
This article is provided courtesy of STQE, the software testing and quality engineering magazine.

Bug Report

Usability and Privacy: A Study of File

by Nathaniel Good and Aaron Krekelberg

THE ’S MOST POPULAR PEER-to-peer (P2P) file-sharing software has a little problem: Users of KaZaA could be shocked to discover that they might be sharing more than they intended. In a study we conducted, 63% of the searches for private email inboxes on KaZaA were successful. Many of these people were sharing much more—some were sharing their whole hard drive. We also discovered a number of users taking advantage of this problem. We set up a machine sharing files such as “credit-cards.xls,” “inbox.dbx,” and “outbox.pst.” A number of users downloaded them. A more recent search revealed that a number of users had acquired quite a collection of inboxes that were in turn being shared for others to download. Conversations on Slashdot, a popular Web forum, were about users who were able to download bank statements, account passwords, Social Security numbers, and more.

How could this happen? While most bugs that make headline news are due to careless software implementations exploited by skilled hackers, the problems in KaZaA center around its user interface. In this article, we’ll look at one of the KaZaA application’s flaws, then suggest ways to prevent such flaws.

Figure 1: Folders KaZaA found when it searched for things to share. Buried in the tip is the fact that all files in that folder and its subfolders are shared.

INFO TO GO

Problems with the KaZaA interface allowed users to unwittingly share their entire hard drive with others.

When designing secure applications, you should make the important obvious. Understand your users’ abilities and assumptions.

Good systems warn users of potential hazards and give users control over critical decisions.

The KaZaA Interface

The default settings vary among different versions of KaZaA. We’ll discuss version 1.71. In this version, file sharing is disabled by default. This means that users can download files from other computers, but their files are shared with no one. The danger comes when the user modifies the settings. For example, suppose a user installing KaZaA already has a number of image files on his disk that he desires to share. How might he do it?

KaZaA provides several interfaces for sharing files. Two are located in the Tools Menu under “Find Shared Files.” Selecting this menu item brings up a dialog with several choices. One choice is to press the “Search Wizard” button and have KaZaA automatically discover files for the user. After searching, the wizard returns a list of folders that it recommends for the user to share with other KaZaA users (see Figure 1). It recommends folders containing documents (such as the default Windows My Documents folder), image files, and multi-media files, such as and . How might this interface cause people to share the wrong files?

One problem with this interface is that it does not describe what criteria it uses to find folders to share. For example, it does not say what files in the “My Documents” folder will be shared, or describe the particular attributes of the “My Documents” folder that caused it to be recommended for sharing. The interface assumes users know what can be shared by a file-sharing program and what the program is looking for.

Another problem is that the “Tip” message (see Figure 1) is the only part of the interface that warns the user about the risk of sharing files they may not want to share. It is unclear whether or not users even read this message, and it is uncertain if they would remember the instructions for stopping the sharing of such files if they did read them. The tip also says that users must remove the files one by one if they choose not to share them. Overall, the search interface makes browsing, searching, and blocking the sharing of specific files within shared folders difficult and tedious.

A final problem is that the dialog in the interface does not contain the complete list of folders KaZaA will share. It will also share any folders contained within those folders. While some users understand hierarchical file systems quite well, some novice users don’t get them at all. For them, finding where things are or where certain programs “put things” can be an intimidating and difficult task. By automatically recursing through directories for files, KaZaA presumes its users have a detailed knowledge of their file systems and their contents.

To find out whether or not users could determine if they were sharing files on KaZaA, we ran a lab study on twelve subjects. All of the users in the study were experienced computer users (spending more than ten hours a week at their computers) and ten of the twelve had used file-sharing programs before, including KaZaA. The subjects were given an installation of KaZaA and asked to determine what files and folders, if any, were being shared. They were given as much time as they needed to explore the KaZaA interface and find the answer.

The results of the study were surprising. Only two of the twelve users were able to determine that the KaZaA installation was sharing all files on the C drive. Most users were surprised to learn that file-sharing software like KaZaA shared files other than music, software, and digital video files. One user exclaimed, “You mean it shares all files?” and expressed concern over why it would be able to share anything other than multi-media files.

Ways to Improve User Interfaces

A simple rule to follow in designing secure applications is that the more important something is, the more obvious it should be. In KaZaA’s case, file sharing, as well as the types of files being shared, should be easy to understand from the first time the application is opened. Instead, users in KaZaA have to traverse several layers of cryptic menus to determine whether they are sharing files. Important functionality, like disabling file sharing, should be easily visible at the front of the application, rather than buried beneath menu hierarchies. The more important the functionality is, the more accessible it should be.

As we noted, one key flaw in the KaZaA interface is that it makes the dangerous assumption that users understand the system as well as the developers do. A key to identifying users’ assumptions is testing with a wide range of users. A few iterations of user testing with a range of actual users should quickly determine the mismatch between the system’s assumptions and the users’ understanding.

It is also important that the default configuration conforms to the basic user’s expectations, as these will most likely be the bulk of people using your application. This can be found out easily by focused interviews early in the development cycle and by user tests at the end.

Users may have a mental model of how the software is working and what it is doing, so the application should try to keep the user informed about the actions it is undertaking and their implications. KaZaA’s search interface (see Figure 1) doesn’t mention what criteria it has used to determine that “My Documents” is a good candidate for sharing with others, and it doesn’t describe what it intends to share in “My Documents.” It relies on the users’ assumptions of what they think the program shares.

Good systems also keep adequate logs to allow users to back up and see what they are doing, and whether it matches their expectations.

In a , all files are not equal, yet KaZaA treats them as so. Password files are very different than cached navigation icons, so the system should know the difference and handle them accordingly. Good systems don’t allow users to shoot themselves in the foot. They provide warnings, give the user control over critical decisions, and do the hard work for the user in a clear, concise manner, rather than shifting the cognitive loads onto the user, making assumptions, and punishing them when they are wrong.

Summary

Usability isn’t about pretty interfaces or snazzy graphics, but about making sure that the users can do the job the software was built for effectively and safely. As we saw in KaZaA, pretty graphics and a slick look and feel did little to prevent people from sharing their personal files with the rest of the community. Knowing your audience and adjusting your program to meet the majority of basic user needs and expectations will save you a lot of headaches down the road. Technology is a tool for people, and if a system is technologically perfect but no one can figure it out, ultimately the technology is useless.

Aaron Krekelberg is a senior developer for the University of Minnesota, Office of Information Technology group.

After graduation with a BSCS from the University of Minnesota, Nathan Good worked at Xerox PARC and HP Labs. His research interests are in human-computer interaction, machine learning, and automated collaborative filtering. Currently, Nathan is a grad student at SIMS, UC, Berkeley.

STQE magazine is produced by Software Quality Engineering.
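
The interface fixes the article argues for (list every subfolder that will actually be shared, treat sensitive file types differently, and require the user to confirm), as an added Python example that is not from the original article or from KaZaA. The function names, the extensions beyond .dbx/.pst/.xls, and the sample folder tree are assumptions constructed for illustration.

```python
import os
import tempfile

# .dbx/.pst/.xls are named in the article; .key/.kdbx are assumed additions.
SENSITIVE_EXTS = {".dbx", ".pst", ".xls", ".key", ".kdbx"}

def is_drive_root(path):
    """True when the folder is a filesystem root such as C:\\ or /."""
    path = os.path.abspath(path)
    return os.path.dirname(path) == path

def share_preview(selected_folders):
    """Expand the folders a user ticked into everything that would be shared."""
    selected = {os.path.abspath(f) for f in selected_folders}
    folders, files, sensitive, warnings = set(), set(), set(), []
    for root in sorted(selected):
        if is_drive_root(root):
            warnings.append(f"{root} is an entire drive")
        # followlinks=False keeps the walk inside the selected tree.
        for dirpath, _dirs, names in os.walk(root, followlinks=False):
            folders.add(dirpath)
            for name in names:
                full = os.path.join(dirpath, name)
                files.add(full)
                if os.path.splitext(name)[1].lower() in SENSITIVE_EXTS:
                    sensitive.add(full)
    hidden = folders - selected
    if hidden:
        warnings.append(f"{len(hidden)} subfolder(s) not listed in the dialog")
    if sensitive:
        warnings.append(f"{len(sensitive)} sensitive file(s) would be shared")
    # Sharing stays off until the user has acknowledged every warning.
    return {"folders": sorted(folders), "files": sorted(files),
            "sensitive": sorted(sensitive), "warnings": warnings,
            "needs_confirmation": bool(warnings)}

def build_sample_tree(base):
    """Constructed sample: a 'My Documents' with pictures and buried mail."""
    docs = os.path.join(base, "My Documents")
    for rel in ("My Pictures/cat.jpg", "Mail/inbox.dbx",
                "Mail/Archive/outbox.pst", "Finance/credit-cards.xls"):
        path = os.path.join(docs, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return docs

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(share_preview([build_sample_tree(tmp)])["warnings"])
```

Selecting only the pictures subfolder produces no warnings, while selecting its parent surfaces the mail and spreadsheet files the user never saw in the folder list.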

www.stqemagazine.com JANUARY/FEBRUARY 2003 STQE 15