Archive for the ‘piracy’ Category »
…Or Maybe They Do
On further investigation, it turns out that there is a reason for the DRM protection on Qtrax downloads… it’s just not to prevent piracy.
When a Qtrax-downloaded file is played, the WMA licensing notifies Qtrax of the act — so that they can divvy up advertising revenue from the site based on what people are listening to. Since the Windows Rights Management system lets them require a bit of netcode to be run when you listen to a song, this works.
However, it still won’t fix the existing problems with DRM — specifically, that non-DRM-enabled players won’t be able to play the files (they claim they’ll be offering iPod-compatible tracks, and worry about Apple blocking them, but there’s no word from them on how they’ll do this, since WMDRM tracks won’t play on iPods) and mobility between machines is difficult. People will still be motivated to rip the DRM off the tracks (thus breaking Qtrax’s tracking system) for convenience, or to turn to pirate downloads.
My guess is that Qtrax would prefer to pay labels based on downloads, not song plays, but the labels wouldn’t go for it, or just couldn’t stand the very concept of releasing unencumbered tracks for free no matter how much ad money they got.
If this was the way the labels had released music to begin with, I think consumers would have been happy with it. But now, after the history of DRM, I think the public perception of “bad juju” around anything DRM-encumbered may sink it. We’ll see, though — legal and free pulls a lot of weight with consumers.
So, there’s been a lot of news about Qtrax, a new music download service approved by the major record labels. It sounds like a good thing for consumers — a Songbird-based browser lets you select pretty much any song imaginable, including the entire catalog of songs available from iTunes, and download it freely and legally. Now, since it’s peer-to-peer, presumably not every song will be available at first, but they’re all licensed, so as soon as anyone makes them available they will be easy to acquire and free to download. (Though I don’t know for certain; it’s possible that Qtrax has its own server that will share out files if there are no other peers that have them.) The system is ad-supported, with Qtrax turning over most of the ad revenue to the labels in exchange for the licenses.
But here’s the weird part — all the downloads are Windows Rights Management-protected WMA files. There’s DRM on them; you are allowed to put them on a mobile device of your choice, but can’t spread them to other computers. This seems faintly ridiculous — they’re free. What does the DRM prevent you from doing? Copying your free files from one of your computers to another rather than having to pay the price of $0 twice? Giving your free files to others, rather than making them download them for free?
What this will really do is show that customers actually mean it when they say they hate DRM not because it prevents them from pirating media but because it simply gets in the way of how people use their music. For instance, I place all my music files (ripped from my own CDs) on a central server and then can access them from any computer in the house. With these DRM-protected files, I couldn’t do this; I would have to have a copy of the entire music library on every computer in the house, because each would have different DRM codes.
However, this also demonstrates that the record companies don’t understand how DRM works — they’ve set up the ultimate trusted client scenario. When you download a file, free, from Qtrax, you get both the file and the license key for it. Which means you can just run FairUse4WM (an easy-to-use, free utility) on the file and strip the DRM right off. It’s quick, easy, and instantaneous so long as you have the key — which on a Qtrax download, you do. If you give everyone the keys freely, DRM becomes completely ineffective. In fact, with their Songbird-based architecture, I bet you could even write a plugin for Qtrax that would strip the DRM off automatically using FairUse4WM as you downloaded files.
Anyone who actually wants to pirate music will figure this out. The only people who won’t are, of course, the legitimate end users who just want to listen to music on multiple computers and devices. For those users, getting unprotected music will mean turning to the Pirate Bay.
Updated: it turns out that there is a reason for the DRM, it’s just not to prevent piracy.
Broadband Steps Backwards
The recent news from broadband providers seems to be all about how to make their product less appealing to customers.
First of all, the AP reports that AT&T is still considering filtering backbone traffic. They say they’ve noticed the massive amount of copyrighted data being shared over P2P networks, and feel a need to do something about it — “It’s like being in a store and watching someone steal a DVD. Do you act?” However, I think it’s likely that this is not just AT&T having an attack of conscience (not exactly something Ma Bell is known for), but rather AT&T being pressured by the usual suspects, the MPAA and RIAA.
They’re looking at this as a security problem — how do we stop unauthorized traffic (piracy) while allowing authorized traffic? From this perspective, it’s tractable — the technology exists to do it, albeit clumsily (you either miss a lot of piracy or you throw out a lot of legitimate traffic.) However, this is more than a security problem — there are legal and business problems here that in my opinion should overwhelm the security concern.
I’m surprised that AT&T is actually considering it. Currently, AT&T is shielded from lawsuits over content carried over their network by having “common carrier” status — they do not discriminate based on content. If they begin discriminating based on content, they may cut down on music and movie piracy — but they also render themselves vulnerable to being held liable for what music and movie piracy does occur. Perhaps the MPAA and RIAA have offered to indemnify AT&T in exchange for its help with the filtering. There is another problem with filtering, though — AT&T’s Internet backbone lines carry a staggering amount of traffic, so any kind of filtering would of necessity have to be very rudimentary or the processing power requirements would be enormous. Essentially, they would have to do something like what Comcast did with the Sandvine system — just interfere with all BitTorrent (or other P2P) traffic, without making any attempt to differentiate between legal and illegal content.
Perhaps AT&T has another ulterior motive, though — P2P traffic is representing an increasing proportion of all Internet traffic, at this point more than half. If killing P2P would drop AT&T’s bandwidth requirements by 60% while not affecting their revenue, this would have to be tempting for the corporation.
The increasing amount of P2P traffic is causing another major Internet company to consider sabotaging their own business — Time-Warner Cable. Ars Technica reports that Time-Warner is considering switching to metered rates, where users pay different amounts based on how much bandwidth they are using. They’re undoubtedly considering this due to the public’s reaction to Comcast’s filtering of P2P traffic (outrage and lawsuits.) Cable companies are in a bind — they built their networks under the assumption that traffic is extremely asymmetric — many users send small amounts of traffic (requests, acknowledgments) to centralized servers which respond with large amounts of traffic. This made sense when almost all Internet traffic consisted of web pages, but P2P networks destroy this assumption, with each user uploading as much, or more, than they download. Essentially, with P2P everyone is a server, and the cable companies simply can’t handle this without massive, expensive upgrades to their entire infrastructure. Their problem is one of failure to plan — they didn’t see this coming, and spent billions of dollars in capital building the wrong network. Even without piracy, P2P would be an increasing proportion of Internet traffic today — the world has changed, and it won’t be changed back again.
On one hand, metered pricing is fair. Right now, the people who use P2P are getting their Internet connections below-cost — we’re unprofitable for the ISPs, who can only support us because the masses of people who do nothing but occasional web-surfing are so profitable that they subsidize P2P users and result in an overall profit for the ISP. ISPs can afford to offer “unlimited” broadband only so long as they can be sure almost no one will use it. With metered pricing, heavy users pay for their heavy use, and light users can pay less since they don’t have to subsidize the heavy users. On the other hand, there’s a problem — customers despise metered pricing, especially when they’re used to flat-rate. In the 90’s, phone companies experimented with metered local service, and it was outrageously unpopular even with people whose phone bills decreased as a result. Sure, they were paying less, but now they felt limited.
Switching to metered pricing will indeed save money. However, it will do so by driving away customers, starting with the unprofitable heavy users. Perhaps this is intentional — banks set up their fee structures to drive away unprofitable customers, too, so it’s not unprecedented. But in the long run, P2P use is increasing, and the old usage patterns are decreasing — if the networks don’t adapt to this, eventually they’ll have no customers left. Competitors like Verizon FiOS, which (due to a fiber-optic last mile) don’t need to limit upstream bandwidth and have been built in the modern P2P world, will kill off any network that tries to live in the past.
New Legislation: SAFE and PRO IP
There has been some controversy over two new security-related bills in the United States Congress right now: the SAFE Act and PRO IP.
The SAFE Act (Secure Adolescents From Exploitation Online; another case where the acronym almost certainly came first) aims to protect children and teenagers from exploitation by increasing enforcement of child pornography laws. Not, on the surface of it, a bad thing. The controversy comes from its means: it requires anyone operating an internet service to report not just actual child pornography, but also fully-clothed minors in “lascivious poses” (whatever that means) and any “drawing, cartoon, sculpture, or painting” consisting of an obscene depiction of minors. This troubles people for two reasons: first of all, due to the vagueness of what is prohibited (can you tell if a drawing, cartoon, sculpture, or painting is of a 17-year-old or an 18-year-old?), and second, because of the apparent requirement that providers monitor all their traffic in order to make these reports.
According to C|Net News, the monitoring requirement would apply to anyone providing an open Wi-Fi node, such as coffee shops, restaurants, and even homes that simply don’t choose to encrypt their Wi-Fi, in addition to social networking sites, web-based email providers, domain name registrars, etc. Were the bill interpreted in this way, this would place an impossible burden on any provider of connectivity — there is no automated way to scan the traffic of all your subscribers for vaguely-defined unlawful depictions of fictional minors, you would need to have a person manually inspect all the traffic, which is obviously impossible at any scale (not to mention a terrible privacy invasion.)
However, I think that this is an overly alarmist reading of the bill. It’s certainly not the author’s intent (indeed, Rep. Rick Lampson’s office has responded to the C|Net article) for the bill to apply to every small Wi-Fi provider, though author’s intent is often beside the point once a law is passed. More importantly, though, the bill does not mandate surveillance or detection at all — it mandates reporting if child pornography (or something that kind of sort of looks like it) is detected. In other words, it forbids finding out about illegal activity and looking the other way; it does not mandate actually looking for it. I think that Ars Technica has a much more balanced article about the bill. Overall, I think it’s feel-good “for the children” legislation that won’t accomplish much (ISPs are already required by law to report child pornography if they detect it, this just raises the penalties and expands the definition), and that prohibiting fictional depictions of children where no actual children are involved is a poor idea from a legal standpoint (since it is very open to abuse by subjective interpretations of judges, prosecutors, and jurors), but that this bill, if it passes — which is likely — will not impose a serious technical burden on service providers.
Meanwhile, the Electronic Frontier Foundation reports on the PRO IP Act (“Prioritizing Resources and Organization for Intellectual Property (PRO IP) Act of 2007” — doesn’t anyone ever just name a bill and then come up with the acronym anymore?), which aims to fight copyright infringement in the typical ineffective way, presumably to shore up the music industry’s failing business model. It increases penalties for peer-to-peer file sharing from their current ridiculous levels (which build animosity toward the recording industry via outlandish million-dollar damages levied against ordinary university students) to new even more ridiculous levels, while also creating a new $25 million federal bureaucracy to step up copyright enforcement.
Having a copyright system is important. However, you would think that by now the music industry would realize that if suing customers for $250,000 does not stop piracy, the problem is not that they’re not suing them for enough money, and stepping up the penalties will have no effect. People believe either a.) that they’re not doing anything wrong or illegal, or b.) that they’re extremely unlikely to get caught (this latter belief being true.) In order to change this, they’ll need to either offer a legal alternative that at least approaches the convenience and usability of illegal downloading (which you would think would not be a high bar — BitTorrent is not very convenient) and is affordable for broad categories of consumers, or they’ll need to decrease the penalties while increasing the percentage of people who get caught.
With regard to the former, coming up with a pricing model seems to be their stumbling block. Some customers buy several CDs a month, spending $100 or more on music. These customers would love a monthly-fee option, and would pay a substantial amount for unlimited downloads. Other customers buy one CD in a great while, and a subscription model is terrible for them — and thus they prefer individual song downloads like iTunes. All customers hate DRM, as it prevents them from using music in ways we now take for granted (e.g. playing on multiple devices.) What the music industry is doing now is akin to the government trying to win the War on Drugs by dropping defoliant in Colombia while doing nothing to reduce local demand — if the demand for illegal material exists, an infrastructure will spring up to fill it.
With regard to the latter, the recording industry faces a backlash when they impose penalties that vastly outstrip the perceived seriousness of the crime. People have an idea of what fair use entails, and anything you could do with a tape recorder in the 1980’s pretty much fits in that category. Thus, multi-million-dollar prosecutions of parents and students seem grossly unfair. However, people also know that “everyone” shares files, yet we only occasionally hear about these huge lawsuits, and thus people assume it won’t happen to them. The only people who believe they’ll get caught for file-sharing are those that already have. However, if being caught file-sharing leads to financial ruin, this must of necessity be only a very small percentage. If university students got caught by the thousand file-sharing and got fined $100 for it, they might consider legal alternatives a better option after a fine or two.
All this said, I think the future will eventually be in DRM-free downloads, and that that future will result in less profit both for recording companies (which may die entirely) and for hit artists (though it will result in substantially more profit for well-known local and regional acts, or less-popular national acts, which currently get almost nothing from the “star” system of the recording industry.) It’s understandable that the recording industry and the most-successful recording artists want to fight this future, but I don’t see any way that continuously stepping up penalties for actions taken by half the American population is going to do it.
As for creating a new federal bureaucracy to fight copyright infringement, having law enforcement involved in what is essentially a civil matter (as copyright should be) is always dangerous, because it eliminates risk and return from the equation. When something is a civil matter, the injured party must decide that it’s worth its while to pursue a given enforcement action. Industrial-scale piracy would certainly be worth a lawsuit; a university student running Kazaa probably isn’t. However, when the injured party can simply ask the government to use taxpayer dollars to go after infringers, then why not go after everyone? It doesn’t cost them anything; instead we get to pay for it.
DRM is a dead end; as a trusted-client problem, it is unsolvable. I think this “get tough” legislative approach is a dead end as well.
The Trouble with Copy Protection
SecurityFocus reports that a patch has been issued for a vulnerability in the Macrovision SafeDisc driver. Apparently, due to a flaw in how the driver handles configuration parameters (which probably means a garden-variety buffer overflow), it’s possible for a local user to use the driver to elevate privilege all the way to the kernel.
This sort of security flaw is a major problem with copy-protection drivers like SafeDisc; it is also the same basic issue that caused all the controversy over the “Sony Rootkit” of 2005. Fundamentally, the purpose of any copy-protection or DRM system is to protect data from the user. Thus, it is attempting to create a security boundary where none exists — to prevent the user, possibly a user with administrative privileges, from performing certain manipulations of data entirely under his control while allowing other manipulations (e.g. watching a film, playing a game, listening to a CD) to continue unhindered. The problem is that it’s just data — what copy-protection and DRM vendors are doing is the equivalent of my trying to write a book, with normal ink on normal paper, that you can read but not copy, even by hand. It can’t be done; there is no inherent difference between reading-to-read and reading-to-copy.
So instead, DRM and copy-protection vendors, like Macrovision, create a system that runs at a level of privilege above what the user can normally achieve — on a Windows machine, at least NT AUTHORITY\SYSTEM privileges, but often kernel mode drivers. This driver then sits, Big Brother-like, above the user, watching his activities, and preventing “illicit” operations. Meanwhile, while being immune to manipulations by the user, this supervisor must take orders from data — that is, Macrovision SafeDisc must be told by a game that it should check for copy protection and stop the game if it fails, while the Sony “rootkit” must be told by a CD that it should allow playing but stop copying.
Thus, the user’s computer is put into a rather odd state — the user doesn’t control it, a piece of supervisory code does. And if that piece of code is flawed (as it was in both the Macrovision and Sony cases), attackers can write malware that issues instructions to that supervisory code, imitating “protected” media.
If you’re a non-Administrative user (such as almost all Vista or UNIX/Linux users, but only a few Windows XP-and-before users), you are protected from running code that does certain potentially-harmful things to your system. You can’t write to the Windows directory, or modify installed programs, or register a driver. However, these copy-protection drivers supply an end-run around this protection — you can supply data to the copy-protection driver (after all, you have to be able to tell it to check up on you), which means that any malware you run can also supply data to the copy-protection driver. And since it runs with greater privilege than you, it can do all the harmful things you supposedly can’t. Copy-protection drivers, to make content more secure for the copyright-holder, make your computer less secure for you.
From a theory perspective, the problem here is that there is no security boundary (a line which code and data cannot cross without being subjected to a security policy), on a general-purpose computer, between an administrative user and all the data on the system. This is what the copyright-holders want, but it’s not really possible for them to get it. All of these systems can be circumvented by simply placing a new supervisor above the one added by the copyright holder (e.g. run the system in a virtual machine, or with a kernel debugger attached, or in the most extreme scenario, just walk through the code execution by hand, choosing to ignore instructions you don’t like until you get a fully unprotected data stream.) Thus, they fake it, in ways that make the system less secure, simply to make it more difficult for a nontechnical user to get the unencrypted stream. The result is a simple arms race between copyright-holders and hackers, which has a side effect of harming innocent users by making them increasingly vulnerable to malware.
Secure P2P for Pirates
According to a recent Reuters article, the unrepentant pirates of Sweden’s The Pirate Bay are working on developing their own peer-to-peer networking system. It turns out that this is a relatively fascinating security problem, even though in this case it’s the criminals needing the security, vs. the law-abiding companies trying to break it — a bit of a reversal, to say the least.
Currently, the Pirate Bay is probably the world’s most popular BitTorrent tracker for downloading pirated media, receiving 1.5 million unique visitors a day. With a quick trip to the Pirate Bay, you can quickly acquire any piece of music, any episode of any recent television show (usually within a couple hours of its first airing), any movie (generally while it’s still in theaters), etc. Membership is required to enforce ratios (i.e. ensure you upload as well as download), but is free and open to all. However, they’re unsatisfied with the BitTorrent protocol for a variety of reasons — chiefly the legal risk that their “customers” take. Downloading from the Pirate Bay via BitTorrent runs two risks — first, that a copyright holder will grab your IP address and send a cease-and-desist order to your ISP, or worse, a subpoena which under the DMCA in the United States could carry a fine of tens of thousands of dollars, and second, that your ISP itself will cancel your subscription for using too much upstream bandwidth. Comcast, in particular, is notorious for doing this without being willing to admit how much “too much” is, even as they cut you off for using it.
BitTorrent is an ingenious protocol. The idea is to prevent massive load on single servers for downloading popular files by ensuring that everyone who downloads the file also shares it with others, even as the download occurs. You don’t need the entire file to start sharing it — you register with a BitTorrent “tracker” (like The Pirate Bay) as working on a file, and all the other peers who either have or want that file are notified of your existence. Peers then communicate with each other, swapping whatever parts of the file they have for the parts they don’t. Thus, everyone’s upload bandwidth is being used at the same time as the download, unlike some previous P2P protocols. This is used for many legal purposes — for one, Blizzard’s World of Warcraft uses it to update the game, to get around the obvious difficulty of having about 4 million of its 6 million subscribers all trying to download a 450-meg content update on the same day. Thanks to BitTorrent, these updates go smoothly every time.
The problem, however, comes when the files being shared are illegal. In the United States, uploading copyrighted media can result in rather substantial fines and statutory damages, and the RIAA and MPAA are actively suing people by the thousand to get them charged. People want to download copyrighted media, so sites like the Pirate Bay exist. But RIAA and MPAA agents can connect to these trackers, too — they’re open to all — and the tracker shares everyone’s IP address with them. Since with BitTorrent, downloading and uploading go hand in hand, there’s no way to download copyrighted material without not only breaking the law but also advertising your IP to anyone who wants it. There are blacklists of known RIAA/MPAA peers that will protect a pirate from the most ham-fisted detection, but it would be trivial for the copyright holders to evade this sort of blocking. The Pirate Bay itself is largely immune to prosecution — they are located in Sweden, where copyright law subjects them to at worst a $300 fine every time they’re arrested (which has happened more than once.) For the most part, legal threats just amuse them. However, they’re concerned about their downloaders — as without people sharing files, they cannot exist.
In addition to the legal issues, there is the issue with ISPs. “Unlimited” low-cost home broadband survives because people generally use only the tiniest fraction of their upstream bandwidth. Comcast allocates me, and everyone else in my area, 384 kbit/sec. If I used this bandwidth to full utilization for an entire month, I’d have uploaded 118 gigabytes. This is actually quite a lot — by way of comparison, playing World of Warcraft 24/7 for an entire month would use only 1.2 megabytes, or 1% as much. This is fine by Comcast, because most of their users are only surfing the web, using only a few hundred kilobytes per month. If everyone used their entire allotment of 118 gigabytes, Comcast would have to raise rates tremendously — from the current $50 or so per month to probably 5 times as much (or more.) Compare business Internet rates (which assume you are hosting servers, and thus upload a lot) with residential ones (which assume you almost always download and upload very little) to see the difference. Instead, the many light users subsidize the few heavy users. BitTorrent, in which everyone helps take load off servers by uploading everything they download, often many times over, threatens this model — if everyone uploads, Internet rates will have to go way up.
Thus, ISPs often try to stop BitTorrent and other peer-to-peer systems. They use copyright as an excuse, but really, they don’t care about copyright — they care about cost. Your downloading costs very little. Your uploading to other customers on the same ISP costs very little. Your uploading to the Internet costs them quite a lot by comparison. The most primitive way they’ve tried this is simple port-blocking — they ban connections to the port TCP/6119 (BitTorrent’s default) on all their customers’ PCs. This doesn’t work very well — for one, it’s obvious (BitTorrent simply fails to function), and for another, BitTorrent doesn’t need to use any port in particular. Due to the tracker, other peers can find you no matter what port you choose, so simply changing the default in your BitTorrent client gets around this. Slightly less primitive is “traffic shaping” — the ISP slows traffic to the default port, or it inspects all traffic for BitTorrent headers and slows any packets showing them. (The latter approach is much more expensive for the ISP, since it requires a deep inspection firewall on all traffic.) Once again, changing port is easy. In addition, some BitTorrent clients have added a header encryption feature to evade traffic shaping — this limits which peers are usable (specifically, to only other peers that support the header encryption), but evades the traffic shaping. Comcast has recently been using the Sandvine intelligent traffic management system, which has caused some controversy since it actually impersonates the user and sends forged traffic on their behalf, in a further attempt to limit BitTorrent and other P2P traffic.
The above problems are inherent to BitTorrent, and at first, they seem inherent to all peer-to-peer systems. However, the buccaneers of the Pirate Bay have come up with a rather ambitious plan to improve on BitTorrent, developing their own protocol to better suit their needs. They’re still working on the specification (there’s a wiki up for suggestions), but I find the security and privacy issues they need to overcome interesting. At first glance, it seems the problems they must solve are the following:
- How can people upload pirated files without their IP addresses being detected by groups like the MPAA and RIAA?
- How can people hide the use of a file-sharing application so their ISP does not detect it and cut them off?
But that’s actually rather short-sighted, and the suggestions on the wiki seem to indicate that they’ve realized that, too. Creating a new peer-to-peer protocol to replace BitTorrent for pirates requires not looking at the current attacks, but rather at the threats themselves. The problem they really want to solve is simply to defend against these two threats:
- Legal prosecution for uploading pirated files
- ISP retribution for uploading large amounts of data
This is rather different! What they want to avoid is not detection per se, but rather the current consequences of that detection. In addition, they seek to address several technical/functional shortcomings of the BitTorrent protocol while they’re at it (such as that the tracker software does not scale to their traffic volume, and that upload bandwidth use in BitTorrent is suboptimal — many peers are not uploading anything.)
Right now, ISPs face no legal liability for transferring all this pirated media, since they are only content-indifferent carriers. Thus, a system that allowed users to also be content-indifferent carriers (i.e. sharing data they did not choose to download as well as the files they acquire on purpose) might provide some legal protection. The problem is that right now, users are from a legal standpoint sharing media they have, not simply transmitting media. Thus, a system of “reflector nodes”, where the aforementioned suboptimal bandwidth use instead has the empty bandwidth filled by data relayed from other peers might work. The ideal from an anonymity perspective would be onion routing, as performed by the TOR Project. Unfortunately, this causes a serious growth in bandwidth requirements for all peers — basically defeating the purpose of BitTorrent. Some balance must be found between true anonymity, as can be provided by a high-latency encrypted mix network with traffic-analysis resistance like TOR, and simple obfuscation, or even juggling around what is transmitted to be able to stick to the letter of the law while violating its spirit. No one would believe that pirates don’t mean to transmit pirated software, the mix network just makes it look that way, but it doesn’t matter if anyone believes it so long as they can’t prove it beyond a reasonable doubt in a court of law.
Avoiding ISP retribution is a bit harder. You can encrypt and use random ports, thus making detection impossible. However, this causes a problem — if everyone does this, and everyone uses P2P, then everyone’s Internet rates go up! This is hardly the desired outcome. An ISP administrator has contributed some novel suggestions regarding changing the protocol to help ISPs save costs. If the peer-to-peer system would deliberately prioritize other peers on the same ISP (ideally using WHOIS/ARIN data, though even simple CIDR subnets would help) for uploads, it could drastically reduce the ISP’s costs. Napster provides a good example — during their heyday, when Napster pirated transfers were killing college networks, they worked with universities to institute just this type of solution. The Napster client would look for other users at the same university to share with, only going to the Internet when this failed. This type of solution — not fighting the method by which ISPs hurt P2P but rather fighting its motivation — is bound to work better. It’s a good example of thinking about the threat, not about the particular vulnerability. In addition, it’s probably the only way to fight things like Sandvine (which, due to the way it works, can’t be stopped by a BitTorrent client unless it went to full encryption with all the negative effects that has — lightweight ways to evade Sandvine require patching the TCP/IP stack and altering RFC-mandated behavior, which is doable by people willing to hack their OS but not something you can just bundle into your P2P software.)
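The same-ISP peer preference described above, as an added example (not code from the Pirate Bay proposal, Napster, or any BitTorrent client): candidates are ranked same subnet first, then same ISP by CIDR match, then the rest of the Internet, and external peers are used only when nearer ones run out. The prefixes and peer list are constructed from documentation address ranges standing in for WHOIS/ARIN data, and the function names and the /24 and /64 subnet sizes are assumptions.

```python
import ipaddress

# Constructed sample data: RFC 5737 / RFC 3849 documentation ranges standing in
# for the prefixes an ISP announces (in practice taken from WHOIS/ARIN data).
ISP_PREFIXES = ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:aa00::/40"]

# Constructed tracker response, including entries a client must tolerate:
# a malformed string, the client's own address, loopback, and a duplicate.
TRACKER_PEERS = [
    "192.0.2.10", "198.51.100.200", "203.0.113.5", "203.0.113.200",
    "2001:db8:aa12::1", "not-an-ip", "198.51.100.23", "127.0.0.1", "192.0.2.10",
]

# Assumed size of the "same access subnet" neighbourhood per address family.
SUBNET_BITS = {4: 24, 6: 64}

SAME_SUBNET, SAME_ISP, EXTERNAL = 0, 1, 2


def _usable(addr):
    """Reject addresses that can never be a valid remote peer."""
    return not (addr.is_unspecified or addr.is_loopback
                or addr.is_multicast or addr.is_link_local)


def locality_tier(local, peer, isp_networks):
    """Classify a peer as SAME_SUBNET, SAME_ISP or EXTERNAL relative to local."""
    if peer.version == local.version:
        bits = SUBNET_BITS[local.version]
        home = ipaddress.ip_network(f"{local}/{bits}", strict=False)
        if peer in home:
            return SAME_SUBNET
    # Assumes a dual-stack client: an IPv6 peer inside the ISP still counts as
    # on-net even when the local address given is IPv4.
    if any(peer.version == net.version and peer in net for net in isp_networks):
        return SAME_ISP
    return EXTERNAL


def rank_peers(local_ip, candidates, isp_prefixes=ISP_PREFIXES):
    """Return [(tier, peer)] nearest-first; tracker order is kept within a tier."""
    local = ipaddress.ip_address(local_ip)
    nets = [ipaddress.ip_network(p) for p in isp_prefixes]
    ranked, seen = [], set()
    for raw in candidates:
        try:
            peer = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # malformed tracker entry: skip it rather than crash
        if peer == local or peer in seen or not _usable(peer):
            continue
        seen.add(peer)
        ranked.append((locality_tier(local, peer, nets), str(peer)))
    ranked.sort(key=lambda item: item[0])  # stable: ties keep tracker order
    return ranked


def pick_upload_targets(local_ip, candidates, slots, isp_prefixes=ISP_PREFIXES):
    """Fill upload slots with the nearest peers; go off-net only when needed."""
    return rank_peers(local_ip, candidates, isp_prefixes)[:slots]


def transit_share(targets):
    """Fraction of chosen targets whose traffic leaves the ISP's network."""
    if not targets:
        return 0.0
    return sum(1 for tier, _ in targets if tier == EXTERNAL) / len(targets)


if __name__ == "__main__":
    for slots in (3, 4, 5):
        chosen = pick_upload_targets("198.51.100.23", TRACKER_PEERS, slots)
        print(slots, "slots ->", chosen, "transit share:", transit_share(chosen))
```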
Another issue that the Pirate Bay has is with fake files. Sometimes, a user (either an RIAA/MPAA shill or just someone who likes being obnoxious) will upload a file of the approximate right size with a filename matching something new and popular (like a just-released movie or album) that contains no or bad data. With nothing but the filename to go on, users download the fakes, causing the seed count to go up and making the fake appear even more “realistic” on the tracker — and hundreds of gigabytes of bandwidth are wasted. Currently, the only thing to be done about this is to look at the uploader and ensure he is someone trusted, but identity is impossible to verify. Some sort of digital signature/PKI system would be very helpful here.
Overall, it will be very interesting to see what they come up with. Like all open-source projects, it may or may not actually get off the ground, and pirates are of course not well-known for their altruistic contributions. However, it’s not likely the BitTorrent creators (who don’t get any money from pirates) will work on these problems, so it falls to people like the Pirate Bay to try. Even if you don’t want pirated media, the resultant system could be useful for a host of purposes — the same technologies being used for fighting piracy and cutting ISP bills in the United States are used for hunting down dissidents and limiting free access to information in totalitarian nations. In addition, a sufficiently large peering system with deep storage and forced reflectors (i.e. people sharing data they did not specifically choose to download or share) could result in a sort of distributed information well in which any human knowledge could be stored for easy access and rendered almost indestructible. Criminals have been putting legitimate technologies to underhanded uses for centuries — an illegitimate technology can be put to beneficial uses as well.