[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





    OVEREXPOSED: THE THREATS TO PRIVACY AND SECURITY ON FILESHARING 
                                NETWORKS

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 15, 2003

                               __________

                           Serial No. 108-26

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

88-016              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001


                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
JOHN SULLIVAN, Oklahoma              C.A. ``DUTCH'' RUPPERSBERGER, 
NATHAN DEAL, Georgia                     Maryland
CANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of 
TIM MURPHY, Pennsylvania                 Columbia
MICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee
JOHN R. CARTER, Texas                CHRIS BELL, Texas
WILLIAM J. JANKLOW, South Dakota                 ------
MARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont 
                                         (Independent)

                       Peter Sirh, Staff Director
                 Melissa Wojciak, Deputy Staff Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
              Philip M. Schiliro, Minority Staff Director


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on May 15, 2003.....................................     1
Statement of:
    Broes, Derek S., executive vice president of Worldwide 
      Operations, Brilliant Digital Entertainment................    59
    Davidson, Alan B., associate director, Center for Democracy 
      and Technology.............................................    39
    Farnan, James E., Deputy Assistant Director, Cyber Division, 
      Federal Bureau of Investigation, accompanied by Dan Larkin, 
      Supervisory Special Agent, Federal Bureau of Investigation.    89
    Frank, Mari J., esquire, Mari J. Frank, Esquire & Associates.    66
    Good, Nathaniel S., University of California, Berkeley, 
      School of Information Management Systems...................    13
    Hale, Dr. John, assistant professor of computer science and 
      director, Center for Information Security, the University 
      of Tulsa...................................................    31
    Schiller, Jeffrey I., network manager/security architect, 
      Massachusetts Institute of Technology......................    25
Letters, statements, etc., submitted for the record by:
    Broes, Derek S., executive vice president of Worldwide 
      Operations, Brilliant Digital Entertainment, prepared 
      statement of...............................................    62
    Davidson, Alan B., associate director, Center for Democracy 
      and Technology, prepared statement of......................    41
    Davis, Chairman Tom, a Representative in Congress from the 
      State of Virginia, prepared statement of...................     3
    Farnan, James E., Deputy Assistant Director, Cyber Division, 
      Federal Bureau of Investigation, prepared statement of.....    91
    Frank, Mari J., esquire, Mari J. Frank, Esquire & Associates, 
      prepared statement of......................................    69
    Good, Nathaniel S., University of California, Berkeley, 
      School of Information Management Systems, prepared 
      statement of...............................................    16
    Hale, Dr. John, assistant professor of computer science and 
      director, Center for Information Security, the University 
      of Tulsa, prepared statement of............................    34
    Schiller, Jeffrey I., network manager/security architect, 
      Massachusetts Institute of Technology, prepared statement 
      of.........................................................    27
    Waxman, Hon. Henry A., a Representative in Congress from the 
      State of California, prepared statement of.................     7

 
    OVEREXPOSED: THE THREATS TO PRIVACY AND SECURITY ON FILESHARING 
                                NETWORKS

                              ----------                              


                         THURSDAY, MAY 15, 2003

                          House of Representatives,
                            Committee on Government Reform,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10:09 a.m., in 
room 2154, Rayburn House Office Building, Hon. Tom Davis of 
Virginia (chairman of the committee) presiding.
    Present: Representatives Tom Davis of Virginia, Shays, 
Putnam, Duncan, Murphy, Waxman, Maloney, Cummings, Tierney, 
Clay, Sanchez, and Ruppersberger.
    Staff present: Peter Sirh, staff director; Melissa Wojciak, 
deputy staff director; Keith Ausbrook, chief counsel; Anne 
Marie Turner and Randall Kaplan, counsels; David Marin, 
director of communications; Scott Kopple, deputy director of 
communications; Ken Feng, investigator/GAO detailee; Teresa 
Austin, chief clerk; Joshua E. Gillespie, deputy clerk; Corinne 
Zaccagnini, chief information officer; Brien Beattie, staff 
assistant; Phil Barnett, minority chief counsel; Karen 
Lightfoot, minority communications director/senior policy 
advisor; Josh Sharfstein and Nancy Scola, minority professional 
staff members; Earley Green, minority chief clerk; and Jean 
Gosa, minority assistant clerk.
    Chairman Tom Davis. Good morning. A quorum being present, 
the Committee on Government Reform will come to order.
    Let me say a special thank you to our visiting students 
from Woodson High School, out in the 11th Congressional 
District of Virginia. We are happy to have you with us, and I 
hope you will find some of this hearing interesting.
    We are here today to continue our examination into peer-to-
peer file-sharing programs. This is the committee's second 
hearing on this topic.
    At our first hearing held in March, we examined the growing 
problem of the availability of pornography, including child 
pornography, on these networks. The committee found that 
pornography is, in fact, being traded on peer-to-peer networks, 
and children are at great risk of inadvertent exposure to 
pornography while using these programs.
    File-sharing programs or Internet applications allow users 
to download and directly share electronic files from other 
users on the same network. Users of these programs can share 
files that contain documents, as well as music or videos. These 
programs are surging in popularity.
    KaZaA, the most popular file-sharing program has been 
downloaded almost 225 million times, making it the most popular 
software downloaded on the Internet.
    File-sharing technology can be beneficial. However, as we 
learned from our first hearing on this topic, use of this 
technology also presents certain risks. Today, the committee 
will examine the risks to personal privacy and computer 
security posed by the use of peer-to-peer file-sharing 
programs.
    Specifically, we are going to look at three issues: first, 
the reason why highly personal information is available over 
these networks; second, the potential effects of software known 
as ``spyware'' or ``adware'' that is being bundled or included 
with file-sharing programs; and third, the growing risk of 
downloading computer viruses from files shared on these 
programs.
    The committee will release a staff report today that 
highlights these issues. Through a simple search on one file-
sharing program, committee staff easily obtained tax returns, 
medical records, attorney-client communications, resumes, and 
personal correspondence.
    Users of these programs may accidentally share this 
information because of incorrect program configuration. They 
also could be intentionally sharing these files because 
increased file-sharing earns the user higher priority status on 
popular downloads.
    Either way, users of these programs need to be aware that 
sharing personal information can open the door to identity 
theft, consumer fraud, or other unwanted uses of their personal 
data. Parents, businesses, and government agencies also need to 
be aware of these risks if their home or office computers 
contain file-sharing programs.
    Another concern raised by the use of peer-to-peer file-
sharing is the bundling of these programs with software known 
as ``spyware'' or ``adware.'' These programs monitor Internet 
usage primarily for marketing purposes, without the users' 
knowledge. They also give rise to pop-up advertisements and 
spam e-mail.
    Finally, computer viruses can easily spread through file-
sharing programs, since files are shared anonymously. In fact, 
just this week, a new computer virus called ``Fizzer'' spread 
rapidly across the Internet, affecting computers worldwide 
through e-mails and the file-sharing program, KaZaA.
    We have assembled an excellent panel of witnesses who will 
discuss these important issues. I would like to thank each of 
our witnesses for appearing today. I would now like to yield to 
Mr. Waxman for his opening statement.
    [The prepared statement of Chairman Tom Davis follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.001
    
    [GRAPHIC] [TIFF OMITTED] T8016.002
    
    Mr. Waxman. Thank you very much, Mr. Chairman. I am pleased 
to join with you in this hearing. I want to commend our staff 
for developing this report that we issued today, ``File-Sharing 
Programs and Peer-to-Peer Networks, Privacy and Security 
Risks.''
    This is the second of a series of hearings that this 
committee has been holding to highlight and educate the public 
about not just the great opportunities with these new file-
sharing efforts on the computers, but the risks involved, as 
well.
    At our last hearing, we talked about the fact that if young 
people, who are, for the most part, the ones who are using 
these peer-to-peer file-sharing programs, try to get music from 
the programs, more often than not, they are having very vile 
pornography pushed upon them.
    Most parents were not aware of that fact; and most people, 
I think, are not aware of the facts that we are going to 
examine at our hearing today.
    We live in a world that is increasingly more connected. New 
computer innovations can open us up to new experiences and 
offer more choices than ever before. As we experiment with new 
technologies, however, we must recognize their risks. In the 
real world, we know how to guard our privacy and security 
carefully. It is just as important to do so in the on-line 
world.
    So in this hearing, we are going to look at these very 
incredibly popular programs. In fact, the most popular of these 
file-sharing programs, KaZaA, has been downloaded more than 220 
million times. That is really incredible, 22 million times in 
the last 2 months alone.
    Despite their soaring popularity, few people understand the 
risks that these new file-sharing programs can pose. In large 
part, this is due to what I call the on-line generation gap. 
The users of file-sharing programs are predominantly teenagers. 
The parents, however, and grandparents are too often left 
struggling just to keep up.
    In our report that we are releasing today, I think we have 
an opportunity to inform the parents and grandparents that when 
their kids use these file-sharing programs, they may find that 
inadvertently they are sharing incredibly personal files 
through these peer-to-peer networks.
    Our investigators found that they could find completed tax 
returns, medical records, and even entire e-mail in-boxes 
through simple searches using file-sharing programs. No one 
would want to share this kind of personal information, but in 
many cases, that is exactly what is happening.
    Due to the way some users configure their computers, their 
personal files can be accessed by millions of strangers through 
peer-to-peer networks. This invasion of privacy is not the only 
risk families face. Our report finds that when users download 
free file-sharing programs, they are also exposing their 
computers to hidden software called ``spyware'' or ``adware.''
    These programs track what you do online, the Web sites you 
look at, how long you stay on those Web sites, even your e-mail 
address. This zombie-like ware, which takes over the spare 
computing power of personal computers can be bundled with file-
sharing programs.
    So not only can they get access to what is in your personal 
files, they can make your computer server a zombie for their 
own purposes. Besides tracking your computer habits, these 
programs can also cause software conflicts and computer 
crashes. In fact, in committee testing, these programs ruined a 
committee computer twice. Even the House's most experienced 
computer technicians could not restore the computers.
    The chairman mentioned that we are putting computers at 
risk for viruses and other damaging computer files, and we will 
have more testimony about that in our hearing.
    While technical innovation on the Internet is tremendously 
important, our purpose in holding these hearings and releasing 
these investigative reports is not to say that peer-to-peer 
technology is inherently bad. In fact, it may ultimately prove 
to have important and valuable uses.
    But there can be no question that this new technology, at 
least in its current incarnation, can create serious risks for 
users. Our purpose in holding these hearings is to help the 
public understand what these risks are. Without this knowledge, 
families and businesses simply will not be able to make 
intelligent decisions about the technology.
    [The prepared statement of Hon. Henry A. Waxman follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.003
    
