[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





    OVEREXPOSED: THE THREATS TO PRIVACY AND SECURITY ON FILESHARING 
                                NETWORKS

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 15, 2003

                               __________

                           Serial No. 108-26

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

88-016              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001


                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
JOHN SULLIVAN, Oklahoma              C.A. ``DUTCH'' RUPPERSBERGER, 
NATHAN DEAL, Georgia                     Maryland
CANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of 
TIM MURPHY, Pennsylvania                 Columbia
MICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee
JOHN R. CARTER, Texas                CHRIS BELL, Texas
WILLIAM J. JANKLOW, South Dakota                 ------
MARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont 
                                         (Independent)

                       Peter Sirh, Staff Director
                 Melissa Wojciak, Deputy Staff Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
              Philip M. Schiliro, Minority Staff Director


                            C O N T E N T S

                              ----------                              
Hearing held on May 15, 2003
Statement of:
    Broes, Derek S., executive vice president of Worldwide 
      Operations, Brilliant Digital Entertainment
    Davidson, Alan B., associate director, Center for Democracy 
      and Technology
    Farnan, James E., Deputy Assistant Director, Cyber Division, 
      Federal Bureau of Investigation, accompanied by Dan Larkin, 
      Supervisory Special Agent, Federal Bureau of Investigation
    Frank, Mari J., esquire, Mari J. Frank, Esquire & Associates
    Good, Nathaniel S., University of California, Berkeley, 
      School of Information Management Systems
    Hale, Dr. John, assistant professor of computer science and 
      director, Center for Information Security, the University 
      of Tulsa
    Schiller, Jeffrey I., network manager/security architect, 
      Massachusetts Institute of Technology
Letters, statements, etc., submitted for the record by:
    Broes, Derek S., executive vice president of Worldwide 
      Operations, Brilliant Digital Entertainment, prepared 
      statement of
    Davidson, Alan B., associate director, Center for Democracy 
      and Technology, prepared statement of
    Davis, Chairman Tom, a Representative in Congress from the 
      State of Virginia, prepared statement of
    Farnan, James E., Deputy Assistant Director, Cyber Division, 
      Federal Bureau of Investigation, prepared statement of
    Frank, Mari J., esquire, Mari J. Frank, Esquire & Associates, 
      prepared statement of
    Good, Nathaniel S., University of California, Berkeley, 
      School of Information Management Systems, prepared 
      statement of
    Hale, Dr. John, assistant professor of computer science and 
      director, Center for Information Security, the University 
      of Tulsa, prepared statement of
    Schiller, Jeffrey I., network manager/security architect, 
      Massachusetts Institute of Technology, prepared statement 
      of
    Waxman, Hon. Henry A., a Representative in Congress from the 
      State of California, prepared statement of

 
    OVEREXPOSED: THE THREATS TO PRIVACY AND SECURITY ON FILESHARING 
                                NETWORKS

                              ----------                              


                         THURSDAY, MAY 15, 2003

                          House of Representatives,
                            Committee on Government Reform,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10:09 a.m., in 
room 2154, Rayburn House Office Building, Hon. Tom Davis of 
Virginia (chairman of the committee) presiding.
    Present: Representatives Tom Davis of Virginia, Shays, 
Putnam, Duncan, Murphy, Waxman, Maloney, Cummings, Tierney, 
Clay, Sanchez, and Ruppersberger.
    Staff present: Peter Sirh, staff director; Melissa Wojciak, 
deputy staff director; Keith Ausbrook, chief counsel; Anne 
Marie Turner and Randall Kaplan, counsels; David Marin, 
director of communications; Scott Kopple, deputy director of 
communications; Ken Feng, investigator/GAO detailee; Teresa 
Austin, chief clerk; Joshua E. Gillespie, deputy clerk; Corinne 
Zaccagnini, chief information officer; Brien Beattie, staff 
assistant; Phil Barnett, minority chief counsel; Karen 
Lightfoot, minority communications director/senior policy 
advisor; Josh Sharfstein and Nancy Scola, minority professional 
staff members; Earley Green, minority chief clerk; and Jean 
Gosa, minority assistant clerk.
    Chairman Tom Davis. Good morning. A quorum being present, 
the Committee on Government Reform will come to order.
    Let me say a special thank you to our visiting students 
from Woodson High School, out in the 11th Congressional 
District of Virginia. We are happy to have you with us, and I 
hope you will find some of this hearing interesting.
    We are here today to continue our examination into peer-to-
peer file-sharing programs. This is the committee's second 
hearing on this topic.
    At our first hearing held in March, we examined the growing 
problem of the availability of pornography, including child 
pornography, on these networks. The committee found that 
pornography is, in fact, being traded on peer-to-peer networks, 
and children are at great risk of inadvertent exposure to 
pornography while using these programs.
    File-sharing programs or Internet applications allow users 
to download and directly share electronic files from other 
users on the same network. Users of these programs can share 
files that contain documents, as well as music or videos. These 
programs are surging in popularity.
    KaZaA, the most popular file-sharing program, has been 
downloaded almost 225 million times, making it the most popular 
software downloaded on the Internet.
    File-sharing technology can be beneficial. However, as we 
learned from our first hearing on this topic, use of this 
technology also presents certain risks. Today, the committee 
will examine the risks to personal privacy and computer 
security posed by the use of peer-to-peer file-sharing 
programs.
    Specifically, we are going to look at three issues: first, 
the reason why highly personal information is available over 
these networks; second, the potential effects of software known 
as ``spyware'' or ``adware'' that is being bundled or included 
with file-sharing programs; and third, the growing risk of 
downloading computer viruses from files shared on these 
programs.
    The committee will release a staff report today that 
highlights these issues. Through a simple search on one file-
sharing program, committee staff easily obtained tax returns, 
medical records, attorney-client communications, resumes, and 
personal correspondence.
    Users of these programs may accidentally share this 
information because of incorrect program configuration. They 
also could be intentionally sharing these files because 
increased file-sharing earns the user higher priority status on 
popular downloads.
    Either way, users of these programs need to be aware that 
sharing personal information can open the door to identity 
theft, consumer fraud, or other unwanted uses of their personal 
data. Parents, businesses, and government agencies also need to 
be aware of these risks if their home or office computers 
contain file-sharing programs.
    Another concern raised by the use of peer-to-peer file-
sharing is the bundling of these programs with software known 
as ``spyware'' or ``adware.'' These programs monitor Internet 
usage primarily for marketing purposes, without the users' 
knowledge. They also give rise to pop-up advertisements and 
spam e-mail.
    Finally, computer viruses can easily spread through file-
sharing programs, since files are shared anonymously. In fact, 
just this week, a new computer virus called ``Fizzer'' spread 
rapidly across the Internet, affecting computers worldwide 
through e-mails and the file-sharing program, KaZaA.
    We have assembled an excellent panel of witnesses who will 
discuss these important issues. I would like to thank each of 
our witnesses for appearing today. I would now like to yield to 
Mr. Waxman for his opening statement.
    [The prepared statement of Chairman Tom Davis follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.001-T8016.002
    
    Mr. Waxman. Thank you very much, Mr. Chairman. I am pleased 
to join with you in this hearing. I want to commend our staff 
for developing this report that we issued today, ``File-Sharing 
Programs and Peer-to-Peer Networks, Privacy and Security 
Risks.''
    This is the second of a series of hearings that this 
committee has been holding to highlight and educate the public 
about not just the great opportunities with these new file-
sharing efforts on the computers, but the risks involved, as 
well.
    At our last hearing, we talked about the fact that if young 
people, who are, for the most part, the ones who are using 
these peer-to-peer file-sharing programs, try to get music from 
the programs, more often than not, they are having very vile 
pornography pushed upon them.
    Most parents were not aware of that fact; and most people, 
I think, are not aware of the facts that we are going to 
examine at our hearing today.
    We live in a world that is increasingly more connected. New 
computer innovations can open us up to new experiences and 
offer more choices than ever before. As we experiment with new 
technologies, however, we must recognize their risks. In the 
real world, we know how to guard our privacy and security 
carefully. It is just as important to do so in the on-line 
world.
    So in this hearing, we are going to look at these very 
incredibly popular programs. In fact, the most popular of these 
file-sharing programs, KaZaA, has been downloaded more than 220 
million times. That is really incredible, 22 million times in 
the last 2 months alone.
    Despite their soaring popularity, few people understand the 
risks that these new file-sharing programs can pose. In large 
part, this is due to what I call the on-line generation gap. 
The users of file-sharing programs are predominantly teenagers. 
The parents, however, and grandparents are too often left 
struggling just to keep up.
    In our report that we are releasing today, I think we have 
an opportunity to inform the parents and grandparents that when 
their kids use these file-sharing programs, they may find that 
inadvertently they are sharing incredibly personal files 
through these peer-to-peer networks.
    Our investigators found that they could find completed tax 
returns, medical records, and even entire e-mail in-boxes 
through simple searches using file-sharing programs. No one 
would want to share this kind of personal information, but in 
many cases, that is exactly what is happening.
    Due to the way some users configure their computers, their 
personal files can be accessed by millions of strangers through 
peer-to-peer networks. This invasion of privacy is not the only 
risk families face. Our report finds that when users download 
free file-sharing programs, they are also exposing their 
computers to hidden software called ``spyware'' or ``adware.''
    These programs track what you do online, the Web sites you 
look at, how long you stay on those Web sites, even your e-mail 
address. This zombie-like ware, which takes over the spare 
computing power of personal computers can be bundled with file-
sharing programs.
    So not only can they get access to what is in your personal 
files, they can make your computer server a zombie for their 
own purposes. Besides tracking your computer habits, these 
programs can also cause software conflicts and computer 
crashes. In fact, in committee testing, these programs ruined a 
committee computer twice. Even the House's most experienced 
computer technicians could not restore the computers.
    The chairman mentioned that we are putting computers at 
risk for viruses and other damaging computer files, and we will 
have more testimony about that in our hearing.
    While technical innovation on the Internet is tremendously 
important, our purpose in holding these hearings and releasing 
these investigative reports is not to say that peer-to-peer 
technology is inherently bad. In fact, it may ultimately prove 
to have important and valuable uses.
    But there can be no question that this new technology, at 
least in its current incarnation, can create serious risks for 
users. Our purpose in holding these hearings is to help the 
public understand what these risks are. Without this knowledge, 
families and businesses simply will not be able to make 
intelligent decisions about the technology.
    [The prepared statement of Hon. Henry A. Waxman follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.003-T8016.007
    
