[House Hearing, 108 Congress] [From the U.S. Government Publishing Office] OVEREXPOSED: THE THREATS TO PRIVACY AND SECURITY ON FILESHARING NETWORKS ======================================================================= HEARING before the COMMITTEE ON GOVERNMENT REFORM HOUSE OF REPRESENTATIVES ONE HUNDRED EIGHTH CONGRESS FIRST SESSION __________ MAY 15, 2003 __________ Serial No. 108-26 __________ Printed for the use of the Committee on Government Reform Available via the World Wide Web: http://www.gpo.gov/congress/house http://www.house.gov/reform ______ 88-016 U.S. GOVERNMENT PRINTING OFFICE WASHINGTON : 2003 ____________________________________________________________________________ For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512�091800 Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001 COMMITTEE ON GOVERNMENT REFORM TOM DAVIS, Virginia, Chairman DAN BURTON, Indiana HENRY A. WAXMAN, California CHRISTOPHER SHAYS, Connecticut TOM LANTOS, California ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York JOHN L. MICA, Florida PAUL E. KANJORSKI, Pennsylvania MARK E. SOUDER, Indiana CAROLYN B. MALONEY, New York STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland DOUG OSE, California DENNIS J. KUCINICH, Ohio RON LEWIS, Kentucky DANNY K. DAVIS, Illinois JO ANN DAVIS, Virginia JOHN F. TIERNEY, Massachusetts TODD RUSSELL PLATTS, Pennsylvania WM. LACY CLAY, Missouri CHRIS CANNON, Utah DIANE E. WATSON, California ADAM H. PUTNAM, Florida STEPHEN F. LYNCH, Massachusetts EDWARD L. SCHROCK, Virginia CHRIS VAN HOLLEN, Maryland JOHN J. DUNCAN, Jr., Tennessee LINDA T. SANCHEZ, California JOHN SULLIVAN, Oklahoma C.A. ``DUTCH'' RUPPERSBERGER, NATHAN DEAL, Georgia Maryland CANDICE S. MILLER, Michigan ELEANOR HOLMES NORTON, District of TIM MURPHY, Pennsylvania Columbia MICHAEL R. TURNER, Ohio JIM COOPER, Tennessee JOHN R. CARTER, Texas CHRIS BELL, Texas WILLIAM J. JANKLOW, South Dakota ------ MARSHA BLACKBURN, Tennessee BERNARD SANDERS, Vermont (Independent) Peter Sirh, Staff Director Melissa Wojciak, Deputy Staff Director Rob Borden, Parliamentarian Teresa Austin, Chief Clerk Philip M. Schiliro, Minority Staff Director C O N T E N T S ---------- Page Hearing held on May 15, 2003..................................... 1 Statement of: Broes, Derek S., executive vice president of Worldwide Operations, Brilliant Digital Entertainment................ 59 Davidson, Alan B., associate director, Center for Democracy and Technology............................................. 39 Farnan, James E., Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation, accompanied by Dan Larkin, Supervisory Special Agent, Federal Bureau of Investigation. 89 Frank, Mari J., esquire, Mari J. Frank, Esquire & Associates. 66 Good, Nathaniel S., University of California, Berkeley, School of Information Management Systems................... 13 Hale, Dr. John, assistant professor of computer science and director, Center for Information Security, the University of Tulsa................................................... 31 Schiller, Jeffrey I., network manager/security architect, Massachusetts Institute of Technology...................... 25 Letters, statements, etc., submitted for the record by: Broes, Derek S., executive vice president of Worldwide Operations, Brilliant Digital Entertainment, prepared statement of............................................... 62 Davidson, Alan B., associate director, Center for Democracy and Technology, prepared statement of...................... 41 Davis, Chairman Tom, a Representative in Congress from the State of Virginia, prepared statement of................... 3 Farnan, James E., Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation, prepared statement of..... 91 Frank, Mari J., esquire, Mari J. Frank, Esquire & Associates, prepared statement of...................................... 69 Good, Nathaniel S., University of California, Berkeley, School of Information Management Systems, prepared statement of............................................... 16 Hale, Dr. John, assistant professor of computer science and director, Center for Information Security, the University of Tulsa, prepared statement of............................ 34 Schiller, Jeffrey I., network manager/security architect, Massachusetts Institute of Technology, prepared statement of......................................................... 27 Waxman, Hon. Henry A., a Representative in Congress from the State of California, prepared statement of................. 7 OVEREXPOSED: THE THREATS TO PRIVACY AND SECURITY ON FILESHARING NETWORKS ---------- THURSDAY, MAY 15, 2003 House of Representatives, Committee on Government Reform, Washington, DC. The committee met, pursuant to notice, at 10:09 a.m., in room 2154, Rayburn House Office Building, Hon. Tom Davis of Virginia (chairman of the committee) presiding. Present: Representatives Tom Davis of Virginia, Shays, Putnam, Duncan, Murphy, Waxman, Maloney, Cummings, Tierney, Clay, Sanchez, and Ruppersberger. Staff present: Peter Sirh, staff director; Melissa Wojciak, deputy staff director; Keith Ausbrook, chief counsel; Anne Marie Turner and Randall Kaplan, counsels; David Marin, director of communications; Scott Kopple, deputy director of communications; Ken Feng, investigator/GAO detailee; Teresa Austin, chief clerk; Joshua E. Gillespie, deputy clerk; Corinne Zaccagnini, chief information officer; Brien Beattie, staff assistant; Phil Barnett, minority chief counsel; Karen Lightfoot, minority communications director/senior policy advisor; Josh Sharfstein and Nancy Scola, minority professional staff members; Earley Green, minority chief clerk; and Jean Gosa, minority assistant clerk. Chairman Tom Davis. Good morning. A quorum being present, the Committee on Government Reform will come to order. Let me say a special thank you to our visiting students from Woodson High School, out in the 11th Congressional District of Virginia. We are happy to have you with us, and I hope you will find some of this hearing interesting. We are here today to continue our examination into peer-to- peer file-sharing programs. This is the committee's second hearing on this topic. At our first hearing held in March, we examined the growing problem of the availability of pornography, including child pornography, on these networks. The committee found that pornography is, in fact, being traded on peer-to-peer networks, and children are at great risk of inadvertent exposure to pornography while using these programs. File-sharing programs or Internet applications allow users to download and directly share electronic files from other users on the same network. Users of these programs can share files that contain documents, as well as music or videos. These programs are surging in popularity. KaZaA, the most popular file-sharing program has been downloaded almost 225 million times, making it the most popular software downloaded on the Internet. File-sharing technology can be beneficial. However, as we learned from our first hearing on this topic, use of this technology also presents certain risks. Today, the committee will examine the risks to personal privacy and computer security posed by the use of peer-to-peer file-sharing programs. Specifically, we are going to look at three issues: first, the reason why highly personal information is available over these networks; second, the potential effects of software known as ``spyware'' or ``adware'' that is being bundled or included with file-sharing programs; and third, the growing risk of downloading computer viruses from files shared on these programs. The committee will release a staff report today that highlights these issues. Through a simple search on one file- sharing program, committee staff easily obtained tax returns, medical records, attorney-client communications, resumes, and personal correspondence. Users of these programs may accidentally share this information because of incorrect program configuration. They also could be intentionally sharing these files because increased file-sharing earns the user higher priority status on popular downloads. Either way, users of these programs need to be aware that sharing personal information can open the door to identity theft, consumer fraud, or other unwanted uses of their personal data. Parents, businesses, and government agencies also need to be aware of these risks if their home or office computers contain file-sharing programs. Another concern raised by the use of peer-to-peer file- sharing is the bundling of these programs with software known as ``spyware'' or ``adware.'' These programs monitor Internet usage primarily for marketing purposes, without the users' knowledge. They also give rise to pop-up advertisements and spam e-mail. Finally, computer viruses can easily spread through file- sharing programs, since files are shared anonymously. In fact, just this week, a new computer virus called ``Fizzer'' spread rapidly across the Internet, affecting computers worldwide through e-mails and the file-sharing program, KaZaA. We have assembled an excellent panel of witnesses who will discuss these important issues. I would like to thank each of our witnesses for appearing today. I would now like to yield to Mr. Waxman for his opening statement. [The prepared statement of Chairman Tom Davis follows:] [GRAPHIC] [TIFF OMITTED] T8016.001 [GRAPHIC] [TIFF OMITTED] T8016.002 Mr. Waxman. Thank you very much, Mr. Chairman. I am pleased to join with you in this hearing. I want to commend our staff for developing this report that we issued today, ``File-Sharing Programs and Peer-to-Peer Networks, Privacy and Security Risks.'' This is the second of a series of hearings that this committee has been holding to highlight and educate the public about not just the great opportunities with these new file- sharing efforts on the computers, but the risks involved, as well. At our last hearing, we talked about the fact that if young people, who are, for the most part, the ones who are using these peer-to-peer file-sharing programs, try to get music from the programs, more often than not, they are having very vile pornography pushed upon them. Most parents were not aware of that fact; and most people, I think, are not aware of the facts that we are going to examine at our hearing today. We live in a world that is increasingly more connected. New computer innovations can open us up to new experiences and offer more choices than ever before. As we experiment with new technologies, however, we must recognize their risks. In the real world, we know how to guard our privacy and security carefully. It is just as important to do so in the on-line world. So in this hearing, we are going to look at these very incredibly popular programs. In fact, the most popular of these file-sharing programs, KaZaA, has been downloaded more than 220 million times. That is really incredible, 22 million times in the last 2 months alone. Despite their soaring popularity, few people understand the risks that these new file-sharing programs can pose. In large part, this is due to what I call the on-line generation gap. The users of file-sharing programs are predominantly teenagers. The parents, however, and grandparents are too often left struggling just to keep up. In our report that we are releasing today, I think we have an opportunity to inform the parents and grandparents that when their kids use these file-sharing programs, they may find that inadvertently they are sharing incredibly personal files through these peer-to-peer networks. Our investigators found that they could find completed tax returns, medical records, and even entire e-mail in-boxes through simple searches using file-sharing programs. No one would want to share this kind of personal information, but in many cases, that is exactly what is happening. Due to the way some users configure their computers, their personal files can be accessed by millions of strangers through peer-to-peer networks. This invasion of privacy is not the only risk families face. Our report finds that when users download free file-sharing programs, they are also exposing their computers to hidden software called ``spyware'' or ``adware.'' These programs track what you do online, the Web sites you look at, how long you stay on those Web sites, even your e-mail address. This zombie-like ware, which takes over the spare computing power of personal computers can be bundled with file- sharing programs. So not only can they get access to what is in your personal files, they can make your computer server a zombie for their own purposes. Besides tracking your computer habits, these programs can also cause software conflicts and computer crashes. In fact, in committee testing, these programs ruined a committee computer twice. Even the House's most experienced computer technicians could not restore the computers. The chairman mentioned that we are putting computers at risk for viruses and other damaging computer files, and we will have more testimony about that in our hearing. While technical innovation on the Internet is tremendously important, our purpose in holding these hearings and releasing these investigative reports is not to say that peer-to-peer technology is inherently bad. In fact, it may ultimately prove to have important and valuable uses. But there can be no question that this new technology, at least in its current incarnation, can create serious risks for users. Our purpose in holding these hearings is to help the public understand what these risks are. Without this knowledge, families and businesses simply will not be able to make intelligent decisions about the technology. [The prepared statement of Hon. Henry A. Waxman follows:] [GRAPHIC] [TIFF OMITTED] T8016.003 [GRAPHIC] [TIFF OMITTED] T8016.004 [GRAPHIC] [TIFF OMITTED] T8016.005 [GRAPHIC] [TIFF OMITTED] T8016.006 [GRAPHIC] [TIFF OMITTED] T8016.007 Chairman Tom Davis. Thank you very much, and let me also commend the staff, and Mr. Waxman, your leadership in helping put these hearings together. Are there any other opening statements; the gentleman from Maryland? Mr. Ruppersberger. The information superhighway has opened many doors and opportunities, both in terms of communication and in terms of commerce. It gave us a .com boom in the mid-and late 1990's and helped us to make a more technologically advanced country. Now privacy on the Internet has been discussed in Congress since 1998. We have discussed what information needs to be protected. Is