[Senate Hearing 108-252]
[From the U.S. Government Publishing Office]
S. Hrg. 108-252
THE DARK SIDE OF A BRIGHT IDEA: COULD PERSONAL AND NATIONAL SECURITY
RISKS COMPROMISE THE POTENTIAL OF PEER-TO-PEER FILE-SHARING NETWORKS?
=======================================================================
HEARING
before the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED EIGHTH CONGRESS
FIRST SESSION
__________
JUNE 17, 2003
__________
Serial No. J-108-17
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2004
91-213 DTP
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON THE JUDICIARY
ORRIN G. HATCH, Utah, Chairman
CHARLES E. GRASSLEY, Iowa
ARLEN SPECTER, Pennsylvania
JON KYL, Arizona
MIKE DeWINE, Ohio
JEFF SESSIONS, Alabama
LINDSEY O. GRAHAM, South Carolina
LARRY E. CRAIG, Idaho
SAXBY CHAMBLISS, Georgia
JOHN CORNYN, Texas
PATRICK J. LEAHY, Vermont
EDWARD M. KENNEDY, Massachusetts
JOSEPH R. BIDEN, Jr., Delaware
HERBERT KOHL, Wisconsin
DIANNE FEINSTEIN, California
RUSSELL D. FEINGOLD, Wisconsin
CHARLES E. SCHUMER, New York
RICHARD J. DURBIN, Illinois
JOHN EDWARDS, North Carolina
Bruce Artim, Chief Counsel and Staff Director
Bruce A. Cohen, Democratic Chief Counsel and Staff Director
CONTENTS
----------
STATEMENTS OF COMMITTEE MEMBERS
Hatch, Hon. Orrin G., a U.S. Senator from the State of Utah
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont, prepared statement
WITNESSES
Davis, Hon. Tom, a Representative in Congress from the State of Virginia
Feinstein, Hon. Dianne, a U.S. Senator from the State of California
Good, Nathaniel S., Graduate Student, University of California, Berkeley School of Information Management Systems, and Aaron Krekelberg, University of Minnesota, Office of Information Technology
Morris, Alan, Executive Vice President, Sharman Networks, Limited, accompanied by Derek Broes, Executive Vice President of Worldwide Operations, Brilliant Digital Entertainment
Murray, Chris, Legislative Counsel, Consumers Union
Saaf, Randy, President, Mediadefender, Inc.
Waxman, Hon. Henry A., a Representative in Congress from the State of California
QUESTIONS AND ANSWERS
Responses of Nathaniel Good and Aaron Krekelberg to questions submitted by Senator Leahy
Responses of Alan Morris to questions submitted by Senators Hatch, Biden and Leahy
SUBMISSIONS FOR THE RECORD
Broes, Derek, Executive Vice President of Worldwide Operations, Brilliant Digital Entertainment, prepared statement
Davis, Hon. Tom, a Representative in Congress from the State of Virginia, prepared statement
Feinstein, Hon. Dianne, a U.S. Senator from the State of California, prepared statement
Good, Nathaniel S., Graduate Student, University of California, Berkeley School of Information Management Systems, and Aaron Krekelberg, University of Minnesota, Office of Information Technology, prepared statement
Morris, Alan, Executive Vice President, Sharman Networks, Limited, prepared statement
Murray, Chris, Legislative Counsel, Consumers Union, prepared statement
Saaf, Randy, President, Mediadefender, Inc., prepared statement
Waxman, Hon. Henry A., a Representative in Congress from the State of California, prepared statement
THE DARK SIDE OF A BRIGHT IDEA: COULD PERSONAL AND NATIONAL SECURITY
RISKS COMPROMISE THE POTENTIAL OF PEER-TO-PEER FILE-SHARING NETWORKS?
----------
TUESDAY, JUNE 17, 2003
United States Senate,
Committee on the Judiciary,
Washington, D.C.
The committee met, pursuant to notice, at 2:08 p.m., in
Room SD-226, Dirksen Senate Office Building, Hon. Orrin G.
Hatch, Chairman of the Committee, presiding.
Present: Senator Hatch.
Chairman Hatch. Sorry I am just a bit late. I understand
Senator Feinstein has another appointment, so we are going to
take her first, even before I make opening remarks. It is good
to have you here, Tom, as well. We will take your statement
first, too, after Senator Feinstein.
STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE
STATE OF CALIFORNIA
Senator Feinstein. Thanks very much, Mr. Chairman. I chair
a Senate Cancer Coalition and we have got a very interesting
meeting that starts just about now to begin. But I feel very
strongly about this issue, so I very much appreciate an
opportunity to testify.
This hearing is on peer-to-peer networks and security
risks. Now, peer-to-peer software is a technology that allows
Internet users around the world to share files with each other
very easily. All you need is some software, which can be
obtained free, and an Internet connection, and your files are
instantly made available over the Internet. This technology can
be used to help researchers share information or files
seamlessly across borders or to help business people share
documents. In other words, there are good, positive, legitimate
reasons for this.
But as with many new technologies, there are also serious
risks. One such risk is the recent explosion of illegally
shared copyrighted files over the Internet, most of it
occurring through these relatively anonymous peer-to-peer
networks. Using this free software, one Internet user can
simply put his or her entire music collection onto a computer
and then open that computer up to the entire rest of the world,
allowing anyone else with an Internet connection and similar
software to find the music, to download it onto their own
computers, and to listen to it at will without compensating the
copyright holder, something that we have spent a lot of time
on.
Meanwhile, these peer-to-peer networks are also
facilitating a new era of easily obtainable pornographic
material, including child pornography. MediaDefender, a company
that will testify today, has estimated that more than 800
universities are hosting child pornography on their networks.
Of most concern, however, is the use of peer-to-peer file
sharing by government employees. According to recent studies,
the vast majority of peer-to-peer users have no idea of the
breadth and scope of data they are sharing with users. A
Federal employee intending to simply download and share music
files, therefore, could easily make available every file on his
or her computer, without intending to do so or even realizing
it after the fact. This could include personal correspondence,
private financial information, and even proprietary and
sensitive government documents.
For normal users, this lack of security presents the real
threat of identity theft. Stored credit card information,
financial documents of all kinds, personal information, like
birthdays, mother's maiden names, you name it, all of this is
often stored on an individual's computer and all of it can thus
be compromised if the user is not careful when setting up peer-
to-peer software.
For government users, the situation is far worse. Not only
personally sensitive information can be stolen, but information
vital to the functioning of government, as well. Confidential
memos, Defense Department information, law enforcement records,
all could be available to any Internet user with some free
software and the desire to go looking.
The scope of the problem is unclear. Nobody really knows
how many government employees are using this software and what
level of risk there truly is. But one thing seems clear. The
risk is not worth it.
According to recent reports, it appears that many
government employees are indeed using time at work to set up
peer-to-peer software on government computers. They search for,
they obtain pornographic data of all kinds. That is illegally
downloaded and distributed, copyright material, as well. Each
of these activities reduces work productivity. Many of these
violate the law. And most importantly, the entire process opens
those computers and computer systems to invasion by outside
entities.