    [GRAPHIC] [TIFF OMITTED] T8016.004
    
    [GRAPHIC] [TIFF OMITTED] T8016.005
    
    [GRAPHIC] [TIFF OMITTED] T8016.006
    
    [GRAPHIC] [TIFF OMITTED] T8016.007
    
    Chairman Tom Davis. Thank you very much, and let me also 
commend the staff, and Mr. Waxman, your leadership in helping 
put these hearings together.
    Are there any other opening statements; the gentleman from 
Maryland?
    Mr. Ruppersberger. The information superhighway has opened 
many doors and opportunities, both in terms of communication 
and in terms of commerce. It gave us a .com boom in the mid-and 
late 1990's and helped us to make a more technologically 
advanced country.
    Now privacy on the Internet has been discussed in Congress 
since 1998. We have discussed what information needs to be 
protected. Is a disclosure policy a privacy policy? How do we 
protect it and how do we enforce it? Does Congress need to set 
standards, or do we let the industry decide what is best?
    As technology advances, we have to ask ourselves, if 
Government does promulgate regulations, will those regulations 
be able to keep up with the pace of technology?
    Now today we are discussing file-sharing networks like 
KaZaA and Morpheus. These networks allow subscribers to 
download and share music, photo and video clips with other 
subscribers. The question is, how safe are these networks?
    Can a hacker or an individual use networks to get around 
any firewalls and protections and invade persons' more personal 
files? Can they look at people's Quicken statements? Can they 
view saved e-mails and documents?
    Privacy is not just about personal information. The most 
important part is, we have to be able to be concerned about how 
those companies track and use what you download to market your 
items.
    Do these networks sell your information to retailers? Do 
they share them with spammers, companies that flood our e-mail 
with product information?
    At this time, I think we need legislation, but I am fearful 
whatever we write up in Congress will be obsolete within 1 
year.
    Can we legislate privacy? Yes, we can. Congress has done 
that. We have cable and video store privacy. We have financial 
privacy and we have medical privacy. Why not person-to-person 
network privacy? How about a strong Federal enforcement 
mechanism, based on violations of industry-based best practice 
standards?
    Now obviously, no one wants to harm the continued 
advancement of technology. But eventually there will be the 
need for a balance. There will be the need to assure people 
that your information is safe as you connect to the Internet as 
it travels through cyberspace.
    Thank you, Mr. Chairman.
    Chairman Tom Davis. Thank you very much.
    Does anyone else wish to make an opening statement?
    [No response.]
    Chairman Tom Davis. We will now move to our witnesses. We 
have Nathaniel Good from the University of California, 
Berkeley, who will be demonstrating for the committee how 
personal documents can easily be accessed from peer-to-peer 
file-sharing networks.
    Next, we have Jeffrey Schiller, who is network manager for 
the Massachusetts Institute of Technology. Following Mr. 
Schiller is Dr. John Hale, the director of the Center for 
Information Security at the University of Tulsa.
    We will then hear from Alan Davidson from the Center for 
Democracy and Technology; and then from Derek Broes, the 
executive vice president of Brilliant Digital Entertainment.
    Next is Mari Frank, who is an identity theft expert. 
Rounding out the panel is James Farnan, Deputy Assistant 
Director of the Federal Bureau of Investigations Cyber 
Division.
    It is the policy of this committee that all witnesses be 
sworn before they testify, so if you will rise with me and 
raise your right hands.
    [Witnesses sworn.]
    Chairman Tom Davis. Thank you very much; please be seated. 
We have a light in front. We have your total statements in the 
record that we have read. Your green light will be on for the 
first 4 minutes. In the 5th minute, an orange light will go 
with the red light, so at 5 minutes, we would appreciate your 
summing up.
    Your total testimony is in the committee record, and we 
will go from there. I think for our first witness, you are 
going to do a demonstration. We will cut a little slack on the 
time, but if we can get it down, then we can get to questions; 
thank you very much, Mr. Good.

   STATEMENT OF NATHANIEL S. GOOD, UNIVERSITY OF CALIFORNIA, 
       BERKELEY, SCHOOL OF INFORMATION MANAGEMENT SYSTEMS

    Mr. Good. Thank you very much; good morning, Mr. Chairman 
and committee members. Thank you for the opportunity to appear 
before you today.
    In the brief amount of time that we have to talk to you 
about our study, we would like to give you a video 
demonstration of the problem that we found with KaZaA; describe 
how this problem can occur; and then talk about the possible 
solutions to this problem.
    On the screen in front of you is KaZaA. KaZaA is the most 
popular peer-to-peer file-sharing program on the Internet 
today. With KaZaA, you can look for any type of file, such as 
music, documents, videos. Any file that can be stored on your 
hard drive can be shared through the KaZaA network.
    To do this, one would download the application, type the 
key words that one is looking for into the search box, hit the 
return, and the results would pop up to the right to your 
search box.
    In this example, we will show how a user could get ahold of 
someone else's personal information through KaZaA by typing key 
words and looking for information from the search results.
    So in the first example that we have, we have a user who is 
looking for a file called ``inbox.dbx.'' Inbox.dbx is someone's 
e-mail file. As you can see, there have been a couple different 
results that we have returned.
    If we wanted to see what other files these people were 
sharing, we could go to that person's file. We could find more 
from that user, and we would see all the files that this person 
is sharing.
    So we can see there are other e-mail files that this person 
has. There is the ``sent'' files that this person has. There 
are a whole bunch of deleted items that we could download and 
restore and look at, and there is also the in-box and other 
personal pieces of information.
    So for the next search, we will be doing a slightly more 
sophisticated search, where we will be looking for an Excel 
spreadsheet that has possibly credit card information.
    In this demonstration, we will show how, if you know a 
little about what Excel is, that you know an Excel document has 
the extension ``XLS,'' and you think that someone would call 
their Excel document credit card, or something that begins with 
credit. You could type in these key words here, run a search, 
and this is what you would probably see, something very similar 
to this.
    So here we have a list similar to the list that we had 
earlier, where we had a bunch of files that were returned from 
various users. If we wanted to see some more files from an end 
user, we could click on a file there, type in find more from 
same user. Again, we would see all the fields that that person 
has shared.
    In this case, it looks like the person has pretty much 
shared most of their hard drive. There is again, the in-box 
file. This is the e-mail file we were talking about before. 
There are a whole bunch of system files. There are cookie 
files. If we scan over, we can see a little bit more detailed 
file information.
    We can sort by media type, so we can browse around and look 
for other types of information. So we can see that this person 
has certain spread sheets that pertain to salary structures. 
They have a PDF on tax returns. They have letters that they 
have written to people. They have an address book.
    If we keep browsing through, we will find that they have 
bonus agreements that they have sharing. There is a lot of 
stuff here that this person probably does not want the rest of 
the world to download.
    We also have the credit card activity, the spreadsheet that 
we talked about earlier. There is quite a bit, as you can see; 
office documents and there is the credit card file, again. 
There is another one.
    Here, we also have a password list which, unfortunately, 
probably contains all the passwords that this person has to get 
into various Web sites or corporate sites. People typically 
keep their passwords in a document, because they have to 
remember so many of them.
    So if we downloaded this, we probably would be able to hop 
around to various Web sites and jump into this person's 
accounts and such.
    So this is pretty much the problem that we discovered on 
KaZaA. We determined that through a series of user studies and 
analyzing the interface, that this problem could occur because 
parts of the KaZaA application could be very confusing to 
users, and it relied very heavily on some unstated assumptions.
    In some cases, it was possible for the user to think that 
what they were sharing was completely different than what was 
actually being shared.
    There are too many details to cover in the time that we 
have allocated, but if you were able to go over the research 
report that we have and our written testimony, you should be 
able to get more details about how this problem could possibly 
occur.
    As for solutions, we see two possible paths that we could 
take. The first is education. It is important for people to 
understand that what peer-to-peer can share, and more 
generally, what it means to be connected to a network in terms 
of privacy and security.
    We would also like to see stronger default settings and 
better explanations of what is going on in the program. It is 
important that applications should be safest right out of the 
box.
    Security and convenience are typically seen as tradeoffs of 
one another. As the world becomes more networked and more 
devices are able to store, collect, and share private 
information, it is crucial that we find ways for applications 
to be secure without sacrificing convenience and vice versa.
    Thank you very much for your time.
    [The prepared statement of Mr. Good follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.008
    
    [GRAPHIC] [TIFF OMITTED] T8016.009
    
    [GRAPHIC] [TIFF OMITTED] T8016.010
    
    [GRAPHIC] [TIFF OMITTED] T8016.011
    
    [GRAPHIC] [TIFF OMITTED] T8016.012
    
    [GRAPHIC] [TIFF OMITTED] T8016.013
    
    [GRAPHIC] [TIFF OMITTED] T8016.095
    
    [GRAPHIC] [TIFF OMITTED] T8016.096
    
    [GRAPHIC] [TIFF OMITTED] T8016.097
    
    Chairman Tom Davis. Thank you very much.
    Mr. Schiller.

  STATEMENT OF JEFFREY I. SCHILLER, NETWORK MANAGER/SECURITY 
        ARCHITECT, MASSACHUSETTS INSTITUTE OF TECHNOLOGY

    Mr. Schiller. Good morning and thank you for inviting me.
    Chairman Tom Davis. Thank you.
    Mr. Schiller. I am actually not going to read my statement, 
but I will tell you essentially what is in there. I have been 
involved in the Internet since the day it was born which was, 
we say, January 1, 1983, and there is a story behind that.
    It is funny, I remember, e-mail was the application that 
everybody said was the forbidden application, because it was a 
waste of network bandwidth. So here we are today with e-mail 
being one of the killer applications, and we are looking at 
another application that causes us a bit of concern.
    From my view as a security expert, I can tell you that my 
professional assessment is that these programs, peer-to-peer 
file-sharing, particularly once they are perfected, are not 
significantly more dangerous, from an end users perspective, 
than any other technology they use.
    Just as we have seen here today, KaZaA can be used to 
reveal private information. I have certainly received in my e-
mail inbox private information that was sent via e-mail, due to 
various viruses and worms that people have caught. Because of 
who I am, I net a lot of that sort of stuff, and it is pretty 
amazing what you can get.
    So I try to say, what is the difference between a file-
sharing program that we have today and some of the traditional 
technology that we have on the Internet, such as e-mail and Web 
browsing?
    One of the key differences is that file-sharing is still 
under active development. The e-mail technology we use today 
was standardized many years ago, and it does not change.
    As a manager of a network, if I wish to control e-mail, if 
I wish to set up a firewall that examines incoming e-mail 
messages to make sure they do not contain viruses or worms, I 
can do that, but I can be pretty assured that my e-mail 
scanning will, in fact, happen as it is supposed to.
    However, file-sharing programs are programs that are 
currently under active development. As some of us who run 
networks try to put in ways of controlling them, the authors of 
these programs in their newest versions put in ways to get 
around those controls.
    So one of the ways that peer-to-peer file-sharing 
significantly differs from the more traditional applications is 
the intent to subvert third party controls. That is inherent in 
them. That is not inherent in other technologies.
    So as a network manager, one of my concerns with peer-to-
peer file-sharing is its use of our precious bandwidth, which 
we pay dearly for; and there are various tactics that we can do 
to try to limit the use of that bandwidth. What happens next, 
of course, is the next version of these programs, those various 
techniques to avoid that rate limiting.
    Without going into a lot of technical detail, one of the 
things we have been seeing is what I call ``port hopping.'' 
Most Internet applications use a well known port. E-mail 
travels over port 25, for example; file transfer over port 21, 
Web browsing over port 80.
    Well, in their early days, most file-sharing programs had 
well known ports. I use port 1214, for example, and by 
controlling access to that port, we could control its use.
    What we are seeing more and more of are programs that hop 
around. They might use port 1214 for a few minutes, and then a 
few minutes later, we see a lot of traffic on some other 
literally randomly chosen port. With applications that do this, 
it becomes very difficult to actually know what is going on and 
control it.
    We have also seen applications that appear to be encrypting 
their content; not to hide it from any eavesdropper, but to 
make it difficult again for us to figure out, oh, this is file-
sharing programs. There are many such programs that do this. 
KaZaA is not the only one.
    So my point today is that one of the things that makes 
these things just a bit more dangerous than other things is the 
attempt to subvert third parties.
    Particularly in an environment where you have end users who 
are not necessarily experts, who leave themselves exposed, we 
have many places where we try to use firewalls at the corporate 
level to protect people, and that is being subverted.
    Now like everything, many things are a two-edged sword. 
Sometimes, the third parties trying to control access to the 
network are not necessarily what we could consider good guys.
    The same technology that a corporation can use to control 
access can be used by governments that wish to suppress their 
people, and peer-to-peer file-sharing programs can often be 
used as a way of spreading the work, without it being 
controlled. But like all things, it is a two-way street, thank 
you.
    [The prepared statement of Mr. Schiller follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.014
    
    [GRAPHIC] [TIFF OMITTED] T8016.015
    
    [GRAPHIC] [TIFF OMITTED] T8016.016
    
    [GRAPHIC] [TIFF OMITTED] T8016.017
    
    Chairman Tom Davis. Thank you very much.
    Dr. Hale.

