Back in March, Reps. Bono Mack, Barrow, and Barton introduced H.R. 1319, The Informed P2P User Act, a bill intended to "prevent the inadvertent disclosure of information on a computer through the use of certain 'peer-to-peer' file sharing software." The bill tries to respond to the problem you may have read about or seen on TV, where people install file sharing software on their computers and unintentionally expose their private and sensitive information to the public. The bill will be at least part of what's discussed at today's House Energy and Commerce Committee hearing. While the bill may be well intentioned, it's flawed in a number of ways:
Definition of "Peer-to-Peer File Sharing Program"
The definition of a p2p app under the bill is as follows:
(2) the term "peer-to-peer file sharing program" means computer software that allows the computer on which such software is installed--
(A) to designate files available for transmission to another computer;
(B) to transmit files directly to another computer; and
(C) to request the transmission of files from another computer.
As to the question of intent, the definition doesn't contemplate who (or what) designates which files the program shares. There's little in this definition that limits the scope to an actual p2p application, either. Depending on what a court later determines to be a "file" (since there doesn't appear to be a definition of "file" here), it's conceivable that this legislation reaches almost any app that touches the Internet (save those that only transmit or only receive files). If the aim of the legislation is to actually protect consumers and give them notice, why limit it (even just in name) to peer-to-peer applications, when so many other applications can share sensitive data in a non-p2p fashion? Why call out p2p technology specifically?
Click-Thrus and Pop-ups Oh My!
The bill makes it unlawful to cause or induce the installation of file sharing software on a computer without, before installation and immediately prior to "initial activation of a file sharing function":
providing clear and conspicuous notice that the software allows files to be searched and copied to other computers; and
obtaining the informed consent of the installation of the owner or authorized user of the computer;
The "before installation" part would likely be dealt with by a click-thru license, and many argue that today's p2p file sharing apps do just this (whereas previous versions did not). So, the problem may already be solved for that part. But for prior to "initial activation of a file sharing function," the question is, what does "initial" mean? The very first time you start up the app, or every time it goes to share files? That's a lot of pop-ups! And since the definition of p2p apps is so broad as to even include web browsers and email clients, can you imagine having to click thru a message every time you wanted to send or receive an email or load a web page? How about on your smart phone (are you really going to say today that a smart phone is not a computer)?
Public vs. Private File Sharing
The bill also doesn't seem to contemplate file sharing on private networks or for in-home use, as opposed to sharing that touches the public Internet. Meaning, if I have an application that simply shares files on my home network or in the office among my peers, or even just among other devices that I own, the file sharing application would still have to provide notice. Will I have to navigate a pop-up every time I share iTunes music between my computers and AppleTV at home? Or content from my TiVo? By my reading, both of these private-network apps fit the definition, even though the bill's concern is software that makes private information public.
There are a lot of questions left to be answered about this bill, and hopefully much light will be shed on the issues at today's hearing. Hopefully we'll get a better idea of why we need such a bill. The bill's sponsor, Rep. Mary Bono Mack, has had a lot to say about P2P software and her apparent disdain for it, which may be why this bill targets a kind of technology instead of the bad behavior of software that shares personal information.
When introduced, the bill had three sponsors; today it has 35 (not including Rep. Lofgren, who apparently withdrew her support of the bill). Preventing consumers' and companies' private information from carelessly becoming public may be a laudable goal, but this bill's fixation on a specific technology (even only in name) spoils the mission. Look for the software community to be up in arms about this bill.
For those interested, we're going to attempt to stream some live video from the hearing today (which the Committee apparently will not be live webcasting). We'll see if this works with limited network availability.
As for the p2p portion of the hearing, frankly, it went about as expected. The tech people said the intent of this bill was fine, but the statutory language was too broad. BSA's Robert Holleyman said that the bill would implicate virus scanners, operating system updaters, and web browsers; CDT's David Sohn argued similarly, suggested calling it "file sharing" instead of "peer-to-peer," and offered some ways to tighten up the definition (see pp. 8-9 of his testimony). DCIA's Marty Lafferty touted his industry's record of working with government to get his member p2p companies to comply with standards -- essentially "we self-regulate fine, no need for any legislation." Tom Sydnor referred back to his studies (for a synopsis, see his testimony), saying that the p2p companies aren't doing their jobs to keep users' information safe.
I don't think that H.R. 1319 will be one of those bills that gets a lot of attention, which can be good and bad. Good if it just goes away because not enough people support it. Bad if it doesn't get fixed: if people find it non-controversial enough, it might just pass or get attached to another bill without notice. The tech industry should take note: there wasn't a single member at that hearing who had their back by questioning the need for, or the statutory language of, this bill. Such members may exist, but they weren't at the hearing, and some of the more tech-savvy members are actually listed as co-sponsors of the bill! As is, it's a poorly drafted bill that, if passed, would make it more difficult for consumers to use common Internet-connected computer applications that have little to nothing to do with sharing private information with the public.