[Senate Hearing 108-252]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 108-252
 
 THE DARK SIDE OF A BRIGHT IDEA: COULD PERSONAL AND NATIONAL SECURITY 
 RISKS COMPROMISE THE POTENTIAL OF PEER-TO-PEER FILE-SHARING NETWORKS?

=======================================================================

                                HEARING

                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 17, 2003

                               __________

                          Serial No. J-108-17

                               __________

         Printed for the use of the Committee on the Judiciary



                      U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2004
91-213 DTP




                       COMMITTEE ON THE JUDICIARY

                     ORRIN G. HATCH, Utah, Chairman
CHARLES E. GRASSLEY, Iowa            PATRICK J. LEAHY, Vermont
ARLEN SPECTER, Pennsylvania          EDWARD M. KENNEDY, Massachusetts
JON KYL, Arizona                     JOSEPH R. BIDEN, Jr., Delaware
MIKE DeWINE, Ohio                    HERBERT KOHL, Wisconsin
JEFF SESSIONS, Alabama               DIANNE FEINSTEIN, California
LINDSEY O. GRAHAM, South Carolina    RUSSELL D. FEINGOLD, Wisconsin
LARRY E. CRAIG, Idaho                CHARLES E. SCHUMER, New York
SAXBY CHAMBLISS, Georgia             RICHARD J. DURBIN, Illinois
JOHN CORNYN, Texas                   JOHN EDWARDS, North Carolina
             Bruce Artim, Chief Counsel and Staff Director
      Bruce A. Cohen, Democratic Chief Counsel and Staff Director



                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

Hatch, Hon. Orrin G., a U.S. Senator from the State of Utah
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont, 
  prepared statement

                               WITNESSES

Davis, Hon. Tom, a Representative in Congress from the State of 
  Virginia
Feinstein, Hon. Dianne, a U.S. Senator from the State of 
  California
Good, Nathaniel S., Graduate Student, University of California, 
  Berkeley School of Information Management Systems and Aaron 
  Krekelberg, University of Minnesota, Office of Information 
  Technology
Morris, Alan, Executive Vice President, Sharman Networks, 
  Limited, accompanied by Derek Broes, Executive Vice President 
  of Worldwide Operations, Brilliant Digital Entertainment
Murray, Chris, Legislative Counsel, Consumers Union
Saaf, Randy, President Mediadefender, Inc.
Waxman, Hon. Henry A., a Representative in Congress from the 
  State of California

                         QUESTIONS AND ANSWERS

Responses of Nathaniel Good and Aaron Krekelberg to questions 
  submitted by Senator Leahy
Responses of Alan Morris to questions submitted by Senators 
  Hatch, Biden and Leahy

                       SUBMISSIONS FOR THE RECORD

Broes, Derek, Executive Vice President of Worldwide Operations, 
  Brilliant Digital Entertainment, prepared statement
Davis, Hon. Tom, a Representative in Congress from the State of 
  Virginia, prepared statement
Feinstein, Hon. Dianne, a U.S. Senator from the State of 
  California, prepared statement
Good, Nathaniel S., Graduate Student, University of California, 
  Berkeley School of Information Management Systems and Aaron 
  Krekelberg, University of Minnesota, Office of Information 
  Technology, prepared statement
Morris, Alan, Executive Vice President, Sharman Networks, 
  Limited, prepared statement
Murray, Chris, Legislative Counsel, Consumers Union, prepared 
  statement
Saaf, Randy, President Mediadefender, Inc., prepared statement
Waxman, Hon. Henry A., a Representative in Congress from the 
  State of California, prepared statement


 THE DARK SIDE OF A BRIGHT IDEA: COULD PERSONAL AND NATIONAL SECURITY 
 RISKS COMPROMISE THE POTENTIAL OF PEER-TO-PEER FILE-SHARING NETWORKS?

                              ----------                              


                         TUESDAY, JUNE 17, 2003

                              United States Senate,
                                Committee on the Judiciary,
                                                   Washington, D.C.
    The committee met, pursuant to notice, at 2:08 p.m., in 
Room SD-226, Dirksen Senate Office Building, Hon. Orrin G. 
Hatch, Chairman of the Committee, presiding.
    Present: Senator Hatch.
    Chairman Hatch. Sorry I am just a bit late. I understand 
Senator Feinstein has another appointment, so we are going to 
take her first, even before I make opening remarks. It is good 
to have you here, Tom, as well. We will take your statement 
first, too, after Senator Feinstein.

  STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE 
                      STATE OF CALIFORNIA

    Senator Feinstein. Thanks very much, Mr. Chairman. I Chair 
a Senate Cancer Coalition and we have got a very interesting 
meeting that starts just about now to begin. But I feel very 
strongly about this issue, so I very much appreciate an 
opportunity to testify.
    This hearing is on peer-to-peer networks and security 
risks. Now, peer-to-peer software is a technology that allows 
Internet users around the world to share files with each other 
very easily. All you need is some software, which can be 
obtained free, and an Internet connection, and your files are 
instantly made available over the Internet. This technology can 
be used to help researchers share information or files 
seamlessly across borders or to help business people share 
documents. In other words, there are good, positive, legitimate 
reasons for this.
    But as with many new technologies, there are also serious 
risks. One such risk is the recent explosion of illegally 
shared copyrighted files over the Internet, most of it 
occurring through these relatively anonymous peer-to-peer 
networks. Using this free software, one Internet user can 
simply put his or her entire music collection onto a computer 
and then open that computer up to the entire rest of the world, 
allowing anyone else with an Internet connection and similar 
software to find the music, to download it onto their own 
computers, and to listen to it at will without compensating the 
copyright holder, something that we have spent a lot of time 
on.
    Meanwhile, these peer-to-peer networks are also 
facilitating a new era of easily obtainable pornographic 
material, including child pornography. MediaDefender, a company 
that will testify today, has estimated that more than 800 
universities are hosting child pornography on their networks.
    Of most concern, however, is the use of peer-to-peer file 
sharing by government employees. According to recent studies, 
the vast majority of peer-to-peer users have no idea of the 
breadth and scope of data they are sharing with users. A 
Federal employee intending to simply download and share music 
files, therefore, could easily make available every file on his 
or her computer, without intending to do so or even realizing 
it after the fact. This could include personal correspondence, 
private financial information, and even proprietary and 
sensitive government documents.
    For normal users, this lack of security presents the real 
threat of identity theft. Stored credit card information, 
financial documents of all kinds, personal information, like 
birthdays, mother's maiden names, you name it, all of this is 
often stored on an individual's computer and all of it can thus 
be compromised if the user is not careful when setting up peer-
to-peer software.
    For government users, the situation is far worse. Not only 
personally sensitive information can be stolen, but information 
vital to the functioning of government, as well. Confidential 
memos, Defense Department information, law enforcement records, 
all could be available to any Internet user with some free 
software and the desire to go looking.
    The scope of the problem is unclear. Nobody really knows 
how many government employees are using this software and what 
level of risk there truly is. But one thing seems clear. The 
risk is not worth it.
    According to recent reports, it appears that many 
government employees are indeed using time at work to set up 
peer-to-peer software on government computers. They search for, 
they obtain pornographic data of all kinds. That is illegally 
downloaded and distributed, copyright material, as well. Each 
of these activities reduces work productivity. Many of these 
violate the law. And most importantly, the entire process opens 
those computers and computer systems to invasion by outside 
entities.
    The House and the Senate have already prohibited the use of 
this technology on Congressional computers, as I understand it, 
for these reasons. I am in the process of preparing a letter to 
the Cabinet heads of each Secretary asking them to look into 
this problem and work toward addressing it within each of their 
organizations, and I would like to give this to you. Perhaps 
you and others on the Committee might wish to either take it 
over or sign onto it at your pleasure.
    But there can be no doubt that the widespread use of these 
new technologies represents a grave security risk to this 
nation and should be treated as such.
    So, Mr. Chairman, this should be a very interesting 
hearing. I am sorry that I can't stay. I am very interested in 
the topic and look forward as a member of the Committee working 
with you and see what we can come up with.
    Chairman Hatch. Thank you, Senator Feinstein. We appreciate 
your hard work on this Committee and your interest in this 
subject, so we will let you go so you can keep your 
appointments.
    Senator Feinstein. Thanks very much.
    Chairman Hatch. Thank you.
    [The prepared statement of Senator Feinstein appears as a 
submission for the record.]
    Chairman Hatch. Representative Davis, we are honored to 
have you come over from the House. We welcome your testimony.