    Chairman Tom Davis. Thank you very much, and let me also 
commend the staff, and Mr. Waxman, your leadership in helping 
put these hearings together.
    Are there any other opening statements; the gentleman from 
Maryland?
    Mr. Ruppersberger. The information superhighway has opened 
many doors and opportunities, both in terms of communication 
and in terms of commerce. It gave us a .com boom in the mid- and 
late 1990's and helped us to make a more technologically 
advanced country.
    Now privacy on the Internet has been discussed in Congress 
since 1998. We have discussed what information needs to be 
protected. Is a disclosure policy a privacy policy? How do we 
protect it and how do we enforce it? Does Congress need to set 
standards, or do we let the industry decide what is best?
    As technology advances, we have to ask ourselves, if 
Government does promulgate regulations, will those regulations 
be able to keep up with the pace of technology?
    Now today we are discussing file-sharing networks like 
KaZaA and Morpheus. These networks allow subscribers to 
download and share music, photo and video clips with other 
subscribers. The question is, how safe are these networks?
    Can a hacker or an individual use networks to get around 
any firewalls and protections and invade persons' more personal 
files? Can they look at people's Quicken statements? Can they 
view saved e-mails and documents?
    Privacy is not just about personal information. The most 
important part is, we have to be able to be concerned about how 
those companies track and use what you download to market your 
items.
    Do these networks sell your information to retailers? Do 
they share them with spammers, companies that flood our e-mail 
with product information?
    At this time, I think we need legislation, but I am fearful 
whatever we write up in Congress will be obsolete within 1 
year.
    Can we legislate privacy? Yes, we can. Congress has done 
that. We have cable and video store privacy. We have financial 
privacy and we have medical privacy. Why not person-to-person 
network privacy? How about a strong Federal enforcement 
mechanism, based on violations of industry-based best practice 
standards?
    Now obviously, no one wants to harm the continued 
advancement of technology. But eventually there will be the 
need for a balance. There will be the need to assure people 
that your information is safe as you connect to the Internet as 
it travels through cyberspace.
    Thank you, Mr. Chairman.
    Chairman Tom Davis. Thank you very much.
    Does anyone else wish to make an opening statement?
    [No response.]
    Chairman Tom Davis. We will now move to our witnesses. We 
have Nathaniel Good from the University of California, 
Berkeley, who will be demonstrating for the committee how 
personal documents can easily be accessed from peer-to-peer 
file-sharing networks.
    Next, we have Jeffrey Schiller, who is network manager for 
the Massachusetts Institute of Technology. Following Mr. 
Schiller is Dr. John Hale, the director of the Center for 
Information Security at the University of Tulsa.
    We will then hear from Alan Davidson from the Center for 
Democracy and Technology; and then from Derek Broes, the 
executive vice president of Brilliant Digital Entertainment.
    Next is Mari Frank, who is an identity theft expert. 
Rounding out the panel is James Farnan, Deputy Assistant 
Director of the Federal Bureau of Investigation's Cyber 
Division.
    It is the policy of this committee that all witnesses be 
sworn before they testify, so if you will rise with me and 
raise your right hands.
    [Witnesses sworn.]
    Chairman Tom Davis. Thank you very much; please be seated. 
We have a light in front. We have your total statements in the 
record that we have read. Your green light will be on for the 
first 4 minutes. In the 5th minute, an orange light will go 
with the red light, so at 5 minutes, we would appreciate your 
summing up.
    Your total testimony is in the committee record, and we 
will go from there. I think for our first witness, you are 
going to do a demonstration. We will cut a little slack on the 
time, but if we can get it down, then we can get to questions; 
thank you very much, Mr. Good.

   STATEMENT OF NATHANIEL S. GOOD, UNIVERSITY OF CALIFORNIA, 
       BERKELEY, SCHOOL OF INFORMATION MANAGEMENT SYSTEMS

    Mr. Good. Thank you very much; good morning, Mr. Chairman 
and committee members. Thank you for the opportunity to appear 
before you today.
    In the brief amount of time that we have to talk to you 
about our study, we would like to give you a video 
demonstration of the problem that we found with KaZaA; describe 
how this problem can occur; and then talk about the possible 
solutions to this problem.
    On the screen in front of you is KaZaA. KaZaA is the most 
popular peer-to-peer file-sharing program on the Internet 
today. With KaZaA, you can look for any type of file, such as 
music, documents, videos. Any file that can be stored on your 
hard drive can be shared through the KaZaA network.
    To do this, one would download the application, type the 
key words that one is looking for into the search box, hit the 
return, and the results would pop up to the right to your 
search box.
    In this example, we will show how a user could get ahold of 
someone else's personal information through KaZaA by typing key 
words and looking for information from the search results.
    So in the first example that we have, we have a user who is 
looking for a file called ``inbox.dbx.'' Inbox.dbx is someone's 
e-mail file. As you can see, there have been a couple different 
results that we have returned.
    If we wanted to see what other files these people were 
sharing, we could go to that person's file. We could find more 
from that user, and we would see all the files that this person 
is sharing.
    So we can see there are other e-mail files that this person 
has. There is the ``sent'' files that this person has. There 
are a whole bunch of deleted items that we could download and 
restore and look at, and there is also the in-box and other 
personal pieces of information.
    So for the next search, we will be doing a slightly more 
sophisticated search, where we will be looking for an Excel 
spreadsheet that has possibly credit card information.
    In this demonstration, we will show how, if you know a 
little about what Excel is, that you know an Excel document has 
the extension ``XLS,'' and you think that someone would call 
their Excel document credit card, or something that begins with 
credit. You could type in these key words here, run a search, 
and this is what you would probably see, something very similar 
to this.
    So here we have a list similar to the list that we had 
earlier, where we had a bunch of files that were returned from 
various users. If we wanted to see some more files from an end 
user, we could click on a file there, type in find more from 
same user. Again, we would see all the files that that person 
has shared.
    In this case, it looks like the person has pretty much 
shared most of their hard drive. There is again, the in-box 
file. This is the e-mail file we were talking about before. 
There are a whole bunch of system files. There are cookie 
files. If we scan over, we can see a little bit more detailed 
file information.
    We can sort by media type, so we can browse around and look 
for other types of information. So we can see that this person 
has certain spreadsheets that pertain to salary structures. 
They have a PDF on tax returns. They have letters that they 
have written to people. They have an address book.
    If we keep browsing through, we will find that they have 
bonus agreements that they are sharing. There is a lot of 
stuff here that this person probably does not want the rest of 
the world to download.
    We also have the credit card activity, the spreadsheet that 
we talked about earlier. There is quite a bit, as you can see; 
office documents and there is the credit card file, again. 
There is another one.
    Here, we also have a password list which, unfortunately, 
probably contains all the passwords that this person has to get 
into various Web sites or corporate sites. People typically 
keep their passwords in a document, because they have to 
remember so many of them.
    So if we downloaded this, we probably would be able to hop 
around to various Web sites and jump into this person's 
accounts and such.
    So this is pretty much the problem that we discovered on 
KaZaA. We determined that through a series of user studies and 
analyzing the interface, that this problem could occur because 
parts of the KaZaA application could be very confusing to 
users, and it relied very heavily on some unstated assumptions.
    In some cases, it was possible for the user to think that 
what they were sharing was completely different than what was 
actually being shared.
    There are too many details to cover in the time that we 
have allocated, but if you were able to go over the research 
report that we have and our written testimony, you should be 
able to get more details about how this problem could possibly 
occur.
    As for solutions, we see two possible paths that we could 
take. The first is education. It is important for people to 
understand what peer-to-peer can share and, more generally, 
what it means to be connected to a network in terms of privacy 
and security.
    We would also like to see stronger default settings and 
better explanations of what is going on in the program. It is 
important that applications should be safest right out of the 
box.
    Security and convenience are typically seen as tradeoffs of 
one another. As the world becomes more networked and more 
devices are able to store, collect, and share private 
information, it is crucial that we find ways for applications 
to be secure without sacrificing convenience and vice versa.
    Thank you very much for your time.
    [The prepared statement of Mr. Good follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.008-T8016.013, T8016.095-T8016.097
    
    Chairman Tom Davis. Thank you very much.
    Mr. Schiller.

  STATEMENT OF JEFFREY I. SCHILLER, NETWORK MANAGER/SECURITY 
        ARCHITECT, MASSACHUSETTS INSTITUTE OF TECHNOLOGY

    Mr. Schiller. Good morning and thank you for inviting me.
    Chairman Tom Davis. Thank you.
    Mr. Schiller. I am actually not going to read my statement, 
but I will tell you essentially what is in there. I have been 
involved in the Internet since the day it was born which was, 
we say, January 1, 1983, and there is a story behind that.
    It is funny, I remember, e-mail was the application that 
everybody said was the forbidden application, because it was a 
waste of network bandwidth. So here we are today with e-mail 
being one of the killer applications, and we are looking at 
another application that causes us a bit of concern.
    From my view as a security expert, I can tell you that my 
professional assessment is that these programs, peer-to-peer 
file-sharing, particularly once they are perfected, are not 
significantly more dangerous, from an end user's perspective, 
than any other technology they use.
    Just as we have seen here today, KaZaA can be used to 
reveal private information. I have certainly received in my e-
mail inbox private information that was sent via e-mail, due to 
various viruses and worms that people have caught. Because of 
who I am, I net a lot of that sort of stuff, and it is pretty 
amazing what you can get.
    So I try to say, what is the difference between a file-
sharing program that we have today and some of the traditional 
technology that we have on the Internet, such as e-mail and Web 
browsing?
    One of the key differences is that file-sharing is still 
under active development. The e-mail technology we use today 
was standardized many years ago, and it does not change.
    As a manager of a network, if I wish to control e-mail, if 
I wish to set up a firewall that examines incoming e-mail 
messages to make sure they do not contain viruses or worms, I 
can do that, but I can be pretty assured that my e-mail 
scanning will, in fact, happen as it is supposed to.
    However, file-sharing programs are programs that are 
currently under active development. As some of us who run 
networks try to put in ways of controlling them, the authors of 
these programs in their newest versions put in ways to get 
around those controls.
    So one of the ways that peer-to-peer file-sharing 
significantly differs from the more traditional applications is 
the intent to subvert third party controls. That is inherent in 
them. That is not inherent in other technologies.
    So as a network manager, one of my concerns with peer-to-
peer file-sharing is its use of our precious bandwidth, which 
we pay dearly for; and there are various tactics that we can 
use to try to limit the use of that bandwidth. What happens 
next, of course, is that the next version of these programs 
has various techniques to avoid that rate limiting.
    Without going into a lot of technical detail, one of the 
things we have been seeing is what I call ``port hopping.'' 
Most Internet applications use a well known port. E-mail 
travels over port 25, for example; file transfer over port 21, 
Web browsing over port 80.
    Well, in their early days, most file-sharing programs had 
well known ports. I use port 1214, for example, and by 
controlling access to that port, we could control its use.
    What we are seeing more and more of are programs that hop 
around. They might use port 1214 for a few minutes, and then a 
few minutes later, we see a lot of traffic on some other 
literally randomly chosen port. With applications that do this, 
it becomes very difficult to actually know what is going on and 
control it.
    We have also seen applications that appear to be encrypting 
their content; not to hide it from any eavesdropper, but to 
make it difficult again for us to figure out, oh, this is file-
sharing programs. There are many such programs that do this. 
KaZaA is not the only one.
    So my point today is that one of the things that makes 
these things just a bit more dangerous than other things is the 
attempt to subvert third parties.
    Particularly in an environment where you have end users who 
are not necessarily experts, who leave themselves exposed, we 
have many places where we try to use firewalls at the corporate 
level to protect people, and that is being subverted.
    Now like everything, many things are a two-edged sword. 
Sometimes, the third parties trying to control access to the 
network are not necessarily what we could consider good guys.
    The same technology that a corporation can use to control 
access can be used by governments that wish to suppress their 
people, and peer-to-peer file-sharing programs can often be 
used as a way of spreading the word, without it being 
controlled. But like all things, it is a two-way street, thank 
you.
    [The prepared statement of Mr. Schiller follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.014-T8016.017
    
    Chairman Tom Davis. Thank you very much.
    Dr. Hale.

