20 questions for RazorPop
p2pnet.net News:- Alex H recently took RazorPop to task over its apparent lack of foresight in implementing a “Report Child Pornography command” in its TrustyFiles p2p application. The flaw allows users to report a file – any file – to the various organizations who work to combat the proliferation of online child pornography.
The seeming weakness of the reporting system, which could allow large scale spamming of these organizations, was revealed. But RazorPop CEO Marc Freedman was emphatic in his rejection of these claims.
RazorPop, Freedman said in a number of Reader’s Write comments, is merely implementing a system designed by other organizations and believes authorities such as the FBI are the only ones capable of assessing the usefulness of such systems.
But Alex H says Freedman is stonewalling and still thinks more information is required before file sharers can feel safe in using TrustyFiles and other clients which connect to it.
So he’s come up with 20 questions for RazorPop and the other organizations involved in the Child Pornography reporting scheme:
“I’m also interested to know what happens to the ‘false’ reports and whether someone other than the Child Pornography Hotline could get hold of them – like the MPAA, etc,” says Alex.
We will, of course, carry Freedman’s replies in full.
1: Does RazorPop acknowledge that there is an inherent weakness in the TrustyFiles application to allow mass abuse of the reporting feature?
2: If yes, is RazorPop considering the removal of this feature?
3: Considering the decentralized nature of the TrustyFiles application, how does RazorPop intend to “recall” the software from users who have already installed it?
4: How does RazorPop plan to stop the proliferation, through p2p networks, of the TrustyFiles version(s) containing these features?
5: What precisely does P2P PATROL do when “co-coordinating” efforts between p2p developers, private anti-child pornography organizations and the authorities?
6: Are individuals employed by or working for private anti-child pornography organizations required to undergo criminal background checks before commencing their duties?
7: Is the Child Pornography Hotline or any other organization creating a “rejected reports” database of files which do NOT contain child pornography and is any personally identifiable information on the people sharing those files held within that database or another?
8: Will the FBI and/or any similar authority guarantee they will not pursue individuals, reported through the TrustyFiles application, for the sharing of material found NOT to contain child pornography?
9: What protections are there against copyright trade organizations getting access to individuals’ sharing habits?
10: Does the Association of Sites Advocating Child Protection’s Child Pornography Hotline enjoy any type of legal exemption from subpoenas or civil lawsuits which the MPAA/RIAA use to gain access to a “rejected reports” database?
11: Is the Child Pornography Hotline or any other organization creating a database of verified hashes for files containing child pornography?
12: If yes, who is responsible for the appropriate level of security required for this database?
13: Has the security of this database been made available for outside, independent scrutiny and, if so, was it found to be adequate?
14: What systems are in place to deal with the negative effects of a malicious wide scale, mass reporting attack?
15: Is the reporting system (especially the receiving end) able to be simply shut off?
16: If yes, what happens to genuine reports sent in by concerned individuals during an attack period?
17: Will RazorPop be financially aiding any of the private anti-child pornography organizations as a result of their inevitably increased workload due to the TrustyFiles reporting features?
18: What would be RazorPop’s response if developers or users of other P2P clients decided to ban TrustyFiles clients from connecting to them due to security fears?
19: Is RazorPop or any of its employees receiving any type of incentive (financial or otherwise) for implementing the child pornography reporting features?
20: Is RazorPop considering or has RazorPop already implemented any more GPLed code, systems designed by external organizations or other third party add-ons to the TrustyFiles application?
Alex H – Sydney, Australia
[Alex is an operations manager for an ATM (automatic teller machine) supplier and he specialises in infrastructure (development and maintenance) and logistics. He’s also an[other] active member of the Shareaza community.
“I do a lot of ‘dumbing down’ when writing manuals and instructions for equipment,” he told p2pnet. “So I’m used to thinking along the lines of ‘How can I get a complete idiot to understand this? Ah. Tell them to push this button and then that button and we can skip Chapter 18 in the manual’.”]





March 3rd, 2005 at 6:43 am
Alex,
COPYRIGHT INFRINGEMENT
You have a concern that our child porn reporting features will be used for copyright infringement access by the entertainment industry. That frankly is absurd. Individual reports such as those generated by our software are a poor way to collect data. As you yourself have made clear, the reports have low quality, represent limited information, and are an incomplete picture of a person’s actual activity.