STATEMENT OF HON. TOM DAVIS, A REPRESENTATIVE IN CONGRESS FROM 
                     THE STATE OF VIRGINIA

    Representative Davis. Thank you very much. As you know, we 
have held hearings on the House side and look forward to 
working with you on what can be done about this important 
issue.
    I associate myself with Senator Feinstein's remarks. I 
agree with what she said.
    As you know, our Committee on Government Reform, which I 
Chair, has been investigating some of the risks associated with 
the use of these programs. File sharing programs are Internet 
applications that allow users to download and directly share 
electronic files from other users who are on the same network. 
These programs are easily installed and permit the sharing of 
files containing documents, music, or videos, free of charge.
    Now, file sharing is surging in popularity. The most 
popular file sharing program, Kazaa, has been downloaded almost 
240 million times, making it the most popular software program 
downloaded from the Internet. File sharing programs are 
increasingly popular with kids. Research has shown that more 
than 40 percent of those who download files from peer-to-peer 
networks are under the age of 18.
    The technology underlying file sharing programs is not 
inherently bad, and it may turn out to have a variety of 
beneficial applications. However, as our Committee has learned, 
this technology can create serious risks for users.
    Most of the news coverage on file sharing focuses on one 
issue, the ability of users to trade copyrighted music, movies, 
and videos. Our Committee is investigating other aspects of 
file sharing. In March, we began our investigation by holding a 
hearing to examine the extent to which pornography, including 
child pornography, is traded on these networks. Last month, we 
held a second hearing to review the personal privacy and 
computer security risks posed by the use of these programs.
    At our first hearing, we learned that peer-to-peer networks 
have become an increasingly popular mechanism for trafficking 
in pornography, including child pornography. In fact, it seems 
as if many of these programs have become digital pornographic 
libraries where all sorts of pornographic materials can be 
easily accessed for free.
    At the Committee's request, the GAO searched file sharing 
programs and found hundreds of pornographic images, more than 
half of which was child pornography and graphic adult 
pornography. Research performed by another witness at our 
hearing found that nearly six million pornographic files were 
available for downloading on one popular peer-to-peer network 
over a two-day period.
    These findings are very disturbing. Many of these 
pornographic images are appearing on our children's computer 
screens whether they ask for it or not. Innocent searches for 
files using the names of popular cartoon characters, singers, 
and actors produce thousands of graphic pornographic images, 
including child pornography.
    At the hearing, we issued a report detailing our findings 
and I would urge parents to review it in order to become 
familiar with these issues. We also developed a list of non-
technical actions parents can take to reduce or eliminate their 
children's exposure to pornography on these networks. This list 
is available on the Committee's website.
    Last month, we held a second hearing to examine threats to 
personal privacy and computer security posed by the use of file 
sharing programs. Despite the surging popularity of these 
programs, few people recognize the risks that this technology 
presents. For example, through a couple of simple searches on 
one file sharing program, Committee staff easily obtained 
completed tax returns with Social Security numbers, including 
the names and Social Security numbers of spouses and 
dependents; medical records; confidential legal documents, such 
as attorney-client communications regarding divorce proceedings 
and custody disputes; business files, including contract and 
personnel evaluations; political records, including campaign 
documents and private correspondence with constituents; and 
resumes with addresses, contact information, job histories, 
salary requirements, and references.
    There are several possible causes for the sharing of 
personal information over these networks. Users could 
accidentally share this information because of incorrect 
program configuration. We learned at our hearing that the 
installation and set-up process can be confusing and can cause 
users to unwittingly expose their entire hard drive.
    Unintentional sharing of personal information can also 
result from the sharing of one computer among several users. 
For example, a teenager sharing a computer with his or her 
parents may elect to make all the contents of the computer 
available for sharing without thinking about the types of files 
stored on the computer.
    Users may also intentionally share these files because 
increased file sharing earns the user higher priority status, 
resulting in faster downloads of popular files.
    Either way, the public should be aware that these programs 
could result in the sharing of personal information which can 
open the door to identity theft, consumer fraud, or other 
unwanted uses of their personal data. Parents, businesses, and 
government agencies also need to be aware of these risks if 
file sharing programs are installed on their office and home 
computers.
    And finally, another privacy concern raised by peer-to-peer 
sharing is bundling of these programs with software known as 
``spyware'' and ``adware.'' These programs monitor Internet 
usage primarily for marketing purposes, often without the 
user's knowledge. They also give rise to pop-up advertisements 
and spam e-mail.
    Finally, computer viruses can easily spread through file 
sharing programs, since files are shared anonymously.
    I commend this Committee for looking at these important 
issues. Computer users at all levels of expertise must 
understand and appreciate the risks associated with the use of 
this technology. Because of the privacy and security risks, 
users must fully understand which files are being shared. File 
sharing companies must also play a role in helping to protect 
personal privacy and make the programs safe for use by kids. At 
a minimum, instructions for installing and configuring these 
programs should be easy to understand and should be designed 
with the least technologically savvy user in mind.
    Once again, thank you for allowing me to testify.
    Chairman Hatch. Thank you, Representative Davis. We are 
happy to have you here on this side of the Hill and happy to 
have that testimony. We will excuse you if you need to get 
back.
    Representative Davis. I will wait for Mr. Waxman for five 
minutes and then we will walk over.
    [The prepared statement of Representative Davis appears as 
a submission for the record.]
    Chairman Hatch. All right. I will turn to my friend, Henry 
Waxman, as well. Good to see you, Henry.
    Representative Waxman. Thank you very much, Mr. Chairman.
    Chairman Hatch. We just had a hearing this morning on 
Hatch-Waxman or Waxman-Hatch. I know it depends on which side 
of the Hill.
    [Laughter.]
    Chairman Hatch. I was honored to work with you on that as 
we have on so many health care issues and I look forward to 
hearing your testimony on this.

STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN CONGRESS 
                  FROM THE STATE OF CALIFORNIA

    Representative Waxman. Thank you very much, Mr. Chairman. I 
was honored to work with you on that legislation and we did a 
lot of good in the days when we were working together on health 
issues.
    But I come to you today to talk about another issue where I 
hope we can work together, if we could find some solution, 
legislative solution, to a problem that is really quite 
perplexing, and that is what happens when there are peer-to-
peer networks and file sharing programs. Chairman Davis and I 
have worked closely together to bring attention to this 
technology and the questions it raises.
    This technology is in many ways a bright idea, as you 
indicated in the title of the hearing. It is a unique and 
innovative use of Internet technology. But it also carries 
significant risks that most people don't know about. These 
programs are incredibly popular with young people. They have 
been downloaded literally hundreds of millions of times, and 
for teenagers and people in their 20s, peer-to-peer file 
sharing programs are as common as a computer application as e-
mail and word processing programs are for the rest of us.
    But my concern is that there is a digital generation gap 
when it comes to understanding these programs. Parents simply 
don't have the knowledge about these programs that their 
children do, and as a result, many parents are unaware of the 
special risks posed by these programs. How many parents realize 
that these programs, if carelessly installed, can make every 
single bit of electronic information on a family computer 
available to millions of strangers? Very few.
    The Committee's first investigation into peer-to-peer 
technology looked at one of the risks posed by file sharing 
programs, the prevalence of pornography. We learned that these 
peer-to-peer networks operate like a vast library of free 
pornographic content. Any child that has access to a broad-band 
connection can easily find and download the most hard-core 
triple-X videos imaginable in just a matter of minutes at 
absolutely no cost. They are pushed, this is all pornography is 
pushed on kids who may be looking for Britney Spears or some 
other popular artist.
    GAO reported at our hearing that kids are bombarded with 
this pornography even if they are not looking for it. We feel 
that parents need to be aware of this so they can talk to their 
kids and be advised that their kids may be having this kind of 
junk forced on them.
    Peer-to-peer programs connect users from anywhere in the 
world into a vast open, free trade network, where with the 
click of a mouse, users can share files back and forth with 
other users across the globe.
    Our staffs installed Kazaa--it is the most popular file 
sharing program--and ran test searches to see what kind of 
information people were sharing unintentionally, and what we 
found was amazing. We found complicated tax returns, medical 
records, and even entire e-mail in-boxes through simple 
searches using file share programs. We also found that other 
incredibly private documents, such as attorney-client 
correspondence relating to divorce proceedings and living 
wills, were also available. We found that tax returns and other 
private information could be downloaded by somebody who was 
using the file sharing at the same time.
    We prepared a report on our findings and I would like to 
submit it to you, Mr. Chairman, for your record and be included 
in this hearing.
    Chairman Hatch. Thank you. We will include it.
    Representative Waxman. I welcome the interest of your 
Committee in exploring this new technology. There is much this 
hearing and future ones can add to our understanding of file 
sharing programs. We need to work together on this issue. It 
has become a vehicle for pornographers, for intruders, for new 
technology that can lead to greater education. There are ups 
and down sides to this new technology and we need to figure out 
what is a rational approach to dealing with the down sides to 
it.
    Thank you very much.
    Chairman Hatch. Thank you very much. I am very impressed 
that you two friends would come over here and help us to 
understand this better, so we appreciate you being here.
    Representative Waxman. Thank you very much.
    Chairman Hatch. Thanks.
    [The prepared statement of Representative Waxman appears as 
a submission for the record.]

STATEMENT OF HON. ORRIN G. HATCH, A U.S. SENATOR FROM THE STATE 
                            OF UTAH

    Chairman Hatch. We will excuse both of you and let you get 
back to your busy lives. Thank you for coming.
    Our second panel includes four witnesses from the private 
sector who have taken leading roles in identifying and 
resolving the security concerns associated with peer-to-peer 
networks.
    Last year, Nathaniel Good and Aaron Krekelberg published a 
ground-breaking study entitled, ``Usability and Privacy: A 
Study of Kazaa P2P File Sharing.''
    Our next witness will be Randy Saaf, the President of 
MediaDefender, Inc., a leading provider of computer security 
services to private and governmental entities.
    Next, we will hear testimony from Alan Morris, the 
Executive Vice President of Sharman Networks, Limited, the 
company that owns and operates the Kazaa peer-to-peer file 
sharing program. Mr. Morris is joined by Mr. Derek Broes, the 
Senior Vice President and Assistant General Counsel of 
Brilliant Digital Entertainment, the parent company of Altnet, 
the North American business partner of Sharman Networks. Altnet 
has provided a written statement for the record and Mr. Broes 
may assist Mr. Morris in responding to any questions relating 
to the activities of Altnet.
    And finally, we will hear testimony from Mr. Chris Murray, 
Legislative Counsel for Consumers Union.
    I want to thank you all for being here today and welcome 
you all here, but I think what I am going to do is first make 
my opening statement and then turn to you, in that order. We 
will start with Mr. Good and Mr. Krekelberg and then go across 
the way.
    We are here today to explore some potentially troubling 
aspects of an exciting technology that rightfully has gained 
the attention and admiration of millions and millions of 
Americans, and many millions more around the world, peer-to-
peer file sharing networks. Recent developments in peer-to-peer 
networks have added dramatically to their versatility and, 
therefore, their utility to many computer users.
    Napster, the first peer-to-peer system, permitted the 
sharing of audio files only, but newer generations of this 
technology permit the sharing of all types of computer files, 
including audio files, video files, visual images, documents of 
all kinds, and computer programs. These advances have been 
accompanied by a soaring increase in the use of peer-to-peer 
networks.
    Kazaa, the most popular of these networks, is now the most 
popular download on the ``downloads.com'' Internet site. Kazaa 
and other file sharing programs have now been downloaded over 
400 million times. Kazaa often has over four million users 
connected to its network simultaneously.
    The demand for other popular P2P programs such as Grokster 
and Morpheus is growing rapidly, as well, and mostly among 
minors. Research shows that about 41 percent of those who 
download files over P2P file sharing networks are between the 
ages of 12 and 18. These statistics underscore the great appeal 
and promise of P2P networks as well as the potential scale of 
any problems that they create. They permit rapid and broad 
dissemination of information and ideas and they have provided a 
powerful tool to researchers, hobbyists, and interested 
citizens seeking information and ideas on a wide array of 
topics.
    At the same time, however, they have also opened up our 
homes, our businesses, and our governmental agencies to 
potentially serious security risks that are neither widely 
recognized nor easily remedied. Recent studies involving some 
of the more popular P2P networks suggest that a significant 
number of their users are inadvertently sharing personal and 
highly-sensitive data over these networks, including tax 
returns, bank account information, personal identifying 
information, passwords, and e-mail in-boxes.
    While the true scope of this problem is still unknown, 
studies have shown that potentially malicious parties are 
searching P2P networks for personal e-mails and credit card 
numbers. This alone is disturbing, but in government agencies, 
employees' use of P2P networks could also disclose sensitive 
government data to the enemies of this country. At this moment 
in history, the implications of this risk or the risks involved 
are trembling, to say the least.
    I am also troubled that many P2P networks require their 
users to install so-called ``spyware'' or ``adware,'' programs 
that monitor, collect, and record information about the 
Internet browsing habits of a particular user. Such programs 
can collect and disseminate information about the Internet use 
and personal information of anyone using the computer on which 
a P2P networking program has been installed. The invasion of 
privacy and potential for identity theft inherent in such 
programs has already attracted justifiable attention from 
members of Congress and consumer advocates concerned about the 
privacy and security implications of such practices.
    In addition, some of the spyware or adware programs can 
also wreak havoc on a user's computer by commandeering their 
browsers, creating conflicts with other software that can crash 
a user's computer and otherwise interfering with users' control 
over their own computers.
    Finally, the users of P2P file sharing networks may also 
encounter malicious programs, such as viruses, worms, and 
trojan horses that have been disguised as popular media files. 
Indeed, the operators of the most popular file sharing program 
recently explained to the House Committee on Government Reform 
that ``when files come from anonymous and uncertified sources, 
the risk of those files containing a virus greatly increases.''
    If the promoters of these networks acknowledge that their 
nature increases users' risks of exposure to malicious 
programs, then they must also recognize their increased duty to 
protect and educate their users.
    I do believe that peer-to-peer file sharing networks are 
here to stay, but the problems of data privacy, spyware and 
viruses should remind all of us that the final role of peer-to-
peer file sharing networks in our culture remains to be seen.
    This technology has great promise, but also some potential 
pitfalls. If these networks are designed to minimize the risks 
of file sharing, then the promises of this technology can 
become reality. If not, then users, network administrators, and 
others may ultimately conclude that the risks of this 
technology outweigh its advantages.
    I would like to thank all of our witnesses for appearing 
here today to address these important issues. We are 
particularly privileged to have with us three of our colleagues 
whose stellar work in this area has shed much needed light on 
the significance of the risks, as they have mentioned in their 
statements, and we appreciate that. They talked about their 
potential consequences, as well. So I was happy to have Senator 
Feinstein and Congressmen Tom Davis and Henry Waxman here with 
us today.
    So we are delighted to have all of you here today. We will 
start with you, Mr. Good and Mr. Krekelberg, and you just take 
over. We are going to give you only five minutes apiece, so I 
hope you can all stay within that time frame.
    Mr. Good. We will try. Thank you, Mr. Chairman.
    Chairman Hatch. We will try and be liberal in the use of 
time.

