TorrentFreak

Most prevalent in the movie and TV show sectors, applications for DMCA subpoenas are regularly filed at courts in the United States.

Aside from their intended purpose, DMCA subpoenas can provide useful clues about future anti-piracy strategies. When subpoenas are contested by intermediaries, subpoena applications sometimes become copyright cases in their own right. From a rightsholders' perspective, in some cases they may be the only potential source of information yet to be exhausted.

Getting Prepared

A few days ago, the UK's Premier League asked a California federal court to issue a DMCA subpoena against Cloudflare. The application identifies 38 target pirate streaming sites, many of which utilize multiple domains. Since the platforms all use Cloudflare, the Premier League hopes that information held by the company will help to unmask the sites' currently anonymous operators.

Before filing an application under Section 512(h) of the DMCA, which allows copyright owners to obtain a subpoena and receive “information sufficient to identify an anonymous infringer," applicants are first required to send DMCA takedown notices to the platform in question. The notices should identify the infringing content and state where the content can be found; in cases involving streaming sites, the right tools can prove helpful.

Recreating the Toolkit

The screenshot below shows a live match playing on a pirate streaming site. Culled from the Premier League's application, it provides clues that allow us to start identifying the tools in use and the problems they're likely to solve once combined with Open Source Intelligence (OSINT).

At a basic level in this context, OSINT can be almost any information made available on the internet. The screenshot is our primary source; it will help us identify the tools to recreate the toolkit, which in turn will use other public information sources to satisfy the requirements of the application.

M3U8 Sniffer

In this example it appears that when the Premier League visited the website sporttuna.pro, they were redirected to sporttuna.website and then to sporttuna.xyz (boxed in red).

Like most pirate sites, the 'backend link' or source of the stream (boxed in green) isn't on public display. These links can be obtained in various ways but in this case, Chrome extension M3U8 Sniffer is the weapon of choice.

M3U8 Sniffer

From the developer 's website: The extension intercepts visited web page's network requests and identifies all m3u8 video stream URLs. When a m3u8 URL request is found, it is displayed in a box that overlays the visited web page (see images above) from which you can copy the m3u8 URL or play the video stream. Also, you can open the extension's popup window to view the first and last m3u8 URLs found for each site, as well as to set a variety of extension options.

M3U8 Sniffer is afree extension available from the Chrome Web Store. Further information is available from the developer at SnifferTV.com.

Identifying the Remaining Tools

Identifying the remaining tools was a little time-consuming but if we said the method was advanced or complicated, that would be a lie.

We simply trawled through the browser evidence images and took screenshots of the toolbars. These contain the icons of the apps used to obtain the evidence.

After extracting the toolbar icons we put those we recognized to the side, then identified the remainder using reverse image search tools. Straightforward options include Google Images and Google Lens.

As an alternative, Chrome extension RevEye Reverse Image Search provides instant results from Google, Bing, Yandex, and TinEye.

(Note: Bad extensions exist, trust nobody,check the source)

Internet Download Manager

Given that M3U8 Sniffer "does NOT provide functionality to download the actual video streams" another piece of software comes in handy. IDM is a popular choice in the niche and appears to be the downloader of choice in this particular toolkit.

From the official website: When you click on a download link in a browser, IDM will take over the download and accelerate it. You don't need to do anything special, just browse the Internet as you usually do. IDM will catch your downloads and accelerate them. IDM supports HTTP, FTP, HTTPS and MMS protocols.

Unfortunately, IDM isn't free but it is free to try via a 30-day trial. Some prefer JDownloader since the price is more predictable, but there are plenty of options in this niche.

Fiddler

Our best guess at identifying this next tool comes with a small caveat that its icon was almost impossibly blurred and even when fresh it's still pretty basic. Ultimately, a green diamond and a single white 'F' works here.

Fiddler and tools with similar functionality (web debugging proxy tools) are used extensively by developers and investigators when keeping a close eye on HTTP traffic is a must. For those who've never cared to take a closer look, it can be real eye-opener. Even the most innocuous websites can behave pretty badly until users notice, so there's never a bad time to take a first look.

Fiddler Classic and Fiddler Everywhere are both available as free trials, and the same is true for Charles Proxy which appears regularly as evidence in Indian site-blocking cases.

