn’t a “serious crime,” Hadopi violates fundamental rights.

Protecting Rights

Despite its authorization under the new law, the official launch of the Hadopi agency in 2009 met with significant opposition. File-sharers had issues with the program for obvious reasons but for digital rights group La Quadrature du Net , massive internet surveillance to protect copying rights had arrived at the expense of citizens’ fundamental right to privacy.

La Quadrature’s opposition to the Hadopi anti-piracy program focuses on the law crafted to support it. One of the implementing decrees authorizes the creation of files containing internet users’ IP addresses plus personal identification data obtained from their internet service providers.

According to the digital rights group’s interpretation of EU law, that is unlawful.

Legal Challenge in France

With support from the Federation of Associative Internet Service Providers, French Data Network, and Franciliens.net, in 2019 La Quadrature filed an appeal before the Council of State ( Conseil d’État ), requesting a repeal of the decree that authorizes the processing of personal information.

The Council of State referred the matter to the Constitutional Council and its subsequent decision gave La Quadrature the impression that Hadopi’s position was untenable. For their part, Hadopi and the government reached the opposite conclusion.

Legal Challenge Reaches CJEU

The Council of State heard La Quadrature’s appeal and then referred questions to the Court of Justice of the European Union (CJEU) for interpretation under EU law.

EU member states cannot pass national laws that allow for the general and indiscriminate retention of traffic and location data. As a “preventative measure” on a targeted basis, retention of traffic and location data is permitted, but only when the purpose of retaining the data is to fight “serious crime.”

In CJEU Advocate General Szpunar’s non-binding opinion issued last October, friction between privacy rights and the ability to enforce copyrights were on full display.

Hadopi vs. Fundamental Rights

AG Szpunar described Hadopi’s access to personal data corresponding to an IP address as a “serious interference with fundamental rights.” These data points may not be sensitive in isolation but when combined, a person’s identity finds itself attached to the IP address and the content that was accessed behind it.

However, in common with criminal cases where retention is permitted when an IP address is the only means of investigation, the AG concluded that the same should apply in Hadopi’s case, “short of accepting general impunity for offenses committed exclusively online.”

Faced with an opinion that recognizes difficulties faced by rightsholders but runs up against case-law, AG Szpunar proposed “readjustment of the case-law of the Court.” This would ensure that rightsholders retain the ability to enforce their rights, when an IP address is the only means by which an infringer can be identified (CJEU, pdf) .

The first hearing in the case took place on Tuesday with another legal opinion expected late September 2023.

The CJEU is expected to hand down its ruling before the end of the year.

From: TF , for the latest news on copyright battles, piracy and more.

In the United States, consumer ISPs have been handing over the identities of suspected BitTorrent pirates for years, mostly because a court has compelled them to as part of a copyright infringement lawsuit. It’s not particularly difficult for rightsholders to take this route, but it can be expensive.

In the early 2000s, the RIAA hoped to cut costs by obtaining the details of Verizon customers via the DMCA subpoena process. That ultimately failed in 2005 when a court found that subpoenas under section 512(h) only apply to ISPs that directly store, cache, or provide links to infringing material.

That decision settled the waters for years but didn’t prevent BMG and anti-piracy partner Rightscorp from trying to identify 30,000 subscribers of ISP CBeyond in 2014. A year later, a court sided with the ISP and rejected calls for a more progressive reading of the law.

“It is the province of Congress, not the courts, to decide whether to rewrite the DMCA in order to make it fit a new and unforeseen internet architecture and accommodate fully the varied permutations of competing interests that are inevitably implicated by such new technology,” the judge wrote .

Congress Not Needed

Even though Congress still hasn’t rewritten the DMCA, movie studios known for tracking down alleged BitTorrent pirates in pursuit of cash settlements are increasingly using the DMCA subpoena system anyway. During 2022 and early 2023, Voltage Pictures, Millenium Funding, LHF Productions, and Capstone Studios obtained DMCA subpoenas targeting customers of CenturyLink (now Lumen).

The first request of 2022 targeted ‘just’ 13 subscribers , the next sought to unmask 63 .

