Robert Anderson, the MPAA hacker, speaks to Wired

My very first post on Cyberpunk Review’s meatspace was a ZDNet article about the MPAA hiring a hacker to steal data from TorrentSpy. Now that hacker, Robert Anderson, has given an exclusive interview to Wired giving his reason for joining the anti-sharing movie group, and what lead him to leave.

All about the Benjamins. Anderson approached the MPAA to help their anti-piracy efforts after an online advertising venture with TorrentSpy founder Justin Bunnell didn’t pan out. For the MPAA, who reports that the movie industry loses billions due to piracy via file sharing, to have someone with inside knowledge of an “enemy organization” on their side would be an answer to their prayers, and the MPAA was going to do whatever they needed to do to keep him on their side:

According to Anderson, the MPAA told him: “We would need somebody like you. We would give you a nice paying job, a house, a car, anything you needed…. if you save Hollywood for us you can become rich and powerful.”

In 2005, the MPAA paid Anderson $15,000 for inside information about TorrentSpy — information at the heart of a copyright-infringement lawsuit brought by the MPAA against TorrentSpy of Los Angeles.

Anderson was put in contact with Dean Garfield, then legal director now executive vice president and chief strategic officer, who believed Anderson had “an informant that can intercept any e-mail communication.” But Anderson himself was the “informant,” and how he intercepted the e-mails is what has both the MPAA and TorrentSpy at odds with each other.

A sticky wicket. Anderson was able to intercept not only e-mails, but software and source codes, invoices, and even passwords. How did he do it?

The hacker, then 23 and living in Vancouver, British Columbia, claims he had cracked TorrentSpy’s servers by simply guessing an administrative password. He knew the password was weak — a combination of a name and some numbers.

“I just kept changing the numbers until it fit,” he says. “I guess you can call it luck. It took a little more than 30 tries.”

Once inside, he programmed TorrentSpy’s mail system to relay e-mail to a newly created external account he could access.

There’s a trace of pride in his voice as he details the hack. “The e-mails weren’t forwarded using the mail command. They were sent actually before it reached anyone’s mailbox,” he says. “So it was more like interception before delivery. I could even stop certain mail from reaching their box.”

Anderson also received a contract to sign, with provisions like:

… the information the MPAA was seeking would “include, but is not limited to, the names, addresses, and phone numbers of the owners of TorrentSpy.com.”

The contract also requested information on The Pirate Bay, and called for Anderson to look for “evidence concerning and correspondence between these entities.”

The contract prohibited both parties from disclosing “the existence of this agreement to anyone,” and said the MPAA would pay $15,000 for services to Anderson’s business, Vaga Ventures. Finally, the contract dictated that the confidential data would be obtained “through legal means.”

The data being obtained “through legal means” was at the heart of a countersuit filed by Bunnell against the MPAA, claiming Anderson’s actions violated wiretapping laws.

A falling out, and the fallout. At one point, Anderson knew the honeymoon was over:

But once Anderson turned over the data and cashed the MPAA’s check, he quickly realized that Garfield had no further use for him. “He lost interest in me,” he says. Anderson felt abandoned: During negotiations with Garfield, the hacker had become convinced he was starting a long-term, lucrative relationship with the motion picture industry. “He was stringing me along personally.”

Hollywood’s cold shoulder put Anderson’s allegiance back up for grabs, and about a year later he came clean with TorrentSpy’s Bunnell in an online chat. “‘I sold you out to the MPAA,’” Anderson says he told Bunnell. “I felt guilty (for) what happened and I kinda also thought at that point the MPAA wasn’t going to do anything.”

After Anderson’s chat, Bunnell filed the countersuit. The suit is currently on hold pending an appeal, while the MPAA can use the stolen data in their ongoing persecutions. TorrentSpy was also ordered to track US users, but they countered by blocking them and increasing privacy for everyone else.

The worse may be yet to come. Given the almost soap-operatic nature of this case so far, what else Anderson “intercepted” is something to give cause for alarm… if it weren’t for other enterprising hackers:

Among the purloined files was the source code for TorrentSpy’s backend software, says Anderson. Anderson alleges this interested the MPAA, which he says wanted to set up a fake BitTorrent site of its own. According to Anderson, the MPAA said, “We’ll set up a fake Torrent site. We’ll contact the other Torrent sites. We’ll get their names, address books, contact information and banking information…. (They) wanted to run this as a shadow portion of the MPAA.”

Can you say MediaDefender?

Robert Anderson wanted to make money, but he had to sell his soul to a corporate gestapo to get that paycheck. In the process, he may have done something to help protect us from the virtual reality “they” (the MPAA) want to keep us asleep in…

Anderson’s account shows that the content industry may be willing to go to significant — and some say ethically questionable — lengths in its war against online piracy, and that it is determined to keep its methods secret.