  STATEMENT OF DR. JOHN HALE, ASSISTANT PROFESSOR OF COMPUTER 
  SCIENCE AND DIRECTOR, CENTER FOR INFORMATION SECURITY, THE 
                      UNIVERSITY OF TULSA

    Mr. Hale. Mr. Chairman, Ranking Minority Member Waxman, and 
members of the committee, thank you for giving me the 
opportunity to testify today on a topic that is of growing 
concern to the network security community, to American 
businesses and schools and, in fact, anyone that uses the 
Internet.
    I am an Assistant Professor of Computer Science at the 
University of Tulsa, and serve there as the Director of its 
Center for Information Security.
    Over the past 5 years, I have watched peer-to-peer 
technology make a startling transition from the backwaters of 
computer science to mainstream society. This March, Sharman 
Networks hit the 200 million mark for downloads of its popular 
KaZaA Media Desktop.
    File-sharing softwares are in homes, businesses, and 
schools across the world, connecting users in a peer-wise 
architecture that is both resilient and efficient. Peer-to-peer 
networking has grown faster than the Internet itself, reaching 
a much broader audience at this stage of its development.
    But there is a downside to placing such a potent technology 
in the hands of novice users. A peer-to-peer client exposes a 
computer to new threats, and some of the practices of its 
developers magnify the risk.
    The prevalence of spyware in peer-to-peer clients is but 
one example. Developers bundle spyware in their clients to 
generate revenue. One company maintains that it is 
``intrigral'' to the operation of their product.
    Of course, there is no inherent functional dependency 
between advertising and file-sharing. Intrigral then means that 
the peer-to-peer software has been deliberately engineered so 
that it will not function without the spyware active.
    To avoid detection, spyware often hides in system folders 
or runs in the background. Amazingly, some spyware components 
remain on a system long after the original application is 
removed and will even imbed themselves in a host, despite an 
aborted installation of a carrier program.
    Spyware imbedded in clients sometimes downloads executable 
code without user knowledge. Even if the code is not malicious, 
it may contain flaws that render a system vulnerable to attack. 
More importantly, the clandestine nature of the software makes 
detection and remediation extremely challenging.
    Peer-to-peer is also commonly designed to circumvent 
network security services. Techniques such as tunneling, port 
hopping, and push request messages make it difficult to detect 
and filter peer-to-peer traffic.
    HTTP tunneling, in which peer-to-peer communications are 
disguised as Web traffic, is popular because such traffic often 
travels freely across networks. To this end, tunneling not only 
helps violate a network security policy by enabling forbidden 
applications, but also expands the network perimeter in ways 
unknown to system administrators.
    Another trick used by some of the most popular peer-to-peer 
clients is to vary communication ports, a technique called port 
hopping. This thwarts blocking and scanning software that 
identifies network services, based on well-known port 
assignments, as described previously.
    Push request messages in the Gnutella protocol are used to 
circumvent firewalls. Instead of a client pulling a file to it, 
it asks the host behind the firewall to push the file out. This 
is all transparent to the user, but it constitutes a subtle 
collusion between the two clients to violate a security policy.
    Another concern is how flaws in clients can increase 
exposures in a network, leaving it vulnerable to hackers. 
Exploitable weaknesses in peer-to-peer software have been 
identified, and in some cases, the media files themselves can 
enable an attack.
    There is nothing special about peer-to-peer clients that 
makes them any more flawed than other software. However, 
several factors conspire to amplify the risks they induce.
    They engender massive ad hoc connectivity across network 
domains. Hosts are exposed to every user on a peer-to-peer 
network. More than that, they allow users to share files 
pseudo-anonymously. Often, clients, themselves, are installed 
from peers on a network.
    In short, peer-to-peer file-sharing exposes systems to 
untrusted hosts and software, and offers little in the way of 
protection.
    Worms and viruses are also very real threats. The most 
recent example is the Fizzer virus, a blended attack that 
propagates via e-mail and KaZaA.
    Another is the Duload worm, which hides in a system folder, 
and alters the registry so that runs it startup. But it then 
copies itself to several provocatively named files within a 
folder that it exposes to the peer-to-peer network. Since 
Duload relies on human interaction, it is more of a virus than 
a worm.
    So Internet worms that target Web and data base servers 
actually provide better insight of the real potential. Code Red 
infected almost 400,000 Internet hosts within 14 hours, causing 
an estimated $2.6 billion in damage. Nimda infected 2.2 million 
hosts. The Slammer worm, by comparison, only affected 200,000 
hosts, but set new speed records, infecting 90 percent of its 
victims in under 10 minutes.
    A true peer-to-peer worm can infect an entire network with 
similar speed. More importantly, the obstacles for remediation 
indicate that it would have tremendous staying power, re-
infected unpatched hosts and infecting new ones as they came 
on-line.
    There is a role for technology to play in addressing these 
problems, but it is only a small piece of the solution. Users 
have to be made aware of the risks of file-sharing. Developers 
must live up to higher standards of integrity and transparency 
for the software they develop.
    We cannot predict the next Code Red or Nimda. But if and 
when it strikes peer-to-peer networks, I hope we do not look 
back and see a missed opportunity to lead a promising 
technology out a turbulent period in its development; thank 
you.
    [The prepared statement of Mr. Hale follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.018
    
    [GRAPHIC] [TIFF OMITTED] T8016.019
    
    [GRAPHIC] [TIFF OMITTED] T8016.020
    
    [GRAPHIC] [TIFF OMITTED] T8016.021
    
    [GRAPHIC] [TIFF OMITTED] T8016.022
    
    Chairman Tom Davis. Thank you very much.
    Mr. Davidson.

 STATEMENT OF ALAN B. DAVIDSON, ASSOCIATE DIRECTOR, CENTER FOR 
                    DEMOCRACY AND TECHNOLOGY

    Mr. Davidson. Mr. Chairman, Mr. Waxman, members of the 
committee, I am Alan Davidson, associate director of the Center 
for Democracy and Technology. CDT is a non-profit public 
interest group, based here in Washington, dedicated to 
promoting civil liberties and human rights on the Internet.
    Since its creation, CDT has been heavily involved in issues 
of on-line privacy and security, and we welcome the opportunity 
to testify today on a timely issue of privacy and security, the 
question of privacy on popular peer-to-peer file-sharing 
systems.
    We commend the committee for its thoughtful efforts on this 
and other topics related to peer-to-peer over the last few 
months and few years.
    Our top line is this. The use of file-sharing software 
certainly raises serious privacy issues for consumers and 
computer users, often through mistakes that the users make in 
sharing very sensitive personal information.
    At the same time, file-sharing technology can be very 
beneficial. It is new and changing, and it is largely in the 
control of the people who use it. So the most important thing 
that we can do is to inform people about the potential risks of 
sharing, and teach them how to use peer-to-peer safely. There 
are other things, as well, and I will go into that.
    As we have heard, peer-to-peer file-sharing systems are a 
computing phenomenon. They are among the most popular and 
downloaded computer programs today. Much of the concern that we 
have comes from the fact that these are systems that just a few 
years ago were used by a relatively small and savvy group of 
people. Today, they are being embraced by millions of users, 
many of whom do not have a lot of expertise.
    People who install these powerful tools need to be aware of 
the potential privacy and security risks that come from their 
use or their misuse. Among our top concern, first and foremost, 
and potentially most serious, is this issue of inadvertent 
sharing of sensitive personal information.
    I cannot do much better than the demo that you saw in 
trying to make it clear how it is possible, in some cases, 
probably too easy, for people to share personal files. 
Certainly, there is a lot of evidence that some people, at 
least, are doing this.
    A cautionary note, we need to keep this in perspective. We 
do not have a good set of data right now about how big a 
problem this is. There is not very much research in terms of 
quantifying how large a percentage of people are doing this. 
But certainly, for some people, this is a very real problem.
    Second, many file-sharing programs, as we have heard, 
contain spyware that communicates information for advertising 
or for other reasons, often without a user's knowledge.
    This is not a problem that peer-to-peer file-sharing 
networks have alone. This is a problem in many software 
programs for users. But whether in peer-to-peer or in other 
software, consumers deserve real notice and real choices about 
how their computers are going to communicate with third 
parties.
    A third issue for us are the legal risks that people face 
when using these systems and the privacy issues that can come 
with that.
    First of all, file traders who violate copyright laws face 
obvious legal risks. At the same time, we are concerned that at 
least one provision of the current law, which is the broad 
subpoena power that is granted to any copyright holder under 
Section 512(h) of the DMCA, too easily allows the identity of a 
peer-to-peer participant, or for that matter, any Internet 
user, to be unmarked wrongly or by mistake without their 
knowledge. That is something that we think Congress should 
address.
    So what do we do about all of these problems? First and 
foremost, and I think you have already heard some of this, the 
public and particularly the families of file trading minors 
need greater awareness of the potential risks of file-sharing.
    One example of how to do this is something that we have 
been working on, in collaboration with a number of other 
companies and public interest groups, which is the GetNetWise. 
It is a collaborative collection of tools for families seeking 
to protect their kids on-line. It is a Web site, 
GetNetWise.org, that is linked to by over 80,000 sites, 
including many major Internet providers, other public interest 
groups, Members of Congress including, I believe this 
committee, for which we are always grateful, and your tips on 
how to protect kids in peer-to-peer networks from adult 
content.
    First of all, there is a major new initiative in this 
project. I have attached to the back of my testimony some of 
the materials from that, to try to educate parents about how to 
keep their kids safe when using peer-to-peer networks.
    There are lots of tips. There are tips in some of the other 
sets of testimony that were put together. Those are the kinds 
of things that we need to do to really make parents and 
families aware of the risks that they may be facing.
    There are other things that can be done, as well. Another 
is that we must insist that fair information practices be 
obeyed in file-sharing software. Much more could be done to 
design these systems with better transparency and better 
control. Software producers should reject invasive spyware, 
unless they find ways to give people more notice and control.
    Finally, we do think that Congress should be looking at 
finding ways to add privacy protections to these DMCA subpoenas 
so that mistakes are not made.
    I think our bottom line is, we do not need to throw the 
baby out with the bath water. There are many benefits to some 
of these technologies. They are also facing their own moments 
of dislocation and concern.
    We look forward to working with Congress to find a way to 
make sure that privacy is protected without damaging what can 
be a very good source of innovation.
    [The prepared statement of Mr. Davidson follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.023
    
    [GRAPHIC] [TIFF OMITTED] T8016.024
    
    [GRAPHIC] [TIFF OMITTED] T8016.025
    
    [GRAPHIC] [TIFF OMITTED] T8016.026
    
    [GRAPHIC] [TIFF OMITTED] T8016.027
    
    [GRAPHIC] [TIFF OMITTED] T8016.028
    
    [GRAPHIC] [TIFF OMITTED] T8016.029
    
    [GRAPHIC] [TIFF OMITTED] T8016.030
    
    [GRAPHIC] [TIFF OMITTED] T8016.031
    
    [GRAPHIC] [TIFF OMITTED] T8016.032
    
    [GRAPHIC] [TIFF OMITTED] T8016.033
    
    [GRAPHIC] [TIFF OMITTED] T8016.034
    
    [GRAPHIC] [TIFF OMITTED] T8016.035
    
    [GRAPHIC] [TIFF OMITTED] T8016.036
    
    [GRAPHIC] [TIFF OMITTED] T8016.037
    
    [GRAPHIC] [TIFF OMITTED] T8016.038
    
    [GRAPHIC] [TIFF OMITTED] T8016.094
    
    [GRAPHIC] [TIFF OMITTED] T8016.039
    
    Chairman Tom Davis. Thank you very much.
    Mr. Broes.

