The Warez and Filesharing Era: Copying as Rebellion, Industry, and Revolution

The Scene: Before Napster, There Was an Order

The popular history of digital piracy begins with Napster in 1999. The actual history begins twenty years earlier, on bulletin boards, and the culture it produced was far more organized than the chaos Napster unleashed.

The warez scene — covered in part in The BBS Era — operated through a strict hierarchy. At the top were release groups: teams of specialists who obtained commercial software (through retail theft, insider leaks, or advance copies), cracked its copy protection, packaged it with an NFO file documenting the release, and uploaded it to topsites — private, high-speed FTP servers accessible only to trusted scene members.

Topsites were not public. Access required invitation from existing members and a demonstrated ability to contribute (through uploading new releases, maintaining server infrastructure, or providing courier services). A topsite might have fifty to two hundred members globally, held together by reputation and mutual interest. These servers ran on university networks, corporate servers whose administrators hadn’t noticed the unauthorized use, or dedicated hardware funded by members.

From topsites, releases were couriered — manually transferred by scene members — to a second tier of distribution sites, then to semi-public IRC channels, and eventually to the broader internet. The time from commercial release to scene release shortened relentlessly through the 1990s: where a 1988 crack might appear weeks after a game’s release, by 1998 the scene was routinely releasing software the day of commercial availability, and increasingly before it — through retail leaks and insider access.

The scene ran on competition and reputation. Groups competed to be first (releasing before all rivals), complete (releasing full versions, not partial), and clean (releases with working cracks, no malware). Nuking — invalidating a release for quality failures — enforced standards. A group whose release was nuked for a bad crack suffered public humiliation in scene channels. The competitive dynamic produced extraordinary technical skill in software protection analysis.

The Legal Framework: Copyright in the Digital Age

To understand the filesharing wars, the legal background matters.

US copyright law, as codified in the Copyright Act of 1976, gave copyright holders exclusive rights to reproduce, distribute, and publicly perform their works. Copying a copyrighted work without authorization was infringement. The law predated digital copying by a generation, but it applied: ripping a CD to MP3 was technically reproduction; sharing the resulting file was distribution.

The No Electronic Theft (NET) Act (1997) closed a gap: previously, criminal copyright infringement required proof of financial gain. The NET Act criminalized large-scale infringement even without commercial motive — targeting people who distributed thousands of files for free. The first prosecution under it, US v. LaMacchia (1994, which the NET Act was written to address retroactively), had failed because the defendant had made no profit.

The Digital Millennium Copyright Act (DMCA) (1998) added two provisions that would define the next two decades:

1. Anti-circumvention (Section 1201): illegal to circumvent technological protection measures on copyrighted works — making the act of cracking copy protection itself a crime, separate from infringement.
2. Safe harbor (Section 512): online service providers not liable for user-uploaded infringing content if they responded promptly to takedown notices. This provision created the legal foundation for YouTube, Google, and every user-generated content platform.

The safe harbor was the DMCA’s most consequential provision. Its interpretation — how much knowledge of infringement a platform could have before losing safe harbor protection — would be litigated for the following twenty years.

Napster: The Flood

Shawn Fanning was eighteen years old when he wrote Napster. A freshman at Northeastern University in 1998, he had heard his roommate complain about difficulty finding MP3 files online. Fanning wrote a program that combined three existing ideas: a client that could share files from a user’s hard drive, a search interface that could find those files across all connected users, and a central server that maintained the index of who had what.

The central index was Napster’s technical defining feature and its legal fatal flaw. Napster’s servers did not host the files — they only hosted the index of who had them. The actual transfer happened directly between users. But the central index meant Napster had direct, specific knowledge of what was being shared, which would prove decisive in court.

Napster launched in June 1999. Growth was immediate and exponential. By February 2001 it had 26.4 million users — more than the entire population of Australia — sharing approximately 80 million songs. College networks, unprepared for the traffic, struggled. Universities began blocking Napster. The recording industry watched its sales figures and arrived at a conclusion that was partly right and partly wrong: Napster was destroying their business.