a disclosure policy a privacy policy? How do we protect it and how do we enforce it? Does Congress need to set standards, or do we let the industry decide what is best? As technology advances, we have to ask ourselves, if Government does promulgate regulations, will those regulations be able to keep up with the pace of technology? Now today we are discussing file-sharing networks like KaZaA and Morpheus. These networks allow subscribers to download and share music, photo and video clips with other subscribers. The question is, how safe are these networks? Can a hacker or an individual use networks to get around any firewalls and protections and invade persons' more personal files? Can they look at people's Quicken statements? Can they view saved e-mails and documents? Privacy is not just about personal information. The most important part is, we have to be able to be concerned about how those companies track and use what you download to market your items. Do these networks sell your information to retailers? Do they share them with spammers, companies that flood our e-mail with product information? At this time, I think we need legislation, but I am fearful whatever we write up in Congress will be obsolete within 1 year. Can we legislate privacy? Yes, we can. Congress has done that. We have cable and video store privacy. We have financial privacy and we have medical privacy. Why not person-to-person network privacy? How about a strong Federal enforcement mechanism, based on violations of industry-based best practice standards? Now obviously, no one wants to harm the continued advancement of technology. But eventually there will be the need for a balance. There will be the need to assure people that your information is safe as you connect to the Internet as it travels through cyberspace. Thank you, Mr. Chairman. Chairman Tom Davis. Thank you very much. Does anyone else wish to make an opening statement? [No response.] Chairman Tom Davis. We will now move to our witnesses. We have Nathaniel Good from the University of California, Berkeley, who will be demonstrating for the committee how personal documents can easily be accessed from peer-to-peer file-sharing networks. Next, we have Jeffrey Schiller, who is network manager for the Massachusetts Institute of Technology. Following Mr. Schiller is Dr. John Hale, the director of the Center for Information Security at the University of Tulsa. We will then hear from Alan Davidson from the Center for Democracy and Technology; and then from Derek Broes, the executive vice president of Brilliant Digital Entertainment. Next is Mari Frank, who is an identity theft expert. Rounding out the panel is James Farnan, Deputy Assistant Director of the Federal Bureau of Investigations Cyber Division. It is the policy of this committee that all witnesses be sworn before they testify, so if you will rise with me and raise your right hands. [Witnesses sworn.] Chairman Tom Davis. Thank you very much; please be seated. We have a light in front. We have your total statements in the record that we have read. Your green light will be on for the first 4 minutes. In the 5th minute, an orange light will go with the red light, so at 5 minutes, we would appreciate your summing up. Your total testimony is in the committee record, and we will go from there. I think for our first witness, you are going to do a demonstration. We will cut a little slack on the time, but if we can get it down, then we can get to questions; thank you very much, Mr. Good. STATEMENT OF NATHANIEL S. GOOD, UNIVERSITY OF CALIFORNIA, BERKELEY, SCHOOL OF INFORMATION MANAGEMENT SYSTEMS Mr. Good. Thank you very much; good morning, Mr. Chairman and committee members. Thank you for the opportunity to appear before you today. In the brief amount of time that we have to talk to you about our study, we would like to give you a video demonstration of the problem that we found with KaZaA; describe how this problem can occur; and then talk about the possible solutions to this problem. On the screen in front of you is KaZaA. KaZaA is the most popular peer-to-peer file-sharing program on the Internet today. With KaZaA, you can look for any type of file, such as music, documents, videos. Any file that can be stored on your hard drive can be shared through the KaZaA network. To do this, one would download the application, type the key words that one is looking for into the search box, hit the return, and the results would pop up to the right to your search box. In this example, we will show how a user could get ahold of someone else's personal information through KaZaA by typing key words and looking for information from the search results. So in the first example that we have, we have a user who is looking for a file called ``inbox.dbx.'' Inbox.dbx is someone's e-mail file. As you can see, there have been a couple different results that we have returned. If we wanted to see what other files these people were sharing, we could go to that person's file. We could find more from that user, and we would see all the files that this person is sharing. So we can see there are other e-mail files that this person has. There is the ``sent'' files that this person has. There are a whole bunch of deleted items that we could download and restore and look at, and there is also the in-box and other personal pieces of information. So for the next search, we will be doing a slightly more sophisticated search, where we will be looking for an Excel spreadsheet that has possibly credit card information. In this demonstration, we will show how, if you know a little about what Excel is, that you know an Excel document has the extension ``XLS,'' and you think that someone would call their Excel document credit card, or something that begins with credit. You could type in these key words here, run a search, and this is what you would probably see, something very similar to this. So here we have a list similar to the list that we had earlier, where we had a bunch of files that were returned from various users. If we wanted to see some more files from an end user, we could click on a file there, type in find more from same user. Again, we would see all the fields that that person has shared. In this case, it looks like the person has pretty much shared most of their hard drive. There is again, the in-box file. This is the e-mail file we were talking about before. There are a whole bunch of system files. There are cookie files. If we scan over, we can see a little bit more detailed file information. We can sort by media type, so we can browse around and look for other types of information. So we can see that this person has certain spread sheets that pertain to salary structures. They have a PDF on tax returns. They have letters that they have written to people. They have an address book. If we keep browsing through, we will find that they have bonus agreements that they have sharing. There is a lot of stuff here that this person probably does not want the rest of the world to download. We also have the credit card activity, the spreadsheet that we talked about earlier. There is quite a bit, as you can see; office documents and there is the credit card file, again. There is another one. Here, we also have a password list which, unfortunately, probably contains all the passwords that this person has to get into various Web sites or corporate sites. People typically keep their passwords in a document, because they have to remember so many of them. So if we downloaded this, we probably would be able to hop around to various Web sites and jump into this person's accounts and such. So this is pretty much the problem that we discovered on KaZaA. We determined that through a series of user studies and analyzing the interface, that this problem could occur because parts of the KaZaA application could be very confusing to users, and it relied very heavily on some unstated assumptions. In some cases, it was possible for the user to think that what they were sharing was completely different than what was actually being shared. There are too many details to cover in the time that we have allocated, but if you were able to go over the research report that we have and our written testimony, you should be able to get more details about how this problem could possibly occur. As for solutions, we see two possible paths that we could take. The first is education. It is important for people to understand that what peer-to-peer can share, and more generally, what it means to be connected to a network in terms of privacy and security. We would also like to see stronger default settings and better explanations of what is going on in the program. It is important that applications should be safest right out of the box. Security and convenience are typically seen as tradeoffs of one another. As the world becomes more networked and more devices are able to store, collect, and share private information, it is crucial that we find ways for applications to be secure without sacrificing convenience and vice versa. Thank you very much for your time. [The prepared statement of Mr. Good follows:] [GRAPHIC] [TIFF OMITTED] T8016.008 [GRAPHIC] [TIFF OMITTED] T8016.009 [GRAPHIC] [TIFF OMITTED] T8016.010 [GRAPHIC] [TIFF OMITTED] T8016.011 [GRAPHIC] [TIFF OMITTED] T8016.012 [GRAPHIC] [TIFF OMITTED] T8016.013 [GRAPHIC] [TIFF OMITTED] T8016.095 [GRAPHIC] [TIFF OMITTED] T8016.096 [GRAPHIC] [TIFF OMITTED] T8016.097 Chairman Tom Davis. Thank you very much. Mr. Schiller. STATEMENT OF JEFFREY I. SCHILLER, NETWORK MANAGER/SECURITY ARCHITECT, MASSACHUSETTS INSTITUTE OF TECHNOLOGY Mr. Schiller. Good morning and thank you for inviting me. Chairman Tom Davis. Thank you. Mr. Schiller. I am actually not going to read my statement, but I will tell you essentially what is in there. I have been involved in the Internet since the day it was born which was, we say, January 1, 1983, and there is a story behind that. It is funny, I remember, e-mail was the application that everybody said was the forbidden application, because it was a waste of network bandwidth. So here we are today with e-mail being one of the killer applications, and we are looking at another application that causes us a bit of concern. From my view as a security expert, I can tell you that my professional assessment is that these programs, peer-to-peer file-sharing, particularly once they are perfected, are not significantly more dangerous, from an end users perspective, than any other technology they use. Just as we have seen here today, KaZaA can be used to reveal private information. I have certainly received in my e- mail inbox private information that was sent via e-mail, due to various viruses and worms that people have caught. Because of who I am, I net a lot of that sort of stuff, and it is pretty amazing what you can get. So I try to say, what is the difference between a file- sharing program that we have today and some of the traditional technology that we have on the Internet, such as e-mail and Web browsing? One of the key differences is that file-sharing is still under active development. The e-mail technology we use today was standardized many years ago, and it does not change. As a manager of a network, if I wish to control e-mail, if I wish to set up a firewall that examines incoming e-mail messages to make sure they do not contain viruses or worms, I can do that, but I can be pretty assured that my e-mail scanning will, in fact, happen as it is supposed to. However, file-sharing programs are programs that are currently under active development. As some of us who run networks try to put in ways of controlling them, the authors of these programs in their newest versions put in ways to get around those controls. So one of the ways that peer-to-peer file-sharing significantly differs from the more traditional applications is the intent to subvert third party controls. That is inherent in them. That is not inherent in other technologies. So as a network manager, one of my concerns with peer-to- peer file-sharing is its use of our precious bandwidth, which we pay dearly for; and there are various tactics that we can do to try to limit the use of that bandwidth. What happens next, of course, is the next version of these programs, those various techniques to avoid that rate limiting. Without going into a lot of technical detail, one of the things we have been seeing is what I call ``port hopping.'' Most Internet applications use a well known port. E-mail travels over port 25, for example; file transfer over port 21, Web browsing over port 80. Well, in their early days, most file-sharing programs had well known ports. I use port 1214, for example, and by controlling access to that port, we could control its use. What we are seeing more and more of are programs that hop around. They might use port 1214 for a few minutes, and then a few minutes later, we see a lot of traffic on some other literally randomly chosen port. With applications that do this, it becomes very difficult to actually know what is going on and control it. We have also seen applications that appear to be encrypting their content; not to hide it from any eavesdropper, but to make it difficult again for us to figure out, oh, this is file- sharing programs. There are many such programs that do this. KaZaA is not the only one. So my point today is that one of the things that makes these things just a bit more dangerous than other things is the attempt to subvert third parties. Particularly in an environment where you have end users who are not necessarily experts, who leave themselves exposed, we have many places where we try to use firewalls at the corporate level to protect people, and that is being subverted. Now like everything, many things are a two-edged sword. Sometimes, the third parties trying to control access to the network are not necessarily what we could consider good guys. The same technology that a corporation can use to control access can be used by governments that wish to suppress their people, and peer-to-peer file-sharing programs can often be used as a way of spreading the work, without it being controlled. But like all things, it is a two-way street, thank you. [The prepared statement of Mr. Schiller follows:] [GRAPHIC] [TIFF OMITTED] T8016.014 [GRAPHIC] [TIFF OMITTED] T8016.015 [GRAPHIC] [TIFF OMITTED] T8016.016 [GRAPHIC] [TIFF OMITTED] T8016.017 Chairman Tom Davis. Thank you very much. Dr. Hale. STATEMENT OF DR. JOHN HALE, ASSISTANT PROFESSOR