Wired Exclusive: I Was a Hacker for the MPAA
Young hacker posed as file-sharing spy for promises of fame, fortune.
Oct. 22, 2007 -- Promises of Hollywood fame and fortune persuaded a young hacker to betray former associates in the BitTorrent scene to Tinseltown's anti-piracy lobby, according to the hacker.
In an exclusive interview with Wired News, gun-for-hire hacker Robert Anderson tells for the first time how the Motion Picture Association of America promised him money and power if he provided confidential information on TorrentSpy, a popular BitTorrent search site.
According to Anderson, the MPAA told him: "We would need somebody like you. We would give you a nice paying job, a house, a car, anything you needed.... if you save Hollywood for us you can become rich and powerful."
In 2005, the MPAA paid Anderson $15,000 for inside information about TorrentSpy -- information at the heart of a copyright-infringement lawsuit brought by the MPAA against TorrentSpy of Los Angeles. The material is also the subject of a wiretapping countersuit against the MPAA brought by TorrentSpy's founder, Justin Bunnell, who alleges the information was obtained illegally.
The MPAA does not dispute it paid Anderson for the sensitive information, but insists that it had no idea that Anderson stole the data. "The MPAA obtains information from third parties only if it believes the evidence has been collected legally," says MPAA spokeswoman Elizabeth Kaltman.
The MPAA's use of Anderson is one of a series of controversies the movie industry is confronting in its zero-tolerance war on piracy. MediaDefender, a California company that tracks and disrupts file sharing of movies and music, was reported to Swedish authorities last month by The Pirate Bay, after an internet leak revealed the extent to which MediaDefender pollutes file-sharing services with fake, decoy content. And an executive at a national theater chain successfully pressed New Jersey authorities in August to prosecute a teenager for filming 20 seconds of a movie at a theater to show to her little brother later.
Anderson's account shows that the content industry may be willing to go to significant -- and some say ethically questionable -- lengths in its war against online piracy, and that it is determined to keep its methods secret.
"It was an understanding," Anderson says of the deal, "that it was hush-hush."
Anderson's brief Hollywood career began in the spring of 2005, after an online advertising venture with TorrentSpy founder Bunnell turned sour.
Looking to profit in other ways, Anderson approached the MPAA with an e-mail offering to help the movie studios' lobbying arm beat piracy, which the industry says costs it billions in lost sales each year. Among other things, Anderson proposed to implement an anti-piracy marketing campaign for the MPAA.
But he says he also offered to provide inside information on TorrentSpy, which, along with The Pirate Bay, is among the most popular BitTorrent destinations for downloaders looking for free movies and music.
"It was an opportunity to make money, because I knew how these networks operated," he says.
On June 8, 2005, within weeks of sending his unsolicited e-mail, Anderson says he was put in touch with the MPAA's Dean Garfield, then the organization's legal director. Anderson says he told Garfield that he had "an informant that can intercept any e-mail communication."
Anderson didn't tell Garfield he was the "informant," and that he'd already hacked into TorrentSpy's systems. The hacker, then 23 and living in Vancouver, British Columbia, claims he had cracked TorrentSpy's servers by simply guessing an administrative password. He knew the password was weak -- a combination of a name and some numbers.
"I just kept changing the numbers until it fit," he says. "I guess you can call it luck. It took a little more than 30 tries."
Once inside, he programmed TorrentSpy's mail system to relay e-mail to a newly created external account he could access.
There's a trace of pride in his voice as he details the hack. "The e-mails weren't forwarded using the mail command. They were sent actually before it reached anyone's mailbox," he says. "So it was more like interception before delivery. I could even stop certain mail from reaching their box."
In this manner, Anderson says, he sucked down about three dozen pages of e-mails detailing banking, advertising and other confidential information. "Everything they were talking about was sent to my Gmail," he says. "Everything they sent, anything sent to them, I got: invoices; in one case they sent passwords."
Among the purloined files was the source code for TorrentSpy's backend software, says Anderson. Anderson alleges this interested the MPAA, which he says wanted to set up a fake BitTorrent site of its own. According to Anderson, the MPAA said, "We'll set up a fake Torrent site. We'll contact the other Torrent sites. We'll get their names, address books, contact information and banking information.... (They) wanted to run this as a shadow portion of the MPAA."
