June 6, 2002 10:45 PM PDT
Kazaa users often expose personal files
The research, which was published Wednesday on Hewlett-Packard's Web site, found that a significant percentage of Kazaa users have accidentally or unknowingly designated private files to be shared with everyone who has access to the popular Kazaa network.
"The majority of the users in our study were unable to tell what files they were sharing, and sometimes incorrectly assumed they were not sharing any files when in fact they were sharing all files on their hard drive," the researchers wrote.
The study, conducted by computer scientists Nathaniel S. Good of HP Labs and Aaron Krekelberg of the University of Minnesota, points out that peer-to-peer programs often pose a threat to computer privacy.
Those programs have been controversial in other ways as well. Sharman Networks, which owns the Kazaa software, recently came under a firestorm of criticism for linking Kazaa users, often unwittingly, into peer-to-peer activities unrelated to their own file sharing. And content owners lambaste file swapping in general for fueling massive copyright infringement.
Good and Krekelberg scripted programs to search the Kazaa network for files that store Microsoft Outlook Express e-mail, with the assumption that these would be files that no one would intentionally share on the public network.
The automatic queries occurred every 90 seconds for 12 hours and revealed 443 instances of unintentional file sharing. In that 12-hour period, 156 Kazaa users were found to have e-mail files open for public review. Sixty-one percent of the searches revealed at least one e-mail file.
In another test, researchers studied 20 distinct cases in which the Outlook mail program had been made public. Of those, 19 allowed access to other categories in the program, such as deleted items and mail sent. Nine users exposed their Web browser's cache and cookies, five exposed word processing programs, and two exposed what appeared to be financial data.
Another experiment sought to determine whether other Kazaa users were trying to exploit this vulnerability by downloading files from other people's computers. The researchers placed dummy personal files with titles such as Credit Card.xls and Inbox.dbs on a server. In a 24-hour period, the credit card file was downloaded four times by four unique visitors, and the inbox file was downloaded four times by two unique visitors.
The study said the researchers did not download any files from other Kazaa users.
The researchers blamed shortcomings in the Kazaa installation software for making it easy for people to configure their software improperly and unknowingly share private information.
Kazaa representatives were not immediately available for comment.