The House and the Senate have already prohibited the use of
this technology on Congressional computers, as I understand it,
for these reasons. I am in the process of preparing a letter to
the Cabinet heads of each Secretary asking them to look into
this problem and work toward addressing it within each of their
organizations, and I would like to give this to you. Perhaps
you and others on the Committee might wish to either take it
over or sign onto it at your pleasure.
But there can be no doubt that the widespread use of these
new technologies represents a grave security risk to this
nation and should be treated as such.
So, Mr. Chairman, this should be a very interesting
hearing. I am sorry that I can't stay. I am very interested in
the topic and look forward as a member of the Committee working
with you and see what we can come up with.
Chairman Hatch. Thank you, Senator Feinstein. We appreciate
your hard work on this Committee and your interest in this
subject, so we will let you go so you can keep your
appointments.
Senator Feinstein. Thanks very much.
Chairman Hatch. Thank you.
[The prepared statement of Senator Feinstein appears as a
submission for the record.]
Chairman Hatch. Representative Davis, we are honored to
have you come over from the House. We welcome your testimony.
STATEMENT OF HON. TOM DAVIS, A REPRESENTATIVE IN CONGRESS FROM
THE STATE OF VIRGINIA
Representative Davis. Thank you very much. As you know, we
have held hearings on the House side and look forward to
working with you on what can be done about this important
issue.
I associate myself with Senator Feinstein's remarks. I
agree with what she said.
As you know, our Committee on Government Reform, which I
chair, has been investigating some of the risks associated with
the use of these programs. File sharing programs are Internet
applications that allow users to download and directly share
electronic files from other users who are on the same network.
These programs are easily installed and permit the sharing of
files containing documents, music, or videos, free of charge.
Now, file sharing is surging in popularity. The most
popular file sharing program, Kazaa, has been downloaded almost
240 million times, making it the most popular software program
downloaded from the Internet. File sharing programs are
increasingly popular with kids. Research has shown that more
than 40 percent of those who download files from peer-to-peer
networks are under the age of 18.
The technology underlying file sharing programs is not
inherently bad, and it may turn out to have a variety of
beneficial applications. However, as our Committee has learned,
this technology can create serious risks for users.
Most of the news coverage on file sharing focuses on one
issue, the ability of users to trade copyrighted music, movies,
and videos. Our Committee is investigating other aspects of
file sharing. In March, we began our investigation by holding a
hearing to examine the extent to which pornography, including
child pornography, is traded on these networks. Last month, we
held a second hearing to review the personal privacy and
computer security risks posed by the use of these programs.
At our first hearing, we learned that peer-to-peer networks
have become an increasingly popular mechanism for trafficking
in pornography, including child pornography. In fact, it seems
as if many of these programs have become digital pornographic
libraries where all sorts of pornographic materials can be
easily accessed for free.
At the Committee's request, the GAO searched file sharing
programs and found hundreds of pornographic images, more than
half of which were child pornography and graphic adult
pornography. Research performed by another witness at our
hearing found that nearly six million pornographic files were
available for downloading on one popular peer-to-peer network
over a two-day period.
These findings are very disturbing. Many of these
pornographic images are appearing on our children's computer
screens whether they ask for it or not. Innocent searches for
files using the names of popular cartoon characters, singers,
and actors produce thousands of graphic pornographic images,
including child pornography.
At the hearing, we issued a report detailing our findings
and I would urge parents to review it in order to become
familiar with these issues. We also developed a list of non-
technical actions parents can take to reduce or eliminate their
children's exposure to pornography on these networks. This list
is available on the Committee's website.
Last month, we held a second hearing to examine threats to
personal privacy and computer security posed by the use of file
sharing programs. Despite the surging popularity of these
programs, few people recognize the risks that this technology
presents. For example, through a couple of simple searches on
one file sharing program, Committee staff easily obtained
completed tax returns with Social Security numbers, including
the names and Social Security numbers of spouses and
dependents; medical records; confidential legal documents, such
as attorney-client communications regarding divorce proceedings
and custody disputes; business files, including contract and
personnel evaluations; political records, including campaign
documents and private correspondence with constituents; and
resumes with addresses, contact information, job histories,
salary requirements, and references.
There are several possible causes for the sharing of
personal information over these networks. Users could
accidentally share this information because of incorrect
program configuration. We learned at our hearing that the
installation and set-up process can be confusing and can cause
users to unwittingly expose their entire hard drive.
Unintentional sharing of personal information can also
result from the sharing of one computer among several users.
For example, a teenager sharing a computer with his or her
parents may elect to make all the contents of the computer
available for sharing without thinking about the types of files
stored on the computer.
Users may also intentionally share these files because
increased file sharing earns the user higher priority status,
resulting in faster downloads of popular files.
Either way, the public should be aware that these programs
could result in the sharing of personal information which can
open the door to identity theft, consumer fraud, or other
unwanted uses of their personal data. Parents, businesses, and
government agencies also need to be aware of these risks if
file sharing programs are installed on their office and home
computers.
And finally, another privacy concern raised by peer-to-peer
sharing is bundling of these programs with software known as
``spyware'' and ``adware.'' These programs monitor Internet
usage primarily for marketing purposes, often without the
user's knowledge. They also give rise to pop-up advertisements
and spam e-mail.
Finally, computer viruses can easily spread through file
sharing programs, since files are shared anonymously.
I commend this Committee for looking at these important
issues. Computer users at all levels of expertise must
understand and appreciate the risks associated with the use of
this technology. Because of the privacy and security risks,
users must fully understand which files are being shared. File
sharing companies must also play a role in helping to protect
personal privacy and make the programs safe for use by kids. At
a minimum, instructions for installing and configuring these
programs should be easy to understand and should be designed
with the least technologically savvy user in mind.
Once again, thank you for allowing me to testify.
Chairman Hatch. Thank you, Representative Davis. We are
happy to have you here on this side of the Hill and happy to
have that testimony. We will excuse you if you need to get
back.
Representative Davis. I will wait for Mr. Waxman for five
minutes and then we will walk over.
[The prepared statement of Representative Davis appears as
a submission for the record.]
Chairman Hatch. All right. I will turn to my friend, Henry
Waxman, as well. Good to see you, Henry.
Representative Waxman. Thank you very much, Mr. Chairman.
Chairman Hatch. We just had a hearing this morning on
Hatch-Waxman or Waxman-Hatch. I know it depends on which side
of the Hill.
[Laughter.]
Chairman Hatch. I was honored to work with you on that as
we have on so many health care issues and I look forward to
hearing your testimony on this.
STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN CONGRESS
FROM THE STATE OF CALIFORNIA
Representative Waxman. Thank you very much, Mr. Chairman. I
was honored to work with you on that legislation and we did a
lot of good in the days when we were working together on health
issues.
But I come to you today to talk about another issue where I
hope we can work together, if we could find some solution,
legislative solution, to a problem that is really quite
perplexing, and that is what happens when there are peer-to-
peer networks and file sharing programs. Chairman Davis and I
have worked closely together to bring attention to this
technology and the questions it raises.
