(New Scientist) A research paper highlighting security weaknesses in a popular internet file-sharing network has raised concerns that innocent users could in theory be wrongly accused of sharing copyrighted music.

The Recording Industry Association of America (RIAA), which represents the largest US music companies, has already begun legal action against 261 file-sharers who are accused of sharing “substantial” amounts of copyrighted material through peer-to-peer (P2P) networks.

The RIAA carried out surveillance of P2P networks to determine the usernames of alleged copyright infringers. A subset of these users was then tracked down via their internet service providers.

So far, 52 have agreed to settle with the RIAA for a few thousand dollars each. A further 838 have admitted infringements and promised to destroy illegally obtained files in return for a legal amnesty. An estimated 62 million Americans have used P2P networks, though it is not known how many have illegally shared music.

The anonymous paper, Entrapment: Incriminating Peer to Peer Network Users, was posted to a free Australian web hosting service and suggests some users could claim that the evidence on which they are brought to trial is flawed. Experts contacted by New Scientist say the paper is a credible piece of work.

False request

The document focuses on the Gnutella file-sharing network that forms the backbone of a number of widely-used file-sharing clients including Morpheus and Bearshare.

It describes various techniques that could be used to make it appear to a third party on the Gnutella network as if an innocent user is hosting or searching for copyrighted files. It also describes methods for tricking users into inadvertently downloading copyrighted files so that they actually host these files.

Some of the methods described are made possible because peer-to-peer networks like Gnutella rely on users passing on requests for files and information about the files stored on users’ machines. Manipulating these network messages can make it look as if a user is illegally offering files for download.

“These Gnutella-specific attacks seem reasonable at first glance,” says Adam Langley, a UK-based peer-to-peer programmer. But the techniques described are not surprising, he says: “Gnutella was certainly never designed to resist an attack like this.”

Unreliable evidence

Other experts say the paper raises interesting issues about the ongoing legal furore. “The core point the author is making – the unreliability of the ‘evidence’ used to sue file sharers – is valid,” says Ian Clarke, who invented Freenet, a file-sharing network designed to provide anonymity for users.

Theodore Hong, a peer-to-peer networking researcher at Imperial College London, UK, comments: “It’s interesting that these technical weaknesses may actually be a legal strength [for P2P users] by introducing doubt as to who is really doing what.”

Langley says it is unclear whether other P2P networks might be similarly vulnerable to misuse. But he notes that there are other ways to incriminate an innocent party: “Most Windows users will run any old attachment you send them, so if you want to implicate someone you can just send them a Trojan.”