OF COMPUTER SCIENCE AND DIRECTOR, CENTER FOR INFORMATION SECURITY, THE UNIVERSITY OF TULSA Mr. Hale. Mr. Chairman, Ranking Minority Member Waxman, and members of the committee, thank you for giving me the opportunity to testify today on a topic that is of growing concern to the network security community, to American businesses and schools and, in fact, anyone that uses the Internet. I am an Assistant Professor of Computer Science at the University of Tulsa, and serve there as the Director of its Center for Information Security. Over the past 5 years, I have watched peer-to-peer technology make a startling transition from the backwaters of computer science to mainstream society. This March, Sharman Networks hit the 200 million mark for downloads of its popular KaZaA Media Desktop. File-sharing softwares are in homes, businesses, and schools across the world, connecting users in a peer-wise architecture that is both resilient and efficient. Peer-to-peer networking has grown faster than the Internet itself, reaching a much broader audience at this stage of its development. But there is a downside to placing such a potent technology in the hands of novice users. A peer-to-peer client exposes a computer to new threats, and some of the practices of its developers magnify the risk. The prevalence of spyware in peer-to-peer clients is but one example. Developers bundle spyware in their clients to generate revenue. One company maintains that it is ``intrigral'' to the operation of their product. Of course, there is no inherent functional dependency between advertising and file-sharing. Intrigral then means that the peer-to-peer software has been deliberately engineered so that it will not function without the spyware active. To avoid detection, spyware often hides in system folders or runs in the background. Amazingly, some spyware components remain on a system long after the original application is removed and will even imbed themselves in a host, despite an aborted installation of a carrier program. Spyware imbedded in clients sometimes downloads executable code without user knowledge. Even if the code is not malicious, it may contain flaws that render a system vulnerable to attack. More importantly, the clandestine nature of the software makes detection and remediation extremely challenging. Peer-to-peer is also commonly designed to circumvent network security services. Techniques such as tunneling, port hopping, and push request messages make it difficult to detect and filter peer-to-peer traffic. HTTP tunneling, in which peer-to-peer communications are disguised as Web traffic, is popular because such traffic often travels freely across networks. To this end, tunneling not only helps violate a network security policy by enabling forbidden applications, but also expands the network perimeter in ways unknown to system administrators. Another trick used by some of the most popular peer-to-peer clients is to vary communication ports, a technique called port hopping. This thwarts blocking and scanning software that identifies network services, based on well-known port assignments, as described previously. Push request messages in the Gnutella protocol are used to circumvent firewalls. Instead of a client pulling a file to it, it asks the host behind the firewall to push the file out. This is all transparent to the user, but it constitutes a subtle collusion between the two clients to violate a security policy. Another concern is how flaws in clients can increase exposures in a network, leaving it vulnerable to hackers. Exploitable weaknesses in peer-to-peer software have been identified, and in some cases, the media files themselves can enable an attack. There is nothing special about peer-to-peer clients that makes them any more flawed than other software. However, several factors conspire to amplify the risks they induce. They engender massive ad hoc connectivity across network domains. Hosts are exposed to every user on a peer-to-peer network. More than that, they allow users to share files pseudo-anonymously. Often, clients, themselves, are installed from peers on a network. In short, peer-to-peer file-sharing exposes systems to untrusted hosts and software, and offers little in the way of protection. Worms and viruses are also very real threats. The most recent example is the Fizzer virus, a blended attack that propagates via e-mail and KaZaA. Another is the Duload worm, which hides in a system folder, and alters the registry so that runs it startup. But it then copies itself to several provocatively named files within a folder that it exposes to the peer-to-peer network. Since Duload relies on human interaction, it is more of a virus than a worm. So Internet worms that target Web and data base servers actually provide better insight of the real potential. Code Red infected almost 400,000 Internet hosts within 14 hours, causing an estimated $2.6 billion in damage. Nimda infected 2.2 million hosts. The Slammer worm, by comparison, only affected 200,000 hosts, but set new speed records, infecting 90 percent of its victims in under 10 minutes. A true peer-to-peer worm can infect an entire network with similar speed. More importantly, the obstacles for remediation indicate that it would have tremendous staying power, re- infected unpatched hosts and infecting new ones as they came on-line. There is a role for technology to play in addressing these problems, but it is only a small piece of the solution. Users have to be made aware of the risks of file-sharing. Developers must live up to higher standards of integrity and transparency for the software they develop. We cannot predict the next Code Red or Nimda. But if and when it strikes peer-to-peer networks, I hope we do not look back and see a missed opportunity to lead a promising technology out a turbulent period in its development; thank you. [The prepared statement of Mr. Hale follows:] [GRAPHIC] [TIFF OMITTED] T8016.018 [GRAPHIC] [TIFF OMITTED] T8016.019 [GRAPHIC] [TIFF OMITTED] T8016.020 [GRAPHIC] [TIFF OMITTED] T8016.021 [GRAPHIC] [TIFF OMITTED] T8016.022 Chairman Tom Davis. Thank you very much. Mr. Davidson. STATEMENT OF ALAN B. DAVIDSON, ASSOCIATE DIRECTOR, CENTER FOR DEMOCRACY AND TECHNOLOGY Mr. Davidson. Mr. Chairman, Mr. Waxman, members of the committee, I am Alan Davidson, associate director of the Center for Democracy and Technology. CDT is a non-profit public interest group, based here in Washington, dedicated to promoting civil liberties and human rights on the Internet. Since its creation, CDT has been heavily involved in issues of on-line privacy and security, and we welcome the opportunity to testify today on a timely issue of privacy and security, the question of privacy on popular peer-to-peer file-sharing systems. We commend the committee for its thoughtful efforts on this and other topics related to peer-to-peer over the last few months and few years. Our top line is this. The use of file-sharing software certainly raises serious privacy issues for consumers and computer users, often through mistakes that the users make in sharing very sensitive personal information. At the same time, file-sharing technology can be very beneficial. It is new and changing, and it is largely in the control of the people who use it. So the most important thing that we can do is to inform people about the potential risks of sharing, and teach them how to use peer-to-peer safely. There are other things, as well, and I will go into that. As we have heard, peer-to-peer file-sharing systems are a computing phenomenon. They are among the most popular and downloaded computer programs today. Much of the concern that we have comes from the fact that these are systems that just a few years ago were used by a relatively small and savvy group of people. Today, they are being embraced by millions of users, many of whom do not have a lot of expertise. People who install these powerful tools need to be aware of the potential privacy and security risks that come from their use or their misuse. Among our top concern, first and foremost, and potentially most serious, is this issue of inadvertent sharing of sensitive personal information. I cannot do much better than the demo that you saw in trying to make it clear how it is possible, in some cases, probably too easy, for people to share personal files. Certainly, there is a lot of evidence that some people, at least, are doing this. A cautionary note, we need to keep this in perspective. We do not have a good set of data right now about how big a problem this is. There is not very much research in terms of quantifying how large a percentage of people are doing this. But certainly, for some people, this is a very real problem. Second, many file-sharing programs, as we have heard, contain spyware that communicates information for advertising or for other reasons, often without a user's knowledge. This is not a problem that peer-to-peer file-sharing networks have alone. This is a problem in many software programs for users. But whether in peer-to-peer or in other software, consumers deserve real notice and real choices about how their computers are going to communicate with third parties. A third issue for us are the legal risks that people face when using these systems and the privacy issues that can come with that. First of all, file traders who violate copyright laws face obvious legal risks. At the same time, we are concerned that at least one provision of the current law, which is the broad subpoena power that is granted to any copyright holder under Section 512(h) of the DMCA, too easily allows the identity of a peer-to-peer participant, or for that matter, any Internet user, to be unmarked wrongly or by mistake without their knowledge. That is something that we think Congress should address. So what do we do about all of these problems? First and foremost, and I think you have already heard some of this, the public and particularly the families of file trading minors need greater awareness of the potential risks of file-sharing. One example of how to do this is something that we have been working on, in collaboration with a number of other companies and public interest groups, which is the GetNetWise. It is a collaborative collection of tools for families seeking to protect their kids on-line. It is a Web site, GetNetWise.org, that is linked to by over 80,000 sites, including many major Internet providers, other public interest groups, Members of Congress including, I believe this committee, for which we are always grateful, and your tips on how to protect kids in peer-to-peer networks from adult content. First of all, there is a major new initiative in this project. I have attached to the back of my testimony some of the materials from that, to try to educate parents about how to keep their kids safe when using peer-to-peer networks. There are lots of tips. There are tips in some of the other sets of testimony that were put together. Those are the kinds of things that we need to do to really make parents and families aware of the risks that they may be facing. There are other things that can be done, as well. Another is that we must insist that fair information practices be obeyed in file-sharing software. Much more could be done to design these systems with better transparency and better control. Software producers should reject invasive spyware, unless they find ways to give people more notice and control. Finally, we do think that Congress should be looking at finding ways to add privacy protections to these DMCA subpoenas so that mistakes are not made. I think our bottom line is, we do not need to throw the baby out with the bath water. There are many benefits to some of these technologies. They are also facing their own moments of dislocation and concern. We look forward to working with Congress to find a way to make sure that privacy is protected without damaging what can be a very good source of innovation. [The prepared statement of Mr. Davidson follows:] [GRAPHIC] [TIFF OMITTED] T8016.023 [GRAPHIC] [TIFF OMITTED] T8016.024 [GRAPHIC] [TIFF OMITTED] T8016.025 [GRAPHIC] [TIFF OMITTED] T8016.026 [GRAPHIC] [TIFF OMITTED] T8016.027 [GRAPHIC] [TIFF OMITTED] T8016.028 [GRAPHIC] [TIFF OMITTED] T8016.029 [GRAPHIC] [TIFF OMITTED] T8016.030 [GRAPHIC] [TIFF OMITTED] T8016.031 [GRAPHIC] [TIFF OMITTED] T8016.032 [GRAPHIC] [TIFF OMITTED] T8016.033 [GRAPHIC] [TIFF OMITTED] T8016.034 [GRAPHIC] [TIFF OMITTED] T8016.035 [GRAPHIC] [TIFF OMITTED] T8016.036 [GRAPHIC] [TIFF OMITTED] T8016.037 [GRAPHIC] [TIFF OMITTED] T8016.038 [GRAPHIC] [TIFF OMITTED] T8016.094 [GRAPHIC] [TIFF OMITTED] T8016.039 Chairman Tom Davis. Thank you very much. Mr. Broes. STATEMENT OF DEREK S. BROES, EXECUTIVE VICE PRESIDENT OF WORLDWIDE OPERATIONS, BRILLIANT DIGITAL ENTERTAINMENT Mr. Broes. Thank you for inviting me. Chairman Davis, Representative Waxman, and members of the committee, I am Derek Broes. I am the executive vice president of Worldwide Operations for Brilliant Digital Entertainment and its subsidiary, Altnet. Altnet offers the largest secure commercial platform for distribution of digital content over peer-to-peer software- based networks. Under an exclusive agreement with Sharman Networks Limited, publisher of KaZaA Media Desk peer-to-peer application, Altnet reaches an estimated 75 million worldwide unique users per month. That is about twice the reach of America Online. With this reach, Altnet has become the largest distributor of rights-managed content over the Internet today. Altnet takes the issues before this committee very seriously. As you will hear in my testimony today, Altnet is leveraging its role as the market leader by spearheading efforts to make security and privacy over file-sharing networks a top priority. There is something very exciting about technology that allows tens of millions of people across the globe to simultaneously connect to each other. It is a true digital democracy. But as in any democracy, there are challenges that must be overcome, and moral and ethical standards to be established. As with any technology that reaches millions of people, there is a responsibility that every company must assume when creating an instant messenger, e-mail, peer-to-peer, online interactive games, chat rooms, or any technology designed to share digital words or files with anyone, any time, instantly. My past experience in the entertainment industry, combined with experience in Internet peer-to-peer security technologies, gives