At the same time that VPNs and other kinds of encryption are becoming some of web security's hottest topics, when it comes to file-sharing user data there is an elephant in the room. Many BitTorrent trackers, which pride themselves on having some of the best security around, are collecting and storing vast quantities of sensitive user data and almost none of it is encrypted. Is the time right for sites to take a fresh look at the way they handle data retention?

Which companies have access to my web browsing habits? Will the government peek at my emails? Who’s using the data mined from my Facebook activity and what will they end up doing with it in future? Are there really people out there who can monitor my every online move?

Until recently these were the kinds of issues pondered by those with an interest in Internet security and the very paranoid. In the post Edward Snowden world, these are things that are starting to matter to everyone.

Security is a pretty big issue among file-sharers for a number of reasons. Obviously there are many who would like to keep their activities private, but it’s common for file-sharers to be tech-savvy users who are generally more aware of online privacy issues.

Public v Private

By now, those using public BitTorrent sites should be well aware that their activities are, to put it bluntly, extremely public. At any time spies of all kinds can jump into a torrent swarm and start gathering data. The most important pieces of data – times and IP addresses – can be scooped up in an instant and are often enough for trolls to start filing lawsuits.

Private torrent sites, on the other hand, offer a walled garden environment. They are often very hard to gain access to which means that generally speaking there are less spies and fewer chances of being monitored or busted – or so the anecdotes go. Truth is no one is sure how many undesirables may exist on these sites but it’s likely that very few sites will have a completely clean bill of health.

The public vs private security debate has been done to death over the years but what is not often discussed is how sites – private ones in particular – handle the data entrusted to them by their users.

When someone signs up to a site via invite they hand over both their email and IP addresses. Immediate checks are made – has this email or IP address been used on this site before? If so, in many cases the chances of getting account are already reduced to near zero. If there’s no match, the user making the application is in – congratulations.

This is where the fun starts and something less entertaining kicks in behind the scenes. You can buy a zero-logging VPN incredibly simply these days but the same cannot be said about private torrent sites. At every opportunity they log just about everything they can.

Private site logging

Obviously, a certain level logging is required for people to merely have an account. As a matter of course sites log their sign up date along with users’ email addresses, passwords and everything said in their forums. No surprises so far really.

However, sites also log every single torrent downloaded and every IP address used to do so. They log how much data was downloaded and how much was uploaded. Not only that, sites know which other users the downloads came from and to which users the uploads were sent and in what quantity.

Once this information is logged (often against hundreds of torrents per user), sites know all there is to know about their users, real-life identities aside. And the worrying thing is that in many cases the information is never deleted, even when users have left the site. So why is that the case?

The answer is simple – it’s all about keeping the site and its file-sharing ecosystem functioning in an optimal fashion.

Sites rely on users playing fair, such as sharing content in a way determined by the sites rules. When this breaks down so does the site, so site logs are used to weed out the bad players. These include those who damage the ecosystem by not doing their part or – heaven forbid – those evil users who try to cheat the ratio system.

Once these users are found (which is only possible by keeping detailed logs on the activities of all users) they are kicked out. However, their accounts are not usually deleted because they carry useful information which will be used to ensure that the same user doesn’t try to get back on the site in future. To combat these users many sites also ban the use of VPNs, which means that not even good users can enjoy the security they offer.

Logs can be used to keep the enemy out

Site logs are also used to hunt down the private tracker’s worst enemies – anti-piracy companies and those users who make a business out of buying and selling site invites. These two groups can be closely related, since when an invite seller offers his product in public, it’s possible that spies can pick them up for a few dollars and gain access to an otherwise private site in a matter of minutes.

So, as we can see, site logs are there to protect the health of the tracker. However, it would be an absolute nightmate if they fell into the wrong hands. While that doesn’t happen often, it does happen.

Just this week the UFC announced that it had targeted a site called BestFreeUFC and as a result has obtained the site’s database which includes email addresses, IP addresses, user names and chatlogs of individuals who have illegally accessed UFC events. UFC owners Zuffa say they will now go after the infringers.

The future – encryption?

So what can be done to increase site security? TorrentFreak spoke with a couple of admins who informed us that while they would prefer not to carry logs, they are essential for maintaining a healthy tracker and keeping undesirables out. Passwords on Gazelle trackers are encrypted, which is welcome, but currently no other data is encrypted as standard.

One admin told us he would like to add full encryption but from a technical perspective it would seriously complicate matters. Furthermore, much more grunt in both the software and hardware departments would be required, along with a fresh view of the entire situation.

So while email providers start adding encryption as standard and companies like Dotcom’s Mega have security built in from the ground up, the question now is whether private torrent sites will maintain their positions or continue as normal.

This might just be another case of citizens having to sacrifice some of their privacy in order to obtain a valuable service, or perhaps in the overall scheme of things, security is tight enough already…..