US congressmen raised concerns over whether peer-to-peer networks are exposing users' personal information, but witnesses at a House Committee on Government Reform hearing yesterday produced little evidence of that happening on a large scale.
Committee staff members were able to find tax returns, medical records, attorney-client communications and resumes on one search of an unnamed file-sharing service, said committee chairman Tom Davis, a Virginia Republican. He also warned that spyware or adware is available on some P-to-P services.
"Users of these programs need to be aware that sharing personal information can open the door to identity theft, consumer fraud or other unwanted uses of their personal data," Davis said.
"Parents, businesses and government agencies also need to be aware of these risks if their home or office computers contain file-sharing programs."
However, James Farnan, deputy assistant director of the cyber division at the Federal Bureau of Investigation, said his agency hasn't received any complaints of identity theft through P-to-P networks, though he noted that victims using P-to-P services may not report the crime if they are using P-to-P to trade files illegally.
"Peer-to-peer networks primarily serve as a come-and-get-it resource on the internet," Farnan said. "Criminals are only beginning to explore the potential of crime via peer-to-peer networks."
Nathaniel Good, an information graduate student at the University of California, Berkeley, showed the committee files downloaded from users of popular P-to-P service Kazaa. Good identified entire contents of e-mail inboxes, credit card information on spreadsheets, and employee bonus salary agreements, all presumably shared accidentally.
"There's a lot of stuff here the person doesn't want the rest of the world to download," Good said.
In a study through Good's school and the University of Minnesota, researchers found about 1,000 Kazaa users sharing their e-mail inboxes during a one-week sweep of the service in January. But that is a small percentage of the estimated 70 million active Kazaa users.
In the newest version of Kazaa, the default setting allows other users to download only files in a designated downloads folder, said Kazaa lawyer Philip Corwin. Users would have to change the settings to share tax documents or credit card information stored elsewhere on their hard drives, he said.
"You have to go in and choose to share that file or everything on your C drive," said Corwin, who attended the hearing but was not on the witness list.
Good's study recommends consumer education about the dangers of file sharing and a better user interface for Kazaa, and Corwin said the P-to-P service will take those recommendations to heart. A new version of Kazaa, due to be released shortly, will include more prominent warnings about unintentionally sharing private files.
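The share-scope point Corwin describes (a default that exposes only a downloads folder versus a user choosing to share a whole drive) and the accidental exposures Good found (inboxes, spreadsheets, tax documents) can be checked before a folder is ever published. The audit script below is an added example, not code from Kazaa, the hearing witnesses, or the study; the file-type and content heuristics, the folder names and the sample files are all constructed assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics for files a home user rarely intends to share (assumptions, not
# drawn from the hearing): mailbox and office formats, plus content markers
# for e-mail headers, US SSN-shaped numbers, card-number-shaped digit runs
# and tax-form keywords.
SENSITIVE_EXTENSIONS = {".pst", ".dbx", ".mbx", ".mbox", ".eml",
                        ".xls", ".xlsx", ".csv", ".doc", ".docx", ".pdf"}
CONTENT_MARKERS = [
    re.compile(r"\bFrom: .+@", re.I),          # mbox-style e-mail header
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),      # SSN-shaped
    re.compile(r"\b(?:\d[ -]?){13,16}\b"),     # card-number-shaped
    re.compile(r"\b(form 1040|w-2|tax return)\b", re.I),
]


def share_root_is_too_broad(share_root, downloads_folder):
    """True when the configured share path is not the downloads folder
    itself or a directory inside it (i.e. the 'whole C drive' case)."""
    share = Path(share_root).resolve()
    downloads = Path(downloads_folder).resolve()
    try:
        share.relative_to(downloads)
        return False
    except ValueError:
        return True


def flag_sensitive_files(share_root, max_bytes=65536):
    """Walk the share and return (relative path, reasons) for suspect files.
    Only the first max_bytes of each file are inspected for content markers."""
    root = Path(share_root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in SENSITIVE_EXTENSIONS:
            reasons.append("extension " + path.suffix.lower())
        try:
            text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
        except OSError:
            text = ""
        for marker in CONTENT_MARKERS:
            if marker.search(text):
                reasons.append("content matches " + marker.pattern)
                break
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return findings


def audit(share_root, downloads_folder):
    """Combine the scope check and the file scan into one report."""
    return {
        "too_broad": share_root_is_too_broad(share_root, downloads_folder),
        "findings": flag_sensitive_files(share_root),
    }


def build_demo_tree():
    """Constructed sample layout: a harmless downloads folder beside a
    Documents folder holding the kinds of files the witnesses described."""
    root = Path(tempfile.mkdtemp(prefix="p2p_audit_"))
    downloads = root / "My Shared Folder"
    downloads.mkdir()
    (downloads / "song.mp3").write_bytes(b"\x00" * 64)
    docs = root / "Documents"
    docs.mkdir()
    (docs / "inbox.mbox").write_text("From: alice@example.com\nSubject: hi\n\nbody\n")
    (docs / "bonuses.csv").write_text("name,bonus\nbob,5000\n")
    (docs / "notes.txt").write_text("Attached: my tax return for last year\n")
    return root, downloads


if __name__ == "__main__":
    root, downloads = build_demo_tree()
    for label, share in (("default (downloads only)", downloads), ("whole drive", root)):
        report = audit(share, downloads)
        print(f"{label}: share too broad = {report['too_broad']}")
        for rel, reasons in report["findings"]:
            print(f"  {rel}: {', '.join(reasons)}")
```

Run as-is, the default-scope audit reports nothing, while the whole-drive audit flags the mailbox, the bonus spreadsheet and the note mentioning a tax return. The scope check is the cheap, high-value part: it catches the misconfiguration Corwin describes regardless of how good the content heuristics are.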
Thursday's hearing was the committee's second about P-to-P networks, with the first on pornography available on P-to-P services and a third planned on file sharing among government agencies.
Corwin said he hoped the committee will also look into the music industry, which he called the "greatest threat to privacy" for trying to subpoena the names of file downloaders and which has pushed for legislation that would allow the industry to go into individual computers and delete files. Corwin cited a New York Times article saying the recording industry is also trying to develop software to delete files from remote computers.
"I hope [the committee] is going to look into the millions of dollars Hollywood is spending on very aggressive invasive technologies that appear to be in violation of existing US law," Corwin said.
Corwin's allegation of the music industry developing such software is a "ridiculous charge", said Jonathan Lamy, a RIAA spokesman, adding, "The record companies would never do anything like that."
Other witnesses accused some P-to-P services of making it difficult for users to decide just what files they want to share, and complained that some P-to-P software includes spyware. E-mail viruses and worms also can expose personal data, but P-to-P presents additional security challenges, said John Hale, assistant professor of computer science at the University of Tulsa.
"In short, P-to-P file sharing exposes users to untrusted hosts and software and offers little in the way of protection," he said.
Other witnesses said P-to-P software, when used correctly, is no more dangerous than most other software. File sharing raises serious privacy concerns, said Alan Davidson, associate director of the Center for Democracy and Technology. "At the same time, it can be very beneficial, and it's largely in the control of the people who use it."
P-to-P networks may not be a major culprit in identity theft, although most victims are unable to identify how their personal information was stolen, said Mari Frank, a lawyer and expert on identity theft.
"P-to-P file sharing may pose less of a threat to identity theft than the careless display of records at your doctor's office, the negligently filed tax returns left on your accountant's desk for the cleaning crew to review, the unencrypted and unlocked cabinet with personnel files at work ... and the hacked databases of credit card companies," she said.
Representative Christopher Shays, a Connecticut Republican, suggested that Congress sometimes overreacts to problems, and he asked witnesses for the best solutions to P-to-P users accidentally sharing private data.
Good and most other witnesses suggested public education about the potential problems of P-to-P, as well as technological solutions that would make P-to-P software easier to use and configure. "Technologists like to think we can design things so we're not compromising security and convenience," Good said.
Jeffrey Schiller, network manager and security architect at the Massachusetts Institute of Technology, suggested P-to-P services could design their software to only download music files, but that would give the music industry ammunition against P-to-P services.
"There is a copyright issue here, and designers are safer sharing everything than they are trying to share just a type of file, because then it'd be easier to accuse them, 'this is only about sharing music'," he said. "One of the defences is, 'Oh, no, you can share anything.' That drives the trade-off in the wrong direction."
Congress should look at legislation that requires P-to-P and other internet-based businesses to protect consumer privacy, Davidson suggested. "There's a growing realisation there may be a need for baseline, narrowly tailored legislation," he said.
Representative Dutch Ruppersberger, a Maryland Democrat, said he was concerned about how P-to-P services use information obtained through spyware or adware, but he questioned the effectiveness of a law.
"At this time, I think we need legislation, but I'm fearful that whatever we write up in Congress will be obsolete within one year," he said.
A spokesman for Davis said the committee chairman has no plans for P-to-P legislation at this point. "The chairman's goal was to inform other members of Congress and the public about the potential dangers of peer-to-peer networks and to prompt a private-sector fix," the spokesman said.