me a uniquely broad perspective on the issues before the committee here today. As the former CEO of Vidius, Inc., I built an Internet security company that creates products to monitor corporate networks for security risks associated with file-sharing applications that are run on company computers. In most cases, we found the risks solvable with simply company policy changes and minor network alterations. In addition to addressing corporate security risks, much of Vidius' work was dedicated to an in-depth technical analysis of peer-to-peer networks for such clients as the Motion Picture Association and the Recording Industry Association of America, and that was from an anti-piracy point of view. I firmly believe that it is the responsibility of peer-to- peer file-sharing companies to protectively protect the privacy and security of the users of their software application. While there are some unique challenges to making file- sharing programs applications more secure, which I will outline, it is important that we de-mystify these technologies and realize that the many protective security technologies that are already widely available. By simply adopting the standards commonly used by the World Wide Web such as Secure Socket Layer, Public Key Infrastructure [PKI], and Authentication Agents, file-sharing becomes much more secure. In addition to these, distributors of peer-to-peer applications should adopt standard user privacy policies, and take care to educate users as to how their applications works and how to be a safe and responsible user of that application. Beyond adopting industry standard security practices and policies, distributors of file-sharing applications must also address security challenges common to peer-to-peer and similar infrastructures. A publicized threat with file-sharing technology, as well as with e-mail and instant messenger technologies, is the spread of viruses. As you would expect, when files come from an anonymous and uncertified source, the risk of that file containing a virus is greatly increased. In addition, many file-sharing applications provide a tool to allow users to search their hard drives for files to share. If that tool is used incorrectly, users could inadvertently give access to their confidential files and folders. Allow me to review how Altnet meets the challenges from within the KaZaA Media Desktop peer-to-peer application, and how Sharman Networks, the owner and operator of KaZaA have reacted to various privacy and security issues over the past 18 months. Altnet's patented technology called ``TrueNames'' ensures that only certified and authenticated files can be transferred by the Peer Enabler component of the Altnet application. This eliminates the risk of viruses when users download files from file-sharing networks that utilize this technology, such as the KaZaA Media Desktop. Sharman Networks has taken great care to protect users' privacy and security. As distributors of the most popular peer- to-peer application today, Sharman Networks has consistently led the field with security enhancements developed explicitly for the challenges of this new industry, including the peer-to- peer's first built-in anti-virus tool. KaZaA Media Desktop contains two layers of propriety virus protection technology. In addition, Bullguard, a well-known anti-virus software, is installed free with the KaZaA Media Desktop application, providing users with an additional layer of security and protection. Sharman has shown great commitment to ensure that any new malicious viruses that freeze or silence or otherwise compromise a user's PC and its information are detected by this software, as was with Fizzer. Altnet and Sharman Networks take every opportunity to encourage responsible and safe peer-to-peer usage through user education and via the default configuration of the software of the upcoming release. The nature of the decentralized peer-to-peer technology means that users are in control of the material they choose to share with others. Our goal is to provide them with the education and tools they need for safe and responsible use. Commercialization of the World Wide Web has lead to the creation and adoption of advanced security, privacy policies and protection technologies, and the evolution of file-sharing networks will follow that same path. The future technological benefits of peer-to-peer technology are only now being explored and include the voluntary creation of shared resource networks that will allow massive distributed computing and storage of a scale only dreamed about by the pioneering medical research and astronomy projects that have received publicity to date. These types of applications will give research labs the ability to share processing power with hundreds of thousands of computers and digitally crunch billions of numbers in a nanosecond. The technological benefits of such a program are undisputed. From medical research to rendering Toy Story part 3, Altnet intends to lead the market by presenting an opt-in resource sharing program to users that will be defined by the highest principles of disclosure and consent. If file-sharing software companies understand and meet their responsibilities, and content companies support these positive and important initiatives, then companies such as Altnet will have the ability to find an audience, reduce piracy, offer vastly improved efficiencies in digital distribution, create instantly accessible global content sales and marketing channels, provide a variety of public services, distribute a movie, market an artist, and sell a game, all while turning a profit and protecting user privacy from within a secure environment. We welcome input from our peers and from this committee to insure that we continue to meet the responsibilities we have assumed. Thank you, Mr. Chairman, for the opportunity to participate in this important hearing today. [The prepared statement of Mr. Broes follows:] [GRAPHIC] [TIFF OMITTED] T8016.040 [GRAPHIC] [TIFF OMITTED] T8016.041 [GRAPHIC] [TIFF OMITTED] T8016.042 [GRAPHIC] [TIFF OMITTED] T8016.043 Chairman Tom Davis. Thank you very much. Ms. Frank. STATEMENT OF MARI J. FRANK, ESQUIRE, MARI J. FRANK, ESQUIRE & ASSOCIATES Ms. Frank. Good morning, Chairman Davis, Ranking Member Waxman, honorable committee members and invited guests. Thank you for the opportunity to address you today. My name is Mari Frank, and I am attorney and the author of the ``Identity Theft Survival Kit'' and ``Privacy Piracy'' from Laguna Niguel, CA. I have brought copies of these for the committee to use. My identity was stolen in 1996 by an imposter who paraded as an attorney, robbing me of my profession, my credit, and my piece of mind. She obtained over $50,000 using my name, after going on-line to obtain my credit report. Your personal information, worth more than currency itself, can be used to apply for credit cards, mortgages, cell phones, insurance, utilities, products, and services, all without your knowledge. A fraudster can do anything you can do, and worse than that, they can do things you would not do, like commit crimes and terrorist activities. There are three motivations for identity theft. First is financial gain. An example: Robert is a high tech computer consultant who normally encrypts all his sensitive data on his computer. Unfortunately, his resume was not stored in an encrypted file. He suspects that his impersonator accessed his computer through a network, copied his resume, and used it to obtain a well paying job. When Robert applied for the same job, he was shocked to find out that another person with his name and credentials was already hired. The second reason is avoiding prosecution. Tom was laid off from a high paying job in the medical industry. He had great recommendations and felt sure that he would be re-hired. For 2 years, he was denied position after position, after each company had performed a background check. Finally, Tom hired a private investigator that showed him that his criminal background included two DUIs and an arrest for murder, none of which belonged to him. The third reason someone commits identity theft is revenge. The first cyber-stalking case prosecuted in Orange County, CA turned out to be identity theft. A computer expert was angry when a woman he liked shunned his advances. So he impersonated her in a chat room, stating that she had fantasies of being raped. When he gave out her phone number and address, several men appeared at her door. There are many ways in which personal information can be obtained. According to the FTC, the Federal Trade Commission, 72 percent of victims have no idea how their information was accessed. The new May 2003 California Public Research Study on Police and Identity Theft list the top sources of identity theft: mail theft, dumpster diving, unscrupulous employees, stolen or lost wallets, Internet fraud, burglary, friends, relations, phone scams, unethical use of public documents, shoulder surfing, medical cards and drivers licenses, and personal information sold by financial institutions. Since this hearing is focusing on the peer-to-peer file- sharing vulnerabilities and the potential of revealing sensitive information in our computers, I am going to give a few suggestions that are just lay person things. No. 1, research any program before installing it. No. 2, learn how to safely stop sharing your files and how to unblock wanted files from entering your computer. Three, if possible, when using peer-to-peer file-sharing on the Internet, use a computer that does not store personal information on it. Four, password protect and encrypt your sensitive files. Five, do not put any confidential information in your e-mail, unless they are encrypted. Next, be conscious about what information you share in your files at Web sites, in chat rooms, and in e-mail. Read the privacy policies of the Web site you deal with and try and understand them. Make sure you have updated virus protection on your computers, and do not assume that you are anonymous. Your confidential information is a valued commodity. Marketers, information brokers, and the financial industry, buy, transfer, and sell your aggregated profiles, including your income; credit-worthiness; buying, spending, and travel habits; health information, and much more. Intimate facts about your life are shared legally and illegally without your knowledge or consent. The loss of control over our personal information has led to the epidemic of identity theft. I applaud this committee for researching the perils posed by peer-to-peer file-sharing. It is important to acquire knowledge, security measures, and careful strategies to protect ourselves. Hopefully, divulging security flaws in peer-to-peer file-sharing and other technologies to the media and Congress will encourage companies to make user-friendly security a top priority. But peer-to-peer file-sharing may pose less of a theft of identity theft than the careless display of records at your doctor's office, the negligently piled tax returns left on your accountant's desk for the cleaning crew to review, the encrypted and unlocked cabinets with personnel files at work, the non-shredded trash bins behind banks, insurance agencies, and mortgage companies, and the hack data bases of credit card companies, financial companies, and universities and the like. To prevent identity theft, the burden should be on the credit granters who are in the unique position on the front end to take precautions and require verification of change of address, and refuse to issue to fraudsters. Unfortunately, quick, easy credit, pre-approved offers convenience checks, mass marketing of data bases and sloppy information handling make this a simple crime. I encourage this honorable committee to also investigate ways in which the financial industry and information brokers can better protect our security. Since Congress passed the Financial Modernization Act in 1999, identity theft has skyrocketed. Whether on-line or offline, our sensitive information must be better protected to foster consumer trust, so that our economy and our society can flourish; thank you. [The prepared statement of Ms. Frank follows:] [GRAPHIC] [TIFF OMITTED] T8016.044 [GRAPHIC] [TIFF OMITTED] T8016.045 [GRAPHIC] [TIFF OMITTED] T8016.046 [GRAPHIC] [TIFF OMITTED] T8016.047 [GRAPHIC] [TIFF OMITTED] T8016.048 [GRAPHIC] [TIFF OMITTED] T8016.049 [GRAPHIC] [TIFF OMITTED] T8016.050 [GRAPHIC] [TIFF OMITTED] T8016.051 [GRAPHIC] [TIFF OMITTED] T8016.052 [GRAPHIC] [TIFF OMITTED] T8016.053 [GRAPHIC] [TIFF OMITTED] T8016.054 [GRAPHIC] [TIFF OMITTED] T8016.055 [GRAPHIC] [TIFF OMITTED] T8016.056 [GRAPHIC] [TIFF OMITTED] T8016.057 [GRAPHIC] [TIFF OMITTED] T8016.058 [GRAPHIC] [TIFF OMITTED] T8016.059 [GRAPHIC] [TIFF OMITTED] T8016.060 [GRAPHIC] [TIFF OMITTED] T8016.061 [GRAPHIC] [TIFF OMITTED] T8016.062 [GRAPHIC] [TIFF OMITTED] T8016.063 Chairman Tom Davis. Thank you very much. Mr. Farnan. STATEMENT OF JAMES E. FARNAN, DEPUTY ASSISTANT DIRECTOR, CYBER DIVISION, FEDERAL BUREAU OF INVESTIGATION, ACCOMPANIED BY DAN LARKIN, SUPERVISORY SPECIAL AGENT, FEDERAL BUREAU OF INVESTIGATION Mr. Farnan. Good morning, I would like to thank Chairman Davis, Ranking Member Waxman and members of the committee for the opportunity to testify today. We welcome your committee's leadership in dealing with the serious security and privacy issues associated with identity theft and peer-to-peer sharing. My testimony today will address the activities of the FBI's Cyber Division, in relation to the Internet and identity theft. I have asked Supervisory Special Agent, Dan Larkin, Chief of our Internet Fraud Complaint Center to attend, and he will provide specific answers, should the committee have any questions about more technical matters with the Internet Fraud Complaint Center's role in this area. A May 8th cover story in the Washington Post is nothing new to Americans today. Another group was discovered in possession of a veritable factory of counterfeit credit cards, including newly made cards, credit card numbers downloaded from a major retail store, and 600 pages containing more than 40,000 alleged stolen names and credit card numbers. As the investigation continues, we will probably find that these criminals have affected the lives of hundreds of victims, perhaps destroying their credit and creating hardships that will take years to abate. These thefts could be the result of computer hacking, insider theft, and/or social engineering. Stolen