This technology is in many ways a bright idea, as you
indicated in the title of the hearing. It is a unique and
innovative use of Internet technology. But it also carries
significant risks that most people don't know about. These
programs are incredibly popular with young people. They have
been downloaded literally hundreds of millions of times, and
for teenagers and people in their 20s, peer-to-peer file
sharing programs are as common a computer application as e-
mail and word processing programs are for the rest of us.
But my concern is that there is a digital generation gap
when it comes to understanding these programs. Parents simply
don't have the knowledge about these programs that their
children do, and as a result, many parents are unaware of the
special risks posed by these programs. How many parents realize
that these programs, if carelessly installed, can make every
single bit of electronic information on a family computer
available to millions of strangers? Very few.
The Committee's first investigation into peer-to-peer
technology looked at one of the risks posed by file sharing
programs, the prevalence of pornography. We learned that these
peer-to-peer networks operate like a vast library of free
pornographic content. Any child that has access to a broad-band
connection can easily find and download the most hard-core
triple-X videos imaginable in just a matter of minutes at
absolutely no cost. They are pushed, this is all pornography is
pushed on kids who may be looking for Britney Spears or some
other popular artist.
GAO reported at our hearing that kids are bombarded with
this pornography even if they are not looking for it. We feel
that parents need to be aware of this so they can talk to their
kids and be advised that their kids may be having this kind of
junk forced on them.
Peer-to-peer programs connect users from anywhere in the
world into a vast open, free trade network, where with the
click of a mouse, users can share files back and forth with
other users across the globe.
Our staffs installed Kazaa--it is the most popular file
sharing program--and ran test searches to see what kind of
information people were sharing unintentionally, and what we
found was amazing. We found complicated tax returns, medical
records, and even entire e-mail in-boxes through simple
searches using file share programs. We also found that other
incredibly private documents, such as attorney-client
correspondence relating to divorce proceedings and living
wills, were also available. We found that tax returns and other
private information could be downloaded by somebody who was
using the file sharing at the same time.
We prepared a report on our findings and I would like to
submit it to you, Mr. Chairman, for your record and be included
in this hearing.
Chairman Hatch. Thank you. We will include it.
Representative Waxman. I welcome the interest of your
Committee in exploring this new technology. There is much this
hearing and future ones can add to our understanding of file
sharing programs. We need to work together on this issue. It
has become a vehicle for pornographers, for intruders, for new
technology that can lead to greater education. There are ups
and down sides to this new technology and we need to figure out
what is a rational approach to dealing with the down sides to
it.
Thank you very much.
Chairman Hatch. Thank you very much. I am very impressed
that you two friends would come over here and help us to
understand this better, so we appreciate you being here.
Representative Waxman. Thank you very much.
Chairman Hatch. Thanks.
[The prepared statement of Representative Waxman appears as
a submission for the record.]
STATEMENT OF HON. ORRIN G. HATCH, A U.S. SENATOR FROM THE STATE
OF UTAH
Chairman Hatch. We will excuse both of you and let you get
back to your busy lives. Thank you for coming.
Our second panel includes four witnesses from the private
sector who have taken leading roles in identifying and
resolving the security concerns associated with peer-to-peer
networks.
Last year, Nathaniel Good and Aaron Krekelberg published a
ground-breaking study entitled, ``Usability and Privacy: A
Study of Kazaa P2P File Sharing.''
Our next witness will be Randy Saaf, the President of
MediaDefender, Inc., a leading provider of computer security
services to private and governmental entities.
Next, we will hear testimony from Alan Morris, the
Executive Vice President of Sharman Networks, Limited, the
company that owns and operates the Kazaa peer-to-peer file
sharing program. Mr. Morris is joined by Mr. Derek Broes, the
Senior Vice President and Assistant General Counsel of
Brilliant Digital Entertainment, the parent company of Altnet,
the North American business partner of Sharman Networks. Altnet
has provided a written statement for the record and Mr. Broes
may assist Mr. Morris in responding to any questions relating
to the activities of Altnet.
And finally, we will hear testimony from Mr. Chris Murray,
Legislative Counsel for Consumers Union.
I want to thank you all for being here today and welcome
you all here, but I think what I am going to do is first make
my opening statement and then turn to you, in that order. We
will start with Mr. Good and Mr. Krekelberg and then go across
the way.
We are here today to explore some potentially troubling
aspects of an exciting technology that rightfully has gained
the attention and admiration of millions and millions of
Americans, and many millions more around the world, peer-to-
peer file sharing networks. Recent developments in peer-to-peer
networks have added dramatically to their versatility and,
therefore, their utility to many computer users.
Napster, the first peer-to-peer system, permitted the
sharing of audio files only, but newer generations of this
technology permit the sharing of all types of computer files,
including audio files, video files, visual images, documents of
all kinds, and computer programs. These advances have been
accompanied by a soaring increase in the use of peer-to-peer
networks.
Kazaa, the most popular of these networks, is now the most
popular download on the ``downloads.com'' Internet site. Kazaa
and other file sharing programs have now been downloaded over
400 million times. Kazaa often has over four million users
connected to its network simultaneously.
The demand for other popular P2P programs such as Grokster
and Morpheus is growing rapidly, as well, and mostly among
minors. Research shows that about 41 percent of those who
download files over P2P file sharing networks are between the
ages of 12 and 18. These statistics underscore the great appeal
and promise of P2P networks as well as the potential scale of
any problems that they create. They permit rapid and broad
dissemination of information and ideas and they have provided a
powerful tool to researchers, hobbyists, and interested
citizens seeking information and ideas on a wide array of
topics.
At the same time, however, they have also opened up our
homes, our businesses, and our governmental agencies to
potentially serious security risks that are neither widely
recognized nor easily remedied. Recent studies involving some
of the more popular P2P networks suggest that a significant
number of their users are inadvertently sharing personal and
highly-sensitive data over these networks, including tax
returns, bank account information, personal identifying
information, passwords, and e-mail in-boxes.
While the true scope of this problem is still unknown,
studies have shown that potentially malicious parties are
searching P2P networks for personal e-mails and credit card
numbers. This alone is disturbing, but in government agencies,
employees' use of P2P networks could also disclose sensitive
government data to the enemies of this country. At this moment
in history, the implications of this risk or the risks involved
are trembling, to say the least.
I am also troubled that many P2P networks require their
users to install so-called ``spyware'' or ``adware,'' programs
that monitor, collect, and record information about the
Internet browsing habits of a particular user. Such programs
can collect and disseminate information about the Internet use
and personal information of anyone using the computer on which
a P2P networking program has been installed. The invasion of
privacy and potential for identity theft inherent in such
programs has already attracted justifiable attention from
members of Congress and consumer advocates concerned about the
privacy and security implications of such practices.
In addition, some of the spyware or adware programs can
also wreak havoc on a user's computer by commandeering their
browsers, creating conflicts with other software that can crash
a user's computer and otherwise interfering with users' control
over their own computers.
Finally, the users of P2P file sharing networks may also
encounter malicious programs, such as viruses, worms, and
trojan horses that have been disguised as popular media files.
Indeed, the operators of the most popular file sharing program
recently explained to the House Committee on Government Reform
that ``when files come from anonymous and uncertified sources,
the risk of those files containing a virus greatly increases.''
If the promoters of these networks acknowledge that their
nature increases users' risks of exposure to malicious
programs, then they must also recognize their increased duty to
protect and educate their users.
