
Comcast to face lawsuits over BitTorrent filtering

Has Comcast shot itself in the foot? Lawyers are already circling in the water, and the company could be looking at a world of pain for its sneaky BitTorrent filtering.

Chris Soghoian
Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/.

The blogosphere is abuzz over an Associated Press investigative article this past Friday on the subject of Comcast's BitTorrent filtering. Briefly, there were a number of articles in early September which alleged that Comcast was using some fairly sneaky techniques to throttle BitTorrent traffic on its network. Comcast, of course, denied any such behavior. It took a month and a half, but both a mainstream media news organization and the Electronic Frontier Foundation have tested and confirmed the previously reported claims. It turns out that Comcast is not only throttling BitTorrent, but Gnutella and, strangely, Lotus Notes are also suffering.

Image caption: "If it ain't the truth...." (Credit: technochick / flickr)

Comcast's PR people gave me the following statement on Monday: "Comcast does not block access to any Web sites or online applications, including peer-to-peer services like BitTorrent...We have a responsibility to provide all of our customers with a good Internet experience and we use the latest technologies to manage our network so that they can continue to enjoy these applications." I was also able to interview a Comcast Internet executive who would only speak on background. He bobbed and weaved, sticking to his talking points, yet a few things were clear: he would not deny that the company was sending out TCP RST packets, but stated that if it were being done, it was at a "low level" where average users would not see it.

A Comcast engineer who spoke to the Tech Liberation Front's Tim Lee confirmed this, stating that "most users wouldn't even be able to detect the traffic-shaping activities they use without special equipment and training." On the subject of why the filtering is done networkwide and not just to individual bandwidth hogs: "Comcast (doesn't) throttle on a user-by-user basis rather than a protocol-by-protocol basis, (as the company is) concerned with the privacy implications of that approach." That's right, folks: Comcast will sell network wiretaps to the feds for $1,000 a pop, but won't calculate a user's total bandwidth per month for "privacy reasons."




When your ISP receives a spam e-mail, and deletes it without delivering the message to your in-box, it is blocking access to your in-box. (This is a good thing.) When you install a firewall on your home computer and someone else tries to connect to you from another network, your firewall software "blocks access" to that other party. The packets attempting to initiate a connection to your machine will either be silently dropped onto the floor, or in some cases, a rejection message will be sent back to the session initiator telling them that their connection attempt was refused.

Image caption: Comcast LolCat (Credit: Comcast and LolCat Buildr)

If Comcast deployed networkwide firewall rules that would drop any BitTorrent packets that came in and out of its network, Comcast would be "blocking access." However, it is not doing this, primarily because if it did so, the BitTorrent downloads of its customers would fail, and thousands of users would complain. Instead, Comcast is attempting to only target the sharing or uploading portions of BitTorrent, which are not nearly so noticeable for end users. Comcast will still see a significant drop in network traffic by targeting uploads, but is far less likely to suffer the wrath of its users.

So what is Comcast doing? It is letting BitTorrent traffic flow across its network, and thus is not technically "blocking" anything. Instead, it is forging TCP reset packets that are misleadingly labeled as being sent by one of the two ends of the BitTorrent connection. That is, Comcast is masquerading as its customers, and sending out data with false sender information. When the BitTorrent clients receive the false reset packets, they themselves terminate the connection, as they think the other host has told them to go away. Thus, through sneaky techniques and network-level false statements, Comcast is able to trick users' software into terminating their own transfers.
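How an endpoint can spot resets of this kind in its own packet capture, as an added example that is not from the original article or from the AP or EFF tests. It assumes two common heuristics that the article does not describe: a reset whose IP TTL differs from the claimed sender's earlier packets, and a "sender" that keeps transmitting after its own reset. The packets, addresses and ports are constructed.

```python
import struct

RST = 0x04  # TCP RST flag bit

def parse(pkt):
    """Raw IPv4+TCP bytes -> (direction key, TTL, TCP flags), or None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:  # not TCP
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (pkt[12:16], sport, pkt[16:20], dport), pkt[8], pkt[ihl + 13]

def suspicious_resets(packets, ttl_slack=2):
    """Indexes of RSTs that look injected by a third party (heuristic)."""
    seen_ttl, pending, flagged = {}, {}, set()
    for i, raw in enumerate(packets):
        parsed = parse(raw)
        if parsed is None:
            continue
        flow, ttl, flags = parsed
        if flags & RST:
            base = seen_ttl.get(flow)
            if base is not None and abs(ttl - base) > ttl_slack:
                flagged.add(i)      # hop count unlike the claimed sender's
            else:
                pending[flow] = i   # plausible so far; keep watching
        else:
            seen_ttl[flow] = ttl
            if flow in pending:     # "sender" kept talking after its own RST
                flagged.add(pending.pop(flow))
    return sorted(flagged)

def build(src, dst, sport, dport, flags, ttl):
    # Constructed 40-byte IPv4+TCP packet; checksums are left at zero.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, bytes(src), bytes(dst))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)

def sample_capture():
    """Constructed capture taken at host B; addresses are documentation ranges."""
    a, b, c = (192, 0, 2, 10), (198, 51, 100, 20), (203, 0, 113, 5)
    return [
        build(a, b, 51413, 6881, 0x18, 57),  # 0 data from A
        build(b, a, 6881, 51413, 0x10, 64),  # 1 ACK from B
        build(a, b, 51413, 6881, RST, 250),  # 2 RST "from A", TTL jumps
        build(c, b, 40000, 6881, 0x18, 49),  # 3 data from C
        build(c, b, 40000, 6881, RST, 49),   # 4 RST "from C", TTL matches
        build(c, b, 40000, 6881, 0x18, 49),  # 5 C keeps sending anyway
        build(b, a, 6881, 51413, RST, 64),   # 6 B's own reset, nothing after
    ]
```

On the constructed capture, `suspicious_resets(sample_capture())` returns `[2, 4]`; packet 6 is not flagged because its TTL matches B's earlier traffic and nothing follows it.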

Interestingly enough, were Comcast applying this same technique to e-mail, and falsifying the header information of e-mail messages, it would soon find itself violating the Can-Spam Act. That law states that "Whoever...materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages...shall be punished...with a fine...or imprisonment for not more than one year."

As for the idea that Comcast is using the "latest technologies" to manage its network--hogwash. The concept of forging TCP reset packets is at least 10 years old, if not older. Purdue professor Gene Spafford and a number of his graduate students developed a "synkill" system to defeat SYN flood attacks that used the very same technique, back in 1996.




What about the argument that Comcast has the right to "manage (its) network so that (all customers) can continue to enjoy (permitted) applications?" The tactics that Comcast is using are (1) probably a violation of its own terms of service, and (2) being applied blindly across the whole network, instead of targeting those "heavy users" who use a disproportionate amount of the company's bandwidth.

Comcast's own "terms of use" state that Comcast reserves "the right to refuse to upload, post, publish, transmit or store any information or materials, in whole or in part, that, in (its) sole discretion, is unacceptable, undesirable or in violation of (the) agreement." Thus, if Comcast wished to deploy networkwide firewall rules blocking all BitTorrent traffic (that is, such packets would be either dropped on the floor or rejected by the network's routers), Comcast would be perfectly within its rights as outlined in the agreement. Comcast would probably lose a large number of customers, but it would at least be acting legally and following its own published rules. However, Comcast is not doing that. Nowhere in its terms of service has the company stated that it reserves the right to impersonate its customers, and to send false and misleading data out onto the network originating from or addressed to its customers.

In addition to the BitTorrent filtering technique being discussed, Comcast uses other methods to keep the amount of data flowing over its network to a minimum. Customers who use more than their "fair share" of bandwidth will eventually be terminated. How much is too much? Comcast won't tell you.

While this latter method of network management is not so popular with the Slashdot crowd, it at least makes some sense, since it is aimed at those users who are using the most of Comcast's seemingly scarce resources. Comcast's BitTorrent filtering, on the other hand, is being blindly applied to the entire network. Users who download 10 gigabytes of data per day, and little old grandmothers who wish to share a 4.5-megabyte copy of the King James Bible (as the AP did in their test) will both equally be filtered. This is not a technique aimed at abusive overuse by a handful of users, but is an all-out war against particular networking protocols.

I discussed this issue with Fred von Lohmann, a lawyer with the Electronic Frontier Foundation. Von Lohmann stated that "based on (our) own testing, as well as what has been reported, it seems clear that Comcast's techniques are bad for its customers and bad for innovation generally. The fact that Comcast's efforts are reportedly interfering with BitTorrent, Gnutella and Lotus Notes communications makes it clear that they are not narrowly targeted at particular users or protocols."

Regarding the effectiveness of Comcast's techniques, von Lohmann said that: "It's as though they are throwing a spanner in the works of the Internet, hoping that this will somehow reduce bandwidth usage overall."

As I mentioned in an article last month, Comcast's tactics may very well be violating the law. Many states make it illegal for an individual to impersonate another individual. New York, a state notorious for its aggressive pro-consumer office of the Attorney General, makes it a crime for someone to "(impersonate) another and (do) an act in such assumed character with intent to obtain a benefit or to injure or defraud another." (See: NY Sec. 190.25: Criminal impersonation in the second degree). I do not believe that it would be too difficult to prove that Comcast obtains a benefit by impersonating others to eliminate or reduce BitTorrent traffic. Less torrent data flowing over its network will lead to an overall reduction in its bandwidth bill, and thus a huge cost savings.

With regard to Comcast's legal liability, von Lohmann said that he could not comment as he had not yet had a chance to review the New York anti criminal impersonation laws. He did, however, state that "(The EFF has) already been contacted by attorneys who are considering legal action against Comcast." In the meantime, the EFF will "continue to perform tests in hopes of better understanding how this works and how it might affect Comcast subscribers and other Internet users."

While the EFF is holding back for now, it seems clear that other lawyers are circling in the water. They can smell blood. Not only is Comcast actively impersonating its customers on the Internet, but it has continued to deny it for the past two months. Should the courts approve a class action lawsuit, Comcast could be looking at a world of pain--and rightly so.