Actually it isn't hard at all, you see the to and from MAC and/or IP-addresses, and parse your logs on those. Sure, it would cost you some time to log traffic and then decrypt it all, but if there's anything which is easy to do on computers these days, it's parsing log-files using easily adaptable scripts. You might want to look into the following story to get an idea on how easy things of such nature are: http://www.securityfocus.com/infocus/1814 If uTorrent would store stuff for a month and then send it only once, you can still see it storing to and reading from disk, even if the position on disk is uncommon and unnoticeable. This is also not hard to detect, decrypt or reveal. What do you think bugtraq or similar groups are doing 24/7 ? Remember what happened to SONY when their rootkit CDs got revealed. Do you think Ludde aspires risking his reputation like that? ;-)