STATEMENT OF NATHANIEL S. GOOD AND AARON KREKELBERG, AUTHORS OF 
  ``USABILITY AND PRIVACY: A STUDY OF KAZAA P2P FILE SHARING''

    Mr. Good. Good afternoon, Mr. Chairman. Thank you for the 
opportunity to appear before you here today. In the brief 
amount of time that we have, we would like to look at a study 
that we performed on a peer-to-peer file sharing program called 
Kazaa. In this study, we will discuss how configuration 
problems could contribute to users of P2P networks 
inadvertently sharing their personal and private information.
    In this study, we addressed two major issues. One issue is 
that users of P2P systems don't always realize what they are 
sharing with others on the P2P network. In other words, 
sometimes people may think they are sharing one thing, but they 
are actually sharing something completely different.
    The second issue is that the kind of problem we have 
discovered is a problem with the program's usability and the 
interaction between the application and the user. It is 
different than other problems that are frequently mentioned in 
the media because it is something that can't be patched in a 
traditional sense; it requires a redesign of the program's way 
of interacting with the user, as well as educating the user to 
the potential problems that could occur.
    We felt that the file sharing on P2P systems could be 
secure and usable if users were made clearly aware of what 
files others can download, that they are able to determine how 
to share and stop sharing files, that the system does not allow 
users to make dangerous errors that lead to unintentionally 
sharing private files, and that users are comfortable with what 
is being shared and confident that the system is handling it 
correctly.
    By looking at the interface and performing a user study, we 
were able to determine that certain parts of the Kazaa 
application could be confusing to users and relied heavily on 
unstated assumptions. In some cases, it was possible for the 
user to think that what they were sharing was completely 
different than what was actually being shared.
    There are too many details to cover in the time that we 
have allocated, but a majority of the details are in our 
research paper and written testimony.
    On the screen in front of you is Kazaa. Kazaa is the most 
popular P2P file sharing program on the Internet today. With 
Kazaa, you can look at any type of file, such as music, 
documents, videos. Anything that can be stored on your hard 
drive can be shared or downloaded from others. To do this, one 
would download the application and type the keywords that one 
is looking for into the search box. Kazaa then returns the 
search results to the window to the right of the search screen. 
Users can download other files or see files from other users.
    In any peer-to-peer system, the user has to make two 
important configuration choices. They have to decide where they 
are going to store files that they download from the network 
and what files they are going to share with others. In most 
peer-to-peer systems, the folder that one chooses to save the 
files to is also the one that is shared with other users. In 
addition, all files and folders contained in that location are 
also typically shared.
    So in the next couple of slides, we will be describing some 
points of confusion that may cause people to share more than 
they realize and possibly share private information. Again, 
there are many more details that we could go over, but due to 
the brevity of this testimony, we will just go over some of the 
most important ones and focus in on one of the worst-case 
scenarios.
    The first problem we will describe is when users specify 
the location they would like to store downloaded information 
to. The problem here is with terminology. There is no 
indication that these files and folders will also be shared, as 
well as all files and folders contained in whatever folder you 
specify. There is also no description of the types of file 
types that can be shared. In addition, this is the only 
location where users can disallow sharing with other users.
    Another problem that we discovered was with the Search 
Wizard and the folder list, which were two interfaces that were 
designed to allow people to specify what they could share with 
the Kazaa application, and in some cases, Kazaa will bring this 
up when the user is first running the installation for the 
program.
    In the search interface, Kazaa will look through the user's 
computer and determine what sort of files that they could share 
with the network. In this case, it came back with ``My 
Documents'' file and thought that there would be something good 
to share there. Unfortunately, it doesn't tell me what it is 
going to share there and relies on my assumptions of what Kazaa 
can do in order to share these programs with other people.
    In the next interface is a list for browsing the computer 
hard drive and its contents and users can check off what area 
they would like to search, or they would like to share with 
other users. In addition, there is the ``My Shared'' folder, 
which is the default folder that things can be shared in, is 
checked all the time.
    The problem in both of these interfaces is that there is no 
association between what is indicated as shared in the file 
import and what is indicated as shared in the downloaded 
folders. So unless users intuitively know that these two are 
linked, there is no way for them to know that the download 
folder is also the sharing folder.
    While this chance is rare, the confusion that may arise 
from this problem could confuse users for other situations, as 
well. In a 1996 USENIX conference, Matt Bishop, a prominent 
security expert, mentioned that configuration errors are a 
probable cause for more than 90 percent of security failures. 
Education of users is one means of helping to reduce 
configuration errors. In addition, providing help and 
explanations can sometimes be useful, but has limitations. 
Users rarely read documentation and frequently gloss over 
privacy statements and textual explanations embedded in the 
interface.
    We feel that the issues we describe would be most 
adequately addressed at the application level, where they would 
be most effective. Thank you very much for your time.
    Chairman Hatch. Thank you. We appreciate it.
    [The prepared statement of Mr. Good and Mr. Krekelberg 
appears as a submission for the record.]
    Chairman Hatch. Mr. Saaf, we will turn to you.

    STATEMENT OF RANDY SAAF, PRESIDENT, MEDIADEFENDER, INC.