   STATEMENT OF DEREK S. BROES, EXECUTIVE VICE PRESIDENT OF 
     WORLDWIDE OPERATIONS, BRILLIANT DIGITAL ENTERTAINMENT

    Mr. Broes. Thank you for inviting me. Chairman Davis, 
Representative Waxman, and members of the committee, I am Derek 
Broes. I am the executive vice president of Worldwide 
Operations for Brilliant Digital Entertainment and its 
subsidiary, Altnet.
    Altnet offers the largest secure commercial platform for 
distribution of digital content over peer-to-peer software-
based networks.
    Under an exclusive agreement with Sharman Networks Limited, 
publisher of KaZaA Media Desk peer-to-peer application, Altnet 
reaches an estimated 75 million worldwide unique users per 
month. That is about twice the reach of America Online.
    With this reach, Altnet has become the largest distributor 
of rights-managed content over the Internet today. Altnet takes 
the issues before this committee very seriously. As you will 
hear in my testimony today, Altnet is leveraging its role as 
the market leader by spearheading efforts to make security and 
privacy over file-sharing networks a top priority.
    There is something very exciting about technology that 
allows tens of millions of people across the globe to 
simultaneously connect to each other. It is a true digital 
democracy.
    But as in any democracy, there are challenges that must be 
overcome, and moral and ethical standards to be established. As 
with any technology that reaches millions of people, there is a 
responsibility that every company must assume when creating an 
instant messenger, e-mail, peer-to-peer, online interactive 
games, chat rooms, or any technology designed to share digital 
words or files with anyone, any time, instantly.
    My past experience in the entertainment industry, combined 
with experience in Internet peer-to-peer security technologies, 
gives me a uniquely broad perspective on the issues before the 
committee here today.
    As the former CEO of Vidius, Inc., I built an Internet 
security company that creates products to monitor corporate 
networks for security risks associated with file-sharing 
applications that are run on company computers. In most cases, 
we found the risks solvable with simply company policy changes 
and minor network alterations.
    In addition to addressing corporate security risks, much of 
Vidius' work was dedicated to an in-depth technical analysis of 
peer-to-peer networks for such clients as the Motion Picture 
Association and the Recording Industry Association of America, 
and that was from an anti-piracy point of view.
    I firmly believe that it is the responsibility of peer-to-
peer file-sharing companies to protectively protect the privacy 
and security of the users of their software application.
    While there are some unique challenges to making file-
sharing programs applications more secure, which I will 
outline, it is important that we de-mystify these technologies 
and realize that the many protective security technologies that 
are already widely available.
    By simply adopting the standards commonly used by the World 
Wide Web such as Secure Socket Layer, Public Key Infrastructure 
[PKI], and Authentication Agents, file-sharing becomes much 
more secure.
    In addition to these, distributors of peer-to-peer 
applications should adopt standard user privacy policies, and 
take care to educate users as to how their applications works 
and how to be a safe and responsible user of that application.
    Beyond adopting industry standard security practices and 
policies, distributors of file-sharing applications must also 
address security challenges common to peer-to-peer and similar 
infrastructures.
    A publicized threat with file-sharing technology, as well 
as with e-mail and instant messenger technologies, is the 
spread of viruses. As you would expect, when files come from an 
anonymous and uncertified source, the risk of that file 
containing a virus is greatly increased.
    In addition, many file-sharing applications provide a tool 
to allow users to search their hard drives for files to share. 
If that tool is used incorrectly, users could inadvertently 
give access to their confidential files and folders.
    Allow me to review how Altnet meets the challenges from 
within the KaZaA Media Desktop peer-to-peer application, and 
how Sharman Networks, the owner and operator of KaZaA have 
reacted to various privacy and security issues over the past 18 
months.
    Altnet's patented technology called ``TrueNames'' ensures 
that only certified and authenticated files can be transferred 
by the Peer Enabler component of the Altnet application. This 
eliminates the risk of viruses when users download files from 
file-sharing networks that utilize this technology, such as the 
KaZaA Media Desktop.
    Sharman Networks has taken great care to protect users' 
privacy and security. As distributors of the most popular peer-
to-peer application today, Sharman Networks has consistently 
led the field with security enhancements developed explicitly 
for the challenges of this new industry, including the peer-to-
peer's first built-in anti-virus tool.
    KaZaA Media Desktop contains two layers of propriety virus 
protection technology. In addition, Bullguard, a well-known 
anti-virus software, is installed free with the KaZaA Media 
Desktop application, providing users with an additional layer 
of security and protection.
    Sharman has shown great commitment to ensure that any new 
malicious viruses that freeze or silence or otherwise 
compromise a user's PC and its information are detected by this 
software, as was with Fizzer.
    Altnet and Sharman Networks take every opportunity to 
encourage responsible and safe peer-to-peer usage through user 
education and via the default configuration of the software of 
the upcoming release.
    The nature of the decentralized peer-to-peer technology 
means that users are in control of the material they choose to 
share with others. Our goal is to provide them with the 
education and tools they need for safe and responsible use.
    Commercialization of the World Wide Web has lead to the 
creation and adoption of advanced security, privacy policies 
and protection technologies, and the evolution of file-sharing 
networks will follow that same path.
    The future technological benefits of peer-to-peer 
technology are only now being explored and include the 
voluntary creation of shared resource networks that will allow 
massive distributed computing and storage of a scale only 
dreamed about by the pioneering medical research and astronomy 
projects that have received publicity to date.
    These types of applications will give research labs the 
ability to share processing power with hundreds of thousands of 
computers and digitally crunch billions of numbers in a 
nanosecond.
    The technological benefits of such a program are 
undisputed. From medical research to rendering Toy Story part 
3, Altnet intends to lead the market by presenting an opt-in 
resource sharing program to users that will be defined by the 
highest principles of disclosure and consent.
    If file-sharing software companies understand and meet 
their responsibilities, and content companies support these 
positive and important initiatives, then companies such as 
Altnet will have the ability to find an audience, reduce 
piracy, offer vastly improved efficiencies in digital 
distribution, create instantly accessible global content sales 
and marketing channels, provide a variety of public services, 
distribute a movie, market an artist, and sell a game, all 
while turning a profit and protecting user privacy from within 
a secure environment.
    We welcome input from our peers and from this committee to 
insure that we continue to meet the responsibilities we have 
assumed. Thank you, Mr. Chairman, for the opportunity to 
participate in this important hearing today.
    [The prepared statement of Mr. Broes follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.040
    
    [GRAPHIC] [TIFF OMITTED] T8016.041
    
    [GRAPHIC] [TIFF OMITTED] T8016.042
    
    [GRAPHIC] [TIFF OMITTED] T8016.043
    
    Chairman Tom Davis. Thank you very much.
    Ms. Frank.

 STATEMENT OF MARI J. FRANK, ESQUIRE, MARI J. FRANK, ESQUIRE & 
                           ASSOCIATES

    Ms. Frank. Good morning, Chairman Davis, Ranking Member 
Waxman, honorable committee members and invited guests. Thank 
you for the opportunity to address you today.
    My name is Mari Frank, and I am attorney and the author of 
the ``Identity Theft Survival Kit'' and ``Privacy Piracy'' from 
Laguna Niguel, CA. I have brought copies of these for the 
committee to use.
    My identity was stolen in 1996 by an imposter who paraded 
as an attorney, robbing me of my profession, my credit, and my 
piece of mind. She obtained over $50,000 using my name, after 
going on-line to obtain my credit report.
    Your personal information, worth more than currency itself, 
can be used to apply for credit cards, mortgages, cell phones, 
insurance, utilities, products, and services, all without your 
knowledge.
    A fraudster can do anything you can do, and worse than 
that, they can do things you would not do, like commit crimes 
and terrorist activities.
    There are three motivations for identity theft. First is 
financial gain. An example: Robert is a high tech computer 
consultant who normally encrypts all his sensitive data on his 
computer.
    Unfortunately, his resume was not stored in an encrypted 
file. He suspects that his impersonator accessed his computer 
through a network, copied his resume, and used it to obtain a 
well paying job. When Robert applied for the same job, he was 
shocked to find out that another person with his name and 
credentials was already hired.
    The second reason is avoiding prosecution. Tom was laid off 
from a high paying job in the medical industry. He had great 
recommendations and felt sure that he would be re-hired. For 2 
years, he was denied position after position, after each 
company had performed a background check.
    Finally, Tom hired a private investigator that showed him 
that his criminal background included two DUIs and an arrest 
for murder, none of which belonged to him.
    The third reason someone commits identity theft is revenge. 
The first cyber-stalking case prosecuted in Orange County, CA 
turned out to be identity theft. A computer expert was angry 
when a woman he liked shunned his advances. So he impersonated 
her in a chat room, stating that she had fantasies of being 
raped. When he gave out her phone number and address, several 
men appeared at her door.
    There are many ways in which personal information can be 
obtained. According to the FTC, the Federal Trade Commission, 
72 percent of victims have no idea how their information was 
accessed.
    The new May 2003 California Public Research Study on Police 
and Identity Theft list the top sources of identity theft: mail 
theft, dumpster diving, unscrupulous employees, stolen or lost 
wallets, Internet fraud, burglary, friends, relations, phone 
scams, unethical use of public documents, shoulder surfing, 
medical cards and drivers licenses, and personal information 
sold by financial institutions.
    Since this hearing is focusing on the peer-to-peer file-
sharing vulnerabilities and the potential of revealing 
sensitive information in our computers, I am going to give a 
few suggestions that are just lay person things.
    No. 1, research any program before installing it. No. 2, 
learn how to safely stop sharing your files and how to unblock 
wanted files from entering your computer. Three, if possible, 
when using peer-to-peer file-sharing on the Internet, use a 
computer that does not store personal information on it.
    Four, password protect and encrypt your sensitive files. 
Five, do not put any confidential information in your e-mail, 
unless they are encrypted. Next, be conscious about what 
information you share in your files at Web sites, in chat 
rooms, and in e-mail.
    Read the privacy policies of the Web site you deal with and 
try and understand them. Make sure you have updated virus 
protection on your computers, and do not assume that you are 
anonymous.
    Your confidential information is a valued commodity. 
Marketers, information brokers, and the financial industry, 
buy, transfer, and sell your aggregated profiles, including 
your income; credit-worthiness; buying, spending, and travel 
habits; health information, and much more.
    Intimate facts about your life are shared legally and 
illegally without your knowledge or consent. The loss of 
control over our personal information has led to the epidemic 
of identity theft.
    I applaud this committee for researching the perils posed 
by peer-to-peer file-sharing. It is important to acquire 
knowledge, security measures, and careful strategies to protect 
ourselves. Hopefully, divulging security flaws in peer-to-peer 
file-sharing and other technologies to the media and Congress 
will encourage companies to make user-friendly security a top 
priority.
    But peer-to-peer file-sharing may pose less of a theft of 
identity theft than the careless display of records at your 
doctor's office, the negligently piled tax returns left on your 
accountant's desk for the cleaning crew to review, the 
encrypted and unlocked cabinets with personnel files at work, 
the non-shredded trash bins behind banks, insurance agencies, 
and mortgage companies, and the hack data bases of credit card 
companies, financial companies, and universities and the like.
    To prevent identity theft, the burden should be on the 
credit granters who are in the unique position on the front end 
to take precautions and require verification of change of 
address, and refuse to issue to fraudsters.
    Unfortunately, quick, easy credit, pre-approved offers 
convenience checks, mass marketing of data bases and sloppy 
information handling make this a simple crime.
    I encourage this honorable committee to also investigate 
ways in which the financial industry and information brokers 
can better protect our security.
    Since Congress passed the Financial Modernization Act in 
1999, identity theft has skyrocketed. Whether on-line or 
offline, our sensitive information must be better protected to 
foster consumer trust, so that our economy and our society can 
flourish; thank you.
    [The prepared statement of Ms. Frank follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.044
    
    [GRAPHIC] [TIFF OMITTED] T8016.045
    
    [GRAPHIC] [TIFF OMITTED] T8016.046
    
    [GRAPHIC] [TIFF OMITTED] T8016.047
    
    [GRAPHIC] [TIFF OMITTED] T8016.048
    
    [GRAPHIC] [TIFF OMITTED] T8016.049
    
    [GRAPHIC] [TIFF OMITTED] T8016.050
    
    [GRAPHIC] [TIFF OMITTED] T8016.051
    
    [GRAPHIC] [TIFF OMITTED] T8016.052
    
    [GRAPHIC] [TIFF OMITTED] T8016.053
    
    [GRAPHIC] [TIFF OMITTED] T8016.054
    
    [GRAPHIC] [TIFF OMITTED] T8016.055
    
    [GRAPHIC] [TIFF OMITTED] T8016.056
    
    [GRAPHIC] [TIFF OMITTED] T8016.057
    
    [GRAPHIC] [TIFF OMITTED] T8016.058
    
    [GRAPHIC] [TIFF OMITTED] T8016.059
    
    [GRAPHIC] [TIFF OMITTED] T8016.060
    
    [GRAPHIC] [TIFF OMITTED] T8016.061
    
    [GRAPHIC] [TIFF OMITTED] T8016.062
    
    [GRAPHIC] [TIFF OMITTED] T8016.063
    
    Chairman Tom Davis. Thank you very much.
    Mr. Farnan.