  STATEMENT OF DR. JOHN HALE, ASSISTANT PROFESSOR OF COMPUTER 
  SCIENCE AND DIRECTOR, CENTER FOR INFORMATION SECURITY, THE 
                      UNIVERSITY OF TULSA

    Mr. Hale. Mr. Chairman, Ranking Minority Member Waxman, and 
members of the committee, thank you for giving me the 
opportunity to testify today on a topic that is of growing 
concern to the network security community, to American 
businesses and schools and, in fact, anyone that uses the 
Internet.
    I am an Assistant Professor of Computer Science at the 
University of Tulsa, and serve there as the Director of its 
Center for Information Security.
    Over the past 5 years, I have watched peer-to-peer 
technology make a startling transition from the backwaters of 
computer science to mainstream society. This March, Sharman 
Networks hit the 200 million mark for downloads of its popular 
KaZaA Media Desktop.
    File-sharing software is in homes, businesses, and 
schools across the world, connecting users in a peer-wise 
architecture that is both resilient and efficient. Peer-to-peer 
networking has grown faster than the Internet itself, reaching 
a much broader audience at this stage of its development.
    But there is a downside to placing such a potent technology 
in the hands of novice users. A peer-to-peer client exposes a 
computer to new threats, and some of the practices of its 
developers magnify the risk.
    The prevalence of spyware in peer-to-peer clients is but 
one example. Developers bundle spyware in their clients to 
generate revenue. One company maintains that it is 
``integral'' to the operation of their product.
    Of course, there is no inherent functional dependency 
between advertising and file-sharing. Integral then means that 
the peer-to-peer software has been deliberately engineered so 
that it will not function without the spyware active.
    To avoid detection, spyware often hides in system folders 
or runs in the background. Amazingly, some spyware components 
remain on a system long after the original application is 
removed and will even embed themselves in a host, despite an 
aborted installation of a carrier program.
    Spyware embedded in clients sometimes downloads executable 
code without user knowledge. Even if the code is not malicious, 
it may contain flaws that render a system vulnerable to attack. 
More importantly, the clandestine nature of the software makes 
detection and remediation extremely challenging.
    Peer-to-peer is also commonly designed to circumvent 
network security services. Techniques such as tunneling, port 
hopping, and push request messages make it difficult to detect 
and filter peer-to-peer traffic.
    HTTP tunneling, in which peer-to-peer communications are 
disguised as Web traffic, is popular because such traffic often 
travels freely across networks. To this end, tunneling not only 
helps violate a network security policy by enabling forbidden 
applications, but also expands the network perimeter in ways 
unknown to system administrators.
    Another trick used by some of the most popular peer-to-peer 
clients is to vary communication ports, a technique called port 
hopping. This thwarts blocking and scanning software that 
identifies network services, based on well-known port 
assignments, as described previously.
    Push request messages in the Gnutella protocol are used to 
circumvent firewalls. Instead of a client pulling a file to it, 
it asks the host behind the firewall to push the file out. This 
is all transparent to the user, but it constitutes a subtle 
collusion between the two clients to violate a security policy.
    Another concern is how flaws in clients can increase 
exposures in a network, leaving it vulnerable to hackers. 
Exploitable weaknesses in peer-to-peer software have been 
identified, and in some cases, the media files themselves can 
enable an attack.
    There is nothing special about peer-to-peer clients that 
makes them any more flawed than other software. However, 
several factors conspire to amplify the risks they induce.
    They engender massive ad hoc connectivity across network 
domains. Hosts are exposed to every user on a peer-to-peer 
network. More than that, they allow users to share files 
pseudo-anonymously. Often, clients, themselves, are installed 
from peers on a network.
    In short, peer-to-peer file-sharing exposes systems to 
untrusted hosts and software, and offers little in the way of 
protection.
    Worms and viruses are also very real threats. The most 
recent example is the Fizzer virus, a blended attack that 
propagates via e-mail and KaZaA.
    Another is the Duload worm, which hides in a system folder, 
and alters the registry so that it runs at startup. But it then 
copies itself to several provocatively named files within a 
folder that it exposes to the peer-to-peer network. Since 
Duload relies on human interaction, it is more of a virus than 
a worm.
    So Internet worms that target Web and database servers 
actually provide better insight of the real potential. Code Red 
infected almost 400,000 Internet hosts within 14 hours, causing 
an estimated $2.6 billion in damage. Nimda infected 2.2 million 
hosts. The Slammer worm, by comparison, only affected 200,000 
hosts, but set new speed records, infecting 90 percent of its 
victims in under 10 minutes.
    A true peer-to-peer worm can infect an entire network with 
similar speed. More importantly, the obstacles for remediation 
indicate that it would have tremendous staying power, re-
infecting unpatched hosts and infecting new ones as they came 
on-line.
    There is a role for technology to play in addressing these 
problems, but it is only a small piece of the solution. Users 
have to be made aware of the risks of file-sharing. Developers 
must live up to higher standards of integrity and transparency 
for the software they develop.
    We cannot predict the next Code Red or Nimda. But if and 
when it strikes peer-to-peer networks, I hope we do not look 
back and see a missed opportunity to lead a promising 
technology out of a turbulent period in its development; thank 
you.
    [The prepared statement of Mr. Hale follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.018
    
    [GRAPHIC] [TIFF OMITTED] T8016.019
    
    [GRAPHIC] [TIFF OMITTED] T8016.020
    
    [GRAPHIC] [TIFF OMITTED] T8016.021
    
    [GRAPHIC] [TIFF OMITTED] T8016.022
    
    Chairman Tom Davis. Thank you very much.
    Mr. Davidson.

 STATEMENT OF ALAN B. DAVIDSON, ASSOCIATE DIRECTOR, CENTER FOR 
                    DEMOCRACY AND TECHNOLOGY

    Mr. Davidson. Mr. Chairman, Mr. Waxman, members of the 
committee, I am Alan Davidson, associate director of the Center 
for Democracy and Technology. CDT is a non-profit public 
interest group, based here in Washington, dedicated to 
promoting civil liberties and human rights on the Internet.
    Since its creation, CDT has been heavily involved in issues 
of on-line privacy and security, and we welcome the opportunity 
to testify today on a timely issue of privacy and security, the 
question of privacy on popular peer-to-peer file-sharing 
systems.
    We commend the committee for its thoughtful efforts on this 
and other topics related to peer-to-peer over the last few 
months and few years.
    Our top line is this. The use of file-sharing software 
certainly raises serious privacy issues for consumers and 
computer users, often through mistakes that the users make in 
sharing very sensitive personal information.
    At the same time, file-sharing technology can be very 
beneficial. It is new and changing, and it is largely in the 
control of the people who use it. So the most important thing 
that we can do is to inform people about the potential risks of 
sharing, and teach them how to use peer-to-peer safely. There 
are other things, as well, and I will go into that.
    As we have heard, peer-to-peer file-sharing systems are a 
computing phenomenon. They are among the most popular and 
downloaded computer programs today. Much of the concern that we 
have comes from the fact that these are systems that just a few 
years ago were used by a relatively small and savvy group of 
people. Today, they are being embraced by millions of users, 
many of whom do not have a lot of expertise.
    People who install these powerful tools need to be aware of 
the potential privacy and security risks that come from their 
use or their misuse. Among our top concerns, first and foremost, 
and potentially most serious, is this issue of inadvertent 
sharing of sensitive personal information.
    I cannot do much better than the demo that you saw in 
trying to make it clear how it is possible, in some cases, 
probably too easy, for people to share personal files. 
Certainly, there is a lot of evidence that some people, at 
least, are doing this.
    A cautionary note, we need to keep this in perspective. We 
do not have a good set of data right now about how big a 
problem this is. There is not very much research in terms of 
quantifying how large a percentage of people are doing this. 
But certainly, for some people, this is a very real problem.
    Second, many file-sharing programs, as we have heard, 
contain spyware that communicates information for advertising 
or for other reasons, often without a user's knowledge.
    This is not a problem that peer-to-peer file-sharing 
networks have alone. This is a problem in many software 
programs for users. But whether in peer-to-peer or in other 
software, consumers deserve real notice and real choices about 
how their computers are going to communicate with third 
parties.
    A third issue for us is the legal risks that people face 
when using these systems and the privacy issues that can come 
with that.
    First of all, file traders who violate copyright laws face 
obvious legal risks. At the same time, we are concerned that at 
least one provision of the current law, which is the broad 
subpoena power that is granted to any copyright holder under 
Section 512(h) of the DMCA, too easily allows the identity of a 
peer-to-peer participant, or for that matter, any Internet 
user, to be unmasked wrongly or by mistake without their 
knowledge. That is something that we think Congress should 
address.
    So what do we do about all of these problems? First and 
foremost, and I think you have already heard some of this, the 
public and particularly the families of file trading minors 
need greater awareness of the potential risks of file-sharing.
    One example of how to do this is something that we have 
been working on, in collaboration with a number of other 
companies and public interest groups, which is GetNetWise. 
It is a collaborative collection of tools for families seeking 
to protect their kids on-line. It is a Web site, 
GetNetWise.org, that is linked to by over 80,000 sites, 
including many major Internet providers, other public interest 
groups, Members of Congress including, I believe, this 
committee, for which we are always grateful, and your tips on 
how to protect kids in peer-to-peer networks from adult 
content.
    First of all, there is a major new initiative in this 
project. I have attached to the back of my testimony some of 
the materials from that, to try to educate parents about how to 
keep their kids safe when using peer-to-peer networks.
    There are lots of tips. There are tips in some of the other 
sets of testimony that were put together. Those are the kinds 
of things that we need to do to really make parents and 
families aware of the risks that they may be facing.
    There are other things that can be done, as well. Another 
is that we must insist that fair information practices be 
obeyed in file-sharing software. Much more could be done to 
design these systems with better transparency and better 
control. Software producers should reject invasive spyware, 
unless they find ways to give people more notice and control.
    Finally, we do think that Congress should be looking at 
finding ways to add privacy protections to these DMCA subpoenas 
so that mistakes are not made.
    I think our bottom line is, we do not need to throw the 
baby out with the bath water. There are many benefits to some 
of these technologies. They are also facing their own moments 
of dislocation and concern.
    We look forward to working with Congress to find a way to 
make sure that privacy is protected without damaging what can 
be a very good source of innovation.
    [The prepared statement of Mr. Davidson follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.023
    
    [GRAPHIC] [TIFF OMITTED] T8016.024
    
    [GRAPHIC] [TIFF OMITTED] T8016.025
    
    [GRAPHIC] [TIFF OMITTED] T8016.026
    
    [GRAPHIC] [TIFF OMITTED] T8016.027
    
    [GRAPHIC] [TIFF OMITTED] T8016.028
    
    [GRAPHIC] [TIFF OMITTED] T8016.029
    
    [GRAPHIC] [TIFF OMITTED] T8016.030
    
    [GRAPHIC] [TIFF OMITTED] T8016.031
    
    [GRAPHIC] [TIFF OMITTED] T8016.032
    
    [GRAPHIC] [TIFF OMITTED] T8016.033
    
    [GRAPHIC] [TIFF OMITTED] T8016.034
    
    [GRAPHIC] [TIFF OMITTED] T8016.035
    
    [GRAPHIC] [TIFF OMITTED] T8016.036
    
    [GRAPHIC] [TIFF OMITTED] T8016.037
    
    [GRAPHIC] [TIFF OMITTED] T8016.038
    
    [GRAPHIC] [TIFF OMITTED] T8016.094
    
    [GRAPHIC] [TIFF OMITTED] T8016.039
    
    Chairman Tom Davis. Thank you very much.
    Mr. Broes.

