New bot listening in and broadcasting

[JacquesFreud]

Hi folks,
Since yesterday, March 23 2023, we came across a new function on the website Jamulus.live
It is called "Listen" and enables people from outside to hear what is going on in a Jamulus server, without actually joining in. After fooling around with it for a bit, some of us started to raise questions. Feel free to read along with the mail I got from one of my fellow jammers, translated from German:

_Yesterday I checked this "obscure" Jamulus.Live website with my Norton 360 security program - and was immediately warned about this "unsafe" website: Everything you enter there is tapped and distributed in a completely uncontrolled manner. My suspicion that the bot that "listened" to St. Aposteln (Note from JacquesFreud: the particular server we used) is spreading everything we say and play there - whether we like it or not - directly onto the WWW and is thus doing illegal "broadcasting", unfortunately confirmed. As nice and simple as this monitoring and recording function may seem - it violates all personal and copyright laws.
It is actually only a matter of time before major companies such as Sony or Universal Music, with the help of AI, which is already searching the www 24/7 for all possible copyright infringements, tell us about the IP addresses and hold them liable as the perpetrators of illegal broadcasting. In Germany, the following applies: "Ignorance does not protect against punishment". And unfortunately I had to learn to see these connections only from a professional perspective.

Actually, we shouldn't stay so naively around the musical campfire any longer and continue covering songs that we don't have the rights to "publish" if these bots are broadcasting us worldwide. Unfortunately, the very good basic idea of Jamulus is destroyed by these bots. The founding fathers of Jamulus expressly give no guarantee in the "Help Menu" and refer to the GNU General Public License under US law.
That's why I rehearse with my bands via Jamulus exclusively via my private server, which you can only access with the current IP address in the "Server address" connect field. This is a closed group that no longer appears in the Jamulus directories - but all loud distortion guitarists and bad bots stay outside.
Another possibility is the private, password-protected connection platform - Pear to Pear - on Sonobus, which also offers better sound and single track recording. However, my studio PC only manages 6-7 participants there with an acceptable latency.

You can of course continue as before - but then don't be surprised about possibly very expensive legal warning procedures in the future._

So, what do we have to say about this?

[pljones]

It's always been the way since day one. If you're running or using a public server, you do whatever you do there in public - just as public as performing the same act on the town hall steps. Any passer-by is free to watch or record you.

[JacquesFreud]

That is a clear answer. And an acceptable one, I would think. Thanks.

[rdica]

In all actuality, if you operate the server, you're free to use any tools you desire to control access to your server, regardless that jamulus software itself has no access control mechanism.

Firewalling on the server is an effective means of access control, and is used by many server operators.

[ghost]

This is more than illegal broadcasting, it is spying. People who join a Jamulus session are part of a conversation where everyone is conversing. Bots (and people) that connect without the knowledge of the group conversing are spying on that group. This is Criminal and can be prosecuted.

[chrisrimple]

Full disclosure: I have no relationship to or interest in Jamulus.live

Settle down, people. As noted above, "public" Jamulus servers are just that: public. Anyone can join, including a bot that is then resharing the content from the server in other ways. That's not illegal broadcasting or spying, since the bot connects to the server using a Jamulus client just like any musician, and all musicians on the server can see that the bot has connected.

In regard to IP violations and takedown requests from music rights holders, there is zero chance that happens. No one is going to get sued or arrested for copyright infringement. The WorldJam has been live-streaming Jamulus sessions of musicians playing cover songs for 3 years via YouTube, which are also made available afterward as recordings. That's almost 100 broadcasts and more than 1000 cover songs, with maybe 5 takedown alerts from YouTube in all that time. After responding to the alert, the recording was allowed to remain on YouTube, because the recordings ARE NOT BEING MONETIZED. That is, the musicians are not making any money from advertising or selling the music without a license. Musicians playing on a public Jamulus server, that perhaps gets re-streamed by a bot, are not making money from the broadcast and no music rights owner is going to come after them. Yes, the music rights owner might have a right to do so, but it's not worth their time and effort.

[ElectricBoogalo]

@mcfnord As this is you hosting this on Jamulus.live, can you please give us your reply? It is getting to the point where people are not wanting to play, and move completely private. I am feeling like as a good service you could take these "bots" out, and let things be as they used to. You probably don't' agree, as its your project. But at the very least if someone has a server and requests to have this "technology add on" removed, would you oblige to the request? That seems like the moral and kind thing to do. Thanks!

[mcfnord]

I have harvested Welcome messages in the past (for Jitsi links), and could support an "opt out keyword" there, but for now I've added a Block bots tab with opt-out instructions. Either (a) include "priv" in the server name, or (b) block one or both IPs at the firewall. I'm still intrigued by self-serve opt-out at the individual level as perhaps a better solution. I am also developing a way to provide an informative message in the chat, especially when a recording lobby joins. I reach users in English, German, Chinese, and Thai, which makes disclosures more complicated.

[ann0see]

Hmm. I mean probably that solution is fine. Per user level opt out sounds more challenging.

[rdica]

@mcfnord Why should WE server operators have to change our server names to opt out?

We have branding to consider.
Adding "priv" to our server names would send OUR users the wrong message, not to mention new users potentially joining our servers.

Same applies for any thought of per-user opt out using a change in username.

Parsing the server welcome message for a keyword would likely be the best method, much as robots.txt would function.
It doesn't affect server name or username branding, and doesn't require additional firewalling (not every server operator is a server admin-level skilled person), and those that run servers from their home connections (windows and macs mostly) would be able to easily modify welcome message to opt out.

Win-win for everybody.

[pcar75]

Keyword in welcome message could be "BOT-FREE" or something similar in english only to reduce the amount of translation guessing or processing required.

[pljones]

The other benefit with the welcome message is that it supports some HTML features. Ideally it could contain, for example:

<!--
X-NoBots: all
X-NoBots: broadcast
X-NoBots: broadcast; record; name="Ear"
-->

and not be rendered in the actual message... I wonder if the Qt rich text widget supports it, though - it can be fussy.

(It'll work with the PR for fixing #3050 though. No client change needed; plain text editing of the server welcome message - or just carry on using -w '<!-- some comment --><b>LOUD HTML</b>' command line. I'm assuming it's sent to the client, regardless of the widget it gets rendered into by the client.)

[jcritica]

Here are 3 IP addresses discovered that jamulus.live bots use to record session audio:

159.89.140.136 (DigitalOcean US West Coast)
54.67.56.73 (AWS US West)
134.122.89.41 (DigitalOcean Germany)

[ElectricBoogalo]

Thank you! We are in the midst of creating some new servers, and will need to block these programmed listeners IP's to ensure all our jammers are comfortable. Cheers!