Every day, millions of people download files through BitTorrent. This works well but there is one major drawback; everything you download can be tracked.
To bypass this privacy concern many people have started to use VPNs, many of which provide good anonymity. Others prefer cloud torrenting tools, which also help to hide users’ IP-addresses.
Over the past few years we’ve regularly asked VPN providers how anonymous they really are. However, little is known about the privacy policies and logging practices of cloud torrenting services. Today, we hope to fill this gap.
At the start of the week we reached out to several of the leading cloud torrenting services to ask some detailed questions. In particular, we wanted to know what information they store and if that can expose users.
The list of all questions, including the answers from providers, is listed below. At the bottom of the article we provide a summary, as well as a list of those who failed to respond at all.
1. Does your service collect any temporary or permanent data that can link a timestamp and IP-address to a specific user on your service? If so, what information do you collect and how long is that stored?
2. Does your service store any personally identifiable information of users (including IP-addresses)? If so, what information do you store, and for how long?
3. Does your service store the names/hashes or other identifying information of downloaded content (stored on your servers) that can be connected with a specific user? If so, for how long?
4. Does your service store the names/hashes or other identifying information of previously downloaded content (after being removed from the user’s account) that can be connected with a specific user? If so, for how long?
5. How does your service respond to DMCA notices or similar takedown requests?
6. Do you have a repeat infringer policy? If so, what does it entail?
1. No, we don’t log any IP access data. Our whole service is built to have minimal logging and is very light on the database level. That keeps things simple.
2. The most unique userkey is the user’s email address. We keep that for obvious reasons – to secure the account and reach the user. We keep it until the account is deleted. Apart from that we don’t store anything, but other information might be stored by our payment gateways. Nothing really can be done there except moving to Bitcoin – which we support and love.
3. There are two parts to our service. One is for fetching (eg a transfer job for importing the files into cloud storage) and then there’s the actual cloud storage. There is obviously a database that links the files to the user’s account but that connection is gone once the user deletes(removes) the file from their cloud. We cannot restore files and cannot backtrack who added/transferred what.
4.No, we do not.
5. Luckily we don’t have this problem since our business model does not contain any sort of sharing or publishing. Generated filelinks are locked to the user’s account and cannot be accessed externally.
6. We do not and it would be pretty hard since we do not have the logs. For now, we are content with the current legal situation.
TorrentFreak summary: There are no logs that can connect a person’s IP-address to an account. Premiumize can link files to user accounts and information
1. The last IP address is registered when the user logs on and it is cleared when the user logs out. This IP is only used to permit access to their downloaded files, and it is correlated with the login cookie. This is temporary and the privacy of the user is assured when they logout. The email is used to register and as an account recovery mechanism.
2. Each account is associated with an email address. Even though we frown on ‘temporary’ or ‘disposable’ emails, we make no effort in collecting the real name. In fact, if the user logs in with a Facebook account and refuses to share their email address, we don’t store any address at all. Email is only used to ensure the ownership of the account and allow users to ‘recover’ their own account and not be available for anyone else.
At any point, users can change their email address or delete it. Also, at any point any user can ask for account deletion and all information will be purged on request. We are working on adding an automatic mechanism for this.
Now, if the user upgrades their account, our payment processor asks for PII to ensure the identity of the user to protect against credit card fraud. This information STAYS on their servers and is not available from ours. We don’t use that information at all, we just receive the activation for a specific account.
3. See the next answer.
4. On all active or previous transfers the original request is stored as long as the user leaves them on their ‘downloaded’ list. As soon as they clear this list, that information is purged and can no longer be connected with the user.
5. We respond as soon as the request is received. We delete the referred content and comply, informing the user why it was deleted and suggesting they do not try downloading any copyrighted content.
6. We have not had to enforce any “repeat infringer” policies, but we do not disclose the limits we would consider as abuse to avoid users trying to “pass below the radar”. To be clear, although we do have a “fair use” policy for bandwidth usage, we have not had to impose any limits, as we try to permit the users to use the service to their maximum potential, and instead, we are really happy to see users enjoy it that much.
TorrentFreak summary: There are temporary logs that can connect a person’s IP-address to an account. TransferCloud can link non-deleted files and download histories to user accounts and information
1. Since we are a Turkish company we are required to abide by Turkish laws, which are more concerned about curtailing free speech than privacy. And since there is no speech at put.io we’re not keeping a list of [‘all’] used IP addresses.
We do keep the last used IP address to generate a download token that invalidates download links when requested from other IP addresses. We keep this last IP address as long as the user is logged in. It is erased when the user logs out or is inactive for 7 days. This is a precaution against abuse. We are currently working on a solution that will make it unnecessary to keep the last IP address.
2. We keep the username, reported email address and the last IP address for the purpose explained above. We have no access to users’ payment information. These are stored by our payment providers
3. There is an association with the account and the transfer jobs as long as they are displayed on the transfers page, and there is an association between the account and the files as long as they are stored under that account. There is also a history page that lists the latest transfer jobs, but it can be turned off.
These associations disappear the moment the transfers page is cleared, the files are deleted or the history page is cleared (or disabled). We wouldn’t be able to answer the question “What has this user downloaded?” after that.
Also, if the user ever destroys their account, we destroy everything related to the account. The only record we keep is a log entry that states that an account with that username was destroyed on that date. We had to add this to solve some mysteries with unintended account deletions.
4. No. If it’s not visible in the user interface we don’t keep it.
5. After 10 years in operation we have received only one DMCA request and that was meant for another service called Putlocker. The copyright holder had mixed up the services. We don’t receive DMCA requests, but if we ever did, we would comply and remove the content from our servers. That would be the end of it.
6. We have never had to develop a policy to deal with this.
TorrentFreak summary: There are temporary logs that can connect a person’s IP-address to an account. Put.io can link the non-deleted files and download history to user accounts and information.
Summary: How Anonymous Are Cloud Torrenting Services
Cloud torrenting services help people to hide their IP-addresses from the public. By doing so, they add an extra privacy layer. Outsiders can’t see what people download. However, true anonymity is a different matter.
The services can link stored files – and in some cases non-deleted download histories – to the personal information they store in their database. In that regard, they are similar to cloud hosting services. This is worth keeping in mind, as services can be compromised or legally required to share information.
Cloud Torrenting Services That Haven’t Responded (fully)
The following services didn’t respond to our questions. If they do, we will update the article accordingly. Bitport submitted a partial response after our deadline, we will add the full response if it comes in.
Many thanks to TorrentFreak for the breaking news.