Last month a court clerk’s signature approved the pursuit of another 150 CenturyLink customers and soon after another ISP’s subscribers would begin feeling the heat.

Billion Dollar Headache

Like competitor CenturyLink, Cox Communications declined to take part in the ‘ Six Strikes ‘ anti-piracy initiative in the United States back in 2013. Eventually a more traditional piracy reduction method would resurface.

In 2019, the major recording labels of the RIAA successfully argued that Cox could be held liable for copyright infringements carried out by its customers. A Virginia federal jury found the ISP contributorily and vicariously liable and awarded the labels $1 billion in damages .

One billion dollars is a huge amount but Cox was also concerned about other things ; being forced to disconnect subscribers “based on a few isolated and potentially inaccurate allegations” and concerns that the interests of rightsholders were being elevated above those of “ordinary, and often blameless, people who depend on the internet.”

To this background of liability for subscribers’ infringements, while defending the public against potentially baseless claims, Cox Communications now finds itself in the middle of another piracy dilemma.

Another Controversial DMCA Subpoena

The same movie studios that have been targeting CenturyLink subscribers for more than a year have decided that Cox subscribers should receive similar treatment.

Last month, Voltage Holdings, Millennium Funding, and Capstone Studios, filed an application for a DMCA subpoena to compel Cox Communications and CoxCom LLC to hand over the details of allegedly infringing customers.

Court documents list 41 IP addresses (four of which are duplcates) alleging that corresponding subscribers can be found in Virginia, Louisiana, Nevada, Arizona, Rhode Island, Oklahoma, California, Connecticut and Kansas. The majority stand accused of downloading and/or sharing the 2022 movie, ‘Fall.’

Most of the alleged pirates are linked with copies of the movie labeled [YTS.MX], a reference to YTS, the most popular torrent site on the planet . Millenium Media was one of the companies behind a lawsuit and subsequent $1m settlement with YTS back in 2020, which didn’t require the site to shut down.

Sign on the Line

Filed in a Hawaii district court, the application for DMCA subpoena follows a now-familiar format. The application notes that since all required paperwork is in order, it’s the clerk’s responsibility alone to act as the law requires.

“512(h)(4) provides that the Clerk, not a Judge should issue and sign the proposed subpoena,” it reads.

In common with the subpoenas against CenturyLink, the Cox application describes in detail how courts have ruled that DMCA subpoenas don’t apply to conduit ISPs. However, the application says that given developments in recent years (specifically, a lawsuit BMG filed against Cox itself ), there’s a belief that the Tenth Circuit will eventually find that 512(h) does apply to conduit ISPs after all.

“For these reasons, the undersigned request that the Clerk of the Court expeditiously issue and sign the proposed subpoena and return it to the undersigned…to be served on the service provider,” it concludes.

The DMCA subpoena application was signed by the clerk the very same day so, in all likelihood, Cox has already been served. Cox hasn’t filed a motion to quash as far as we know, which may suggest it intends to recognize the validity of the subpoena by handing over its subscribers’ details to the movie studios.

512(h) is Ambiguous, Concentrate on the Clerk

In a 2021 submission to the Copyright Office on the CASE Act, the powerful Copyright Alliance noted a submission by Verizon which called for the Office to “create guidance for its Claims Attorneys that any Section 512 (h) subpoenas directed to a Section 512 (a) mere conduit service provider must be issued by a federal judge and not by a clerk of a court.”

Describing the issue as “highly contested” and 512(h) itself as “ambiguous” according to the Copyright Office, the Copyright Alliance pointed out that it isn’t the Copyright Claims Board’s job to get involved.

“In any event, it is the clerk of a federal district court – not the CCB – who will determine whether to issue a subpoena under Section 512(h),” the Alliance advised.

Presumably this is exactly what Congress intended, or maybe not. Either way, ISPs with repeat infringer lawsuits pending seem unlikely to rock the boat in a rush to find out.

ISPs on firmer footing probably won’t find themselves targeted in future applications but that won’t stop them being filed, most likely in increasing numbers.

