[Discussion] Mitigations to improve peers privacy

[Chocobozzz]

Hi :)

I would like to discuss the possibility (or not) to improve peers privacy (related to the IP) when using the bittorrent-tracker package, because there are some concerns about viewers privacy in PeerTube. I came to different possible mitigations, but since I'm not a BitTorrent expert I would like to have some feedbacks:

• Have a daemon (or something like that) announcing some torrents with fake IPs. People that would want to spy a specific torrent (with an announce), could not differentiate real peers than fake ones. They would need to connect directly to the peer to check if it is real one or not -> more work for the spy. And even with that, if they cannot connect to a peer, they would not be sure at 100% this is a fake one because some real peers cannot use P2P with WebRTC (network limitations).
• Modify the max announce peers limit to be very small (~10/20)
• Limit the number of announce requests by a specific IP per minute (for example limit to 5 announce per minute?)

Any thoughts on this?

Thanks <3

[DiegoRBaquero]

1. I don't like the first or see it as a reasonable solution.
2. Could be an option
3. Should be an option

my 2c

[Chocobozzz]

Thanks @DiegoRBaquero for the feedback. Could your elaborate why you don't like the first point?

[rigelk]

@Chocobozzz if I may elaborate on 1., this has been in place for quite some time at some of the major trackers and dates back to as early as 2008:

Polluting the evidence works like this. When a client asks for a list of peers who are downloading the same torrent, the tracker software automatically inserts several “random IP addresses” that are not in the swarm. They are based on existing sub-nets, but might be from people who may not even be aware that BitTorrent exists. This means that the evidence that’s being gathered by anti-piracy companies includes IPs that belong to people that were not downloading the movie or album they are accused of.

But that only works so long as there is no actual proof of the transfer. Protecting from the latter is more tricky, and − as far as I know − requires blocklists, which are already out of scope of this issue. A paper from 2012, The Unbearable Lightness of Monitoring: Direct Monitoring in BitTorrent, shows their efficiency leaves much to be desired (~68% efficiency) but is very hard to maintain updated.

Anything beyond requires using a different protocol than BitTorrent. Apparently that's what some guy did in an obscure research in 2015, showing only a low percentage of nodes are actually initiating a content transfer so as to prove the client is authentic. Interesting but out of scope.

[iamhansen]

Option 1 has been implemented in opentracker. I think it should be added because no one is being stopped to just put in a script that announces the visitor's ip to an info hash that an antipiracy corporation is monitoring.

[kelu1018]

Hello @Chocobozzz , in a research project on alternative video streaming platforms to YouTube we investigated PeerTube. The goal was to find an alternative to Youtube to include videos on our university website. This is mainly done for data protection reasons. Videos should be made available to the user without him being tracked directly and without his consent. We did a lot of research on PeerTube and P2P and tried to take measurements to find out IP addresses of individual peers. In our understanding, this should be possible with the Webtorrent technology used at PeerTube. In our measurements with Wireshark and other programs, however, we only succeeded in identifying the servers/hosts through which a P2P connection is established. We could explain this by the fact that the Webtorrent Tracker does not pass on the IP addresses of the users. We have read here: https://github.com/yciabaud/webtorrent/blob/beps/bep_webrtc.rst. However, the diagram ends after "connection established", which would be the interesting part for us. Could you explain to us how PeerTube connects here and why we can't see the IP addresses of each user? According to the diagrams in this video https://framatube.org/videos/watch/217eefeb-883d-45be-b7fc-a788ad8507d3 this should be possible. For the users of our website it is of course very good if the IP address is not so easy to find out while watching a video on PeerTube. We would like to understand this in detail and be able to explain it better to the users (also regarding the security mechanisms of PeerTube). We look forward to hearing from you to improve our understanding of PeerTube and help spread the technology. Thanks!

[Chocobozzz]

@kelu1018 I'm not an expert in the webtorrent protocol, but I think you are able to find the IP address in the SDP offer (between tracker and peer 2). Tracking users using webtorrent protocol is harder than the classic bittorrent protocol, because the tracker does not send directly IP address to those who request them. But it's still possible if you seed a particular file: you just have to wait the SDP offer from the tracker.

For the users of our website it is of course very good if the IP address is not so easy to find out while watching a video on PeerTube

Users can already disable P2P in their settings, and I'll try to implement a disable P2P option in the future for instance administrators who don't have a lot of visitors and prefer to improve their users privacy.

[ghost]

@Chocobozzz Can you please update your first post, if I'm not wrong, 1. has already been implemented in PeerTube. Thank you.

[Chocobozzz]

This is just a discussion, not a checklist of things implemented in PeerTube.

[ghost]

ah, and i only now noticed that this is the wrong repository, so i deleted my previous comments.

[github-actions[bot]]

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?