The entertainment industry uses organizations like BayTSP with servers and systems that scan the P2P networks to automatically identify, collate, and report suspected infringement. Our reporting is insignificant in comparison in terms of quantity, quality, and accuracy. Even if the entertainment industry could magically obtain a database of our reports it would be worthless and unnecessary to them.
SECURITY
You have a concern about the security of data being processed. The public and private organizations involved already process extremely sensitive data and have systems and procedures in place to handle that. An Internet-generated report could have actual names and incidents. In comparison our software-generated reports tell much less. The addition of our reports has no effect on security.
1: Does RazorPop acknowledge that there is an inherent weakness in the TrustyFiles application to allow mass abuse of the reporting feature?
Any system can be abused. Can people abuse TrustyFiles? Yes.
2: If yes, is RazorPop considering the removal of this feature?
If the processors of the reports and the FBI believe our reporting process is not useful or needs to be changed, through excessive abuse or any other reason, we will remove or change the reports.
3: Considering the decentralized nature of the TrustyFiles application, how does RazorPop intend to “recall” the software from users who have already installed it?
A recall implies a significant defect or harm, which is not the case. There are a number of ways the reports can be interrupted or ignored in the processing chain, which are more elegant solutions compared to any such recall.
4: How does RazorPop plan to stop the proliferation, through p2p networks, of the TrustyFiles version(s) containing these features?
See the answer to 3.
5: What precisely does P2P PATROL do when “co-coordinating” efforts between p2p developers, private anti-child pornography organizations and the authorities?
See the press release at http://biz.yahoo.com/bw/050216/165190_1.html, regarding some of the P2P PATROL’s activity. Contact the DCIA for more information.
6: Are individuals employed by or working for private anti-child pornography organizations required to undergo criminal background checks before commencing their duties?
I don’t know. I suggest you contact them.
7: Is the Child Pornography Hotline or any other organization creating a “rejected reports” database of files which do NOT contain child pornography and is any personally identifiable information on the people sharing those files held within that database or another?
I don’t know. I suggest you contact them.
8: Will the FBI and/or any similar authority guarantee they will not pursue individuals, reported through the TrustyFiles application, for the sharing of material found NOT to contain child pornography?
I don’t know. I suggest you contact them.
9: What protections are there against copyright trade organizations getting access to individuals’ sharing habits?
That is a P2P architecture question. Most P2P protocols make user and file information transparent. So the answer is there are no such protections against anyone. That data is available to any client on that network.
10: Does the Association of Sites Advocating Child Protection’s Child Pornography Hotline enjoy any type of legal exemption from subpoenas or civil lawsuits which the MPAA/RIAA use to gain access to a “rejected reports” database?
I don’t know. I suggest you contact them.
11: Is the Child Pornography Hotline or any other organization creating a database of verified hashes for files containing child pornography?
I don’t know. I suggest you contact them.
12: If yes, who is responsible for the appropriate level of security required for this database?
I don’t know. I suggest you contact them.
13: Has the security of this database been made available for outside, independent scrutiny and, if so, was it found to be adequate?
I don’t know. I suggest you contact them.
14: What systems are in place to deal with the negative effects of a malicious wide scale, mass reporting attack?
See the answer to 3.
15: Is the reporting system (especially the receiving end) able to be simply shut off?
See the answer to 3.
16: If yes, what happens to genuine reports sent in by concerned individuals during an attack period?
If the reporting system was interrupted in some way, no reports would be processed.
17: Will RazorPop be financially aiding any of the private anti-child pornography organizations as a result of their inevitably increased workload due to the TrustyFiles reporting features?
There has been no evidence of an increased workload at this time. If reporting is abused, resulting in a huge increase of reports, the processing organizations have the option of terminating or canceling the reporting service.
18: What would be RazorPop’s response if developers or users of other P2P clients decided to ban TrustyFiles clients from connecting to them due to security fears?
You have not identified any security problems. All data provided by reports is already available on the networks and used by organizations as discussed in COPYRIGHT INFRINGEMENT above.
19: Is RazorPop or any of its employees receiving any type of incentive (financial or otherwise) for implementing the child pornography reporting features?
No.
20: Is RazorPop considering or has RazorPop already implemented any more GPLed code, systems designed by external organizations or other third party add-ons to the TrustyFiles application?
Our TrustyFiles software contains no GPL code.
Marc @ RazorPop
March 4th, 2005 at 8:26 am
…And the Award for Executive Who Knows The Least About His Own Company’s Product goes to…
Marc,
That response was absolutely ridiculous. You don’t appear to know much about what you’re actually doing with this “feature” and don’t seem to have thought about the unintended consequences of its use.
I am curious about this statement: “Individual reports such as those generated by our software are a poor way to collect data.”
Can I ask why, if they are so bad at data collection, do you use them? If the authorities can use them to track down a pedophile, why would they be useless to anyone else?
Could you at least provide us with a sample report so readers can see what personal information is collected about them?
March 4th, 2005 at 11:27 pm
Alex,
I hope the personal insults you make help you sleep better at night. It’s not an effective strategy if you really want a response.
> You don’t appear to know much about what you’re actually doing
> with this “feature” and don’t seem to have thought about the
> unintended consequences of its use.
I told you what we do and that we are well aware of the potential for the abuse. You asked about other companies and organizations. I cannot and will not speak for them.
> I am curious about this statement: “Individual reports such as those
> generated by our software are a poor way to collect data.”
> Can I ask why, if they are so bad at data collection, do you use
> them? If the authorities can use them to track down a pedophile,
> why would they be useless to anyone else?
Information has different value during an investigation. A tip that comes gift-wrapped with the reporter’s name, the alleged perpetrator’s name and address, and detail of illegal incidents has a high level of actionable information, and will likely lead to an immediate investigation of the suspect. An anonymous tip that someone saw something that looked like kiddy porn in a park has a much lower value. That doesn’t mean that lead is worthless. The police may go check the park. The incident will be logged and could be used to heighten park security or in a future investigation.
Similarly a P2P report has limited information. It needs to be filtered, qualified and verified. No one is going to start an investigation based on it. But it can be used at law enforcement’s discretion to establish a watchlist for files and IPs, and in ongoing and future investigations if relevant.
> Could you at least provide us with a sample report so readers can
> see what personal information is collected about them?
As I said before, it contains hash, file name, file size, IP of party sharing the file (blank if it’s a file the user downloaded). Here’s an actual report (I did ‘x’ out the last 2 pairs of IP digits).
sha1:RXZLV3QTDRPJB65VKYFUZR5PEDJLY7EVname:14 yo son fucks mom while 12 sister watches incest porn preteen kiddy Sexy Teen Girl porno ass vaginal p.mpgsize:54414336ip:82.197.xxx.xxxport:6346idx:0
Marc @ RazorPop
March 5th, 2005 at 2:00 am
That report looks exactly like the type of information sent in an MPAA DMCA take down notice.
Yes, I just checked a BayTSP Infringement Notice: it has all the same info provided in your TrustyFiles report. And you say 90% of reports DO NOT contain child porn? So what happens to all the other reports which may contain copyright infringing files? It would appear that you’re doing BayTSP’s work for them by collecting all this info. Will you be informing users of TrustyFiles AND all the other clients TrustyFiles connects to that TF users can help other organizations harvest information on their sharing habits?
How can any user be confident that the information in these reports won’t find its way to another organization? What if the CP Hotline gets strapped for cash and SELLS the reports to the MPAA or another organization?
Oh and for the record, a personal insult (if you wish to take my comments as an insult) does not have to be devoid of fact.
March 6th, 2005 at 1:04 am
Alex, that report is essentially a Magnet link, which is industry-standard for encoding file data. There is nothing unique or special about it, and nothing that other software doesn’t already generate or display. The relevant data identifying a file and a user is the same – file name, size, hash, IP – so these links and reports are all going to look the same. No mystery or conspiracy.
As to your other concerns I’ve answered them previously and so won’t repeat them yet again.
You have this great fear that these reports are somehow going to find their way into the wrong hands. But you miss the salient points. This data is already publicly available and used, displayed, and/or generated in most clients. It’s already recorded, collected, analyzed, and used by BayTSP and others in a much more effective fashion than individual reports like this.