information can also be sold and used to establish new identifies for fugitives or terrorists. In these cases, identity theft can have much more serious consequences. Identity theft is the fraudulent use of individual's personal identifying information. It is normally a component or end result of another crime. Victims of identity theft often do not realize that someone has stolen their identity until their credit has been ruined. Although we have received no complaints alleging identity theft by peer-to-peer to networks, some factors must be considered. Peer-to-peer networks primarily serve as a ``come and get it'' resource on the Internet. In using such a utility, the user specifically searches for the item they want; for example, music, images, or software. The most significant criminal activity involving peer-to- peer sharing centers largely on music and software privacy, an area in which the FBI has been working closely with the private industry. The FBI has also seen an increase in peer-to-peer sharing of child pornography files. Peer-to-peer networks are increasingly being identified as sources from which Trojans or back doors were installed on computers during downloads. Victims sometimes discovered that personal and financial information have been removed from their computer through the back door. It is becoming more common for ``bots'' or active Trojans to be installed during a peer-to-peer download. In these instances, the victim computer executes instructions from the ``bots'' creator. Active ``bots'' could also be used to retrieve sensitive information from victim computers in furtherance of identity theft schemes. A person using peer-to-peer utilities for unauthorized or illegal purposes is not as likely to tell the FBI that a back door was found on their system, or that as a result, certain personal or financial information may have been taken. Through the Internet Fraud Complaint Center [IFCC], the FBI has positioned itself at the gateway of incoming intelligence regarding a wide variety of cyber crime matters. The IFCC received 75,000 complaints in 2002, and is now receiving more than 9,000 complaints each month. We expect that number to increase significantly, as the American and international communities become more aware of our mission and capabilities. Later this year, the IFCC will be renamed as the Internet Crime Complaint Center, to more accurately reflect its mission. The center receives complaints about various Internet-based crimes, analyzes the complaints for common patterns and perpetrators, and then sends them the appropriate agency for investigation and prosecution. In summary, cyber crime continues to grow at an alarming rate, and identity theft is a major part of the increase. Criminals are only beginning to explore the potential of crime via peer-to-peer networks. The FBI is grateful for the efforts of your committee and others dedicated to the safety and security of our Nation's families and businesses. The FBI will continue to work with your committee and aggressively pursue cyber criminals as we strive to stay one step ahead of them in the cyber crime technology race. I thank you for your invitation to speak to you today, and on behalf of the FBI, I look forward to working with you on this very important topic; thank you. [The prepared statement of Mr. Farnan follows:] [GRAPHIC] [TIFF OMITTED] T8016.064 [GRAPHIC] [TIFF OMITTED] T8016.065 [GRAPHIC] [TIFF OMITTED] T8016.066 [GRAPHIC] [TIFF OMITTED] T8016.067 [GRAPHIC] [TIFF OMITTED] T8016.068 [GRAPHIC] [TIFF OMITTED] T8016.069 [GRAPHIC] [TIFF OMITTED] T8016.070 [GRAPHIC] [TIFF OMITTED] T8016.071 [GRAPHIC] [TIFF OMITTED] T8016.072 [GRAPHIC] [TIFF OMITTED] T8016.073 [GRAPHIC] [TIFF OMITTED] T8016.074 [GRAPHIC] [TIFF OMITTED] T8016.075 [GRAPHIC] [TIFF OMITTED] T8016.076 [GRAPHIC] [TIFF OMITTED] T8016.077 [GRAPHIC] [TIFF OMITTED] T8016.078 [GRAPHIC] [TIFF OMITTED] T8016.079 Chairman Tom Davis. Thank you very much. I thank all of you for your input into this. Let me just ask a general question of the panel. The testimony, I think, makes it clear that users of file-sharing programs can expose their most personal files to millions of strangers, many times without the knowledge of the person using the files. Is there general agreement among the witnesses that file- sharing programs can be confusing to configure, and that most people are unaware that they might be sharing their tax returns, credit card data and other confidential files on these networks? Is there a consensus on that? Mr. Farnan. I think so, yes. Mr. Davidson. I would just say that your mileage may vary, in the sense that different programs do have different capabilities or different defaults. So I think on the one hand, people should not get the feeling that if they use one of these things, they are automatically sharing everything on their hard drive. But the flip side of it is, I think the usability studies have shown that a lot of them could do a lot better job. Mr. Broes. Also, software companies across the board have taken this secure by default initiative, where the applications, when they install it, it is secure. In the past, not even Microsoft had done that. So now, today, the standards that everyone is practicing, including Sharman Networks and Altnet, is by the standard, once it is installed, it is locked, and then guides the user and allows the user to unlock it if they see fit. So for the most part, there are many peer-to-peer applications out there, primarily on the new Tele-base, that are very difficult to understand. Chairman Tom Davis. Obviously, an educated user is the best defense. I do not think there is any question about that. The level of sophistication of people using this is very different. How widespread is this problem? I mean, we see the potentials; we see an isolated case. Does the FBI have any data on how widespread it is? Do you have any feel for that? Mr. Farnan. Let me ask Mr. Larkin if he can address that particular question. Chairman Tom Davis. I am going to have to swear him in. [Witness sworn.] Mr. Larkin. Well, the problem is growing, but it is how we define the problem, I guess, as Mr. Farnan had indicated. What we see with the peer-to-peer networks is not so much identity theft. It is more intellectual property rights and software piracy and that kind of thing. Although we have not linked it to identity theft, specifically, we do have instances where there are Trojans and ``bots'' that have been downloaded, at a pretty high rate and a growing rate, giving the unscrupulous creator of that Trojan or that BOT the opportunity to come in and access information on that computer. Generally, though, it has not been the practice of those subjects out there to go in and look for that data. They are just looking for that computer to use, for some other high speed attack where they need that type of bandwidth for. Chairman Tom Davis. You only need a couple cases, and lives can be completely destroyed. Mr. Farnan. That is true. Chairman Tom Davis. Are there any other thoughts on that? Ms. Frank. I think the only other thing I would say is, it is so important to realize that most identity theft victims do not know where it is coming from. So what happens is, if they are sharing and somebody gets this information, they will never know, and it is very hard for even the FBI to know. Chairman Tom Davis. Mr. Broes, what steps is KaZaA taking to proactively protect their privacy and security of its users? Mr. Broes. Well, I cannot speak on behalf of Sharman Networks. But I can tell you that as a partner, we have encouraged them to look at every possible study, such as Mr. Good's study, and they have definitely taken that to heart. I think many of the things that he has discussed and many of the issues that we are discussing here today will be addressed in the very, very near future, in the future releases. Chairman Tom Davis. In general, are the file-sharing companies doing a good job educating users about the privacy and security risks? Are they doing a better job; are they on to this? What is the consensus on this? Mr. Broes. Well, I have recently come on board with Altnet. I would say that from my perspective, Sharman Networks, who run KaZaA Media Desktop, have been the most proactive in that. In the past, coming from the security and technology background, I was the one that was actually hired by the Motion Pictured Association, when they AA to do the analysis of the fast track network, before the legal action was taking place. So I had a unique look at this. I can tell you from what I have seen, they are taking the most proactive approach. I have encouraged it with some of the other peer-to-peer companies, such as LimeWare and Bearshare, with absolute resistance. Chairman Tom Davis. Thank you very much. Mr. Waxman. Mr. Waxman. Thank you, Mr. Chairman. I think most people do not realize, they are opening up their own files when they go to these peer-to-peer systems. Mr. Good, in your demonstration, were you actually downloading someone's personal files in real time? Mr. Good. No, during the demonstration, that was recorded beforehand. But no, we did not download anything. We just looked and browsed around. Mr. Waxman. So you can look and browse around. Is the reason that people have their personal files open for others to come in and look around because of the configuration process when they go to the peer-to-peer networks? Mr. Good. If I understand the question correctly, the question was, would people be sharing stuff other than by making a mistake? Is that correct? Mr. Waxman. Well, if you were going to go to a peer-to-peer network, I do not think you are asked the question, are you willing to open up all your files; or are you asking the question? Do people then check, yes, or are you able to check, no? Mr. Good. Yes, you are not asked directly, do you want to open up all your files. You are asked, what do you want to share with the network. There are various ways that they do it. Depending on the version, in earlier versions, they offered to search your hard drive for you. In different versions, just by default, they would not share anything. Then if you decided to change the download folder, you had to understand what it meant to change the download folder. Those assumptions were not stated explicitly. So it really depends. In the latest version that we downloaded a couple of days ago, it does offer to search to share your files. But it does not ask you that question directly, do you want to share everything or not. Mr. Schiller. If I may jump in? Mr. Waxman. Yes, Mr. Schiller. Mr. Schiller. Just last week, I asked my staff to do a trial run of downloading KaZaA, because I wanted to see how it worked these days because, of course, it keeps changing. We used a blank computer that was newly installed, fresh, what have you, and downloaded KaZaA. When we installed it, it did ask us the question, do you wish to search your hard drive for files to share. It offered to share the directory where those files are stored. I said to the guys doing this, you know, that means it is going to search for media files like MP3s and what have you. But then it is going to offer to share the directory that they are in, which might contain other files. Is it only going to share the MP3s or is it going to share all the other files? Now we are experts, and we did not know. I think most people would not think twice about it. So if you had an MP3 in your ``My Documents'' folder, and you also had your tax returns in your ``My Documents'' folder, I would bet even money that the chances are, both wind up being shared. Mr. Good. That is actually a really good point. I mean, it does not state the assumptions that it is using while it is sharing. While it is searching for folders to share, it does not state what those were. As Jeff has mentioned, even experts were not able to really tell what it was looking for. Mr. Davidson. Right; I think there are two issues. One is sort of what are the defaults; what is easy to do? It turns out that in a lot of these systems, it is very easy to share more than you might expect to. The other is that in a lot of these systems, you do have to take an affirmative step to share a lot of files, and particularly to share a whole drive. For example, a system that we tried out in our office did not give you any warning when you decided to share your whole C drive, as it were. There is a lot more that could be done in the design of this software, to make sure that people have some awareness that might not be a good idea. Mr. Waxman. As I understand it, on the KaZaA Network, users get priority for downloads, the more files they share, which is obviously an incentive for them to share more files. That could lead teenagers to share all of the sensitive files on their parents' computers. What steps, if any, does KaZaA take to ensure that all users of a particular computer know which files are being shared? Does anybody have any idea of that? Mr. Schiller. If I understand the question correctly, you are asking what measures are taken to educate the user, as to what files they are sharing. I can tell you that it is not true that they do not get a priority. So I do know that. The priority is for uploads and not files that are downloaded. Mr. Waxman. What does that mean? Mr. Schiller. The priority is for an upload. So for upload speeds; that your files will have essentially a greater path. But I am not too certain on this. Mr. Waxman. Does that mean you get a better quality? Mr. Schiller. You get a better quality of download; a better quality of transfer, perhaps. I do not know the specifics. Mr. Waxman. Is it not an incentive then, to open up your files to get the better quality? Mr. Schiller. No, I do not think so. I think the initiative that Sharman and Altnet have always gone by, and this is why Altnet has licensed files, we have an application that is coming out in the next few weeks that will give people points that they can exchange for cash and prizes for sharing legitimate files. So we are trying to curb the user behavior. Essentially, we are trying to encourage them to not share illegitimate or illegal or illicit files, because they will not have any benefit for doing so. We disclose that right at the beginning. So essentially, you will see on the front page, it says, for downloading or uploading gold files, you get points for and you benefit for that. So that is really important. We were talking about user behavior or education