   STATEMENT OF DEREK S. BROES, EXECUTIVE VICE PRESIDENT OF 
     WORLDWIDE OPERATIONS, BRILLIANT DIGITAL ENTERTAINMENT

    Mr. Broes. Thank you for inviting me. Chairman Davis, 
Representative Waxman, and members of the committee, I am Derek 
Broes. I am the executive vice president of Worldwide 
Operations for Brilliant Digital Entertainment and its 
subsidiary, Altnet.
    Altnet offers the largest secure commercial platform for 
distribution of digital content over peer-to-peer software-
based networks.
    Under an exclusive agreement with Sharman Networks Limited, 
publisher of the KaZaA Media Desktop peer-to-peer application, Altnet 
reaches an estimated 75 million worldwide unique users per 
month. That is about twice the reach of America Online.
    With this reach, Altnet has become the largest distributor 
of rights-managed content over the Internet today. Altnet takes 
the issues before this committee very seriously. As you will 
hear in my testimony today, Altnet is leveraging its role as 
the market leader by spearheading efforts to make security and 
privacy over file-sharing networks a top priority.
    There is something very exciting about technology that 
allows tens of millions of people across the globe to 
simultaneously connect to each other. It is a true digital 
democracy.
    But as in any democracy, there are challenges that must be 
overcome, and moral and ethical standards to be established. As 
with any technology that reaches millions of people, there is a 
responsibility that every company must assume when creating an 
instant messenger, e-mail, peer-to-peer, online interactive 
games, chat rooms, or any technology designed to share digital 
words or files with anyone, any time, instantly.
    My past experience in the entertainment industry, combined 
with experience in Internet peer-to-peer security technologies, 
gives me a uniquely broad perspective on the issues before the 
committee here today.
    As the former CEO of Vidius, Inc., I built an Internet 
security company that creates products to monitor corporate 
networks for security risks associated with file-sharing 
applications that are run on company computers. In most cases, 
we found the risks solvable with simply company policy changes 
and minor network alterations.
    In addition to addressing corporate security risks, much of 
Vidius' work was dedicated to an in-depth technical analysis of 
peer-to-peer networks for such clients as the Motion Picture 
Association and the Recording Industry Association of America, 
and that was from an anti-piracy point of view.
    I firmly believe that it is the responsibility of peer-to-
peer file-sharing companies to proactively protect the privacy 
and security of the users of their software application.
    While there are some unique challenges to making file-
sharing applications more secure, which I will outline, it is 
important that we de-mystify these technologies and realize 
that many protective security technologies are already widely 
available.
    By simply adopting the standards commonly used by the World 
Wide Web such as Secure Socket Layer, Public Key Infrastructure 
[PKI], and Authentication Agents, file-sharing becomes much 
more secure.
    In addition to these, distributors of peer-to-peer 
applications should adopt standard user privacy policies, and 
take care to educate users as to how their applications work 
and how to be a safe and responsible user of that application.
    Beyond adopting industry standard security practices and 
policies, distributors of file-sharing applications must also 
address security challenges common to peer-to-peer and similar 
infrastructures.
    A publicized threat with file-sharing technology, as well 
as with e-mail and instant messenger technologies, is the 
spread of viruses. As you would expect, when files come from an 
anonymous and uncertified source, the risk of that file 
containing a virus is greatly increased.
    In addition, many file-sharing applications provide a tool 
to allow users to search their hard drives for files to share. 
If that tool is used incorrectly, users could inadvertently 
give access to their confidential files and folders.
    Allow me to review how Altnet meets the challenges from 
within the KaZaA Media Desktop peer-to-peer application, and 
how Sharman Networks, the owner and operator of KaZaA, has 
reacted to various privacy and security issues over the past 18 
months.
    Altnet's patented technology called ``TrueNames'' ensures 
that only certified and authenticated files can be transferred 
by the Peer Enabler component of the Altnet application. This 
eliminates the risk of viruses when users download files from 
file-sharing networks that utilize this technology, such as the 
KaZaA Media Desktop.
    Sharman Networks has taken great care to protect users' 
privacy and security. As distributors of the most popular peer-
to-peer application today, Sharman Networks has consistently 
led the field with security enhancements developed explicitly 
for the challenges of this new industry, including the peer-to-
peer's first built-in anti-virus tool.
    KaZaA Media Desktop contains two layers of proprietary virus 
protection technology. In addition, Bullguard, a well-known 
anti-virus software, is installed free with the KaZaA Media 
Desktop application, providing users with an additional layer 
of security and protection.
    Sharman has shown great commitment to ensure that any new 
malicious viruses that freeze or silence or otherwise 
compromise a user's PC and its information are detected by this 
software, as was the case with Fizzer.
    Altnet and Sharman Networks take every opportunity to 
encourage responsible and safe peer-to-peer usage through user 
education and via the default configuration of the software of 
the upcoming release.
    The nature of the decentralized peer-to-peer technology 
means that users are in control of the material they choose to 
share with others. Our goal is to provide them with the 
education and tools they need for safe and responsible use.
    Commercialization of the World Wide Web has led to the 
creation and adoption of advanced security, privacy policies 
and protection technologies, and the evolution of file-sharing 
networks will follow that same path.
    The future technological benefits of peer-to-peer 
technology are only now being explored and include the 
voluntary creation of shared resource networks that will allow 
massive distributed computing and storage of a scale only 
dreamed about by the pioneering medical research and astronomy 
projects that have received publicity to date.
    These types of applications will give research labs the 
ability to share processing power with hundreds of thousands of 
computers and digitally crunch billions of numbers in a 
nanosecond.
    The technological benefits of such a program are 
undisputed. From medical research to rendering Toy Story part 
3, Altnet intends to lead the market by presenting an opt-in 
resource sharing program to users that will be defined by the 
highest principles of disclosure and consent.
    If file-sharing software companies understand and meet 
their responsibilities, and content companies support these 
positive and important initiatives, then companies such as 
Altnet will have the ability to find an audience, reduce 
piracy, offer vastly improved efficiencies in digital 
distribution, create instantly accessible global content sales 
and marketing channels, provide a variety of public services, 
distribute a movie, market an artist, and sell a game, all 
while turning a profit and protecting user privacy from within 
a secure environment.
    We welcome input from our peers and from this committee to 
ensure that we continue to meet the responsibilities we have 
assumed. Thank you, Mr. Chairman, for the opportunity to 
participate in this important hearing today.
    [The prepared statement of Mr. Broes follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.040
    
    [GRAPHIC] [TIFF OMITTED] T8016.041
    
    [GRAPHIC] [TIFF OMITTED] T8016.042
    
    [GRAPHIC] [TIFF OMITTED] T8016.043
    
    Chairman Tom Davis. Thank you very much.
    Ms. Frank.

 STATEMENT OF MARI J. FRANK, ESQUIRE, MARI J. FRANK, ESQUIRE & 
                           ASSOCIATES

    Ms. Frank. Good morning, Chairman Davis, Ranking Member 
Waxman, honorable committee members and invited guests. Thank 
you for the opportunity to address you today.
    My name is Mari Frank, and I am an attorney and the author of 
the ``Identity Theft Survival Kit'' and ``Privacy Piracy'' from 
Laguna Niguel, CA. I have brought copies of these for the 
committee to use.
    My identity was stolen in 1996 by an imposter who paraded 
as an attorney, robbing me of my profession, my credit, and my 
peace of mind. She obtained over $50,000 using my name, after 
going on-line to obtain my credit report.
    Your personal information, worth more than currency itself, 
can be used to apply for credit cards, mortgages, cell phones, 
insurance, utilities, products, and services, all without your 
knowledge.
    A fraudster can do anything you can do, and worse than 
that, they can do things you would not do, like commit crimes 
and terrorist activities.
    There are three motivations for identity theft. First is 
financial gain. An example: Robert is a high tech computer 
consultant who normally encrypts all his sensitive data on his 
computer.
    Unfortunately, his resume was not stored in an encrypted 
file. He suspects that his impersonator accessed his computer 
through a network, copied his resume, and used it to obtain a 
well paying job. When Robert applied for the same job, he was 
shocked to find out that another person with his name and 
credentials was already hired.
    The second reason is avoiding prosecution. Tom was laid off 
from a high paying job in the medical industry. He had great 
recommendations and felt sure that he would be re-hired. For 2 
years, he was denied position after position, after each 
company had performed a background check.
    Finally, Tom hired a private investigator that showed him 
that his criminal background included two DUIs and an arrest 
for murder, none of which belonged to him.
    The third reason someone commits identity theft is revenge. 
The first cyber-stalking case prosecuted in Orange County, CA 
turned out to be identity theft. A computer expert was angry 
when a woman he liked shunned his advances. So he impersonated 
her in a chat room, stating that she had fantasies of being 
raped. When he gave out her phone number and address, several 
men appeared at her door.
    There are many ways in which personal information can be 
obtained. According to the FTC, the Federal Trade Commission, 
72 percent of victims have no idea how their information was 
accessed.
    The new May 2003 California Public Research Study on Police 
and Identity Theft lists the top sources of identity theft: mail 
theft, dumpster diving, unscrupulous employees, stolen or lost 
wallets, Internet fraud, burglary, friends, relations, phone 
scams, unethical use of public documents, shoulder surfing, 
medical cards and drivers licenses, and personal information 
sold by financial institutions.
    Since this hearing is focusing on the peer-to-peer file-
sharing vulnerabilities and the potential of revealing 
sensitive information in our computers, I am going to give a 
few suggestions that are just lay person things.
    No. 1, research any program before installing it. No. 2, 
learn how to safely stop sharing your files and how to unblock 
wanted files from entering your computer. Three, if possible, 
when using peer-to-peer file-sharing on the Internet, use a 
computer that does not store personal information on it.
    Four, password protect and encrypt your sensitive files. 
Five, do not put any confidential information in your e-mail, 
unless they are encrypted. Next, be conscious about what 
information you share in your files at Web sites, in chat 
rooms, and in e-mail.
    Read the privacy policies of the Web site you deal with and 
try and understand them. Make sure you have updated virus 
protection on your computers, and do not assume that you are 
anonymous.
    Your confidential information is a valued commodity. 
Marketers, information brokers, and the financial industry, 
buy, transfer, and sell your aggregated profiles, including 
your income; credit-worthiness; buying, spending, and travel 
habits; health information, and much more.
    Intimate facts about your life are shared legally and 
illegally without your knowledge or consent. The loss of 
control over our personal information has led to the epidemic 
of identity theft.
    I applaud this committee for researching the perils posed 
by peer-to-peer file-sharing. It is important to acquire 
knowledge, security measures, and careful strategies to protect 
ourselves. Hopefully, divulging security flaws in peer-to-peer 
file-sharing and other technologies to the media and Congress 
will encourage companies to make user-friendly security a top 
priority.
    But peer-to-peer file-sharing may pose less of a threat of 
identity theft than the careless display of records at your 
doctor's office, the negligently piled tax returns left on your 
accountant's desk for the cleaning crew to review, the 
encrypted and unlocked cabinets with personnel files at work, 
the non-shredded trash bins behind banks, insurance agencies, 
and mortgage companies, and the hacked databases of credit card 
companies, financial companies, and universities and the like.
    To prevent identity theft, the burden should be on the 
credit granters who are in the unique position on the front end 
to take precautions and require verification of change of 
address, and refuse to issue to fraudsters.
    Unfortunately, quick, easy credit, pre-approved offers, 
convenience checks, mass marketing of databases, and sloppy 
information handling make this a simple crime.
    I encourage this honorable committee to also investigate 
ways in which the financial industry and information brokers 
can better protect our security.
    Since Congress passed the Financial Modernization Act in 
1999, identity theft has skyrocketed. Whether on-line or 
offline, our sensitive information must be better protected to 
foster consumer trust, so that our economy and our society can 
flourish; thank you.
    [The prepared statement of Ms. Frank follows:]

    [GRAPHIC] [TIFF OMITTED] T8016.044
    
    [GRAPHIC] [TIFF OMITTED] T8016.045
    
    [GRAPHIC] [TIFF OMITTED] T8016.046
    
    [GRAPHIC] [TIFF OMITTED] T8016.047
    
    [GRAPHIC] [TIFF OMITTED] T8016.048
    
    [GRAPHIC] [TIFF OMITTED] T8016.049
    
    [GRAPHIC] [TIFF OMITTED] T8016.050
    
    [GRAPHIC] [TIFF OMITTED] T8016.051
    
    [GRAPHIC] [TIFF OMITTED] T8016.052
    
    [GRAPHIC] [TIFF OMITTED] T8016.053
    
    [GRAPHIC] [TIFF OMITTED] T8016.054
    
    [GRAPHIC] [TIFF OMITTED] T8016.055
    
    [GRAPHIC] [TIFF OMITTED] T8016.056
    
    [GRAPHIC] [TIFF OMITTED] T8016.057
    
    [GRAPHIC] [TIFF OMITTED] T8016.058
    
    [GRAPHIC] [TIFF OMITTED] T8016.059
    
    [GRAPHIC] [TIFF OMITTED] T8016.060
    
    [GRAPHIC] [TIFF OMITTED] T8016.061
    
    [GRAPHIC] [TIFF OMITTED] T8016.062
    
    [GRAPHIC] [TIFF OMITTED] T8016.063
    
    Chairman Tom Davis. Thank you very much.
    Mr. Farnan.

