The IPcentral Weblog

Tuesday, July 22, 2008

Some Concerns about DCIA's New Voluntary Best Practices for P2P File-Sharing Software Developers to Implement to Protect Users Against Inadvertently Sharing Personal or Sensitive Data

Over the past week, I have been asked repeatedly about the Voluntary Best Practices for P2P File-Sharing Software Developers to Implement to Protect Users Against Inadvertently Sharing Personal or Sensitive Data (the "VBPs") just released by the Distributed Computing Industry Association ("DCIA"). As most probably know, these VBPs appear to have been hastily released after LimeWire's latest fiasco, which involved inadvertent sharing of the financial data of Supreme Court Justice Stephen Breyer.

I am still reviewing these new VBPs and comparing their provisions against the behavior of then-current versions of the file-sharing programs distributed by entities that purport to have developed these VBPs. Nevertheless, I can now summarize some key conclusions: I have serious concerns about the scope, substance, and credibility of these new VBPs.

CONCERNS ABOUT THE SCOPE OF THE VBPs:

The VBPs Unfairly Stigmatize All "P2P File-Sharing Software Developers": The VBPs seem to proceed from an absurd premise: They seem to presume that roses and skunks are equally likely to smell bad. The VBPs purport to apply to all "P2P File-Sharing Software Developers." I am aware of no data showing that risks of potentially harmful inadvertent sharing (much less inadvertent sharing of "personal" or "sensitive" files) arise consistently from all "P2P File-Sharing Software."

To the contrary, the available data indicate that the worst of these risks seem to arise only from a narrow subset of programs whose similarities appear to arise more from the business models of their developers than from any actual reliance upon peer-to-peer networking or file transfers. For example, both the Gnutella-based LimeWire program and the BitTorrent-based program Joost are "P2P File-Sharing Software." But Joost and LimeWire do not even arguably pose similar risks to their users. Nevertheless, the VBPs treat both programs as if either could be equally likely to cause harm.

That is just plain wrong. It makes no sense to state or imply that all "P2P File-Sharing Software" should be painted with the same bad-actor brush.

CONCERNS ABOUT THE SUBSTANCE OF THE VBPs:

Compliance with the VBPs Is Unlikely To Significantly Reduce Potentially Dangerous Inadvertent Sharing: Regrettably, I expect that the VBPs--even if scrupulously followed--may have little or no effect on the prevalence of inadvertent sharing of personal data. The VBPs seem to presume that inadvertent sharing of "sensitive" data is still a problem that program distributors can cause or remediate at will. I suspect that this presumption is now dreadfully wrong.

For example, when episodes occurring in 2005 and 2006 returned my attention to the problem of inadvertent sharing of personal data, I embarked on a then-fruitless snipe hunt. When trying to determine why users of file-sharing programs might be inadvertently sharing personal files in 2005 and 2006, I first thought that the programs themselves were unlikely to be causing inadvertent sharing: After all, problems with program design had been rather extensively investigated--and purportedly resolved--back in 2002 and 2003. I thus assumed that inadvertent sharing must be recurring for some other reason.

I thus investigated the possibility that malware might be causing inadvertent sharing of personal files. The same factors that make piracy-prone file-sharing networks well suited for the distribution of infringing files also make them well-suited for the distribution of files infected with malicious code. Consequently, I assumed that inadvertent sharing might be recurring because file-sharing networks were distributing malware that was reconfiguring the file-sharing programs themselves. At the time, nothing came of those efforts: Searches of the usual data repositories did not reveal malicious programs that reconfigured popular file-sharing programs. Only after this "malware hypothesis" led nowhere did I look again at the programs themselves--only to find some dumbfoundingly familiar problems.

The VBPs returned my attention to malware as a potential cause of inadvertent sharing after I discussed them with the data-security company Tiversa, Inc. Tiversa's perspectives on file-sharing tend to be uniquely valuable. Tiversa's technology lets it look comprehensively at all activities occurring on multiple networks, and the monitoring and remediation services that it provides to its clients ensure that Tiversa often has unique, first-hand knowledge about the causes of inadvertent sharing.

After reviewing the VBPs, Tiversa's President, Mr. Robert Boback, reported that he was not optimistic about their potential to reduce inadvertent sharing. In particular, he cited the problem of malware--he reported that Tiversa has now encountered multiple forms of malware that reconfigure the sharing-related settings of popular file-sharing programs.

If so, then the VBPs are too little, too late. By perpetuating the problem of inadvertent sharing until identity thieves had years to realize how advantageous it could be to them, distributors of file-sharing programs have ensured that inadvertent sharing is no longer a problem that they can cause or remediate by changing the default settings of their programs.

The VBPs Seem Hopelessly Vague: The VBPs also seem very waffly and fuzzy--they are so vague and flexible that it will often be very hard to say whether any given program complies with any particular provision. Worse yet, they are often so vague that they seem to fail to engage the available data on the causes of inadvertent sharing. Indeed, preliminary analysis suggests that the VBPs could permit use of search-wizards, partial-uninstall features, and certain coerced-sharing features, including LimeWire's confusing "individually-shared-files" feature. I don't see how anyone can be expected to believe that these VBPs will really deter inadvertent sharing unless they clearly address all the problems that have been repeatedly called to the attention of distributors.

