I'm not particularly interested in spying on people, but I find it interesting that many popular BitTorrent clients publicly broadcast the identifiers of all currently downloading and seeding torrents on the local area network. Since I am on a local network with many other users, I can get a list of what is currently being downloaded just by listening for a few minutes to the packets that are voluntarily sent out on the LAN. BitTorrent clients use this feature for what is known as local peer discovery (LPD). The idea is that someone else on the LAN might be downloading the same torrent, in which case it is advantageous to connect and transfer the data over the LAN, which is usually a fast connection. However, the potential privacy problems seem to have been overlooked by some of the popular BitTorrent clients, since this feature is enabled by default without any warning about the implications.

[Screenshot: LPD monitor]

What these clients actually broadcast is the identifier of the torrent, also known as the infohash. Once obtained, this string of hexadecimal characters can be googled, which usually gives further details on the name and content of the torrent. Alternatively, using the metadata extension of the BitTorrent protocol, the full torrent file (containing name and file descriptions) can be downloaded from the same peer.

To demonstrate how this method works in practice, I wrote a small command-line tool in Python to monitor the LAN for these packets. It is available here. There is also an experimental graphical interface. In addition, there is a tool to connect to a peer and obtain the torrent file using the metadata extension.
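To make concrete what an LPD announcement exposes, here is an added example (not the author's tool) that parses the announce message and can join the multicast group, so you can confirm whether your own client still announces after LPD is disabled. The group address, port and message layout are taken from BEP 14 rather than from this post, and the sample datagram is constructed.

```python
import re
import socket

# Group, port and message layout are from BEP 14, not from the original post.
LPD_GROUP, LPD_PORT = "239.192.152.143", 6771
INFOHASH_RE = re.compile(r"[0-9a-fA-F]{40}")


def parse_lpd_announce(datagram: bytes):
    """Return {'port', 'infohashes', 'cookie'}, or None if not a valid announce."""
    try:
        lines = datagram.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    if lines[0] != "BT-SEARCH * HTTP/1.1":
        return None
    port, cookie, infohashes = None, None, []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep:
            continue
        if name == "port" and value.isdigit() and len(value) <= 5:
            port = int(value) if 0 < int(value) < 65536 else None
        elif name == "infohash" and INFOHASH_RE.fullmatch(value):
            infohashes.append(value.lower())  # one message may carry several
        elif name == "cookie":
            cookie = value  # opaque value a client uses to spot its own messages
    if port is None or not infohashes:
        return None
    return {"port": port, "infohashes": infohashes, "cookie": cookie}


def open_lpd_socket():
    """Join the LPD multicast group; recvfrom() then yields (datagram, (ip, port))."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", LPD_PORT))
    mreq = socket.inet_aton(LPD_GROUP) + socket.inet_aton("0.0.0.0")
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return sock


# Constructed sample announce (made-up infohash and cookie) for offline testing.
SAMPLE = (b"BT-SEARCH * HTTP/1.1\r\nHost: 239.192.152.143:6771\r\n"
          b"Port: 6881\r\n"
          b"Infohash: 0123456789ABCDEF0123456789ABCDEF01234567\r\n"
          b"cookie: 1a2b3c4d\r\n\r\n\r\n")

if __name__ == "__main__":
    print(parse_lpd_announce(SAMPLE))
```

If no datagram from your machine's address parses as an announce while a torrent is active, the client's LPD setting is actually off.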

Although local peer discovery can be beneficial, I hope this highlights the potential privacy problems. Any sane BitTorrent client should have an option to disable LPD in case this is desired.