STATEMENT OF JAMES E. FARNAN, DEPUTY ASSISTANT DIRECTOR, CYBER 
 DIVISION, FEDERAL BUREAU OF INVESTIGATION, ACCOMPANIED BY DAN 
     LARKIN, SUPERVISORY SPECIAL AGENT, FEDERAL BUREAU OF 
                         INVESTIGATION

    Mr. Farnan. Good morning, I would like to thank Chairman 
Davis, Ranking Member Waxman and members of the committee for 
the opportunity to testify today.
    We welcome your committee's leadership in dealing with the 
serious security and privacy issues associated with identity 
theft and peer-to-peer sharing.
    My testimony today will address the activities of the FBI's 
Cyber Division, in relation to the Internet and identity theft.
    I have asked Supervisory Special Agent, Dan Larkin, Chief 
of our Internet Fraud Complaint Center to attend, and he will 
provide specific answers, should the committee have any 
questions about more technical matters with the Internet Fraud 
Complaint Center's role in this area.
    A May 8th cover story in the Washington Post is nothing new 
to Americans today. Another group was discovered in possession 
of a veritable factory of counterfeit credit cards, including 
newly made cards, credit card numbers downloaded from a major 
retail store, and 600 pages containing more than 40,000 alleged 
stolen names and credit card numbers.
    As the investigation continues, we will probably find that 
these criminals have affected the lives of hundreds of victims, 
perhaps destroying their credit and creating hardships that 
will take years to abate.
    These thefts could be the result of computer hacking, 
insider theft, and/or social engineering. Stolen information 
can also be sold and used to establish new identities for 
fugitives or terrorists. In these cases, identity theft can 
have much more serious consequences.
    Identity theft is the fraudulent use of an individual's 
personal identifying information. It is normally a component or 
end result of another crime. Victims of identity theft often do 
not realize that someone has stolen their identity until their 
credit has been ruined.
    Although we have received no complaints alleging identity 
theft by peer-to-peer networks, some factors must be 
considered.
    Peer-to-peer networks primarily serve as a ``come and get 
it'' resource on the Internet. In using such a utility, the 
user specifically searches for the item they want; for example, 
music, images, or software.
    The most significant criminal activity involving peer-to-
peer sharing centers largely on music and software piracy, an 
area in which the FBI has been working closely with the private 
industry.
    The FBI has also seen an increase in peer-to-peer sharing 
of child pornography files. Peer-to-peer networks are 
increasingly being identified as sources from which Trojans or 
back doors were installed on computers during downloads.
    Victims sometimes discovered that personal and financial 
information has been removed from their computer through the 
back door. It is becoming more common for ``bots'' or active 
Trojans to be installed during a peer-to-peer download.
    In these instances, the victim computer executes 
instructions from the ``bots'' creator. Active ``bots'' could 
also be used to retrieve sensitive information from victim 
computers in furtherance of identity theft schemes. A person 
using peer-to-peer utilities for unauthorized or illegal 
purposes is not as likely to tell the FBI that a back door was 
found on their system, or that as a result, certain personal or 
financial information may have been taken.
    Through the Internet Fraud Complaint Center [IFCC], the FBI 
has positioned itself at the gateway of incoming intelligence 
regarding a wide variety of cyber crime matters. The IFCC 
received 75,000 complaints in 2002, and is now receiving more 
than 9,000 complaints each month.
    We expect that number to increase significantly, as the 
American and international communities become more aware of our 
mission and capabilities.
    Later this year, the IFCC will be renamed as the Internet 
Crime Complaint Center, to more accurately reflect its mission. 
The center receives complaints about various Internet-based 
crimes, analyzes the complaints for common patterns and 
perpetrators, and then sends them to the appropriate agency for 
investigation and prosecution.
    In summary, cyber crime continues to grow at an alarming 
rate, and identity theft is a major part of the increase. 
Criminals are only beginning to explore the potential of crime 
via peer-to-peer networks.
    The FBI is grateful for the efforts of your committee and 
others dedicated to the safety and security of our Nation's 
families and businesses. The FBI will continue to work with 
your committee and aggressively pursue cyber criminals as we 
strive to stay one step ahead of them in the cyber crime 
technology race.
    I thank you for your invitation to speak to you today, and 
on behalf of the FBI, I look forward to working with you on 
this very important topic; thank you.
    [The prepared statement of Mr. Farnan follows:]