STATEMENT OF JAMES E. FARNAN, DEPUTY ASSISTANT DIRECTOR, CYBER 
 DIVISION, FEDERAL BUREAU OF INVESTIGATION, ACCOMPANIED BY DAN 
     LARKIN, SUPERVISORY SPECIAL AGENT, FEDERAL BUREAU OF 
                         INVESTIGATION

    Mr. Farnan. Good morning, I would like to thank Chairman 
Davis, Ranking Member Waxman and members of the committee for 
the opportunity to testify today.
    We welcome your committee's leadership in dealing with the 
serious security and privacy issues associated with identity 
theft and peer-to-peer sharing.
    My testimony today will address the activities of the FBI's 
Cyber Division, in relation to the Internet and identity theft.
    I have asked Supervisory Special Agent, Dan Larkin, Chief 
of our Internet Fraud Complaint Center to attend, and he will 
provide specific answers, should the committee have any 
questions about more technical matters with the Internet Fraud 
Complaint Center's role in this area.
    A May 8th cover story in the Washington Post is nothing new 
to Americans today. Another group was discovered in possession 
of a veritable factory of counterfeit credit cards, including 
newly made cards, credit card numbers downloaded from a major 
retail store, and 600 pages containing more than 40,000 alleged 
stolen names and credit card numbers.
    As the investigation continues, we will probably find that 
these criminals have affected the lives of hundreds of victims, 
perhaps destroying their credit and creating hardships that 
will take years to abate.
    These thefts could be the result of computer hacking, 
insider theft, and/or social engineering. Stolen information 
can also be sold and used to establish new identifies for 
fugitives or terrorists. In these cases, identity theft can 
have much more serious consequences.
    Identity theft is the fraudulent use of individual's 
personal identifying information. It is normally a component or 
end result of another crime. Victims of identity theft often do 
not realize that someone has stolen their identity until their 
credit has been ruined.
    Although we have received no complaints alleging identity 
theft by peer-to-peer to networks, some factors must be 
considered.
    Peer-to-peer networks primarily serve as a ``come and get 
it'' resource on the Internet. In using such a utility, the 
user specifically searches for the item they want; for example, 
music, images, or software.
    The most significant criminal activity involving peer-to-
peer sharing centers largely on music and software privacy, an 
area in which the FBI has been working closely with the private 
industry.
    The FBI has also seen an increase in peer-to-peer sharing 
of child pornography files. Peer-to-peer networks are 
increasingly being identified as sources from which Trojans or 
back doors were installed on computers during downloads.
    Victims sometimes discovered that personal and financial 
information have been removed from their computer through the 
back door. It is becoming more common for ``bots'' or active 
Trojans to be installed during a peer-to-peer download.
    In these instances, the victim computer executes 
instructions from the ``bots'' creator. Active ``bots'' could 
also be used to retrieve sensitive information from victim 
computers in furtherance of identity theft schemes. A person 
using peer-to-peer utilities for unauthorized or illegal 
purposes is not as likely to tell the FBI that a back door was 
found on their system, or that as a result, certain personal or 
financial information may have been taken.
    Through the Internet Fraud Complaint Center [IFCC], the FBI 
has positioned itself at the gateway of incoming intelligence 
regarding a wide variety of cyber crime matters. The IFCC 
received 75,000 complaints in 2002, and is now receiving more 
than 9,000 complaints each month.
    We expect that number to increase significantly, as the 
American and international communities become more aware of our 
mission and capabilities.
    Later this year, the IFCC will be renamed as the Internet 
Crime Complaint Center, to more accurately reflect its mission. 
The center receives complaints about various Internet-based 
crimes, analyzes the complaints for common patterns and 
perpetrators, and then sends them the appropriate agency for 
investigation and prosecution.
    In summary, cyber crime continues to grow at an alarming 
rate, and identity theft is a major part of the increase. 
Criminals are only beginning to explore the potential of crime 
via peer-to-peer networks.
    The FBI is grateful for the efforts of your committee and 
others dedicated to the safety and security of our Nation's 
families and businesses. The FBI will continue to work with 
your committee and aggressively pursue cyber criminals as we 
strive to stay one step ahead of them in the cyber crime 
technology race.
    I thank you for your invitation to speak to you today, and 
on behalf of the FBI, I look forward to working with you on 
this very important topic; thank you.
    [The prepared statement of Mr. Farnan follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.064
    