The RIAA filed suit in December 1999. Metallica — having discovered their unreleased track I Disappear circulating on Napster before official release — filed their own suit in April 2000 and submitted 335,000 usernames of alleged infringers to Napster, demanding they be banned. Napster complied. The spectacle of Lars Ulrich personally delivering boxes of printouts to Napster’s offices became the defining image of the industry’s response to filesharing: technically futile, symbolically alienating, legally necessary.

The Ninth Circuit ruled against Napster in February 2001. Judge Marilyn Hall Patel’s injunction required Napster to implement filtering to block copyrighted material — an impossible standard given the scale and the limitations of audio fingerprinting technology at the time. Napster implemented partial filters that satisfied nobody. In July 2001 it shut down the free service. In 2002 it declared bankruptcy.

Gnutella and the Decentralized Response

Napster’s central index was its vulnerability. The logical response was to eliminate the center.

Justin Frankel — who had previously written Winamp, the dominant MP3 player of the late 1990s, and sold it to AOL for $80 million at age twenty — released Gnutella in March 2000, two days before AOL ordered him to take it down. He complied; the code was already released and copied. AOL fired him.

Gnutella had no central server. Search queries propagated across the network from peer to peer; results returned the same way. There was no company to sue, no central index to shut down, no single point of control. The tradeoff was performance: searching a fully decentralized network was slow and incomplete. Gnutella was theoretically unshuttable but practically frustrating.

Kazaa — built on the FastTrack protocol by Niklas Zennström and Janus Friis (who would later build Skype and sell it to Microsoft for $8.5 billion) — found a middle path: a semi-decentralized network where high-bandwidth users became supernodes that routed traffic for smaller nodes. FastTrack combined Gnutella’s decentralization with Napster’s search performance. Kazaa launched in 2001 and quickly surpassed Napster’s peak user count.

eMule (2002) and the eDonkey network used a different architecture: a distributed hash table-based system optimized for large file transfers, with sophisticated queue management and file integrity verification. eMule’s design was particularly well-suited to large files — full software packages, films — and it became dominant in Europe. Its open-source codebase meant that even if the eDonkey servers were shut down, the client software and the network would continue.

The industry sued all of them. Kazaa migrated its corporate registration through offshore jurisdictions in a shell game that kept it operating for years. MGM v. Grokster (2005) reached the Supreme Court, which ruled unanimously that a company could be liable for copyright infringement committed by its users if it actively induced that infringement — even without a central index, even with a decentralized architecture. The inducement theory meant that Grokster’s marketing materials promising users access to copyrighted content were evidence of liability. Grokster shut down voluntarily rather than face damages. Kazaa eventually settled with the major record labels for $115 million.

BitTorrent: The Protocol That Couldn’t Be Sued

Bram Cohen was twenty-four years old, unemployed, and in the middle of a difficult personal period when he worked out the design for BitTorrent in 2001. He was not building a piracy tool. He was solving an engineering problem.

The problem: large file distribution is expensive. A server hosting a popular file bears all the bandwidth cost regardless of how many people download it. Cohen’s insight was that downloading and uploading could happen simultaneously and from multiple sources. A file would be split into small pieces. A downloader would receive different pieces from different peers — and simultaneously upload completed pieces to others. The more popular a file, the faster it would transfer, because more seeders meant more simultaneous sources. The distribution cost was shared among all participants.

Cohen published the BitTorrent specification as an open protocol in 2001. It was technically elegant and immediately understood by the file-sharing community as something new. BitTorrent didn’t just improve on existing P2P networks — it reversed their economics. On Napster, popular files were no faster to download than obscure ones. On BitTorrent, popular files were faster, because popularity meant more seeders.

The key to BitTorrent’s piracy ecosystem was the .torrent file and later the magnet link: a small metadata file that described the content to be downloaded and pointed to trackers — servers that maintained lists of which peers had which pieces. Torrents required a two-tier system: tracker infrastructure (which could be shut down) and the actual peer network (which could not). Legal attacks focused on the trackers.

