Peer-to-peer (P2P) poisoning company MediaDefender suffered an embarrassing leak this weekend, when almost 700MB of internal company e-mail was distributed on the Internet via BitTorrent. The e-mails reveal many aspects of MediaDefender's elaborate P2P disruption strategies, illuminate previously undisclosed details about the MiiVi scandal, and bring to light details regarding MediaDefender's collaboration with the New York Attorney General's office on a secret law enforcement project. We have been reviewing the data for days and will have multiple reports on the topic.

MediaDefender specializes in file-sharing mitigation—practices that disrupt and deter infringing uses of P2P file-sharing networks. Music labels and movie studios pay the company millions of dollars to temporarily impede the propagation of new releases in order to compel consumers to pursue legitimate commercial distribution channels. MediaDefender accomplishes this task by using its array of 2,000 servers and a 9GBps dedicated connection to propagate fake files and launch denial of service attacks against distributors.

The e-mail was leaked to the public by a group that calls itself MediaDefender-Defenders. In a text file distributed with the mail, the group explains how the e-mails were obtained and why they are being distributed. Apparently, MediaDefender employee Jay Mairs forwarded all of his company e-mails to a Gmail account, which was eventually infiltrated. "By releasing these e-mails we hope to secure the privacy and personal integrity of all peer-to-peer users," writes the group behind the disclosure. "So here it is; we hope this is enough to create a viable defense to the tactics used by these companies."

It's not surprising that MediaDefender was targeted in this manner. The company was accused of using shady tactics earlier this year when BitTorrent community site TorrentFreak revealed that the anti-piracy company was surreptitiously operating a video upload service called MiiVi that offered high speed downloads of copyright-protected content. Critics accused MediaDefender of using the site to perpetrate an entrapment scheme, an allegation that the company has vigorously denied. MediaDefender founder Randy Saaf personally assured Ars that MiiVi was an internal project that was never intended for public use. Back in July when we covered the MiiVi scandal, we knew Saaf's story didn't quite add up, and now the general public has evidence that blows holes in Saaf's claims.

The MediaDefender e-mails leaked this weekend confirm beyond doubt that the company intentionally attempted to draw traffic to MiiVi while obscuring its own affiliation with the site. The e-mails also show that MediaDefender immediately began to recreate the site under a different name and corporate identity soon after the original plan was exposed.

The rise of MiiVi

Shortly after the public launch of MiiVi in June, developer Ben Grodsky e-mailed Saaf and his colleagues to inform them that the site was beginning to receive traffic. "We have some success! 12 people have signed up on [the] page. 7 have installed [the] app," wrote Grodsky. "This is from about 3,000 uniques from limewire redirects." Grodksy sent another user count status update a week later revealing that the site had drawn 19,000 unique visitors from LimeWire redirects. He also informed Saaf that his team was "working on putting Google Analytics all over MiiVi" in order to "better track what people are doing on the site."

MediaDefender went to great lengths to obscure its affiliation with MiiVi. "I don't want MediaDefender anywhere in your e-mail replies to people contacting Miivi," Saaf instructed company employees. "Make sure MediaDefender can not be seen in any of the hidden email data crap that smart people can look in." Grodsky and Saaf also began discussing new ways to drive traffic to the MiiVi site. "If we want more users, Dylan's eDonkey messages would get us a lot of Europeans that are a little bit older crowd," Grodsky wrote. "I would like it if our pictures were indexed with goggle [sic]. We need to get as much search traffic as we can," Saaf replied.

Developer Dylan Douglas also suggested some Google ranking improvement strategies. "We should come up with a bunch of keywords and a description for the hidden metadata entries to increase traffic," Douglas told the MiiVi developers.

In late June, Grodsky began considering ways to leverage the MiiVi client application infrastructure. "Do you think it would break a lot and take more time than its [sic] worth for the MiiVi application/installer also to act like Serge's Proxy client and spoof on eMule?" Grodsky asked Saaf. "We don't want to do this at this time," Saaf replied. "Good idea, but we don't want to give it a spyware stigma."

The disclosure

Chaos ensued at the company when TorrentFreak disclosed MediaDefender's affiliation with MiiVi in early July. "Looks like the domain transfer screwed us over," Grodsky wrote in an e-mail which also contained a link to TorrentFreak's article. "What needs to happen?! Do you want the server pulled?" he asked Saaf. "This is really fucked," Saaf replied. "Let's pull miivi offline." Shortly after the server was shut down completely, Grodsky sent a follow-up e-mail noting that the story was beginning to spread. He dutifully requested "damage control" instructions from Saaf and discontinued the LimeWire redirect campaign.

