Messaging News Magazine


What is the Real Peer-to-Peer Threat?

by Stephanie Jordan

The Recording Industry Association of America (RIAA) won its first trial when a jury ordered Jammie Thomas of Duluth, Minnesota to pay US$220,000 to a half dozen separate record companies: Sony BMG, Arista Records, Interscope Records, UMG Recordings, Capitol Records, and Warner Bros. Records. The settlement involves 24 copyrighted songs illegally downloaded and shared with others over a Kazaa filesharing network on her computer. Thomas' lawyer argued that someone else could have downloaded the songs either in-person or remotely, but the Minnesota jury ruled in favor of the recording industry. The jury ordered Thomas to pay US$9,250 for each of the 24 songs, well above the anticipated US$750-per-song minimum. "The October Minnesota copyright infringement precedent-setting case gives the RIAA the right ammunition to stop people from downloading and distributing unauthorized copyrighted digital files over contaminated Peer-to-Peer (P2P) networks," says Safwat Fahmy, CEO and chairman of SafeMedia Corporation.

In a previous case in Arizona, Judge Neil V. Wake provided the legal foundation for the Minnesota RIAA victory. In the case Atlantic v. Howell, Judge Wake in a summary judgment handed the RIAA US$40,500 in statutory damages, US$350 in court costs, and a permanent injunction against future copyright infringement by the Howells. "This landmark decision was based on 'The Made Available Theory' that anyone who has P2P programs on their computer, which connect to a contaminated P2P network (even without downloading files) is committing copyright infringement since the only reason to have the programs is to make copyrighted files available to all other users," explains Fahmy.

Not Just Music

On Sept. 7, 2007, the U.S. Secret Service, U.S. Postal Inspection Service, and the Seattle Police indicted Gregory Thomas Kopiloff of Seattle for allegedly using information on tax returns, bank statements and credit reports to obtain identity information to defraud consumers, banks and retailers. According to their investigation, thousands of potential criminals each day use P2P networks to steal consumer information necessary to commit identity theft and fraud. According to a four-count indictment unsealed in U.S. District Court, Thomas Kopiloff used LimeWire, Soulseek and other "peer-to-peer" file-sharing programs to troll other computers for financial information, which he used to open credit cards for an online shopping spree. The report said he bought more than US$73,000 worth of goods online, then resold those items at steep discounts and kept the proceeds.

P2P Networks

By design, P2P networks share files from all the participants (peers) in the P2P network, regardless of copyright and content. Typically, P2P networks do not control the content or the participants on their network. Contaminated P2P networks are known to contain illegal copyrighted files, classified business information, national security data and personal identification documents. BitTorrent, the original file transfer protocol, was designed specifically to share scientific and academic research data. BitTorrent architecture involves creating a very small file called a "Torrent," which contains the name of the digital files to be transferred and the location of those files on the Internet. Once the user downloads the Torrent file, they may use that small file to access the digital files registered in the Torrent. The user's computer uses the location in the Torrent file and the name of the digital file to download only those files. Unlike other P2P protocols, BitTorrent only shares the files listed in the Torrent file and no other files on the user's computer. BitTorrent imposes control over the files being downloaded.

"There are plenty of legal, open source products and companies that not only use, but depend upon, peer to peer to survive," says Chris Boyd, director of malware research for FaceTime Security Lab. Boyd cites the new Linux distributions and similar products as examples. "They would have a hard time starting from scratch, if not for the possibilities that something such as BitTorrent offers. It's important not to immediately equate everything related to the words 'peer-to-peer' with bad. As far as 'maintaining control' over the files downloaded goes, tools such as BitTorrent already take this into account and use checksums and hash codes to ensure the integrity of the data sent."

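The Torrent metadata and the hash-based integrity check described in the two paragraphs above, as an added example (not code from the article or from any BitTorrent client): a minimal bencode parser and SHA-1 piece check for a single-file torrent. The sample torrent, the tracker URL and the function names are constructed for illustration.

```python
import hashlib

def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    c = data[i:i+1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i+1:end]), end + 1
    if c in (b"l", b"d"):                          # list l...e / dict d<k><v>...e
        items, i = [], i + 1
        while data[i:i+1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        s = data[colon+1:colon+1+n]
        if len(s) != n:
            raise ValueError("truncated string")
        return s, colon + 1 + n
    raise ValueError(f"bad bencode at offset {i}")

def bencode(v):
    """Encoder, used here only to build the constructed sample below."""
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    return b"d" + b"".join(bencode(k) + bencode(v[k]) for k in sorted(v)) + b"e"

def bad_pieces(torrent_bytes, payload):
    """Return indexes of payload pieces whose SHA-1 differs from the metadata."""
    info = bdecode(torrent_bytes)[0][b"info"]
    plen, table = info[b"piece length"], info[b"pieces"]
    expected = [table[i:i+20] for i in range(0, len(table), 20)]
    if len(payload) != info[b"length"] or len(expected) != -(-len(payload) // plen):
        raise ValueError("payload size does not match metadata")
    return [n for n, h in enumerate(expected)
            if hashlib.sha1(payload[n*plen:(n+1)*plen]).digest() != h]

# Constructed sample: one file, 16-byte pieces, placeholder tracker URL.
PAYLOAD = b"constructed sample payload for the demo!"
TORRENT = bencode({
    b"announce": b"http://tracker.example/announce",
    b"info": {b"name": b"sample.bin", b"length": len(PAYLOAD), b"piece length": 16,
              b"pieces": b"".join(hashlib.sha1(PAYLOAD[i:i+16]).digest()
                                  for i in range(0, len(PAYLOAD), 16))},
})
```
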
But not all P2P networks operate like BitTorrent. It is easy to see, especially given recent media attention, why the reputation of P2P networks appears tainted. 70 million illegal downloads occur each day worldwide. LimeWire, Kazaa Media Desktop, and other P2P networks are used for free downloads, but this can lead to inadvertent filesharing. In other words, it is possible that after people click "yes" to filesharing they download applications that open their computer to the world. "Most people who use P2P networks don't even know that they have exposed sensitive government, corporate and personal, financial, and health information and this indictment on an alleged Seattle fraud ring shows what a group of ID thieves could do if they grab your information," comments Pasquale Giordano, president/COO for SafeMedia. "SafeMedia's P2P Disaggregator (P2PD) Solutions is the only solution that can guarantee that criminals using P2P network clients can never access government, corporate or personal records." A new solution on the market, SafeMedia P2PD technology is embedded in DSL and cable modems in the home or work environment or as a standalone subnet appliance for universities, government agencies and corporate networks. "Our strategy of subnet implementation eliminates any network latency; controls darknets file sharing between subnets and reduces exposure to backbone failure."

What is the Real Danger?

According to FaceTime's Use of Greynets: Third Annual Survey of Trends, Attitudes and Impacts, conducted by market research company NewDiligence, 84 percent of end-users perceive either some or great risk in music and video sharing, the highest risk activity in this just-released survey. FaceTime believes this perception is possibly driven by the high-profile cases of data leakage at ABN Amro over LimeWire, and the Jammie Thomas music file sharing suit. According to the survey, IT sees an even higher risk in P2P behavior, with 92 percent thinking there is some or great risk involved. However, 21 percent of IT staff believe they cannot prevent end-users from using IM or P2P applications. Just half of IT managers believe they have effective methods to block/filter IM or P2P traffic on their network. But what is the real P2P risk?

To Boyd, the big danger is copyright. But not in the way that one might think. "If someone steals my credit card details, I can recover," states Boyd. "If someone takes personal information, I can usually take steps to mitigate damage. If I'm accused of music piracy, that I didn't commit, and sued for hundreds of thousands of dollars, I'm not sure any force on Earth can help me in the current shoot-first-ask-questions-later climate." For Boyd the real threat surrounding P2P is not the illegal access of personal identification documents, nor loss of national security data. "There is a huge risk for scapegoating with regards to P2P usage," continues Boyd. "For example, if I hack your PC and steal your DRM free music purchased online (which can still actually contain things such as your username for the service you bought) and upload them to P2P networks, what's to stop RIAA coming after you with accusations of music piracy?" SJ/TMP