BayTSP is a company charged with sending warnings to people whose IP address has been recorded in a file sharing swarm. Their method of contacting people turns out to be extremely insecure and prone to all kinds of abuse.
Companies like BayTSP have the honorable task of joining BitTorrent swarms and other file-sharing networks looking out for copyright infringers.
Share a piece of a copyrighted file with them and they log your IP, look up your ISP and send out a copyright infringement notice automatically.
These notices usually list details about the file in question, the person's IP address and the time the infringement was recorded. BayTSP also includes a link to a response form where you can indicate whether or not you will comply and remove the file from your computer.
The problem with these response forms is that they're not very secure. For example, if you get a notice from BayTSP, someone else can easily find it through a search engine, like Google, and fake a response in your place. There is no way for them to tell who responded to the complaint unless the response originates from the IP-address linked to the infringement.
Even worse, anyone can send out a fake e-mail to someone claiming to be BayTSP. XSS vulnerabilities on the site make it pretty easy to fabricate fake complaints and convince innocent people that to avoid court they must download trojans, or perhaps even enter credit card details to pay a small fine. Ouch.
BayTSP said that they are looking into the XSS issues, hopefully to solve the problem. They also admitted that their response forms are flawed, that everyone can indeed fill out the response form, and that they can’t be sure that the person who responded to it actually received the notice.
This makes the response form (and thus the warnings) completely useless, but BayTSP disagreed with this assessment. “We’ll have to agree to disagree on this one,” was their final response after having exchanged some arguments back and forth.
For those people in receipt of an infringement notice it might be good to know that their case is closed as soon as they indicate that they have removed the infringing file from their computer. Easy as that. Those who do not comply will receive additional notices until they do so.