MediaDefender's damage control program went into full swing shortly after that. When Douglas pointed out that information about MiiVi had been added to the MediaDefender Wikipedia page, Saaf decided that he wanted it taken down. "Can you please do what you can to eliminate the entry? Let me know if you have any success," Saaf wrote. "I will attempt to get all references to miivi removed from wiki," developer Ben Ebert replied. "We'll see if I can get rid of it."

After a statement Saaf sent to Digital Daily was included in a blog entry, Saaf sent an e-mail to a handful of MediaDefender employees asking if it would be a good idea to post it to the Digg.com news site. He also suggested possibly having MediaDefender employees post comments. Referring to the Digg community, MediaDefender co-founder Octavio Herrera replied, "They aren't going to believe you."

MediaDefender developers also discussed ways to downplay the story or spin it to dull the impact. "If the major news outlets aren't interested in the story, I would take that as an indication that the VAST majority of people don't give a shit about this story," Mairs wrote. "However, if they do think it's worth writing about, we definitely want to get our side of the story in the mainstream media, so I think Randy's plan of going to the big tech media outlets is a good one. So far the story has only been on techie, geek web sites where everybody already hates us. If the story stays on these sites, we should let it die."

Saaf sent Mairs a private reply in response, expressing his personal opinion about the media backlash surrounding the spyware allegations. "Truth is I don't give a crap about most of this shit," Saaf wrote.

The resurrection

Despite the serious failure of MiiVi, MediaDefender decided to try again. "Looks like we'll just have to take 2-3 weeks of downtime and do some cosmetic work and relaunch," wrote MediaDefender employee Ty Heath in an e-mail to the MiiVi development team. "Plus creating another DBA (or better yet incorporating under a new name), getting a new domain, getting another Verisign certificate, getting a new IP range, etc.," Grosdky replied. In an e-mail titled "MiiVi redux," Grodsky asks Saaf if he wanted to "do the incorporating from scratch idea for the MiiVi replacement" instead of the doing-business-as arrangement used for MiiVi. "If so," wrote Grodsky, "I have no idea what the turn-around is on creating a complete corporate entity and we would need a name for the new corp."

Grodksy's first step was establishing a new mailing address using a mail service in Las Vegas. "I called the place (www.maillinkplus.com) and verified the name(s) on the box and the name(s) that receive the mail can be different from the name of the company that's paying by check. They also e-mail nightly if there's mail and someone on their staff inputs the FROM address on the envelope to a database that will show us when we login who we got mail from and then we can pick to have those article [sic] forwarded to us per item," wrote Grodsky. "Worst case scenario paranoia craziness, does anyone have objections with this mail box place being the foundation for all the materials that would have to do with the to-be-named MiiVi?"

One point that came up during MiiVi resurrection planning was the potential value of the traffic generated by the negative publicity. "We are leaning toward dumping the URL and just re-launching with a new URL? Are we being too hasty because you can't buy 1,000,000 pages linking to you in Google returns." Michael Potts, who works for MediaDefender parent company ARTISTDirect, suggested putting a link to the new site on a page at the MiiVi domain so that the new site benefits from MiiVi's high Google rank.

After an extensive naming discussion, MediaDefender finally decided to bring back MiiVi under the name Viide. In an e-mail to Potts, Grodsky wrote, "When you get a chance, we would love you to start taking a look at www.viide.com. That is the current home of our MiiVi site. We have totally locked-down the site, while we improve the look and feel from [what] the blogosphere saw."

The next step was purging Viide of all references to MiiVi before the official launch. "I'm not sure if you guys are planning on going live with the Viide domain name... but in case you are... you might want to remove all references of Miivi on the homepage of viide.com before it gets Googled or someone public comes across it," wrote former MediaDefender developer Tabish Hasan in an e-mail sent to the MiiVi development team. Development on Viide was ongoing in the most recent e-mails included in the leaked collection.

Providing data for use by law enforcement agencies

In the collection of leaked e-mails, there are several discussions with representatives of the New York Attorney General's office, including intelligence analyst Bradley J. Bartram and senior special investigator Michael G. McCartney. MediaDefender is in the process of devising a system that will enable the Attorney General's office to remotely access MediaDefender's data about P2P users. In an e-mail that McCartney sent to Mairs last month, the investigator explained that the matter was "being overseen by the highest members of [the] agency" and was considered somewhat urgent.

Although the full scope of the project cannot be extrapolated from the e-mails, the information available indicates that MediaDefender intends to provide the Attorney General's office with information about users accessing pornographic content. Other kinds of information could be involved as well. The e-mails clearly indicate that the data provided by MediaDefender was intended to be used for law enforcement purposes. In an e-mail to Mairs, Bartram says that the system must be specifically designed "to satisfy the legal and evidentiary requirements" before use.