of the end user, educating them that there is zero benefit to transferring or sharing illegal files; and there is all the benefit in the world for transferring legitimate files. So that is the message that we put forth. To address some of the issues that we heard here recently, I think that I can tell you that the future versions of KaZaA Media Desktop, it is not public information. I cannot give specifics about what changes have been made. But I can tell you that all the issues that we have just heard with regards to a user mistakenly sharing a folder or sharing an entire directory have been addressed. Mr. Waxman. My time is up, and we will have another round, I am sure. But I just want to ask you a yes or no question. A user maximizes the number of uploads by sharing the most files. Is that not a correct statement? Mr. Broes. In participation, yes. Mr. Waxman. And it does not distinguish which files? Mr. Broes. No, that is purely up to the user. The user makes the decision on what files he wants to share. Mr. Waxman. Well, I am going to question that in the next round. Mr. Broes. Sure. Mr. Good. Mr. Chairman, my-author would like to speak, also. Could we swear him in right now? [Witness sworn.] Chairman Tom Davis. Thank you, please state your name for the record. Mr. Krekelberg. I am Aaron Krekelberg. To address your question, there is nothing that prevents a teenager from sharing their father's files or their parents' files. If the parent were to use that computer, they would not know that that teenager had allowed the sharing of those files. Mr. Waxman. And is there an incentive to share more fields, in order to get better uploads? Mr. Krekelberg. There seems to be a new performance level that they are adding. There seems to be an incentive to share more files. Mr. Davidson. There is a simple answer, which is, in some of these systems, yes, that is absolutely true. Mr. Broes. Let me just also re-define something. It is not how many files you are sharing. It is how many files are uploaded. So the user is incentivized to not share thousands of files. They are incentivized to share files that people would like and legitimate files. So by putting 10,000 files in your shared folder, that is not going to help your status. Mr. Waxman. Well, some people who are interested in identity theft or delving into the privacy of others may want those files. I assume what you are saying is that most people who go to peer-to-peer file-sharing are more interested in music, and that is more popular. But we are opening up a whole new area for a greater popularity to get private information about people what that is available to someone who takes advantage of the opportunity. Mr. Broes. Well, from my previous experience in analyzing these networks and for precisely what we are discussing here, sharing private information, we saw a rapid decline over the years as people understood how a file-sharing network actually works. So at the beginning, when it was just a Gnutella-based, initially right after they shut down Napster, we saw this major flood of literally tens of millions of people going to Gnutella. Of course, they did not understand just how that decentralized network functioned. So we saw a tremendous amount of personal files being shared. But as we continued to monitor, and as we continued to educate, we saw less and less. So today, I actually find far less private files than initially. Mr. Waxman. Is that a statement that others would agree with? Mr. Good. Well, it is a difficult question to answer, Because the KaZaA Network is encrypted. So it is difficult to really tell to what extent the network you are searching in, at any given time; or how much access to the network a given client has. We ran our study initially in June of last year. Over a 12 hour period, we were able to find about 150 users who were sharing their inboxes, unique users. We ran a similar study in January, and we ran it for a longer period of time, over a week, and we were able to find about 1,000 users who were sharing their in-boxes. It is difficult for us to say whether this is an increase or a decrease, because of the encryption, and we're not allowed to reverse engineer it, so we cannot figure out what is going on. But it definitely seems like it is a problem today. Mr. Waxman. Thank you; I have further questions, but I know my colleague, Mr. Shays, wants to ask some. Mr. Shays. My daughter would advise me not to be here, so I would not expose my unbelievable ignorance. Secretary McNamara, many years ago, always thought there was a solution to every problem. He acknowledged about 10 years ago that he realizes there are some problems without solutions. As I am listening to this dialog, I am obviously hearing the issue of identity. I am hearing somewhat the issue of virus. I know this is not a hearing about copyright. So we are not going to deal with that issue. But I am interested to know, are there solutions to the issue of privacy, particularly; and if so, are they regulatory, legislative, what are they? Maybe you could just kind of go down the line here. Mr. Good. Certainly, well, our view is twofold. As I said in the opening statement, we think it is very important to educate people. We live in a world now where people can be connected to the Internet 24 hours a day. We are going to be living in a world shortly where the Internet is going to be on your cell phone, and location information and this sort of information is going to be available to people, also. So it is very important for people to understand what it means to be connected to the network, and what sort of information that they could be potentially sharing. The second and probably the more important thing, especially since I am a researcher in human/computer interaction, we like to think that we can design things so that we are not compromising security and convenience. We want security and convenience to live together, so that things are convenient, but they are also very secure. Mr. Shays. Do you think that is possible? Mr. Good. I think, to a certain extent, it is. I think having very smart defaults, having defaults that really protect the user; and we are starting to see that in the world, as Microsoft now is really trying to push out. So out of the box, things are safest. This has not always been the case. It has always been the case that when things come out the box, they are pretty much open to anything. This makes the world pretty insecure. But nowadays, we are really seeing a push for having very strong default settings that really make sure that things are secure for people. I think that there is more we can do in that area. It is a difficult problem. Because as we start getting into more complex ways to manage privacy, it becomes increasingly difficult. But I like to see those two approaches really taken seriously. Mr. Shays. Well, one is education and the other is design, correct? Mr. Good. That is correct. Mr. Shays. Is there anything else? Mr. Good. No, I think that is it. Mr. Shays. Anyone else? Mr. Schiller. I would say that it is great to say that we need to educate people. But, you know, I drive my car every day, and actually, I do know how internal combustion engines work. But in some sense, that should not be a requirement in order to drive a car. So I would say the emphasis has to be on the design of the technology. My experience is, we see a pendulum that swings. The technology comes out. People tradeoff security to get more convenience. We have hearings like this. People hear about identity theft. They become concerned about the technology. The technologists then react to that and put in better technology, better design, better controls. I am going to talk a little bit off the top of my head here. I said before that it asks which directories of files you wanted to share. You could easily, for example, say, if we are going to look for music, then let us only share files that end in .MP3, and let us not share files named ``In-box.'' But, you know, the funny thing is, if I am the guy designing this, and let us all know that there is a copyright issue here, that the designers of this are safer sharing everything than they are trying to just share a particular type of file. Because then it makes it easier to accuse them of, oh, gee, this is really only about sharing music. One of the defenses people like to use is, oh, know, you can share anything. So that, I think, drives the tradeoff in the wrong direction. But certainly, I do believe it is possible to design this stuff in a way that is, in fact, reasonably secure. Mr. Shays. You know, it is funny, as you all are testifying, there is always someone in the audience that is shaking their head or nodding their head. I feel like I am in a Baptist church without any sound. [Laughter.] Dr. Hale. Mr. Hale. Yes, I think I would agree that education is a huge component. I would also concur that our design issues, I would say, is what is designed out of the software, as opposed to what is added to it, that could really help matters. The security circumvention tactics that are used by the software really make it difficult for a corporation or an academic institution like the University of Tulsa, for instance, to protect its user population from these abuses, if they are even real or imagined. So that is what I would consider to be addition by subtraction. Mr. Shays. Given the number of participants in this hearing, Mr. Chairman, do you mind if I just complete this question with the rest of the witnesses? Chairman Tom Davis. That is fine. Mr. Shays. Thank you. Mr. Davidson. The Federal Trade Commission actually just had a workshop yesterday on this very question. It is great question about the broader issue of privacy here. I think there are three things besides education that we would talk about. One is technology or design. The fact is that there are a lot of tools out that can help consumers. We have talked about some of them: encryption, firewalls, which is something that we did not talk about today. With personal firewalls, you can give consumers more control about how their computer is communicating with. This broader design question is building programs and systems in a way that are more privacy friendly. A second is best practices on the part of industry. I think there is strong message that needs to be sent and continues to be sent that companies need to act responsibly when they collect information, and many of them do. But there are real issues about best practices for how people use information that they collect. That is a very powerful possible tool; industry standards, best practices. The third, and I think it is important, is there is a growing realization that there may be a need for baseline, narrowly tailored legislation about Internet privacy, to deal with bad actors in this setting. There are some basic components of fair information practices like notice about what information is being collected, meaningful choices for consumers about whether their information is being collected, access to the information that has been collected. I think there is a growing awareness that we may need something like that, more broadly. I have not emphasized that. We are a supporter of that. I did not emphasize that in my testimony because I think the main issue here of people mistakenly sharing files is not something that you are likely to solve by legislation. But, for example, the spyware issue that has come up is something, if not remedied through best practices, that might need to be something that is part of a legislative action. Mr. Waxman. Would the gentleman yield? Mr. Shays. Absolutely. Mr. Waxman. It seems to me what you are saying is that technologically, they can develop a design so that private information is reasonably secure. But is there not a financial incentive for them to try to subvert it, because of spyware and adware, or systems that will allow people to come in and get information, so that they can sell it to others; or get advertisers to know what you might be interested in, so they can direct advertisements directly to you? Are those two financial incentives, so that you try to subvert it, either through port hopping or tunneling or whatever other way they can design it? Mr. Davidson. Well, I would just answer by saying I think that is absolutely true. We are concerned that obviously the reason that people are doing some of these things is because there are financial incentives. Our belief is actually in the long run, a lot of people will realize that the best financial incentive is having customers who trust your stuff. People, if they know about what is going on, will not buy or use products that violate their privacy, if they have options. So there is a hope that the market will develop and that people will, when they learn about these things, not use the file-sharing product that invades their privacy and has a lot of spyware. But hopefully, the more responsible actors will come on the scene. Now maybe the answer is that if that does not work, then maybe we do need some kind of baseline legislation. Mr. Waxman. If the gentleman would permit, what you have is a lot of kids who want music for nothing. Mr. Davidson. Right. Mr. Waxman. So they want music for nothing, even though we should give some idea to people that when you take something that is not yours and you are not paying for it, it is a form of stealing. So you have got kids who want something for nothing. They are not going to be informed users and worried about privacy. So they are just setting the family up for those who want to take advantage of the situation, to design ways to subvert any attempt to protect their privacy. Maybe some of the technical people can tell us about this. But is that not what we are facing, Mr. Schiller? Mr. Schiller. Well, there are actually two different issues here. There is the accidental subversion of privacy by accidently sharing files you do not wish. That really has nothing to do with the adware and spyware. I would expect to see those issues being addressed, because they do not help anyone except criminals. But the adware and spyware issue is certainly an issue where there is an incentive to gather that information. Of course, the companies who gather it want only to give it to themselves and not to the whole world. I think the issue of multiple people using the same computer is really an issue of the design of the computer system. The Windows platform was never really designed to be