    [GRAPHIC] [TIFF OMITTED] T8016.065
    
    [GRAPHIC] [TIFF OMITTED] T8016.066
    
    [GRAPHIC] [TIFF OMITTED] T8016.067
    
    [GRAPHIC] [TIFF OMITTED] T8016.068
    
    [GRAPHIC] [TIFF OMITTED] T8016.069
    
    [GRAPHIC] [TIFF OMITTED] T8016.070
    
    [GRAPHIC] [TIFF OMITTED] T8016.071
    
    [GRAPHIC] [TIFF OMITTED] T8016.072
    
    [GRAPHIC] [TIFF OMITTED] T8016.073
    
    [GRAPHIC] [TIFF OMITTED] T8016.074
    
    [GRAPHIC] [TIFF OMITTED] T8016.075
    
    [GRAPHIC] [TIFF OMITTED] T8016.076
    
    [GRAPHIC] [TIFF OMITTED] T8016.077
    
    [GRAPHIC] [TIFF OMITTED] T8016.078
    
    [GRAPHIC] [TIFF OMITTED] T8016.079
    
    Chairman Tom Davis. Thank you very much. I thank all of you 
for your input into this. Let me just ask a general question of 
the panel. The testimony, I think, makes it clear that users of 
file-sharing programs can expose their most personal files to 
millions of strangers, many times without the knowledge of the 
person using the files.
    Is there general agreement among the witnesses that file-
sharing programs can be confusing to configure, and that most 
people are unaware that they might be sharing their tax 
returns, credit card data and other confidential files on these 
networks? Is there a consensus on that?
    Mr. Farnan. I think so, yes.
    Mr. Davidson. I would just say that your mileage may vary, 
in the sense that different programs do have different 
capabilities or different defaults. So I think on the one hand, 
people should not get the feeling that if they use one of these 
things, they are automatically sharing everything on their hard 
drive. But the flip side of it is, I think the usability 
studies have shown that a lot of them could do a lot better 
job.
    Mr. Broes. Also, software companies across the board have 
taken this secure by default initiative, where the 
applications, when they install it, it is secure. In the past, 
not even Microsoft had done that.
    So now, today, the standards that everyone is practicing, 
including Sharman Networks and Altnet, is by the standard, once 
it is installed, it is locked, and then guides the user and 
allows the user to unlock it if they see fit.
    So for the most part, there are many peer-to-peer 
applications out there, primarily on the new Tele-base, that 
are very difficult to understand.
    Chairman Tom Davis. Obviously, an educated user is the best 
defense. I do not think there is any question about that. The 
level of sophistication of people using this is very different.
    How widespread is this problem? I mean, we see the 
potentials; we see an isolated case. Does the FBI have any data 
on how widespread it is? Do you have any feel for that?
    Mr. Farnan. Let me ask Mr. Larkin if he can address that 
particular question.
    Chairman Tom Davis. I am going to have to swear him in.
    [Witness sworn.]
    Mr. Larkin. Well, the problem is growing, but it is how we 
define the problem, I guess, as Mr. Farnan had indicated. What 
we see with the peer-to-peer networks is not so much identity 
theft. It is more intellectual property rights and software 
piracy and that kind of thing.
    Although we have not linked it to identity theft, 
specifically, we do have instances where there are Trojans and 
``bots'' that have been downloaded, at a pretty high rate and a 
growing rate, giving the unscrupulous creator of that Trojan or 
that BOT the opportunity to come in and access information on 
that computer.
    Generally, though, it has not been the practice of those 
subjects out there to go in and look for that data. They are 
just looking for that computer to use, for some other high 
speed attack where they need that type of bandwidth for.
    Chairman Tom Davis. You only need a couple cases, and lives 
can be completely destroyed.
    Mr. Farnan. That is true.
    Chairman Tom Davis. Are there any other thoughts on that?
    Ms. Frank. I think the only other thing I would say is, it 
is so important to realize that most identity theft victims do 
not know where it is coming from. So what happens is, if they 
are sharing and somebody gets this information, they will never 
know, and it is very hard for even the FBI to know.
    Chairman Tom Davis. Mr. Broes, what steps is KaZaA taking 
to proactively protect their privacy and security of its users?
    Mr. Broes. Well, I cannot speak on behalf of Sharman 
Networks. But I can tell you that as a partner, we have 
encouraged them to look at every possible study, such as Mr. 
Good's study, and they have definitely taken that to heart.
    I think many of the things that he has discussed and many 
of the issues that we are discussing here today will be 
addressed in the very, very near future, in the future 
releases.
    Chairman Tom Davis. In general, are the file-sharing 
companies doing a good job educating users about the privacy 
and security risks? Are they doing a better job; are they on to 
this? What is the consensus on this?
    Mr. Broes. Well, I have recently come on board with Altnet. 
I would say that from my perspective, Sharman Networks, who run 
KaZaA Media Desktop, have been the most proactive in that.
    In the past, coming from the security and technology 
background, I was the one that was actually hired by the Motion 
Pictured Association, when they AA to do the analysis of the 
fast track network, before the legal action was taking place. 
So I had a unique look at this.
    I can tell you from what I have seen, they are taking the 
most proactive approach. I have encouraged it with some of the 
other peer-to-peer companies, such as LimeWare and Bearshare, 
with absolute resistance.
    Chairman Tom Davis. Thank you very much.
    Mr. Waxman.
    Mr. Waxman. Thank you, Mr. Chairman. I think most people do 
not realize, they are opening up their own files when they go 
to these peer-to-peer systems.
    Mr. Good, in your demonstration, were you actually 
downloading someone's personal files in real time?
    Mr. Good. No, during the demonstration, that was recorded 
beforehand. But no, we did not download anything. We just 
looked and browsed around.
    Mr. Waxman. So you can look and browse around. Is the 
reason that people have their personal files open for others to 
come in and look around because of the configuration process 
when they go to the peer-to-peer networks?
    Mr. Good. If I understand the question correctly, the 
question was, would people be sharing stuff other than by 
making a mistake? Is that correct?
    Mr. Waxman. Well, if you were going to go to a peer-to-peer 
network, I do not think you are asked the question, are you 
willing to open up all your files; or are you asking the 
question? Do people then check, yes, or are you able to check, 
no?
    Mr. Good. Yes, you are not asked directly, do you want to 
open up all your files. You are asked, what do you want to 
share with the network.
    There are various ways that they do it. Depending on the 
version, in earlier versions, they offered to search your hard 
drive for you.
    In different versions, just by default, they would not 
share anything. Then if you decided to change the download 
folder, you had to understand what it meant to change the 
download folder. Those assumptions were not stated explicitly. 
So it really depends.
    In the latest version that we downloaded a couple of days 
ago, it does offer to search to share your files. But it does 
not ask you that question directly, do you want to share 
everything or not.
    Mr. Schiller. If I may jump in?
    Mr. Waxman. Yes, Mr. Schiller.
    Mr. Schiller. Just last week, I asked my staff to do a 
trial run of downloading KaZaA, because I wanted to see how it 
worked these days because, of course, it keeps changing.
    We used a blank computer that was newly installed, fresh, 
what have you, and downloaded KaZaA. When we installed it, it 
did ask us the question, do you wish to search your hard drive 
for files to share. It offered to share the directory where 
those files are stored.
    I said to the guys doing this, you know, that means it is 
going to search for media files like MP3s and what have you. 
But then it is going to offer to share the directory that they 
are in, which might contain other files. Is it only going to 
share the MP3s or is it going to share all the other files?
    Now we are experts, and we did not know. I think most 
people would not think twice about it. So if you had an MP3 in 
your ``My Documents'' folder, and you also had your tax returns 
in your ``My Documents'' folder, I would bet even money that 
the chances are, both wind up being shared.
    Mr. Good. That is actually a really good point. I mean, it 
does not state the assumptions that it is using while it is 
sharing. While it is searching for folders to share, it does 
not state what those were. As Jeff has mentioned, even experts 
were not able to really tell what it was looking for.
    Mr. Davidson. Right; I think there are two issues. One is 
sort of what are the defaults; what is easy to do? It turns out 
that in a lot of these systems, it is very easy to share more 
than you might expect to.
    The other is that in a lot of these systems, you do have to 
take an affirmative step to share a lot of files, and 
particularly to share a whole drive.
    For example, a system that we tried out in our office did 
not give you any warning when you decided to share your whole C 
drive, as it were. There is a lot more that could be done in 
the design of this software, to make sure that people have some 
awareness that might not be a good idea.
    Mr. Waxman. As I understand it, on the KaZaA Network, users 
get priority for downloads, the more files they share, which is 
obviously an incentive for them to share more files. That could 
lead teenagers to share all of the sensitive files on their 
parents' computers.
    What steps, if any, does KaZaA take to ensure that all 
users of a particular computer know which files are being 
shared? Does anybody have any idea of that?
    Mr. Schiller. If I understand the question correctly, you 
are asking what measures are taken to educate the user, as to 
what files they are sharing. I can tell you that it is not true 
that they do not get a priority. So I do know that. The 
priority is for uploads and not files that are downloaded.
    Mr. Waxman. What does that mean?
    Mr. Schiller. The priority is for an upload. So for upload 
speeds; that your files will have essentially a greater path. 
But I am not too certain on this.
    Mr. Waxman. Does that mean you get a better quality?
    Mr. Schiller. You get a better quality of download; a 
better quality of transfer, perhaps. I do not know the 
specifics.
    Mr. Waxman. Is it not an incentive then, to open up your 
files to get the better quality?
    Mr. Schiller. No, I do not think so. I think the initiative 
that Sharman and Altnet have always gone by, and this is why 
Altnet has licensed files, we have an application that is 
coming out in the next few weeks that will give people points 
that they can exchange for cash and prizes for sharing 
legitimate files.
    So we are trying to curb the user behavior. Essentially, we 
are trying to encourage them to not share illegitimate or 
illegal or illicit files, because they will not have any 
benefit for doing so. We disclose that right at the beginning. 
So essentially, you will see on the front page, it says, for 
downloading or uploading gold files, you get points for and you 
benefit for that.
    So that is really important. We were talking about user 
behavior or education of the end user, educating them that 
there is zero benefit to transferring or sharing illegal files; 
and there is all the benefit in the world for transferring 
legitimate files. So that is the message that we put forth.
    To address some of the issues that we heard here recently, 
I think that I can tell you that the future versions of KaZaA 
Media Desktop, it is not public information. I cannot give 
specifics about what changes have been made. But I can tell you 
that all the issues that we have just heard with regards to a 
user mistakenly sharing a folder or sharing an entire directory 
have been addressed.
    Mr. Waxman. My time is up, and we will have another round, 
I am sure. But I just want to ask you a yes or no question. A 
user maximizes the number of uploads by sharing the most files. 
Is that not a correct statement?
    Mr. Broes. In participation, yes.
    Mr. Waxman. And it does not distinguish which files?
    Mr. Broes. No, that is purely up to the user. The user 
makes the decision on what files he wants to share.
    Mr. Waxman. Well, I am going to question that in the next 
round.
    Mr. Broes. Sure.
    Mr. Good. Mr. Chairman, my-author would like to speak, 
also. Could we swear him in right now?
    [Witness sworn.]
    Chairman Tom Davis. Thank you, please state your name for 
the record.
    Mr. Krekelberg. I am Aaron Krekelberg. To address your 
question, there is nothing that prevents a teenager from 
sharing their father's files or their parents' files. If the 
parent were to use that computer, they would not know that that 
teenager had allowed the sharing of those files.
    Mr. Waxman. And is there an incentive to share more fields, 
in order to get better uploads?
    Mr. Krekelberg. There seems to be a new performance level 
that they are adding. There seems to be an incentive to share 
more files.
    Mr. Davidson. There is a simple answer, which is, in some 
of these systems, yes, that is absolutely true.
    Mr. Broes. Let me just also re-define something. It is not 
how many files you are sharing. It is how many files are 
uploaded.
    So the user is incentivized to not share thousands of 
files. They are incentivized to share files that people would 
like and legitimate files. So by putting 10,000 files in your 
shared folder, that is not going to help your status.
    Mr. Waxman. Well, some people who are interested in 
identity theft or delving into the privacy of others may want 
those files. I assume what you are saying is that most people 
who go to peer-to-peer file-sharing are more interested in 
music, and that is more popular.
    But we are opening up a whole new area for a greater 
popularity to get private information about people what that is 
available to someone who takes advantage of the opportunity.
    Mr. Broes. Well, from my previous experience in analyzing 
these networks and for precisely what we are discussing here, 
sharing private information, we saw a rapid decline over the 
years as people understood how a file-sharing network actually 
works.
    So at the beginning, when it was just a Gnutella-based, 
initially right after they shut down Napster, we saw this major 
flood of literally tens of millions of people going to 
Gnutella.
    Of course, they did not understand just how that 
decentralized network functioned. So we saw a tremendous amount 
of personal files being shared. But as we continued to monitor, 
and as we continued to educate, we saw less and less. So today, 
I actually find far less private files than initially.
    Mr. Waxman. Is that a statement that others would agree 
with?
    Mr. Good. Well, it is a difficult question to answer, 
Because the KaZaA Network is encrypted. So it is difficult to 
really tell to what extent the network you are searching in, at 
any given time; or how much access to the network a given 
client has.
    We ran our study initially in June of last year. Over a 12 
hour period, we were able to find about 150 users who were 
sharing their inboxes, unique users.
    We ran a similar study in January, and we ran it for a 
longer period of time, over a week, and we were able to find 
about 1,000 users who were sharing their in-boxes.
    It is difficult for us to say whether this is an increase 
or a decrease, because of the encryption, and we're not allowed 
to reverse engineer it, so we cannot figure out what is going 
on. But it definitely seems like it is a problem today.
    Mr. Waxman. Thank you; I have further questions, but I know 
my colleague, Mr. Shays, wants to ask some.
    Mr. Shays. My daughter would advise me not to be here, so I 
would not expose my unbelievable ignorance.
    Secretary McNamara, many years ago, always thought there 
was a solution to every problem. He acknowledged about 10 years 
ago that he realizes there are some problems without solutions.
    As I am listening to this dialog, I am obviously hearing 
the issue of identity. I am hearing somewhat the issue of 
virus. I know this is not a hearing about copyright. So we are 
not going to deal with that issue.
    But I am interested to know, are there solutions to the 
issue of privacy, particularly; and if so, are they regulatory, 
legislative, what are they? Maybe you could just kind of go 
down the line here.
    Mr. Good. Certainly, well, our view is twofold. As I said 
in the opening statement, we think it is very important to 
educate people. We live in a world now where people can be 
connected to the Internet 24 hours a day.
    We are going to be living in a world shortly where the 
Internet is going to be on your cell phone, and location 
information and this sort of information is going to be 
available to people, also.
    So it is very important for people to understand what it 
means to be connected to the network, and what sort of 
information that they could be potentially sharing.
    The second and probably the more important thing, 
especially since I am a researcher in human/computer 
interaction, we like to think that we can design things so that 
we are not compromising security and convenience. We want 
security and convenience to live together, so that things are 
convenient, but they are also very secure.
    Mr. Shays. Do you think that is possible?
    Mr. Good. I think, to a certain extent, it is. I think 
having very smart defaults, having defaults that really protect 
the user; and we are starting to see that in the world, as 
Microsoft now is really trying to push out. So out of the box, 
things are safest.
    This has not always been the case. It has always been the 
case that when things come out the box, they are pretty much 
open to anything. This makes the world pretty insecure. But 
nowadays, we are really seeing a push for having very strong 
default settings that really make sure that things are secure 
for people.
    I think that there is more we can do in that area. It is a 
difficult problem. Because as we start getting into more 
complex ways to manage privacy, it becomes increasingly 
difficult. But I like to see those two approaches really taken 
seriously.
    Mr. Shays. Well, one is education and the other is design, 
correct?
    Mr. Good. That is correct.
    Mr. Shays. Is there anything else?
