Web Service Can Breach Computers’ Private Files

TIMES STAFF WRITER

A popular Internet service that locates digital music and video files also has allowed users to peer at any kind of multimedia file stored on many personal computers--sometimes without the owners’ knowledge.

Scour Inc., a Beverly Hills-based new-media company backed by Hollywood super-agent Michael Ovitz, has attracted millions of users eager to tap into what the company boasts is one of the Internet’s biggest collections of digital entertainment.

Scour’s search engine has created a massive entertainment jukebox, which enables users to access any photograph, sound recording or video clip stored on tens of millions of PCs. But the engine also breaks with accepted search tradition, technology experts say, in that some of these multimedia files are up for grabs because many consumers don’t know that they are letting anyone look inside their machines.

Scour’s attorney insists that the company’s search technique is legal. But security experts say that Scour is rattling the virtual front doors of PC owners by providing a one-stop shopping list of computers that are easy to break into because their owners haven’t installed security software known as a firewall.

“To say that all people are giving their permission for Scour to do this is wrong,” said Bruce Forest, director of new-media projects for Viant Inc., an Internet services firm. “The average lug can’t configure a VCR, let alone a secure Internet connection.”

Company officials insist they’re only looking for harmless material that they say consumers have given them tacit approval to scan. They note that the company doesn’t search for sensitive material such as financial documents, although they acknowledge that the software could do just that.

“It may be unfamiliar technology to users, but it’s certainly legal and not uncommon to search publicly available content. . . . You are responsible for your own computer,” Scour co-founder Dan Rodrigues said. “We’re not damaging [anyone’s] computer.” Ovitz declined to comment.

The PCs that are routinely being searched typically have high-speed Internet access and sit in homes where at least two computers have been linked together--and parts of their hard disks opened. That’s only about 20% of all U.S. households that own computers, but researchers predict that 600 million PCs worldwide will be networked by 2003.

Scour’s little-known searching technique illustrates the ongoing problems with personal privacy issues in cyberspace, said Stuart Biegel, a professor of Internet law at UCLA.

“In an age of file-sharing and Napster, where computers and information are all connected, these issues are not going to go away,” Biegel said.

The free service, Scour Exchange, is a file-sharing program that lets people swap music and video files with one another. If members can’t find what they want, they can then use Scour’s search engine to locate their tunes and movies anywhere on the vast Internet. So can anyone who visits the company’s Web site, https://www.scour.com.

What many users don’t know is that Scour’s search engine not only looks over the established public sections of the Net, such as the World Wide Web. It also looks for PCs whose owners have turned on the public file-sharing option and--either intentionally or not--opened their machine’s guts to the world.

Late Thursday afternoon, Scour’s attorney said the company will discontinue its controversial information gathering technique by next month because of new technology.

“We take the privacy of our users very seriously and it’s a top priority,” said Craig Grossman, Scour’s general counsel. “If you review the privacy policies on the site and Scour Exchange, you’ll see that we work very hard to safeguard that privacy.”

What worries critics is not what Scour is doing. They fear that other companies will follow Scour’s lead and start searching for data more sensitive than the latest Britney Spears song.

It all started innocently enough in 1997, years before file-swapping programs such as Napster let college students electronically share their music collections.

Tucked inside the UCLA dorms, Rodrigues and four fellow UCLA computer-science majors combined their student research projects and built a search engine that hunted for multimedia files. The software looked for things that were cool and fun, whether it was movies or music or art.

Like traditional search engines such as AltaVista, Scour’s engine uses robotic software agents, known as “bots” or “spiders,” to crawl about computer networks and scoop up information.

These bots roam freely under the accepted principle that any Web page or download site that does not require a password is a public forum and that the material can be viewed by anyone.

AltaVista, one of the Net’s oldest search companies, lets people look for either text or digital music files. Like Scour, AltaVista’s bots search Web pages and certain download sites, which are public electronic storage spots where people house data that can be downloaded.

“We try to focus on stuff where there seems to be a clear intent to publish or share material,” said Nick Whyte, technical director for AltaVista’s multimedia search group. “That’s why we focused on the Web and FTP [sites], where people [obviously] are saying they want to share their stuff and tell others.”

Scour’s founders looked further: They also send bots to scan for multimedia files stored on any machine that uses a computer protocol called Server Message Block, or SMB.

The protocol is a little-known but crucial standard that allows one machine to connect--and communicate--with another. Most home and corporate networks with computers using Windows rely on SMB.

“If you are using the file or printer-sharing features in Windows, then you are using SMB,” said Noury Bernard-Hasan, a PC group product manager for Microsoft Corp.

Searching via the SMB protocol was a natural--and obvious--step for the young Scour founders. SMB was the way students in the UCLA dorm rooms could share computer files with each other, and they jumped at the chance to add their PCs to Scour’s small but growing list of machines to search, Rodrigues said.

