Over the last few years, the popularity of peer-to-peer filesharing has exploded, leaving widespread filesharing lawsuits and traffic management policies in its wake. But the same features that allow P2P applications to provide lots of bandwidth also make these clients less-than-ideal for maintaining a degree of anonymity and limiting the sharing of documents to a specific set of users. Some computer scientists at the University of Washington think they've overcome that in their new software, called OneSwarm, but they may have opened up a can of worms in the process.

The basics of OneSwarm are pretty simple. The software consists of a server app that appears to be written in Java, allowing it to run on Linux, the Mac, and Windows. All interactions with the OneSwarm system beyond that, however, take place in a browser—the app's authors say all the major players other than IE are capable of handling the system. The software is back-compatible with BitTorrent, meaning it functions fine as a generic P2P client.

But the software's specialty is adding a layer of social networking on top of P2P sharing. When first starting up on a user's machine, OneSwarm creates a unique cryptographic key, which it uses to encrypt its IP address information. Other users can only find you, and thus the files you share, if you've established a relationship with them. Although you can create these relations manually, OneSwarm will also piggyback on the GTalk network: provide it your credentials, and it will check to see if your friends there are already using OneSwarm. These two features—backwards compatibility and the leveraging of an existing social network—should go a long way towards solving the early adopter problems that plague social networks.

The social network aspects allow fine-grained control over the sharing of files. Users can pick any combination of friends, groups of friends, etc. to share a specific file with, or can offer it up to the entire OneSwarm network. Because it's running in a browser, the browser's plugins allow content like music and video to stream while partially downloaded.

Peer to anonymous peer

Even if a file is being shared with the entire network, however, it doesn't mean that anyone on the network can tell what you're up to, a feature of P2P software that has landed no end of college students on the wrong end of RIAA discovery motions. Instead, searches for content go out only to a user's immediate friends on the OneSwarm network. If they don't have matching content, they forward the requests on to their friends, and it spreads out into the social network.

When results are returned, they're anonymized at each step back towards the machine that made the request; any machine along the chain of friends only knows about its nearest neighbors. The same thing goes for when parts of the file are shared: all a user can discover is which friend is sending them the chunk of the file they requested. They can't tell whether that chunk came from the friend, or some other computer dozens of hops through the social network. Tests with a network modeled on last.fm data show that the system can fulfill the vast majority of requests, indicating that the limits of the network don't interfere with finding content.

This anonymity is significantly different than encrypted BitTorrent, which attempts to obscure the protocol and the contents of the packets. Each point-to-point connection in OneSwarm uses SSL encryption, though, so the equivalent behavior is built in to the system.

This isn't a complete guarantee of anonymity, as there are a couple of ways to potentially work back to the source of a file, although neither seems especially practical. The easiest is simply access to the systems involved, which could be used to identify the friended systems; access to those could lead people further through the network towards the source of the file, although the number of systems that someone might need access to goes up pretty fast.

It's also possible to envision ways to reconstruct portions of the social network. Suppose an attacker is friends with two members (we'll go with tradition and call them Alice and Bob). By sending requests for a file Alice has to both of them and timing their responses, it should be possible to recognize both that Alice has the file and that Bob is her friend, assuming network congestion isn't too much of a problem. Similar efforts could allow a portion of the local network to be reconstructed, although the computational challenge and influence of network congestion should get larger as requests move further afield. As such, it might be more accurate to describe OneSwarm as practically anonymous.
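The timing argument above can be checked with a small simulation. This is an added example, not code from OneSwarm or its authors; the friend graph, the 40 ms hop latency and the uniform congestion jitter are all constructed assumptions. It measures how often response timing alone ranks Alice as closer to the file than Bob.

```python
import random
from collections import deque

# Constructed friend graph: the observer "M" is friends with Alice and Bob only.
FRIENDS = {
    "M": ["Alice", "Bob"],
    "Alice": ["M", "Bob"],
    "Bob": ["M", "Alice", "Carol"],
    "Carol": ["Bob"],
}
HOLDERS = {"Alice"}   # peers that actually hold the requested file (assumed)
HOP_MS = 40.0         # assumed one-way latency of a single overlay hop

def hops_to_holder(start):
    """Breadth-first search: overlay hops from `start` to the nearest holder."""
    seen, queue = {start, "M"}, deque([(start, 0)])  # never route back via M
    while queue:
        node, dist = queue.popleft()
        if node in HOLDERS:
            return dist
        for friend in FRIENDS[node]:
            if friend not in seen:
                seen.add(friend)
                queue.append((friend, dist + 1))
    return None

def response_time(first_hop, jitter_ms, rng):
    """Round-trip time M observes for a search sent to one of its friends."""
    hops = 1 + hops_to_holder(first_hop)  # M -> friend, then onward to a holder
    # Each hop is crossed twice (request out, reply back), each time with
    # an independent congestion delay drawn from [0, jitter_ms].
    return sum(HOP_MS + rng.uniform(0, jitter_ms) for _ in range(2 * hops))

def inference_accuracy(jitter_ms, trials=2000, seed=1):
    """Fraction of trials in which timing alone ranks Alice closer than Bob."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(trials):
        via_alice = response_time("Alice", jitter_ms, rng)
        via_bob = response_time("Bob", jitter_ms, rng)
        correct += via_alice < via_bob
    return correct / trials
```

With no jitter the ranking is right every time; with jitter ten times the hop latency a single measurement is sometimes wrong, which is the sense in which congestion makes the reconstruction harder.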

Making potential enemies

It's clear that a couple of groups are going to hate this system. ISPs, for one, have enough trouble coping with users that use existing P2P software, which establishes direct connections to the content. For OneSwarm, each node along a network has to download and transfer the data in order to fulfill a request. And, although they've apparently stopped their lawsuit binge, the RIAA would undoubtedly like to reserve the right to start them up again should it feel the need.

But the creators of OneSwarm view P2P distribution as vital to the future growth of the Internet. Michael Piatek, a grad student who works on the project, pointed out that big players, like Google and Amazon, can afford to create a content distribution network with sufficient capacity. Smaller and newer companies can't afford to bring an equivalent data-intensive service to market.

Piatek said, however, that current implementations of P2P allow anyone to track what an individual is downloading, and users aren't likely to flock to a service that lets anonymous groups track, for example, their online television viewing habits. Many commercial filesharing services make few guarantees that the contents of shared files will perpetually remain off-limits to third parties.

OneSwarm's authors also may have bigger fish in mind. In a paper describing their preliminary work on the system, they write, "an explicit non-goal is to provide provably strong anonymity or to eliminate the possibility of monitoring by a highly capable monitoring agent, e.g., governments or law enforcement." It's worth considering how much of what we now know about the actions of authoritarian governments has come through the anonymous smuggling of texts and images.