    Chairman Tom Davis. Thank you very much. I thank all of you 
for your input into this. Let me just ask a general question of 
the panel. The testimony, I think, makes it clear that users of 
file-sharing programs can expose their most personal files to 
millions of strangers, many times without the knowledge of the 
person using the files.
    Is there general agreement among the witnesses that file-
sharing programs can be confusing to configure, and that most 
people are unaware that they might be sharing their tax 
returns, credit card data and other confidential files on these 
networks? Is there a consensus on that?
    Mr. Farnan. I think so, yes.
    Mr. Davidson. I would just say that your mileage may vary, 
in the sense that different programs do have different 
capabilities or different defaults. So I think on the one hand, 
people should not get the feeling that if they use one of these 
things, they are automatically sharing everything on their hard 
drive. But the flip side of it is, I think the usability 
studies have shown that a lot of them could do a lot better 
job.
    Mr. Broes. Also, software companies across the board have 
taken this secure by default initiative, where the 
applications, when they install it, it is secure. In the past, 
not even Microsoft had done that.
    So now, today, the standards that everyone is practicing, 
including Sharman Networks and Altnet, is by the standard, once 
it is installed, it is locked, and then guides the user and 
allows the user to unlock it if they see fit.
    So for the most part, there are many peer-to-peer 
applications out there, primarily on the new Tele-base, that 
are very difficult to understand.
    Chairman Tom Davis. Obviously, an educated user is the best 
defense. I do not think there is any question about that. The 
level of sophistication of people using this is very different.
    How widespread is this problem? I mean, we see the 
potentials; we see an isolated case. Does the FBI have any data 
on how widespread it is? Do you have any feel for that?
    Mr. Farnan. Let me ask Mr. Larkin if he can address that 
particular question.
    Chairman Tom Davis. I am going to have to swear him in.
    [Witness sworn.]
    Mr. Larkin. Well, the problem is growing, but it is how we 
define the problem, I guess, as Mr. Farnan had indicated. What 
we see with the peer-to-peer networks is not so much identity 
theft. It is more intellectual property rights and software 
piracy and that kind of thing.
    Although we have not linked it to identity theft, 
specifically, we do have instances where there are Trojans and 
``bots'' that have been downloaded, at a pretty high rate and a 
growing rate, giving the unscrupulous creator of that Trojan or 
that BOT the opportunity to come in and access information on 
that computer.
    Generally, though, it has not been the practice of those 
subjects out there to go in and look for that data. They are 
just looking for that computer to use, for some other high 
speed attack where they need that type of bandwidth for.
    Chairman Tom Davis. You only need a couple cases, and lives 
can be completely destroyed.
    Mr. Farnan. That is true.
    Chairman Tom Davis. Are there any other thoughts on that?
    Ms. Frank. I think the only other thing I would say is, it 
is so important to realize that most identity theft victims do 
not know where it is coming from. So what happens is, if they 
are sharing and somebody gets this information, they will never 
know, and it is very hard for even the FBI to know.
    Chairman Tom Davis. Mr. Broes, what steps is KaZaA taking 
to proactively protect their privacy and security of its users?
    Mr. Broes. Well, I cannot speak on behalf of Sharman 
Networks. But I can tell you that as a partner, we have 
encouraged them to look at every possible study, such as Mr. 
Good's study, and they have definitely taken that to heart.
    I think many of the things that he has discussed and many 
of the issues that we are discussing here today will be 
addressed in the very, very near future, in the future 
releases.
    Chairman Tom Davis. In general, are the file-sharing 
companies doing a good job educating users about the privacy 
and security risks? Are they doing a better job; are they on to 
this? What is the consensus on this?
    Mr. Broes. Well, I have recently come on board with Altnet. 
I would say that from my perspective, Sharman Networks, who run 
KaZaA Media Desktop, have been the most proactive in that.
    In the past, coming from the security and technology 
background, I was the one that was actually hired by the Motion 
Picture Association, when they AA to do the analysis of the 
fast track network, before the legal action was taking place. 
So I had a unique look at this.
    I can tell you from what I have seen, they are taking the 
most proactive approach. I have encouraged it with some of the 
other peer-to-peer companies, such as LimeWire and BearShare, 
with absolute resistance.
    Chairman Tom Davis. Thank you very much.
    Mr. Waxman.
    Mr. Waxman. Thank you, Mr. Chairman. I think most people do 
not realize, they are opening up their own files when they go 
to these peer-to-peer systems.
    Mr. Good, in your demonstration, were you actually 
downloading someone's personal files in real time?
    Mr. Good. No, during the demonstration, that was recorded 
beforehand. But no, we did not download anything. We just 
looked and browsed around.
    Mr. Waxman. So you can look and browse around. Is the 
reason that people have their personal files open for others to 
come in and look around because of the configuration process 
when they go to the peer-to-peer networks?
    Mr. Good. If I understand the question correctly, the 
question was, would people be sharing stuff other than by 
making a mistake? Is that correct?
    Mr. Waxman. Well, if you were going to go to a peer-to-peer 
network, I do not think you are asked the question, are you 
willing to open up all your files; or are you asking the 
question? Do people then check, yes, or are you able to check, 
no?
    Mr. Good. Yes, you are not asked directly, do you want to 
open up all your files. You are asked, what do you want to 
share with the network.
    There are various ways that they do it. Depending on the 
version, in earlier versions, they offered to search your hard 
drive for you.
    In different versions, just by default, they would not 
share anything. Then if you decided to change the download 
folder, you had to understand what it meant to change the 
download folder. Those assumptions were not stated explicitly. 
So it really depends.
    In the latest version that we downloaded a couple of days 
ago, it does offer to search to share your files. But it does 
not ask you that question directly, do you want to share 
everything or not.
    Mr. Schiller. If I may jump in?
    Mr. Waxman. Yes, Mr. Schiller.
    Mr. Schiller. Just last week, I asked my staff to do a 
trial run of downloading KaZaA, because I wanted to see how it 
worked these days because, of course, it keeps changing.
    We used a blank computer that was newly installed, fresh, 
what have you, and downloaded KaZaA. When we installed it, it 
did ask us the question, do you wish to search your hard drive 
for files to share. It offered to share the directory where 
those files are stored.
    I said to the guys doing this, you know, that means it is 
going to search for media files like MP3s and what have you. 
But then it is going to offer to share the directory that they 
are in, which might contain other files. Is it only going to 
share the MP3s or is it going to share all the other files?
    Now we are experts, and we did not know. I think most 
people would not think twice about it. So if you had an MP3 in 
your ``My Documents'' folder, and you also had your tax returns 
in your ``My Documents'' folder, I would bet even money that 
the chances are, both wind up being shared.
    Mr. Good. That is actually a really good point. I mean, it 
does not state the assumptions that it is using while it is 
sharing. While it is searching for folders to share, it does 
not state what those were. As Jeff has mentioned, even experts 
were not able to really tell what it was looking for.
    Mr. Davidson. Right; I think there are two issues. One is 
sort of what are the defaults; what is easy to do? It turns out 
that in a lot of these systems, it is very easy to share more 
than you might expect to.
    The other is that in a lot of these systems, you do have to 
take an affirmative step to share a lot of files, and 
particularly to share a whole drive.
    For example, a system that we tried out in our office did 
not give you any warning when you decided to share your whole C 
drive, as it were. There is a lot more that could be done in 
the design of this software, to make sure that people have some 
awareness that might not be a good idea.
    Mr. Waxman. As I understand it, on the KaZaA Network, users 
get priority for downloads, the more files they share, which is 
obviously an incentive for them to share more files. That could 
lead teenagers to share all of the sensitive files on their 
parents' computers.
    What steps, if any, does KaZaA take to ensure that all 
users of a particular computer know which files are being 
shared? Does anybody have any idea of that?
    Mr. Schiller. If I understand the question correctly, you 
are asking what measures are taken to educate the user, as to 
what files they are sharing. I can tell you that it is not true 
that they do not get a priority. So I do know that. The 
priority is for uploads and not files that are downloaded.
    Mr. Waxman. What does that mean?
    Mr. Schiller. The priority is for an upload. So for upload 
speeds; that your files will have essentially a greater path. 
But I am not too certain on this.
    Mr. Waxman. Does that mean you get a better quality?
    Mr. Schiller. You get a better quality of download; a 
better quality of transfer, perhaps. I do not know the 
specifics.
    Mr. Waxman. Is it not an incentive then, to open up your 
files to get the better quality?
    Mr. Schiller. No, I do not think so. I think the initiative 
that Sharman and Altnet have always gone by, and this is why 
Altnet has licensed files, we have an application that is 
coming out in the next few weeks that will give people points 
that they can exchange for cash and prizes for sharing 
legitimate files.
    So we are trying to curb the user behavior. Essentially, we 
are trying to encourage them to not share illegitimate or 
illegal or illicit files, because they will not have any 
benefit for doing so. We disclose that right at the beginning. 
So essentially, you will see on the front page, it says, for 
downloading or uploading gold files, you get points for and you 
benefit for that.
    So that is really important. We were talking about user 
behavior or education of the end user, educating them that 
there is zero benefit to transferring or sharing illegal files; 
and there is all the benefit in the world for transferring 
legitimate files. So that is the message that we put forth.
    To address some of the issues that we heard here recently, 
I think that I can tell you that the future versions of KaZaA 
Media Desktop, it is not public information. I cannot give 
specifics about what changes have been made. But I can tell you 
that all the issues that we have just heard with regards to a 
user mistakenly sharing a folder or sharing an entire directory 
have been addressed.
    Mr. Waxman. My time is up, and we will have another round, 
I am sure. But I just want to ask you a yes or no question. A 
user maximizes the number of uploads by sharing the most files. 
Is that not a correct statement?
    Mr. Broes. In participation, yes.
    Mr. Waxman. And it does not distinguish which files?
    Mr. Broes. No, that is purely up to the user. The user 
makes the decision on what files he wants to share.
    Mr. Waxman. Well, I am going to question that in the next 
round.
    Mr. Broes. Sure.
    Mr. Good. Mr. Chairman, my co-author would like to speak, 
also. Could we swear him in right now?
    [Witness sworn.]
    Chairman Tom Davis. Thank you, please state your name for 
the record.
    Mr. Krekelberg. I am Aaron Krekelberg. To address your 
question, there is nothing that prevents a teenager from 
sharing their father's files or their parents' files. If the 
parent were to use that computer, they would not know that that 
teenager had allowed the sharing of those files.
    Mr. Waxman. And is there an incentive to share more files, 
in order to get better uploads?
    Mr. Krekelberg. There seems to be a new performance level 
that they are adding. There seems to be an incentive to share 
more files.
    Mr. Davidson. There is a simple answer, which is, in some 
of these systems, yes, that is absolutely true.
    Mr. Broes. Let me just also re-define something. It is not 
how many files you are sharing. It is how many files are 
uploaded.
    So the user is incentivized to not share thousands of 
files. They are incentivized to share files that people would 
like and legitimate files. So by putting 10,000 files in your 
shared folder, that is not going to help your status.
    Mr. Waxman. Well, some people who are interested in 
identity theft or delving into the privacy of others may want 
those files. I assume what you are saying is that most people 
who go to peer-to-peer file-sharing are more interested in 
music, and that is more popular.
    But we are opening up a whole new area for a greater 
popularity to get private information about people that is 
available to someone who takes advantage of the opportunity.
    Mr. Broes. Well, from my previous experience in analyzing 
these networks and for precisely what we are discussing here, 
sharing private information, we saw a rapid decline over the 
years as people understood how a file-sharing network actually 
works.
    So at the beginning, when it was just a Gnutella-based, 
initially right after they shut down Napster, we saw this major 
flood of literally tens of millions of people going to 
Gnutella.
    Of course, they did not understand just how that 
decentralized network functioned. So we saw a tremendous amount 
of personal files being shared. But as we continued to monitor, 
and as we continued to educate, we saw less and less. So today, 
I actually find far less private files than initially.
    Mr. Waxman. Is that a statement that others would agree 
with?
    Mr. Good. Well, it is a difficult question to answer, 
because the KaZaA Network is encrypted. So it is difficult to 
really tell to what extent the network you are searching in, at 
any given time; or how much access to the network a given 
client has.
    We ran our study initially in June of last year. Over a 12 
hour period, we were able to find about 150 users who were 
sharing their inboxes, unique users.
    We ran a similar study in January, and we ran it for a 
longer period of time, over a week, and we were able to find 
about 1,000 users who were sharing their in-boxes.
    It is difficult for us to say whether this is an increase 
or a decrease, because of the encryption, and we're not allowed 
to reverse engineer it, so we cannot figure out what is going 
on. But it definitely seems like it is a problem today.
    Mr. Waxman. Thank you; I have further questions, but I know 
my colleague, Mr. Shays, wants to ask some.
    Mr. Shays. My daughter would advise me not to be here, so I 
would not expose my unbelievable ignorance.
    Secretary McNamara, many years ago, always thought there 
was a solution to every problem. He acknowledged about 10 years 
ago that he realizes there are some problems without solutions.
    As I am listening to this dialog, I am obviously hearing 
the issue of identity. I am hearing somewhat the issue of 
virus. I know this is not a hearing about copyright. So we are 
not going to deal with that issue.
    But I am interested to know, are there solutions to the 
issue of privacy, particularly; and if so, are they regulatory, 
legislative, what are they? Maybe you could just kind of go 
down the line here.
    Mr. Good. Certainly, well, our view is twofold. As I said 
in the opening statement, we think it is very important to 
educate people. We live in a world now where people can be 
connected to the Internet 24 hours a day.
    We are going to be living in a world shortly where the 
Internet is going to be on your cell phone, and location 
information and this sort of information is going to be 
available to people, also.
    So it is very important for people to understand what it 
means to be connected to the network, and what sort of 
information that they could be potentially sharing.
    The second and probably the more important thing, 
especially since I am a researcher in human/computer 
interaction, we like to think that we can design things so that 
we are not compromising security and convenience. We want 
security and convenience to live together, so that things are 
convenient, but they are also very secure.
    Mr. Shays. Do you think that is possible?
    Mr. Good. I think, to a certain extent, it is. I think 
having very smart defaults, having defaults that really protect 
the user; and we are starting to see that in the world, as 
Microsoft now is really trying to push out. So out of the box, 
things are safest.
    This has not always been the case. It has always been the 
case that when things come out the box, they are pretty much 
open to anything. This makes the world pretty insecure. But 
nowadays, we are really seeing a push for having very strong 
default settings that really make sure that things are secure 
for people.
    I think that there is more we can do in that area. It is a 
difficult problem. Because as we start getting into more 
complex ways to manage privacy, it becomes increasingly 
difficult. But I like to see those two approaches really taken 
seriously.
    Mr. Shays. Well, one is education and the other is design, 
correct?
    Mr. Good. That is correct.
    Mr. Shays. Is there anything else?
    Mr. Good. No, I think that is it.
    Mr. Shays. Anyone else?
    Mr. Schiller. I would say that it is great to say that we 
need to educate people. But, you know, I drive my car every 
day, and actually, I do know how internal combustion engines 