Some prefer to monitor traffic with Wireshark but for others it can be too much. Open source and available on Linux, Windows (GUI), and macOS, MITM Proxy will scratch most itches for free.

At a pocket friendly price of $0.00, the open sourceMITM Proxy (man-in-the-middle) does exactly as its name suggests, making it a popular choice.

Instant Datascraper

Scraping data from websites in a structured and usable format isn't always easy and for big jobs, things can quickly descend into a time-wasting nightmare.

Instant Data Scraper hopes to eliminate the frustrations often associated with scraping and with over a million users, people seem happy with the results.

It's impossible to say how the Premier League uses Instant Datascraper, but it could easily consume a visible members' list in an instant or scrape a mountain of forum posts. The options are only limited by data becoming unavailable.

From the official site: Instant Data Scraper is an automated data extraction tool for any website. It uses AI to predict which data is most relevant on a HTML page and allows saving it to Excel or CSV file (XLS, XLSX, CSV). This tool does not require website specific scripts, instead it uses heuristic AI analysis of HTML structure to detect data for extraction. This means that our scraping method works just as well with small and lesser known websites, as it does with global giants like Amazon. Also, our users do not need to have any coding, json or xml skills

The software is free and available direct fromwebrobots.io and the Chrome Store.

IPNetInfo | Investigator

IPNetInfo describes itself a small utility that allows people to easily find all available information about an IP address. That includes the owner of the IP address and sundry other details. Hosted on Nirsoft.com and GitHub respectively, both also have a bit more to offer.

Investigator is actually a collection of useful tools, one of which is bound to come in useful sooner or later. Developed by Nirsoft, IPNetInfo is surrounded by dozens of other useful free tools at Nirsoft.net so still worth a quick visit.

Those with access to a Linux command line also have access to the best tools when investigating domains, IP addresses, and DNS. For Windows users or those who simply prefer the convenience of GUIs, the following perform well and look great too: Digger Tools, DNSViz, URLQuery, DMNSApp, URLScan, and WebCheck.

Finally, a pair of outliers to consider.

The End: Emulators

Given that there are Android emulators that are less elaborate, more predictable, and therefore better suited to the assumed job in hand, the discovery of two fairly elaborate emulators in the toolkit initially seems a little puzzling.

There's bound to be a good reason they're installed but right now, those reasons will have to wait until another day.

[Content truncated due to length...]

From TorrentFreak via this RSS feed

The frontline of online piracy liability keeps moving, and core internet infrastructure providers are increasingly finding themselves in the crosshairs.

In a significant ruling last week, the Paris Judicial Tribunal ordered Cloudflare to actively block access to pirate MotoGP streams, confirming that third-party intermediaries can be required to take responsibility.

The ruling follows a complaint from French entertainment powerhouse Société d'Edition de Canal Plus (SECP), which holds the rights to various sports broadcasts. In this case, the proceeding was filed to protect its interests in MotoGP events, which started a new season last month.

DNS Resolvers are Liable

The reasoning behind the blocking request is similar to a previous blocking order, which also targeted OpenDNS and Google DNS. It is grounded in Article L. 333-10 of the French Sports Code, which empowers rightsholders to seek court orders against any outfit that can help to stop 'serious and repeated' sports piracy.

This time, SECP's demands are broader than DNS blocking alone. The rightsholder also requested blocking measures across Cloudflare's other services, including its CDN and proxy services.

The 14 domain names

The legal paperwork cites 14 domain names, including motogpstream.me and livestreamhd247.live, but doesn't stop there. SECP also pushed for dynamic blocking, asking Cloudflare to act against future infringing sites identified by French media regulator, ARCOM.

Cloudflare's Failed Defense

Cloudflare put up a defense, arguing that unlike traditional ISPs, it isn't the kind of intermediary that's targeted by Article L. 333-10. The company said that its DNS, CDN, and reverse proxy services don't "transmit" infringing content in the way envisioned by the law. Instead, they merely route traffic or cache content passively, so strict policing obligations are not appropriate.

Cloudflare also attacked the proportionality and effectiveness of the requested measures. For example, it said that DNS blocking would affect a "negligible" number of users and could be easily bypassed by VPNs or other DNS resolvers, rendering these restrictions futile.