    Mr. Saaf. I would like to thank you for holding this 
hearing and inviting me to speak. My name is Randy Saaf and I 
am the President of MediaDefender. MediaDefender is one of the 
most well-respected peer-to-peer anti-piracy software companies 
in the world. We have very sophisticated tools for 
understanding piracy problems on the peer-to-peer network and 
security problems and we want to share these tools with this 
Committee.
    Usually, only very sophisticated computer users get 
involved with network and software. In the case of peer-to-peer 
networking, that is simply not true. The sheer quantity of 
users of peer-to-peer networking mean that quite a few really 
don't know that they are opening their computers up to the 
whole world.
    In the summer of 2000, Napster was hitting its stride as 
the hottest software application in the world. Napster really 
didn't have very many security problems. It had roughly 40 
million users, but it was mainly used to share MP3 pirated 
music files. Today, the peer-to-peer networks have over 80 
million users and they are used to trade all sorts of rich 
media files, including documents and software applications.
    All the security concerns associated with peer-to-peer 
networking come from the file sharing aspect common to every 
program. If a user never changes the default settings in a 
program like Kazaa, they probably won't have any security 
problems. The problem is that with the sheer number of users, 
you are always going to have a certain segment that just want 
to change the settings or don't understand the settings. Many 
users of peer-to-peer do not realize that the default folder 
that they download content to is shared up to the entire peer-
to-peer network.
    A typical scenario of a security risk might be a child who 
downloads his music files to his parents' ``My Documents'' 
folder that contains all their personal tax and financial 
information, and that folder then gets re-shared to the entire 
network.
    MediaDefender collected data from the sixth to the ninth of 
this month. We were invited to participate in this hearing on 
the fifth, so we only had a few days to collect data, but we 
wanted to get something that was a representative sampling of a 
security risk. So MediaDefender looked for Microsoft Money 
files shared on the Fast Track-based Kazaa network.
    Microsoft Money files are personal tax and financial 
information and there is really no reason somebody would want 
to be sharing those on a peer-to-peer network. MediaDefender 
found 8,034 unique Microsoft Money files being shared on the 
Fast Track-based network on 6,032 unique IP addresses. The 
larger implication is that probably almost every one of those 
people were sharing their entire ``My Documents'' folder on 
Kazaa because that is where the Microsoft Money file gets saved 
by default.
    So I want to give a brief demo that I did at 12:00 this 
afternoon at Kinko's, where I just plugged my laptop in and did 
a search for ``.mny.'' I search ``.mny,'' click enter, and up 
comes a screen full of Microsoft Money files, and you will 
notice each one of them has the Microsoft Money extension. I 
just randomly selected one and did the feature of ``find more 
from the same user.'' Now, this is a pretty standard feature in 
Kazaa. Anybody could do this at home. This is no fancy software 
involved in this.
    Clicking ``find more from the same user'' brought up 1,500 
files that that person has shared on their computer, I mean, 
presumably in their ``My Documents'' folder, and you can look 
at the files. They are just a hodgepodge of different types of 
files, including pictures, private pictures, phone-type 
information. Obviously, their Microsoft Money file was in 
there, which presumably contains all their financial 
information.
    A user could then select all those files and just click 
``download'' and have that person's entire snapshot of that 
person's life. I mean, I can see from the screen here the 
person goes to Indiana University and there is probably a whole 
lot of information you can tell about this person in this 
relatively quick exercise that took approximately five minutes.
    So you can see how the clear extension of this problem 
could be carried over to businesses and government 
organizations, because for the same reason people don't 
understand they are sharing documents at home that they don't 
intend to, people at government organizations will do the same. 
People want to download their music and movies on their fast 
Internet connections at work.
    So for this particular study, we looked for as many 
computers we could find with the search phrases ``Madonna,'' 
``The Matrix,'' ``porn,'' and ``sex.'' We pretty much 
arbitrarily chose those search phrases because we knew they 
would give us a lot of returns, and I don't think any files 
with these words in them would have any legitimate governmental 
purposes.
    We focused on three government organizations, Los Alamos 
National Laboratory, NASA, and the Naval Warfare Systems 
Command. We chose them because they are obviously sensitive 
organizations that would have sensitive data. We found 155 
computers at Los Alamos National Laboratory sharing files on 
peer-to-peer networks, 138 computers at NASA, and 236 at the 
Naval Warfare Systems Command. I am fairly sure that these are 
unintentional sharing, because I don't think anybody in these 
organizations would be intentionally sharing pornography files 
and those types of things on a peer-to-peer network at work.
    This was not a comprehensive study. We simply wanted to 
demonstrate there was a problem and we would recommend to the 
Committee that further studies be done to actually quantify the 
extent of the problem. Thank you.
    Chairman Hatch. And you just did that at Kinko's today?
    Mr. Saaf. Pardon?
    Chairman Hatch. You just did some of this at Kinko's today?
    Mr. Saaf. Yes. I did this part at Kinko's today. It was 
pretty much a five-minute exercise, what I went through there. 
It is very fast.
    [The prepared statement of Mr. Saaf appears as a submission 
for the record.]
    Chairman Hatch. Mr. Morris?

  STATEMENT OF ALAN MORRIS, EXECUTIVE VICE PRESIDENT, SHARMAN 
 NETWORKS, LIMITED; ACCOMPANIED BY DEREK BROES, EXECUTIVE VICE 
     PRESIDENT OF WORLDWIDE OPERATIONS, BRILLIANT DIGITAL 
                         ENTERTAINMENT

    Mr. Morris. Thank you very much indeed, Chairman Hatch, for 
inviting us to come today and to help the Committee in its 
determinations about the very important issues of security and 
privacy in file sharing.
    I am the Executive Vice President of Sharman Networks, 
Limited. I look after the company's business when Sydney is 
asleep, and importantly, I look after its licensed activities, 
along with my colleagues here at Altnet. And in that respect, 
we are the world's largest distributor of licensed files.
    When we acquired the Kazaa Media Desktop, or Kazaa, as it 
is known, we set ourselves two goals. Firstly, to be the 
premier distributor of licensed files, and with over half-a-
million licensed files distributed a day, I think we have 
achieved that; and secondly, to set the standards in usability.
    If I can talk first about viruses, an issue which is very 
important, we recognized this last year, and everybody knows 
the effect viruses can have. So we invested in a fully-featured 
anti-virus program called BullGuard, and BullGuard has been 
installed as an active part of the Kazaa Media Desktop for over 
a year now. So no user of the Kazaa Media Desktop need ever be 
bothered by viruses. It runs there and it is free.
    Secondly, inadvertent file sharing. Since we acquired the 
assets, we have carried out usability tests. We looked at the 
work that the guys, Good and Krekelberg, did back in April last 
year on Version 1.7 and we have constantly modified the user 
interface, because it is important. It is crucial that people 
don't inadvertently share files. The latest Version 2.5, which 
is in public beta at the moment, which I am going to send the 
guys for their comments, makes it very, very difficult, indeed, 
for somebody to inadvertently share files.
    We have used best industry practice, known as, A) make it 
intuitive, and B) most importantly, make it safe by default. So 
if anybody tries to share parts of their hard drive which would 
be inadvisable, they get a very strong notice, like ``Do you 
want to do this?'' So I will be very interested in what you 
guys think about 2.5.
    Thirdly, the issues of privacy. Issues have been raised 
such as spyware. We have got a very strict new spyware policy. 
We certainly serve advertising. We use proprietary ad serving 
technology and we have one application bundled which is used by 
many Fortune 100 companies, and very clearly by our definition 
it is not spyware.
    User education to us is fundamentally important. We accept 
that responsibility as the leader in the marketplace and we 
would distance ourselves, I think, from our competitors, if 
they don't mind us saying that. So on the website, in very 
clear English, we give very clear guidance about how people can 
share safely. And again, guys, we welcome your views on that. 
We talk about issues like cookies and opt-ins. Spam has been 
mentioned. We have never spammed. We haven't sent it ourselves. 
And we have never sold any e-mail addresses.
    The other issue that has been raised is that of 
pornography. We totally abhor child pornography. I am a parent 
myself. What we have is a fully password-protected adult 
filter. We can't control what is distributed on the network. It 
is a digital democracy. But what we do is, by default, there is 
a series of filters for adult and offensive material which is 
password-protected and it is there to encourage and support 
responsible parenting.
    So we emphasize user education very strongly. The issue 
that we all face, I think for every application on the 
Internet, is the extent to which people, as has already been 
mentioned here, are prepared to accept that education. A recent 
AOL study on broadband use shows that many people choose not to 
update their anti-virus software. They choose not to use 
firewalls. So it does behoove us as the industry leader, and 
the rest of the industry, to work with the Committee and work 
with other agencies worldwide to ensure that user education is 
of the highest standard.
    It is particularly important, because in this always-on 
world, this wide world of broadband, the risks are much, much 
higher. It is well recognized, I think, that peer-to-peer is 
the main driver of broadband. It is the thing that drives the 
broadband future.
    So, Mr. Chairman, we are very happy to work with you, with 
members of the Committee and other agencies in the areas of 
improving the interface and in the areas of user education.
    Chairman Hatch. Well, I appreciate the comments and we will 
be happy to have you work with us and help us, if we can.
    [The prepared statement of Mr. Morris appears as a 
submission for the record.]
    Chairman Hatch. Let us turn to Mr. Murray and Mr. Broes.
    Mr. Broes. My statement has already been entered into the 
record.
    [The prepared statement of Mr. Broes appears as a 
submission for the record.]
    Chairman Hatch. Mr. Murray?