Suprnova.org (2003) was the first major BitTorrent index site. The Pirate Bay (2003) was founded by Swedish activists — Peter Sunde, Fredrik Neij, and Gottfrid Svartholm — with explicit political intent: they believed copyright law was unjust and that sharing culture was a human right. The Pirate Bay was not shy about this. When it received legal threats from rights holders, it published the threatening letters alongside sarcastic responses on its website. It became the largest BitTorrent tracker in the world and the most visible symbol of the filesharing movement.

The Swedish authorities raided The Pirate Bay’s servers in May 2006. The site was back online within three days, having migrated hosting. Swedish prosecutors charged the four founders with criminal copyright infringement in 2009; all were convicted and sentenced to prison terms and fines totaling 30 million Swedish kronor. The Pirate Bay remained online throughout and for years afterward, hosted across multiple jurisdictions, surviving repeated attempts to shut it down.

The RIAA’s War on Users

Faced with a decentralized network it could not shut down, the recording industry turned to suing individual users.

In 2003, the RIAA launched a campaign of lawsuits against individual file-sharers. The legal basis was straightforward: users who uploaded copyrighted music were distributing it without authorization. The RIAA obtained subpoenas against ISPs requiring disclosure of the identities behind IP addresses observed sharing copyrighted files, then filed suit.

The scale was unprecedented: over 35,000 lawsuits against individual Americans between 2003 and 2008, including:

• A 12-year-old girl in a New York housing project who had downloaded songs to her mother’s account. Her mother settled for $2,000.
• A deceased 83-year-old woman in Michigan, whose estate was sued for songs she could not possibly have downloaded.
• A single mother in Minnesota, Jammie Thomas-Rasset, who was initially fined $222,000 — $9,250 per song for 24 songs she had shared. After multiple trials and appeals, the verdict was reduced, increased again, and ultimately settled at an undisclosed amount after eight years of litigation.
• A Boston University graduate student, Joel Tenenbaum, fined $675,000 — later reduced to $67,500 on appeal.

The campaign achieved its legal goals: every judgment affirmed that sharing copyrighted files was infringement. It failed catastrophically at its social goals: filesharing did not meaningfully decline, public sympathy shifted to defendants rather than plaintiffs, and the RIAA’s image became permanently associated with suing children for downloading pop songs.

Internally, the campaign’s strategic logic was deterrence — if enough ordinary users faced the risk of ruinous civil liability, they would stop. The logic assumed users were making rational economic calculations. The actual users were teenagers downloading songs their friends liked, who did not read legal news and did not believe they would be selected. Deterrence requires that targets expect enforcement. Most file-sharers did not.

The RIAA ended its campaign of mass lawsuits in 2008. It had collected approximately $2 million in settlements — less than the legal fees for a week of litigation.

Aaron Swartz and the Limits of the Law

The filesharing era’s most contested legal case involved no music, no movies, and no warez: it involved academic journal articles.

Aaron Swartz was by any measure exceptional: at fourteen he had co-authored the RSS 1.0 specification; at fifteen he had contributed to the development of Creative Commons; at nineteen he had co-founded Reddit. In 2010 and 2011, as a fellow at Harvard’s Edmond J. Safra Center for Ethics, he systematically downloaded approximately 4.8 million academic articles from JSTOR — a subscription academic database — using a script that connected to MIT’s open campus network.

Swartz was arrested in January 2011. JSTOR declined to press civil charges and settled with him. Federal prosecutors, led by Assistant US Attorney Stephen Heymann, proceeded anyway. The indictment charged thirteen felony counts under the Computer Fraud and Abuse Act and wire fraud statutes, with potential penalties of up to 35 years in prison and $1 million in fines.

The legal theory was aggressive. Swartz had accessed a network he had legitimate access to (MIT’s open campus network) and downloaded content he had institutional access to (JSTOR). His intent appeared to be making academic research publicly accessible — most of the articles had been published by researchers at public universities, funded by public grants, peer-reviewed by volunteer academics, and then locked behind a commercial paywall that charged readers $35–50 per article.

Prosecutors reportedly offered plea agreements requiring prison time that Swartz refused. On January 11, 2013, Swartz died by suicide at his Brooklyn apartment. He was twenty-six years old. His death produced an outpouring of grief and anger in the technical community and prompted congressional hearings about prosecutorial overreach under the CFAA. The hearings did not change the law.