Cloudflare also warned that due to technical challenges, it could be difficult to accurately geo-restrict blocking measures to France, introducing a new risk of global collateral damage.

Court Dismisses Pushback, Orders Blocking Measures

None of these defenses convinced the Paris court, which rejected all of Cloudflare's arguments. For example, it disregarded the "passive" vs. "active" distinction, concluding that intermediaries such as Cloudflare play an integral role in accessing pirate streams. As a result, the company is required to block this content.

The potentially limited effect of the blocking order didn't change the court's view either. While Cloudflare's blocking won't put an end to piracy, it will have an impact, even if some people bypass the proposed blocking measures.

All in all, the Paris Court ordered Cloudflare to comply and block the listed pirate site domains within three days. The blockades should stay in place for the remainder of the 2025 MotoGP season, across all relevant services.

Future Pirate Site Domains are Covered

The order was issued last week and Cloudflare has already implemented it, with the court allowing Cloudflare to adopt its own technical measures. Visiting the blocked domain names from France will now result in an HTTP 451 error, indicating that they are now unavailable for legal reasons.

Error HTTP 451

Interestingly, the blockades may not stop at the 14 domain names mentioned in the original complaint. The 'dynamic' order allows SECP to request additional blockades from Cloudflare, if future pirate sites are flagged by French media regulator, ARCOM. Refusal to comply could see Cloudflare incur a €5,000 daily fine per site.

"[Cloudflare is ordered to implement] all measures likely to prevent, until the date of the last race in the MotoGP season 2025, currently set for November 16, 2025, access to the sites identified above, as well as to sites not yet identified at the date of the present decision," the order reads.

From the order

This latest French ruling is part of broader efforts by rightsholders to co-opt core internet infrastructure into their enforcement efforts. Mandatory blocking requirements, once largely confined to ISPs, are now gradually expanding to other intermediaries. The expansion is not just a French or European phenomenon; a proposed U.S. site blocking bill also envisions a key role for DNS resolvers.

_--

A copy of the Paris Court order, issued on March 28, 2025, is available here (pdf) _

From: TF, for the latest news on copyright battles, piracy and more.

From TorrentFreak via this RSS feed

When rightsholders feel that conditions are optimal, site-blocking measures are presented to countries as a proportionate, precise, and entirely reasonable response to rampant piracy.

Should there be a need for new legislation, care should be taken to provide room for rightsholders to maneuver, to ensure that adaptive pirates are placed under maximum continuous pressure.

Under intense pressure itself by an impatient United States demanding that piracy needed to be taken more seriously, Spain spent years doing just that. The success story includes over a decade of site-blocking that generated zero controversy.

Piracy blocking applications even appeared to decline in 2024. A far cry from the days when a call-out on the USTR's Priority Watch List seemed inevitable, but still light years adrift from the disaster playing out in Spain since February.

With Great Power Comes….Massive Blocking

In 2022 LaLiga and Telefonica, owner of broadcaster Movistar, found room for legal maneuver. Understandably frustrated that their premium live sports broadcasts were instantly pirated, the companies convinced a court that rapid, dynamic blocking would be a proportionate response to IPTV piracy.

These blocking orders presented new problems. The crisis currently playing out in Spain shows how easily circumvented technical restrictions can be rendered almost useless. This, in turn, triggered a disproportionate response leading to substantial collateral damage.

When enhanced privacy features at Cloudflare undermined blocking, the power of a new court order issued last December allowed LaLiga to block Cloudfare itself and by default, many thousands of innocent Cloudflare customers.

Block and Awe

After a court rejected appeals by Cloudflare and hacker collective RootedCON in March, LaLiga now appears to be blocking whatever it needs to block to get the job done. And it's a big job, as updates from sysadmin @jaumepons on X reveal.

300 of 12382 domains behind 1 IP address

According to @jaumepons, Cloudflare IP addresses are currently being blocked by LaLiga at the rate of 3,000 every week. For perspective, Italy's Piracy Shield caused uproar when it blocked less than a handful.

Each IP address serves thousands of innocent Cloudflare customers and whichever pirate streaming service happens to be taking cover among them.

Despite having no links to pirate sites, the number of domains said to be affected by IP address-based blocking appears to be disproportionate to the stated aim. The claim that many newspapers have been caught up in the dragnet is concerning; the claim below is more disconcerting than anything else.