STATEMENT OF CHRIS MURRAY, LEGISLATIVE COUNSEL, CONSUMERS UNION

    Mr. Murray. Chairman Hatch, I am both grateful and honored 
by your invitation to testify before the Committee today. 
Consumers Union, as publisher of Consumer Reports magazine, is 
an organization that makes its living based on intellectual 
property, based on compensation for our creation, as well as 
our reputation as based on the trust of consumers.
    Since the first issue of Consumer Reports arrived in 
consumers' mailboxes in the 1930s, we have built our 
reputation, I think, on a love affair with technology and a 
desire to make that technology work better for consumers. 
Today's hearing presents another opportunity to scrutinize a 
technology with both enormous potential and enormous problems.
    The potential comes in the form of some really exciting new 
applications that we see, such as peer-to-peer distributed 
computing. We have got--Oxford's Center for Drug Discovery is 
using the power of peer-to-peer distributed computing to help 
come up with new drugs to solve problems like cancer and I 
believe they are also working on a cure for smallpox.
    We have Stanford's ``Folding at Home'' project, where they 
are using normal consumers like you and me, they are using our 
computers to run protein folding sequences, things that just 
require enormous amounts of processing power that an average 
research university or library just wouldn't have the funds to 
undertake.
    And we have got normal consumer uses of peer-to-peer 
technologies. There is a technology out there called Spam Watch 
right now where it is a collaborative filtering software 
whereby users flag a particular piece of e-mail as spam, and 
then when enough users flag that as spam, they say, okay, we 
are going to shut this person down to the rest of the network.
    But we also have seen today it comes with a dark side. As 
the Committee clearly understands, both the promise and 
potential as well as the dark side appear, and the dark side 
that we see and that we are concerned about is two-fold. Number 
one, the default settings concern us greatly because consumers 
are unwittingly sharing documents like tax returns, Social 
Security numbers, private information, money files, as we saw. 
But there is also this really prevalent use of spyware and 
adware that concerns us.
    I think one of the, if I can jump straight to my punch 
line, I think perhaps the most exciting near-term role I can 
see for Congress in this space is to do exactly what you are 
doing today, which is open this up to sunshine and make sure 
that people understand what exactly, what risks they are 
exposing their computers to. That seems to have had some 
effect. I guess in their latest build, they are saying that 
they have remedied some of these problems. I hope that we can 
continue to move the industry along with default settings, make 
sure that configurations work for consumers.
    As I dug into this a little bit in preparation for today's 
hearing and I looked at where uses of spyware and adware are 
happening on peer-to-peer, I realized, number one, it is a 
rampant problem on peer-to-peer and I am quite concerned about 
it. But number two, perhaps of even greater concern is I 
discovered that this is all over the place on the Internet. 
Mainstream providers, such as Microsoft, AOL's Netscape, Real 
Networks, have features on their software that millions upon 
millions of users are using whereby they are being tracked. 
Their music preferences, their reading preferences, their DVD 
watching preferences are being sent back to companies, in some 
cases along with a unique identifier which says, this is what 
this particular consumer is watching and reading and listening 
to.
    I think we, like you, are believers that if consumers can 
get information in their hands, they can begin to make some of 
the right decisions and we can move the marketplace along far.
    And so there are three things, if I can just summarize what 
I would like to say today very briefly, there are three roles 
that I think Congress can help play.
    Number one, education. Users of peer-to-peer systems need 
to be aware that what they are doing on their computers can 
expose them to enormous risks. Part of our education problem is 
that sometimes the users aren't the same people that would be 
concerned about risks. If I am a parent, I don't necessarily 
know that my child is going to be downloading Kazaa or Morpheus 
or Grokster or whatever application onto my system and 
potentially exposing my files to great risk, and so that this 
education process needs to extend not only to the people who 
are using the application, but to parents in general.
    The second role I see for Congress is investigation. I 
would be very grateful if the Chairman would urge the Federal 
Trade Commission to look into uses of spyware and adware in the 
marketplace. I see, again, in peer-to-peer, it is a rampant 
problem, but it is also a rampant problem in the mainstream 
software applications base.
    And the final role I see for Congress is in the policy 
arena. Sometimes, there is just no educating around a design 
problem. Perhaps the role that Congress could fill, the gap 
that Congress could fill would be to provide consumers with as 
much notice about what is going into the software that they are 
using on their computers. If there is spyware and adware that 
comes along with that software, we think that educating 
consumers--consumers can only be educated if they know exactly 
what is underneath the hood of that software. So perhaps we 
could discuss and work with the Committee on coming up with 
some solutions in that space.
    As I said before, I think any solutions we come up with in 
the peer-to-peer space are going to necessarily extend to the 
rest of the Internet because the fundamental architecture of 
the Internet is that of peer-to-peer. Anytime we try to 
regulate peer-to-peer as such, I think we are also talking 
about a very broad regulation of the Internet in general. It is 
difficult for me to imagine a definition of peer-to-peer that 
doesn't also include applications such as e-mail and instant 
messaging.
    I am very grateful, as I said, Mr. Chairman, for the 
opportunity to testify here today and we would be happy to 
continue the conversation.
    Chairman Hatch. Thank you. We appreciate all your 
testimony.
    [The prepared statement of Mr. Murray appears as a 
submission for the record.]
    Chairman Hatch. Let me start with you, Mr. Morris. You make 
the point that parents or employers who own Internet-connected 
computers must educate themselves about the operation or design 
flaws of every peer-to-peer software program that might be 
downloaded by their children or employees and then reeducate 
themselves every time any one of these programs is updated or 
ordered. Is that one of the arguments you are making, that 
parents--
    Mr. Morris. No, the argument I make is that, as the leader, 
we have a responsibility and we take that very seriously. So 
when people choose to download Kazaa Media Desktop in all the 
versions from 1.7 up until now, we have done our very best to 
make sure it is very clear to people what happens, make it very 
clear to parents exactly how the parental control filter works, 
and also make it very, very difficult for people to 
inadvertently file share.
    Now, we hope that sets a standard for other people and we 
hope that other peer-to-peer providers follow our lead, but we 
can't, obviously, legislate for them.
    Chairman Hatch. No, but is it true that anti-virus software 
distributed with Kazaa is disabled by default when the software 
is installed? Is that true?
    Mr. Morris. No. It is currently enabled by default.
    Chairman Hatch. It is enabled?
    Mr. Morris. It was previously disabled. It was an optional 
choice for people. And now, in the latest version, it is 
currently enabled.
    Chairman Hatch. In your written testimony, you state that, 
``Users control the material they choose to share with 
others.'' This leads me to ask, does Sharman Networks accept 
any responsibility for the files that are shared inadvertently 
or even illegally over the Kazaa network?
    Mr. Morris. No. As I said, we have no control over what is 
the digital democracy, but we do do our very best to, firstly, 
when somebody downloads the Kazaa Media Desktop, they have a 
very clear end user license agreement. We like to believe it is 
written in plain English, unlike some. And that obliges them to 
state that they will not infringe copyrights. Now, we can't 
police that. And all over the website, you'll see statements 
like, ``Do not infringe copyright.'' And certainly with 
pornographic material, we have the parental control feature, 
but we cannot police the network. It is physically and 
technically impossible.