work. But in some sense, that should not be a requirement in 
order to drive a car. So I would say the emphasis has to be on 
the design of the technology.
    My experience is, we see a pendulum that swings. The 
technology comes out. People tradeoff security to get more 
convenience. We have hearings like this. People hear about 
identity theft. They become concerned about the technology. The 
technologists then react to that and put in better technology, 
better design, better controls.
    I am going to talk a little bit off the top of my head 
here. I said before that it asks which directories of files you 
wanted to share. You could easily, for example, say, if we are 
going to look for music, then let us only share files that end 
in .MP3, and let us not share files named ``In-box.''
    But, you know, the funny thing is, if I am the guy 
designing this, and let us all know that there is a copyright 
issue here, that the designers of this are safer sharing 
everything than they are trying to just share a particular type 
of file. Because then it makes it easier to accuse them of, oh, 
gee, this is really only about sharing music.
    One of the defenses people like to use is, oh, no, you 
can share anything. So that, I think, drives the tradeoff in 
the wrong direction. But certainly, I do believe it is possible 
to design this stuff in a way that is, in fact, reasonably 
secure.
    Mr. Shays. You know, it is funny, as you all are 
testifying, there is always someone in the audience that is 
shaking their head or nodding their head. I feel like I am in a 
Baptist church without any sound. [Laughter.]
    Dr. Hale.
    Mr. Hale. Yes, I think I would agree that education is a 
huge component. I would also concur that our design issues, I 
would say, is what is designed out of the software, as opposed 
to what is added to it, that could really help matters.
    The security circumvention tactics that are used by the 
software really make it difficult for a corporation or an 
academic institution like the University of Tulsa, for 
instance, to protect its user population from these abuses, if 
they are even real or imagined. So that is what I would 
consider to be addition by subtraction.
    Mr. Shays. Given the number of participants in this 
hearing, Mr. Chairman, do you mind if I just complete this 
question with the rest of the witnesses?
    Chairman Tom Davis. That is fine.
    Mr. Shays. Thank you.
    Mr. Davidson. The Federal Trade Commission actually just 
had a workshop yesterday on this very question. It is a great 
question about the broader issue of privacy here. I think there 
are three things besides education that we would talk about.
    One is technology or design. The fact is that there are a 
lot of tools out that can help consumers. We have talked about 
some of them: encryption, firewalls, which is something that we 
did not talk about today. With personal firewalls, you can give 
consumers more control over what their computer is 
communicating with.
    This broader design question is building programs and 
systems in a way that are more privacy friendly. A second is 
best practices on the part of industry. I think there is a strong 
message that needs to be sent and continues to be sent that 
companies need to act responsibly when they collect 
information, and many of them do.
    But there are real issues about best practices for how 
people use information that they collect. That is a very 
powerful possible tool; industry standards, best practices.
    The third, and I think it is important, is there is a 
growing realization that there may be a need for baseline, 
narrowly tailored legislation about Internet privacy, to deal 
with bad actors in this setting.
    There are some basic components of fair information 
practices like notice about what information is being 
collected, meaningful choices for consumers about whether their 
information is being collected, access to the information that 
has been collected.
    I think there is a growing awareness that we may need 
something like that, more broadly. I have not emphasized that. 
We are a supporter of that. I did not emphasize that in my 
testimony because I think the main issue here of people 
mistakenly sharing files is not something that you are likely 
to solve by legislation.
    But, for example, the spyware issue that has come up is 
something, if not remedied through best practices, that might 
need to be something that is part of a legislative action.
    Mr. Waxman. Would the gentleman yield?
    Mr. Shays. Absolutely.
    Mr. Waxman. It seems to me what you are saying is that 
technologically, they can develop a design so that private 
information is reasonably secure.
    But is there not a financial incentive for them to try to 
subvert it, because of spyware and adware, or systems that will 
allow people to come in and get information, so that they can 
sell it to others; or get advertisers to know what you might be 
interested in, so they can direct advertisements directly to 
you?
    Are those two financial incentives, so that you try to 
subvert it, either through port hopping or tunneling or 
whatever other way they can design it?
    Mr. Davidson. Well, I would just answer by saying I think 
that is absolutely true. We are concerned that obviously the 
reason that people are doing some of these things is because 
there are financial incentives.
    Our belief is actually in the long run, a lot of people 
will realize that the best financial incentive is having 
customers who trust your stuff. People, if they know about what 
is going on, will not buy or use products that violate their 
privacy, if they have options.
    So there is a hope that the market will develop and that 
people will, when they learn about these things, not use the 
file-sharing product that invades their privacy and has a lot 
of spyware. But hopefully, the more responsible actors will 
come on the scene.
    Now maybe the answer is that if that does not work, then 
maybe we do need some kind of baseline legislation.
    Mr. Waxman. If the gentleman would permit, what you have is 
a lot of kids who want music for nothing.
    Mr. Davidson. Right.
    Mr. Waxman. So they want music for nothing, even though we 
should give some idea to people that when you take something 
that is not yours and you are not paying for it, it is a form 
of stealing.
    So you have got kids who want something for nothing. They 
are not going to be informed users and worried about privacy. 
So they are just setting the family up for those who want to 
take advantage of the situation, to design ways to subvert any 
attempt to protect their privacy. Maybe some of the technical 
people can tell us about this. But is that not what we are 
facing, Mr. Schiller?
    Mr. Schiller. Well, there are actually two different issues 
here. There is the accidental subversion of privacy by 
accidentally sharing files you do not wish. That really has 
nothing to do with the adware and spyware. I would expect to 
see those issues being addressed, because they do not help 
anyone except criminals.
    But the adware and spyware issue is certainly an issue 
where there is an incentive to gather that information. Of 
course, the companies who gather it want only to give it to 
themselves and not to the whole world.
    I think the issue of multiple people using the same 
computer is really an issue of the design of the computer 
system. The Windows platform was never really designed to be a 
time shared, multi-user system. Windows 2000 and XP start to 
add that stuff, but I do not think they have added in the way 
that most people know how to use.
    But frankly, I have a 20 month old son. When he gets older, 
he is going to have his own computer. Because I know not to 
have him get onto mine.
    So I think it is a separate issue about the fact that these 
programs reveal stuff. The fact that it reveals stuff for other 
users of the computer is just a happenstance.
    Chairman Tom Davis. Thank you, the gentleman's time has 
expired; the gentleman from Tennessee?
    Mr. Duncan. Mr. Chairman, thank you very much, and thank 
you for calling this hearing. I think these are very important 
subjects that the panel members are discussing, and I 
appreciate your doing this.
    I usually avoid discussing personal or family type things 
at hearings. But I heard Ms. Frank briefly mention identity 
theft.
    My wife and I have four children. But the older of my two 
sons, who is a senior at the University of Tennessee, just 
yesterday received a notice that they want him to come to 
Juvenile Court to testify in a case involving apparently a 17-
year-old young man who was using my son's identity and that of 
others to apply for credit cards and I do not know what else. I 
do not know all the details, yet. But he found out just 
yesterday that he was a victim of identity theft. So I guess I 
find that kind of interesting.
    What should a person do who has found out that he or she is 
a victim of identity theft; and how widespread is this 
problem? I have had to be in and out with some constituents.
    Ms. Frank. Right; my written testimony is about 20 pages, 
and I talk about that quite a bit. But basically, the first 
thing you do, if you find out that you are a victim of 
financial identity theft, with somebody applying for credit 
cards and credit lines in your name, the first thing you are 
going to need to do is to put a fraud alert on all of your 
credit profiles with the three major credit reporting agencies; 
get those credit reports; and find out what fraud is on there.
    There is just a whole list of things to do. Once you find 
all that and go to law enforcement and make a police report, 
then you go through the whole process of trying to clean it up 
and stop it. So that gets into a whole lot of things.
    But I have this little kit that I am going to give to the 
committee, and I will be happy to speak with you afterwards, if 
you would like.
    Mr. Duncan. Well, is this problem growing quite a bit?
    Ms. Frank. Yes, it is growing tremendously. After the 
Gramm-Leach-Bliley Act passed, it has actually gotten a lot 
worse, when that was our financial privacy act.
    What we are finding, and let me give you some statistics, 
at least. I have the statistics in my written testimony. But 
the Federal Trade Commission shows that it has grown 
tremendously in terms of the complaints that they have gotten.
    But a lot of people who are victims of identity theft have 
no idea to go to the Federal Trade Commission. So since they go 
to the credit reporting agencies, those are better statistics.
    TransUnion, one of the three major credit reporting 
agencies reported in the year 2000 that they got 85,000 calls a 
month to their hotline. In the year 2001, they got 3,500 calls 
a day to their fraud hotline, and they did not give us their 
most recent figures.
    The GAO report that came out last year also talked about 
the tremendous increase in identity theft, because our personal 
information is everywhere, and that is the key to identity 
theft, to use the Social Security number.
    Right now, there are several bills pending in Congress, 
including Diane Feinstein's Identity Theft Prevention Act of 
2003, with some things.
    But there is a real need, which I had brought up in my 
testimony, for us to have some accountability as to how the 
financial industry is issuing credit without verification and 
authentication of persons. So that is what is happening.
    Mr. Duncan. Well, I will look over that. My time is so 
short, let me go in another direction. You know, I chaired the 
Aviation Subcommittee for 6 years. I heard our colleague, John 
Linder, say at an aviation conference in January that the 
Federal Government always seems to overreact to any problem.
    We seem to have pretty much done that in regard to 
aviation. They say TSA now stands for thousands standing around 
and so forth. [Laughter.]
    So I think we have done a more than adequate job, let us 
say, in regard to aviation. But I think that one of our most 
vulnerable areas must be financial cyber-terrorism.
    Do any of you have concerns about that? Do you think that 
is a potential problem? I read that it possibly is. There are 
so many people on this panel, I do not know who is the most 
appropriate person to comment on this.
    Mr. Farnan. Well, sir, I would like to make a comment about 
that. From the FBI's perspective, the answer is a resounding 
yes. We are very concerned about cyber-terrorism and how 
terrorists and others can exploit technology, which is designed 
to be very beneficial and can really advance all of our causes 
in many ways. However, that can also be abused and it can be 
used against us.
    So we have an entire unit at the FBI that focuses on that 
particular issue, to try and stay current with technology, to 
make sure that we know what is going on out there with the goal 
of preventing any kind of cyber-terrorist activity.
    Mr. Duncan. I have read here on the front page of the 
Washington Post that a 12-year-old computer hacker opened the 
floodgates at the Hoover Dam. What some people are concerned 
about are our financial markets; yes?
    Mr. Broes. That is a very big concern, and it should be a 
major concern of any company that distributes software that has 
the potential of being hijacked, so to speak; you know, 100,000 
computers, hijacked to attack something specifically.
    For instance, recently, Microsoft has talked about some 
vulnerabilities that were in Passport and instant messenger 
programs. If you can acquire those computers, certainly you can 
cause a tremendous amount of damage. That is why companies have 
to take a genuine responsible approach to this and understand 
that they have a huge responsibility in adhering to even 
voluntary standards and practices.
    So I think absolutely that companies need to do that. I do 
not know whether that is legislation. I would say that 
companies should voluntarily adopt standards and practices, 
just for the sake of their security.
    Mr. Duncan. Let me just say that I think that is a possible 
area of great concern for many of us. Do I have time to ask one 
more?
    Mr. Shays [assuming Chair]. Let us do this, we will let Mr. 
Waxman go, and then we will come back to you.
    Mr. Duncan. That is fine.
    Mr. Shays. Mr. Waxman, you have the floor.
    Mr. Waxman. Thank you very much, Mr. Chairman.
    If there were going to be voluntary standards and industry-
wide standards, how would that get done? Does anybody have any 
ideas? You have different people competing with each other.
    Mr. Broes. Well, I think that companies have recently 
started to adopt those voluntary standards. You know, Microsoft 
has taken an unprecedented approach by saying, you know, it is 
secure by default, secure by design, secure by deployment. They 
stopped programming for a period of time to go back and look at 
these issues.
    So I think that any time you have the leaders in industries 
taking those initiatives, you are going to find that people 
will follow, because that is the path of success.
    Mr. Waxman. That is Microsoft. How about KaZaA; do they 
have responsibility?
    Mr. Broes. Absolutely; I believe that anyone that has the 
ability or the potential to have their computers hijacked, for 
any reason whatsoever, via their software, they have a 
tremendous responsibility to adopt standards and practices of 
their own.
    I believe that if there was legislation that was enacted 
today, they would have already complied with much of that, if 
not all.
    Mr. Waxman. Along those lines, according to media reports, 
Altnet had planned to launch a program with KaZaA to take 
advantage of unused computing power of computers connected to 
the network. Initial reports indicated this might be done 
without the knowledge of users.
    You have now testified that such a program is still in the 
works, but will be defined by the highest principles of 
disclosure and consent. What are those principles? Will users 
have the same access to peer-to-peer networks, if they do not 
consent to turning over their unused computing power? Unused 
computing power means their computing power becomes a zombie 
for someone else, instead of having to furnish it themselves.
    Mr. Broes. Users will always have the consent. It will 
never be a default, where it uses any resource. Altnet has been 
very, very careful in its design.
    In fact, it can be uninstalled. With the future release of 
Altnet, you can uninstall the application that would share 
those resources. We give very, very deliberate instructions on 
how you can do that.
    At the very beginning, when the application is installed, 
it says, would you like to share hard drive space in exchange 
for points, and those points can be redeemed for cash and 
prizes. That hard drive space and how the design has been built 
is extremely encrypted.
    We have gone through all of the security measures and have 
adhered to the security standards that Microsoft and every 
other major software company has adjured to, to develop such an 
application.
    Mr. Waxman. Could users be penalized for not consenting?
    Mr. Broes. Not at all.
    Mr. Waxman. What do others on this panel think about this 
business of how informed the consumer consent is going to be; 
how much lack of information there is before these consents are 
given for file-sharing; Mr. Hale?
    Mr. Hale. If I may say, I think consent is there; informed 
consent, I do not know about. I recently read, not KaZaA's, but 
a competing client's peer-to-peer privacy policy, which I was 
happily surprised to find that they had.
    But quite honestly, it would have been easier to try to 
decipher my own telephone bill. Maybe that is a topic for 
another hearing.
    But I think in a lot of the click through agreements which, 
by the way, is not just a peer-to-peer problem, and it is a 
problem with the software industry; a lot of the click through 
agreements are fairly easy to click through without having to 
read what you are agreeing to.
    So to sum up, I would say the consent is there. Whether the 
users are aware of what they are consenting to is an entirely 
different matter. This has to do with transparency, in my 
opinion, and clarity.
    Mr. Davidson. I think you are really on to something, 
because we often talk about meaningful choice and meaningful 