a time shared, multi-user system. Windows 2000 and XP start to add that stuff, but I do not think they have added in the way that most people know how to use. But frankly, I have a 20 month old son. When he gets older, he is going to have his own computer. Because I know not to have him get onto mine. So I think it is a separate issue about the fact that these programs reveal stuff. The fact that it reveals stuff for other users of the computer is just a happenstance. Chairman Tom Davis. Thank you, the gentleman's time has expired; the gentleman from Tennessee? Mr. Duncan. Mr. Chairman, thank you very much, and thank you for calling this hearing. I think these are very important subjects that the panel members are discussing, and I appreciate your doing this. I usually avoid discussing personal or family type things at hearings. But I heard Ms. Frank briefly mention identity theft. My wife and I have four children. But the older of my two sons, who is a senior at the University of Tennessee, just yesterday received a notice that they want him to come to Juvenile Court to testify in a case involving apparently a 17- year-old young man who was using my son's identity and that of others to apply for credit cards and I do not know what else. I do not know all the details, yet. But he found out just yesterday that he was a victim of identity theft. So I guess I find that kind of interesting. What should a person do who has found out that he or she is a victim of identity theft; and how wide-spread is this problem? I have had to be in and out with some constituents. Ms. Frank. Right; my written testimony is about 20 pages, and I talk about that quite a bit. But basically, the first thing you do, if you find out that you are a victim of financial identity theft, with somebody applying for credit cards and credit lines in your name, the first thing you are going to need to do is to put a fraud alert on all of your credit profiles with the three major credit reporting agencies; get those credit reports; and find out what fraud is on there. There is just a whole list of things to do. Once you find all that and go to law enforcement and make a police report, then you go through the whole process of trying to clean it up and stop it. So that gets into a whole lot of things. But I have this little kit that I am going to give to the committee, and I will be happy to speak with you afterwards, if you would like. Mr. Duncan. Well, is this problem growing quite a bit? Ms. Frank. Yes, it is growing tremendously. After the Gramm-Leach-Briley Act passed, it has actually gotten a lot worse, when that was our financial privacy act. What we are finding, and let me give you some statistics, at least. I have the statistics in my written testimony. But the Federal Trade Commission shows that it has grown tremendously in terms of the complaints that they have gotten. But a lot of people who are victims of identity theft have no idea to go to the Federal Trade Commission. So since they go the credit reporting agencies, those are better statistics. Transunion, one of the three major credit reporting agencies reported in the year 2000 that they got 85,000 calls a month to their hotline. In the year 2001, they got 3,500 calls a day to their fraud hotline, and they did not give us their most recent figures. The GAO report that came out last year also talked about the tremendous increase in identity theft, because our personal information is everywhere, and that is the key to identity theft, to use the Social Security number. Right now, there are several bills pending in Congress, including Diane Feinstein's Identity Theft Prevention Act of 2003, with some things. But there is a real need, which I had brought up in my testimony, for us to have some accountability as to how the financial industry is issuing credit without verification and authentication of persons. So that is what is happening. Mr. Duncan. Well, I will look over that. My time is so short, let me go in another direction. You know, I chaired the Aviation Subcommittee for 6 years. I heard our colleague, John Linder, say at an aviation conference in January that the Federal Government always seems to overreact to any problem. We seem to have pretty much done that in regard to aviation. They say TSA now stands for thousands standing around and so forth. [Laughter.] So I think we have done a more than adequate job, let us say, in regard to aviation. But I think that one of our most vulnerable areas must be financial cyber-terrorism. Do any of you have concerns about that? Do you think that is a potential problem? I read that it possibly is. There are so many people on this panel, I do not know who is the most appropriate person to comment on this. Mr. Farnan. Well, sir, I would like to make a comment about that. From the FBI's perspective, the answer is a resounding yes. We are very concerned about cyber-terrorism and how terrorists and others can exploit technology, which is designed to be very beneficial and can really advance all of our causes in many ways. However, that can also be abused and it can be used against us. So we have an entire unit at the FBI that focuses on that particular issue, to try and stay current with technology, to make sure that we know what is going on out there with the goal of preventing any kind of cyber-terrorist activity. Mr. Duncan. I have read here on the front page of the Washington Post that a 12 year old computer hacker opened the floodgates at the Hoover Dam. What some people are concerned about are our financial markets; yes? Mr. Broes. That is a very big concern, and it should be a major concern of any company that distributes software that has the potential of being hijacked, so to speak; you know, 100,000 computers, hijacked to attack something specifically. For instance, recently, Microsoft has talked about some vulnerabilities that were in Passport and instant messenger programs. If you can acquire those computers, certainly you can cause a tremendous amount of damage. That is why companies have to take a genuine responsible approach to this and understand that they have a huge responsibility in adhering to even voluntary standards and practices. So I think absolutely that companies need to do that. I do not know whether that is legislation. I would say that companies should voluntarily adopt standards and practices, just for the sake of their security. Mr. Duncan. Let me just say that I think that is a possible area of great concern for many of us. Do I have time to ask one more. Mr. Shays [assuming Chair]. Let us do this, we will let Mr. Waxman go, and then we will come back to you. Mr. Duncan. That is fine. Mr. Shays. Mr. Waxman, you have the floor. Mr. Waxman. Thank you very much, Mr. Chairman. If there were going to be voluntary standards and industry- wide standards, how would that get done? Does anybody have any ideas? You have different people competing with each other. Mr. Broes. Well, I think that companies have recently started to adopt those voluntary standards. You know, Microsoft has taken an unprecedented approach by saying, you know, it is secure by default, secure by design, secure by deployment. They stopped programming for a period of time to go back and look at these issues. So I think that any time you have the leaders in industries taking those initiatives, you are going to find that people will follow, because that is the path of success. Mr. Waxman. That is Microsoft. How about KaZaA; do they have responsibility? Mr. Broes. Absolutely; I believe that anyone that has the ability or the potential to have their computers hijacked, for any reason whatsoever, via their software, they have a tremendous responsibility to adopt standards and practices of their own. I believe that if there was legislation that was enacted today, they would have already complied with much of that, if not all. Mr. Waxman. Along those lines, according to media reports, Altnet had planned to launch a program with KaZaA to take advantage of unused computing power of computers connected to the network. Initial reports indicated this might be done without the knowledge of users. You have now testified that such a program is still in the works, but will be defined by the highest principles of disclosure and consent. What are those principles? Will users have the same access to peer-to-peer networks, if they do not consent to turning over their unused computing power? Unused computing power means their computing power becomes a zombie for someone else, instead having to furnish it themselves. Mr. Broes. Users will always have the consent. It will never be a default, where it uses any resource. Altnet has been very, very careful in its design. In fact, it can be uninstalled. With the future release of Altnet, you can uninstall the application that would share those resources. We give very, very deliberate instructions on how you can do that. At the very beginning, when the application is installed, it says, would you like to share hard drive space in exchange for points, and those points can be redeemed for cash and prizes. That hard drive space and how the design has been built is extremely encrypted. We have gone through all of the security measures and have adhered to the security standards that Microsoft and every other major software company has adjured to, to develop such an application. Mr. Waxman. Could users be penalized for not consenting? Mr. Broes. Not at all. Mr. Waxman. What do others on this panel think about this business of how informed the consumer consent is going to be; how much lack of information there is before these consents are given for file-sharing; Mr. Hale? Mr. Hale. If I may say, I think consent is there; informed consent, I do not know about. I recently read, not KaZaA's, but a competing client's peer-to-peer privacy policy, which I was happily surprised to find that they had. But quite honestly, it would have been easier to try to decipher my own telephone bill. Maybe that is a topic for another hearing. But I think in a lot of the click through agreements which, by the way, is not just a peer-to-peer problem, and it is a problem with the software industry; a lot of the click through agreements are fairly easy to click through without having to read what you are agreeing to. So to sum up, I would say the consent is there. Whether the users are aware of what they are consenting to is an entirely different matter. This has to do with transparency, in my opinion, and clarity. Mr. Davidson. I think you are really on to something, because we often talk about meaningful choice and meaningful notice. There is, in fact, if you look at a lot of these end user license agreements, it says in there that this software is being installed and it will do these things, but how many people actually take a look at them? I could bring you examples of these long agreements, these long privacy agreements. The average consumer is not getting a chance to look at it. So I think we are hopeful, on some level, that people will start to figure this out. I do not want to sugar coat it, though. We think that is a baseline that needs to be met, and it is going to be tough. Mr. Waxman. Mr. Davidson, let me interrupt you, because I see my yellow light is on. I wanted to ask you one more question, and I am afraid I will not get a chance to do it. Why should people who are going on file-sharing programs and downloading copyrighted music or movies not have the fact that they are doing that provided to the copyright holders? If they are consenting to let their files be searched, because they want something for nothing, why should the copyright holders not have the access to the information that they are doing it? Mr. Davidson. Right; are you thinking particularly about the subpoena issue that I mentioned in my testimony? Mr. Waxman. Yes. Mr. Davidson. I think that is a very good question. I do not think that the issue is that people who are, for example, breaking the law should not ultimately be identified and revealed. The question is, how do we do that? We have to make this balance about legitimate people getting access to personal information all the time, in law enforcement contacts and other kinds of privacy contacts. I think the issue here is that we have a situation where it is not just legitimate uses. In this particular provision of law, it is any copyright holder, and I hazard to guess that most of the people in this room are copyright holders, they can go to a court clerk, make an allegation, and reveal somebody's identity. Using one of these networks or using the Internet does not necessarily reveal your identity. For some people, some of the activities they do online, they do without revealing their identity, and that is extremely important. So our feeling is that if identity is going to be revealed, it should be done with some measure of due process, and particularly, people should know that their identity has been revealed. That is, I think, the flaw here. It is not to say that we cannot find a way to work this out, so legitimate enforcement of the law can happen. It is about the fact that there are actually in this particular provision, very few protections, and that has been our concern. Ms. Frank. Let me just add to that, because in California, we have a bill pending right now in our California legislature. If there is going to be a subpoena to find out who somebody is online, that there has to be notice, and that the ISP has to give notice to the user ahead of time, so that they can get a protective order or take some measure with this notice to protect themselves. We worry about things like stalking; that someone will say, oh, I am a copyright holder, and I need to know who this person is in that chat room, and it is really a stalker and ex- husband. I literally note these kinds of things that happen. So this is at least to give that person a chance, a 15 day notice, or a 30 day notice, or whatever it is, so that they get a chance to go in and say, look, I do not want to reveal my identity. This person really is my ex-spouse, who is trying to kill me. So that was the idea of due process, if I understand what Alan is talking about. Mr. Davidson. I cannot say it better than that. Mr. Shays. Mr. Duncan. Mr. Duncan. Let me go in a little different direction. I think when we come into a job like those of us who are Members have, I think we basically sort of tacitly agree to give up our privacy. That really does not concern