    Chairman Hatch. Mr. Good and Mr. Krekelberg, let me ask you 
this question. I would like to commend both of you for 
identifying the data security problems potentially associated 
with peer-to-peer file sharing. In your testimony, you state 
that these problems are not intrinsic to peer-to-peer 
technology, but derive from the design of the Kazaa program. 
Now, do you know whether any similar problems affect other file 
sharing programs?
    Mr. Good. As stated earlier when we were giving our 
demonstration, all peer-to-peer file sharing systems have to do 
two things. They have to say what you are going to save and 
where you are going to save it to, and also what you are going 
to share. So any peer-to-peer file application, you have to 
address those problems somehow in the interface, and so not 
only with Kazaa, but other peer-to-peer file sharing programs, 
you have the same sort of issues that would arise.
    Chairman Hatch. Do you have anything to add, Mr. 
Krekelberg?
    Mr. Krekelberg. The point we were trying to make with that 
statement is that peer-to-peer technology is not fundamentally 
flawed where people will just start sharing all their stuff. 
There are some user interface issues that need to be addressed 
with most of these peer-to-peer clients, that users 
accidentally share things they don't want to share.
    Mr. Good. In addition, we have looked at some other peer-
to-peer file sharing programs and they seem to have similar 
sort of issues that Kazaa would have.
    Chairman Hatch. I am going to submit for the record written 
testimony from the Business Software Association.
    But let me ask you, Mr. Saaf, how often are peer-to-peer 
networks updated or altered to circumvent firewalls, filters, 
and other security measures that computer owners might take to 
protect themselves from the risks that are outlined by your 
testimony here today? I mean, who makes these alterations and 
why are they done?
    Mr. Saaf. Well, peer-to-peer file sharing networks are 
frequently updated. I am not sure that they are really updated 
to circumvent anything per se. Sometimes, they may be. That is 
really--I would have no idea. I do think that a fundamental 
issue with the peer-to-peer networking is that you are going to 
have to get rid of some of the cool things about the peer-to-
peer networking to take care of a lot of fundamental problems, 
like child pornography and security.
    The bottom line is, if you leave a peer-to-peer network 
wide open for anything to be shared, you are always going to 
run a risk that people are going to share the wrong stuff. So 
it is going to be this tension of give and take, and I think 
eventually the peer-to-peer networks may have to give up some 
of the cooler functionality if they are going to seriously take 
care of the piracy and child pornography and security concerns.
    Chairman Hatch. In your experience, how many peer-to-peer 
sharing programs install spyware and adware programs?
    Mr. Saaf. I mean, most of them. They need to make money to 
pay their staff. Typically, it is free software, so there has 
to be some method of getting revenue. But like was stated in 
other people's testimony, that is not totally uncommon on the 
Internet. A lot of software does have spyware and adware.
    And again, you know, if you don't have as much money to pay 
programmers to develop cool peer-to-peer applications, then the 
applications won't be as cool. So if you get rid of the 
spyware, then all of the sudden the company doesn't have the 
money to develop the peer-to-peer applications. It is going to 
be always a tension.
    Chairman Hatch. What can these programs do to their host 
computers?
    Mr. Saaf. What can they do?
    Chairman Hatch. Yes.
    Mr. Saaf. You mean in terms of damaging those computers? 
Well, the problem with any sort of spyware or adware or really 
any sort of software that is unregulated or not operated by a 
big company is it is not always necessarily designed perfectly, 
and what could end up happening is two or three spyware or 
adware programs just conflict with each other. You might have a 
spyware that gets installed with one version of a peer-to-peer 
networking software and a spyware that gets installed with 
another version of a different peer-to-peer networking software 
and those two spywares just don't know how to be graceful with 
each other, whereas you are not going to run into those same 
sort of problems with, like, Microsoft Word and Microsoft 
PowerPoint, because those are very well designed programs that have 
millions of dollars of development in them.
    Chairman Hatch. Mr. Murray, do you have anything to add 
here or what we might do in Congress besides what you said in 
your testimony?
    Mr. Murray. Well, that is an excellent question, Senator. 
Perhaps I could briefly add Consumer Reports' recommendations 
to users as to what we can do in general to protect ourselves, 
a couple quick things.
    Number one, you should have some form of virus software 
installed in your computer and you should update that at least 
weekly. If possible, we recommend for users, especially anybody 
that has a broadband connection, because a persistent broadband 
connection presents a lot of the same risks that peer-to-peer 
does, you can be quite transparent to the world with some very 
simple hacking tools--
    Chairman Hatch. So every time it comes up on the screen, 
you ought to click onto it.
    Mr. Murray. The updated--
    Chairman Hatch. Yes.
    Mr. Murray. As annoying as it is, yes, Senator, I believe 
that is the right answer. You should go ahead and say, yes, 
update my files, at least weekly is what we recommend. But for 
broadband users especially, we recommend putting in place a 
firewall, which can either be a piece of software or actually a 
physical router with a firewall which goes behind your modem. 
That can go a long ways towards making your computer opaque to 
the rest of the world.
    If users are going to use peer-to-peer software, we also 
recommend that they download it from one of the major portals. 
One of the bigger problems that we are having is that a piece 
of software such as Kazaa's Media Desktop, there are all of 
these third-party sites out there which say, hey, if you come 
to me and pay me a dollar, I will let you have Kazaa, when 
they, in fact, have nothing to do with Kazaa, and some of the 
worst forms of spyware and adware that we have seen have to do 
with these third-party distributors. So we recommend, again, a 
lot of what goes on in these networks is illegal sharing of 
intellectual property. So we are not meaning to endorse that in 
any way, but insofar as there are legitimate uses of these 
networks, you should download it from a major portal.
    Chairman Hatch. I am going to put Senator Leahy's statement 
in the record. He could not attend this hearing, but he wanted 
to. He takes great interest in these matters, so I will put his 
statement in the record immediately following my statement.
    Let me just ask one last question. I have heard that with 
regard to piracy problems and the stealing of music and 
copyrighted material, that there is now a software or at least 
a methodology of giving a warning that what you are doing is an 
illegal act, giving another warning, and then finally just 
destroying their computer. Are you aware of that, the warning 
that we are going to destroy your computer if you keep doing 
this illegal act? Can somebody help me to understand that?
    Mr. Morris. Derek is one of the foremost experts on 
security issues in P2P, so I think I would ask Derek to answer.
    Chairman Hatch. I have been wanting to ask you a question, 
so this is a good one for you.
    Mr. Broes. First, I should explain my role in this is that 
Brilliant Digital and Altnet, we are the commercial component 
to Kazaa Media Desktop. All of the media that we distribute 
through the network is licensed commercial material, including 
30,000 independent artists.
    And so our major concern, obviously, is with copyright. In 
being the largest distributor of digitally rights managed 
material, we have learned that distributing DRM-ed content is 
working. We distribute, as Alan mentioned earlier, 500,000 
digital rights licenses every single day, and that is growing.
    So as far as educating the user is the most critical piece, 
and as you mentioned, putting up a banner that says what they 
are doing is illegal is something that we have encouraged in 
the click wrap agreement with Kazaa Media Desktop, and that is 
precisely what they do, is warn them that they are in violation 
of this agreement.
    To inhibit the usability of the application at this stage 
simply pushes users into a deeper, darker tunnel of using peer-
to-peer networks. For instance, if they would get very, very 
