July 8, 2003 12:01 PM PDT
P2P's little secret
- Related Stories
Piracy and peer-to-peerJuly 7, 2003
Labels aim big guns at small file swappersJune 25, 2003
Wireless spec approved, next under wayJune 12, 2003
The mood among campus file-swappersMay 14, 2003
Verizon gets 14 days to ID file-swapperApril 24, 2003
Watchdogs rap RIAA's file-trade assaultAugust 30, 2002
DOJ to swappers: Law's not on your sideAugust 20, 2002
Net users lose a secret-alias toolOctober 4, 2001
Popular peer-to-peer networks such as Kazaa, where the lion's share of online trading of music and other files takes place, are designed such that participants who wish to remain completely anonymous must pay a severe price in terms of convenience and usability, experts warn.
"There is no good system out there for hiding identities," said Randy Saaf, president of MediaDefender, a Los Angeles-based company that investigates peer-to-peer networks for the music industry. "If they're sharing content, they're wide open--they're running the risk. It's hard to anonymize people on a big public network."
There are plenty of incentives for Web surfers to try to cloak their identity these days. Recently, the Recording Industry Association of America (RIAA) pledged to sue individuals who infringe copyrights, and it won a court order forcing Verizon Communications to divulge the identity of a Kazaa user. The RIAA has already filed suit against four university students, and some schools have disciplined students for inappropriate file-swapping.
So far, the RIAA's threats of litigation have had no effect, said Wayne Rosso, president of peer-to-peer company Grokster. "As far as I can see, nobody really cares," Rosso said. "Our downloads are up, traffic is holding steady. Come on, users know they can't sue 60 million of them. Who are they kidding?"
Hiding on a file-sharing system is hard for a very simple reason: Peer-to-peer networks are designed for efficiency, not anonymity. They rely on a straightforward mechanism that is ruthlessly efficient at trading files. But, by broadcasting the contents of shared folders, the system leaves users vulnerable to identification and, therefore, to possible legal action.
On a peer-to-peer network, files are directly swapped between computers, each of which has a unique Internet Protocol (IP) address that can be traced back to the Internet service provider, corporation or university to which it belongs. Because computers on a peer-to-peer network transfer files without going through an intermediary, the IP address of one person on the network is generally available to everyone else.
Typically, a copyright holder can unmask a suspected infringer by sending a subpoena--which invokes a controversial section of the Digital Millennium Copyright Act (DMCA)--to the company or university providing network connectivity to the IP address in question, asking it to reveal the identity of the suspect. Once it knows the suspect's name, a copyright holder has the option of filing a lawsuit or simply sending a cease-and-desist notice.
Donning the mask
Products that offer privacy for activities such as Web surfing and e-mail have been available for some time, although most have been greeted with indifference by consumers. That attitude could change, however, with the RIAA's new policy of filing lawsuits against individuals, potentially sparking a renaissance in anonymizing tools for peer-to-peer networks.
Anonymous P2P file trading?
Wayne Cunningham, senior editor, Download.com
A surge in interest in anonymizing technology could radically change the character of the Net, if strong privacy software were to become widely adopted.
In response to the possible threat to file swappers of litigation or even criminal prosecution, some companies have begun to offer products they say will make filing a lawsuit against file swappers more difficult. Last week, for instance, a peer-to-peer service named Blubster announced a new version of its software that it touted as a "new, secure, decentralized, self-assembling network that provides users with private, anonymous accounts."
Consumers hoping for a painless way to hide their identity on peer-to-peer networks may be disappointed, however. For example, Blubster does not conceal the telltale IP addresses used to connect to the file-swapping service, meaning copyright investigators can, in practice, unmask anyone on its system.
Blubster counters that, in practice, its system will still make it more difficult for RIAA investigators to figure out the total number of files an individual is offering for download, as it does not list the files at a specific IP address. On the other hand, Blubster's method would not block a software program that maps the network by performing thousands of automated searches.
Because the RIAA will seek to sue the most flagrant infringers, the thinking goes, its investigators may target peer-to-peer networks that make such information available--without requiring as much discovery effort.
RIAA spokesman Jonathan Lamy declined to discuss the specific techniques the group employs when investigating infringement on peer-to-peer networks. But Lamy said "not only can these services be held criminally responsible, but users who try to avoid detection can face the same charge as well, in addition to the obvious civil liability."
That's not to say that there are no techniques available for savvy file swappers who wish to keep their identity secret.
