by Beldur 4043 days ago
Does it mean that whenever I click on a link I must be afraid that my computer will start to participate in a filesharing network?

What if a website uses the technology to spread copyrighted material in the background without me knowing about it? Maybe the website had a simple XSS hole that allowed an attacker to do it?

So later I will get a fine for spreading copyrighted material and I don't even know where it came from?

5 comments

This isn't actually a new problem though!

After all, what if the JavaScript on a website makes an AJAX request to fetch illegal content and store it in your HTML5 LocalStorage?

Bam, you are now a criminal in possession of illegal content of some sort.

In Germany at least, downloading is not as big a problem as sharing and uploading.
In the US, copyright is also more about sharing/uploading than downloading (if I remember right, all of the RIAA lawsuits were for uploading). The bigger issue is if the exploit has you download something that's illegal to possess (e.g., illegal pornography).
Is it still illegal content if it's a fragment, or part of, the file? Because if it's an encrypted portion of a file, then you actually only have bits of nothing.
In the UK the police can demand encryption keys and, if you fail to supply them, throw you in prison for 10 years. So the punishment for having encrypted content which you do not have the key for could be far worse than actually having illegal content :(
Are you sure that they don't have to prove you know/can find/used to have the keys?
You're correct.

A person to whom a section 49 notice has been given is guilty of an offence if he knowingly fails, in accordance with the notice, to make the disclosure required by virtue of the giving of the notice.

In proceedings against any person for an offence under this section, if it is shown that that person was in possession of a key to any protected information at any time before the time of the giving of the section 49 notice, that person shall be taken for the purposes of those proceedings to have continued to be in possession of that key at all subsequent times, unless it is shown that the key was not in his possession after the giving of the notice and before the time by which he was required to disclose it.

For the purposes of this section a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if:

* sufficient evidence of that fact is adduced to raise an issue with respect to it; and

* the contrary is not proved beyond a reasonable doubt.

There's also a 2/5 year sentence maximum.

http://www.legislation.gov.uk/ukpga/2000/23/section/53

Do you happen to know how it is different in the US? I am curious about what would happen if someone simply refused to provide the decryption key.
In the US we have the 5th Amendment to the Constitution which forbids the government from making you testify against yourself. Details can be found here:

http://en.wikipedia.org/wiki/Key_disclosure_law#United_State...

TL;DR: Case law is mixed on the matter but it sure seems clear to me at least. I don't understand why people can't just say, "I forgot it. Sorry."

This concern applies to any JavaScript: your browser is automatically downloading and running untrusted software on your computer without prompting you.

Even if you enjoy having JavaScript enabled for many sites, something like NoScript is still a good idea---it at least gives you a chance to question whether it's needed at all, or verify what it's doing yourself.

Sometimes NoScript notifies about domain names that lead to nothing when I google them/go directly to them... How do you know if a site is legitimate?
If you're not a JavaScript developer, that's not so easy to do with NoScript, unfortunately, because you'd have to allow the file to load, or pause it with a debugger, to see what is actually going on. Some scripts are also loaded at runtime.

LibreJS will list every script and its contents if it's not marked with a free license, but since it will refuse to execute it, it will not load anything that is dynamically loaded at runtime. But a malicious script could just mark itself as free to get around that.

It's a bad situation all-around.

Yes, and given the prevalence of JavaScript in 2015, I don't see this as a practical option at all for actually using the Internet.

Chrome canary + uBlock *uMatrix (which lets you allow images / scripts / css / XHR selectively per-domain) is about as much as I can stand to maintain.

Yeah, this is an interesting thought exercise. You could even, ad banner style, put an iframe on all sorts of pages letting a computer serve as part of a torrenting network.

(Provided the page stayed open, of course)

Exactly my thoughts. JS torrent clients are dangerous.

There was a case in Germany recently where thousands of internet users got cease-and-desist letters and were asked to pay a fine based on an ad-injection. The people behind it made hundreds of thousands and ran off with the money.

On the other hand: If malicious driveby torrenting happens regularly, it will be harder to fine people for it, because it gives them a good excuse.

The case you are talking about clearly looks like a scam. How is it even legal to ask for a ransom in exchange for not disclosing you to the justice system?
It wasn't legal, but that didn't prevent them from running off with the money. Nobody wants to get involved in a lawsuit over porn movie piracy, so many people just pay the fine.

And when you pay, it's almost impossible to get the money back, because you basically admit your guilt, even when the claim was not legit.

There's more to this case, you can read about it here:

https://torrentfreak.com/viewing-pirated-streams-is-not-ille...

tl;dr: They got users' IPs through ads and misled the courts into thinking the users committed a crime by watching the videos. Courts ordered the ISPs to give out the users' info, the law firm CD'd the users and ran off when shit hit the fan.

The same thing can happen with JS torrenting and it's even easier to do.

There are companies that do this at scale, with permission from copyright holders.
I'm pretty sure this will work to stop WebTorrent in Chrome:

chrome://flags

disable webrtc

This flag is Android-only. It seems that disabling WebRTC on the desktop versions of Chrome isn't easy.