MPAA spokeswoman Kaltman says the MPAA had no such plans, and says the accusation that the MPAA wanted to set up a phony Torrent site is "patently false."
On June 30, 2005, after Anderson collected the data, Garfield sent Anderson a contract to sign. The contract, seen by Wired News, says the information the MPAA was seeking would "include, but is not limited to, the names, addresses, and phone numbers of the owners of TorrentSpy.com."
The contract also requested information on The Pirate Bay, and called for Anderson to look for "evidence concerning and correspondence between these entities."
The contract prohibited both parties from disclosing "the existence of this agreement to anyone," and said the MPAA would pay $15,000 for services to Anderson's business, Vaga Ventures. Finally, the contract dictated that the confidential data would be obtained "through legal means."
But according to documents filed in support of TorrentSpy's wiretapping countersuit: "Dean Garfield expressly told the informant (Anderson), on behalf of the MPAA, regarding the information that he requested, 'We don't care how you get it.'"
It continues: "(T)he MPAA knew, or had reason to know, that such information was obtained from plaintiffs unlawfully and without authorization."
The details of Anderson's conversations with Garfield could not be independently verified, and Garfield -- now the MPAA's executive vice president and chief strategic officer -- did not respond to repeated requests for comment.
But MPAA spokeswoman Kaltman says the organization's contract with Anderson clearly required any information to be obtained lawfully.
Anderson says he signed the secret pact, and immediately sent in what he says was stolen information.
But once Anderson turned over the data and cashed the MPAA's check, he quickly realized that Garfield had no further use for him. "He lost interest in me," he says. Anderson felt abandoned: During negotiations with Garfield, the hacker had become convinced he was starting a long-term, lucrative relationship with the motion picture industry. "He was stringing me along personally."
Hollywood's cold shoulder put Anderson's allegiance back up for grabs, and about a year later he came clean with TorrentSpy's Bunnell in an online chat. "'I sold you out to the MPAA,'" Anderson says he told Bunnell. "I felt guilty (for) what happened and I kinda also thought at that point the MPAA wasn't going to do anything."
"He was kinda blown away," recalls Anderson.
Bunnell declined to comment for this story.
The MPAA sued Bunnell and TorrentSpy shortly after Anderson's chat. Bunnell then countersued the MPAA under the federal Wiretap Act. Bunnell alleged that Anderson's e-mail surveillance amounted to wiretapping under the law, and that the MPAA was exposed to vicarious liability for the crime.
As Bunnell's star witness, Anderson was not sued "because he took steps to advise us of his wrongdoing and to cooperate. We've made a decision to go after the bigger wrongdoing, the MPAA," says Bunnell's attorney, Ira Rothken.
But U.S. District Judge Florence-Marie Cooper in Los Angeles dismissed Bunnell's lawsuit Aug. 21 on the grounds that Anderson's intrusion did not violate the federal wiretapping statute. Attorney Rothken says he did not sue under the federal computer-hacking law, because it doesn't allow for vicarious liability.
Last week Rothken filed a notice of his intent to appeal Cooper's decision to the 9th U.S. Circuit Court of Appeals. For now, the court's decision has put the brakes on Bunnell's lawsuit against the MPAA, and freed the movie industry to use the purloined e-mail in its lawsuit against TorrentSpy for alleged copyright infringement.
That suit is ongoing and contentious. Cooper ruled last May that TorrentSpy must begin saving the internet addresses and download activity of its U.S.-based users, and turning over the information to the MPAA in pretrial discovery. In response, TorrentSpy began blocking U.S. users, and made changes on its site to protect user privacy -- drawing a fresh burst of outrage in legal filings by MPAA lawyers earlier this month.
The MPAA's Kaltman says the court's decision to throw out Bunnell's lawsuit against the MPAA left no doubt that Garfield's relationship with Anderson was aboveboard. Kaltman points out that the court took note of the contract language between the MPAA and Anderson that represented any data from Anderson as being lawfully obtained.
But Paul Ohm, a University of Colorado Law School scholar specializing in computer crime, is skeptical. "It's hard to say with a straight face that you can obtain that legally," said Ohm. "Ethical red bells should have been going off."