Hey Mom, is it ok if I send your tax forms to a guy named "SlickWolffy"?
When I speak to parent groups, I often tell them if they buy their child an iPod but don't give their kids an iTunes account or other legitimate way to get music, they've just created a music pirate. It's illegal to acquire copyrighted material such as music and films without paying for it. I know most people don't worry about the Feds pounding on their door to find the kid who downloaded the latest Taylor Swift single for free, but there are several high-profile RIAA (Recording Industry Association of America) lawsuits targeting the individual music file sharer. More recently, in Europe, a pub was fined for allowing file sharing over a public Wi-Fi connection, and IP addresses are now being subpoenaed in an illegal music file sharing lawsuit. So I would say that while the chances of anyone you know getting into legal trouble for using peer to peer file sharing services are slim, it's not unheard of. And as a parent, I'm still stuck on the bit about it being illegal, not about whether or not I might get caught. You don't teach your child that shoplifting is OK as long as you aren't caught, do you?
OK, so perhaps you're with me and agree that it's wrong to steal music and videos with file sharing systems. But what about the identity theft risk? How is peer to peer file sharing a factor?
First, what is peer to peer (or P2P) file sharing? According to Wikipedia, it's the "practice of distributing or providing access to digitally stored information, such as computer programs, multi-media (audio, video), documents or electronic books." The peer to peer bit means that instead of sitting on a centralized server, the desired files are stored on user systems all across the network, and the network consists of fellow users of that particular system. Some of the popular programs or networks are Limewire, Bearshare, uTorrent, BitTorrent and Morpheus. Older, defunct brands you might recognize are KaZaa and Napster.
When you use peer to peer file sharing services, you identify a folder or area on your hard drive that you authorize all the users of that network to search in their effort to find the desired music and video files. You are therefore giving millions of strangers some level of limited access to your computer, all day and every day. How does private and sensitive information get leaked onto these networks?
Several possible ways:
- Your children install peer to peer software without your knowledge. They don't know where you store your private information and by mistake give the P2P network rights to the folder where your personal correspondence is stored.
- The user interface for the peer to peer software is hard to understand. You didn't realize you authorized your whole hard drive to be used.
- You downloaded a new mp3 and stored it in the wrong place. But your peer to peer configuration says to use folders where mp3s are stored.
- There was a bug in the version of the software you used and your settings weren't saved.
- You searched for a file, downloaded it and it happened to contain malware that silently installed on your computer. One of the first things the malicious code did was change your P2P settings so that your entire network was exposed.
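Whichever of these ways puts the wrong folder on the network, you can check what a shared folder currently exposes. The Python script below is an added example, not part of the original article; the keyword list, file extensions and SSN pattern are assumptions chosen for illustration, and the folder to audit is whatever your P2P program is set to share.

```python
import os
import re

# Assumed heuristics (not from the article): name keywords and file types that
# suggest a file should never sit in a folder shared with a P2P network.
SENSITIVE_WORDS = ("tax", "passport", "password", "bank", "payroll", "ssn")
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".csv", ".rtf"}
TEXT_EXTS = {".txt", ".csv"}
# US Social Security Number written as 123-45-6789
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def audit_shared_folder(shared_root):
    """Return a sorted list of (relative_path, reasons) for files that look private."""
    findings = []
    for dirpath, _dirs, files in os.walk(shared_root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name.lower())
            reasons = []
            hits = [w for w in SENSITIVE_WORDS if w in stem]
            if hits:
                reasons.append("name contains: " + ", ".join(hits))
            if ext in DOCUMENT_EXTS:
                reasons.append("document type " + ext)
            if ext in TEXT_EXTS:
                try:
                    with open(path, "rb") as fh:
                        if SSN_RE.search(fh.read(1_000_000)):
                            reasons.append("contains SSN-like number")
                except OSError:
                    reasons.append("unreadable")
            if reasons:
                findings.append((os.path.relpath(path, shared_root), reasons))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, why in audit_shared_folder(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {'; '.join(why)}")
```

Any document that turns up in a folder meant for music is worth moving out, even if its name looks harmless.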
I recently attended a demonstration from a company that monitors peer to peer file sharing networks looking for leaked security and private information. In just one live demo of Limewire, they found hundreds upon hundreds of US tax returns doing a search on the term: "tax return". Each file popped on the screen as a .pdf file that the instructor clicked on and opened for our review. All the data was there: name, address, Social Security Number. Identity theft would have been a piece of cake, except that the audience consisted of law enforcement professionals (and me).
This isn't science fiction. There have been cases of private and security-related information leaking out onto peer to peer systems for many years. Here's a story from Japan of police information ending up in public hands. Or read about this summer's Congressional testimony that told about Department of Transportation and US National Archive documents leaked to peer to peer because a DOT employee logged into work from her home computer. The same home computer her daughter used to download peer to peer software to share music. In the same article you can read about the Ethics committee staffer whose files were leaked, files that included lists of people involved in ethics inquiries. And the story I've mentioned before, of a family whose tax returns ended up on Limewire and were used by crooks to steal their tax refund. Or today's story of a lawsuit stemming from P2P leaked passwords that led to stolen Department of Defense paychecks totaling $20,000.
An estimated 20 million people are using peer to peer every second. Most kids report using peer to peer, especially when they get to college. Even when they know it's illegal, young people view P2P as an accepted and socially-sanctioned method for acquiring music and videos. Only 18% of companies have an outright ban on P2P at work, despite the fact that even a single installation on a corporate network can compromise the entire corporation's security. I genuinely get that it's a huge battle to change behavior.
You might be curious to know how it works at Symantec/Norton. We have a policy against P2P use in the office and on company equipment. It is grounds for HR discipline and can lead to dismissal. Each new hire is taught about the restrictions on using P2P and annually we undergo security awareness training. We have our own Symantec Endpoint Client Security product that can detect and block the use of a P2P application. Many large enterprises use our product to ensure that P2P isn't used in the workplace and doesn't compromise security.
To learn more about how criminals can access your private information on peer to peer networks and a university's research into how quickly private information is stolen and used, read this article: http://www.computer.org/comp/proceedings/hicss/2008/3075/00/30750383.pdf
Fine, maybe I've convinced you that allowing P2P on your home computers is a bad idea. So here is how to determine if your child (or spouse) is using P2P:
- Ask them. Explain what you've learned and ask for their help.
- Look at their music player; if there are thousands of songs and you haven't paid for thousands of songs, you likely have a P2P user.
- Look at their computer, your computer and any external hard drives, thumb drives and CDs. If you find mp3 files, ask where they came from.
- If you have current movie files on your computer, ask your children and spouse where they came from.
- Run your own amnesty program to encourage family members to confess using P2P. If you have family members or friends who visit with their laptops and might use P2P, find out.
- Look for programs running in the system tray. P2P names include uTorrent, KaZaa, Morpheus, Limewire, Grokster, iMesh and Blubster, but remember there are more than 225 different kinds and not all will be easily recognized by name. Do a "search" on your computer for files with these names. Click on Start > Programs to see if one of these names appears in the programs directory. Look under "Files and Folders" as well. Go to the Control Panel and click on "Add or Remove Programs" to see if any of them are listed.
- If you find evidence that P2P is on your computer, use the "Add or Remove Programs" feature to uninstall it.
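The name search and the "Add or Remove Programs" check from the list above can be run in one pass. This Python script is an added example, not part of the original article; it uses only the client names the article mentions, reads the standard Windows uninstall registry keys when run on Windows, and the folders passed to `scan` are your choice (for example your user profile and Program Files).

```python
import os

try:
    import winreg  # Windows only; elsewhere only the file-name search runs
except ImportError:
    winreg = None

# Names from the article's lists. It notes 225+ clients exist, so a clean
# result does not prove that no P2P program is present.
P2P_NAMES = ("utorrent", "bittorrent", "kazaa", "morpheus", "limewire",
             "bearshare", "grokster", "imesh", "blubster")
UNINSTALL_KEYS = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                  r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall")


def matches(label):
    """Return the client names that appear in a program, file or folder name."""
    return [n for n in P2P_NAMES if n in label.lower()]


def installed_programs():
    """Display names shown by 'Add or Remove Programs' (empty list off Windows)."""
    found = []
    hives = (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER) if winreg else ()
    for hive in hives:
        for path in UNINSTALL_KEYS:
            try:
                with winreg.OpenKey(hive, path) as key:
                    for i in range(winreg.QueryInfoKey(key)[0]):
                        try:
                            with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                                found.append(str(winreg.QueryValueEx(sub, "DisplayName")[0]))
                        except OSError:
                            continue  # entry without a DisplayName
            except OSError:
                continue  # key absent on this machine
    return found


def scan(roots):
    """Return sorted (source, name, clients) hits from the registry and from each root."""
    hits = {("installed", p, tuple(matches(p))) for p in installed_programs() if matches(p)}
    for root in roots:
        for dirpath, dirs, files in os.walk(root):
            for entry in dirs + files:
                if matches(entry):
                    hits.add(("file", os.path.join(dirpath, entry), tuple(matches(entry))))
            dirs[:] = [d for d in dirs if not matches(d)]  # one hit per matched folder
    return sorted(hits)
```

Matching is by substring, so an unrelated file with one of these words in its name will also be listed; treat each hit as something to look at, not as proof.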
As we get closer to the holiday gift-giving season, give strong consideration to giving all your loved ones a subscription or gift card to an online music and video sharing site like iTunes, Amazon, Rhapsody, Wal-Mart and so forth. Put a pirate out of business and help protect your future.