Peer-to-Peer Networks and
Music File Sharing
Tim Caserza
COEN 150
Holliday
5/17/04

Napster, Kazaa, LimeWire, Morpheus, Bearshare, Direct Connect: the list of
peer-to-peer file sharing programs goes on and on. Anyone with a computer and an internet
connection can download one of these programs and download any file or song
imaginable in a matter of minutes. Millions of people use file-sharing programs, but very
few know how these complex peer-to-peer networks actually work, or the
security issues involved in using peer-to-peer applications. This paper will give a brief
history of peer-to-peer and file sharing, then discuss the major file-sharing models such
as Gnutella and Gia. In addition, it will discuss the matter of music piracy, the Recording
Industry Association of America (RIAA), legal issues, laws and statistics. Lastly, this
paper will discuss security issues involved in peer-to-peer networks and applications such
as viruses, worms, spyware, adware, and the accidental sharing of private information
and sensitive materials.

Network applications can be one of three types: master/slave, client/server, or
peer-to-peer; most fall under the latter two types. The client/server model can be easily
seen while browsing webpages. When a user enters a web server address in the address
bar of their internet browser, their computer becomes a client and sends a request to the
appropriate server for the webpage file. The web server receives the request and returns
the appropriate content and the page is displayed in the browser window on the client. In
this simple example, the server never requests a file from the client, and the client does
not wait for any connections from the server after the file is received; if it did, then it
would be classified as peer-to-peer. In a peer-to-peer network, each computer connected
has the ability to act as both a client and a server as well as perform multiple tasks for
both simultaneously.

One of the earliest large-scale examples of a peer-to-peer network was Usenet. It
was originally designed to allow a UNIX computer to dial into another UNIX computer,
exchange files using a UNIX-to-UNIX copy protocol and then disconnect. This was
useful in sending emails and distributing system patches. Today, Usenet has grown into
an enormous news network which uses the Network News Transport Protocol to enable a
computer to efficiently find newsgroups and read and post messages. Usenet is a prime
example of a decentralized network; there is no one central authority, only thousands of
individual servers that allow users to search through newsgroups (Oram). If one server,
or node, of the network goes down the rest of the network is not greatly affected, unlike a
web server, or Napster, discussed later. The decentralization of Usenet is a main reason
that it has survived since its inception in 1979.

The earliest popular means of music file-sharing was through FTP servers and
websites; however, these do not fall under the category of peer-to-peer. An FTP user can
upload and download, but the protocol does not allow multiple instances of either to be
performed simultaneously. Shawn Fanning, a college dropout, developed Napster in
1999 as a means for people around the world to download music files and share their own
collections with other users on its network. Users connected to a centralized Napster
server and the names of their shared files were sent and stored on the central server. A
client doing a search for a particular song sent the request to the Napster server, which
replied with all the locations of users on the network with the requested song available
for download. To get the song, the user simply clicked on a location returned by the
search and the request for the song was sent to the peer with the song; the peer became a
server and sent the file to the client (Wikipedia, “Napster”). A user could be a client and
download multiple files at once at the same time as being a server and uploading multiple
files to other users. Unfortunately, the Napster centralized server scheme led to its
downfall when it caught the eye of the Recording Industry Association of America. The
RIAA and its influence on peer-to-peer music sharing will be discussed later.

Developed in 2000 by Justin Frankel and Tom Pepper, Gnutella is able to avoid
the inherent problems of a centralized server by using a network of decentralized servers.
Having decentralized servers makes the network extremely difficult to shut down because
you can shut down a server, but the rest of the network is still there. As long as there are
two computers connected to it, the network will still exist. Gnutella-based applications,
such as Kazaa, come with a list of Gnutella servers called nodes. When the program is
opened it tries to connect to all the default nodes. If a node is unreachable, it is deleted
from the client’s list. If the client connects to a node, the node will send the client a list
of all the nodes that it is connected to. Then the client will attempt to connect to all the
new nodes it receives and the process continues until the client is connected to the desired
number of nodes. When the client does a search it sends a request to all the nodes it is
connected to, which search their shared folder for a match, and then forward the request
to all the nodes they are connected to until the entire network is searched (Wikipedia,
“Gnutella”). If a match is found, it will be displayed in the user’s application and the
user may click on it to begin downloading from the node. If the same file is found on
multiple nodes, the download can be split up so that the client can receive different parts
of the file from each node and greatly increase the speed of the download. The
Gnutella-style network is vastly superior to the centralized Napster network, but it is far from ideal
or efficient. The way in which Gnutella searches for a file is called flooding because it
literally floods the network with requests. Nodes do not know that other nodes have been
searched for a file, so nodes may be searched many times during the same
search. This obviously makes Gnutella very inefficient and not scalable (Ritter).

The shortcomings of Napster and Gnutella are partly due to the fact that they were
designed by one or two smart programmers rather than a team of computer scientists and
engineers. Now that researchers have taken an interest in peer-to-peer networking, they
have begun development of very efficient and scalable peer-to-peer file sharing models
such as Gia. Scalability is very important because peer-to-peer networks are constantly
growing and the traffic and congestion in these networks must remain as low as possible
or the network may become too slow to be usable. The flood searching of a Gnutella
network greatly deters any chance of scalability for the system: as more nodes become
part of the network, the total time to finish a search increases a great deal. The solution to
this problem to be implemented in Gia is a random walk through nodes instead of
flooding. Rather than have every node you are connected to ask every node that it is
connected to and so on, a random walk asks one neighbor node who asks his neighbor
node, and so on. Every node is “smart” in the sense that it is aware of the connection
speed and the number of shares on its neighbors. So the random walks are biased
towards nodes more capable of handling many requests, thus increasing the speed of
a search. Random walks are not the ideal solution; they are still inefficient, but they
greatly reduce duplicate queries of the same node in the same search, and do not flood a
network. The Gia design is one of two popular peer-to-peer design ideas in development.
The other is a Distributed Hash Table network, but due to its specific searching
requirements, it is not likely to be as popular as the Gia design (Chawathe, et al).
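
The cost difference between flooding and a biased random walk can be measured on a small overlay. The Python sketch below is an added example, not code from this paper or from Gnutella or Gia; the 12-node topology, the capacities, the file holders, and the rule that a node forwards a query only the first time it sees it are assumptions made for illustration.

```python
import random
from collections import deque

def ring_overlay(n):
    """Constructed overlay: node i is linked to i±1 and i±2 (mod n)."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for step in (1, 2):
            adj[i].add((i + step) % n)
            adj[(i + step) % n].add(i)
    return adj

def flood_search(adj, holders, src, ttl=7):
    """Gnutella-style flood. Returns (messages, distinct nodes queried, hit)."""
    seen = {src}
    messages = 0
    queue = deque((src, nb, ttl) for nb in sorted(adj[src]))
    while queue:
        sender, node, t = queue.popleft()
        messages += 1                  # every delivery costs bandwidth
        if node in seen:
            continue                   # duplicate: this node was already searched
        seen.add(node)
        if t > 1:                      # forward to every neighbour but the sender
            queue.extend((node, nb, t - 1)
                         for nb in sorted(adj[node]) if nb != sender)
    queried = seen - {src}
    return messages, len(queried), bool(queried & holders)

def biased_walk_search(adj, capacity, holders, src, max_steps, rng):
    """Gia-style walk: one message per hop, weighted toward capable neighbours."""
    visited = {src}
    node, messages = src, 0
    while messages < max_steps:
        fresh = [nb for nb in sorted(adj[node]) if nb not in visited]
        choices = fresh or sorted(adj[node])   # dead end: allow a revisit
        weights = [capacity[nb] for nb in choices]
        node = rng.choices(choices, weights=weights, k=1)[0]
        messages += 1
        visited.add(node)
        if node in holders:            # stop at the first node sharing the file
            return messages, len(visited) - 1, True
    return messages, len(visited) - 1, False

def compare(seed=1):
    adj = ring_overlay(12)                          # constructed topology
    capacity = {i: 1 + 3 * (i % 4) for i in adj}    # constructed capacities
    holders = {3, 6, 9}                             # nodes sharing the file
    flood = flood_search(adj, holders, src=0)
    walk = biased_walk_search(adj, capacity, holders, 0, 12, random.Random(seed))
    return {"flood": flood, "walk": walk}

if __name__ == "__main__":
    for name, (msgs, nodes, hit) in compare().items():
        print(f"{name:5s} messages={msgs:2d} nodes_queried={nodes:2d} "
              f"duplicates={msgs - nodes:2d} hit={hit}")
```

On this constructed overlay the flood delivers 37 messages to query 11 nodes, so 26 deliveries are duplicates, while the walk stops at its first hit after at most 9 messages with no node queried twice.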

The RIAA is a trade group that represents the recording industry in the United
States. They are responsible for recording and distributing 90% of the music in the U.S.
They are the biggest opponent to using peer-to-peer file sharing for the purpose of
sharing copyrighted files illegally, in their case, music (RIAA, “About Us”). Before
Napster, the RIAA mainly dealt with tracking down illegal CD manufacturing facilities
which copied and sold music CDs on a large scale. When Napster became widely
popular, they caught on to the fact that millions of copyrighted songs were being shared
on a massive scale using Napster. The RIAA sued Napster for aiding its users in illegally
distributing copyrighted music by providing a central server for anyone to connect to and
distribute copyrighted music (Wikipedia, “RIAA”). Napster may have been shut down,
but peer-to-peer music sharing grew to new heights when Gnutella networks sprang up
everywhere.

Due to the decentralized nature of Gnutella, and the fact that many nodes are in
other countries, the RIAA cannot easily go after these Gnutella networks, so they now
focus on going after individual users. According to statistics collected by the RIAA, the
total sales of CDs in 2000 increased 3 percent, quite a drop from the previous year’s 14
percent increase. In 2001, the total sales dropped 2 percent, in 2002 dropped nearly 7
percent and in 2003 fell another 7 percent. To put a dollar amount on these percentages,
at their peak in 2000, the annual net income was $13 billion, and in 2003, the net income
was $11 billion (RIAA, “2003 Yearend Statistics”). These figures conflict with figures
determined by Soundscan, the group that compiles the Billboard music charts, which
claim sales are still on the rise (Kensei). Regardless of the dispute in figures, the RIAA
blames their large decline in sales on music file sharing through peer-to-peer networks.
Because of this, the RIAA has begun tracking down those who share music files illegally
through peer-to-peer networks. Beginning in January 2003, the RIAA began filing
subpoenas to Internet Service Providers to release the identities of the users that they had
identified as illegally sharing large amounts of music. In early September 2003 the
RIAA filed 261 copyright lawsuits against individuals allegedly sharing large amounts of
music files, but offered amnesty to any of the 261 who promised to stop illegally
downloading (NSAI; Heller). This served as the warning to all illegal file-sharers and no
more amnesty would be granted. As of the end of March 2004, 1977 people have been
sued by the RIAA and thousands of small-scale sharers have received warnings. Roughly
one-fifth of those sued by the RIAA have settled out of court with the RIAA, paying, on
average, a $3000 fine. None of the suits have been brought to trial yet (Borland).

A major problem with the RIAA lawsuits is the process by which they track users
allegedly sharing copyrighted music on peer-to-peer systems. They use programs to
search the network for specific files that are being shared illegally, and the IP addresses
of any responses are recorded. The RIAA then determines the ISP hosting the IP address,
contacts the ISP, informs them of the illegal activity and lets them know they will be sued
if the offending material is not removed. The ISP must then determine who was using
the IP address at the time of the infraction and shut off their internet access, contact them
and inform them of the situation. The RIAA cannot get the name of the person using the
offending IP address without a subpoena, so unless the IP address was sharing a large
amount of music, they will usually not subpoena the ISP for the personal information of
the offender. The problem with this process lies in determining who the actual offender
is. There are many IP spoofing utilities available, so there is the possibility that the IP
address recorded by the program used by the RIAA was spoofed. The offending user
could also be connected through a proxy, or possibly a compromised computer that
belongs to someone else. By the time the RIAA contacts the ISP, the person using the IP
address may be different from the person who was illegally sharing the files. Also, some
peer-to-peer applications are open-source, so intelligent users could modify the source to
trick the RIAA program.

The RIAA seems to have a “sue first and ask questions later” attitude; this has led
to a few individuals being falsely identified and sued. The Electronic Frontier
Foundation (EFF) is a major opponent to the RIAA and their practices; it has begun
defending those wrongfully accused of illegally sharing files. One particular case that the
EFF is taking on is that of Ross Plank, a website consultant accused of sharing hundreds
of Latin-American music files on Kazaa. Ross claims he does not even listen to
Latin-American music, nor does he use Kazaa. His records also show that at the time the RIAA
linked the illegal file sharing with the IP address, he was not even using that IP address
(EFF, “EFF defends…”).

Another example of the reckless manner in which the RIAA conducts their hunt for
illegal file sharers is their lawsuit against Sarah Ward, a 65-year-old teacher. The suit
claims that Ward was sharing hundreds of files on Kazaa; however, Ward owns a
Macintosh, which cannot even run Kazaa. In addition, the only evidence linking Ward to
the illegal file sharing was several screen shots and the information they received from a
subpoena to Comcast (EFF, “Recording Industry Withdraws…”). The USA Patriot Act
is what grants the RIAA the ability to subpoena ISPs to get the information of anyone
suspected of copyright infringement. The Patriot Act, which was written in haste, was
intended to help fight the war on terrorism. The RIAA, however, has decided to use it to
fight their war on illegal peer-to-peer music sharing.

There are many security issues surrounding peer-to-peer networking, shown most
clearly in a study performed by the U.S. House of Representatives Committee on
Government Reform. The study of popular peer-to-peer applications found financial
records, tax records, medical records, personal email archives, living wills, attorney files,
business records, military information, and other private information freely available on
the networks (U.S. House of Representatives). Hopefully the cause of this is just the
ignorance of users, and not something more malicious. The simplicity of most file
sharing applications makes them easily usable by people who are not computer savvy and
may not know what they are sharing or how to view or change what they are sharing.
When a user installs a file sharing program such as Kazaa, they are usually given the
option to have Kazaa automatically search for media on their hard drive to share. Most
people just want to hurry and start downloading so they will just click through everything
without really reading it, so the files that Kazaa finds on the user’s computer to share
might be ones they did not want to share. Unless the user knows what he or she is doing,
they will not be able to determine if they are sharing personal information or not. The
lack of education among users of peer-to-peer file sharing programs leaves the door wide
open for people with malicious intent to take advantage of a network which they know
has a large number of people that know very little about computers.

The study also found that viruses, worms, Trojan horses and other harmful
material can be easily spread through peer-to-peer networks due to flaws in the design of
the program and a lack of education among its users. A user with destructive intent could
rename a virus they have created to look similar to the name of a popular song or
application in hopes that an unsuspecting user will download and open the virus. The
committee referenced a ZDNet study of Kazaa between May and September 2002, which found
eight worms propagating through the network. One worm found in the ZDNet study was
the Benjamin worm, which disguised itself as a Metallica or Bach song, and created and
shared new folders on an infected computer in an attempt to disguise itself. This makes it
possible for private data to be shared without the user knowing. The worm also allowed
infected computers to be compromised by hackers and employed in a Denial of Service
attack (ZDNet; U.S. House of Representatives).
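
Both risks described above, private documents ending up in a shared folder and executables named to look like songs, can be checked for by auditing what a folder actually exposes. The Python sketch below is an added example, not a tool from the committee study or from any file-sharing program; the extension lists, keywords and sample file names are assumptions constructed for illustration.

```python
import os
import re
from pathlib import PurePath

# Extension and keyword lists are assumptions for this example, not a standard.
EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}
MEDIA = {".mp3", ".wav", ".wma", ".avi", ".mpg"}
PRIVATE_EXT = {".pst", ".dbx", ".qdf", ".xls", ".doc"}
PRIVATE_WORDS = {"tax", "medical", "will", "bank", "password", "resume"}

def classify(filename):
    """Return a finding for one file name, or None if nothing stands out."""
    name = PurePath(filename).name
    # strip() defeats padding such as "song.mp3      .exe"
    suffixes = [s.strip().lower() for s in PurePath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in EXECUTABLE:
        if any(s in MEDIA for s in suffixes[:-1]):
            return "executable disguised as media"
        return "executable in shared folder"
    # Match whole words only, so "william" does not trigger on "will".
    words = set(re.findall(r"[a-z]+", name.lower()))
    if last in PRIVATE_EXT or words & PRIVATE_WORDS:
        return "possible private document"
    return None

def audit_folder(root):
    """Walk a shared folder and return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = classify(name)
            if finding:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, finding))
    return sorted(findings)

# Constructed file names, used only to demonstrate the checks.
SAMPLE = [
    "Enter Sandman.mp3.exe",
    "song.mp3      .exe",
    "2003 tax return.pdf",
    "outlook.pst",
    "william tell overture.mp3",
]

if __name__ == "__main__":
    for sample in SAMPLE:
        print(f"{str(classify(sample)):32s} {sample}")
```

Calling `audit_folder` on the directory a file-sharing client has been told to share lists everything in it that matches one of the checks.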

The committee conducting the study was also concerned with the spyware and
adware programs that come packaged with many popular peer-to-peer applications. The
study found that the spyware programs collected personal information and reported it
back to their creators without the knowledge or consent of the user and the adware
programs caused unwanted pop-ups. Both were found to install unwanted software,
cause software conflicts, and cause system crashes on some systems (U.S. House of
Representatives). The file sharing applications are able to get away with packaging
spyware and adware with their software because their end user license agreement, which
most users blindly agree to without reading, allows them to include spyware and
adware.

Another cause for concern among the committee is the ability for file sharing
programs to bypass firewalls on the user's system. The programs are designed to use any
ports available, so there is no way for a firewall to protect the client unless it blocks every
port. If the programs bypass the firewall, users are left vulnerable to attack. Open ports
are highly sought by hackers, and unless the peer-to-peer application has proper security
features, they can find holes to exploit these open ports. The committee recommends that
any company wanting to conform to a best-practices approach to network security ban
peer-to-peer applications on their computers (U.S. House of Representatives).

Peer-to-peer file sharing is a very new technology. Because of this, peer-to-peer
networks lack efficiency, scalability, and security. The reported 60 million Americans
using peer-to-peer file sharing applications such as Kazaa have caught the eye of
computer scientists and engineers who will help peer-to-peer bloom in years to come. As
peer-to-peer technology grows, the law must start to grow alongside it. Currently the law is
in the process of catching up to the technology due to a lack of experience and knowledge
of computers among politicians. This allows for organizations such as the RIAA to take
the law into their own hands, and abuse laws such as the Patriot Act to serve their own
purposes. The RIAA and peer-to-peer file sharing networks need to make a compromise
between users downloading music for free and consumers having to pay a dollar per song
or fifteen dollars for a CD. The greatest necessity as peer-to-peer technology grows is the
education of lawmakers and most importantly, the millions of people that use the
applications. Regardless of how secure you make the file sharing software, people may
still unknowingly share their tax returns and other personal information, so they must be
taught how to properly use the applications and know what they are sharing. User
education is a must in order for future peer-to-peer technology to reach its full potential.

References

Borland, John. “New RIAA file-swapping suits filed” CNET News.com. 16 May
2004.
<http://zdnet.com.com/2100-1104-5177933.html>

Chawathe, Yatin, et al. “Making Gnutella-like P2P Systems Scalable”???

Electronic Frontier Foundation. “Recording Industry Withdraws Music Sharing
Lawsuit: Lack of Due Process Leads to Mistaken Identity” 16 May 2004.
<http://www.eff.org/IP/P2P/20030924_eff_pr.php>

Electronic Frontier Foundation. “Electronic Frontier Foundation Defends Alleged
Filesharer: Another Error in Record Companies' Legal Crusade” 16 May 2004.
<http://www.eff.org/IP/P2P/20031014_eff_pr.php>

Heller, Kevin J. “Tech Law Advisor: An Internet and Intellectual Property Policy
Weblog”. “RIAA's Offers Amnesty to File Sharers” 16 May 2004.
<http://techlawadvisor.com/riaa.html>

Kensei News & Information Services. “Nielsen Rating System At Odds With RIAA's
Claim Of Lost Sales” 16 May 2004.
<http://www.kensei-news.com/bizdev/publish/factoids_us/article_23374.shtml>

Nashville Songwriters Association International. “The History of Illegal
Downloading of Copyrighted Music” 16 May 2004.
<http://www.nashvillesongwriters.com/news.ez?viewStory=187>

Oram, Andy. Peer-to-Peer: Harnessing the Power of Disruptive Technologies.
O'Reilly & Associates. 2001. Chapter 1.

Recording Industry Association of America. “About Us” 16 May 2004.
<http://www.riaa.com/about/default.asp>

Recording Industry Association of America. “2003 Yearend Statistics” 16 May 2004.
<http://www.riaa.com/news/newsletter/pdf/2003yearEnd.pdf>

Ritter, Jordan. “Why Gnutella Can't Scale. No, Really.” 16 May 2004.
<http://www.darkridge.com/~jpr5/doc/gnutella.html>

United States. House of Representatives. Committee on Government Reform – Staff
Report. File-Sharing Programs and Peer-to-Peer Networks: Privacy and Security
Risks. 16 May 2004.
<http://www.house.gov/reform/min/pdfs/pdf_inves/pdf_p2p_security_report.pdf>

Wikipedia. “Gnutella” 16 May 2004.
<http://www.free-definition.com/Gnutella.html>

Wikipedia. “Napster” 16 May 2004.
<http://www.free-definition.com/Napster.html>

Wikipedia. “Recording Industry Association of America” 16 May 2004.
<http://en.wikipedia.org/wiki/RIAA>

ZDNet. “New worm crawls around Kazaa” 16 May 2004.
<http://zdnet.com.com/2100-1105_2-954893.html>