The modest measure of anonymity afforded to queries does not extend to downloading. Some Gnutella applications, e.g. BearShare, keep logs in standard Web server format of all file requests and downloads. This strengthens the concept of a running instance of BearShare being effectively equivalent to a transient Web site, and it gives the BearShare operator as much visibility into his site's traffic as any Web site operator has: time-stamped records of IP addresses and the files they requested and downloaded. Anonymity in downloading is strengthened to the degree transient Web site operators do not keep or do not review logs, just as with conventional Web sites.
"Sharing" files by hosting them on a transient Web site is only somewhat more anonymous than doing so on a permanent Web site. It is not difficult to detect and track new sites on the public network. Clip2, LimeWire and other endeavors run automated systems that continuously discover host addresses. GnuFrog, a Web-based gateway to Gnutella, discovers transient sites and conveniently rank-orders them by the number of files each has available. In fact, simply connecting a Gnutella application to the network will result in passive discovery of host addresses. BearShare, LimeWire and other servents support browsing of the content available on a given site, making it easy to see the entirety of a user's shared files. In the end, the anonymity enjoyed by the operator of a transient Web site is no stronger than an ISP's records of and policies related to tracking which customers were assigned which IP addresses when.
A scarcity of hyperlinks, a lack of sense of place, a built-in search engine, negligible marketing costs, negligible distribution costs, semi-anonymous broadcast querying, downloading and sharing anonymity dependent on other users and ISPs; from just this partial survey, the transient Web as realized through Gnutella certainly introduces some new wrinkles relative to the Web we're used to. The fun is only beginning, however.
Recent Tales from the Transient Web
The fact that transient Web servers run on end-user PCs puts end-user data at risk of unauthorized or unintentionally authorized exposure. Many users have a limited understanding of what they are doing by running a Gnutella application, and they may wind up exposing much more content to the network than they intended. CNET reported in early February that browser cookie files were not hard to find on the Gnutella network. A search for Netscape's cookies.txt usually turns up a number of hits; searching for the name of a popular Web site may return corresponding Internet Explorer cookie files. Presumably, these "private" files are available on the public network because users unintentionally shared the folders containing them. Worse yet, once the files are made available, other users may download and redistribute them. Once the cat is out of the bag, it's nearly impossible to get it back in. Less frequently, Clip2 has found instances of Microsoft Outlook data files on transient sites. A single outlook.pst file can be extremely compromising in that it contains a combination of e-mail messages, calendar data, contact records, notes and other personal data. Users are well advised to exercise caution when configuring what they "share."
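One way to act on that advice is to audit a folder before pointing a servent at it. The following is an added example, not part of the original article: it flags the file types named above by name and, for renamed copies, by their leading bytes. The `*@*.txt` Internet Explorer naming pattern, the function names and the sample files are assumptions constructed for illustration.

```python
import fnmatch
import os
import tempfile

# File names the article mentions. The "*@*.txt" pattern is an assumption about
# how Internet Explorer named per-site cookie files (user@site.txt).
NAME_PATTERNS = {"cookies.txt": "Netscape cookie file", "*.pst": "Outlook data file",
                 "*@*.txt": "possible Internet Explorer cookie file"}
# Leading bytes that identify the same files after they have been renamed.
MAGIC = {b"!BDN": "Outlook data file (renamed)",
         b"# Netscape HTTP Cookie File": "Netscape cookie file (renamed)"}

def classify(path):
    """Return why a file looks private, or None if nothing matched."""
    name = os.path.basename(path).lower()
    for pattern, reason in NAME_PATTERNS.items():
        if fnmatch.fnmatchcase(name, pattern):
            return reason
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return "unreadable, check by hand"
    for magic, reason in MAGIC.items():
        if head.startswith(magic):
            return reason
    return None

def audit_shared_folder(root):
    """Check every file under root, subfolders included."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def demo():
    """Audit a constructed sample share (not real user files) in a temp dir."""
    samples = {"song.mp3": b"ID3\x03\x00", "cookies.txt": b"# Netscape HTTP Cookie File\n",
               "backup.dat": b"!BDN" + b"\x00" * 16, "alice@example[1].txt": b"session\nabc\n"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        for name, data in samples.items():
            with open(os.path.join(root, "docs", name), "wb") as fh:
                fh.write(data)
        return audit_shared_folder(root)
```

Run `audit_shared_folder` on the real folder before adding it to a servent's shared list; an empty result means none of these patterns matched, not that the folder is safe to share.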
Is it possible that even after setting the "shared" folders with care, data can be compromised unexpectedly? Yes, Gnutella applications could have security vulnerabilities - cookie and other files may be exposed due to bugs in servents - but no such faults have been identified thus far. This concern is a good argument for installing well-supported, well-tested Gnutella servents instead of "unknown" apps. But what if an unknown app installed itself?