03.20.2007
Filesharing Risks

Last week, the USPTO released its final report on Filesharing Programs and "Technological Features to Induce Users to Share" (Nov. 2006), authored by Thomas Sydnor, John Knight, and Lee A. Hollaar.

The report got some press, but not a lot, and its implications are important, so it is worth some excerpts:

From the Introduction, by USPTO Director Jon Dudas:

This report analyzes five popular filesharing programs to determine whether they have contained, or do contain, “features” that can cause users of these programs to share files inadvertently. It concludes that these programs have deployed at least five such “features,” and that distributors of these programs continued to deploy such features after their propensity to cause users to share files inadvertently was, or should have been, known. It concludes that further investigation would be warranted to determine whether any distributors who deployed these features intended for them to trick users into sharing files unintentionally.

From the Report's conclusion:

The available data on users’ propensity to share files also suggests a potential motive: When sharing or uploading was a clearly voluntary behavior, few users chose to share files. Later, lawsuits against infringing users of filesharing programs appear to have decreased users’ already-limited propensity to share files voluntarily. Under such circumstances, it may be impossible to base a successful filesharing network entirely upon “voluntary cooperation among users”: Technological features that “induce users to share” files unintentionally may be indispensable.

The implications are serious:

B. Implications. This report does not purport to draw conclusions about whether any given distributor of a particular filesharing program intended to deploy “technological features” in order to “induce users to share” files inadvertently. Nevertheless, for some groups of persons, significant implications follow from the conclusions drawn regardless of whether or how questions about any individual distributor’s intent are ultimately resolved.

Government and Corporate IT-Security Managers: For anyone concerned about protecting the security of sensitive data or the security of computer networks, questions about whether features that can cause users to share files unintentionally were intended to programs present a tripartite threat to the security of data and networks.

Filesharing programs can cause inadvertent sharing that can compromise entire networks: In networked environments, the effects of the “features” discussed above can be particularly devastating. For example, on some networks, a user who tries to store downloaded files in a folder like “Documents and Settings” can end up “sharing” all files created by all users of the network. Even home use of filesharing programs can compromise government or corporate networks: Usability and Privacy notes that if a home computer has a VPN connection to a corporate or governmental network, a user can inadvertently “share” the portion of the network available through the VPN connection.

Filesharing programs can infect computers or networks with malicious code: To avoid vicarious liability for pervasive infringing uses of their programs, distributors of filesharing programs stopped registering or uniquely identifying individual users of their programs. Distributors knew that this would encourage distributors of malicious code to use popular downloads as a means to compromise computers and networks: “As you would expect, when files often come from anonymous and uncertified sources, the risk of that file containing a virus greatly increases.”77 As a result, research by the security company TruSecure found that 45% of popular downloaded files concealed malicious code.

Filesharing programs can contain vulnerabilities that hackers can exploit to steal sensitive data: DHS warns that filesharing programs “can result in network intrusions and the theft of sensitive data.… [F]ederal government organizations have discovered the presence of P2P software on compromised systems while investigating cyber intrusions.” McGill University warns that some filesharing programs are developed by “ragtag teams following ad hoc plans, resulting in barely functional, extremely buggy clients that are prone to security breaches.”

All three of these risks increase because filesharing programs—unlike most others—often appear to be designed to go where they are not wanted and to evade the security measures that could exclude them. As one security expert warns, “Many of the finest computer minds in the world are continuously working to make the P2P programs evade the best detection schemes available.”

There will almost never be a legitimate business or governmental justification for employee use of filesharing programs. Nevertheless, preventing employees from using these programs on corporate or government networks can be both difficult and expensive.81

Owners of Home Computers: People who store any type of sensitive data on their home computers—particularly computers to which children, teenagers, or college students might have access—confront circumstances similar to those faced by governmental or corporate IT managers. Unfortunately, owners of home computers face two additional challenges.

First, owners of home computers will almost always lack the resources available to governmental or corporate IT managers. Second, home computers are often used by multiple persons, and the person who best understands which files are sensitive and where they are stored may not be the person who installs and runs a filesharing program. Indeed, whenever employees do work at home, government or corporate IT managers may find that these complications affect their interests as well.

The critical challenge will be assessing the options available to owners of home computers (or persons who contract with Internet-access providers) who want to prevent filesharing programs from being installed or used on their computers and networks. While software firewalls or routers can be configured so that only one person can grant Internet access to a program, this solution may prove impractical for most roommates or families. The Federal Trade Commission has done some initial investigation into other filesharing-detection-or-prevention options available to owners of home computers. Further research and reporting by consumer-protection advocates might be useful.

Users of Filesharing Programs: For users of filesharing programs, it is, again, largely irrelevant whether particular features in those programs were intended to—or simply can—cause some users to share infringing files inadvertently. In either case, many of the same implications follow.

The research on uploading rates among users of filesharing programs suggests that users’ propensity to share files is affected, but not dictated, by the design of filesharing programs. The more than 100% increase in sharing reported between 2000 and 2001 strongly suggests that program design can significantly affect users’ propensity to upload files. But the 500% plunge in sharing rates—to 15% of the user population—by 2004 strongly suggests that users can, over time, overcome the effects of design. But the rise of coerced-sharing features suggests that as users overcome the effects of design, users’ past experiences can be turned against them.

This suggests that users are neither unaffected nor enslaved by the design of filesharing programs. This may refute claims that distributors of filesharing programs do not “facilitate the exchange of files between users” or that users alone “select which files to share.”82 But it also seems to refute Professor Lessig’s claim that a “fundamental principle of bovinity” ensures that “it is as likely that the majority of people would resist [imperfect controls imposed through code] as it is that cows would resist wire fences.”83 His “bovine account” of human nature asserts that most people are no more than witless cows. But, given time, information, and incentives, most users did resist some of the “technological barriers” to disabling sharing that filesharing programs tended to create.

Unfortunately, while users of filesharing programs may have proven to be, over time, more competent—more human—than some thought, for users, the implications of features in filesharing programs that can cause users to share files inadvertently are almost universally bad.

First, until distributors of filesharing programs eliminate all features in their programs that can cause users to share files unintentionally—and stop adding new ones—filesharing programs will be dangerous, use-at-your-own-risk propositions. While this report identifies some potential problems, the precautions taken to avoid confusing imperfect interface design with duping ensure that this report does not purport to identify all features in filesharing programs that could cause users to share files unintentionally: It is not a guide to “safe sharing.”

Second, for now, users of filesharing programs who want to avoid inadvertent sharing are on their own. As Usability and Privacy noted, filesharing programs themselves often do a “poor job” of helping users avoid inadvertent sharing. The users’ guides and manuals for these programs are also often unhelpful, and some could be affirmatively misleading. Nor can users rely on the informal user forums associated with most programs: Posting questions on these forums about halting or restricting sharing may produce hostile “flame” responses, but little useful guidance. While users can search the Internet for instructions on disabling sharing in various programs, most are now dated, and some are inaccurate. Again, consumer-protection or public-interest advocates might assist by providing a regularly updated online guide to halting sharing in the more popular programs. Unfortunately, some technical analysis would be needed to confirm that features that seem to let users halt sharing actually do so.

Third, users should assume that they can be held liable for infringing use of filesharing programs even if they share or upload infringing files unintentionally and even if they do so as a result of features that were intended to dupe users. Direct liability for copyright infringement is a form of strict liability.84 And many users who upload copyright-protected files inadvertently may do so negligently or recklessly: The features discussed above do not force users to share infringing files, and they do not cause sharing that cannot be detected and corrected by a very alert, well-informed user.

Moreover, while duping might cause high-volume uploading that triggers a copyright-enforcement lawsuit against a particular user, discovery will probably reveal other, more intentional, forms of infringement. As one commenter notes, “Virtually everyone who participates in one of the file-swapping networks is breaking the law in the process.”85 So regardless of whether a given user bears some measure of personal culpability for the sort of high-volume uploading of infringing files that can trigger an enforcement lawsuit, that user has probably also engaged in infringement not caused by duping. For example, uploading may have led rightsholders to sue one particular user of a filesharing program, but the courts ultimately held her liable for downloading infringing files.86

Fourth, users should not expect rightsholders or courts to sympathize whenever a user claims that he or she was duped into becoming a high-volume uploader of infringing files. Duping schemes—or features that simply act like duping schemes—are dangerous because they make it difficult to distinguish those who acted unintentionally from culpable wrongdoers who planned to “cry duping” if they were caught. For example, a culpable user of BearShare might use its share-folder feature to store downloaded files in “My Music” folder so he could, if caught, claim that he did not know that BearShare was recursively sharing all of the subfolders of “My Music” that stored thousands of audio files copied from lawfully purchased CDs.

Fifth, users should recognize that the factors outlined above do not mean that users who have shared files unintentionally lack any form of legal redress. For example, one court adjudicating a lawsuit brought against a user of a filesharing program who claimed that she shared any allegedly infringing files inadvertently has noted that she could bring a state-law contribution or indemnity claim against the distributor of the filesharing program at issue.87 State consumer-protection laws may provide another means of redress.

Finally, some defenders of filesharing may argue that the prevalence of “technological features” that can “induce users to share” infringing files makes it unfair for copyright holders to sue users of filesharing programs for infringement. They may thus argue that if distributors of filesharing programs have both encouraged users to infringe copyrights voluntarily and duped them into doing so involuntarily, then those distributors should be given what they always wanted: A collective or compulsory license to distribute the copyrighted works targeted by their schemes. One could scarcely conceive of a better means to encourage future copyright piracy, fraud, and duping schemes.

Distributors of filesharing programs: Distributors of filesharing programs may also find that they should eliminate or fully disclose any features that could cause new or unsophisticated users of their programs to share files unintentionally—and do so regardless of whether or how questions about the intent underlying such features are resolved.

Many distributors of filesharing programs have claimed that they want copyright enforcement to “leave the little guys alone”—to avoid targeting the young and unsophisticated users of filesharing programs who seem to be prevalent among the high-volume uploaders of infringing files. The data analyzed above strongly suggests that distributors of filesharing programs could make this aspiration a reality: If children and unsophisticated users shared hundreds of infringing files only when they clearly intended to do so, most would likely choose not to do so. The conclusion that Usability and Privacy drew in 2002 remains valid today: Eliminating features that can cause inadvertent sharing, and halting any continuing effects of previously deployed features, should be a “top priority” for responsible distributors of filesharing programs.

Raw self-interest on the part of distributors may also dictate such a course. The intentional-inducement doctrine recognized in Grokster is unusual: Most civil laws impose liability for wrongful conduct without a showing of intent. This is true for most forms of direct or secondary liability for copyright infringement. It is also true for other forms of civil liability that could be triggered by “technological features” that “induce users to share” files inadvertently.

For example, the distributor of a filesharing program that contains features that do cause users to share infringing files unintentionally could face direct or secondary liability for the resulting infringements absent any showing of intent. Direct liability for copyright infringement is joint and several: When an infringement occurs as the result of consecutive wrongful acts by two parties, each is held fully liable. An infringing upload might occur only because (1) a distributor released a program that contained a not-so-obvious redistribution feature, and (2) a user unaware of that feature intentionally downloaded an infringing file. In such a case, an infringing upload results from the combined effects of consecutive wrongful acts by the distributor and user of the program.

A similar result might follow under secondary-liability doctrines. If a program deploys a feature that its distributor knew or should have known would cause some users to upload infringing files inadvertently, then vicarious liability may attach: Such a distributor would have had the right and ability to control—indeed, to prevent—the infringing acts that the feature subsequently caused.

Nor is civil liability for copyright infringement the only form of civil liability that might confront the distributor of a filesharing program containing “features” that cause users to share files unintentionally. Regardless of whether a file shared inadvertently is infringing or a sensitive personal file, the affected consumer incurs a significant risk of harm. Civil consumer-protection and tort laws impose forms of strict liability against distributors of products—particularly if those products become, in effect, dangerous toys often used by children. Indeed, as noted above, at least one court has already noted that a user of a filesharing program who shares files inadvertently may have a cause of action for contribution against the distributor of the program.

All of these factors suggest that any more attempts to deploy “technological features” that can “induce users to share” infringing files should be viewed with great skepticism. Six years ago, Free Riding on Gnutella questioned whether a viable filesharing network could be based upon “voluntary cooperation between users.” The public data analyzed here suggest that the events of the last six years may not answer this question. The events of the next few years probably will.

posted by James DeLong @ 12:05 PM | Internet: P2P, Search Engines...
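
The report's network example, a download folder set to “Documents and Settings” that ends up sharing every user's files, can be checked before a client is pointed at a folder. The audit below is an added example, not code from the report or this blog; the folder-name list, the extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumptions for this example (not from the report): folder names treated as
# profile-level roots, and extensions treated as likely-sensitive documents.
RISKY_ROOT_NAMES = {"documents and settings", "users", "home", "my documents"}
SENSITIVE_EXTS = {".doc", ".xls", ".pdf", ".pst", ".qif", ".pem", ".kdb"}


def audit_share_root(root):
    """Enumerate what a recursively shared folder exposes (symlinks not followed)."""
    root = Path(root).resolve()
    home = Path(os.path.expanduser("~")).resolve()
    report = {
        "root": str(root),
        # Risky if the root is a profile-level folder, the filesystem root,
        # or the current user's home directory or one of its ancestors.
        "risky_root": (
            root.name.lower() in RISKY_ROOT_NAMES
            or root == Path(root.anchor)
            or root == home
            or root in home.parents
        ),
        "files": 0,
        "sensitive": [],
        "top_level_dirs": set(),  # e.g. one entry per user profile exposed
    }
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            rel = (Path(dirpath) / name).relative_to(root)
            report["files"] += 1
            if len(rel.parts) > 1:
                report["top_level_dirs"].add(rel.parts[0])
            if rel.suffix.lower() in SENSITIVE_EXTS:
                report["sensitive"].append(rel.as_posix())
    report["sensitive"].sort()
    return report


def build_constructed_tree(base):
    """Create a small constructed two-user profile tree for the demonstration."""
    files = [
        "Documents and Settings/alice/Shared/song.mp3",
        "Documents and Settings/alice/My Documents/taxes-2006.xls",
        "Documents and Settings/bob/Desktop/payroll.doc",
        "Documents and Settings/bob/My Music/album/track01.mp3",
    ]
    for rel in files:
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample\n")
    return Path(base) / "Documents and Settings"


def demo():
    """Audit the profile root and a dedicated share folder; return both reports."""
    with tempfile.TemporaryDirectory() as base:
        profiles = build_constructed_tree(base)
        wide = audit_share_root(profiles)
        narrow = audit_share_root(profiles / "alice" / "Shared")
    return wide, narrow


if __name__ == "__main__":
    for r in demo():
        print(r["root"], "RISKY" if r["risky_root"] else "ok",
              r["files"], "files,", len(r["sensitive"]), "sensitive")
```

Run against the folder a client is configured to share, it lists every file a recursive share would publish and flags roots that sit at or above a user profile.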

Comments


Oh boy. The reason this hasn't been reported all that widely is because the USPTO has flown off into the wide blue yonder and really doesn't know what the heck it's talking about - people are _embarrassed_ for them - it really does look like it's just lashing out at the internet in general in its death-throes.

Here's some mainstream (geek mainstream) media coverage:
http://it.slashdot.org/article.pl?sid=07/03/14/2131201

Comment by user Kamots is particularly cutting:

http://it.slashdot.org/comments.pl?sid=226581&cid=18355783

Posted by: Spumco at March 20, 2007 4:17 PM

Wow, the USPTO actually wastes taxpayer dollars on junk like this? Don't they have enough trouble already? I wonder how much Mr. Sydnor -- a former lawyer with the RIAA's law firm, Arnold & Porter -- gets paid for bringing the copyright cartels' perspective to government-funded reports.

First, anyone capable of installing a p2p application cannot be so incredulous as to not realize they are sharing what they download. That's the whole point of p2p. I run a couple of different p2p apps regularly for the express purpose of sharing files to help make them as widely available as possible. This is especially important for the Bittorrent network, when files tend to become harder to obtain as they age. Personally, I only need or want about 10% of what I download, but I keep the files (mostly *.iso's of various *nix OSes) available so others can obtain them.

Second, people on networks where sensitive information is stored should not be using p2p apps, especially not if those networks belong to their employer, and more so if their employer is the government. What is the matter with the admins of these systems that they'd allow this?

Third, if a network or machine is so insecure as to be compromised by malicious code downloaded by a user via p2p, then the problem is with that network or machine. Use a secure OS (OS X, a BSD, a Linux distro) with proper user controls and a functioning security update system and the worst that happens is a user's account might, in exceptional circumstances, become compromised. Use a buggy, insecurely designed OS like Windows, where user accounts regularly have admin privileges, and you're asking for trouble. It doesn't take p2p to compromise the latter -- it can and is easily compromised by email or web browsing, among other network-enabled features. If the USPTO was actually serious about protecting government networks containing sensitive information, the first and most obvious step is to abandon Microsoft's buggy, closed, and proprietary code.

Posted by: Michael M. at March 20, 2007 5:29 PM

"A similar result might follow under secondary-liability doctrines. If a program deploys a feature that its distributor knew or should have known would cause some users to upload infringing files inadvertently, then vicarious liability may attach: Such a distributor would have had the right and ability to control—indeed, to prevent—the infringing acts that the feature subsequently caused."

Sounds like the anti-P2P crowd is grasping at straws in their mad desperation to go after P2P.

Users have responsibility. It is interesting how quickly the far-right drops the 'personal responsibility' line once they see that it might work against them.

Using this logic, a car manufacturer should be sued, since they know that some of the cars they manufacture will be involved in accidents.

Posted by: enigma_foundry at March 21, 2007 12:29 AM

Putting sensitive information on an insecure, Internet-connected machine creates security risks. It is irresponsible for a government official to suggest that P2P software is to blame. I'm reminded of the SCO Group claiming that their copyright lawsuit against IBM was a way of "fighting terrorism." This is the sort of illogical grandstanding we've come to expect from the RIAA...not the USPTO.

Posted by: John Gordon at March 21, 2007 3:05 PM








 