Peer-to-Peer Peering Pondered

WASHINGTON -- A discussion of privacy on peer-to-peer networks raised varied questions and accusations of spying and carelessness, but brought few answers and no plans for legal action, at a recent Congressional hearing.

Some members of Congress were interested in charges that P-to-P networks expose personal data, but experts meeting with the House Committee on Government Reform produced little evidence of that happening on a large scale. Still, the meeting produced a lively discussion, drawing comments from representatives of file-sharing service Kazaa, law enforcement, and academics who have studied file-sharing trends.

Information Unveiled

Committee staff found tax returns, medical records, attorney-client communications, and resumes on one search of an unnamed file-sharing service, said Committee Chairman Tom Davis (R-Virginia). He also warned of spyware and adware that's available on some P-to-P services.

"Users of these programs need to be aware that sharing personal information can open the door to identity theft, consumer fraud, or other unwanted uses of their personal data," Davis said. "Parents, businesses, and government agencies also need to be aware of these risks if their home or office computers contain file-sharing programs."

However, James Farnan, deputy assistant director of the FBI's Cyber Division, said his agency has received no complaints of identity theft through P-to-P networks. He noted that victims may not report the crime if they use P-to-P to illegally trade files.

"Peer-to-peer networks primarily serve as a come-and-get-it resource on the Internet," Farnan said. "Criminals are only beginning to explore the potential of crime via peer-to-peer networks."

Nathaniel Good, an information graduate student at the University of California at Berkeley, showed the committee files downloaded from users of the popular P-to-P service Kazaa. Good identified entire contents of e-mail in-boxes, credit card information on spreadsheets, and employee bonus salary agreements, all presumably shared accidentally.

"There's a lot of stuff here the person doesn't want the rest of the world to download," Good said.

In a study through Good's school and the University of Minnesota, researchers found about 1000 Kazaa users sharing their e-mail in-boxes during a one-week sweep of the service in January, Good said. But that's a small percentage of the estimated 70 million active Kazaa users.

Safeguards Considered

In the newest version of Kazaa, the default setting allows downloading of files only from a downloads folder, said Kazaa lawyer Philip Corwin. Users would have to change the settings to share tax documents or credit card information found elsewhere on their hard drives, he said.

"You have to go in and choose to share that file or everything on your C: drive," said Corwin, who attended the hearing but was not on the witness list.

Good's study recommends consumer education about the dangers of file-sharing and a better user interface for Kazaa, and Corwin said the P-to-P service will take those recommendations to heart. A forthcoming update of Kazaa will include more prominent warnings about unintentionally sharing private files, Corwin said.

The hearing was the committee's second about P-to-P networks. A previous hearing focused on pornography on P-to-P services, and a third will discuss file-sharing among government agencies. Corwin said he hopes the committee will also look into the music industry, which he called the "greatest threat to privacy" for trying to subpoena the names of file downloaders. He said the music industry also wants to be able to go into individual computers and delete files.

"I hope (the committee) is going to look into the millions of dollars Hollywood is spending on very aggressive invasive technologies that appear to be in violation of existing U.S. law," Corwin said.

Corwin's allegation that the music industry is developing such software is a "ridiculous charge," said Jonathan Lamy, a spokesperson for the Recording Industry Association of America. "The record companies would never do anything like that."

Putting It in Perspective

Others accuse some P-to-P services of making it difficult for users to designate files to share, and complain that some P-to-P software includes spyware. E-mail viruses and worms also can expose personal data, but P-to-P presents additional security challenges, said John Hale, assistant professor of computer science at the University of Tulsa.

"In short, P-to-P file sharing exposes users to untrusted hosts and software and offers little in the way of protection," he said.

Others said P-to-P software, when used correctly, isn't more dangerous than most other software.

File-sharing raises serious privacy concerns, said Alan Davidson, associate director of the Center for Democracy and Technology. "At the same time, it can be very beneficial, and it's largely in the control of the people who use it."

P-to-P networks may not be a major culprit in identity theft, although most victims can't identify how their personal information was stolen, said Mari Frank, a lawyer and expert on identity theft.

"P-to-P file sharing may pose less of a threat to identity theft than the careless display of records at your doctor's office, the negligently filed tax returns left on your accountant's desk for the cleaning crew to review, the unencrypted and unlocked cabinet with personnel files at work ... and the hacked databases of credit card companies," she said.

Seeking Suggestions

Representative Christopher Shays (R-Connecticut) suggested Congress sometimes overreacts to problems. He asked for suggestions to prevent P-to-P users from accidentally sharing private data.

Good and most other attendees suggested public education about the potential problems of P-to-P, as well as making P-to-P software easier to use and configure. "(Technologists) like to think we can design things so we're not compromising security and convenience," Good said.

Jeffrey Schiller, network manager and security architect at the Massachusetts Institute of Technology, suggested P-to-P services could design their software to download only music files, but that would give the music industry ammunition against P-to-P services.

"There is a copyright issue here, and designers are safer sharing everything than they are trying to share just a type of file, because then it'd be easier to accuse them, 'this is only about sharing music'," he said. "One of the defenses is, 'Oh, no, you can share anything.'"

Congress should consider legislation that requires P-to-P and other Internet-based businesses to protect consumer privacy, Davidson said.

But Representative Dutch Ruppersberger (D-Maryland) said he is concerned about how P-to-P services use information obtained through spyware or adware, but questions the effectiveness of a law.

"At this time, I think we need legislation, but I'm fearful that whatever we write up in Congress will be obsolete within one year," he said.

A Davis spokesperson said the committee chair has no plans for P-to-P legislation at this point.

"The chairman's goal was to inform other members of Congress and the public about the potential dangers of peer-to-peer networks and to prompt a private-sector fix," the spokesperson said.