Torrentspy ordered to turn over the contents of the RAM of its servers.

Aug 29, 2007

If you've been following the saga of Torrentspy, then you know that the Motion Picture Association of America has been trying to force the website's admins to start logging all of the activity on their site so that the MPAA can then subpoena the records and track down people who've been illegally downloading pirated movies. Per the prediction of the time, Torrentspy started blocking all access attempts that originate from the United States rather than a) shut down, or b) have to turn on web server logging. Well, things have gotten more interesting in the case because the magistrate of the district court of California has demanded that the admins of Torrentspy turn over the contents of the RAM of the servers running the website for forensic analysis. This means little, actually, because the servers are in the Netherlands and not the United States, and the court case hasn't progressed to the higher US courts yet, but the point remains that they're going to try to get their hands on whatever information they can to start slinging lawsuits.

I wonder what would happen if someone powered each one of those boxes down and mailed the MPAA the now empty memory modules...

As a technical aside, what they're asking for is this: Every web server maintains in memory a list of IP addresses and source ports for every connection, so that the HTTP server process knows where to send the requested files to. It is possible but optional for the web server software to write to disk data representing an HTTP transaction. For example, the logs of the Apache web server can look something like this:
ip.add.re.ss - - [25/Aug/2007:05:36:10 -0400] "GET /rss.xml HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; U; Linux; en-US; rv:w.x.y.z) Gecko/20060517 Firefox/2.0"

But Torrentspy doesn't store logs, so the MPAA wants to look at the raw lists of IP addresses and requests from memory, which is something of a crapshoot because the contents of a computer's memory are constantly in a state of flux. Every process on a machine has a limited amount of memory at its disposal, and so the memory containing older data are deallocated so that it can be reused. The older data is often overwritten in the process by something else. To prevent servers from having to swap memory to disk (which degrades system performance), it is common to give each physical computer scads of RAM so that they don't have to swap out.

It would make sense for the lawsuit to demand both dumps of RAM in each server as well as copies of the swap partitions of the physical servers but so far they haven't figured that out. If they have, it's not mentioned in this article.

Net result: Little to no usable evidence for the MPAA. Most of what they'd be getting wouldn't even be from the States, anyway.

As for people in the US who want to search for torrents, there are scads of ways to browse Torrentspy without appearing to be in the US. I leave this as an exercise for the reader.