I do believe that peer-to-peer file sharing networks are
here to stay, but the problems of data privacy, spyware and
viruses should remind all of us that the final role of peer-to-
peer file sharing networks in our culture remains to be seen.
This technology has great promise, but also some potential
pitfalls. If these networks are designed to minimize the risks
of file sharing, then the promises of this technology can
become reality. If not, then users, network administrators, and
others may ultimately conclude that the risks of this
technology outweigh its advantages.
I would like to thank all of our witnesses for appearing
here today to address these important issues. We are
particularly privileged to have with us three of our colleagues
whose stellar work in this area has shed much needed light on
the significance of the risks, as they have mentioned in their
statements, and we appreciate that. They talked about their
potential consequences, as well. So I was happy to have Senator
Feinstein and Congressmen Tom Davis and Henry Waxman here with
us today.
So we are delighted to have all of you here today. We will
start with you, Mr. Good and Mr. Krekelberg, and you just take
over. We are going to give you only five minutes apiece, so I
hope you can all stay within that time frame.
Mr. Good. We will try. Thank you, Mr. Chairman.
Chairman Hatch. We will try and be liberal in the use of
time.
STATEMENT OF NATHANIEL S. GOOD AND AARON KREKELBERG, AUTHORS OF
``USABILITY AND PRIVACY: A STUDY OF KAZAA P2P FILE SHARING''
Mr. Good. Good afternoon, Mr. Chairman. Thank you for the
opportunity to appear before you here today. In the brief
amount of time that we have, we would like to look at a study
that we performed on a peer-to-peer file sharing program called
Kazaa. In this study, we will discuss how configuration
problems could contribute to users of P2P networks
inadvertently sharing their personal and private information.
In this study, we addressed two major issues. One issue is
that users of P2P systems don't always realize what they are
sharing with others on the P2P network. In other words,
sometimes people may think they are sharing one thing, but they
are actually sharing something completely different.
The second issue is that the kind of problem we have
discovered is a problem with the program's usability and the
interaction between the application and the user. It is
different than other problems that are frequently mentioned in
the media because it is something that can't be patched in a
traditional sense that requires a redesign of the program's way
of interacting with the user, as well as educating the user to
the potential problems that could occur.
We felt that the file sharing on P2P systems could be
secure and usable if users were made clearly aware of what
files others can download, that they are able to determine how
to share and stop sharing files, that the system does not allow
users to make dangerous errors that lead to unintentionally
sharing private files, and that users are comfortable with what
is being shared and confident that the system is handling it
correctly.
By looking at the interface and performing a user study, we
were able to determine that certain parts of the Kazaa
application could be confusing to users and relied heavily on
unstated assumptions. In some cases, it was possible for the
user to think that what they were sharing was completely
different than what was actually being shared.
There are too many details to cover in the time that we
have allocated, but a majority of the details are in our
research paper and written testimony.
On the screen in front of you is Kazaa. Kazaa is the most
popular P2P file sharing program on the Internet today. With
Kazaa, you can look at any type of file, such as music,
documents, videos. Anything that can be stored on your hard
drive can be shared or downloaded from others. To do this, one
would download the application and type the keywords that one
is looking for into the search box. Kazaa then returns the
search results to the window to the right of the search screen.
Users can download other files or see files from other users.
In any peer-to-peer system, the user has to make two
important configuration choices. They have to decide where they
are going to store files that they download from the network
and what files they are going to share with others. In most
peer-to-peer systems, the folder that one chooses to save the
files to is also the one that is shared with other users. In
addition, all files and folders contained in that location are
also typically shared.
So in the next couple of slides, we will be describing some
points of confusion that may cause people to share more than
they realize and possibly share private information. Again,
there are many more details that we could go over, but due to
the brevity of this testimony, we will just go over some of the
most important ones and focus in on one of the worst-case
scenarios.
The first problem we will describe is when users specify
the location they would like to store downloaded information
to. The problem here is with terminology. There is no
indication that these files and folders will also be shared, as
well as all files and folders contained in whatever folder you
specify. There is also no description of the types of files
that can be shared. In addition, this is the only
location where users can disallow sharing with other users.
Another problem that we discovered was with the Search
Wizard and the folder list, which were two interfaces that were
designed to allow people to specify what they could share with
the Kazaa application, and in some cases, Kazaa will bring this
up when the user is first running the installation for the
program.
In the search interface, Kazaa will look through the user's
computer and determine what sort of files that they could share
with the network. In this case, it came back with ``My
Documents'' file and thought that there would be something good
to share there. Unfortunately, it doesn't tell me what it is
going to share there and relies on my assumptions of what Kazaa
can do in order to share these programs with other people.
The next interface is a list for browsing the computer
hard drive and its contents, and users can check off what area
they would like to search or would like to share with
other users. In addition, the ``My Shared'' folder, which is
the default folder that things can be shared in, is checked
all the time.
The problem in both of these interfaces is that there is no
association between what is indicated as shared in the file
import and what is indicated as shared in the downloaded
folders. So unless users intuitively know that these two are
linked, there is no way for them to know that the download
folder is also the sharing folder.
While this chance is rare, the confusion that may arise
from this problem could confuse users for other situations, as
well. In a 1996 USENIX conference, Matt Bishop, a prominent
security expert, mentioned that configuration errors are a
probable cause for more than 90 percent of security failures.
Education of users is one means of helping to reduce
configuration errors. In addition, providing help and
explanations can sometimes be useful, but has limitations.
Users rarely read documentation and frequently gloss over
privacy statements and textual explanations embedded in the
interface.
We feel that the issues we describe would be most
adequately addressed at the application level, where they would
be most effective. Thank you very much for your time.
Chairman Hatch. Thank you. We appreciate it.
[The prepared statement of Mr. Good and Mr. Krekelberg
appears as a submission for the record.]
Chairman Hatch. Mr. Saaf, we will turn to you.
STATEMENT OF RANDY SAAF, PRESIDENT, MEDIADEFENDER, INC.
Mr. Saaf. I would like to thank you for holding this
hearing and inviting me to speak. My name is Randy Saaf and I
am the President of MediaDefender. MediaDefender is one of the
most well-respected peer-to-peer anti-piracy software companies
in the world. We have very sophisticated tools for
understanding piracy problems on the peer-to-peer network and
security problems and we want to share these tools with this
Committee.
Usually, only very sophisticated computer users get
involved with network and software. In the case of peer-to-peer
networking, that is simply not true. The sheer quantity of
users of peer-to-peer networking means that quite a few really
don't know that they are opening their computers up to the
whole world.
In the summer of 2000, Napster was hitting its stride as
the hottest software application in the world. Napster really
didn't have very many security problems. It had roughly 40
million users, but it was mainly used to share MP3 pirated
music files. Today, the peer-to-peer networks have over 80
million users and they are used to trade all sorts of rich
media files, including documents and software applications.
All the security concerns associated with peer-to-peer
networking come from the file sharing aspect common to every
program. If a user never changes the default settings in a
program like Kazaa, they probably won't have any security
problems. The problem is that with the sheer number of users,
you are always going to have a certain segment that just want
to change the settings or don't understand the settings. Many
users of peer-to-peer do not realize that the default folder
that they download content to is shared up to the entire peer-
to-peer network.
