Interesting People mailing list archives
P2P Users Should Beware of Privacy and Security Risks
From: Dave Farber <dave () farber net>
Date: Mon, 19 May 2003 21:37:54 -0400
CDT Policy Post Volume 9, Number 11, May 19, 2003

A Briefing On Public Policy Issues Affecting Civil Liberties Online
From The Center For Democracy And Technology

Contents:
(1) P2P Users Should Beware of Privacy and Security Risks
(2) Risks from Inadvertent Sharing of Sensitive Files
(3) "Spyware" Violates Privacy, Denies User Choice
(4) Other Legal Risks in Peer-to-Peer Networks

-----------------------------------------------------------------------

(1) Peer-to-peer Users Should Beware of Privacy and Security Issues

In testimony before the House Government Reform Committee May 15, CDT Associate Director Alan Davidson raised concerns about the privacy and security of popular peer-to-peer (P2P) file sharing networks. P2P programs such as Kazaa, Grokster, and Morpheus are among the most downloaded computer software today.

P2P file-sharing tools have become notorious for fostering widescale piracy of copyrighted works -- an activity that CDT condemns, and that carries significant legal penalties. These P2P tools can also raise potential privacy and security risks for those who share files. CDT noted that carelessness in installing and using file-sharing software can result in the unintended sharing of users' sensitive personal information.

Key privacy and security concerns facing users include:

* Inadvertent sharing of sensitive personal information;
* Spyware that communicates without a user's knowledge; and
* Legal risks both for those who violate copyright law, and due to certain overly broad subpoena powers granted under law

P2P file sharing has many legitimate uses, is largely in the control of those who use it, and is decidedly hard to regulate. CDT called for a broad public education effort and improved software practices to better inform people about the potential privacy and security risks of file sharing while preserving the benefits of this technology.
CDT also called for application of fair information practices to spyware and modifications to existing law including baseline privacy legislation for the Internet.

CDT's testimony is available at http://www.cdt.org/testimony/030515davidson.pdf [PDF] and http://www.cdt.org/testimony/030515davidson.html [HTML]

-----------------------------------------------------------------------

(2) Risks from Inadvertent Sharing of Sensitive Files

Peer-to-peer file sharing systems provide Internet users with the ability to share files on their computers with thousands or millions of other people. In doing so they make it possible, and in some cases too easy, for people to share even very personal files, sometimes by accident. Recent studies have found dozens of examples of Kazaa users who have made available for download sensitive documents on their computers like their tax returns, e-mail inboxes, or check registers -- almost certainly by mistake. Once available, these sensitive files could be used to commit fraud, invade privacy, or even commit identity theft.

In many respects this issue is akin to the problems facing any speaker on the Internet, who might mistakenly share sensitive files. But several factors heighten the privacy concern for file sharing systems. These networks are used by millions of consumers, typically with far less expertise than publishers on the Web. P2P networks' powerful search capabilities can make files more widely accessible than other publishing tools. And in many cases finding out just what is being shared is not that easy, especially for those unfamiliar with the workings of these programs.

Though the consequences of mistakenly sharing personal files are sobering, it is important to keep the problem in perspective.
Reports by the General Accounting Office and the Federal Trade Commission indicate that Internet sources of information constitute a very small percentage of identity theft cases, and available data seems to indicate that the percentage of peer-to-peer users who inadvertently share sensitive files is small.

CDT believes that education is the key to helping users protect themselves from the dangers of over-sharing on P2P file networks. Resources such as GetNetWise.org offer guides to safe use of these systems. Also, the developers of P2P software can and should make it easier for users to understand and control what they share.

Information about safe file-sharing online is available at: http://security.getnetwise.org/tips/filesharing/

-----------------------------------------------------------------------

(3) "Spyware" Violates Privacy, Denies User Choice

Many file-sharing programs contain "spyware" that collects information about a user's online activities, then communicates that information back to a third party, typically without the user's knowledge or consent. While often used primarily for sending ads, spyware can be used for more invasive collection of information. These programs can be difficult for users to detect or even remove, and may seriously affect the stability and security of a user's computer.

CDT strongly believes that developers of file-sharing software, like any developer that includes spyware, should observe fair information practices. They should give users clear notice about the type of information being collected about them, meaningful choices about whether to participate, and access to personal information being collected and retained.

In their current form, many file-sharing applications fail to meet these fair information practices. Notice about the installation of these programs is often buried in complex click-through agreements.
The ability to opt-out of data collection often does not exist, even through the use of third-party spyware blocking systems. CDT urges consumers to avoid applications with spyware and demand best practices for the handling of their personal information.

More information about Fair Information Practices is available at http://www.cdt.org/privacy/guide/basic/fips.html

-----------------------------------------------------------------------

(4) Other Legal Risks in Peer-to-Peer Networks

File traders who violate copyright laws face obvious legal risks. CDT condemns the piracy of copyrighted works. Those who engage in it face substantial legal penalties.

At the same time, CDT is concerned that at least one provision of current law -- the broad subpoena power granted to any copyright holder under Section 512(h) of the Digital Millennium Copyright Act (DMCA) -- too easily allows the identity of peer-to-peer participants or any Internet user to be unmasked wrongly or by mistake without their knowledge. As recently interpreted in a federal court decision in RIAA v. Verizon, this DMCA subpoena authority would permit any copyright holder -- possibly millions of people and groups -- to compel an ISP to disclose the identity of an Internet user based on an allegation of copyright infringement. This disclosure of personal information would take place without requiring any notice to the user that his or her identity had been unmasked, and without much judicial oversight as to the likely truth of the allegations.

Accepting the importance of fighting massive copyright infringement online, we are concerned that personal data about users will be revealed inappropriately due to misuse, abuse, or mistakes. Effective copyright enforcement need not come at the expense of individual privacy.
For example, providing end users with notice when their identity is revealed would go a long way toward preventing abuse and could even enhance enforcement by warning users about potential infringing activity. Courts could be required to exercise greater oversight. Sanctions could be put in place for misuse. Reporting requirements could be established to ensure that provisions were not being misused. CDT believes that a better privacy balance can and should be struck by Congress.

-----------------------------------------------------------------------

Detailed information about online civil liberties issues may be found at http://www.cdt.org/.

This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_9.11.shtml.

Excerpts may be re-posted with prior permission of ari () cdt org

Policy Post 9.11 Copyright 2003 Center for Democracy and Technology