One way to achieve reasonable anonymity for downloading files, experts say, is to find a free 802.11 Wi-Fi access point that does not require a password or a subscription. Because anyone can access the wireless network without identifying herself or himself first, lawyers from the RIAA would have difficulty tracking down individual users.
Scores of wireless access points exist in New York City, and some municipal governments have funded free access points with tax dollars. Last month, a working group of the Institute of Electrical and Electronics Engineers gave a boost to the growing interest in 802.11 by approving the 802.11g specification as a standard, a faster version of the early 802.11b protocol.
MediaDefender's Saaf admitted that this method offers effective cover for downloaders, but said he believes it is too inconvenient to become a serious conduit for illicit music and video files. "You can go into a Kinko's and plug into your laptop, too, and put files up on a P2P network," he said. "But, if people can't do it at home, they won't do it on a massive scale."
In addition, he predicted that wireless operators could come under fire from copyright holders if Wi-Fi file-sharing hubs become too widespread.
Ian Clarke, the project's inventor, said in an interview that the RIAA's recent legal actions and threats of additional lawsuits have heightened interest in Freenet. "The Freenet site has seen a threefold increase in Web traffic since the RIAA announcement," Clarke said. "We've received more donations to the project in the last week than we had in the past two months before that."
"We like the attention to some degree, and we certainly appreciate the donations, but it places us in a strange position," Clarke said. "Our concern and our goal is to protect political dissidents living in repressive regimes, not to let some kid get the latest Britney Spears album. But we can't prevent that without compromising the goal of Freenet."
Freenet's Web site describes the project as "free software designed to ensure true freedom of communication over the Internet. It allows anybody to publish and read information with complete anonymity. Nobody controls Freenet--not even its creators--meaning that the system is not vulnerable to manipulation or shutdown."
MediaDefender's Saaf admits that Freenet is a "a much more compelling technology" than its rivals. "But the problem with it is that it's not very user-friendly at this point," Saaf said. "It's always been more hype than practical utility. I don't know of anyone who uses Freenet."
In a recent debate, Matt Oppenheim, the RIAA's senior vice president of business and legal affairs, downplayed the problems that Freenet's anonymity may pose to lawyers for the music industry. "Other than the fact that most infringers do not like to use Freenet because it is too clunky for them to get their quick hit of free music, it is no more of a threat than any of the popular P2P services," Oppenheim wrote.
"We have not enabled our service to work with the Gnutellas of the world," Cottrell said. "The problem is that the RIAA has the kind of money that, whether you're right or wrong, you're out of business. It's not whether you win or lose, but whether you survive the litigation."
Under a 1995 Supreme Court ruling, McIntyre v. Ohio Elections Commission, and other precedents going back to the pseudonymously published Federalist Papers, Americans enjoy a broad right to anonymity, especially for political speech. But courts have also held that someone's identity can be unmasked through a DMCA subpoena to an Internet provider or by filing a "John Doe" lawsuit.
In a ruling last week in the Aimster case, a federal appeals court went even further, suggesting that a file-swapping network that cloaks its users' activities might run afoul of copyright law, precisely because it is designed to conceal illegal acts.
"Aimster hampered its search for evidence by providing encryption," wrote Judge Richard Posner, a respected economist and jurist. "It must take responsibility for that self-inflicted wound."
Posner, who serves on the 7th Circuit Court of Appeals, wrote: "A service provider that would otherwise be a contributory infringer does not obtain immunity by using encryption to shield itself from actual knowledge of the unlawful purposes for which the service is being used."
If large copyright holders begin to target privacy-protecting Internet services, advocates worry that the tiny industry may not be able to survive the eventual fusillade of laws and litigation. (In October 2001, Zero-Knowledge Systems, a pioneer in the type of identity-shielding technology that would be a boon to peer-to-peer networks, closed its flagship anonymity network, Freedom.)
Marc Rotenberg, director of the Electronic Privacy Information Center, says that anonymity should remain the default condition both online and offline. "It is in many different contexts in the physical world, whether it's travel or commerce," Rotenberg said. "The burden typically falls on organizations that want your personal identity to justify their reason."
Given the RIAA's history of lawsuits, Rotenberg said he fears the worst. "To the extent that anonymity appears on the RIAA radar screen--as have P2P and other technologies that stand in the way of copyright enforcement--you can be sure that RIAA attorneys will launch a frontal assault, regardless of the constitutional implications," Rotenberg said.