A typical scenario of a security risk might be a child who
downloads his music files to his parents' ``My Documents''
folder that contains all their personal tax and financial
information, and that folder then gets re-shared to the entire
network.
MediaDefender collected data from the sixth to the ninth of
this month. We were invited to participate in this hearing on
the fifth, so we only had a few days to collect data, but we
wanted to get something that was a representative sampling of a
security risk. So MediaDefender looked for Microsoft Money
files shared on the Fast Track-based Kazaa network.
Microsoft Money files are personal tax and financial
information and there is really no reason somebody would want
to be sharing those on a peer-to-peer network. MediaDefender
found 8,034 unique Microsoft Money files being shared on the
Fast Track-based network on 6,032 unique IP addresses. The
larger implication is that probably almost every one of those
people were sharing their entire ``My Documents'' folder on
Kazaa because that is where the Microsoft Money file gets saved
by default.
So I want to give a brief demo that I did at 12:00 this
afternoon at Kinko's, where I just plugged my laptop in and did
a search for ``.mny.'' I search ``.mny,'' click enter, and up
comes a screen full of Microsoft Money files, and you will
notice each one of them has the Microsoft Money extension. I
just randomly selected one and did the feature of ``find more
from the same user.'' Now, this is a pretty standard feature in
Kazaa. Anybody could do this at home. This is no fancy software
involved in this.
Clicking ``find more from the same user'' brought up 1,500
files that that person has shared on their computer, I mean,
presumably in their ``My Documents'' folder, and you can look
at the files. They are just a hodgepodge of different types of
files, including pictures, private pictures, phone-type
information. Obviously, their Microsoft Money file was in
there, which presumably contains all their financial
information.
A user could then select all those files and just click
``download'' and have that person's entire snapshot of that
person's life. I mean, I can see from the screen here the
person goes to Indiana University and there is probably a whole
lot of information you can tell about this person in this
relatively quick exercise that took approximately five minutes.
So you can see how the clear extension of this problem
could be carried over to businesses and government
organizations, because for the same reason people don't
understand they are sharing documents at home that they don't
intend to, people at government organizations will do the same.
People want to download their music and movies on their fast
Internet connections at work.
So for this particular study, we looked for as many
computers as we could find with the search phrases ``Madonna,''
``The Matrix,'' ``porn,'' and ``sex.'' We pretty much
arbitrarily chose those search phrases because we knew they
would give us a lot of returns, and I don't think any files
with these words in them would have any legitimate governmental
purposes.
We focused on three government organizations, Los Alamos
National Laboratory, NASA, and the Naval Warfare Systems
Command. We chose them because they are obviously sensitive
organizations that would have sensitive data. We found 155
computers at Los Alamos National Laboratory sharing files on
peer-to-peer networks, 138 computers at NASA, and 236 at the
Naval Warfare Systems Command. I am fairly sure that these are
unintentional sharing, because I don't think anybody in these
organizations would be intentionally sharing pornography files
and those types of things on a peer-to-peer network at work.
This was not a comprehensive study. We simply wanted to
demonstrate there was a problem and we would recommend to the
Committee that further studies be done to actually quantify the
extent of the problem. Thank you.
Chairman Hatch. And you just did that at Kinko's today?
Mr. Saaf. Pardon?
Chairman Hatch. You just did some of this at Kinko's today?
Mr. Saaf. Yes. I did this part at Kinko's today. It was
pretty much a five-minute exercise, what I went through there.
It is very fast.
[The prepared statement of Mr. Saaf appears as a submission
for the record.]
Chairman Hatch. Mr. Morris?
STATEMENT OF ALAN MORRIS, EXECUTIVE VICE PRESIDENT, SHARMAN
NETWORKS, LIMITED; ACCOMPANIED BY DEREK BROES, EXECUTIVE VICE
PRESIDENT OF WORLDWIDE OPERATIONS, BRILLIANT DIGITAL
ENTERTAINMENT
Mr. Morris. Thank you very much indeed, Chairman Hatch, for
inviting us to come today and to help the Committee in its
determinations about the very important issues of security and
privacy in file sharing.
I am the Executive Vice President of Sharman Networks,
Limited. I look after the company's business when Sydney is
asleep, and importantly, I look after its licensed activities,
along with my colleagues here at Altnet. And in that respect,
we are the world's largest distributor of licensed files.
When we acquired the Kazaa Media Desktop, or Kazaa, as it
is known, we set ourselves two goals. Firstly, to be the
premier distributor of licensed files, and with over half-a-
million licensed files distributed a day, I think we have
achieved that; and secondly, to set the standards in usability.
If I can talk first about viruses, an issue which is very
important, we recognized this last year, and everybody knows
the effect viruses can have. So we invested in a fully-featured
anti-virus program called BullGuard, and BullGuard has been
installed as an active part of the Kazaa Media Desktop for over
a year now. So no user of the Kazaa Media Desktop need ever be
bothered by viruses. It runs there and it is free.
Secondly, inadvertent file sharing. Since we acquired the
assets, we have carried out usability tests. We looked at the
work that the guys, Good and Krekelberg, did back in April last
year on Version 1.7 and we have constantly modified the user
interface, because it is important. It is crucial that people
don't inadvertently share files. The latest Version 2.5, which
is in public beta at the moment, which I am going to send the
guys for their comments, makes it very, very difficult, indeed,
for somebody to inadvertently share files.
We have used best industry practice, known as, A) make it
intuitive, and B) most importantly, make it safe by default. So
if anybody tries to share parts of their hard drive which would
be inadvisable, they get a very strong notice, like ``Do you
want to do this?'' So I will be very interested in what you
guys think about 2.5.
Thirdly, the issues of privacy. Issues have been raised
such as spyware. We have got a very strict new spyware policy.
We certainly serve advertising. We use proprietary ad serving
technology and we have one application bundled which is used by
many Fortune 100 companies, and very clearly by our definition
it is not spyware.
User education to us is fundamentally important. We accept
that responsibility as the leader in the marketplace and we
would distance ourselves, I think, from our competitors, if
they don't mind us saying that. So on the website, in very
clear English, we give very clear guidance about how people can
share safely. And again, guys, we welcome your views on that.
We talk about issues like cookies and opt-ins. Spam has been
mentioned. We have never spammed. We haven't sent it ourselves.
And we have never sold any e-mail addresses.
The other issue that has been raised is that of
pornography. We totally abhor child pornography. I am a parent
myself. What we have is a fully password-protected adult
filter. We can't control what is distributed on the network. It
is a digital democracy. But what we do is, by default, there is
a series of filters for adult and offensive material which is
password-protected and it is there to encourage and support
responsible parenting.
So we emphasize user education very strongly. The issue
that we all face, I think for every application on the
Internet, is the extent to which people, as has already been
mentioned here, are prepared to accept that education. A recent
AOL study on broadband use shows that many people choose not to
update their anti-virus software. They choose not to use
firewalls. So it does behoove us as the industry leader, and
the rest of the industry, to work with the Committee and work
with other agencies worldwide to ensure that user education is
of the highest standard.
