If Private Trackers Aren’t Then What Are They?

It’s a fact of life, it seems. Find any news article about bittorrent sites being closed down or blocked, about someone getting in trouble for using one or just receiving notices, or about a new client coming out; at some point in the comments you’ll get at least one comment of this kind.

[Image: private trackers 1]

It’s all crap.

Seriously, it’s crap.

The whole term ‘private tracker’ is a misnomer, designed to mislead you. There’s nothing private about it at all. It’s actually a quite deceptive piece of marketing that came about some 9 years ago, and its usage is technically correct, though not in the way most people understand. Here it is in a nutshell.

The term ‘private’ has nothing at all to do with any privacy, but is all about DHT.

Understand? Well, if not, relax, I’ll explain in more detail.

When bittorrent first started, trackers were everything. Most could only handle ten thousand or so peers, so there were lots of small trackers out there. One day, someone decided that a closed community tracker setup might be better. So they set one up.

Now the way they figured to do that was by IP. You logged in, the system noted your IP address, associated that with the account you logged in with, and thus allowed you access to the tracker. If you had a seedbox (very rare) you had to contact a staff member to have that box IP added to your account.

It kinda worked, especially given the clients at the time. The whole ‘keys’ system used nowadays wasn’t commonly used (in fact I don’t recall any example) in those early years, because processing keys was an extra load on trackers. To give you an idea of the kind of load issues trackers had back then, the Youceff tracker banned client scrapes (the name given to getting the stats of seeds and peers) so that it could handle 40% more peers, going up to around 200,000, which made it one of the bigger trackers at the time. The system already used IP addresses, so it was a natural fit.

So what happened? Well, in short, DHT happened, and with DHT the IP-based system wouldn’t work anymore. So they moved fully onto the passkey system (which some had already started to use, mainly because of seedboxes). But it still didn’t stop the ‘threat’ of DHT ruining their nice data logging.

So they pushed for a flag. This was a simple binary flag in the info section of the torrent (the part that gets hashed), so setting it altered the hash. Thus two otherwise identical torrents, one with the flag and the other without, would have radically different SHA1 hashes.

A client would see the flag, and disable DHT, and PEX (and Local peer discovery if it had it) for that torrent. The flag was called ‘the private flag’, because it didn’t announce itself on DHT.

Thus all torrents with the flag set were called ‘private torrents’ and the sites that dealt with them, ‘private trackers’.
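The flag described above is the `private` key in the torrent’s info dictionary (BEP 27). The following is an added example, not code from the original post: a minimal bencode encoder that computes the info hash of a constructed torrent with and without the flag, plus the peer-discovery decision a client makes when it sees it. The torrent contents and the `peer_discovery` helper are assumptions made for illustration.

```python
import hashlib


def bencode(obj):
    """Minimal bencode encoder (BEP 3) for ints, bytes, lists and dicts."""
    if isinstance(obj, bool):
        raise TypeError("bencode has no boolean type; use 0/1")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        # Dictionary keys must be byte strings and appear in sorted order,
        # otherwise two clients would hash the same torrent differently.
        body = b"".join(bencode(k) + bencode(obj[k]) for k in sorted(obj))
        return b"d" + body + b"e"
    raise TypeError("unsupported type: %r" % type(obj))


def infohash(info):
    """The info hash is SHA1 over the bencoded info dictionary only."""
    return hashlib.sha1(bencode(info)).hexdigest()


def peer_discovery(info):
    """What a flag-aware client enables for this torrent (assumed policy):
    with private=1, DHT, PEX and local peer discovery are all switched off
    and peers come from the listed trackers alone."""
    private = info.get(b"private") == 1
    return {"dht": not private, "pex": not private, "lpd": not private}


# Constructed single-file torrent: three bytes of payload, one piece.
BASE_INFO = {
    b"name": b"example.bin",
    b"piece length": 16384,
    b"length": 3,
    b"pieces": hashlib.sha1(b"abc").digest(),
}


def make_info(private):
    """Return the constructed info dict, with the private flag set or not."""
    info = dict(BASE_INFO)
    if private:
        info[b"private"] = 1
    return info


if __name__ == "__main__":
    for flag in (False, True):
        info = make_info(flag)
        print("private=%d infohash=%s %s" % (flag, infohash(info), peer_discovery(info)))
```

Because the flag lives inside the hashed region, the two hashes differ completely even though the payload is byte-for-byte identical.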

Simple.

Now, there’s still a lot of ignorance and hysteria about this, especially from the admins of such sites. You’ll see many still saying ‘you have to disable DHT in the client or we’ll ban you, because it leaks’.
Utter crap. It’s just a power trip (the same goes for the massive client blacklists: if that many clients have issues with your tracker, it’s your tracker that’s at fault).

There was ONE client that had issues with the flag, and even then it was blown out of proportion. BitComet 0.60 would ‘failsafe’ if the trackers listed failed a number of times, and the flag was set. I think it was 4 times (or 20 minutes) with the tracker failing and it would enable DHT for the torrent for that session. Perfectly reasonable you’d think, especially since it requires the tracker to go offline.

Of course, if anyone wanted to they could just use the hosts file to make it seem like it’s offline by pointing it to an invalid address, but unless someone else who is a member also does it, you’re not going to find anyone anyway. It is, in fact, the exact same issue with changing the tracker address to point to another tracker (also via the hosts file) or adding another tracker. Every method of getting around it requires a member acting in concert to spread it, and even then you’d only get that one peer.

Basically the fear and ‘damage’ is vastly overblown.

So, what about the ‘privacy’ aspect?

Well, in short, there is no privacy aspect. These sites are businesses, and not businesses that are focused on your privacy.

In fact, as far as ‘privacy’ goes, you have less than if you were on The Pirate Bay. The trackers typically used on ‘public torrents’ by necessity record very little information, but the same is not true of “private trackers”. In fact the sheer amount of data they collect is staggering. As well as the obvious upload/download figures and torrent activity, there are other things like your IP address (both browser and client), clients, and of course email address, username and [hopefully salted and hashed] password.

But it’s all worth it, advocates say, because of ‘privacy’. Yeah…

Seriously, it’s often trivial for people who really want to, to get on these sites, especially if they want to pay, or have some leverage. Sites will often try and pay off copyright holders to keep a torrent on the site, even giving them ‘ratio’, but you can bet the torrent isn’t marked as such, and any users can be easily collected and prosecuted. It’s not like they’re going to report back to the site that often.

Then there’s the other risk – just who are you trusting to run the site anyway? How do you know that ‘ReallyCoolDude69’ that runs that site, is a guy that likes whatever the site covers, and not John Smith Esq. of Sue’em, Kwic & Howe, attorneys-at-law? Or that new moderator IM2Ys4U isn’t collecting evidence, just in case someone catches on, and he needs a bargaining chip?

You don’t. There’s not even any basic knowledge requirement for running such a site, which is why you have so many repeating myths about DHT, or ‘clients are bad’, when there’s nothing but ignorance and incompetence to fuel it.

And meanwhile, all that information is stored in a big database, ‘the Bittorrent PRISM’, available for anyone they trust (and thus to anyone they trust, trusts). It can show activity across multiple sites, and for months if needed. All you need to form the basis of a prosecution – civil or criminal.

Some companies, like MarkMonitor, have made claims about their detection technologies. They’ve claimed the ability to get multiple hits on the same account, across a time period, which sounds hard, until you realise how easy it is to do with this system.

It was already fairly easy to do without this system on so-called ‘private sites’, mainly by exploiting their nature. Even the biggest is only a few hundred thousand peers total, and not all go for any specific torrent. So, pick a fairly unique series of related torrents, say a ‘quite’ popular TV show, and monitor all the IPs on it. The next week, do the same again. For more accuracy, do so for more weekly periods. Eventually you’ll have a list of ‘regular’ users. If you’ve logged client details it’s even easier, as you sort each batch by ISP. Since the swarm is constrained to members, there may only be a few (say 5-10) members from a particular ISP or region, so focus there. Now crosscheck with client versions, and even if the IP’s changed, you’ve got good odds of the same people.

In fact, the IP changing boosts the case, as you could claim misidentification, but multiple hits, on multiple occasions, to different IPs each time coming back to the same account – It’s going to be VERY difficult to convince anyone that they picked up your IP at random, or as a mistake on multiple occasions.

This doesn’t work so well with public torrents, where there is less of a constraint on usage, although it’s still possible. The larger swarms possible for public torrents also mean they’re more likely to miss you sometimes.

So, since there’s absolutely nothing ‘private’ about these sites, what should they be called? Well, pre-DHT they were known as ‘registration trackers’, but they’ve gone far beyond that now. So we need a more appropriate term. Given the monitoring and sharing of activity, there are several possible answers, all variants on a theme, but my preference is this:

Activity Logging Trackers

Of course, the big problem is that that name undermines much of the ‘perceived value’ of these sites, so their cheerleaders will continue to try and push the name, but now you know it’s a lie. So do yourself, and your friends a favour, don’t call them “Private Trackers” any more, call them ‘Activity Monitoring Trackers’.

Because Friends don’t let Friends be deceived about security.

  • x86disassembly

    If private trackers were not more private than ThePirateBay, I’d be banned from my ISP by now due to DMCA cease and desists. So to me that alone makes them more worth while, as a user.

    A dozen items I downloaded and seeded in the past 24 hours could’ve yielded at least 12 DMCA requests, and I know for a fact DO for US IPs on public torrent peer lists. That sounds good enough to me that I can download these without paying for a VPN or seedbox.

    I am sure law enforcement agencies are on these trackers, but as someone who just downloads and seeds that matters very little to me. What DOES matter to me is not losing my internet access because bots connect to the swarm and send automated DMCA takedowns to my ISP within seconds of me finishing a piece and becoming a listed peer on a PUBLIC torrent.

    I’ve been doing this for over a decade, and the only time I ever had a DMCA takedown was from a torrent I was on that was on a public tracker/website.

    This, along with the fact that hitting and running/leeching has consequences, is why me and so many others prefer private trackers.

    • ktetch

      A dozen items I downloaded and seeded in the past 24 hours could’ve yielded at least 12 DMCA requests, and I know for a fact DO for US IPs on public torrent peer lists.

      No, you don’t. You’re making a guess based on what you’ve been told.
      It’s absolutely not the case. Not even close.

      The instances of notices based on public trackers are still at the level of ‘being struck by lightning’, I know *that* for a fact, because it’s kinda my job to know.
      It’s the business of the people behind these activity logging trackers, to overstate and exaggerate the threats for not using them, overplaying the risk much like the companies that send the dmca notices. The reason is the same – to discourage people’s use of torrents (or in this case, public torrents).

  • docgerbil100

    Hi, Ktetch. 🙂

    This is a bastard-long reply. I apologise for this. I work for a living, when I’m not on holiday, so if you’re busy and can’t be arsed, I’ll understand. 🙂

    I’ve thought long and hard about private trackers, both now and in the past when they’ve come in for stick on TF articles or their comments. I’m not wholly convinced by what I’ve read. I don’t dispute the basic, objective facts of what you say – I’m sure you know vastly more about it than I do – but there are a few things about articles like this that seem… well… a little ‘off’, for want of any better way of putting it.

    Just so I’m clearly understood, nothing here is meant as any kind of personal attack – please don’t take it that way. I don’t know you, except through what I’ve seen of your writing. You don’t seem like a bad sort, generally. I’m also quite capable of being totally wrong about a seemingly-infinite number of things. So.

    – – – – –

    To start with, whenever the subject comes up, I get the overwhelming impression that this is something with a lot of emotional baggage behind it. Perhaps I am reading more into the matter than is actually there, but what you’ve written seems motivated only partly by impartial, journalistic interest and as much by personal dislike for private trackers. I’m inclined to guess that at some point, you’ve had proper, serious arguments about this – possibly with a great many people – and it’s left its mark: I may be quite wrong, but on this topic, I strongly suspect you’re something of a Mental. If so, I’ll have a lot more sympathy for what you’re writing if you write honestly and openly about it.

    I would also consider that level of emotional involvement to be something that needs a clear and explicit disclaimer, just as much as a source of professional or financial bias. Where it involves sites and site admins, etc, I would also be far more likely to value an honest accounting of such issues than what you’ve actually written. At the end of the day, people are an interesting and motivating story – especially if it’s your own personal experience – and machines are just its furniture, albeit furniture I find interesting.

    – – – – –

    I also note a surprising amount of deference on articles like this. For all that you seem happy to condemn private sites as a concept, you seem unwilling to even identify the sites involved, much less the admins. I assume this is to maintain good relations with the provider-side community, but it’s an obvious and incongruous omission and the absence feels wrong, just reading it, if that makes sense. The guilty should be named and shamed. A site that is allowed to bullshit its user-base, without explicit, authoritative, outside condemnation, is a site that has no incentive whatsoever to improve its behaviour. That’s not good enough for anybody, especially not me.

    Beyond that, there is a principle of professional ethics involved. One of the best lessons of the Snowden revelations is the fact that journalists really only come in two varieties: Real Journalists and Courtiers – and the price of being a Real Journalist is that you must sometimes rip the shit out of your friends as well as your enemies. Are you really no more than a torrent-site courtier? I have your site bookmarked. That means I want you to be better than that.

    – – – – –

    Regarding the technical issues, I’m not a coder or a network professional (I’ve knocked together a few office LANs and that’s about it) and I find it difficult to tell who’s right and who’s wrong.

    On the one hand, BT-client-writers should be an authoritative voice on what their clients are doing – but, more often than not, they (and by “they”, I really mean µTorrent’s developers) seem to go out of their way to completely deny even the existence of serious bugs – often blaming the user, the user’s connections, the trackers they’re on and the price of biscuits in Borneo – right up until they finally find the bug and release a fixed client.

    On the other hand, tracker-staff have no reason to blacklist clients, unless at least some of those clients actually are somehow misbehaving – but as you say, not all staff at private sites are technically competent, with a great many openly deferring to WhatCD’s acceptable client list – and while WhatCD is, frankly, a work of art in many respects, I have no way of telling whether their testing procedures are better than anyone else’s.

    Nothing I know helps me decide. It’s hard to push someone to do their jobs properly, when you’ve no idea if they’re doing it wrong in the first place. An independent, rigorous testing-system would seem the sensible way to resolve such issues, but I’m not aware of anyone of influence pushing for one, which is a shame.

    – – – – –

    Regarding privacy, I agree very strongly with you that sites shouldn’t be logging any more information than they need to do their jobs, much less sharing it around in such profligate and indiscriminate fashion. However, privacy issues are not a problem limited solely to private sites, as I’m sure you know. Writing as though this is only an issue for them seems like not much more than propaganda – and all that it does is make me want to question the accuracy and honesty of everything else you’ve written, which I’m sure wasn’t your intention.

    There’s also no reason why the likes of, say, John Steele can’t monitor and profile users on large public sites with just as much accuracy, given enough PCs, internet connections and modified BT clients. As a user, there is no reason at all for me to assume that open sites are any more trustworthy than private ones, other than blind faith that someone, somewhere isn’t throwing stupid money at the problem (or that the NSA / GCHQ won’t suddenly get involved, in which case we’re probably all shafted, no matter where we download from).

    Beyond this, I would like to know why we’ve never seen the obvious follow-up: we’ve read the articles about VPNs and what they log, so why do we never see equivalent articles about what individual torrent-sites (both public and private) are actually keeping and sharing? Even writing about a widespread refusal to co-operate with such a survey would be telling and at least as convincing as what I’ve read so far – and the few that did respond would find themselves in much better standing with users like myself.

    – – – – –

    Speaking of the NSA, in the wake of the Snowden revelations – and given that some government, at some point, is likely to sic its intelligence community onto us all big time – does any of this actually matter?

    – – – – –

    Last thing. I like private sites, or at least some of them. I would go so far as to say I’ve loved a few of them. I like big, comprehensive, carefully-curated collections. I like peers who actually keep and seed the obscure things I enjoy. I like the obscure things. I like the small, close-knit communities I tend to find on the right sites, with people I can talk to.

    I like public sites too, but not as much. There’s been some lovely ones, especially original Demonoid, one of the best communities I’ve ever been a part of. Most public sites, not so much. Too hard to find the precise things I want. Too many dead torrents. Too much noise. I have no voice in the vast and faceless crowd.

    Ktetch, if you wanted to build a torrent site that met both my needs and yours, how would it work? What can private sites do that will make them better for all of us? I would really like to know.

    Many thanks for your time, sir. 🙂

    PS: I hate the term ‘private tracker’ as well, on account of it being bullshit, but I’m not sure your replacements will gain much traction – at eight to ten syllables versus four, they’re a little too ungainly. I’m sure there must be something better. I shall think on it.

  • Pingback: DRM, the Private Flag, and BitComet | Politics & P2P