    Mr. Good. No, I think that is it.
    Mr. Shays. Anyone else?
    Mr. Schiller. I would say that it is great to say that we 
need to educate people. But, you know, I drive my car every 
day, and actually, I do know how internal combustion engines 
work. But in some sense, that should not be a requirement in 
order to drive a car. So I would say the emphasis has to be on 
the design of the technology.
    My experience is, we see a pendulum that swings. The 
technology comes out. People tradeoff security to get more 
convenience. We have hearings like this. People hear about 
identity theft. They become concerned about the technology. The 
technologists then react to that and put in better technology, 
better design, better controls.
    I am going to talk a little bit off the top of my head 
here. I said before that it asks which directories of files you 
wanted to share. You could easily, for example, say, if we are 
going to look for music, then let us only share files that end 
in .MP3, and let us not share files named ``In-box.''
    But, you know, the funny thing is, if I am the guy 
designing this, and let us all know that there is a copyright 
issue here, that the designers of this are safer sharing 
everything than they are trying to just share a particular type 
of file. Because then it makes it easier to accuse them of, oh, 
gee, this is really only about sharing music.
    One of the defenses people like to use is, oh, know, you 
can share anything. So that, I think, drives the tradeoff in 
the wrong direction. But certainly, I do believe it is possible 
to design this stuff in a way that is, in fact, reasonably 
secure.
    Mr. Shays. You know, it is funny, as you all are 
testifying, there is always someone in the audience that is 
shaking their head or nodding their head. I feel like I am in a 
Baptist church without any sound. [Laughter.]
    Dr. Hale.
    Mr. Hale. Yes, I think I would agree that education is a 
huge component. I would also concur that our design issues, I 
would say, is what is designed out of the software, as opposed 
to what is added to it, that could really help matters.
    The security circumvention tactics that are used by the 
software really make it difficult for a corporation or an 
academic institution like the University of Tulsa, for 
instance, to protect its user population from these abuses, if 
they are even real or imagined. So that is what I would 
consider to be addition by subtraction.
    Mr. Shays. Given the number of participants in this 
hearing, Mr. Chairman, do you mind if I just complete this 
question with the rest of the witnesses?
    Chairman Tom Davis. That is fine.
    Mr. Shays. Thank you.
    Mr. Davidson. The Federal Trade Commission actually just 
had a workshop yesterday on this very question. It is great 
question about the broader issue of privacy here. I think there 
are three things besides education that we would talk about.
    One is technology or design. The fact is that there are a 
lot of tools out that can help consumers. We have talked about 
some of them: encryption, firewalls, which is something that we 
did not talk about today. With personal firewalls, you can give 
consumers more control about how their computer is 
communicating with.
    This broader design question is building programs and 
systems in a way that are more privacy friendly. A second is 
best practices on the part of industry. I think there is strong 
message that needs to be sent and continues to be sent that 
companies need to act responsibly when they collect 
information, and many of them do.
    But there are real issues about best practices for how 
people use information that they collect. That is a very 
powerful possible tool; industry standards, best practices.
    The third, and I think it is important, is there is a 
growing realization that there may be a need for baseline, 
narrowly tailored legislation about Internet privacy, to deal 
with bad actors in this setting.
    There are some basic components of fair information 
practices like notice about what information is being 
collected, meaningful choices for consumers about whether their 
information is being collected, access to the information that 
has been collected.
    I think there is a growing awareness that we may need 
something like that, more broadly. I have not emphasized that. 
We are a supporter of that. I did not emphasize that in my 
testimony because I think the main issue here of people 
mistakenly sharing files is not something that you are likely 
to solve by legislation.
    But, for example, the spyware issue that has come up is 
something, if not remedied through best practices, that might 
need to be something that is part of a legislative action.
    Mr. Waxman. Would the gentleman yield?
    Mr. Shays. Absolutely.
    Mr. Waxman. It seems to me what you are saying is that 
technologically, they can develop a design so that private 
information is reasonably secure.
    But is there not a financial incentive for them to try to 
subvert it, because of spyware and adware, or systems that will 
allow people to come in and get information, so that they can 
sell it to others; or get advertisers to know what you might be 
interested in, so they can direct advertisements directly to 
you?
    Are those two financial incentives, so that you try to 
subvert it, either through port hopping or tunneling or 
whatever other way they can design it?
    Mr. Davidson. Well, I would just answer by saying I think 
that is absolutely true. We are concerned that obviously the 
reason that people are doing some of these things is because 
there are financial incentives.
    Our belief is actually in the long run, a lot of people 
will realize that the best financial incentive is having 
customers who trust your stuff. People, if they know about what 
is going on, will not buy or use products that violate their 
privacy, if they have options.
    So there is a hope that the market will develop and that 
people will, when they learn about these things, not use the 
file-sharing product that invades their privacy and has a lot 
of spyware. But hopefully, the more responsible actors will 
come on the scene.
    Now maybe the answer is that if that does not work, then 
maybe we do need some kind of baseline legislation.
    Mr. Waxman. If the gentleman would permit, what you have is 
a lot of kids who want music for nothing.
    Mr. Davidson. Right.
    Mr. Waxman. So they want music for nothing, even though we 
should give some idea to people that when you take something 
that is not yours and you are not paying for it, it is a form 
of stealing.
    So you have got kids who want something for nothing. They 
are not going to be informed users and worried about privacy. 
So they are just setting the family up for those who want to 
take advantage of the situation, to design ways to subvert any 
attempt to protect their privacy. Maybe some of the technical 
people can tell us about this. But is that not what we are 
facing, Mr. Schiller?
    Mr. Schiller. Well, there are actually two different issues 
here. There is the accidental subversion of privacy by 
accidently sharing files you do not wish. That really has 
nothing to do with the adware and spyware. I would expect to 
see those issues being addressed, because they do not help 
anyone except criminals.
    But the adware and spyware issue is certainly an issue 
where there is an incentive to gather that information. Of 
course, the companies who gather it want only to give it to 
themselves and not to the whole world.
    I think the issue of multiple people using the same 
computer is really an issue of the design of the computer 
system. The Windows platform was never really designed to be a 
time shared, multi-user system. Windows 2000 and XP start to 
add that stuff, but I do not think they have added in the way 
that most people know how to use.
    But frankly, I have a 20 month old son. When he gets older, 
he is going to have his own computer. Because I know not to 
have him get onto mine.
    So I think it is a separate issue about the fact that these 
programs reveal stuff. The fact that it reveals stuff for other 
users of the computer is just a happenstance.
    Chairman Tom Davis. Thank you, the gentleman's time has 
expired; the gentleman from Tennessee?
    Mr. Duncan. Mr. Chairman, thank you very much, and thank 
you for calling this hearing. I think these are very important 
subjects that the panel members are discussing, and I 
appreciate your doing this.
    I usually avoid discussing personal or family type things 
at hearings. But I heard Ms. Frank briefly mention identity 
theft.
    My wife and I have four children. But the older of my two 
sons, who is a senior at the University of Tennessee, just 
yesterday received a notice that they want him to come to 
Juvenile Court to testify in a case involving apparently a 17-
year-old young man who was using my son's identity and that of 
others to apply for credit cards and I do not know what else. I 
do not know all the details, yet. But he found out just 
yesterday that he was a victim of identity theft. So I guess I 
find that kind of interesting.
    What should a person do who has found out that he or she is 
a victim of identity theft; and how wide-spread is this 
problem? I have had to be in and out with some constituents.
    Ms. Frank. Right; my written testimony is about 20 pages, 
and I talk about that quite a bit. But basically, the first 
thing you do, if you find out that you are a victim of 
financial identity theft, with somebody applying for credit 
cards and credit lines in your name, the first thing you are 
going to need to do is to put a fraud alert on all of your 
credit profiles with the three major credit reporting agencies; 
get those credit reports; and find out what fraud is on there.
    There is just a whole list of things to do. Once you find 
all that and go to law enforcement and make a police report, 
then you go through the whole process of trying to clean it up 
and stop it. So that gets into a whole lot of things.
    But I have this little kit that I am going to give to the 
committee, and I will be happy to speak with you afterwards, if 
you would like.
    Mr. Duncan. Well, is this problem growing quite a bit?
    Ms. Frank. Yes, it is growing tremendously. After the 
Gramm-Leach-Briley Act passed, it has actually gotten a lot 
worse, when that was our financial privacy act.
    What we are finding, and let me give you some statistics, 
at least. I have the statistics in my written testimony. But 
the Federal Trade Commission shows that it has grown 
tremendously in terms of the complaints that they have gotten.
    But a lot of people who are victims of identity theft have 
no idea to go to the Federal Trade Commission. So since they go 
the credit reporting agencies, those are better statistics.
    Transunion, one of the three major credit reporting 
agencies reported in the year 2000 that they got 85,000 calls a 
month to their hotline. In the year 2001, they got 3,500 calls 
a day to their fraud hotline, and they did not give us their 
most recent figures.
    The GAO report that came out last year also talked about 
the tremendous increase in identity theft, because our personal 
information is everywhere, and that is the key to identity 
theft, to use the Social Security number.
    Right now, there are several bills pending in Congress, 
including Diane Feinstein's Identity Theft Prevention Act of 
2003, with some things.
    But there is a real need, which I had brought up in my 
testimony, for us to have some accountability as to how the 
financial industry is issuing credit without verification and 
authentication of persons. So that is what is happening.
    Mr. Duncan. Well, I will look over that. My time is so 
short, let me go in another direction. You know, I chaired the 
Aviation Subcommittee for 6 years. I heard our colleague, John 
Linder, say at an aviation conference in January that the 
Federal Government always seems to overreact to any problem.
    We seem to have pretty much done that in regard to 
aviation. They say TSA now stands for thousands standing around 
and so forth. [Laughter.]
    So I think we have done a more than adequate job, let us 
say, in regard to aviation. But I think that one of our most 
vulnerable areas must be financial cyber-terrorism.
    Do any of you have concerns about that? Do you think that 
is a potential problem? I read that it possibly is. There are 
so many people on this panel, I do not know who is the most 
appropriate person to comment on this.
    Mr. Farnan. Well, sir, I would like to make a comment about 
that. From the FBI's perspective, the answer is a resounding 
yes. We are very concerned about cyber-terrorism and how 
terrorists and others can exploit technology, which is designed 
to be very beneficial and can really advance all of our causes 
in many ways. However, that can also be abused and it can be 
used against us.
    So we have an entire unit at the FBI that focuses on that 
particular issue, to try and stay current with technology, to 
make sure that we know what is going on out there with the goal 
of preventing any kind of cyber-terrorist activity.
    Mr. Duncan. I have read here on the front page of the 
Washington Post that a 12 year old computer hacker opened the 
floodgates at the Hoover Dam. What some people are concerned 
about are our financial markets; yes?
    Mr. Broes. That is a very big concern, and it should be a 
major concern of any company that distributes software that has 
the potential of being hijacked, so to speak; you know, 100,000 
computers, hijacked to attack something specifically.
    For instance, recently, Microsoft has talked about some 
vulnerabilities that were in Passport and instant messenger 
programs. If you can acquire those computers, certainly you can 
cause a tremendous amount of damage. That is why companies have 
to take a genuine responsible approach to this and understand 
that they have a huge responsibility in adhering to even 
voluntary standards and practices.
    So I think absolutely that companies need to do that. I do 
not know whether that is legislation. I would say that 
companies should voluntarily adopt standards and practices, 
just for the sake of their security.
    Mr. Duncan. Let me just say that I think that is a possible 
area of great concern for many of us. Do I have time to ask one 
more.
    Mr. Shays [assuming Chair]. Let us do this, we will let Mr. 
Waxman go, and then we will come back to you.
    Mr. Duncan. That is fine.
    Mr. Shays. Mr. Waxman, you have the floor.
    Mr. Waxman. Thank you very much, Mr. Chairman.
    If there were going to be voluntary standards and industry-
wide standards, how would that get done? Does anybody have any 
ideas? You have different people competing with each other.
    Mr. Broes. Well, I think that companies have recently 
started to adopt those voluntary standards. You know, Microsoft 
has taken an unprecedented approach by saying, you know, it is 
secure by default, secure by design, secure by deployment. They 
stopped programming for a period of time to go back and look at 
these issues.
    So I think that any time you have the leaders in industries 
taking those initiatives, you are going to find that people 
will follow, because that is the path of success.
    Mr. Waxman. That is Microsoft. How about KaZaA; do they 
have responsibility?
    Mr. Broes. Absolutely; I believe that anyone that has the 
ability or the potential to have their computers hijacked, for 
any reason whatsoever, via their software, they have a 
tremendous responsibility to adopt standards and practices of 
their own.
    I believe that if there was legislation that was enacted 
today, they would have already complied with much of that, if 
not all.
    Mr. Waxman. Along those lines, according to media reports, 
Altnet had planned to launch a program with KaZaA to take 
advantage of unused computing power of computers connected to 
the network. Initial reports indicated this might be done 
without the knowledge of users.
    You have now testified that such a program is still in the 
works, but will be defined by the highest principles of 
disclosure and consent. What are those principles? Will users 
have the same access to peer-to-peer networks, if they do not 
consent to turning over their unused computing power? Unused 
computing power means their computing power becomes a zombie 
for someone else, instead having to furnish it themselves.
    Mr. Broes. Users will always have the consent. It will 
never be a default, where it uses any resource. Altnet has been 
very, very careful in its design.
    In fact, it can be uninstalled. With the future release of 
Altnet, you can uninstall the application that would share 
those resources. We give very, very deliberate instructions on 
how you can do that.
    At the very beginning, when the application is installed, 
it says, would you like to share hard drive space in exchange 
for points, and those points can be redeemed for cash and 
prizes. That hard drive space and how the design has been built 
is extremely encrypted.
    We have gone through all of the security measures and have 
adhered to the security standards that Microsoft and every 
other major software company has adjured to, to develop such an 
application.
    Mr. Waxman. Could users be penalized for not consenting?
    Mr. Broes. Not at all.
    Mr. Waxman. What do others on this panel think about this 
business of how informed the consumer consent is going to be; 
how much lack of information there is before these consents are 
given for file-sharing; Mr. Hale?
    Mr. Hale. If I may say, I think consent is there; informed 
consent, I do not know about. I recently read, not KaZaA's, but 
a competing client's peer-to-peer privacy policy, which I was 
happily surprised to find that they had.
    But quite honestly, it would have been easier to try to 
decipher my own telephone bill. Maybe that is a topic for 
another hearing.
    But I think in a lot of the click through agreements which, 
by the way, is not just a peer-to-peer problem, and it is a 
problem with the software industry; a lot of the click through 
agreements are fairly easy to click through without having to 
read what you are agreeing to.
    So to sum up, I would say the consent is there. Whether the 
users are aware of what they are consenting to is an entirely 
different matter. This has to do with transparency, in my 
opinion, and clarity.
    Mr. Davidson. I think you are really on to something, 
because we often talk about meaningful choice and meaningful 
notice. There is, in fact, if you look at a lot of these end 
user license agreements, it says in there that this software is 
