TECHNOLOGY SPECIAL REPORT
Sharing Files: The Untold Story of Software Piracy

File-sharing through the dozens of software piracy mills on the Internet and well-known peer-to-peer networks like Kazaa, Morpheus, iMesh, eDonkey, Gnutella, LimeWire and Grokster accounts for thousands of illegally downloaded music files, games, movies and software. Computer security experts warn that more harm than the mere theft of intellectual property by piracy occurs through participation in file-sharing over the Internet. For example, use of file-sharing operations usually leads to situations in which computers -- and even networks -- are infected with spyware, malware and backdoors left ajar for hackers.

MP3 downloads remain a big draw, despite continuing lawsuits against downloaders by the music industry. Computer users can find just about anything through file-sharing and P2P exchanges. Much of the software available on P2P networks comes cracked, meaning antipiracy activation technologies that are supposed to ensure use only by legitimate purchasers are disabled. Other software can be downloaded with serial numbers included in the zipped file so installation is not impeded. But all of this seemingly free software is not without risks.

"Spyware is a byproduct of peer-to-peer file-sharing. People are generally unaware of how easily spyware gets into their computers," said Jerry Periolat, president of Apreo Software, whose products help employers inventory legal copies of software and block file-sharing applications. The programs required to participate in peer-to-peer networks do not just help people share music files. "They share whatever they can find on the hard drive and the network," he said.

Spyware, bad enough on a consumer's home PC, is worse when it enters the workplace. Some forms of spyware can track user activity, identify files and their locations, and capture passwords. This sensitive personal and corporate data then can be automatically uploaded to servers controlled by spammers, mass marketers and hackers.

Corporate Networks at Risk

When you get right down to the basics, using broadband connections in the workplace to download files for personal use does more than steal productivity and cheat employers out of bandwidth costs. Pereolat told TechNewsWorld that employees generally are not aware of the damage their P2P and instant-messaging use does to their companies.

"File-sharing is sharing company information. Often, workers contribute software put on corporate networks in exchange for the downloads they get. Some people don't realize that P2P applications can search for files and other software and upload them unknowingly," said Pereolat.

According to IDC, employees at up to 70 percent of businesses are using free, consumer-oriented instant messaging, in some cases without corporate IT consent. Many IM applications, by default, give direct file-sharing access to computer users listed on each other's buddy lists.

Both employers and their employees discovered the hidden dangers of illegal file-sharing in a recent incident involving a popular Internet game. The new game, called Osama Found, secretly steals usernames from certain IM address books. Using those usernames and the direct IM connections, the game automatically sends instant messages with links to a Web page where the game can be downloaded.

Thus, while employees chat away on company time, they can be manipulated to expose their corporate networks to attack. The MyDoom worm was first distributed through P2P networks by file-sharers.

Legal Liabilities Abound

Often, employees also are tempted to use their high-speed connections at work to download songs, movies and software through P2P applications. Besides compromising network security, their association with illegal file-sharing creates legal liabilities for their employers.

"Most companies only worry about bandwidth issues and are not concerned about being sued," said Pereolat. "Especially in the banking and healthcare industries, IT managers have to be concerned about privacy issues."

More often than not, companies aren't aware of software license violations and other infractions their workers commit through file-sharing.

"There is a certain amount of naiveté," Pereolat said. However, the Apreo president said he sees a trend toward greater awareness about these issues, in part because of legal concerns. Corporations are starting to take steps to prevent P2P activities because employees are getting cute in trying to avoid corporate file-sharing policies.

One popular tactic he sees often is that employees reinstall file-sharing software when they want to go shopping for files. Another tactic is renaming executable files to conceal their use.

Popularity Growing

BayTSP provides digital-tracking and compliance-enforcement services. Its clients include three of the top five record labels, six of the top seven film studios and some of the largest software companies in the world. The company issues monthly reports on online piracy issues. Highlights from its March report show that file piracy is a thriving Internet activity.

According to BayTSP, movie piracy rebounded in March, with five films showing increases of 50 percent or more in the number of copies available for download. This is significant because file-sharing had dropped dramatically in February. Some industry watchers suggest the decline resulted from new lawsuits filed by the RIAA. But holding to past trends, file-sharing increased the following month.

Five new films joined the top-10 list of most popular downloads: "Lost in Translation," "The Passion of the Christ," "21 Grams," "50 First Dates" and "Starsky and Hutch."

The BayTSP report noted that use of Kazaa and its underlying Fast Track protocol declined again in March. But this decline was offset by an increase in use of the eDonkey application and protocol.

The March report shows more people returning to file-sharing after a two-month decline. While peer-to-peer network use is on the rise during business hours for downloading, actual uploading of files is down. This shows that file-sharers are using their office and school broadband connections to download but not to share files. The number of users decreased in the evening, but the average number of files shared per user increased, according to BayTSP.

Prevention Is Possible

Two products are taking the lead in curbing file-sharing piracy, at least in the workplace. FaceTime's RTG500 is a network device that delivers complete, nonstop protection from unauthorized IM connections. It also eliminates P2P file-sharing. Apreo's SmartSearch technology finds files based on content so that they are discovered even if they have been renamed or hidden inside compressed files. Its Workstation PolicyShield software provides a signature-identification database to search and disable games, P2P file-sharing programs, instant messaging and spyware applications.

"Most companies have come to realize the business benefits of IM, but its complex nature has left many wondering how it can be managed without the cost of additional IT resources," said Rahul Abhyankar, director of product management at FaceTime Communications. "RTG500 helps to make IM more useful by eliminating rogue IM and P2P use in a very simplified way."

Apreo's software allows approved IM use by providing policies tailored to employees' needs. "Our technology detects P2P applications where they are stored and stops their use," said Pereolat. "We eliminate file-sharing. Our product works in conjunction with inventory products to remove and block reinstallation."

Ultimately, corporations have to take a more proactive stance against file-sharing to prevent its use. "Re-education is needed. People just don't get it," Pereolat said about the lack of concern for security.