It is particularly important, because in this always-on
world, this wide world of broadband, the risks are much, much
higher. It is well recognized, I think, that peer-to-peer is
the main driver of broadband. It is the thing that drives the
broadband future.
So, Mr. Chairman, we are very happy to work with you, with
members of the Committee and other agencies in the areas of
improving the interface and in the areas of user education.
Chairman Hatch. Well, I appreciate the comments and we will
be happy to have you work with us and help us, if we can.
[The prepared statement of Mr. Morris appears as a
submission for the record.]
Chairman Hatch. Let us turn to Mr. Murray and Mr. Broes.
Mr. Broes. My statement has already been entered into the
record.
[The prepared statement of Mr. Broes appears as a
submission for the record.]
Chairman Hatch. Mr. Murray?
STATEMENT OF CHRIS MURRAY, LEGISLATIVE COUNSEL, CONSUMERS UNION
Mr. Murray. Chairman Hatch, I am both grateful and honored
by your invitation to testify before the Committee today.
Consumers Union, as publisher of Consumer Reports magazine, is
an organization that makes its living based on intellectual
property, based on compensation for our creation, as well as
our reputation as based on the trust of consumers.
Since the first issue of Consumer Reports arrived in
consumers' mailboxes in the 1930s, we have built our
reputation, I think, on a love affair with technology and a
desire to make that technology work better for consumers.
Today's hearing presents another opportunity to scrutinize a
technology with both enormous potential and enormous problems.
The potential comes in the form of some really exciting new
applications that we see, such as peer-to-peer distributed
computing. We have got--Oxford's Center for Drug Discovery is
using the power of peer-to-peer distributed computing to help
come up with new drugs to solve problems like cancer and I
believe they are also working on a cure for smallpox.
We have Stanford's ``Folding at Home'' project, where they
are using normal consumers like you and me, they are using our
computers to run protein folding sequences, things that just
require enormous amounts of processing power that an average
research university or library just wouldn't have the funds to
undertake.
And we have got normal consumer uses of peer-to-peer
technologies. There is a technology out there called Spam Watch
right now where it is a collaborative filtering software
whereby users flag a particular piece of e-mail as spam, and
then when enough users flag that as spam, they say, okay, we
are going to shut this person down to the rest of the network.
But we also have seen today it comes with a dark side. As
the Committee clearly understands, both the promise and
potential as well as the dark side appear, and the dark side
that we see and that we are concerned about is two-fold. Number
one, the default settings concern us greatly because consumers
are unwittingly sharing documents like tax returns, Social
Security numbers, private information, money files, as we saw.
But there is also this really prevalent use of spyware and
adware that concerns us.
I think one of the, if I can jump straight to my punch
line, I think perhaps the most exciting near-term role I can
see for Congress in this space is to do exactly what you are
doing today, which is open this up to sunshine and make sure
that people understand what exactly, what risks they are
exposing their computers to. That seems to have had some
effect. I guess in their latest build, they are saying that
they have remedied some of these problems. I hope that we can
continue to move the industry along with default settings, make
sure that configurations work for consumers.
As I dug into this a little bit in preparation for today's
hearing and I looked at where uses of spyware and adware are
happening on peer-to-peer, I realized, number one, it is a
rampant problem on peer-to-peer and I am quite concerned about
it. But number two, perhaps of even greater concern is I
discovered that this is all over the place on the Internet.
Mainstream providers, such as Microsoft, AOL's Netscape, Real
Networks, have features on their software that millions upon
millions of users are using whereby they are being tracked.
Their music preferences, their reading preferences, their DVD
watching preferences are being sent back to companies, in some
cases along with a unique identifier which says, this is what
this particular consumer is watching and reading and listening
to.
I think we, like you, are believers that if consumers can
get information in their hands, they can begin to make some of
the right decisions and we can move the marketplace along far.
And so there are three things, if I can just summarize what
I would like to say today very briefly, there are three roles
that I think Congress can help play.
Number one, education. Users of peer-to-peer systems need
to be aware that what they are doing on their computers can
expose them to enormous risks. Part of our education problem is
that sometimes the users aren't the same people that would be
concerned about risks. If I am a parent, I don't necessarily
know that my child is going to be downloading Kazaa or Morpheus
or Grokster or whatever application onto my system and
potentially exposing my files to great risk, and so that this
education process needs to extend not only to the people who
are using the application, but to parents in general.
The second role I see for Congress is investigation. I
would be very grateful if the Chairman would urge the Federal
Trade Commission to look into uses of spyware and adware in the
marketplace. I see, again, in peer-to-peer, it is a rampant
problem, but it is also a rampant problem in the mainstream
software applications base.
And the final role I see for Congress is in the policy
arena. Sometimes, there is just no educating around a design
problem. Perhaps the role that Congress could fill, the gap
that Congress could fill would be to provide consumers with as
much notice about what is going into the software that they are
using on their computers. If there is spyware and adware that
comes along with that software, we think that educating
consumers--consumers can only be educated if they know exactly
what is underneath the hood of that software. So perhaps we
could discuss and work with the Committee on coming up with
some solutions in that space.
As I said before, I think any solutions we come up with in
the peer-to-peer space are going to necessarily extend to the
rest of the Internet because the fundamental architecture of
the Internet is that of peer-to-peer. Anytime we try to
regulate peer-to-peer as such, I think we are also talking
about a very broad regulation of the Internet in general. It is
difficult for me to imagine a definition of peer-to-peer that
doesn't also include applications such as e-mail and instant
messaging.
I am very grateful, as I said, Mr. Chairman, for the
opportunity to testify here today and we would be happy to
continue the conversation.
Chairman Hatch. Thank you. We appreciate all your
testimony.
[The prepared statement of Mr. Murray appears as a
submission for the record.]
Chairman Hatch. Let me start with you, Mr. Morris. You make
the point that parents or employers who own Internet-connected
computers must educate themselves about the operation or design
flaws of every peer-to-peer software program that might be
downloaded by their children or employees and then reeducate
themselves every time any one of these programs is updated or
ordered. Is that one of the arguments you are making, that
parents--
Mr. Morris. No, the argument I make is that, as the leader,
we have a responsibility and we take that very seriously. So
when people choose to download Kazaa Media Desktop in all the
versions from 1.7 up until now, we have done our very best to
make sure it is very clear to people what happens, make it very
clear to parents exactly how the parental control filter works,
and also make it very, very difficult for people to
inadvertently file share.
Now, we hope that sets a standard for other people and we
hope that other peer-to-peer providers follow our lead, but we
can't, obviously, legislate for them.
Chairman Hatch. No, but is it true that anti-virus software
distributed with Kazaa is disabled by default when the software
is installed? Is that true?
Mr. Morris. No. It is currently enabled by default.
Chairman Hatch. It is enabled?
Mr. Morris. It was previously disabled. It was an optional
choice for people. And now, in the latest version, it is
currently enabled.
Chairman Hatch. In your written testimony, you state that,
``Users control the material they choose to share with
others.'' This leads me to ask, does Sharman Networks accept
any responsibility for the files that are shared inadvertently
or even illegally over the Kazaa network?
