International Trade Today is a service of Warren Communications News.

P2P Bill Would Require Pre-Install Sharing Notice, Disabling of Any Function

A reintroduced bill to require user protections in P2P software would require a revision of the Distributed Computing Industry Association’s inadvertent-sharing protection principles, the group’s leader said Thursday. The Informed P2P User Act (HR-1319) by Rep. Mary Mack, R-Calif., which has support from Commerce Committee Ranking Member Joe Barton, R-Texas, was also offered late last year. It would require finer-grained user controls over P2P software than companies have been willing to offer.


The DCIA recently reviewed working-group participants’ plans for carrying out the principles (WID Feb 24 p3), whose drafting started in earnest after a House Oversight Committee investigation in 2007. They showed among other things a decline in the use of recursive sharing, the practice of sharing the contents of an entire parent folder, including subfolders that users may not intend to share. Inadvertent sharing last year made public a Supreme Court justice’s financial information and recently exposed blueprints for President Barack Obama’s helicopter (WID March 3 p3).

Mack’s bill would require P2P software makers to provide “clear and conspicuous notice” to users, “immediately” before installation, that their files will be available for others to download. Makers would have to get “informed consent” from users before installation of their programs and before turning on the file-sharing function. In a provision that DCIA Executive Director Marty Lafferty agreed would mean changing his group’s principles, the bill would require similar notice of “which files are to be made available to another computer” before sharing is enabled. The principles currently let software makers without notice carry over the default settings, including which files and folders are shared, from an earlier version of installed software when a new version is installed.

More difficult for software makers is the bill’s requirement that any function a user doesn’t want must have a “reasonable and effective means” to be disabled or removed from the software. The DCIA principles don’t come anywhere near a recommendation for such granular user control. The language may be broad enough to require makers to let users turn off advertisements in the free version of a P2P client. Lafferty said the working group will make changes to the principles “insofar as possible” and try to convince lawmakers to modify provisions that are “impractical or ineffective to implement.” It has been keeping congressional staff up to date on the progress of the working group, and its goal is to make legislation “unnecessary,” he said. A spokeswoman for Mack said she wasn’t sure whether the office had been in contact with the DCIA.

The bill also gives the FTC enforcement authority over P2P software makers. Users are “posting their tax returns, financial records, and personal messages on the Internet, and they don’t even know it,” Rep. John Barrow, D-Ga., a co-sponsor of the bill, said in a statement with other sponsors. “We have truth in lending and truth in labeling -- this is truth in networking, and we need it.” The statement noted security company Tiversa’s recent report that Marine One’s blueprints were shared through a file-sharing program that showed they were accessed by an IP address in Tehran. The House Commerce Committee, on which the sponsors serve, couldn’t tell us when a hearing may be scheduled to consider HR-1319.

Recursive Functionality on the Decline

One of the more notable changes in P2P software settings to emerge from participants in the DCIA working group is the removal of recursive sharing by default, and in some cases altogether. That setting was the means by which P2P networks became flooded with users’ collections of not only music and movies but also sensitive files that have drawn government attention since at least 2003, when House Oversight first held hearings.

The DCIA has been collecting members’ implementations of the principles for about two weeks, and has received seven. The group is made up largely of P2P companies that want to show themselves as protective of users and responsible to content owners. So its survey isn’t conclusive about the practices of others, especially independent developers who wrap an interface around a popular protocol like BitTorrent. Lafferty said other companies taking part had “pending software upgrades” that had slowed their drafting of compliance reports to the DCIA.

“There was a consensus realization of the value of working to remove recursiveness” to prevent accidental sharing, Lafferty said. “The discussion [before the principles were released] went to the degree of difficulty and the time-and-resource commitment that would be required to make this change, which was different for different file-sharing software companies.” The DCIA’s principles require a user’s express decision to share folders recursively, rather than banning the feature.

Lime Wire, once the poster child in Congress for reckless sharing settings (WID July 25/07 p1), abandoned recursive sharing in its latest version. Users of LimeWire 5.0 must explicitly drag a folder they want to share to the “P2P Network” icon in the software. The company also ditched the all-in-one “shared folder” that has gotten so many P2P users in trouble with the RIAA. Version 5.0 requires users to take several steps in order to share “documents” such as Word files, as opposed to media files. They must check a box on a page labeled “Unsafe Categories” deep within the menu interface.

A big exception to the recursiveness trend is GigaTribe, which like many P2P companies of recent vintage has emphasized closed-network sharing. The French company requires users to invite their friends to a private network to share files and designate which files they want shared. There’s no simultaneous uploading of content in the process of being downloaded, as with the BitTorrent protocol, and unsharing selected folders is a one-click operation. Freedom from recursiveness carries a price, though: GigaTribe’s free version only allows sharing of folders with “read” access, makes shared folders available to all contacts, and is recursive by default. The paid version offers read/write access for folders, user control of which groups can access which folders, and downloading of folders. Lafferty confirmed that GigaTribe seems to be violating the principles. He said he’s been unable to reach the company for several days. A spokeswoman late Tuesday told us executives were at a trade show and unreachable all week.

The DCIA’s report on submissions so far showed 100 percent compliance with the principle that users be told clearly before installation that downloaded files can be re-downloaded by others on the network. “User-originated files” aren’t allowed to be shared by default. Four of seven companies required “affirmative steps” for users to share their own files, while the principle was inapplicable to the other three. The same figures applied to providing a simple way to disable sharing functionality altogether from any screen on the user interface. (Some DCIA participants, like Abacast, provide distribution services to content owners using P2P functionality, not user-controlled sharing.) All but one gave users a simple way to stop sharing of specific folders and files. Four companies didn’t offer recursive sharing and two complied with the no-recursive-by-default principle. GigaTribe was the exception.

Four companies provided “additional protection” against potential user error after user-originated files have been affirmatively shared, while one didn’t comply with that principle. The same numbers applied to blocking any attempt to share a complete drive or system folder. Three required affirmative steps and “conspicuous warnings” to share a “sensitive folder,” while one did not. It was two-to-two for the principle that “sensitive file types” must be blocked from sharing even if a user chooses to share user-originated files. Five out of seven clearly specify how many files are being shared, including a “prominent warning” for a large number, with one not complying.

All eight companies for which the principle is applicable said they make “best efforts” to convince users to upgrade to new software once it’s available. That includes asking them to re-confirm earlier sharing settings, and warning them about sensitive folders currently marked as shared. The same number said they require users to reset their earlier settings upon installation if the new version materially affects user settings. Lafferty said the group decided against forcibly upgrading users to new software, even if it’s safer than old versions, because it violates the principle of user control and may be technically difficult. -- Greg Piper