Interesting People mailing list archives

P2P Users Should Beware of Privacy and Security Risks


From: Dave Farber <dave () farber net>
Date: Mon, 19 May 2003 21:37:54 -0400



CDT Policy Post Volume 9, Number 11, May 19, 2003

A Briefing On Public Policy Issues Affecting Civil Liberties Online
From
The Center For Democracy And Technology

Contents:
(1) P2P Users Should Beware of Privacy and Security Risks
(2) Risks from Inadvertent Sharing of Sensitive Files
(3) "Spyware" Violates Privacy, Denies User Choice
(4) Other Legal Risks in Peer-to-Peer Networks

-----------------------------------------------------------------------

(1) Peer-to-peer Users Should Beware of Privacy and Security Issues

In testimony before the House Government Reform Committee May 15, CDT
Associate Director Alan Davidson raised concerns about the privacy
and security of popular peer-to-peer (P2P) file sharing networks. P2P
programs such as Kazaa, Grokster, and Morpheus are among the most
downloaded computer software today.  P2P file-sharing tools have
become notorious for fostering widescale piracy of copyrighted works
-- an activity that CDT condemns, and that carries significant legal
penalties. These P2P tools can also raise potential privacy and
security risks for those who share files.

CDT noted that carelessness in installing and using file-sharing
software can result in the unintended sharing of users' sensitive
personal information.   Key privacy and security concerns facing
users include:

   * Inadvertent sharing of sensitive personal information;
   * Spyware that communicates without a user's knowledge; and
   * Legal risks both for those who violate copyright law, and due
     to certain overly broad subpoena powers granted under law

P2P file sharing has many legitimate uses, is largely in the control
of those who use it, and is decidedly hard to regulate. CDT called
for a broad public education effort and improved software practices
to better inform people about the potential privacy and security
risks of file sharing while preserving the benefits of this
technology. CDT also called for application of fair information
practices to spyware and modifications to existing law including
baseline privacy legislation for the Internet.

CDT's testimony is available at
http://www.cdt.org/testimony/030515davidson.pdf [PDF] and
http://www.cdt.org/testimony/030515davidson.html [HTML]

-----------------------------------------------------------------------

(2) Risks from Inadvertent Sharing of Sensitive Files

Peer-to-peer file sharing systems provide Internet users with the
ability to share files on their computers with thousands or millions
of other people.  In doing so they make it possible, and in some
cases too easy, for people to share even very personal files,
sometimes by accident.

Recent studies have found dozens of examples of Kazaa users who have
made available for download sensitive documents on their computers
like their tax returns, e-mail inboxes, or check registers -- almost
certainly by mistake. Once available, these sensitive files could be
used to commit fraud, invade privacy, or even commit identity theft.

In many respects this issue is akin to the problems facing any
speaker on the Internet, who might mistakenly share sensitive files.
But several factors heighten the privacy concern for file sharing
systems.  These networks are used by millions of consumers, typically
with far less expertise than publishers on the Web.  P2P networks'
powerful search capabilities can make files more widely accessible
than other publishing tools.  And in many cases finding out just what
is being shared is not that easy, especially for those unfamiliar
with the workings of these programs.

Though the consequences of mistakenly sharing personal files are
sobering, it is important to keep the problem in perspective. Reports
by the General Accounting Office and the Federal Trade Commission
indicate that Internet sources of information constitute a very small
percentage of identity theft cases, and available data seems to
indicate that the percentage of peer-to-peer users who inadvertently
share sensitive files is small.

CDT believes that education is the key to helping users protect
themselves from the dangers of over-sharing on P2P file networks.
Resources such as GetNetWise.org offer guides to safe use of these
systems.  Also, the developers of P2P software can and should make it
easier for users to understand and control what they share.

Information about safe file-sharing online is available at:
http://security.getnetwise.org/tips/filesharing/

-----------------------------------------------------------------------

(3) "Spyware" Violates Privacy, Denies User Choice

Many file-sharing programs contain "spyware" that collects
information about a user's online activities, then communicates that
information back to a third party, typically without the user's
knowledge or consent.  While often used primarily for sending ads,
spyware can be used for more invasive collection of information.
These programs can be difficult for users to detect or even remove,
and may seriously affect the stability and security of a user's
computer.

CDT strongly believes that developers of file-sharing software, like
any developer that includes spyware, should observe fair information
practices. They should give users clear notice about the type of
information being collected about them, meaningful choices about
whether to participate, and access to personal information being
collected and retained.

In their current form, many file-sharing applications fail to meet
these fair information practices. Notice about the installation of
these programs is often buried in complex click-through agreements.
The ability to opt-out of data collection often does not exist, even
through the use of third-party spyware blocking systems.

CDT urges consumers to avoid applications with spyware and demand best
practices for the handling of their personal information.

More information about Fair Information Practices is available at
http://www.cdt.org/privacy/guide/basic/fips.html

-----------------------------------------------------------------------

(4) Other Legal Risks in Peer-to-Peer Networks

File traders who violate copyright laws face obvious legal risks. CDT
condemns the piracy of copyrighted works.  Those who engage in it
face substantial legal penalties.

At the same time, CDT is concerned that at least one provision of
current law -- the broad subpoena power granted to any copyright
holder under Section 512(h) of the Digital Millennium Copyright Act
(DMCA) -- too easily allows the identity of peer-to-peer participants
or any Internet user to be unmasked wrongly or by mistake without
their knowledge.

As recently interpreted in a federal court decision in RIAA v.
Verizon, this DMCA subpoena authority would permit any copyright
holder -- possibly millions of people and groups -- to compel an ISP
to disclose the identity of an Internet user based on an allegation
of copyright infringement.  This disclosure of personal information
would take place without requiring any notice to the user that his or
her identity had been unmasked, and without much judicial oversight
as to the likely truth of the allegations.  Accepting the importance
of fighting massive copyright infringement online, we are concerned
that personal data about users will be revealed inappropriately due
to misuse, abuse, or mistakes.

Effective copyright enforcement need not come at the expense of
individual privacy.  For example, providing end users with notice
when their identity is revealed would go a long way toward preventing
abuse and could even enhance enforcement by warning users about
potential infringing activity.  Courts could be required to exercise
greater oversight.  Sanctions could be put in place for misuse.
Reporting requirements could be established to ensure that provisions
were not being misused.  CDT believes that a better privacy balance
can and should be struck by Congress.

-----------------------------------------------------------------------
Detailed information about online civil liberties issues may be
found at http://www.cdt.org/.

This document may be redistributed freely in full or linked to
http://www.cdt.org/publications/pp_9.11.shtml.

Excerpts may be re-posted with prior permission of ari () cdt org

Policy Post 9.11 Copyright 2003 Center for Democracy and Technology
_______________________________________________
http://www.cdt.org/mailman/listinfo/policy-posts


------ End of Forwarded Message