Mr. Morris. No. As I said, we have no control over what is
the digital democracy, but we do do our very best to, firstly,
when somebody downloads the Kazaa Media Desktop, they have a
very clear end user license agreement. We like to believe it is
written in plain English, unlike some. And that obliges them to
state that they will not infringe copyrights. Now, we can't
police that. And all over the website, you'll see statements
like, ``Do not infringe copyright.'' And certainly with
pornographic material, we have the parental control feature,
but we cannot police the network. It is physically and
technically impossible.
Chairman Hatch. Mr. Good and Mr. Krekelberg, let me ask you
this question. I would like to commend both of you for
identifying the data security problems potentially associated
with peer-to-peer file sharing. In your testimony, you state
that these problems are not intrinsic to peer-to-peer
technology, but derive from the design of the Kazaa program.
Now, do you know whether any similar problems affect other file
sharing programs?
Mr. Good. As stated earlier when we were giving our
demonstration, all peer-to-peer file sharing systems have to do
two things. They have to say what you are going to save and
where you are going to save it to, and also what you are going
to share. So any peer-to-peer file application, you have to
address those problems somehow in the interface, and so not
only with Kazaa, but other peer-to-peer file sharing programs,
you have the same sort of issues that would arise.
Chairman Hatch. Do you have anything to add, Mr.
Krekelberg?
Mr. Krekelberg. The point we were trying to make with that
statement is that peer-to-peer technology is not fundamentally
flawed where people will just start sharing all their stuff.
There are some user interface issues that need to be addressed
with most of these peer-to-peer clients, that users
accidentally share things they don't want to share.
Mr. Good. In addition, we have looked at some other peer-
to-peer file sharing programs and they seem to have similar
sort of issues that Kazaa would have.
Chairman Hatch. I am going to submit for the record written
testimony from the Business Software Association.
But let me ask you, Mr. Saaf, how often are peer-to-peer
networks updated or altered to circumvent firewalls, filters,
and other security measures that computer owners might take to
protect themselves from the risks that are outlined by your
testimony here today? I mean, who makes these alterations and
why are they done?
Mr. Saaf. Well, peer-to-peer file sharing networks are
frequently updated. I am not sure that they are really updated
to circumvent anything per se. Sometimes, they may be. That is
really--I would have no idea. I do think that a fundamental
issue with the peer-to-peer networking is that you are going to
have to get rid of some of the cool things about the peer-to-
peer networking to take care of a lot of fundamental problems,
like child pornography and security.
The bottom line is, if you leave a peer-to-peer network
wide open for anything to be shared, you are always going to
run a risk that people are going to share the wrong stuff. So
it is going to be this tension of give and take, and I think
eventually the peer-to-peer networks may have to give up some
of the cooler functionality if they are going to seriously take
care of the piracy and child pornography and security concerns.
Chairman Hatch. In your experience, how many peer-to-peer
sharing programs install spyware and adware programs?
Mr. Saaf. I mean, most of them. They need to make money to
pay their staff. Typically, it is free software, so there has
to be some method of getting revenue. But like was stated in
other people's testimony, that is not totally uncommon on the
Internet. A lot of software does have spyware and adware.
And again, you know, if you don't have as much money to pay
programmers to develop cool peer-to-peer applications, then the
applications won't be as cool. So if you get rid of the
spyware, then all of the sudden the company doesn't have the
money to develop the peer-to-peer applications. It is going to
be always a tension.
Chairman Hatch. What can these programs do to their host
computers?
Mr. Saaf. What can they do?
Chairman Hatch. Yes.
Mr. Saaf. You mean in terms of damaging those computers?
Well, the problem with any sort of spyware or adware or really
any sort of software that is unregulated or not operated by a
big company is it is not always necessarily designed perfectly,
and what could end up happening is two or three spyware or
adware programs just conflict with each other. You might have a
spyware that gets installed with one version of a peer-to-peer
networking software and a spyware that gets installed with
another version of a different peer-to-peer networking software
and those two spywares just don't know how to be graceful with
each other, whereas you are not going to run into those same
sort of problems with, like, Microsoft Word and Microsoft
PowerPoint, because those are very well designed programs that have
millions of dollars of development in them.
Chairman Hatch. Mr. Murray, do you have anything to add
here or what we might do in Congress besides what you said in
your testimony?
Mr. Murray. Well, that is an excellent question, Senator.
Perhaps I could briefly add Consumer Reports' recommendations
to users as to what we can do in general to protect ourselves,
a couple quick things.
Number one, you should have some form of virus software
installed in your computer and you should update that at least
weekly. If possible, we recommend for users, especially anybody
that has a broadband connection, because a persistent broadband
connection presents a lot of the same risks that peer-to-peer
does, you can be quite transparent to the world with some very
simple hacking tools--
Chairman Hatch. So every time it comes up on the screen,
you ought to click onto it.
Mr. Murray. The updated--
Chairman Hatch. Yes.
Mr. Murray. As annoying as it is, yes, Senator, I believe
that is the right answer. You should go ahead and say, yes,
update my files, at least weekly is what we recommend. But for
broadband users especially, we recommend putting in place a
firewall, which can either be a piece of software or actually a
physical router with a firewall which goes behind your modem.
That can go a long ways towards making your computer opaque to
the rest of the world.
If users are going to use peer-to-peer software, we also
recommend that they download it from one of the major portals.
One of the bigger problems that we are having is that a piece
of software such as Kazaa's Media Desktop, there are all of
these third-party sites out there which say, hey, if you come
to me and pay me a dollar, I will let you have Kazaa, when
they, in fact, have nothing to do with Kazaa, and some of the
worst forms of spyware and adware that we have seen have to do
with these third-party distributors. So we recommend, again, a
lot of what goes on in these networks is illegal sharing of
intellectual property. So we are not meaning to endorse that in
any way, but insofar as there are legitimate uses of these
networks, you should download it from a major portal.
Chairman Hatch. I am going to put Senator Leahy's statement
in the record. He could not attend this hearing, but he wanted
to. He takes great interest in these matters, so I will put his
statement in the record immediately following my statement.
Let me just ask one last question. I have heard that with
regard to piracy problems and the stealing of music and
copyrighted material, that there is now a software or at least
a methodology of giving a warning that what you are doing is an
illegal act, giving another warning, and then finally just
destroying their computer. Are you aware of that, the warning
that we are going to destroy your computer if you keep doing
this illegal act? Can somebody help me to understand that?
Mr. Morris. Derek is one of the foremost experts on
security issues in P2P, so I think I would ask Derek to answer.
Chairman Hatch. I have been wanting to ask you a question,
so this is a good one for you.
Mr. Broes. First, I should explain my role in this is that
Brilliant Digital and Altnet, we are the commercial component
to Kazaa Media Desktop. All of the media that we distribute
through the network is licensed commercial material, including
30,000 independent artists.
And so our major concern, obviously, is with copyright. In
being the largest distributor of digitally rights managed
material, we have learned that distributing DRM-ed content is
working. We distribute, as Alan mentioned earlier, 500,000
digital rights licenses every single day, and that is growing.
So as far as educating the user is the most critical piece,
and as you mentioned, putting up a banner that says what they
are doing is illegal is something that we have encouraged in
the click wrap agreement with Kazaa Media Desktop, and that is
precisely what they do, is warn them that they are in violation
of this agreement.
To inhibit the usability of the application at this stage
simply pushes users into a deeper, darker tunnel of using peer-
to-peer networks. For instance, if they would get very, very
frustrated with a specific way, they are going to flee to some
networks that are highly encrypted, such as FreeNet. They are
going to find ways. They are going to use anonymizers to
disguise themselves.
So the issue here and our feeling is that gradually
changing user behavior is the approach to this, and that is
critical, and this goes to as far as the user education. For
instance, today, I have my laptop, which is wireless, and I
picked up on a number of wireless networks from a number of
companies within the D.C. area, including law firms, where
files were accidentally being shared via--in fact, their entire
network is accidentally being shared via wireless networks. And
these are IT folks that are in charge of these.
This is not a problem that is just localized to P2P
networks. This is with technology altogether. We need to take
greater care in educating ourselves and practicing--and as a
company leading this initiative, we have to practice best
practices, and we feel that we lead that, particularly because
we are making this a commercial initiative.
Chairman Hatch. That has been very helpful, but--
Mr. Saaf. I would like to address that question, as well,
if you wouldn't mind.
Chairman Hatch. Can you destroy their set in a home?
Mr. Saaf. Yes. I think that is not something anybody is
really interested in doing.
Chairman Hatch. Well, I am. I am interested in doing that.
[Laughter.]
Chairman Hatch. I am very interested. That may be the only
way you can teach somebody about copyright.
Mr. Saaf. What the industry, speaking as an anti-piracy
software company, what the industry is mostly interested in is
non-invasive solutions to the piracy problem. Nobody wants to
destroy files. Nobody wants to go onto people's computers and
damage those computers.
Chairman Hatch. But you can? There is methodology you could
do that?
Mr. Saaf. I am not really aware of anybody that is
exploring methodology in a legitimate way to actually destroy
people's computers. It is just not something that anybody is
really interested in doing.
What people are interested in doing is non-invasive anti-
piracy measures, such as what our company does, is decoying,
where we just put fake files on the network. It is extremely
non-invasive. It just tries to create a needle-in-a-haystack
situation, where the pirated content is difficult to find.
The bottom line is that it is not the 30,000 independent
artists that are being pirated, it is the top 100 platinum
artists that are being pirated on these networks and it is
crucial that that be protected on these networks.
But in terms of invasive procedures, nobody is--I am not
aware of anybody that is really pursuing invasive technology.
Chairman Hatch. Okay.
Mr. Murray. Senator, if I can perhaps try and respond. I am
not the biggest technology expert on the panel by any means. My
understanding is that there are viruses out there that could
have the effect of doing what you are describing there, and if
a company that were enforcing copyrights chose to use such
means, they would have such means available.
Chairman Hatch. Well, I would think that in order to do
that, you would have to have a law passed by Congress enabling
them to do that. I mean, there are a lot of other issues
involved there, but I was interested that there is technology
available. You could actually warn the person, warn them again,
and tell them, ``if you continue, we are going to destroy your
machine.'' I was interested in that because that would be maybe
the ultimate way of making sure that no more copyright is
pirated. But--
Mr. Murray. That does seem to be what Representative
Berman's bill contemplates.
Chairman Hatch. Pardon?
Mr. Murray. Insofar as I understand it, that seems to be
what Representative Berman's bill in the House contemplates, is
that sort of action.
Mr. Saaf. I would take issue with that and disagree with
that. As Representative Berman's bill, our company is the
primary company that bill was directed towards and the bill
very clearly does not allow any sort of invasive procedures. It
is a very--I recommend anybody actually look at the actual
context of the bill before drawing conclusions. There are
sensationalists, like it is directed towards hurting people's
computers.
Invasive procedures are not being pursued by any legitimate
anti-piracy software company right now. That is just a fact.
Mr. Broes. Well, I can add a piece to that. I was the CEO
prior to being at Altnet, was the CEO of Vidius, which was
actually the company that was hired by the RIAA and the MPAA to
do the evaluation of the Fast Track network prior to the
lawsuit that was filed. We practiced and we developed
technology that was considered interdiction. In fact, we were
one of the first, I think even before MediaDefender. We did
spoofing.
What we found it to be is actually very ineffective, not
cost--it is not cost effective at all. It actually cost us more
to interdict and to spoof than it was worth, than the progress
that we were making, for the reason that the peer-to-peer
networks are a democracy. When you spoof a file and you put it
out there, the intent is to try to seed the network with
millions of these spoofed files, and what happens is users,
once they find out that that file is a spoofed file, they
remove it out of their shared folder. So they are no longer
sharing that folder, which means that the company is now faced
with the burden of seeding the network once again with that
same spoofed file. That costs money and bandwidth.
Our approach to this has always been a positive, kind of a
glass is half-empty, half-full. If this glass here represents
all of the pirated content on the Internet or all of the
pirated content on peer-to-peer network, if we took a gallon
jug of milk and we filled that full of legitimate content, then
I kept pouring that into that network, eventually, it is going
to be filled with milk and not water.
So my point is that if we continue to take digitally rights
managed files, which is a positive approach curbing user
behavior, we will find that users find it more difficult to
find the pirated content and the viruses and everything else
because we have populated the network with legitimate content
that is available for a price.
So I have practiced personally as a company and as the CEO
of a company the tactics that you are speaking of and I can
tell you that it actually makes the problem more difficult.
Chairman Hatch. That is interesting. Well, we would like
you to consider helping us to understand what are the best
methodologies that we can use or what would be the best thing
Congress could do to help to avoid and prevent piracy of
copyrighted materials throughout the country and the world.
Write to us and help us to understand this better, because
there is no excuse for anybody violating the copyright laws.
Those laws are what protect our artists and our novelists and
you name it, anybody who can qualify for a copyright, in what
they are trying to do. And if they get a copyright, that ought
to be respected.
And if we can find some ways to do this short of destroying
their machines, I would like to know what it is. But if that is
the only way, then I am all for destroying their machines and
letting them know.
[Laughter.]
Chairman Hatch. After you have a few hundred thousand of
those, I think people will grow up and realize. But we would
have to pass legislation permitting that, it seems to me,
before somebody could really do that with any degree of
assurance that they are doing something that might be proper.
I am very interested in this area, and naturally, we have
had everybody in the entertainment world come to us and say,
``Please, help us to find a way around these piracy situations
because it is just costing billions and billions of dollars.''
I have seen first-run movies out within an hour after the movie
is shown for the first time on a pirated basis. Of course, you
can imagine what happens in the publishing world and the
recording world. It is just awful.
So we could use your help on that. Congress can't do
everything, but if there are some things we can do with regard
to copyright, we would like to do them.
This has been a very interesting panel. I really appreciate
all of you coming and taking your time to help us to understand
this better. I commend you for the success that you have made
and for the great work that you are doing in the respective
areas of the industry that you represent. So thank you for
being here.
With that, we will recess until further notice.
[Whereupon, at 3:17 p.m., the Committee was adjourned.]
[Questions and answers and submissions for the record
follow.]
[GRAPHIC] [TIFF OMITTED]