me, but it does seem a shame to me that there is almost no privacy for private citizens now, it seems to me. Yet, we seem to have a large segment of the population now, especially young people, who have become almost addicted to the computers, and have almost a worship of the computers. So if anybody asks any questions that are somewhat critical, they almost get offended, and I hope that none of you will get offended. But it seems to me that, as I say, we have just about done away with privacy. In some ways, maybe it has resulted in good things. What I have in mind, I am thinking about the Dean of the Harvard Divinity School got caught for, I think it was, child pornography or something, and we see that all the time. I do not see how anybody can feel that there is anything secret anymore or anything private that they put into a computer. I heard on the CBS national news, 2 or 3 years ago on the radio 1 day as I was driving along, that computer hackers had gotten into the top secret files at the Pentagon, I think it was 250,000 times in the year before. I mean, it is just mind boggling. It seems that if somebody comes up with a system or a program to develop some privacy for things that people put into their computers, that somebody very shortly comes up with something that breaks that program, or gets into it, or wipes out the privacy. What do you all say about that? Do you have any concerns? Ms. Frank. Well, I would just like to say that it is not just computers. It is not just our computers. I wanted to respond to the questions before about consumer education. We do this all the time with identity theft. But the truth is, they are so much beyond our control. For example, yes, we can be educated and say to people, OK, be careful when you are online or when you are in the chat rooms, or when you are sharing information, or when you are doing e-mail. But the truth is that you can tell people that, but there is so much to know. I really work at this, but I have a whole other field. I am sure all of you have so many bills that you have to read. I do not know how much of a computer expert you all are. But I sit on the high tech crime unit of Orange County Sheriff Reserves, and I am the only ``non-techy'' on there. I have enough information to know that I should be worried. But it is too much of a burden on consumers to ask them to know all this stuff. So if KaZaA is going to have information and they are going to have software programs that you are going to use, they should definitely give you big pop-ups in very simple language saying, if you push this button, your whole ``C'' drive is going to be open. That means that everybody can get into your Quicken or your Quickbooks or your IRS or your resume or whatever it is, and it has to be simple. Mr. Duncan. Well, it is like you said awhile ago, people can now find out almost everything about anybody that they want to find out about: bank records, house records, and everything else. Ms. Frank. Right. Mr. Duncan. It amazes me that just from what I read in the newspapers that anybody thinks that anything they do on a computer today is really private; any Web site they visit, any e-mail they send; yes? Mr. Broes. Security today has changed. We can no longer put a lock on something and assume that it is going to hold. I think the military has learned this, that it is an evolving process, and it is dynamic. So we are continuing this. It is just like virus applications. They are continually chasing viruses. They are continually updating their data base, and they are continually educating their users as to what is out there and what the threats are, and trying to make them feel more secure about it. I think that is the process that we are going to see take place in most applications. Certainly, as I said, there are leaders that have taken initiatives from Microsoft, all the way to Altnet and Sherman Networks. They have taken those initiatives to say, we understand there is this issue and we are dealing with that problem. I do not foresee that changing anytime soon. This is a dynamic situation. The Internet, by nature, is dynamic, and we have to be dynamic in our approach to security and privacy. Mr. Davidson. I would just add that I think that this is the tip of the iceburg, unfortunately. There are even more interesting and sort of more invasive new technologies. We talked about location information; people building ID tags into products that people can scan and find out what you have, what you are wearing, what you are carrying in your handbag. We are talking about networks of imbedded computers, intelligent buildings, and intelligent rooms, that are going to collect all sorts of information about people. It is going to be increasingly harder for people to avoid all of these things. So the simple answer of hey, if you put it on the computer, you should know someone else is going to get it, is going to become, for a lot of people, not a realistic alternative. If you use your cell phone, location information may be captured. If you go through a toll booth, and your electronic tag records that you have been there. But even more importantly, I would say the computer is not something we can avoid in life, so we need to figure out how to address these things. Mr. Duncan. Are you saying that Big Brother is already here and there is nothing we can do about it? Mr. Davidson. I think, there is nothing we can do about it is not right. I think that we need to do something about it, and we are trying to find ways to do something about it, but we need to keep working on it because we are not there yet. Mr. Duncan. I see some of the panel members laughing. Mr. Schiller. It is not Big Brother. There are lots of Little Brothers. Mr. Duncan. Lots of Little Brothers? Ms. Frank. Well, if you want my suggestion as to what I would like to have Congress do, I would like to have them set up a privacy commission. We are the only civilized country in the world that does not have a privacy commission. If you look at Canada right above us, if you look at all the European nations, we do not have a privacy commission. We have had little privacy czars, but we do not have a privacy commission to look at all these issues. Privacy in the millennium is not about the right to be left alone. It is the right to control your personal information. I think it is pretty frightening, when we are going on our computer and we do not know about spy-ware. We do not even know where it is. It is hidden somewhere, and we cannot even find it. That is terrifying. So the result of that is identity theft. All this information that is being taken about us can be used in very insidious ways. So we do need to have the fair information practices that Alan was talking about: the notice, the choice, the security, all those things. The only way to do it is to really have a real privacy commission that is looking over this whole issue. Because it is the scariest issue, I think, of what we are in, in our society right now. Mr. Duncan. Well, I would agree with the commission, but I am a little skeptical. I think we are almost too far gone, really, now. Ms. Frank. It is out there, but access is the difference; in other words, what access and what way to control. For example, you mentioned your family. Mr. Duncan. It was my son. Ms. Frank. So the scary thing for him is, he does not know what else has happened. He does not know if he has a criminal record. So for him to be able to get access to those records and correct them, if you say, well, my information is out there and it is too late; well, what happens when you cannot get on an airplane because the red light comes on and it has nothing to do with you. Your name is mixed up with somebody else's; or your son, who is mixed up with some other person who has been stealing his identity and committing crimes in California and Virginia. Mr. Duncan. Well, the one interesting thing that I did not mention, the young man that they have accused of doing this has a foreign sounding name, that I cannot even really pronounce. Ms. Frank. Remember, over half of the terrorists committed identity theft. Mr. Duncan. All right, thank you very much; thank you, Mr. Chairman. Mr. Shays. Ms. Frank. Ms. Frank. Yes. Mr. Shays. You basically were kind of dealing with the solution, the education versus the design. It is kind of like your big warning system that flairs up there. Ms. Frank. The fact that the education is right when you are using the product, I think, would be helpful. Mr. Shays. Before my time had run out, I think I was with you, Mr. Broes. I do not need to spend a lot of time on this. I just want to know, just simply, the education design, that Mr. Davidson had added some other points, is there anything that you would add to the solutions to the privacy issue, the virus issue? Mr. Broes. Sure, well, I think it is in our best interests, and any company's best interest, to design their software to be as private and as secure as possible. So I think that, as I said, there is a tremendous amount of responsibility, I believe, with any company that has applications that are distributed to millions of people around the world. So secure, private, by design, I think is definitely the way to go, and these are voluntary standards. These are standards that every major corporation today that wants to compete is going to have to take, because people just do not want applications on their computers that are not secure and do not provide privacy. So I think it is going to be natural selection; that companies who are willing to play in the spy war game and not notify people, I think that they are ultimately going to be uninstalled and deleted, and people are going to remove them. So voluntary standards and practices, I think, are critical. As I said earlier, if it were legislated today, I think that we would have already taken those initiatives. Mr. Shays. I was struck by the fact that Big Brother is dead and Little Brothers are in. It is almost like we need a Big Brother, though, to deal with Little Brothers; Mr. Farnan. Mr. Farnan. There are definitely privacy issues involved in what we were talking about today. I think that one of the reminders that we have to give ourselves is that even though we are in an electronic age, a lot of the fundamental rules of life still apply. Things like ``buyer beware'' still apply. Just because people are involved in dealing in cyberspace and conducting transactions in a computerized environment does not automatically mean that there are no privacy issues, or that it is somehow inherently safer; because as we are seeing today, it is not. Second, to follow the analogy of the automobile that was raised a little bit earlier, what is scarey is that sometimes we can have fairly young people, and if they are interested in learning how to drive a car and we put them in a Ferrari, that might be a scarey thing, as opposed to a four cylinder car in a safer environment. So to reiterate, the theme of education and consumer informness is crucial to this whole area, as are parental controls. Because as we have also heard, children who have access to their parents' computers may be pushing buttons that result in a lot of information leaving that household that was never intended to leave that household. Mr. Shays. I just have one other quick question. I do not need all of you to respond, just one or two. Are we teaching this in school? Are we educating our kids about this? Mr. Hale. I can speak to this, somewhat. I would say that nationwide, we are beginning to. We are only beginning to. But it is amazing the views that even some of my own students have about piracy and their privacy, and what they are willing to give up to get the latest recording. We work at the University of Tulsa with a number of schools: high schools, elementary schools, middle schools. I just was at a high school last week, where I spent almost the entire time talking about peer-to-peer technology and privacy issues, and media piracy, as well. So we are beginning to, but I think that not enough of us are doing it, just yet. I think that is the key. Because once you get critical mass, then you can start to see results. I would like to agree with what Mr. Broes said about the natural selection piece of this. I think once consumers and our children are educated, then they will begin to value privacy more. Then the economics pendulum will begin to swing in the favor of the companies that are performing due diligence in the privacy area of their software. But until that happens, the natural selection is going to favor those companies. Mr. Shays. I have just a slight observation. I am struck by this hearing as to one, I would not want to be a professor teaching young people about technology, considering they probably know more than you do, and you always fear that they might. But the other observation I make is, I am struck by the fact that young people gain these incredible skills to do bad things without necessarily knowing the ethnics behind what they are doing, which is kind of an interesting dilemma. Mr. Chairman, thank you so much for the hearing, and I thank our witnesses. Chairman Tom Davis. Let me thank all the witnesses, as well, for appearing today, and I thank the staff for working on this from both sides. We heard some very useful information today, that should concern any person who uses file-sharing programs or has them installed in their computers. Obviously, I think peer-to-peer users have to be aware of the files they are making available for sharing. We are going to follow this up with another hearing in the near future, looking at file-sharing in Government agencies. Again, I thank the witnesses. This is very, very important, as we proceed to understand this better and move forward to whatever we might do. Thank you very much; the hearing is adjourned. [Whereupon, at 11:55 a.m., the committee was adjourned, to reconvene at the call of the Chair.] [Additional information submitted for the hearing record follows:] [GRAPHIC] [TIFF OMITTED] T8016.080 [GRAPHIC] [TIFF OMITTED] T8016.081 [GRAPHIC] [TIFF OMITTED] T8016.082 [GRAPHIC] [TIFF OMITTED] T8016.083 [GRAPHIC] [TIFF OMITTED] T8016.084 [GRAPHIC] [TIFF OMITTED] T8016.085 [GRAPHIC] [TIFF OMITTED] T8016.086 [GRAPHIC] [TIFF OMITTED] T8016.087 [GRAPHIC] [TIFF OMITTED] T8016.088 [GRAPHIC] [TIFF OMITTED] T8016.089 [GRAPHIC] [TIFF OMITTED] T8016.090 [GRAPHIC] [TIFF OMITTED] T8016.091 [GRAPHIC] [TIFF OMITTED] T8016.092 [GRAPHIC] [TIFF OMITTED] T8016.093