Malware Suggests Search Plays a Major Role in Piracy

Image by stefanocar75

Copyright holders have long insisted that search results play a substantial role in driving users toward pirate sites.  Google and piracy advocates have generally countered that search does not drive much traffic to illegal sites because the people who consistently use infringing sites know what they’re doing and will go directly to the content they’re seeking.  This is a reasonable assumption to make about the population of committed infringers out there, but one fact that refutes this premise is the extraordinary volume of malware (a 1-in-3 chance) on infringing sites.  Because malware isn’t there to catch the experienced visitor—it’s there to catch the unsuspecting individuals who may not even realize they’re using illegal sites when they first visit.

For those who don’t know how it works, it goes like this:  A user is interested in watching Moonlight.  If he types “Moonlight” into Google Search, the second-tier results will be links that read “Watch Moonlight Online for Free,” all of which are directed to infringing sites.  If the user actually types “Watch Moonlight” into the search field, then the first-tier results will be infringing links. And quite often, Google will automatically suggest words that prompt the user toward an infringing site. For instance, if the user logically adds the word “movie” (because moonlight is a word and not just a title), then Google will complete the thought with “online,” which then yields top results with links to “watch moonlight movie online” via an infringing site.

Google and the piracy apologists are almost certainly correct that many avid visitors to infringing sites are fairly sophisticated users; they have VPNs, ad-blockers, security software, etc. to avoid detection and malware.  But if these were the only kind of visitors landing on these sites, then the underground market in malware-based trade would not be nearly so robust as it is.

As described in this 2015 post about a report called Digital Bait, commissioned by Digital Citizens Alliance and conducted by RiskIQ, a sophisticated “crimeware economy” exists on the Darknet, where criminals buy and sell goods and services used exclusively for preying on users. To use a blunt example, if a teenage girl visits an infringing site, she has up to a 30% chance of contracting malware. That malware may be a Remote Access Trojan (RAT), which gives fairly unsophisticated hackers control of her computer, including her webcam.  Then, her IP address may be sold in this black market to people who want to spy on teenage girls in their bedrooms. In many cases, a user doesn’t even have to consume the infringing content in order to infect a device. The promise of “free content” may be draw the user into a dead-end malware trap.

If all traffic to pirate sites truly comprised only the knowledgeable users, then the criminals would not have a financial incentive to deploy so much malware on sites that infringe, or promise to infringe, copyrighted content.  The very existence of prevalent malware is an indication that a substantial number of users who have no idea what they’re doing are visiting these sites, which logically leads to the conclusion that search must play a significant role in driving users toward these sites and into the hands of criminals.

Notice that, in this context, we don’t even need to address the subject of copyright infringement, let alone get bogged down in all the tedious rhetoric about free speech.  If Google’s top search results are indeed putting users in harm’s way, this is a consumer protection issue for the Fair Trade Administration and/or State Attorneys General.  And, in fact, Digital Citizens Alliance, after releasing its 2016 report Enabling Malware, began presenting its findings to the AGs.

Yes, it is likely true that once a user—even a fairly unsophisticated teenager—is aware of sites where free content is available, he will probably revisit those sites directly without going through a search engine. But even this kind of anecdotal assumption does not mean the role of search is insignificant, not least because the illegal nature of pirate sites means that they have a tendency to disappear and reappear as authorities in various regions shut them down.  A 2013 study indicated that 19% of the traffic to infringing sites could be directly attributable to search, and if that number were wrong by half, it would still represent billions of visits per year.

Consumers have a right to know the nature of their vulnerabilities when using any product or service, and they have a right to demand that U.S. companies take every reasonable step to mitigate exposure to risk.  To date, Google has refused to take even the obvious step of demoting known infringing sites in their search results, let alone to alter the way in which auto-complete may drive consumers toward these sites.

Google does now feature the legal channels for consuming media, including their own services like YouTube and Google Play, which is a good step but not likely sufficient to protect consumers as hackers become more sophisticated and more ambitious.  In fact, one likely consequence of advertisers becoming more effective at keeping their brands off pirate sites is that the criminals will depend more on the “crimeware economy” to make money through infringing content as a means to deliver malware.

Google is getting a lot of pushback lately—from the EU’s anti-trust decision, from the advertisers, and from the Canadian Supreme Court this week in the Equustek case. (More on that shortly.)  I would not be surprised if the State AGs and other consumer-protection agencies begin to take a more active interest in the relationship between search, piracy, and malware.

© 2017, David Newhoff. All rights reserved.

Follow IOM on social media:


  • Soon enough folk will also start to see that using virtual machines gets around the malware problem rather easily. Simply record a snapshot before downloading (and/or watching), and if you are unfortunate enough to have the VM infected, simply delete that state and start a new copy from your snapshot. Theres also the benefit of locking out your personal data on the other HD partition for safety.

    It’s not that this is “sophisticated” to be honest. 10 years ago in high school even the least bright of us could get around our school’s firewall. Frankly it’s rather optimistic to expect refrain from typing “how to get around internet blocks”. A VPN doesn’t need a degree in computer science either.

    But malware still exists for the same reason ads still exist despite all the ad block software. Better to put it in than not as even 1% return is better than 0%.

    Google would need to prevent all discussion whatsoever of e.g. the Pirate Bay to truly remove it from it’s search engines, since if talking about it naturally leads folk to it, then that very talking is just as much a “link” as any URL – both direct or redirect you to the site just by telling you what it is. Every mere mention of the Pirate Bay at all would have to be removed, even the sites of copyright advocates who protest against it. Otherwise people will learn of the Pirate Bay and hence take a few attempts to correctly guess the URL or a proxy to that URL, or another internet user who can PM you that URL. “Six degrees of separation” is a very small number in this respect.

    Because in the end it doesn’t matter who the middleman is, the root of the problem is the sheer numbers willing to go to the pirate sites in the first place. The fact that Google may be a big part of the 19% figure doesn’t say much about what else users would easily turn to if Google ceased and desisted.

    • This post does not suggest that piracy will be stopped by changes in search, but it does reject the idea that search doesn’t matter. And if Google were to alter the search results based on different priorities, this would have no effect on “discussion” about The Pirate Bay, et al.

Join the discussion.