Jul 29 2014

You’ve been reported … by an ad

Published by at 9:39 pm under Government,Malware,Risk

This looks like an interesting experiment; the City of London police have started placing ads on sites for pirated music warning that the visit to the site has been recorded and reported.  Called “Operation Creative”, this is an effort by the Police Intellectual Property Crime Unit (PIPCU) to educate people visiting sites that offer pirated music and videos that it’s illegal and could result in prosecution.  As if anyone who visits a pirate site didn’t already know exactly what they were doing and what the potential consequences are.  The City of London police call it education, though intimidation might be a better word for what they’re actually doing.

The folks over at TorrentFreak are concerned with the fact that they couldn’t get the actual banners to show up.  They created a story out of what they could get to, ads for music sites that have reached agreements with the RIAA and music labels.  While this is interesting, I’m more concerned with what the results of this type of ‘education’ will be.

Let’s be honest in saying that anyone who’s using a pirate site has a pretty good idea of what they’re doing.  So the police banners aren’t going to be educational, they’re attempts to make users believe that their IP addresses has been logged for future prosecution.  While they don’t come out directly with the threat, it is implied using the word “reported”.  And who’s to say that the ad network they’re using to supply the ads isn’t using a cookie to gather IP addresses as well as various other information as well.  This definitely sounds more like a threat than most forms of education I’m familiar with.

The problem I have with this PIPCU exercise isn’t the intimidation, but rather the unintended consequences of it.  Scary warnings that the user is doing something illegal aren’t new and in fact have been used by malware authors for a long, long time.  Scareware saying the FBI is going to come knocking at your door for visiting illegal websites is a common tactic, it’s just whether they’re telling you you’ve been to porn sites with underage models or pirate sites to download music that change.  I’m certain the same groups who send these notifications already have fake ads telling users to “pay a fine of $500 or we’re coming to your house”.  If they aren’t in the ad networks, they definitely send out spam to users with the same messages, often using the same exact graphics and messages as official police web sites.  

Rather than discouraging the average pirate site user from visiting the site, this police effort is likely to create the illusion that such scareware ads might be legitimate in the eyes of the user.  In other words, while there might be some impact on the number of people using pirate sites, it’s more likely this will increase the amount of fraud perpetrated against those same users, since it’ll be hard to tell if the warning is really the police or not.  The music companies are probably perfectly happy with this as an outcome, but I doubt the police will enjoy being used as a method for increasing fraud against anyone.

My second concern is less about the fraud and more about the futility of the exercise.  Brian Krebs recently wrote about services that allow an organization to click on banner ads in order to drain the money spent on those ads.  In other words, you pay a service to click on your competitor’s ads without giving them anything of value, using up the money they paid for those ads as quickly as possible, with little or no return.  I see no reason some of the more technically savvy users of pirate site wouldn’t create scripts to do exactly the same to the police.  How hard would it be to use VPN’s or Tor in order disguise IP addresses and hit the same ads again and again?  In theory there are likely to be defenses in place to stop this type of targeted ad attack, but it’s possible to overcome any defense if you have a motivated attacker.

I’m purposefully not addressing the ethics of pirating music, nor am I addressing the efficacy of an outdated business model such as the music industry.  I’ll leave it to someone else to argue both sides of that argument.  What I’m concerned with is the how effective the efforts are going to be and what the consequences of those efforts.  Does the PIPCU expect their ad campaign to have a direct effort on piracy or do they realize this is a futile effort?  Have they thought of the negative consequences their efforts will have with regard to fraud?  Or is this simply an effort to be seen as doing *something* by the recording companies and the public, no matter how negligible the positive outcomes might be?  

I’m not sure what would constitute an effective measure to stop piracy.  For the most part I think the ads we’ve seen in the past, both in movie theaters and online, have been heavy handed and annoyed most of the people they were targeted at rather than dissuade anyone.  This effort doesn’t seem much different, but it has the added disadvantage of making it easier for the authors of scareware to intimidate the public into giving up money for no good reason.  And that’s something that should be avoided whenever possible.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

No responses yet

Trackback URI | Comments RSS

Leave a Reply

%d bloggers like this: