The hidden dangers of illegal downloading

• Unlicensed internet services risk spyware, ad ware, malware, viruses and even identity theft. Yet these dangers are often unknown to downloaders.

The security risks of downloading unlicensed music have been well-publicised, but awareness of them still appears low.

An academic paper by Eric Johnson, ‘Inadvertent Disclosure – Information Leaks in the Extended Enterprise’ (June 2007), examining inadvertent disclosures through P2P networks found that:

• ‘Unrecognised to many of [P2P] users is the serious security threat these networks pose to both corporate and individual security.’
• ‘Confidential and potentially damaging documents have made their way onto these networks. The research also shows that criminals actively search P2P networks hoping to find information that they can exploit.’
• ‘Our analysis clearly reveals a significant information risk firms and individuals face from P2P file sharing networks. ’

According to Symantec, the main vehicle for spreading viruses and malware today is email, but distribution via P2P is also in the top ten list of main propagation vehicles. In the first half of 2007, 15 per cent of all potential infections were propagated by eDonkey.

Specialist technology security company, McAfee, looked at the risk levels of searching the internet. Its report, 'The State of Search Engine Safety' (June 2007), highlights that searches of keywords involving P2P services, such as Limewire, are among the most likely to generate results that activate spyware and viruses once clicked on.

There is evidence that criminals are using file-sharing networks to gather information than can be used to facilitate identity theft. In March 2008, a Seattle court sentenced a man to four years in prison in the first Federal case against someone using file-sharing software to steal identities. Gregory Kopiloff had used the software to search users’ computers for personal financial documents which he used to commit aggravated identity theft to support drug and gambling addictions.

New research also points to the dangers of other forms of infringing downloading. An experiment run by Benjamin Googins, a senior researcher at the international IT software management company CA, showed that a single download from an unauthorised MP3 site resulted in the installation without permission of trojan downloaders, spyware and pop-up ads having a severe impact on his computer's performance.

Consumers are paying a price for these kinds of risks. Americans spent at least US$8 billion in computer repairs, parts and replacement over the past two years as a result of viruses and spyware alone according to Consumer Reports.

Research exposes piracy in the workplace

Companies face significant security risks when employees file-share on corporate networks.

Research conducted by Ipsos-MORI for IFPI in the UK in November 2007 indicates that one in ten office employees are using the workplace to download music, two thirds of them illegally, exposing their employers not only to computer network risks, but to legal risks too.

Nearly half of those who download music illegally in the workplace (43%) know that their employers have a policy on copying, sharing and downloading music – suggesting they disregard rules set by their bosses.

The problem appears to be concentrated among younger workers. The survey indicated that one in five under 25s illegally download music at work. It only takes one person to download an infected file and expose the company to huge risks.

The problem is not restricted to the UK. Research by the Information Systems Audit and Control Association (ISACA) explored the internet behaviour of US employees and found that 15 per cent of respondents indicated they had used P2P at work at least once, with 35 per cent of white collar workers saying they had violated their company’s IT policies at least once.

In Europe, McAfee commissioned a pool of IT managers with research firm ICM across 1,049 IT professionals in the UK, France, Germany, Italy, the Netherlands, Poland, Spain, Sweden, Austria and Switzerland and found that music downloaded from the web came top of a list of perceived threats to security. Despite this, two-thirds of European IT managers admitted that they don't block music downloads to work machines

Recent moves towards encrypting P2P traffic could increase the overall security risks if it is used illicitly on corporate networks. Encrypted P2P prevents security measures such as IT network firewalls from screening the transferred traffic for the threat of viruses or spyware. IFPI urges companies to note this potential threat and take the necessary steps to protect their IT networks.

Workplace piracy in the news

• In September 2007, Citigroup confirmed that it was investigating a data breach where the names, mortgage information and social security numbers from 5,200 customers were inadvertently leaked by an employee using the Limewire P2P application.
• Also in September 2007, a confidential report by consultancy firm Booz-Allen Hamilton for the Federal Transit Administration on the US bus and rail networks leaked on P2P, resulting in a major security lapse.
• In June 2007, Pfizer said the names and social security numbers of 17,000 current and former employees were leaked after the partner of an employee downloaded file-sharing software onto a company laptop.
• In July 2007, a Congressional committee in Washington heard testimony from experts that inadvertent file-sharing on P2P networks could pose a significant problem in terms of breach of confidential data and could threaten national security.

IFPI has produced and distributed free copyright and security guides for companies and for academic institutions that can be downloaded here. Organisations seeking advice on how to improve or implement their policies on copyright should contact IFPI.

This article appears in the IFPI Digital Music Report 2008. Click here to download the full report.