Besides being an amazing technical achievement, I find this very interesting legally, as it further blurs the line between passively viewing content hosted somewhere and redistributing/actively sharing content.
Have there already been cases of websites making their visitors unwitting peers, similar to e.g. JavaScript cryptocurrency mining?
Well spotted. In other words, WebRTC lets a site owner have their visitors distribute content directly to others without their knowledge or consent, basically making it impossible to argue that the distributor has intent to do so in the general case.
That said, it was already highly questionable for legal application, since a torrent client can run on any machine connected to a home wifi, including guests and compromised machines. It may have been enough for a "hey, you're breaking our tos, please check your devices" from the ISP, but should never have been more than that (like threatening letters from rights-holders).
Do countries other than Germany also have dedicated, famous [1] legal agencies sending out cease and desist letters and suing for damages (~900€) as soon as you accidentally seed a compromised torrent for even a few seconds?
In the US the ESA, RIAA, and MPA hire out several different third parties (some of which they have very close ties with) to do that kind of work on their behalf. They include companies like Rightscorp, Vobile, OpSec, or PML Process Management.
Mostly they just threaten people with lawsuits in order to get settlement money from folks who may even be fully innocent, but who cannot afford to fight against an international media empire in court. Lawsuits against random users are less common than they were, but still happen. The bigger issue is that the media industry has been pressuring ISPs to permanently disconnect users after nothing more than repeated unproven accusations of copyright infringement.
ISPs who fail to close these accounts risk being fined billions of dollars, so anyone in the US who has been getting DMCA notices from their ISP should take steps to prevent that, or else they're risking getting disconnected, which is a problem for those without many options for high speed internet access.
Permanently cutting people off from the internet over nothing but accusations seems very extreme, but the media industry has already taken several ISPs to court for not doing it and so far they are winning.
Along those lines, Comcast/Xfinity for example has a defaultish setting on their routers to leave an open guest network available. If I connect to my neighbor's guest network and download Game of Thrones, will my neighbor get the nastygram, or is it smart enough to know it is a guest network? Should I connect to my own guest network (not that I have it enabled) if I want to do illegal things?
The xfinitywifi network requires you log your device into a Comcast account. It's not strictly a "guest network" for arbitrary devices, it's more of a roaming access to your own account.
Pretty sure they can nail you even harder for piracy on this than on your own network where it might be someone else's device.
Not only does it require login, but it is not like they are giving you full bandwidth. Good luck to anyone trying to do a lot of high-bandwidth downloads over an Xfinity guest network.
Every one I've ever connected to gave you free access for a new account for some limited period of time. But that was like 5+ years ago so maybe they've changed it.
Usually, these CPE guest networks have their traffic routed via an IP different from the main customer one, and have their own bandwidth/QoS class as well.
I totally agree, that's how it should be. In reality right now there are countries in which you get cease and desist letters and a ~800 Euro fine for even a short amount of seeding. This is a cool technology but also allows more automation in this shady industry and laws will take years and years to follow up.
That's why for a decade already the law around here punishes you not so much for seeding, but specifically for failing to secure your Internet connection to prevent seeding (regardless of who actually seeded).
Intent is a necessary element for that charge, at least on the US Federal level. But in any case, completely accidental possession is a defense, meaning, if you have something in your possession without even knowing that it's in your possession, that can be presented as a defense to charges. That would likely be the same when it comes to being an unwitting distributor of copyrighted material via a stealth torrent. Similarly we don't prosecute individuals whose computers are infected with viruses that propagate (and thus illegally access and trespass onto other systems) without the person's knowledge.
I am on a 200GB capped residential LTE internet connection. Upload is included in that data cap. If this was surreptitiously deployed that would cost me money and generally be not cool.
While there are definitely some terrible ISPs out there, not every instance of someone not being able to use as much bandwidth as they want is a great injustice.
Sometimes it’s just sane network management. LTE networks in particular are limited in capacity. There are a bunch of different ways to limit use with different tradeoffs, and bandwidth caps actually strike a good balance between effectiveness and predictability. I have a lot of experience thinking about and implementing bandwidth pricing models, and I don’t have time to list all the options and their tradeoffs here, but you can suggest one you think is better if you want. Bandwidth caps cause users to limit their use, while still allowing a user to use the network heavily without penalty when they need to.
The real problem here is that OP doesn’t have an intuitive UX for limiting upload bandwidth to something he is comfortable with. Webtorrent then breaks his assumption that web browsing will not incur upload bandwidth.
It is in general dishonest to diminish someone else's resources without their consent or prior knowledge. I can see how this is different from using someone else's computer as part of your botnet (because the act itself is illegal), but how is this different from, say, mining a bitcoin on someone else's computer because they visited your website?
By "this" I mean the case in which a visitor's bandwidth is used to redistribute a file without their permission.
The solution to this is the same as it is for the crypto miners. Disable javascript and WebRTC by default and you no longer have to worry about every website you visit using your computer for whatever they want.
New tech is really nice and all, but I've never been a big fan of letting everyone and anyone run whatever code they want on my systems. If I actually need a website to do something like this I'll whitelist it or even set up a browser dedicated to that task, but at this point letting every website do whatever it wants is just dangerous.
Terrible internet providers are absolutely the norm across all of America. Except for a handful of small regional ISPs and municipal ISPs, where they haven't been outlawed.
As far as I know, Safari is doing something along these lines already (I believe WebRTC connections only work there after requesting camera or microphone permissions).
An explicit permission would be nicer, possibly ("this site is requesting to establish direct connections" or similar).
Have you ever used a limited data plan yourself or talked to someone who does about their web and app use patterns? People get attuned to which sites are wasting their data very quickly.
> Have there already been cases of websites making their visitors unwitting peers, similar to e.g. JavaScript cryptocurrency mining?
I haven't seen it yet in websites, but I have seen video streaming apps using torrents on the backend without informing users about it. It's caused people who thought they were legally (or at least 'safely') streaming shows and movies for free using something they found in the app store to be surprised when they got hit with DMCA notices from their ISP.
I did a PoC in college (~2008!) where I coded a distributed rainbow table generator in JS. It'd assign a block of hashes which would get sent back to the server. We showed that a single webserver distributing the work in a naive JS implementation (long before web workers and wasm) could outpace a fairly decent local C impl (we were undergrads, so definitely not optimization experts).
Was fun until sites actually got on board with salting.
I know there has been unwitting peer-to-peer livestreaming of video, but that is not exactly the same, as it did not involve file storage.
I think BBC, among others, have experimented with that.
There is https://arc.io/ which is a P2P CDN. Sites get paid a share of the profits based on the amount of data provided by their users. Seems like a cool alternative to ads IMO, but most people that hate ads also hate having their browser "hijacked" so idk if it'll take off.