If Private Trackers Aren’t Then What Are They?

It’s a fact of life it seems. Find any news article about bittorrent sites being closed down, blocked, someone getting in trouble for using one or just notices, or a new client comes out; at some point in the comments you’ll get at least one comment of this kind.

private trackers 1

It’s all crap.

Seriously, it’s crap.

The whole term ‘private tracker’ is a misnomer, designed to mislead you. There’s nothing private about it at all. It’s actually a quite deceptive piece of marketing, that came about some 9 years ago, and it’s usage is quite correct, though not what most people understand. Here it is in a nutshell.

The term ‘private’ has nothing at all to do with any privacy, but is all about DHT.

Understand? Well, if not, relax, I’ll explain in more detail.

When bittorrent first started, trackers were everything. Most could only handle ten thousand or so peers, so there were lots of small trackers out there. One day, someone decided that a closed community tracker setup might be better. So they set one up.

Now the way they figured to do that was by IP. You logged in, the system noted your IP address, associated that with the account you logged in with, and thus allowed you access to the tracker. If you had a seedbox (very rare) you had to contact a staff member to have that box IP added to your account.

It kinda worked, especially given the clients at the time. The whole ‘keys’ system used nowadays wasn’t commonly used (in fact I don’t recall any example) in those early years, because processing keys was an extra load on trackers. To give you an idea of the kind of load issues trackers had back then, the Youceff tracker banned client scrapes (the name given to getting the stats of seeds and peers) so that it could handle 40% more peers, going up to around 200,000, which made it one of the bigger trackers at the time. The system already used IP addresses, so it was a natural fit.

So what happened? Well, in short, DHT happened, with DHT that wouldn’t work anymore. So they moved fully ontot he passkey system (which some had already started to use, mainly because of seedboxes). But it still didn’t stop the ‘threat’ of DHT ruining their nice data logging.

So they pushed for a flag. This was a simple binary flag in the data section of the torrent, so when set it would alter the hash. Thus two otherwise identical torrents, but one with the flag and the other without, would have radically different SHA1 hashes.

A client would see the flag, and disable DHT, and PEX (and Local peer discovery if it had it) for that torrent. The flag was called ‘the private flag’, because it didn’t announce itself on DHT.

Thus all torrents with the flag set were called ‘private torrents’ and the sites that dealt with them, ‘private trackers’.

Simple

Now, there’s still a lot of ignorance and hysteria about this, especially from the admins of such sites. You’ll see many still saying ‘you have to disable DHT in the client or we’ll ban you because it leaks’.
Utter Crap. It’s just a power trip (same with the massive client blacklists – that many clients have issues with your tracker, it’s your tracker that’s at fault)

There was ONE client that had issues with the flag, and even then it was blown out of proportion. BitComet 0.60 would ‘failsafe’ if the trackers listed failed a number of times, and the flag was set. I think it was 4 times (or 20 minutes) with the tracker failing and it would enable DHT for the torrent for that session. Perfectly reasonable you’d think, especially since it requires the tracker to go offline.

Of course, if anyone wanted to they could just use the hosts file to make it seem like it’s offline by pointing it to an invalid address, but unless someone else who is a member also does it, you’re not going to find anyone anyway. It is, in fact, the exact same issue with changing the tracker address to point to another tracker (also via the hosts file) or adding another tracker. Every method of getting around it requires a member acting in concert to spread it, and even then you’d only get that one peer.

Basically the fear and ‘damage’ is vastly overblown.

So, what about the ‘privacy’ aspect?

Well, in short, there is no privacy aspectThese sites are businesses, and not a business that is focused on your privacy.

In fact, as far as ‘privacy’ goes, you have less than if you were on The Pirate Bay. The trackers typically used on ‘public torrents’ by necessity record very little information, but the same is not true of “private trackers”. In fact the sheer amount of data they collect it staggering. As well as the obvious of upload/download figures and torrent activity, there’s other things like your IP address (both browser and client), clients, and of course, email address, username and [hopefully salted and hashed] password.

But it’s all worth it, advocates say, because of ‘privacy’. Yeah…

Seriously, it’s often trivial for people who really want to, to get on these sites, especially if they want to pay, or have some leverage. Sites will often try and pay off copyright holders to keep a torrent on the site, even giving them ‘ratio’, but you can bet the torrent isn’t marked as such, and any users can be easily collected and prosecuted. It’s not like they’re going to report back to the site that often.

Then there’s the other risk – just who are you trusting to run the site anyway? How do you know that ‘ReallyCoolDude69’ that runs that site, is a guy that likes whatever the site covers, and not John Smith Esq. of Sue’em, Kwic & Howe, attorneys-at-law? Or that new moderator IM2Ys4U isn’t collecting evidence, just in case someone catches on, and he needs a bargaining chip?

You don’t. There’s not even any basic knowledge requirement for running such a site, which is why you have so many repeating myths about DHT, or ‘clients are bad’, when there’s nothing but ignorance and incompetence to fuel it.

And meanwhile, all that information is stored in a big database, ‘the Bittorrent PRISM’, available for anyone they trust (and thus to anyone they trust, trusts). It can show activity across multiple sites, and for months if needed. All you need to form the basis of a prosecution – civil or criminal.

Some companies, like MarkMonitor, have made claims about their detection technologies. They’ve claimed the ability to get multiple hits on the same account, across a time period, which sounds hard, until you realise how easy it is to do with this system.

It was already fairly easy to do without this system on so-called ‘private sites’, mainly by exploiting their nature. Even the biggest is only a few hundred thousand peers total, and not all go for any specific torrent. So, pick a fairly unique series of related torrents, say a ‘quite’ popular TV show, and monitor all the IPs on it. The next week, do the same again. For more accuracy, do so for more weekly periods. Eventually you’ll have a list of ‘regular’ users. If you’ve logged client details it’s even easier, as you sort each batch by ISP. Since the swarm is constrained to members, there may only be a few (say 5-10) members from a particular ISP or region, so focus there. Now crosscheck with client versions, and even if the IP’s changed, you’ve got good odds of the same people.

In fact, the IP changing boosts the case, as you could claim misidentification, but multiple hits, on multiple occasions, to different IPs each time coming back to the same account – It’s going to be VERY difficult to convince anyone that they picked up your IP at random, or as a mistake on multiple occasions.

This doesn’t work so well with public torrents, where there is less of a constraint on usage, although it’s still possible. The larger swarms possible for public torrents also mean they’re more likely to miss you sometimes.

So there’s absolutely nothing ‘private’ about these sites, what should they be called? Well, pre-DHT they were known as ‘registration trackers’, but they’ve gone far beyond that now. So we need a more appropriate term. Given the monitoring and sharing of activity, there are several possible answers, all variants on a theme, but my preference is this

Activity Logging Trackers

Of course, the big problem is that that name undermines much of the ‘perceived value’ of these sites, so their cheerleaders will continue to try and push the name, but now you know it’s a lie. So do yourself, and your friends a favour, don’t call them “Private Trackers” any more, call them ‘Activity Monitoring Trackers’.

Because Friends don’t let Friends be deceived about security.