notice. There is, in fact, if you look at a lot of these end 
user license agreements, it says in there that this software is 
being installed and it will do these things, but how many 
people actually take a look at them?
    I could bring you examples of these long agreements, these 
long privacy agreements. The average consumer is not getting a 
chance to look at it. So I think we are hopeful, on some level, 
that people will start to figure this out. I do not want to 
sugar coat it, though. We think that is a baseline that needs 
to be met, and it is going to be tough.
    Mr. Waxman. Mr. Davidson, let me interrupt you, because I 
see my yellow light is on. I wanted to ask you one more 
question, and I am afraid I will not get a chance to do it.
    Why should people who are going on file-sharing programs 
and downloading copyrighted music or movies not have the fact 
that they are doing that provided to the copyright holders? If 
they are consenting to let their files be searched, because 
they want something for nothing, why should the copyright 
holders not have the access to the information that they are 
doing it?
    Mr. Davidson. Right; are you thinking particularly about 
the subpoena issue that I mentioned in my testimony?
    Mr. Waxman. Yes.
    Mr. Davidson. I think that is a very good question. I do 
not think that the issue is that people who are, for example, 
breaking the law should not ultimately be identified and 
revealed. The question is, how do we do that? We have to make 
this balance about legitimate people getting access to personal 
information all the time, in law enforcement contacts and other 
kinds of privacy contacts.
    I think the issue here is that we have a situation where it 
is not just legitimate uses. In this particular provision of 
law, it is any copyright holder, and I hazard to guess that 
most of the people in this room are copyright holders, they can 
go to a court clerk, make an allegation, and reveal somebody's 
identity.
    Using one of these networks or using the Internet does not 
necessarily reveal your identity. For some people, some of the 
activities they do online, they do without revealing their 
identity, and that is extremely important.
    So our feeling is that if identity is going to be revealed, 
it should be done with some measure of due process, and 
particularly, people should know that their identity has been 
revealed.
    That is, I think, the flaw here. It is not to say that we 
cannot find a way to work this out, so legitimate enforcement 
of the law can happen. It is about the fact that there are 
actually in this particular provision, very few protections, 
and that has been our concern.
    Ms. Frank. Let me just add to that, because in California, 
we have a bill pending right now in our California legislature. 
If there is going to be a subpoena to find out who somebody is 
online, that there has to be notice, and that the ISP has to 
give notice to the user ahead of time, so that they can get a 
protective order or take some measure with this notice to 
protect themselves.
    We worry about things like stalking; that someone will say, 
oh, I am a copyright holder, and I need to know who this person 
is in that chat room, and it is really a stalker and ex-
husband. I literally note these kinds of things that happen.
    So this is at least to give that person a chance, a 15 day 
notice, or a 30 day notice, or whatever it is, so that they get 
a chance to go in and say, look, I do not want to reveal my 
identity. This person really is my ex-spouse, who is trying to 
kill me. So that was the idea of due process, if I understand 
what Alan is talking about.
    Mr. Davidson. I cannot say it better than that.
    Mr. Shays. Mr. Duncan.
    Mr. Duncan. Let me go in a little different direction. I 
think when we come into a job like those of us who are Members 
have, I think we basically sort of tacitly agree to give up our 
privacy. That really does not concern me, but it does seem a 
shame to me that there is almost no privacy for private 
citizens now, it seems to me.
    Yet, we seem to have a large segment of the population now, 
especially young people, who have become almost addicted to the 
computers, and have almost a worship of the computers. So if 
anybody asks any questions that are somewhat critical, they 
almost get offended, and I hope that none of you will get 
offended.
    But it seems to me that, as I say, we have just about done 
away with privacy. In some ways, maybe it has resulted in good 
things. What I have in mind, I am thinking about the Dean of 
the Harvard Divinity School got caught for, I think it was, 
child pornography or something, and we see that all the time.
    I do not see how anybody can feel that there is anything 
secret anymore or anything private that they put into a 
computer.
    I heard on the CBS national news, 2 or 3 years ago on the 
radio 1 day as I was driving along, that computer hackers had 
gotten into the top secret files at the Pentagon, I think it 
was 250,000 times in the year before. I mean, it is just mind 
boggling.
    It seems that if somebody comes up with a system or a 
program to develop some privacy for things that people put into 
their computers, that somebody very shortly comes up with 
something that breaks that program, or gets into it, or wipes 
out the privacy. What do you all say about that? Do you have 
any concerns?
    Ms. Frank. Well, I would just like to say that it is not 
just computers. It is not just our computers. I wanted to 
respond to the questions before about consumer education. We do 
this all the time with identity theft. But the truth is, they 
are so much beyond our control.
    For example, yes, we can be educated and say to people, OK, 
be careful when you are online or when you are in the chat 
rooms, or when you are sharing information, or when you are 
doing e-mail. But the truth is that you can tell people that, 
but there is so much to know.
    I really work at this, but I have a whole other field. I am 
sure all of you have so many bills that you have to read. I do 
not know how much of a computer expert you all are.
    But I sit on the high tech crime unit of Orange County 
Sheriff Reserves, and I am the only ``non-techy'' on there. I 
have enough information to know that I should be worried. But 
it is too much of a burden on consumers to ask them to know all 
this stuff.
    So if KaZaA is going to have information and they are going 
to have software programs that you are going to use, they 
should definitely give you big pop-ups in very simple language 
saying, if you push this button, your whole ``C'' drive is 
going to be open. That means that everybody can get into your 
Quicken or your Quickbooks or your IRS or your resume or 
whatever it is, and it has to be simple.
    Mr. Duncan. Well, it is like you said awhile ago, people 
can now find out almost everything about anybody that they want 
to find out about: bank records, house records, and everything 
else.
    Ms. Frank. Right.
    Mr. Duncan. It amazes me that just from what I read in the 
newspapers that anybody thinks that anything they do on a 
computer today is really private; any Web site they visit, any 
e-mail they send; yes?
    Mr. Broes. Security today has changed. We can no longer put 
a lock on something and assume that it is going to hold. I 
think the military has learned this, that it is an evolving 
process, and it is dynamic.
    So we are continuing this. It is just like virus 
applications. They are continually chasing viruses. They are 
continually updating their database, and they are continually 
educating their users as to what is out there and what the 
threats are, and trying to make them feel more secure about it.
    I think that is the process that we are going to see take 
place in most applications. Certainly, as I said, there are 
leaders that have taken initiatives from Microsoft, all the way 
to Altnet and Sharman Networks. They have taken those 
initiatives to say, we understand there is this issue and we 
are dealing with that problem.
    I do not foresee that changing anytime soon. This is a 
dynamic situation. The Internet, by nature, is dynamic, and we 
have to be dynamic in our approach to security and privacy.
    Mr. Davidson. I would just add that I think that this is 
the tip of the iceberg, unfortunately. There are even more 
interesting and sort of more invasive new technologies. We 
talked about location information; people building ID tags into 
products that people can scan and find out what you have, what 
you are wearing, what you are carrying in your handbag.
    We are talking about networks of embedded computers, 
intelligent buildings, and intelligent rooms, that are going to 
collect all sorts of information about people. It is going to 
be increasingly harder for people to avoid all of these things.
    So the simple answer of hey, if you put it on the computer, 
you should know someone else is going to get it, is going to 
become, for a lot of people, not a realistic alternative.
    If you use your cell phone, location information may be 
captured. If you go through a toll booth, and your electronic 
tag records that you have been there.
    But even more importantly, I would say the computer is not 
something we can avoid in life, so we need to figure out how to 
address these things.
    Mr. Duncan. Are you saying that Big Brother is already here 
and there is nothing we can do about it?
    Mr. Davidson. I think, there is nothing we can do about it 
is not right. I think that we need to do something about it, 
and we are trying to find ways to do something about it, but we 
need to keep working on it because we are not there yet.
    Mr. Duncan. I see some of the panel members laughing.
    Mr. Schiller. It is not Big Brother. There are lots of 
Little Brothers.
    Mr. Duncan. Lots of Little Brothers?
    Ms. Frank. Well, if you want my suggestion as to what I 
would like to have Congress do, I would like to have them set 
up a privacy commission. We are the only civilized country in 
the world that does not have a privacy commission.
    If you look at Canada right above us, if you look at all 
the European nations, we do not have a privacy commission. We 
have had little privacy czars, but we do not have a privacy 
commission to look at all these issues.
    Privacy in the millennium is not about the right to be left 
alone. It is the right to control your personal information. I 
think it is pretty frightening, when we are going on our 
computer and we do not know about spy-ware. We do not even know 
where it is. It is hidden somewhere, and we cannot even find 
it. That is terrifying.
    So the result of that is identity theft. All this 
information that is being taken about us can be used in very 
insidious ways. So we do need to have the fair information 
practices that Alan was talking about: the notice, the choice, 
the security, all those things.
    The only way to do it is to really have a real privacy 
commission that is looking over this whole issue. Because it is 
the scariest issue, I think, of what we are in, in our society 
right now.
    Mr. Duncan. Well, I would agree with the commission, but I 
am a little skeptical. I think we are almost too far gone, 
really, now.
    Ms. Frank. It is out there, but access is the difference; 
in other words, what access and what way to control. For 
example, you mentioned your family.
    Mr. Duncan. It was my son.
    Ms. Frank. So the scary thing for him is, he does not know 
what else has happened. He does not know if he has a criminal 
record.
    So for him to be able to get access to those records and 
correct them, if you say, well, my information is out there and 
it is too late; well, what happens when you cannot get on an 
airplane because the red light comes on and it has nothing to 
do with you. Your name is mixed up with somebody else's; or 
your son, who is mixed up with some other person who has been 
stealing his identity and committing crimes in California and 
Virginia.
    Mr. Duncan. Well, the one interesting thing that I did not 
mention, the young man that they have accused of doing this has 
a foreign sounding name, that I cannot even really pronounce.
    Ms. Frank. Remember, over half of the terrorists committed 
identity theft.
    Mr. Duncan. All right, thank you very much; thank you, Mr. 
Chairman.
    Mr. Shays. Ms. Frank.
    Ms. Frank. Yes.
    Mr. Shays. You basically were kind of dealing with the 
solution, the education versus the design. It is kind of like 
your big warning system that flares up there.
    Ms. Frank. The fact that the education is right when you 
are using the product, I think, would be helpful.
    Mr. Shays. Before my time had run out, I think I was with 
you, Mr. Broes. I do not need to spend a lot of time on this. I 
just want to know, just simply, the education design, that Mr. 
Davidson had added some other points, is there anything that 
you would add to the solutions to the privacy issue, the virus 
issue?
    Mr. Broes. Sure, well, I think it is in our best interests, 
and any company's best interest, to design their software to be 
as private and as secure as possible. So I think that, as I 
said, there is a tremendous amount of responsibility, I 
believe, with any company that has applications that are 
distributed to millions of people around the world.
    So secure, private, by design, I think is definitely the 
way to go, and these are voluntary standards. These are 
standards that every major corporation today that wants to 
compete is going to have to take, because people just do not 
want applications on their computers that are not secure and do 
not provide privacy.
    So I think it is going to be natural selection; that 
companies who are willing to play in the spyware game and not 
notify people, I think that they are ultimately going to be 
uninstalled and deleted, and people are going to remove them.
    So voluntary standards and practices, I think, are 
critical. As I said earlier, if it were legislated today, I 
think that we would have already taken those initiatives.
    Mr. Shays. I was struck by the fact that Big Brother is 
dead and Little Brothers are in. It is almost like we need a 
Big Brother, though, to deal with Little Brothers; Mr. Farnan.
    Mr. Farnan. There are definitely privacy issues involved in 
what we were talking about today. I think that one of the 
reminders that we have to give ourselves is that even though we 
are in an electronic age, a lot of the fundamental rules of 
life still apply. Things like ``buyer beware'' still apply.
    Just because people are involved in dealing in cyberspace 
and conducting transactions in a computerized environment does 
not automatically mean that there are no privacy issues, or 
that it is somehow inherently safer; because as we are seeing 
today, it is not.
    Second, to follow the analogy of the automobile that was 
raised a little bit earlier, what is scary is that sometimes 
we can have fairly young people, and if they are interested in 
learning how to drive a car and we put them in a Ferrari, that 
might be a scary thing, as opposed to a four cylinder car in a 
safer environment.
    So to reiterate, the theme of education and consumer 
informedness is crucial to this whole area, as are parental 
controls. Because as we have also heard, children who have 
access to their parents' computers may be pushing buttons that 
result in a lot of information leaving that household that was 
never intended to leave that household.
    Mr. Shays. I just have one other quick question. I do not 
need all of you to respond, just one or two. Are we teaching 
this in school? Are we educating our kids about this?
    Mr. Hale. I can speak to this, somewhat. I would say that 
nationwide, we are beginning to. We are only beginning to. But 
it is amazing the views that even some of my own students have 
about piracy and their privacy, and what they are willing to 
give up to get the latest recording.
    We work at the University of Tulsa with a number of 
schools: high schools, elementary schools, middle schools. I 
just was at a high school last week, where I spent almost the 
entire time talking about peer-to-peer technology and privacy 
issues, and media piracy, as well.
    So we are beginning to, but I think that not enough of us 
are doing it, just yet. I think that is the key. Because once 
you get critical mass, then you can start to see results.
    I would like to agree with what Mr. Broes said about the 
natural selection piece of this. I think once consumers and our 
children are educated, then they will begin to value privacy 
more. Then the economics pendulum will begin to swing in the 
favor of the companies that are performing due diligence in the 
privacy area of their software. But until that happens, the 
natural selection is going to favor those companies.
    Mr. Shays. I have just a slight observation. I am struck by 
this hearing as to one, I would not want to be a professor 
teaching young people about technology, considering they 
probably know more than you do, and you always fear that they 
might.
    But the other observation I make is, I am struck by the 
fact that young people gain these incredible skills to do bad 
things without necessarily knowing the ethics behind what they 
are doing, which is kind of an interesting dilemma.
    Mr. Chairman, thank you so much for the hearing, and I 
thank our witnesses.
    Chairman Tom Davis. Let me thank all the witnesses, as 
well, for appearing today, and I thank the staff for working on 
this from both sides. We heard some very useful information 
today, that should concern any person who uses file-sharing 
programs or has them installed in their computers. Obviously, I 
think peer-to-peer users have to be aware of the files they are 
making available for sharing.
    We are going to follow this up with another hearing in the 
near future, looking at file-sharing in Government agencies. 
Again, I thank the witnesses. This is very, very important, as 
we proceed to understand this better and move forward to 
whatever we might do.
    Thank you very much; the hearing is adjourned.
    [Whereupon, at 11:55 a.m., the committee was adjourned, to 
reconvene at the call of the Chair.]
    [Additional information submitted for the hearing record 
follows:]