Napster's program, which lets users see which digital music files other users possess, also exposes their Internet Protocol addresses, according to Internet security consultant Richard Smith. IP addresses are unique strings of numbers that identify users' computers on the Internet.
That could help copyright owners identify and try to prosecute Napster users who may be illegally swapping music.
"Napster has a problem," he said. "It's serious in the sense that they have exposed their users to legal risk."
Napster acknowledged the problem but minimized its importance, saying that IP addresses are not easily procurable except by experienced network experts or hackers, and that individual IP addresses are more often than not obscured behind corporate or Internet service provider firewalls and proxy servers.
"With our product, when you transfer from point to point, the IP address is available to you," said Eddie Kessler, Napster's vice president of engineering. "It's something that a hacker might have access to. In most cases, tracing an individual user would not be possible, but it is possible."
Smith noted that IP addresses are traceable to individuals about a third of the time.
Napster said it is working on hiding its users' IP addresses.
"We're evaluating various technologies that would provide an even higher level of security to our users," Kessler said. "Specifically, they would not make your IP address visible to the person who was downloading content to you."
Kessler would not say when the company expects to implement those changes.
The trend in digital music copyright enforcement has been to target companies and larger institutions like universities rather than individuals. Napster itself is the target of a lawsuit by the Recording Industry Association of America (RIAA), which accused the company of "facilitating piracy" through its forum for letting online users trade unauthorized music files directly from their PCs.
Another company under legal fire from the RIAA is music Web site MP3.com.
Smith said he discovered the Napster security flaw after examining the documentation posted to the Web this week by Stanford University senior David Weekly. Weekly's post irked Napster, which asked him to pull the page. Weekly declined and encouraged the page's dissemination.
Today Kessler said the matter with Weekly will rest there.
"We're not going to play the DVD DeCSS game and try to shut it down," Kessler said, referring to the recent controversy over a piece of software called DeCSS that lets users circumvent copyright controls on DVDs. The Motion Picture Association of America has gone after sites to force them to take down copies of the tool.