For example, the VBPs center around the notion that developers can deter inadvertent sharing by requiring users to take "Affirmative Steps" before they share "User-Originated Files." That sounds good--until one recalls that the more dangerous version of the KaZaA program condemned in the 2002 study Usability and Privacy: A Study of KaZaA Peer-to-Peer File Sharing also required its users to take "Affirmative Steps" before they would share "User-Originated Files." Indeed, partial-uninstall features excepted, so did the "features" condemned in the USPTO report, Filesharing Programs and "Technological Features to Induce Users to Share."

The VBPs Proceed from the Sometimes-False Premise That It Is "Safe" for Users of File-Sharing Programs to "Share" Downloaded Files by Default: The VBPs also look like a cynical half-effort to redress inadvertent sharing. To me, the difference between conscientious program distributors and cynical distributors is simple: The former are concerned about the safety of users of their program; they want to ensure that users do not inadvertently share any files that would tend to be dangerous to share. The latter are concerned only about themselves; they only want to ensure that users of their program do not inadvertently share the sorts of files that would be likely to attract adverse attention to program distributors from the media, Congress, or Supreme Court Justices.

Sadly, the VBPs seem to reflect the latter approach to inadvertent sharing: They divide all files stored on users' computers into two classes: files downloaded from the file-sharing network and all others (the VBPs call this latter class "User-Originated Files"). The VBPs then proceed from the following premise: Sharing of downloaded files is presumptively "non-sensitive," safe and permissible by default, while sharing of User-Originated Files is not. In other words, the VBPs presume that users sharing downloaded files are not sharing "sensitive" files.

As applied to programs like LimeWire, that premise is demonstrably and deliberately false. As LimeWire CEO Mark Gorton testified, other than downloading of music, the only other "major use" of his program is downloading movies. Sharing files containing downloaded music or movies can cost from $750 to $150,000 per file. As a result, for persons of moderate means, the financial consequences of sharing those files are probably as bad or worse than the financial consequences of identity theft.

Worse yet, this very real threat of enforcement lawsuits is a risk imposed upon users deliberately by distributors of certain file-sharing programs: For example, in MGM v. Grokster, LimeWire went out of its way to blame copyright owners for failing to sue infringing users of its program. Subsequently, LimeWire then altered its program in ways that can make it more difficult for users to stop sharing downloaded files--thus ensuring that the risks of sharing downloaded files would tend to fall disproportionately upon those users who happen to be very young or otherwise particularly unsophisticated.

An article published recently by the Torrentfreak website illustrates the real-world consequences of these choices. The article reports on an interview with "Hannah," the pseudonym of a 9-year-old girl who uses LimeWire. The interview begins, "Everyone knows that a significant number of file-sharers are teenagers and young adults.... But what about the true kids--the under 10's?"

In the interview, "Hannah" says that she uses LimeWire, "Because you can put anything in and it will come up and you don't actually pay for it" and because "you can get good albums off there. Duh!!" When asked whether downloading music for free might be illegal, she replied, "Why would they put it [music] on the Internet ... if it was against the law?" She was then asked what would happen if one of her favorite artists, Sean Kingstone, sued her family or sought a settlement because she had shared his albums using LimeWire. She replied, "I'd say 'tooooo strict' and anyway he can't make me do anything. He's not the boss of me, he's the boss of Sean Kingstone." When asked what would happen if her family did not settle, she said, "Nothing. I'm too young to be charged by the government so he can't charge me."

"Hannah" has her facts dangerously wrong, but I can still sympathize with Hannah (and her family): She's just a little girl who has made the usually rational assumption that most adults don't distribute dangerous toys to children. Unfortunately, some adults who distribute certain file-sharing programs persist in distributing potentially dangerous toys to children--even after painting enforcement targets on their little foreheads. As a result, programs like LimeWire now jeopardize the privacy, reputations, and finances of the families of many thousands of "Hannahs."

Nor do the distributors of such programs simply lack any means to prevent their misuse or otherwise avoid the need for enforcement against consumers who share infringing files--deliberately or otherwise. They do have the means, but they have chosen not to deploy them.

Distributors of other file-sharing programs have now made this clear: Joost only distributes files authorized for distribution; Veoh uses forms of filtering; Pando uses something akin to a notice-and-takedown process. That doesn't mean that any of these programs are perfect, but it does mean that people using them are unlikely to face the financial and other consequences of an infringement lawsuit.

In short, a useful set of VBPs would have to address a very deliberately constructed reality: Inadvertently sharing files downloaded from some networks can be as presumptively dangerous and as "sensitive" as inadvertently sharing personal files. VBPs that refuse to confront this deliberately constructed reality are not worth the pixels they are printed upon.

