MasterNewMedia
Curated by: Luigi Canali De Rossi
 


Wednesday, December 14, 2005

Podcast Hijacking Is Here: What To Do, How To Avoid It

Podjack: (verb) - To create an alternate RSS feed to a podcast without the permission of the podcast's owner.

Photo credit: Carsten Reisinger

I am writing this piece for the sake of giving podcasters information on how to protect themselves from similar podjackings. And I'm also going to finish this piece with advice on what to do if someone creates an unauthorized feed for your podcast.



The rise and rise of podcasting

Podcasting has exploded in popularity since Adam Curry's first podcast began on August 13, 2004.

PodcastAlley.com shows there are now more than 10,000 different podcasts available. That's 10,000 people all with something to say (usually), and most of these people would never have had this opportunity without the emergence of podcasting.

I was lucky enough to learn about podcasting near its beginning. As the publisher of Vegan.com, and the author of a couple of books on veganism, I realized that podcasting was a wonderful way to reach people.

It's hard for me to get on the radio, since fast food chains and other big advertisers don't appreciate guests like me.

Podcasting offered me an opportunity to go straight to the public with a show that exposes the meat industry's unethical practices, and teaches people how healthy and delicious a vegan diet can be.

I started my show in October of 2004, and have slowly built my audience over the past year of podcasting. My first shows got barely a hundred listeners. But by last month, my audience was approaching 1500 people. Those may not be huge numbers, but I was proud of the relatively rapid growth in my audience. It came from a lot of hard work.

Then, out of the blue a few weeks ago, my audience collapsed overnight -- it dropped by some 75 percent. My podcast had been "podjacked".

If you're involved in podcasting, you need to know about podjacking. This article will tell you what podjacking is, how to avoid becoming a victim, and how to take action if it happens to you.




How Podjacking Works

Perhaps you've already heard of domain hijacking. The hijacker finds a desirable domain name, say Sex.com, that already belongs to another party, and he contrives a method to steal it.

Doing this is not only illegal, but difficult.

The hijacker must either steal the domain registry password from the sex.com domain owner, or hack into the domain registrar's system. Either way, hard work and even talent are required. Plus, the hijacker likely must commit felony-level crimes in the process of stealing the domain.

Podjacking, by contrast, requires neither computer hacking nor jimmying locks. To understand how it works you first have to know about the most basic element of podcasting: the URL pointing to the RSS feed for each show. The URL for my podcast, Erik's Diner, happens to be: http://www.vegan.com/diner/eriksdiner.rss

As a podcaster, the URL you create for your RSS feed becomes the doorway through which your entire listenership arrives. Every single one of your listeners will come in through this doorway. And it's this URL that iTunes, Yahoo, Podcast Alley, and all the other podcast search engines will use in order to bring listeners to your show.

These search engines, both large and small, are the key to building your audience.

Nearly all your listeners will subscribe to your show through search engines. How do most of my listeners find Erik's Diner, when they've never heard of me, my show, or my website?

Most of my potential listeners are quite interested in veganism, and so they go into one of the podcast search engines and type "vegan." At that point, a dozen shows that pertain to veganism might come up, and Erik's Diner will be one of them.

At that point, the listener can usually sample my show through the search engine. If she likes what she hears, she can subscribe. Both sampling and subscriptions come through the front door that I just told you about: my show's RSS feed. When the listener subscribes to a show, the URL to the show's RSS feed is copied into the user's podcast player--which is usually iTunes, iPodder, or some sort of web browser based software.

It's an ingenious and elegant system. Thanks to the existence of RSS feeds and their ability to attach MP3 files, that one simple URL allows unlimited numbers of people to permanently subscribe to your show.

But as beautiful as this system is, it has a glaring security hole.

You've seen how the URL that points to your RSS feed is the doorway to your podcast.

The trouble is, there's nothing to prevent an unscrupulous party from creating a different doorway without your consent. And once that second doorway gets created, your show has been podjacked. And your life is about to get a whole lot worse.



Congratulations, You've Been Podjacked!

In my case, I spent many months blissfully unaware that my show had been podjacked. Everything seemed wonderful to me.

My listenership was steadily growing, and there were no icebergs on the horizon.

Then one day a couple months ago I heard that Yahoo had launched a podcast directory. As a podcaster, I wanted to be sure that Yahoo created a listing for Erik's Diner. So I went to Yahoo's podcast directory, typed "vegan" in the search field, and my show came right up. Everything appeared in perfect order. But when I clicked on the show's listing to get its details, I noticed a big problem. The URL listed pointing to the RSS feed for my show was not the official Vegan.com URL I have listed above. Instead, for some mysterious reason, Yahoo had my RSS feed listed as:
http://cooking.podkeyword.com/

I was baffled. Who on earth was behind podkeyword.com, and how did they manage to get their feed rather than my official feed listed for my show?

While I couldn't get these two questions answered right away, I could see at a glance the danger posed by this incorrect listing.

Listeners who subscribed through Yahoo would not enter Erik's Diner through the doorway I'd established -- they would be coming in through the podkeyword domain. That podkeyword domain was currently pointing to my show's RSS feed, and so the listener experience was no different than if Yahoo's entry carried my show's official RSS feed URL.

The trouble is that I had no control over the podkeyword RSS feed.

The owner of podkeyword.com, by creating this alternate URL and allowing it to get put onto Yahoo, had established himself as the gatekeeper for my entire Yahoo audience. Everybody who came to my show through Yahoo would be arriving through his doorway, which gave him almost unlimited potential power.

He could easily, for instance, attach advertising clips to accompany my show -- keeping any revenue he generated from these ads. In such a situation, my listeners might not even know these ads were not a legitimate part of the programming.

Alternatively, the podkeyword.com guy might at some point demand payment from me to keep his URL pointing to my show. With two minutes work, he could easily point his feed to the "Kobe Beef Show" (yes, there is such a thing), and all my Yahoo listeners would be lost.

My point isn't that the podkeyword owner would necessarily do these horrible and unethical things -- but rather that he had assumed the power to do all this and more at any time. And the longer my listing in Yahoo's directory pointed to his feed, and the larger my pool of subscribers from Yahoo became, the more listeners I could lose. I had to nip this problem in the bud.

So, over the next month, I sent a few emails to Yahoo.

To Yahoo's eternal discredit, they neither replied nor took any action to correct the feed. And meanwhile my subscribers through Yahoo continued to grow -- all of them listening to my show through the podkeyword.com feed. Fortunately, Yahoo's podcast search engine is still in beta and is not yet widely used.

My inability to have Yahoo correct my RSS feed was vexing, so I decided to go to the source of the problem.

I sent an email to the person at podkeyword, and asked him to get rid of the RSS feed he had pointed to the show. To his credit, he complied right away, and he also got rid of another four RSS feeds he had pointing to Erik's Diner that I didn't know about. I knew that his removal of these RSS feeds would cause my Yahoo subscribers to be lost. But I only had about seventeen such subscribers, and I didn't want this problem to get any further out of hand by waiting.

But immediately after I posted my next podcast, I realized something terrible had happened.

I hadn't just lost all seventeen of my Yahoo subscribers. I'd lost hundreds of subscribers through iTunes as well.

What happened?

Well, in typical Steve Jobsian fashion, iTunes keeps the ugly-looking RSS feed URL out of people's sight. You have to jump through a couple of hoops to be able to see it -- and I didn't know how to accomplish this. Anyway, it had never even occurred to me that the RSS feed iTunes used for my show might be anything other than the official Vegan.com feed. It turns out that iTunes is the 800-pound gorilla of podcast search engines -- and I had obtained most of my subscribers through iTunes. Once podkeyword.com deleted its RSS feeds for my show, most of my show's audience disappeared.

This was devastating to me. I have spent perhaps 20 percent of my work hours over the past year doing Erik's Diner. And at a stroke, most of the audience I had built had vanished. Yet the situation could have been repaired so easily.

According to my webmaster, it would have taken the podjacker less than five minutes to temporarily restore these feeds. Once Apple fixed my listing with iTunes I could ask the podjacker to permanently delete the feeds. But in the meantime, I could get my iTunes subscribers back and tell them to subscribe to my show through Vegan.com.

So I sent another email to podkeyword.com asking for the temporary reinstatement of my feed. The podjacker responded that he would reactivate my feeds only if I agreed permanently to his terms or paid some sort of licensing fee. I chose not to respond.

I reluctantly decided to get a lawyer involved, Colette Vogele, who specializes in intellectual property on the Internet.

Photo credit: Internet lawyer Colette Vogele

I also emailed Adam Curry about my predicament. Adam is one of the co-inventors of podcasting, and he also hosts one of its most popular shows, The Daily Source Code. Adam was kind enough to feature a five-minute comment about the situation that I recorded for his show (show number 289).

Shortly after my comments appeared on Adam's show, I was contacted by Apple. An employee there went ahead and deleted the listing for Erik's Diner, and created a new listing with the correct feed. It was the best Apple could do - in iTunes' current incarnation there is apparently no way to modify the RSS feed URL for an existing show. In consequence, even though I now have a working entry for my show in iTunes, it came at the price of losing every one of the hundreds of my original iTunes subscribers.

At the time I contacted Adam Curry and retained Colette Vogele as my lawyer, I had no inkling about how podkeyword got ahold of my feed in the first place. It turns out that more than a year ago, I responded to an email somebody sent me about podkeyword.com, and I gave the site a visit and submitted my URL for a few listings. When I launched my show in October of 2004 I went everywhere I could to post its URL, and I quickly forgot all about my five-minute visit to podkeyword.

Some bloggers have since seized on this point and claim that I am at fault for what happened. One writes:

"It looks like Erik Marcus had 'asked' for this service, in the beginning. If he never requested the keyword, there would be a problem."

The truth is, it is irrelevant how podkeyword.com obtained my show's referring URL. I went to their website with the understanding that it was one of a large number of sites containing directories of podcasts. If podkeyword.com boosted my traffic, fantastic. And if not, I would lose nothing. But this is the most important point:
"Podkeyword did not carry a notice on their front page, nor on the page where URLs were submitted, that they intended to republish submitted RSS feeds under feeds controlled by podkeyword. Remember, an RSS feed is the front door to your show. You would think that it would be basic human decency to ask permission before creating an alternate RSS feed URL for an existing RSS feed. But not only did podkeyword.com fail to ask permission, the site went right ahead and created these alternate feeds and then didn't even bother to tell me!"

And it gets worse.

In addition to republishing my feeds, the person at podkeyword.com submitted these entries to his OPML directory, which he acknowledges "is parsed routinely by other services."

Few podcasters, myself included until recently, are savvy enough to know about OPML directories or how to use them.

But iTunes, Yahoo, and the other podcast search engines all rely on these directories. By posting his unauthorized RSS feeds to this directory, podkeyword.com was able to have its own RSS feeds -- rather than the podcasts' official feeds -- carried by iTunes and Yahoo.

It's too late for me to undo the damage this podjacking has caused. I believe that many of the iTunes subscribers I've lost may never return.

So I am writing this piece for the sake of giving podcasters information on how to protect themselves from similar podjackings. And I'm also going to finish this piece with advice on what to do if someone creates an unauthorized feed for your podcast.



Keeping the Podjackers at Bay

At the moment, there are few effective technical approaches that a typical podcaster can use to discourage podjackers.

But both Apple and Yahoo are aware of the problem.

They will doubtless invest resources to make sure that eventually their directories carry only the official feeds of the podcasts they feature.

In the meantime, the best way to protect yourself from a podjacking is to erect a few simple and easy legal barriers, as recommended by Colette Vogele.

First, be sure to get a Copyright tag into your RSS feed. I now have a tag in my show's RSS feed that reads: "Erik Marcus 2004-2005" - you can check the RSS feed for Erik's Diner to see how and where this tag is placed.

Additionally, it's not a bad idea to end your show by saying the copyright date and providing your name. That way, both the feed itself and the content going over that feed is clearly copyrighted, and it will be easier to go after a podjacker in the courts if they republish your show under an unauthorized RSS feed.

One thing I'll be doing shortly to further protect my show is to acquire a Creative Commons license. This will allow me to secure rights sufficient to fend off podjackers, without scaring people away from making use of my show in a fair and legitimate way. To learn more about this kind of license, visit: http://creativecommons.org/.

And finally, you should regularly check all the major podcast directories and search engines to be sure that their listings point to your official URL/RSS feed. Most podcast directories, with the exception of iTunes, show your feed's referring URL right in their show listings. To find that in iTunes, just subscribe to the show. Then go to the page in iTunes that lists all the podcasts you subscribe to, right-click on your show, and choose the "Show Description" option.



Dealing with a Podjack

If your show does end up being podjacked, there are a number of things you can do to resolve the situation and retain as much of your audience as possible.

First, I strongly advise you not to contact the podjacker right away. Chances are that your show is still reaching many of your listeners through his unauthorized feed, and you need to capitalize on this.

On your next show, tell your listeners that your feed has been podjacked, and ask them to verify that they are subscribed through your official feed.

Read your official RSS URL on your show, and ask your listeners to keep visiting your main website while you resolve the situation.

And don't forget to emphasize the copyright date and copyright owner at the end of that show.

Next, contact the podcast search engines that have accepted the unauthorized feed, and ask them to make the correction.

If an unauthorized feed has made its way into your iTunes show entry, what you need to do is select your show in iTunes and then hit the "Report a Concern" button. From there, the best entry to choose is "This podcast is mine and I want it removed from the music store." You should then fill out the field and tell Apple that your podcast listing was hijacked, and that their listing should point to its official feed. Be sure to provide your official referring URL as well as your email address.

It's probably best to hold off on contacting the podjacker until you've fixed your feed listings with all the major search engines.

When you contact the podjacker, send him your podcast's official referring URL and ask that he set his server to send out an HTTP response of 301, along with the official URL, for all incoming requests for your show. For a server administrator who knows what he's doing, configuring the server to do this is a two-minute job. What this 301 code will do is tell well-designed podcast search engines and listening clients (like iTunes) to update their RSS feed listing to your official URL.
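The routine directory check recommended earlier and the 301 request described above can be combined into one audit of the feed URLs that directories list for a show. This is an added example, not code from the article or from any directory; the `alias-*.example` hosts, their responses, and the status labels are constructed for illustration.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

OFFICIAL_FEED = "http://www.vegan.com/diner/eriksdiner.rss"  # official URL given in the article
SHOW_TITLE = "Erik's Diner"
MAX_BODY = 1 << 20  # read at most 1 MiB from a host you do not control


def normalize(url):
    """Case-fold scheme and host and drop a trailing slash so equivalent URLs compare equal."""
    p = urlsplit(url.strip())
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/") or "/", p.query)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow: the status code itself is what we audit


def http_fetch(url):
    """One GET, redirects not followed. Returns (status, Location header, body)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, None, resp.read(MAX_BODY)
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), b""
    except (urllib.error.URLError, OSError):
        return 0, None, b""


def channel_title(body):
    """Return the RSS 2.0 <channel><title> text, or None if the body is not a feed."""
    try:
        return ET.fromstring(body).findtext("channel/title")
    except ET.ParseError:
        return None


def audit_listing(listed_url, fetch=http_fetch, max_hops=5):
    """Classify the feed URL that a directory lists for the show."""
    official = normalize(OFFICIAL_FEED)
    if normalize(listed_url) == official:
        return "official"
    url, permanent = listed_url, True
    for _ in range(max_hops):
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            permanent = permanent and status in (301, 308)
            url = urljoin(url, location)
            if normalize(url) == official:
                # Only a fully permanent chain asks clients to update the stored URL.
                return "permanent-redirect" if permanent else "temporary-redirect"
        elif status == 200:
            # A third-party host answers 200 itself: listeners depend on that host.
            same_show = channel_title(body) == SHOW_TITLE
            return "third-party-copy" if same_show else "unrelated-content"
        else:
            return "unreachable"
    return "too-many-redirects"


# Constructed responses standing in for real hosts, so the example runs offline.
FEED = (b"<rss version='2.0'><channel><title>Erik's Diner</title>"
        b"<copyright>Erik Marcus 2004-2005</copyright></channel></rss>")
SAMPLE = {
    "http://alias-a.example/diner": (301, OFFICIAL_FEED, b""),
    "http://alias-b.example/diner": (302, OFFICIAL_FEED, b""),
    "http://alias-c.example/": (200, None, FEED),
    "http://alias-d.example/gone": (404, None, b""),
}


def sample_fetch(url):
    return SAMPLE.get(url, (0, None, b""))


if __name__ == "__main__":
    for listed in [OFFICIAL_FEED, *SAMPLE]:
        print(f"{audit_listing(listed, fetch=sample_fetch):20} {listed}")
```

Pass it the feed URLs copied from each directory listing. Anything other than `official` means a third-party host still sits between the directory and your feed, and only `permanent-redirect` asks clients to move off it.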



Every new and exciting technology has its abuses, so it's not surprising that a technology as world-changing as podcasting would have initial problems with security.

I have no doubt that there are technical fixes to the podjacking problem that will be introduced soon.

For now, though, podjacking is a huge potential problem and podcasters need to be vigilant to protect their shows.



Original article was entitled:
Preventing and Surviving a Podjacking
published by Erik Marcus on December 8th 2005
Erik Marcus is the publisher of Vegan.com and host of the Erik's Diner podcast
December 8, 2005

See also: Colette Vogele post on this.

Erik Marcus [via Kevin C. Borgia] -
Reference: Vegan.com
 
 
 
Readers' Comments    
2005-12-27 00:40:10

Someone

Do you think that posting on this site 3x and making claims undoes what he said or went through?
Regardless of what's happened, it is important to protect one's thoughts and property. I think websites do too little with what's offered.



2005-12-20 17:59:28

George Lambert

From George Lambert

I am the person accused of being the world's first podjacker and this is my side of the story!

--------------------------------------------------------------------------------------

Erik Marcus has gotten a lot of attention for himself and incited a riot in the blogosphere. By defining a new buzzword: Podjack: [(verb) – To create an alternate RSS feed to a podcast without the permission of the podcast's owner] and a new e-villain, me -- George Lambert – I am accused of being the world's first podjacker and this is my side of the story.

Since the fall of 2004 I have been providing a free service, Podkey 1.0, that makes accessing digital media (podcasts, video-blogs, etc) simple. By linking keywords (with phonetic matching for those who aren’t perfect spellers) to specific podcasts streams, individual shows and specific content within given show, Podkey 1.0 replaces complex RSS URLs with simple names and phrases.

Of course Erik’s claim that I am a Podjacker is untrue, however we do agree on a few things:

Erik signed up for our service in 2004

Erik recently opted out of our service

Erik's decision to opt out made it hard for listeners to find his show

Erik demanded that we put him back in the service with changes that would require development time and effort

I could not agree to Erik's conditions for his reinstatement but offered him the option to continue to use the service as is, free of charge.

What concerns me is what Erik has not said. He hasn’t acknowledged

That he doesn’t fully understand RSS technology and specifically my service

That in good faith I spoke with him and tried to explain the situation and address his concerns

That his response was to call me an extortionist and call a high-powered lawyer

That I’ve shared all of our communication openly with the public and press

And most importantly,

After I made core changes to my service for his benefit – free of charge – to ensure that every listener could find his podcast he didn’t stop his campaign against me

In this specific case clearly the user did not take time to:

To understand what the service provided and what he signed up for

To realize the problem that he was trying to fix

To address the problem and return my initial email.

To speak with me in good faith to understand my position, and find a resolution

There is a lesson here for anyone that provides a free service on the Internet. It is very easy for someone to

Make false claims that tarnish your reputation

Get an audience of passionate people to act as vigilantes attacking your mailbox and voice mail

Force you to face the challenge of finding and paying for a lawyer – for offering a free service

Put you in the embarrassing position of having to tell your employer, friend and family you are not a hijacking, extortionist engaged in e-terrorism

In the end, this brouhaha has been of a service that

Does exactly what we described in 2004

Was designed to eliminate some of the very problems Erik fears

Provided the exact benefits that our users signed up for



2005-12-18 09:09:47

David Lawrence

It is interesting that you'd republish this account of the "podjacking" that never occurred without any thought to its veracity.

If you look at this case objectively, as you can if you visit Erik's attorney's site, or podkey.com itself, you'd probably preface this entry in your blog with something that further explains the truth of the matter.

No podjacking occurred here. Erik asked for the keywords (including 'meat' and 'animal', a bit disingenuous for the righteously indignant vegan) and then over time forgot he'd registered them. That's where this story should end - but Erik has chosen to get a bit more mileage out of this story than it deserves.



 
posted by Robin Good on Wednesday, December 14 2005, updated on Saturday, April 24 2010

