Podjacking

  • From: "djc" <djc@xxxxxxxxxxxxxxx>
  • To: blindcasting@xxxxxxxxxxxxx
  • Date: Sat, 10 Dec 2005 14:04:47 -0800

I offer the following article for your Education.

from the web page:
http://vegan.com/issues/2005/podjacking.htm

Preventing and Surviving a Podjacking
By Erik Marcus
Publisher of Vegan.com and host of the Erik's Diner podcast
December 8, 2005

Podjack: (verb) - To create an alternate RSS feed to a podcast without the permission of the podcast's owner.

The Rise and Rise of Podcasting

Podcasting has exploded in popularity since Adam Curry's first podcast began on August 13, 2004. PodcastAlley.com shows there are now more than 10,000 different podcasts available. That's 10,000 people all with something to say (usually), and most of these people would never have had this opportunity without the emergence of podcasting.

I was lucky enough to learn about podcasting near its beginning. As the publisher of Vegan.com, and the author of a couple books on veganism, I realized that podcasting was a wonderful way to reach people. It's hard for me to get on the radio, since fast food chains and other big advertisers don't appreciate guests like me. Podcasting offered me an opportunity to go straight to the public with a show that exposes the meat industry's unethical practices, and teaches people how healthy and delicious a vegan diet can be.

I started my show October of 2004, and have slowly built my audience over the past year of podcasting. My first shows got barely a hundred listeners. But by last month, my audience was approaching 1500 people. Those may not be huge numbers, but I was proud of the relatively rapid growth in my audience. It came from a lot of hard work.

Then, out of the blue a few weeks ago, my audience collapsed overnight - it dropped by some 75 percent. My podcast had been "podjacked."

If you're involved in podcasting, you need to know about podjacking. This article will tell you what podjacking is, how to avoid becoming a victim, and how to take action if it happens to you.

How Podjacking Works

Perhaps you've already heard of domain hijacking. The hijacker finds a desirable domain name, say Sex.com, that already belongs to another party, and he contrives a method to steal it. Doing this is not only illegal, but difficult. The hijacker must either steal the domain registry password from the sex.com domain owner, or hack into the domain registrar's system. Either way, hard work and even talent is required. Plus, the hijacker likely must commit felony-level crimes in the process of stealing the domain.

Podjacking, by contrast, requires neither computer hacking nor jimmying locks. To understand how it works you first have to know about the most basic element of podcasting: the URL pointing to the RSS feed for each show. The URL for my podcast, Erik's Diner, happens to be:

http://www.vegan.com/diner/eriksdiner.rss

As a podcaster, the URL you create for your RSS feed becomes the doorway through which your entire listenership arrives. Every single one of your listeners will come in through this doorway. And it's this URL that iTunes, Yahoo, Podcast Alley, and all the other podcast search engines will use in order to bring listeners to your show.

These search engines, both large and small, are the key to building your audience. Nearly all your listeners will subscribe to your show through search engines. How do most of my listeners find Erik's Diner, when they've never heard of me, my show, or my website? Most of my potential listeners are quite interested in veganism, and so they go into one of the podcast search engines and type "vegan." At that point, a dozen shows that pertain to veganism might come up, and Erik's Diner will be one of them.

At that point, the listener can usually sample my show through the search engine. If she likes what she hears, she can subscribe. Both sampling and subscriptions come through the front door that I just told you about: my show's RSS feed. When the listener subscribes to a show, the URL to the show's RSS feed is copied into the user's podcast player - which is usually iTunes, iPodder, or some sort of web browser based software.

It's an ingenious and elegant system. Thanks to the existence of RSS feeds and their ability to attach MP3 files, that one simple URL allows unlimited numbers of people to permanently subscribe to your show.

But as beautiful as this system is, it has a glaring security hole. You've seen how the URL that points to your RSS feed is the doorway to your podcast. The trouble is, there's nothing to prevent an unscrupulous party from creating a different doorway without your consent. And once that second doorway gets created, your show has been podjacked. And your life is about to get a whole lot worse.

Congratulations, You've Been Podjacked!

In my case, I spent many months blissfully unaware that my show had been podjacked. Everything seemed wonderful to me. My listenership was steadily growing, and there were no icebergs on the horizon. Then one day a couple months ago I heard that Yahoo had launched a podcast directory. As a podcaster, I wanted to be sure that Yahoo created a listing for Erik's Diner.

So I went to Yahoo's podcast directory, typed "vegan" in the search field, and my show came right up. Everything appeared in perfect order. But when I clicked on the show's listing to get its details, I noticed a big problem. The URL listed pointing to the RSS feed for my show was not the official Vegan.com URL I have listed above. Instead, for some mysterious reason, Yahoo had my RSS feed listed as:

http://cooking.podkeyword.com/

I was baffled. Who on earth was behind podkeyword.com, and how did they manage to get their feed rather than my official feed listed for my show?

While I couldn't get these two questions answered right away, I could see at a glance the danger posed by this incorrect listing. Listeners who subscribed through Yahoo would not enter Erik's Diner through the doorway I'd established - they would be coming in through the podkeyword domain. That podkeyword domain was currently pointing to my show's RSS feed, and so the listener experience was no different than if Yahoo's entry carried my show's official RSS feed URL. The trouble is that I had no control over the podkeyword RSS feed. The owner of podkeyword.com, by creating this alternate URL and allowing it to get put onto Yahoo, had established himself as the gatekeeper for my entire Yahoo audience. Everybody who came to my show through Yahoo would be arriving through his doorway, which gave him almost unlimited potential power.

He could easily, for instance, attach advertising clips to accompany my show - keeping any revenue he generated from these ads. In such a situation, my listeners might not even know these ads were not a legitimate part of the programming. Alternately, the podkeyword.com guy might at some point demand payment from me to keep his URL pointing to my show. With two minutes work, he could easily point his feed to the "Kobe Beef Show" (yes, there is such a thing), and all my Yahoo listeners would be lost.

My point isn't that the podkeyword owner would necessarily do these horrible and unethical things - but rather that he had assumed the power to do all this and more at any time. And the longer my listing in Yahoo's directory pointed to his feed, and the larger my pool of subscribers from Yahoo became, the more listeners I could lose. I had to nip this problem in the bud.

So, over the next month, I sent a few emails to Yahoo. To Yahoo's eternal discredit, they neither replied nor did they take any action to correct the feed. And meanwhile my subscribers through Yahoo continued to grow - all of them listening to my show through the podkeyword.com feed. Fortunately, Yahoo's podcast search engine is still in beta and is not yet widely used.

My inability to have Yahoo correct my RSS feed was vexing, so I decided to go to the source of the problem. I sent an email to the person at podkeyword, and asked him to get rid of the RSS feed he had pointed to the show. To his credit, he complied right away, and he also got rid of another four RSS feeds he had pointing to Erik's Diner that I didn't know about. I knew that his removal of these RSS feeds would cause my Yahoo subscribers to be lost. But I only had about seventeen such subscribers, and I didn't want this problem to get any further out of hand by waiting.

But immediately after I posted my next podcast, I realized something terrible had happened. I hadn't just lost all seventeen of my Yahoo subscribers. I'd lost hundreds of subscribers through iTunes as well. What happened? Well, in typical Steve Jobsian fashion, iTunes keeps the ugly-looking RSS feed URL out of people's sight. You have to jump through a couple hoops to be able to see it - and I didn't know how to accomplish this. Anyway, it had never even occurred to me that the RSS feed iTunes used for my show might be anything other than the official Vegan.com feed. It turns out that iTunes is the 800 pound gorilla of podcast search engines - and I had obtained most of my subscribers through iTunes. Once podkeyword.com deleted its RSS feeds for my show, most of my show's audience disappeared.

This was devastating to me. I have spent perhaps 20 percent of my work hours over the past year doing Erik's Diner. And at a stroke, most of the audience I had built had vanished. Yet the situation could have been repaired so easily. According to my webmaster, it would have taken the podjacker less than five minutes to temporarily restore these feeds. Once Apple fixed my listing with iTunes I could ask the podjacker to permanently delete the feeds. But in the meantime, I could get my iTunes subscribers back and tell them to subscribe to my show through Vegan.com.

So I sent another email to podkeyword.com asking for the temporary reinstatement of my feed. The podjacker responded that he would reactivate my feeds only if I agreed permanently to his terms or paid some sort of licensing fee. I chose not to respond.

I reluctantly decided to get a lawyer involved, Colette Vogele, who specializes in intellectual property on the Internet. I also emailed Adam Curry about my predicament. Adam is one of the co-inventors of podcasting, and he also hosts one of its most popular shows, The Daily Source Code. Adam was kind enough to feature a five minute comment about the situation that I recorded for his show (show number 289.)

Shortly after my comments appeared on Adam's show, I was contacted by Apple. An employee there went ahead and deleted the listing for Erik's Diner, and created a new listing with the correct feed. It was the best Apple could do - in iTunes' current incarnation there is apparently no way to modify the RSS feed URL for an existing show. In consequence, even though I now have a working entry for my show in iTunes, it came at the price of losing every one of the hundreds of my original iTunes subscribers.

At the time I contacted Adam Curry and retained Colette Vogele as my lawyer, I had no inkling about how podkeyword got ahold of my feed in the first place. It turns out that more than a year ago, I responded to an email somebody sent me about podkeyword.com, and I gave the site a visit and submitted my URL for a few listings. When I launched my show in October of 2004 I went everywhere I could to post its URL, and I quickly forgot all about my five minute visit to podkeyword.

Some bloggers have since seized on this point and claim that I am at fault for what happened. One writes:

"It looks like Erik Marcus had 'asked' for this service, in the beginning. If he never requested the keyword, there would be a problem."

The truth is, it is irrelevant how podkeyword.com obtained my show's referring URL. I went to their website with the understanding that it was one of a large number of sites containing directories of podcasts. If podkeyword.com boosted my traffic, fantastic. And if not, I would lose nothing. But this is the most important point: Podkeyword did not carry a notice on their front page, nor on the page where URLs were submitted, that they intended to republish submitted RSS feeds under feeds controlled by podkeyword. Remember, an RSS feed is the front door to your show. You would think that it would be basic human decency to ask permission before creating an alternate RSS feed URL for an existing RSS feed. But not only did podkeyword.com fail to ask permission, the site went right ahead and created these alternate feeds and then didn't even bother to tell me!

And it gets worse. In addition to republishing my feeds, the person at podkeyword.com submitted these entries to his OPML directory, which he acknowledges "is parsed routinely by other services." Few podcasters, myself included until recently, are savvy enough to know about OPML directories or how to use them. But iTunes, Yahoo, and the other podcast search engines all rely on these directories. By posting his unauthorized RSS feeds to this directory, podkeyword.com was able to have its own RSS feeds - rather than the podcasts' official feeds - carried by iTunes and Yahoo.

It's too late for me to undo the damage this podjacking has caused. I believe that many of the iTunes subscribers I've lost may never return. So I am writing this piece for the sake of giving podcasters information on how to protect themselves from similar podjackings. And I'm also going to finish this piece with advice on what to do if someone creates an unauthorized feed for your podcast.

Keeping the Podjackers at Bay

At the moment, there are few effective technical approaches that a typical podcaster can use to discourage podjackers. But both Apple and Yahoo are aware of the problem. They will doubtless invest resources to make sure that eventually their directories carry only the official feeds of the podcasts they feature.

In the meantime, the best way to protect yourself from a podjacking is to erect a few simple and easy legal barriers, as recommended by Colette Vogele. First, be sure to get a Copyright tag into your RSS feed. I now have a tag in my show's RSS feed that reads: "<copyright>Erik Marcus 2004-2005</copyright>" - you can check the RSS feed for Erik's Diner to see how and where this tag is placed.

Additionally, it's not a bad idea to end your show by saying the copyright date and providing your name. That way, both the feed itself and the content going over that feed is clearly copyrighted, and it will be easier to go after a podjacker in the courts if they republish your show under an unauthorized RSS feed.

One thing I'll be doing shortly to further protect my show is to acquire a Creative Commons license. This will allow me to secure rights sufficient to fend off podjackers, without scaring people away from making use of my show in a fair and legitimate way. To learn more about this kind of license, visit: http://creativecommons.org/.

And finally, you should regularly check all the major podcast directories and search engines to be sure that their listings point to your official URL/RSS feed. Most podcasts, with the exception of iTunes, show your feed's referring URL right in their show listings. To find that in iTunes, just subscribe to the show. Then go to the page in iTunes that lists all the podcasts you subscribe to, right-click on your show, and choose the "Show Description" option.

Dealing with a Podjack

If your show does end up being podjacked, there are a number of things you can do to resolve the situation and retain as much of your audience as possible. First, I strongly advise you not to contact the podjacker right away. Chances are that your show is still reaching many of your listeners through his unauthorized feed, and you need to capitalize on this. On your next show, tell your listeners that your feed has been podjacked, and ask them to verify that they are subscribed through your official feed. Read your official RSS URL on your show, and ask your listeners to keep visiting your main website while you resolve the situation. And don't forget to emphasize the copyright date and copyright owner at the end of that show.

Next, contact the podcast search engines that have accepted the unauthorized feed, and ask them to make the correction. If an unauthorized feed has made its way into your iTunes show entry, what you need to do is select your show in iTunes and then hit the "Report a Concern" button. From there, the best entry to choose is "This podcast is mine and I want it removed from the music store." You should then fill out the field and tell Apple that your podcast listing was hijacked, and that their listing should point to its official feed. Be sure to provide your official referring URL as well as your email address.

It's probably best to hold off on contacting the podjacker until you've fixed your feed listings with all the major search engines. When you contact the podjacker, send him your podcast's official referring URL and ask that he sets his server to send out an HTTP response of 301, along with the official URL, for all incoming requests for your show. For a server administrator who knows what he's doing, configuring the server to do this is a two minute job. What this 301 code will do is tell well-designed podcast search engines and listening clients (like iTunes) to update their RSS feed listing to your official URL.

Every new and exciting technology has its abuses, so it's not surprising that a technology as world-changing as podcasting would have initial problems with security. I have no doubt that there are technical fixes to the podjacking problem that will be introduced soon. For now, though, podjacking is a huge potential problem and podcasters need to be vigilant to protect their shows.




     My Journal http://livejournal.com/users/djc1

             email Or Msn: djc@xxxxxxxxxxxxxxx

     I C Q Number Is: 4781694
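
The article's two technical recommendations (regularly check which feed URL each directory lists, and ask for an HTTP 301 to the official URL) can be combined into one audit. The following is an added example, not part of the original post or of Erik Marcus's article. The directory names, the example.* hosts and the canned HTTP responses are constructed; a real check would fetch each listed URL without following redirects and feed the status and Location header into the same logic.

```python
from urllib.parse import urlsplit

OFFICIAL = "http://www.vegan.com/diner/eriksdiner.rss"  # official feed URL given in the article
REDIRECTS = {301: "permanent", 308: "permanent", 302: "temporary", 307: "temporary"}

def normalize(url):
    """Canonical form for comparison: lowercase scheme/host, drop default port and fragment."""
    p = urlsplit(url.strip())
    default_port = {"http": 80, "https": 443}.get(p.scheme)
    host = (p.hostname or "").lower()
    netloc = host if p.port in (None, default_port) else f"{host}:{p.port}"
    return f"{p.scheme}://{netloc}{p.path or '/'}" + (f"?{p.query}" if p.query else "")

def resolve(url, responses, max_hops=5):
    """Walk the redirect chain; return (final_url, redirect_statuses, final_status)."""
    hops, cur = [], normalize(url)
    while len(hops) < max_hops:
        status, location = responses.get(cur, (None, None))
        if status not in REDIRECTS or not location:
            return cur, hops, status
        hops.append(status)
        cur = normalize(location)
    return cur, hops, None  # chain too long or looping

def audit(listings, official, responses):
    """Classify the feed URL that each directory lists for the show."""
    official, report = normalize(official), {}
    for directory, listed in listings.items():
        if normalize(listed) == official:
            report[directory] = "official"
            continue
        final, hops, status = resolve(listed, responses)
        if final == official and all(REDIRECTS[h] == "permanent" for h in hops):
            report[directory] = "redirects-permanently"  # clients can update to the official URL
        elif final == official:
            report[directory] = "redirects-temporarily"  # third party still controls the doorway
        elif status == 200:
            report[directory] = "third-party-feed"       # served from a URL the owner does not control
        else:
            report[directory] = "unreachable"
    return report

# Constructed sample data: directory names, hosts and responses are hypothetical.
LISTINGS = {
    "directory-a": "HTTP://WWW.VEGAN.COM:80/diner/eriksdiner.rss",
    "directory-b": "http://feeds.example.net/vegan",
    "directory-c": "http://old.example.org/diner.rss",
    "directory-d": "http://tmp.example.org/diner.rss",
}
RESPONSES = {  # normalized URL -> (HTTP status, Location header)
    OFFICIAL: (200, None),
    "http://feeds.example.net/vegan": (200, None),
    "http://old.example.org/diner.rss": (301, OFFICIAL),
    "http://tmp.example.org/diner.rss": (302, OFFICIAL),
}

if __name__ == "__main__":
    for directory, verdict in audit(LISTINGS, OFFICIAL, RESPONSES).items():
        print(f"{directory}: {verdict}")
```

A "third-party-feed" or "redirects-temporarily" verdict is the situation the article describes: subscribers who arrive through that listing stay bound to a URL someone else controls.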



