fingerprinting traffic at ISP for big content

[Dave Howe]

John Case wrote:
> Recent events related to "big content" pursuing individual file sharers
> based on ISP logs are _very interesting_.
> 
> My first thought is that this usage is tracked via filename - you are
> guilty until proven otherwise if bittorrent traffic indicates a filename
> that matches [Hh][Uu][Rr][Tt].[Ll][Oo][Cc][Kk][Ee][Rr].

Its complex. the surprising and short answer is - bit torrent traffic
does not have *any* file names; the torrent descriptor file contains the
file layout, individual file hashes, and an overall hash that is used to
reference the torrent in communications (in fact, no torrent client will
talk to you unless you reference a file hash it is currently holding
"live", either for download or seeding).

Alternative distributed peer locating systems and "trackerless" cloud
torrents have a secondary system for handling this information, but move
the actual data using the torrent protocols. You also get "private"
trackers, who require a unique registered token per registered user
before they will share peer information. Most of these prohibit
alternative peer finding mechanisms, which is good, but conversely also
track which torrents users have uploaded and how much (in bytes) which,
given those logs are kept, is potentially a goldmine for anyone wishing
to link interest in a given file to a list of people who have
"distributed" it in part or whole.