Unless the VBPs Redress Inadvertent Sharing of Downloaded Files, Pedophiles Will Use Inadvertent Sharing to Avoid Conviction for Knowingly Distributing Child Pornography: Because the VBPs do not really address inadvertent sharing of downloaded files, they also fail to defuse a ticking time-bomb: Piracy-adapted file-sharing networks have attracted not only 9-year-old girls who share music, but also pedophiles who share child pornography. As a result, a slew of prosecutions are now underway--I counted scores of pending cases during my last sweep of LEXIS, and a public defender in New York told me that her office is now inundated with P2P child-porn cases. Unfortunately, the defendants in these cases have realized that inadvertent sharing can help them avoid conviction on the "knowing distribution" count that can result in serious jail time. Soon enough, inadvertent sharing--even of downloaded files--is going to deliver get-out-of-jail-free cards to pedophiles.

The VBPs would have to reflect a serious effort to prevent inadvertent sharing of downloaded files before they could stop this from happening. Indeed, even their half-efforts are already too late. For example, in United States v. Park, 2008 U.S. Dist. LEXIS 19688, *2 (D. Neb. March 13, 2008), the defendant used LimeWire to share, inter alia, a three-hour video that "depicted 'a female minor bound with a rope and being choked with a belt by what appeared to be an adult male.'" Nevertheless, the defendant secured a reduced sentence by claiming that he "lacked an understanding of the software and thus ... the knowledge to distribute the illegal wares that he possessed." Id. at 4.

To be clear: Distributors of piracy-adapted file-sharing programs rightly resent any claim that might imply that they intend to aid pedophiles. But that is not my point: Frankly, I cannot imagine why any distributor of even the most piracy-prone file-sharing program would intend to facilitate the distribution of child pornography, or, for that matter, malware-infected files, or classified government data.

Nevertheless, some brute facts remain: Actions often have consequences that--while not intended--are wholly predictable. The same attributes that make certain file-sharing programs attractive to persons who want to distribute infringing files predictably make those programs attractive to persons who want to engage in other illegal activities. It was thus utterly foreseeable--and foreseen--that malefactors other than infringers would flock to the accommodating venues thus provided.

For example, in 2003, the distributors of the KaZaA program admitted this when discussing the prevalence of malware-infected files on the FastTrack network: "As you would expect, when files often come from anonymous and uncertified sources, the risk of that file containing a virus greatly increases." They may not have intended to attract malware distributors, but they fully expected that the design of their network would do so nonetheless. Those choices created a network used largely for illegal purposes in which it becomes very important to be able to say whether any given user intended to "share" any given file because so many are unlawful to share. Reasonable VBPs would acknowledge that in such venues, the "sharing" of downloaded files is generally unsafe--it can result in the "sharing" of files that are "sensitive," within any reasonable meaning of that term.

CONCERNS ABOUT THE CREDIBILITY OF THE VBPs:

The VBPs Are "Déjà Vu All Over Again" for Concerned Officials or Citizens: Sadly, these new VBPs proceed from a false premise: They presume that distributors of piracy-adapted file-sharing programs can be reasonably expected to adhere to a completely optional set of inadvertent-sharing-related "best practices" that would require them to redesign their programs in order to prevent users from inadvertently sharing files. All-too-recent experience has eviscerated that premise.

For example, after the second-to-last round of congressional hearings on inadvertent sharing (back in 2003), the trade association P2P United purported to redress inadvertent sharing by promulgating a mandatory Code of Conduct designed by distributors of file-sharing programs including the distributors of LimeWire. But the distributors who devised that "mandatory" Code tended to ignore it in practice while singing pious hymns to its virtues to congressional committees and federal agencies. Now, another trade association has released another set of now-completely-optional LimeWire-designed VBPs. With all due respect--and none is--these new VBPs accomplish precisely one result: They force everyone concerned about inadvertent sharing to stare straight down both barrels of an old saying:

"Fool me once; shame on you. Fool me twice...."

Seriously: If distributors of piracy-adapted file-sharing programs treated their own mandatory Code of Conduct--and the well-being of users of their programs--like an irrelevant joke back in 2004, how can anyone believe that, in 2008, they will treat new optional VBPs with anything other than similar contempt?

And lest the above seem unduly harsh, I can report that I have begun to compare the requirements of the VBPs to the behavior of the version of LimeWire that was available when the VBPs were released. This version of LimeWire does not appear to comply with the VBPs. Once again, the VBPs thus seem to be just a cheery promise that things may improve in the future.

I agree that voluntary self-regulation will be an indispensable tool that can let us redress many of the security and privacy challenges that will inevitably arise from fast-changing internet technologies without saddling those technologies with prescriptive, market-distorting regulations that quickly prove to be partially underbroad, partially overbroad, and quickly dated. But for that reason, there will be times when the only reasonable response to miserably failed efforts at voluntary self-regulation will be law enforcement--not the repetition of airy promises of even less-obligatory self-regulation.

For all these reasons--scope, substance, and credibility--I can take no comfort in DCIA's new Voluntary Best Practices for P2P File-Sharing Software Developers to Implement to Protect Users Against Inadvertently Sharing Personal or Sensitive Data.


posted by Thomas Sydnor @ 9:54 AM | Enforcement & Remedies , Free Culture Movement , Internet: P2P, Search Engines... , Legislation and Legislators , Privacy and Security