The DMCA subpoena application and IP list can be found here ( 1 , 2 , pdf)

From: TF , for the latest news on copyright battles, piracy and more.

After reporting on all things BitTorrent-related for the 13 years leading up to May 2018, TorrentFreak spotted something out of the ordinary .

BitTorrent Inc., the company founded by BitTorrent inventor Bram Cohen, and the owner of uTorrent, the world’s most recognized torrent client, suddenly had a new name. When asked about the change, Rainberry Inc. said it was a “corporate decision” not unlike the Alphabet/Google exercise.

Less than two weeks later, we were able to reveal that TRON founder Justin Sun was planning to buy BitTorrent Inc. Less than a month after that, Sun closed the deal with a reported offer of $140 million .

A shareholder quoted in a TechCrunch report revealed that one of Sun’s aims was to use the BitTorrent acquisition to “legitimize” TRON’s business.

According to a Securities and Exchange Commission announcement published a few hours ago, the plan failed in at least one key area. Most likely, many, many more.

Fraud: SEC Charges Justin Sun and Three Wholly-Owned Companies

Claims that the SEC had already opened an investigation into Sun’s business activities have been around for a long time. An extraordinary article written by Christopher Harland-Dunaway and published by The Verge last year left very little doubt.

In an announcement Wednesday, the SEC revealed charges against Justin Sun and three of his wholly-owned companies – Tron Foundation Limited, BitTorrent Foundation Ltd., and Rainberry Inc. (formerly BitTorrent Inc.) – for the unregistered offer and sale of crypto asset securities Tronix (TRX) and BitTorrent (BTT).

Sun and his companies were further charged with fraudulently manipulating the secondary market for TRX through extensive wash trading, described by the SEC as “simultaneous or near-simultaneous purchase and sale of a security to make it appear actively traded without an actual change in beneficial ownership.”

Alleged Crypto-Shill Celebrities

The SEC also charged eight celebrities for promoting TRX and/or BTT without disclosing they were being paid to do so.

Actress Lindsay Lohan, YouTuber/Boxer Jake Paul, DeAndre Cortez Way (Soulja Boy), and singer/songwriter Austin Mahone, are joined by porn actress Michele Mason (aka Kendra Lust), Miles Parks McCollum (Lil Yachty), Shaffer Smith (Ne-Yo) and Aliaune Thiam (Akon) on the SEC’s list.

The SEC’s complaint alleges that Sun and his companies sold TRX and BTT as investments via unregistered “bounty programs” that saw partners promote the tokens on social media while recruiting others to join Tron-affiliated Telegram and Discord channels.

Sun, BitTorrent Foundation, and Rainberry reportedly sold BTT in unregistered monthly airdrops to investors who purchased and held TRX in Tron wallets or on other crypto trading platforms. The SEC says that every offer and sale violated Section 5 of the Securities Act .

Fraud and Market Manipulation

The SEC alleges that Sun was also the architect of a scheme that sought to artificially inflate the volume of TRX on the secondary market.

During a 10-month period 2018/2019, Sun allegedly directed his employees “to engage in more than 600,000 wash trades of TRX between two crypto asset trading platform accounts [Sun] controlled, with between 4.5 million and 7.4 million TRX wash traded daily.”

Sun is said to have supplied a significant amount of TRX to facilitate the scheme while also selling TRX into the secondary market himself. These “illegal, unregistered offers and sales” reportedly generated $31 million.

Sun’s Stunts Slammed by SEC

“While we’re neutral about the technologies at issue, we’re anything but neutral when it comes to investor protection,” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement.

“As alleged in the complaint, Sun and others used an age-old playbook to mislead and harm investors by first offering securities without complying with registration and disclosure requirements and then manipulating the market for those very securities.

“At the same time, Sun paid celebrities with millions of social media followers to tout the unregistered offerings, while specifically directing that they not disclose their compensation.”

According to the SEC , six of those celebrities have already paid their way out. Lohan, Paul, Lust, McCollum, Smith, and Thiam agreed to hand over a combined $400,000 in settlements for their alleged roles in a magic bean business we called out almost four years ago .

From: TF , for the latest news on copyright battles, piracy and more.