frustrated with a specific way, they are going to flee to some 
networks that are highly encrypted, such as FreeNet. They are 
going to find ways. They are going to use anonymizers to 
disguise themselves.
    So the issue here and our feeling is that gradually 
changing user behavior is the approach to this, and that is 
critical, and this goes to as far as the user education. For 
instance, today, I have my laptop, which is wireless, and I 
picked up on a number of wireless networks from a number of 
companies within the D.C. area, including law firms, where 
files were accidentally being shared via--in fact, their entire 
network is accidentally being shared via wireless networks. And 
these are IT folks that are in charge of these.
    This is not a problem that is just localized to P2P 
networks. This is with technology altogether. We need to take 
greater care in educating ourselves and practicing--and as a 
company leading this initiative, we have to practice best 
practices, and we feel that we lead that, particularly because 
we are making this a commercial initiative.
    Chairman Hatch. That has been very helpful, but--
    Mr. Saaf. I would like to address that question, as well, 
if you wouldn't mind.
    Chairman Hatch. Can you destroy their set in a home?
    Mr. Saaf. Yes. I think that is not something anybody is 
really interested in doing.
    Chairman Hatch. Well, I am. I am interested in doing that.
    [Laughter.]
    Chairman Hatch. I am very interested. That may be the only 
way you can teach somebody about copyright.
    Mr. Saaf. What the industry, speaking as an anti-piracy 
software company, what the industry is mostly interested in is 
non-invasive solutions to the piracy problem. Nobody wants to 
destroy files. Nobody wants to go onto people's computers and 
damage those computers.
    Chairman Hatch. But you can? There is methodology you could 
do that?
    Mr. Saaf. I am not really aware of anybody that is 
exploring methodology in a legitimate way to actually destroy 
people's computers. It is just not something that anybody is 
really interested in doing.
    What people are interested in doing is non-invasive anti-
piracy measures, such as what our company does, is decoying, 
where we just put fake files on the network. It is extremely 
non-invasive. It just tries to create a needle-in-a-haystack 
situation, where the pirated content is difficult to find.
    The bottom line is that it is not the 30,000 independent 
artists that are being pirated, it is the top 100 platinum 
artists that are being pirated on these networks and it is 
crucial that that be protected on these networks.
    But in terms of invasive procedures, nobody is--I am not 
aware of anybody that is really pursuing invasive technology.
    Chairman Hatch. Okay.
    Mr. Murray. Senator, if I can perhaps try and respond. I am 
not the biggest technology expert on the panel by any means. My 
understanding is that there are viruses out there that could 
have the effect of doing what you are describing there, and if 
a company that were enforcing copyrights chose to use such 
means, they would have such means available.
    Chairman Hatch. Well, I would think that in order to do 
that, you would have to have a law passed by Congress enabling 
them to do that. I mean, there are a lot of other issues 
involved there, but I was interested that there is technology 
available. You could actually warn the person, warn them again, 
and tell them, ``if you continue, we are going to destroy your 
machine.'' I was interested in that because that would be maybe 
the ultimate way of making sure that no more copyright is 
pirated. But--
    Mr. Murray. That does seem to be what Representative 
Berman's bill contemplates.
    Chairman Hatch. Pardon?
    Mr. Murray. Insofar as I understand it, that seems to be 
what Representative Berman's bill in the House contemplates, is 
that sort of action.
    Mr. Saaf. I would take issue with that and disagree with 
that. As Representative Berman's bill, our company is the 
primary company that bill was directed towards and the bill 
very clearly does not allow any sort of invasive procedures. It 
is a very--I recommend anybody actually look at the actual 
context of the bill before drawing conclusions. There are 
sensationalists, like it is directed towards hurting people's 
computers.
    Invasive procedures are not being pursued by any legitimate 
anti-piracy software company right now. That is just a fact.
    Mr. Broes. Well, I can add a piece to that. I was the CEO 
prior to being at Altnet, was the CEO of Vidius, which was 
actually the company that was hired by the RIAA and the MPAA to 
do the evaluation of the Fast Track network prior to the 
lawsuit that was filed. We practiced and we developed 
technology that was considered interdiction. In fact, we were 
one of the first, I think even before MediaDefender. We did 
spoofing.
    What we found it to be is actually very ineffective, not 
cost--it is not cost effective at all. It actually cost us more 
to interdict and to spoof than it was worth, than the progress 
that we were making, for the reason that the peer-to-peer 
networks are a democracy. When you spoof a file and you put it 
out there, the intent is to try to seed the network with 
millions of these spoofed files, and what happens is users, 
once they find out that that file is a spoofed file, they 
remove it out of their shared folder. So they are no longer 
sharing that folder, which means that the company is now faced 
with the burden of seeding the network once again with that 
same spoofed file. That costs money and bandwidth.
    Our approach to this has always been a positive, kind of a 
glass is half-empty, half-full. If this glass here represents 
all of the pirated content on the Internet or all of the 
pirated content on peer-to-peer network, if we took a gallon 
jug of milk and we filled that full of legitimate content, then 
I kept pouring that into that network, eventually, it is going 
to be filled with milk and not water.
    So my point is that if we continue to take digitally rights 
managed files, which is a positive approach curbing user 
behavior, we will find that users find it more difficult to 
find the pirated content and the viruses and everything else 
because we have populated the network with legitimate content 
that is available for a price.
    So I have practiced personally as a company and as the CEO 
of a company the tactics that you are speaking of and I can 
tell you that it actually makes the problem more difficult.
    Chairman Hatch. That is interesting. Well, we would like 
you to consider helping us to understand what are the best 
methodologies that we can use or what would be the best thing 
Congress could do to help to avoid and prevent piracy of 
copyrighted materials throughout the country and the world. 
Write to us and help us to understand this better, because 
there is no excuse for anybody violating the copyright laws. 
Those laws are what protect our artists and our novelists and 
you name it, anybody who can qualify for a copyright, in what 
they are trying to do. And if they get a copyright, that ought 
to be respected.
    And if we can find some ways to do this short of destroying 
their machines, I would like to know what it is. But if that is 
the only way, then I am all for destroying their machines and 
letting them know.
    [Laughter.]
    Chairman Hatch. After you have a few hundred thousand of 
those, I think people will grow up and realize. But we would 
have to pass legislation permitting that, it seems to me, 
before somebody could really do that with any degree of 
assurance that they are doing something that might be proper.
    I am very interested in this area, and naturally, we have 
had everybody in the entertainment world come to us and say, 
``Please, help us to find a way around these piracy situations 
because it is just costing billions and billions of dollars.'' 
I have seen first-run movies out within an hour after the movie 
is shown for the first time on a pirated basis. Of course, you 
can imagine what happens in the publishing world and the 
recording world. It is just awful.
    So we could use your help on that. Congress can't do 
everything, but if there are some things we can do with regard 
to copyright, we would like to do them.
    This has been a very interesting panel. I really appreciate 
all of you coming and taking your time to help us to understand 
this better. I commend you for the success that you have made 
and for the great work that you are doing in the respective 
areas of the industry that you represent. So thank you for 
being here.
    With that, we will recess until further notice.
    [Whereupon, at 3:17 p.m., the Committee was adjourned.]
    [Questions and answers and submissions for the record 
follow.]


[GRAPHIC] [TIFF OMITTED] 
