33.1. Introduction

The excitement about P2P systems has been encouraged by recent innovations that foster easier sharing of files, such as downloading simultaneously from multiple sources, and the sharing of many different file types, as well as improvements to the usability of these clients. Of the current P2P systems, KaZaA is by far the most popular and widely used, with more than 120 million downloads worldwide and an average of 3 million users online at any given time. The user interface (UI) for finding files is straightforward: the user types a query into a textbox and, from the results, selects a matching filename to download. If sharing is enabled, the files that the user downloads are then shared automatically with other users on the network. The success of a P2P file sharing network depends on people sharing files with one another, so this feature helps promote file sharing by recycling files in the network.

While facilitating file sharing and searching, these systems do a poor job of preventing users from accidentally sharing personal files. Users attracted to the simplicity of downloading files provided by the P2P network can inadvertently allow access to their private data files, such as email, tax reports, work-related spreadsheets, and private documents. This is especially problematic in the single-machine, multiple-user situation typical of families sharing one computer. In such a setting, a parent could use a secure VPN connection to a corporation to download and work on confidential files, only to have them shared by a teenage son or daughter, without either party's knowledge. This is not a hypothetical problem: our research suggests that people are unintentionally sharing what appear to be personal or confidential files via KaZaA today. Queries for files such as the Outlook Express Inbox (.dbx files), data files for financial applications, and .pst files (Microsoft Outlook mail folders) returned numerous results.

In order to understand how this can take place, we examined KaZaA's UI and use from a variety of perspectives to determine if usability issues could account for such fatal errors. KaZaA is interesting from a usability perspective because it is widely used by millions of users with varying degrees of computer experience, has crossed over from a select group of expert users to a more general population, and has challenging UI issues that it must address to preserve users' privacy while facilitating file sharing. We feel that lessons learned from KaZaA are applicable to designers working with other P2P systems, as well as with other kinds of continually connected systems where users manage access control and share information (e.g., KM applications, expert finding, etc.). From a more general perspective, we hope that our study provides a concrete example of the challenges in designing UIs that both encourage participation and protect privacy, and guidelines for building these kinds of systems.

Recent literature examined usability guidelines for user interfaces for security applications. Whitten and Tygar[2] looked into usability problems that affected users sending secure messages via PGP,[3] and how inadequate design caused users to make fatal mistakes, such as sending unencrypted messages that they felt were encrypted, or sending people their private keys. Yee[4] has expanded on this work, and provides a list of guidelines and case studies for usability of security applications. His work builds on that of Saltzer and Schroeder,[5] which focused on understanding the design requirements for developing secure systems.

[2] A. Whitten and J. D. Tygar, "Why Johnny Can't Encrypt" Proceedings of the 8th USENIX Security Symposium (Aug. 1999). See also Chapter 34, this volume.

[3] PGP: Pretty Good Privacy, http://www.pgp.com.

[4] K. P. Yee, "User Interaction Design for Secure Systems," Proceedings of the International Conference on Information and Communications Security (ICICS 2002), Singapore (2002).

[5] J. H. Saltzer and M. D. Schroeder, "The Protection of Information in Computer Systems," Proceedings of the IEEE 63:9 (Sept. 1975), 1278-1308; http://web.mit.edu/Saltzer/www/publications/protection/.

While KaZaA is not a security application like PGP or personal firewall software, it nonetheless has privacy implications for its users: it must help them ensure that data is not accidentally shared with others. We used an approach inspired by the success of Whitten and Tygar in identifying the flaws within PGP 5.0. We performed a cognitive walkthrough and a user study to analyze the interface of KaZaA and determine usability issues that could cause users to share files unintentionally with the KaZaA network. The results detailed in the following sections show that usability issues alone could account for unintentional file sharing. Indeed, our user studies showed that it was possible for users to share every file on their hard drive without knowing it.

33.1.1. Abuses on KaZaA Today

We looked at other P2P networks, such as Gnutella, for similar problems. Over a 24-hour period we were able to find files such as inbox.dbx on these networks as well, though in smaller numbers than on KaZaA; we attribute this to Gnutella's much smaller user base. Because Gnutella is an open protocol, unlike KaZaA, there are many different client programs that use it, each with a different interface. Focusing on the KaZaA interface gave us the benefit of a large user base and a consistent UI, from which we hoped to generalize a solution for all kinds of P2P clients.

We were curious to see how widespread the problem of unintended file sharing is on the current KaZaA network, and whether users are currently taking advantage of others' mistakes to download private files from them. In order to do this, we scripted searches to run every 1.5 minutes for a 12-hour period. KaZaA operates on a closed protocol, so it is not possible to determine the full extent of people sharing personal files, as one cannot tell exactly how much of the network is being searched with every query.

33.1.2. Unintended File Sharing Among KaZaA Users

In our searches of the KaZaA network, we purposely limited ourselves to queries only, and did not download any user files to verify their contents. The targets of the searches were files ending in .dbx, with particular emphasis on inbox.dbx. DBX files are Microsoft Outlook Express email message stores. They are a good indicator of unintentional sharing for several reasons. First, DBX files are commonly found on Windows machines, because Outlook Express is packaged with Internet Explorer and Windows. Second, they contain private email correspondence that most users would not intend to share. Finally, we had found that users whose inbox was shared typically also shared other files that appeared to contain private information.

The results of 443 searches in 12 hours showed that unintentional file sharing is quite prevalent on the KaZaA network. We found that 61% of all searches performed in this test returned one or more hits for inbox.dbx. By the end of the 12-hour period, 156 distinct users with shared inboxes were found.

To further demonstrate that this indicates unintentional file sharing, we examined 20 distinct cases of shares on the inbox.dbx file by manually using the "find more from same user" feature. We found that 19 of the 20 users shared the other email files found in the default Microsoft Outlook Express installation (Sent Items, Deleted Items, Outbox, etc.). In addition, nine users had exposed their web browser's cache and cookies, five had exposed word processing documents, two had what appeared to be data from financial software, and one user had files that belong in the system folder for Windows.
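The indicators used above (the default Outlook Express message stores, .pst files, browser cache and cookie folders, word-processing and spreadsheet documents, financial-software data, Windows system folders) are exactly what a P2P client, or a worried user, could check for before a folder is exposed to the network. The following audit script is an added example written for this page, not code from the study or from any KaZaA client; the indicator lists and the sample directory tree it builds are assumptions, chosen to resemble a home directory that was mistakenly selected as the share root.

```python
"""Audit a folder tree that a P2P client would share and flag files that look
private, using the indicators from the KaZaA study.  Example code for this page,
not the study's tooling; extension lists and the sample tree are assumptions."""
import os
import tempfile
from pathlib import Path

# Outlook Express default message stores (inbox.dbx was the study's search probe).
OE_DEFAULT_STORES = {"inbox.dbx", "outbox.dbx", "sent items.dbx",
                     "deleted items.dbx", "drafts.dbx", "folders.dbx"}
MAIL_EXTENSIONS = {".dbx", ".pst", ".ost", ".mbx"}
DOCUMENT_EXTENSIONS = {".doc", ".xls", ".ppt", ".wpd", ".rtf"}
# Quicken / Microsoft Money / tax-software data files (assumed list).
FINANCE_EXTENSIONS = {".qif", ".qdf", ".ofx", ".mny", ".tax"}
# Folder-name fragments that mark browser residue or the Windows system tree.
SENSITIVE_DIR_FRAGMENTS = ("temporary internet files", "cookies",
                           "windows", "winnt", "system32")


def classify(path: Path, root: Path):
    """Return a short reason if the file looks private, otherwise None."""
    rel = path.relative_to(root)
    name = path.name.lower()
    ext = path.suffix.lower()
    if name in OE_DEFAULT_STORES or ext in MAIL_EXTENSIONS:
        return "mail store"
    if ext in FINANCE_EXTENSIONS:
        return "financial data"
    if ext in DOCUMENT_EXTENSIONS:
        return "office document"
    for part in (p.lower() for p in rel.parts[:-1]):
        for frag in SENSITIVE_DIR_FRAGMENTS:
            if frag in part:
                return f"inside '{frag}' folder"
    return None


def audit_share(root) -> dict:
    """Walk the share root; map each flagged file's relative POSIX path to a reason."""
    root = Path(root)
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            reason = classify(p, root)
            if reason:
                flagged[p.relative_to(root).as_posix()] = reason
    return flagged


def build_sample_tree() -> str:
    """Constructed sample: a Windows profile directory chosen as the share root."""
    root = tempfile.mkdtemp()
    layout = [
        "My Shared Folder/song.mp3",                                   # intended share
        "Identities/{guid}/Microsoft/Outlook Express/Inbox.dbx",
        "Identities/{guid}/Microsoft/Outlook Express/Sent Items.dbx",
        "Local Settings/Application Data/Microsoft/Outlook/outlook.pst",
        "Local Settings/Temporary Internet Files/index.dat",
        "Cookies/user@example.txt",
        "My Documents/Credit Cards.xls",
        "My Documents/taxes2003.qif",
    ]
    for rel in layout:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, why in sorted(audit_share(sample_root).items()):
        print(f"{why:24} {rel}")
```

Run stand-alone, the script flags seven of the eight files and leaves only song.mp3 unflagged. A client that showed such a list before enabling sharing (rather than silently sharing whatever folder was picked) would address the failure this section describes.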

33.1.3. Users Downloading Others' Private Files

After we determined that users were indeed sharing private files, we were interested in whether other users on the KaZaA network were taking advantage of this fact and downloading files from others. We ran a dummy client populated with dummy files (such as Credit Cards.xls, Inbox.dbx, Outlook.pst, and other types of files that were intended to appear to be private) over a 24-hour period.

From our dummy client, we received a total of four downloads from two unique users of an Inbox.dbx file (Figure 33-1).

Figure 33-1. Inbox.dbx files being downloaded from our dummy client by other KaZaA users


We also received four downloads from four unique users for an Excel spreadsheet named Credit Cards.xls (Figure 33-2).

Figure 33-2. Credit Cards.xls files KaZaA users downloaded from our dummy client
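The dummy-client experiment above is a decoy (honeytoken) measurement: plant files that look private, then count who fetches them. The code below is an added example for this page, not the study's tooling. KaZaA's transfer log format is not public, so the one-line-per-completed-upload format it parses is an assumption, and the sample log is constructed to reproduce the counts reported in the text (Inbox.dbx fetched four times by two peers, Credit Cards.xls four times by four peers). The marker string written into each decoy is likewise an assumption; its purpose is to let a copy that later resurfaces elsewhere on the network be recognised as ours.

```python
"""Plant decoy files and summarise which peers fetched them.  Example code for
this page, not the study's tooling; the log format and marker are assumptions."""
import re
from collections import defaultdict
from pathlib import Path

DECOYS = ("Inbox.dbx", "Outlook.pst", "Credit Cards.xls")
MARKER = b"DECOY-FILE-ID:6f2a9c"   # assumed canary string identifying our copies


def plant_decoys(share_dir):
    """Write the decoy files into the shared folder; return their paths."""
    share = Path(share_dir)
    share.mkdir(parents=True, exist_ok=True)
    paths = []
    for name in DECOYS:
        p = share / name
        p.write_bytes(MARKER + b"\x00" * 4096)   # padding so the size looks plausible
        paths.append(p)
    return paths


# Assumed log line shape: timestamp, event, peer identity, file name, size.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) upload user=(?P<user>\S+) file="(?P<file>[^"]+)" bytes=(?P<bytes>\d+)$')

# Constructed sample log for a 24-hour run of the dummy client.
SAMPLE_LOG = """\
2003-05-12T01:14:02 upload user=alpha@kazaa file="Inbox.dbx" bytes=4116
2003-05-12T03:40:51 upload user=alpha@kazaa file="Inbox.dbx" bytes=4116
2003-05-12T05:02:17 upload user=bravo@kazaa file="Credit Cards.xls" bytes=4116
2003-05-12T07:55:44 upload user=charlie@kazaa file="Inbox.dbx" bytes=4116
2003-05-12T09:11:09 upload user=delta@kazaa file="Credit Cards.xls" bytes=4116
2003-05-12T12:30:33 upload user=alpha@kazaa file="Inbox.dbx" bytes=4116
2003-05-12T15:47:58 upload user=echo@kazaa file="Credit Cards.xls" bytes=4116
2003-05-12T18:03:21 upload user=foxtrot@kazaa file="Credit Cards.xls" bytes=4116
2003-05-12T20:19:05 upload user=golf@kazaa file="song.mp3" bytes=4194304
this line is not a transfer record and is skipped
"""


def parse_line(line):
    """Return the fields of one upload record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text) -> dict:
    """Map each decoy name to (number of downloads, number of distinct peers).

    Decoys nobody fetched are reported as (0, 0); non-decoy uploads are ignored."""
    downloads = defaultdict(int)
    peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["file"] not in DECOYS:
            continue
        downloads[rec["file"]] += 1
        peers[rec["file"]].add(rec["user"])
    return {name: (downloads[name], len(peers[name])) for name in DECOYS}


if __name__ == "__main__":
    for name, (count, unique) in summarize(SAMPLE_LOG).items():
        print(f"{name:18} downloads={count} distinct peers={unique}")
```

Reporting distinct peers separately from raw download counts matters: the text's Inbox.dbx figure (four downloads, two users) would look twice as alarming if the repeat fetches by one peer were counted as independent interest.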




Security and Usability: Designing Secure Systems That People Can Use (ISBN 0596008279, 2004, 295 pages)