Scour’s searches slowly expanded from machines on the campus to machines on the Internet. The bots continued to scan Web sites, as well as machines using the SMB protocol.

Local buzz about the young company attracted the attention of Ovitz and Yucaipa Cos., the investment vehicle for supermarket magnate Ronald Burkle, who together made a minority investment in Scour in 1999 and moved the company’s offices to Beverly Hills.

Ovitz declined to comment about his investment in Scour or its controversial searching techniques. Officials with Yucaipa Cos. could not be reached for comment.

As the Internet’s popularity grew, the number of people opening their PCs to strangers on the Net--either naively or deliberately--grew as well.

That trend inadvertently allowed Scour’s bots to cross a blurry line that keeps PCs--even ones connected to the Net--firmly in the private world. Because there are dozens of ways to network machines together, it is easy for consumers to forget about their own digital security.

Computer managers at businesses have long relied on software programs known as firewalls to safeguard their corporate networks from intruders. Until recently, however, there has been little demand from consumers for similar programs, largely because few perceived their computers as vulnerable and because firewall programs can be complicated to install and maintain.

But “unless you put up some sort of security--like passwords on shared files or printers, or like a firewall--you’re advertising to other people what you have [on your PC],” said Microsoft’s Bernard-Hasan. He notes that the file-sharing feature, in its default position, is turned off.

Scour officials said their bots seek “public material” through these SMB openings, particularly among Internet users on college campuses and those with high-speed connections that are always on.

“The SMB protocol is a clumsy, error-prone way to do file-sharing. . . . But we wanted to make sure we have as exhaustive a search [for multimedia content on the Net] as we could have,” Rodrigues said.

Scour is dropping the SMB search technique because “it’s not as effective for finding material,” Rodrigues said.

Links to files found this way work only about 20% of the time, Rodrigues said. The bots, for example, are blocked by firewalls. Or if people turn off their PC, then the link to stored music or video files can be useless.

Nevertheless, the company’s search-everywhere approach is attracting Internet users. Nearly 1.5 million people have downloaded the Scour Exchange program, and millions more access the company’s search engine via its Web site. The privately held company declined to discuss its finances, but it draws some revenue from ads on its Web site.

Relying on people’s personal multimedia collections is the same strategy that has launched companies such as Napster into the stratosphere. At least 20 million people have joined the Napster community and allow virtual strangers to go sifting through their PCs in search of hot tunes.

But the difference between Napster and the Scour search engine is in how the companies alert consumers to what is happening to their PCs.

When a person joins Napster, the software specifically asks the user to indicate which folders are open to the public. It also clearly states that by joining Napster, the user is agreeing to let other people pull files and information off their machines.

Scour’s searching via the SMB protocol does not ask people for permission to look.

Scour officials say no one has filed a complaint with them about the searching practice. If anyone did, he or she would be directed to a page on Scour’s Web site where a person’s computer can be removed from the company’s service.

But security and technology experts were flabbergasted by Scour’s rationale. Searching via the SMB protocol crosses the line between what is truly public and what may have become public by accident, they say. Consumers aren’t complaining because they aren’t aware of the practice.

“If I’m a malicious hacker, they’ve identified machines that I can break into,” said Mike Carlton, a software architect with Nomadix Inc., a Westlake Village company that specializes in broadband technologies. “What’s to stop me from looking for .doc files? They’re posting the addresses of all these houses that have their doors unlocked.”

Daniel Huggard, a graduate student at UC Irvine, noticed recently that someone was trying to scan his computer. He was comforted that he had installed a security firewall, which alerts him to intruders and identifies where they come from.

The 28-year-old scanned the firewall’s data logs and located Scour’s bot. Huggard then turned to Internet chat rooms and newsgroups, where he discovered that other people had experienced the same thing.

“I had never heard of them and never downloaded anything of theirs,” Huggard said. “I expect hackers to try something like that, but not a legitimate company.”

*

Times staff writer Ashley Dunn contributed to this report.

(BEGIN TEXT OF INFOBOX / INFOGRAPHIC)

Privacy Problems

Scour Exchange, which combines the file-sharing features of Napster with a search engine, can direct users to multimedia files on personal computers without their owners’ knowledge. Like other search engines, Scour uses robotic software agents, known as bots or spiders, to crawl about the Net and scoop up information. Here is how Napster and Scour Exchange work:

Napster File Sharing

When a person joins Napster, the company’s software asks the user to indicate which folders on his PC are open to the public.

*

How Scour’s Search Engine Works

Unlike with Napster, any multimedia file on your hard drive is available to Scour if you have an Internet connection active, file-sharing software and no security.

*

Source: Times research
