A flaw in the user interface of KaZaA, the popular Internet multimedia file-sharing service, poses a serious threat to user privacy, according to a recent study published by a researcher at HP Labs.
Nathaniel Good of HP Labs and Aaron Krekelberg, a colleague of Good's at the University of Minnesota, found that a significant percentage of Kazaa users have unknowingly shared private files such as e-mail, passwords or personal financial records.
"You could be sharing everything on your hard drive and not even know it," said Good, whose primary research interest is in human-computer interaction.
P2P privacy glitches
Although the researchers conducted their study on Kazaa, the largest peer-to-peer network with millions of users, they said the potential for privacy lapses extends to other P2P programs.
The work has received considerable media coverage in The New York Times, Cnet, MSN and elsewhere, and Kazaa has added a new users' guide to its site. Guidelines warn users not to accidentally share files and provide instructions for how to avoid doing so accidentally.
Good says it isn't enough. "They haven't corrected the problem, and they don't provide the necessary instruction a novice user needs. A redesign, not guidelines is what's needed."
Repeated attempts to reach officials at Kazaa were unsuccessful.
Good accidentally discovered the Kazaa security hole while helping a friend who is a novice computer user. The friend had complained that his computer was running slowly. Upon inspection, Good found the friend had inadvertently shared his entire hard drive.
He assumed that Kazaa would quickly correct the problem, but when he checked back a few months later, he found it had only worsened.
He and Krekelberg then set about conducting a laboratory study to analyze the usability of the Kazaa file-sharing interface. They scripted Kazaa to search its network for files that store Microsoft Outlook Express e-mail, assuming that no one would intentionally share these on the public network.
They conducted 443 searchers in a 12-hour period and found that 61 percent of searches found at least one e-mail file. They identified 156 users whose e-mail files were public.
The researchers did not download any files from other Kazaa users.
financial data exposed
In another test, Good and Krekelberg looked at 20 distinct cases in which the Outlook mail program had been made public. Of those, 19 allowed access to other categories in the program, such as deleted items and sent mail. Nine users exposed their Web browser's cache and cookies, five exposed word processing programs and two exposed what appeared to be financial data.
They then sought to determine whether other Kazaa users were taking advantage of this vulnerability by downloading files from other people's computers.
They placed dummy personal files with titles such as Credit Card.xls and Inbox.dbs on a server. In a 24-hour period, the credit card file was downloaded four times by four unique visitors, and the inbox file was downloaded four times by two unique visitors.
problems with Kazaa's interface
Both researchers have a strong interest in computer usability, so they asked 12 experienced computer users to determine which files, if any, could be shared. Only 2 were able to determine that Kazaa was sharing their entire hard drive.
The researchers said that Kazaa's user interface allows people to configure their software improperly and unknowingly share private information.
"While facilitating file sharing and searching, the systems do a poor job of preventing users from sharing potentially personal files," they said in their paper. "The design makes too many assumptions about users' knowledge of file sharing."
For example, the application creates a default directory of files to be shared, which Kazaa calls the "download folder." Many users do not realize that when they add files to the download folder, all the files in the directory, as well as the directories below it can be recursively shared, the researchers said.
The paper recommends several usability guidelines for P2P applications to ensure that users are clearly made aware of what files are being offered for others to download, and to enable them to easily determine how to stop sharing files.
Good said that early versions of Napster and other P2P programs did not pose a serious security risk because they allowed users to share only music files. "Now you can share anything."
taking usability seriously
Good is currently an intern in the Information Dynamics Lab. In the fall, he plans to pursue his master's degree at the University of California at Berkeley, specializing in human-computer interaction.
He said he hopes the study and the publicity surrounding it will encourage designers of software applications to take usability issues more seriously.
"You really need to know your audience," he said.
by Jamie Beckett