It was a Linux ISO, officer —

Downloading Ubuntu via BitTorrent gets Comcast customer a DMCA warning

Put down your pitchforks—it looks like the DMCA warning was bogus.

This week, Redditor u/NateNate60 got a nasty surprise in his inbox—a DMCA infringement warning from his ISP, Comcast Xfinity. The notice warned him that Comcast had "received a notification by a copyright owner, or its authorized agent, reporting an alleged infringement of one or more copyrighted works."

The strange thing about this warning was the "infringed work" in question: Ubuntu 20.04, which is free to redistribute by any means desired. Adding insult to injury, the hash listed on the notice is the same one associated with Canonical's own torrent for Ubuntu 20.04.2—u/NateNate60 was getting dinged for torrenting an unmodified copy of an open source operating system.

DMCA, P2P, and you

Typically, DMCA infringement warnings are sent as a result of an ISP customer using BitTorrent to acquire media or software illicitly. While the customer is attached to the swarm, their public IP address is advertised—this allows other members of the swarm to request pieces of the files being torrented from that user.

Rights owners and "authorized agents" can connect to an illegitimate swarm themselves, harvest the IP addresses of all parties involved, and send DMCA takedown notices to the ISPs responsible for those IP addresses.

The ISP uses this information to send a warning to the customer who had that public IP address at the time, and things proceed from there. If the customer continues triggering DMCA takedown notices for long enough, the ISP will eventually begin escalating from warnings to service suspensions—or even an outright ban.

A distinct odor of rodent

Ars reached out to u/NateNate60, Comcast Xfinity, and OpSecSecurity, the anti-piracy firm that allegedly sent the DMCA takedown notice to Xfinity in the first place. OpSecSecurity was the first to respond and categorically denied having sent the notice:

OpSec Security’s DCMA notice sending program was spoofed on Wednesday, May 26, 2021, by unknown parties across multiple streaming platforms. The content in question all appears to be Ubuntu Linux ISO. We have incontrovertible evidence that proves these DMCA notices were not perpetrated by or originated with OpSec Security. OpSec’s enforcement efforts are occasionally spoofed by a third party in an attempt to damage OpSec’s reputation. These attempts are easily identifiable and easily disproven.

We are notifying the appropriate authorities about this incident.

Ars asked OpSecSecurity to expand on its incontrovertible evidence, but we received no further reply. It took a little longer to get an answer from Comcast. The representative we spoke to was aware of the issue, by way of u/NateNate60's original Reddit post. Unfortunately, the screenshot u/NateNate60 took was heavily redacted—too heavily redacted for Comcast to easily look up the incident.

We asked Comcast to search for any DMCA warnings sent associated with the hash listed as "Infringing Work" instead—if possible, this would get us closer to the bottom of the story one way or another. Any such warning would either be a bogus takedown for downloading Ubuntu or would demonstrate that a (very unlikely) hash collision had taken place and that the Ubuntu torrent shared a hash with a torrent for something unrelated.

Comcast's team found no evidence of sending a DMCA warning associated with the hash in question—but the search effort was seriously hampered by the lack of an associated case number.

Who spoofed what, and to whom?

Since OpSecSecurity says it was already aware of its DMCA notice-sending program being spoofed "by multiple unknown parties across multiple streaming platforms," it seems safe to take u/NateNate60 at his word—that is, he got what appeared to be a DMCA warning from his ISP concerning his download of Ubuntu 20.04 via BitTorrent.

Comcast probably did send the DMCA infringement warning, even though its team wasn't able to find it. It wouldn't be hard to spoof Comcast's warning, and most people don't know how to check an email's headers for authenticity—but it seems unlikely that anyone but Comcast would have been able to discover u/NateNate60's email address in the first place.

This leaves OpSecSecurity's explanation as by far the most likely—rather than the "spoofed notice" being sent directly to u/NateNate60 by the attacker, it was most likely sent to Comcast, which passed the warning on in accordance with its DMCA policy.

Update: Ars was able to review the headers of the email from Comcast to u/NateNate60, and confirm their authenticity. The DMCA warning he received did come from Comcast, not a third party.

DMCA counter-notices

The standard procedure upon receiving a fake DMCA infringement notice—such as a notice claiming you don't have the right to download Ubuntu—is to file a DMCA counter-notice. Comcast outlines the procedure in its DMCA policy:

If a user receives a DMCA notification of alleged infringement and believes in good faith that the allegedly infringing works have been removed or blocked by mistake or misidentification, then that user may send us a counter notification. When we receive a counter notification that satisfies the requirements of the DMCA, we will provide a copy of it to the person who sent the original infringement notification... all counter notifications must satisfy the requirements of Section 512(g)(3) of the U.S. Copyright Act.

This sounds pretty straightforward—but there's a catch. Section 512(g)(3) states that a valid DMCA counter-notification must include the subscriber's name, address, and telephone number. Up until this point, the ISP's customer is shielded from the copyright claimant; all the claimant has is the subscriber's IP address, which is insufficient information for the claimant to file suit against the subscriber.

Filing the counter-notice, unfortunately, means identifying yourself to the claimant in full. A particularly wily and unscrupulous third-party copyright enforcement agency could theoretically use a fake DMCA infringement warning as a sort of Trojan horse—getting the subscriber's legal identity via the obviously bogus warning and then using it for litigation regarding an unrelated swarm that the same subscriber had also been part of.

Listing image by SOPA Images

Channel Ars Technica