Megaupload and the Limits of Safe Harbor

While the P2P networks litigated decentralization as a legal shield, a different model had quietly become the dominant mechanism for distributing infringing content: cyberlockers — centralized file hosting services that functioned as anonymous cloud storage.

Megaupload was founded in 2005 by Kim Dotcom (born Kim Schmitz), a German entrepreneur with a prior fraud conviction who had relocated to New Zealand. Megaupload offered free file hosting with links that could be shared publicly. Users uploaded copyrighted movies, software, and music; shared the links on forums and websites; and others downloaded them. Megaupload claimed DMCA safe harbor protection: it responded to takedown notices and had no knowledge of specific infringing content.

The Megaupload business model became the central legal argument against it. Unlike neutral cloud storage, Megaupload paid users based on download counts — a rewards program that directly incentivized uploading popular content, which in practice meant copyrighted content. Internal communications showed employees aware of and joking about specific infringing files. The Department of Justice argued this destroyed safe harbor protection.

On January 19, 2012 — the day after the SOPA blackout protests (see below) — the DOJ indicted Megaupload and seized its domains. New Zealand police, cooperating with the FBI, raided Kim Dotcom’s mansion in a helicopter operation filmed by documentary crews he had apparently invited. Megaupload’s servers, containing files of both infringing and legitimate content, were seized and eventually deleted. Users who had stored legitimate content in Megaupload — backup files, personal documents, legal videos — lost everything with no recourse.

The Megaupload prosecution remained unresolved for over a decade. Kim Dotcom fought extradition from New Zealand through years of legal proceedings, arguing political motivation and disproportionate prosecution. The case illustrated the jurisdictional complexity of enforcing US copyright law globally: the servers were in Virginia, the company was incorporated in Hong Kong, the operators were in New Zealand, and the users were everywhere.

SOPA/PIPA: The Internet Fights Back

In late 2011, the US Congress considered two bills — the Stop Online Piracy Act (SOPA) in the House and the PROTECT IP Act (PIPA) in the Senate — that the entertainment industry had drafted to address foreign piracy sites unreachable by DMCA takedowns.

SOPA’s mechanism: the Department of Justice could seek court orders requiring US-based search engines, advertisers, payment processors, and DNS providers to stop serving “foreign infringing sites.” Critics argued the bills would:

• Require search engines to delete links to entire domains based on some infringing content, without due process
• Break DNSSEC (DNS security extensions) by requiring DNS blocking that conflicted with security architecture
• Create a legal framework easily abused to suppress legitimate speech
• Undermine the safe harbor protections that allowed user-generated content platforms to exist

On January 18, 2012, Wikipedia went dark. Reddit went dark. Google displayed a protest message and petition. Craigslist, Mozilla, and thousands of other websites participated in a coordinated blackout. An estimated 115,000 websites participated. Over 7,000 websites blacked out their content or displayed protest messages. Approximately 4.5 million people signed Google’s petition. Congressional switchboards were overwhelmed.

Within 48 hours, SOPA was indefinitely postponed. PIPA was tabled. Senators and representatives who had co-sponsored the bills withdrew their support. The entertainment industry’s decade of political influence in copyright legislation was broken in a single day.

The SOPA blackout was the first large-scale demonstration that the internet could organize politically against legislation threatening its infrastructure. It also clarified, for the first time publicly, that the commercial interests of the entertainment industry and the commercial interests of the internet industry were not aligned — and that in a direct political conflict, the internet industry could mobilize a larger and more immediate public response.

Streaming: Winning by Being Better Than Free

The filesharing wars ended not with legal victory but with commercial competition.

Spotify launched in Sweden in 2008. Its founding insight, expressed by CEO Daniel Ek: “You can never legislate away piracy. The only way to solve the problem was to create a service that was better than piracy.” Better meant: immediately available without downloading, any device, any song, $9.99/month. The catalog was negotiated directly with labels who had watched a decade of piracy and were, by 2008, willing to accept streaming royalties as better than nothing.