"On your end, the peer-to-peer crawler will be identifying files matching the established search criteria from various hosts," wrote Bartram. "This data will then be collected, filtered for New York resident ip addresses (to the accuracy limits imposed by geo-query tech). The data will then be transferred to us where; on our end, a separate piece of software will use that data to connect into the network and download the file from a host and store it on our servers for evidence retention and further analysis."

It is not clear whether or not the project with the Attorney General's Office has any connection with the MiiVi project. At this time, we have not uncovered any substantial evidence to indicate that such a connection exists.

Some evidence in the e-mails indicates that the system devised by MediaDefender in collaboration with the Attorney General's Office was targeted by a hacker. "[A]n ip from, what appears to be sweden, connected to the server using your username, made two failed password entries and then disconnected 4 seconds after the initial connection," Bartram informed MediaDefender. "Considering the nature of the information being collected, I would like to restrict access as much as possible." McCartney followed up soon after with an e-mail to Grodsky and Mairs. "Is this one of your engineers? Because if not, this is very disturbing! Who ever [sic] this was obviously had the non standard port as well as your user name to attempt these logins," wrote McCartney. "This leads me to believe that your system is compromised and/or our communications were either sniffed or accessed providing this fella with much of the relevant information to attempt access. As of now, all out side [sic] access has been disabled until we can figure this out further."

It is possible that the individual who attempted to infiltrate the server is associated with the organization behind the MediaDefender e-mail leak. McCartney's concerns represent the only instance in the MediaDefender e-mails where anyone expresses suspicion that the messages are being intercepted and obtained by a third party.

Universal Music Group contract

One of the most informative documents included in the leaked e-mails is a draft of MediaDefender's confidential contract with Universal Music Group. The contract reveals exact details of MediaDefender's pricing structure and services and provides insight into which P2P networks the company is targeting. MediaDefender charges $4,000 for one month of protection for an album, and $2,000 for one month of protection for a track. Clients are also given access to MediaDefender's reports and statistical analysis. In the contract, the company claims that it "will perform Services against approximately twelve million" file-sharing users at any given time and will target the fifteen most popular P2P networks. Targeted networks include FastTrack, Gnutella, IRC, Usenet, DirectConnect, eDonkey, MP2P, Kademlia, Overnet, BitTorrent, SoulSeek, and Shareaza. The contract also provides detailed explanations of MediaDefender's efficacy testing practices.

Other odds and ends

There is simply too much information in the MediaDefender e-mails for us to cover in detail. We leave further analysis of the data as an exercise to the reader. We did encounter, however, a few other things worthy of note. There are detailed statistics that illuminate the efficacy of MediaDefender's file-sharing mitigation tactics and an extensive discussion of new techniques used by the company. The e-mails, unfortunately, also contain some highly sensitive financial information, including a spreadsheet with the salaries, Social Security numbers, and home addresses of individual MediaDefender software developers. There are also e-mails that discuss MediaDefender's competition intelligence activities, where they attempt to discover file-sharing mitigation tactics used by competitors like MediaSentry.

The e-mails contain information about the personal life of MediaDefender employees as well. One particularly ironic example can be found in an e-mail sent by Mairs, the MediaDefender employee whose technical ineptitude was ultimately responsible for the leak. "I was out of the office yesterday because my son stuck something up his nose and I had to take him to urgent care. I guess we know where he gets his smarts from ;)" The NBC Universal representative who received that e-mail replied sympathetically, "Haha. I hope it wasn't a crayon."

Conclusion

The cold war being waged between MediaDefender and P2P copyright infringers is rife with mutual deception, but one fact shines through all of the layers of obfuscation: MediaDefender consistently underestimates the ingenuity, resourcefulness, and dedication of its adversaries. In this case, it could cost the company everything.

Internet users are beginning to demand a higher level of transparency and accountability from companies that operate within the Internet ecosystem. Companies like MediaDefender that rely on secrecy and discretion unintentionally invite scrutiny by attempting to hide.

Although many of MediaDefender's innermost secrets have been laid bare by this leak, there are many aspects of the company that remain shrouded in mystery. The ultimate purpose of the MiiVi site, for instance, is still an enigma. In some ways, the information in these e-mails raises more questions about MiiVi than it answers. It is likely that many additional details about MediaDefender's operations will be disclosed to the public as new secrets are uncovered in the e-mails. The rate at which these e-mails propagate across the Internet may also stand as a testament to the difficulty of trying to stand between consumers and their torrents.