|Home » Learning Curve » Red Hat Diaries
Antipiracy Bureau Guilty of Data Intrusion
Infiltrators, black money, secret tactics - a typical workday for the copyright industry. By André Rickardsson.
Right after midnight 1 April 2009, the day IPRED went into effect, the investigators at the Swedish Antipiracy Bureau performed a dozen file downloads from an FTP server. This in order to get evidence that the files on that server were protected by copyright.
The evidence was found in the petition Peter Danowsky submitted to the court in Solna the following morning. The purpose of the petition was to get the court with the help of IPRED to force the Internet provider to divulge the identity of their account holder with the IP address used by the FTP server.
Danowsky claims his evidence points to 'widespread file sharing available to the public at large'. But I claim the opposite - that no file sharing has occurred and that the evidence actually proves the Antipiracy Bureau are guilty of data intrusion against a private FTP server as well as theft of a dozen files.
The Antipiracy Bureau petition claims that 'the intrusion shows, amongst other things, that these materials have been made available to the public at large. This has occurred on a large scale and through a single IP address. Our petition thereby outweighs the possible damages a raid would otherwise cause.'
But there's no support in the technical evidence for this. The only thing one can conclude is that the Antipiracy Bureau have in a way they refuse to reveal connected to a private FTP server and thereafter downloaded a dozen files.
According to the information I've received this FTP server is a private server which is password protected and for which users must obtain permission from the owner. The claim 'materials were made available to the public at large' is therefore false. There are no grounds for the petition inasmuch as no file sharing for the public at large has taken place.
The Antipiracy Bureau have in their zeal to avail themselves of the new IPRED legislation again used 'unconventional' methods in their hunt for file sharers. But in contrast to authorities who function under the watchful eyes of democratic checks and balances the players in the copyright industry do not have the right to use secret methods - even if they think they do.
The petition of the Antipiracy Bureau makes it clear they used their own computer to connect to the FTP server. But if my information is correct then the FTP server is not accessible to the public at large but rather requires an account and a password to prevent unauthorised visitors from gaining access.
How the Antipiracy Bureau gained access to the FTP server is not revealed. Or as Henrik Pontén put it: 'we never reveal our methods'.
Should the court accept this evidence based on secret undisclosed methods? In my experience secret methods in this context are usually illegal or highly questionable methods.
Access to a protected server can be achieved in several ways. The easiest way is to get permission from the owner. I however find it unlikely the Antipiracy Bureau got permission from the owner.
Another way is to hack into the server. I also find this unlikely because of the lack of IT competence at the Antipiracy Bureau. The most likely is that the Antipiracy Bureau have used an infiltrator to get access to an account on the server - one of the 'unconventional' methods the Antipiracy Bureau often use.
Peter Danowsky helped Sweden's Liberal Party investigate the data intrusion into the Social Democrats' network. He and the local copyright industry should therefore be well versed in the fact that it's a crime of data intrusion to use someone else's account to gain access to a protected server - even if one obtained the login information from a 'real' account holder.
'We have used infiltrators on numerous occasions and remunerated them for their work', Henrik Pontén told realtid.se.
If the Antipiracy Bureau did not have permission from the owner of the FTP server then their actions were not permitted and they are guilty of the crime of data intrusion. If this is the case then there's already ample evidence in black on white in the petition Danowsky submitted to the court in Solna.
Wouldn't IPRED have been more legally secure if there'd been a dissenting voice present in the court who could have offered objections to the petition and alternative interpretations to the supposed evidence of the copyright industry?
I can only hope the magistrates in Solna consider this and are able to deliberate impartially with respect to the facts - and not solely rely on Danowsky's uncorroborated claims.
André Rickardsson is a security consultant for Bitsec. Previously he was a consultant for the Swedish security police and the department of state.