????

Unsolicited Press Release

While we're generally averse to parroting press releases without broader context, a communication received late Wednesday piqued our interest and then proved unusually puzzling. The author is the Spanish non-profit DigitalES and at the time of writing the release doesn't appear on the group's website. Its intentions, however, are made clear right off the bat:

_DigitalES, the Spanish Association for Digitalization and the employers ' association for the telecommunications, technology, and digital innovation sectors, is calling for the cooperation of all Internet intermediaries to ensure compliance with the court order requiring the blocking of resources linked to pirated audiovisual content.

---snip---

This court ruling is based on the material impossibility of implementing DNS-level blocking as a measure against online piracy. The main reason is that websites with illegal content and the intermediary companies that connect them to the internet employ various techniques (such as ECH or Relay) to change their IP addresses and circumvent these restrictions. Therefore, the most viable solution is considered to be either directly blocking the IP addresses associated with pirated content, or a combined strategy that includes blocking domains, URLs, and IP addresses .

Despite the agreement reached with most of these web traffic intermediaries to implement this solution, some services are not implementing the court order._

Whether the overblocking situation is linked to lacking implementation at some providers isn't clear. In fact, the press release doesn't mention overblocking at all; it notes the failed legal actions by Cloudflare and RootedCON but says nothing about the controversial events that triggered them.

Other Relevant Details

It may be a coincidence that Telefonica, Vodafone, MásOrange, and DIGI, are directly linked to the blocking action in Spain, while also being members of DigitalES. That no mention is made of these companies in the DigitalES press release might be an oversight, but with vested interests in how the current situation plays out, a few extra details of their involvement may prove informative.

The blocking injunction obtained last December was a joint effort by LaLiga and Telefónica Audiovisual Digital (TAD), which operates the Telefonica-owned subscription digital TV platform known as Movistar Plus+. In January it was reported that Telefonica had retained the domestic rights to broadcast LaLiga matches until the end of 2026/27 season, in a deal worth €1.29bn (US$1.43bn).

The injunction protects this investment by providing the legal basis for blocking measures at four named ISPs;

• MásOrange: Operator of brands including Orange, Yoigo, Jazztel, Masmovil, Simyo, Pepephone, Lebara, Lyca, Llamaya, and Euskaltel. An agreement between Orange and Telefonica-owned Movistar and DAZN secured broadcasting rights for LaLiga matches.
• Vodafone: LaLiga matches are available on Vodafone TV through a deal with DAZN
• DIGI: Romanian telco sells access to LaLiga matches via its DIGI TV platform in Spain
• Movistar: Telefonica-owned telco (LaLiga shown on Movistar+)

The process through which blocking injunctions are obtained is typically non-adversarial. Ultimately signed-off by a judge, ISPs are indeed compelled to implement piracy blocking measures, albeit under pre-arranged terms to which they all agreed.

The theory is straightforward. LaLiga/Telefonica monitor the internet for pirate streams and send their IP addresses to the ISPs. Once the ISPs add those IP addressees to their internal blacklists, their own customers watching those streams can no longer do so.

The companies believe that with enough disruption, pirates will decide to go legal. How well that's going right is unclear. The massive overblocking of Cloudflare denies access to legitimate platforms for pirates and non-pirates alike.

A Surprise Intervention

According to RootedCON, Vodafone surprised by intervening in its case.

_One of the most controversial points in the development of the case has been Vodafone 's intervention: before the judge made a decision, it appeared to reject RootedCON's presence in the legal process. The operator maintained, now with the support of the judge, that the only ones entitled to challenge the ruling were the operators that were sued at the time by LaLiga and Telefónica.

However, they themselves have not filed their own request for annulment. "What Vodafone is effectively saying is that operators are happy to be forced to block."_

And as distributors of LaLiga content, purchased at considerable expense, that makes complete sense. As internet service providers knowingly blocking legitimate resources and their own non-pirating customers? Not so much.

From: TF, for the latest news on copyright battles, piracy and more.

From TorrentFreak via this RSS feed

Posted from this RSS feed via bot, see !meta@rss.ponder.cat

Posted from this RSS feed via bot, see !meta@rss.ponder.cat