being installed and it will do these things, but how many 
people actually take a look at them?
    I could bring you examples of these long agreements, these 
long privacy agreements. The average consumer is not getting a 
chance to look at it. So I think we are hopeful, on some level, 
that people will start to figure this out. I do not want to 
sugar coat it, though. We think that is a baseline that needs 
to be met, and it is going to be tough.
    Mr. Waxman. Mr. Davidson, let me interrupt you, because I 
see my yellow light is on. I wanted to ask you one more 
question, and I am afraid I will not get a chance to do it.
    Why should people who are going on file-sharing programs 
and downloading copyrighted music or movies not have the fact 
that they are doing that provided to the copyright holders? If 
they are consenting to let their files be searched, because 
they want something for nothing, why should the copyright 
holders not have the access to the information that they are 
doing it?
    Mr. Davidson. Right; are you thinking particularly about 
the subpoena issue that I mentioned in my testimony?
    Mr. Waxman. Yes.
    Mr. Davidson. I think that is a very good question. I do 
not think that the issue is that people who are, for example, 
breaking the law should not ultimately be identified and 
revealed. The question is, how do we do that? We have to make 
this balance about legitimate people getting access to personal 
information all the time, in law enforcement contacts and other 
kinds of privacy contacts.
    I think the issue here is that we have a situation where it 
is not just legitimate uses. In this particular provision of 
law, it is any copyright holder, and I hazard to guess that 
most of the people in this room are copyright holders, they can 
go to a court clerk, make an allegation, and reveal somebody's 
identity.
    Using one of these networks or using the Internet does not 
necessarily reveal your identity. For some people, some of the 
activities they do online, they do without revealing their 
identity, and that is extremely important.
    So our feeling is that if identity is going to be revealed, 
it should be done with some measure of due process, and 
particularly, people should know that their identity has been 
revealed.
    That is, I think, the flaw here. It is not to say that we 
cannot find a way to work this out, so legitimate enforcement 
of the law can happen. It is about the fact that there are 
actually in this particular provision, very few protections, 
and that has been our concern.
    Ms. Frank. Let me just add to that, because in California, 
we have a bill pending right now in our California legislature. 
If there is going to be a subpoena to find out who somebody is 
online, that there has to be notice, and that the ISP has to 
give notice to the user ahead of time, so that they can get a 
protective order or take some measure with this notice to 
protect themselves.
    We worry about things like stalking; that someone will say, 
oh, I am a copyright holder, and I need to know who this person 
is in that chat room, and it is really a stalker and ex-
husband. I literally note these kinds of things that happen.
    So this is at least to give that person a chance, a 15 day 
notice, or a 30 day notice, or whatever it is, so that they get 
a chance to go in and say, look, I do not want to reveal my 
identity. This person really is my ex-spouse, who is trying to 
kill me. So that was the idea of due process, if I understand 
what Alan is talking about.
    Mr. Davidson. I cannot say it better than that.
    Mr. Shays. Mr. Duncan.
    Mr. Duncan. Let me go in a little different direction. I 
think when we come into a job like those of us who are Members 
have, I think we basically sort of tacitly agree to give up our 
privacy. That really does not concern me, but it does seem a 
shame to me that there is almost no privacy for private 
citizens now, it seems to me.
    Yet, we seem to have a large segment of the population now, 
especially young people, who have become almost addicted to the 
computers, and have almost a worship of the computers. So if 
anybody asks any questions that are somewhat critical, they 
almost get offended, and I hope that none of you will get 
offended.
    But it seems to me that, as I say, we have just about done 
away with privacy. In some ways, maybe it has resulted in good 
things. What I have in mind, I am thinking about the Dean of 
the Harvard Divinity School got caught for, I think it was, 
child pornography or something, and we see that all the time.
    I do not see how anybody can feel that there is anything 
secret anymore or anything private that they put into a 
computer.
    I heard on the CBS national news, 2 or 3 years ago on the 
radio 1 day as I was driving along, that computer hackers had 
gotten into the top secret files at the Pentagon, I think it 
was 250,000 times in the year before. I mean, it is just mind 
boggling.
    It seems that if somebody comes up with a system or a 
program to develop some privacy for things that people put into 
their computers, that somebody very shortly comes up with 
something that breaks that program, or gets into it, or wipes 
out the privacy. What do you all say about that? Do you have 
any concerns?
    Ms. Frank. Well, I would just like to say that it is not 
just computers. It is not just our computers. I wanted to 
respond to the questions before about consumer education. We do 
this all the time with identity theft. But the truth is, they 
are so much beyond our control.
    For example, yes, we can be educated and say to people, OK, 
be careful when you are online or when you are in the chat 
rooms, or when you are sharing information, or when you are 
doing e-mail. But the truth is that you can tell people that, 
but there is so much to know.
    I really work at this, but I have a whole other field. I am 
sure all of you have so many bills that you have to read. I do 
not know how much of a computer expert you all are.
    But I sit on the high tech crime unit of Orange County 
Sheriff Reserves, and I am the only ``non-techy'' on there. I 
have enough information to know that I should be worried. But 
it is too much of a burden on consumers to ask them to know all 
this stuff.
    So if KaZaA is going to have information and they are going 
to have software programs that you are going to use, they 
should definitely give you big pop-ups in very simple language 
saying, if you push this button, your whole ``C'' drive is 
going to be open. That means that everybody can get into your 
Quicken or your Quickbooks or your IRS or your resume or 
whatever it is, and it has to be simple.
    Mr. Duncan. Well, it is like you said awhile ago, people 
can now find out almost everything about anybody that they want 
to find out about: bank records, house records, and everything 
else.
    Ms. Frank. Right.
    Mr. Duncan. It amazes me that just from what I read in the 
newspapers that anybody thinks that anything they do on a 
computer today is really private; any Web site they visit, any 
e-mail they send; yes?
    Mr. Broes. Security today has changed. We can no longer put 
a lock on something and assume that it is going to hold. I 
think the military has learned this, that it is an evolving 
process, and it is dynamic.
    So we are continuing this. It is just like virus 
applications. They are continually chasing viruses. They are 
continually updating their data base, and they are continually 
educating their users as to what is out there and what the 
threats are, and trying to make them feel more secure about it.
    I think that is the process that we are going to see take 
place in most applications. Certainly, as I said, there are 
leaders that have taken initiatives from Microsoft, all the way 
to Altnet and Sherman Networks. They have taken those 
initiatives to say, we understand there is this issue and we 
are dealing with that problem.
    I do not foresee that changing anytime soon. This is a 
dynamic situation. The Internet, by nature, is dynamic, and we 
have to be dynamic in our approach to security and privacy.
    Mr. Davidson. I would just add that I think that this is 
the tip of the iceburg, unfortunately. There are even more 
interesting and sort of more invasive new technologies. We 
talked about location information; people building ID tags into 
products that people can scan and find out what you have, what 
you are wearing, what you are carrying in your handbag.
    We are talking about networks of imbedded computers, 
intelligent buildings, and intelligent rooms, that are going to 
collect all sorts of information about people. It is going to 
be increasingly harder for people to avoid all of these things.
    So the simple answer of hey, if you put it on the computer, 
you should know someone else is going to get it, is going to 
become, for a lot of people, not a realistic alternative.
    If you use your cell phone, location information may be 
captured. If you go through a toll booth, and your electronic 
tag records that you have been there.
    But even more importantly, I would say the computer is not 
something we can avoid in life, so we need to figure out how to 
address these things.
    Mr. Duncan. Are you saying that Big Brother is already here 
and there is nothing we can do about it?
    Mr. Davidson. I think, there is nothing we can do about it 
is not right. I think that we need to do something about it, 
and we are trying to find ways to do something about it, but we 
need to keep working on it because we are not there yet.
    Mr. Duncan. I see some of the panel members laughing.
    Mr. Schiller. It is not Big Brother. There are lots of 
Little Brothers.
    Mr. Duncan. Lots of Little Brothers?
    Ms. Frank. Well, if you want my suggestion as to what I 
would like to have Congress do, I would like to have them set 
up a privacy commission. We are the only civilized country in 
the world that does not have a privacy commission.
    If you look at Canada right above us, if you look at all 
the European nations, we do not have a privacy commission. We 
have had little privacy czars, but we do not have a privacy 
commission to look at all these issues.
    Privacy in the millennium is not about the right to be left 
alone. It is the right to control your personal information. I 
think it is pretty frightening, when we are going on our 
computer and we do not know about spy-ware. We do not even know 
where it is. It is hidden somewhere, and we cannot even find 
it. That is terrifying.
    So the result of that is identity theft. All this 
information that is being taken about us can be used in very 
insidious ways. So we do need to have the fair information 
practices that Alan was talking about: the notice, the choice, 
the security, all those things.
    The only way to do it is to really have a real privacy 
commission that is looking over this whole issue. Because it is 
the scariest issue, I think, of what we are in, in our society 
right now.
    Mr. Duncan. Well, I would agree with the commission, but I 
am a little skeptical. I think we are almost too far gone, 
really, now.
    Ms. Frank. It is out there, but access is the difference; 
in other words, what access and what way to control. For 
example, you mentioned your family.
    Mr. Duncan. It was my son.
    Ms. Frank. So the scary thing for him is, he does not know 
what else has happened. He does not know if he has a criminal 
record.
    So for him to be able to get access to those records and 
correct them, if you say, well, my information is out there and 
it is too late; well, what happens when you cannot get on an 
airplane because the red light comes on and it has nothing to 
do with you. Your name is mixed up with somebody else's; or 
your son, who is mixed up with some other person who has been 
stealing his identity and committing crimes in California and 
Virginia.
    Mr. Duncan. Well, the one interesting thing that I did not 
mention, the young man that they have accused of doing this has 
a foreign sounding name, that I cannot even really pronounce.
    Ms. Frank. Remember, over half of the terrorists committed 
identity theft.
    Mr. Duncan. All right, thank you very much; thank you, Mr. 
Chairman.
    Mr. Shays. Ms. Frank.
    Ms. Frank. Yes.
    Mr. Shays. You basically were kind of dealing with the 
solution, the education versus the design. It is kind of like 
your big warning system that flairs up there.
    Ms. Frank. The fact that the education is right when you 
are using the product, I think, would be helpful.
    Mr. Shays. Before my time had run out, I think I was with 
you, Mr. Broes. I do not need to spend a lot of time on this. I 
just want to know, just simply, the education design, that Mr. 
Davidson had added some other points, is there anything that 
you would add to the solutions to the privacy issue, the virus 
issue?
    Mr. Broes. Sure, well, I think it is in our best interests, 
and any company's best interest, to design their software to be 
as private and as secure as possible. So I think that, as I 
said, there is a tremendous amount of responsibility, I 
believe, with any company that has applications that are 
distributed to millions of people around the world.
    So secure, private, by design, I think is definitely the 
way to go, and these are voluntary standards. These are 
standards that every major corporation today that wants to 
compete is going to have to take, because people just do not 
want applications on their computers that are not secure and do 
not provide privacy.
    So I think it is going to be natural selection; that 
companies who are willing to play in the spy war game and not 
notify people, I think that they are ultimately going to be 
uninstalled and deleted, and people are going to remove them.
    So voluntary standards and practices, I think, are 
critical. As I said earlier, if it were legislated today, I 
think that we would have already taken those initiatives.
    Mr. Shays. I was struck by the fact that Big Brother is 
dead and Little Brothers are in. It is almost like we need a 
Big Brother, though, to deal with Little Brothers; Mr. Farnan.
    Mr. Farnan. There are definitely privacy issues involved in 
what we were talking about today. I think that one of the 
reminders that we have to give ourselves is that even though we 
are in an electronic age, a lot of the fundamental rules of 
life still apply. Things like ``buyer beware'' still apply.
    Just because people are involved in dealing in cyberspace 
and conducting transactions in a computerized environment does 
not automatically mean that there are no privacy issues, or 
that it is somehow inherently safer; because as we are seeing 
today, it is not.
    Second, to follow the analogy of the automobile that was 
raised a little bit earlier, what is scarey is that sometimes 
we can have fairly young people, and if they are interested in 
learning how to drive a car and we put them in a Ferrari, that 
might be a scarey thing, as opposed to a four cylinder car in a 
safer environment.
    So to reiterate, the theme of education and consumer 
informness is crucial to this whole area, as are parental 
controls. Because as we have also heard, children who have 
access to their parents' computers may be pushing buttons that 
result in a lot of information leaving that household that was 
never intended to leave that household.
    Mr. Shays. I just have one other quick question. I do not 
need all of you to respond, just one or two. Are we teaching 
this in school? Are we educating our kids about this?
    Mr. Hale. I can speak to this, somewhat. I would say that 
nationwide, we are beginning to. We are only beginning to. But 
it is amazing the views that even some of my own students have 
about piracy and their privacy, and what they are willing to 
give up to get the latest recording.
    We work at the University of Tulsa with a number of 
schools: high schools, elementary schools, middle schools. I 
just was at a high school last week, where I spent almost the 
entire time talking about peer-to-peer technology and privacy 
issues, and media piracy, as well.
    So we are beginning to, but I think that not enough of us 
are doing it, just yet. I think that is the key. Because once 
you get critical mass, then you can start to see results.
    I would like to agree with what Mr. Broes said about the 
natural selection piece of this. I think once consumers and our 
children are educated, then they will begin to value privacy 
more. Then the economics pendulum will begin to swing in the 
favor of the companies that are performing due diligence in the 
privacy area of their software. But until that happens, the 
natural selection is going to favor those companies.
    Mr. Shays. I have just a slight observation. I am struck by 
this hearing as to one, I would not want to be a professor 
teaching young people about technology, considering they 
probably know more than you do, and you always fear that they 
might.
    But the other observation I make is, I am struck by the 
fact that young people gain these incredible skills to do bad 
things without necessarily knowing the ethnics behind what they 
are doing, which is kind of an interesting dilemma.
    Mr. Chairman, thank you so much for the hearing, and I 
thank our witnesses.
    Chairman Tom Davis. Let me thank all the witnesses, as 
well, for appearing today, and I thank the staff for working on 
this from both sides. We heard some very useful information 
today, that should concern any person who uses file-sharing 
programs or has them installed in their computers. Obviously, I 
think peer-to-peer users have to be aware of the files they are 
making available for sharing.
    We are going to follow this up with another hearing in the 
near future, looking at file-sharing in Government agencies. 
Again, I thank the witnesses. This is very, very important, as 
we proceed to understand this better and move forward to 
whatever we might do.
    Thank you very much; the hearing is adjourned.
    [Whereupon, at 11:55 a.m., the committee was adjourned, to 
reconvene at the call of the Chair.]
    [Additional information submitted for the hearing record 
follows:]

[GRAPHIC] [TIFF OMITTED] T8016.080

[GRAPHIC] [TIFF OMITTED] T8016.081

[GRAPHIC] [TIFF OMITTED] T8016.082

[GRAPHIC] [TIFF OMITTED] T8016.083

[GRAPHIC] [TIFF OMITTED] T8016.084

[GRAPHIC] [TIFF OMITTED] T8016.085

[GRAPHIC] [TIFF OMITTED] T8016.086

[GRAPHIC] [TIFF OMITTED] T8016.087

[GRAPHIC] [TIFF OMITTED] T8016.088

[GRAPHIC] [TIFF OMITTED] T8016.089

[GRAPHIC] [TIFF OMITTED] T8016.090

[GRAPHIC] [TIFF OMITTED] T8016.091

[GRAPHIC] [TIFF OMITTED] T8016.092

[GRAPHIC] [TIFF OMITTED] T8016.093