Steam, Valve’s gaming distribution platform, had launched in 2003. By the late 2000s it had achieved something the games industry had declared impossible: it had largely displaced PC game piracy with a service that offered cheaper games (through frequent sales), automatic updates, cloud saves, and a social platform. Pirates who had previously refused to buy games were buying games on Steam because Steam was more convenient than piracy. The price mattered too: a Steam sale pricing a game at $5 competed differently than a $60 retail box.

Netflix streaming (launched 2007 in the US) and subsequent competitors demonstrated the same dynamic for film and television: legal streaming, priced at $8–15/month with a broad catalog, was more convenient than BitTorrent for most users most of the time.

The common thread: the industry had spent a decade trying to make piracy impossible. The eventual solution was making it unnecessary — not by removing access but by making the legal alternative faster, easier, and cheap enough that the friction of piracy exceeded the cost of payment. This was the lesson Napster had demonstrated in 1999, that the recording industry had refused to learn for thirteen years.

Dead End: DRM and the Arms Race That Harmed Legitimate Users

The entertainment industry’s most visible technical response to piracy — Digital Rights Management — became the clearest example of a security measure that harmed paying customers more than pirates.

DRM systems attempted to technically prevent unauthorized copying by encrypting content and requiring authenticated playback software. The problems were structural:

Pirates removed DRM immediately. A cracked version of any DRM-protected content appeared within hours of release, because DRM must decrypt content to display it, and at the point of decryption the content is unprotected. Every DRM system was broken. The scene cracked them as a competitive exercise before they were commercially deployed. DRM added cost and friction for software developers while providing zero meaningful protection against organized piracy.

Legitimate users were restricted. A music CD with DRM couldn’t be ripped to an iPod. An ebook couldn’t be read on a different manufacturer’s reader. A game that required online authentication couldn’t be played if the authentication server went offline years later — which it did, repeatedly, leaving paying customers unable to access games they had purchased. Amazon remotely deleted purchased copies of George Orwell’s 1984 from users’ Kindles in 2009 — without refund, without notice — because of a licensing dispute, demonstrating that “purchase” in the DRM era meant something less than ownership.

Sony’s rootkit (2005) became the most notorious DRM failure: Sony BMG included software on music CDs that secretly installed a rootkit on Windows PCs when the CD was inserted, hiding itself from the operating system and creating security vulnerabilities that malware exploited. Sony had installed malware on approximately 22 million computers. The resulting class-action settlements cost millions; the reputational damage was worse. It illustrated that in the DRM arms race, the industry was willing to harm its own customers in ways that criminals would have been prosecuted for.

The market responded. Apple’s iTunes Store abandoned DRM for music in 2009, acknowledging that DRM-free MP3s sold better than DRM-locked AAC files. Kindle books retained DRM; their market share expanded anyway. The gaming industry moved toward always-online authentication models (which have their own problems) and toward services like Steam that made access valuable enough that circumventing DRM was less attractive than participating in the ecosystem.

---

📚 Sources

• Menn, Joseph: All the Rave: The Rise and Fall of Shawn Fanning’s Napster (2003), Crown Business
• A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001)
• MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005)
• Oberholzer-Gee, Felix & Strumpf, Koleman: “The Effect of File Sharing on Record Sales” — Journal of Political Economy 115, no. 1 (2007)
• Cohen, Bram: “Incentives Build Robustness in BitTorrent” — Workshop on Economics of Peer-to-Peer Systems (2003)
• Swartz, Aaron: The Guerilla Open Access Manifesto (2008)
• Peters, Justin: The Idealist: Aaron Swartz and the Rise of Free Culture (2016), Scribner
• Electronic Frontier Foundation: SOPA/PIPA coverage and analysis (2012)
• Gillespie, Tarleton: Wired Shut: Copyright and the Shape of Digital Culture (2007), MIT Press
• Doctorow, Cory: Information Doesn’t Want to Be Free (2014), McSweeney’s — on DRM and creator economics
• Recording Industry Association of America: 2023 Music Industry Revenue Report — historical revenue data