Congress: File sharing leaks sensitive data

Sensitive files like Secret Service safehouse locations, military rosters, and IRS tax returns can still be found on file-sharing networks, according to a new report.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.

Sensitive files like Secret Service safehouse locations, military rosters, and IRS tax returns can still be found on file-sharing networks, according to a report to a U.S. House of Representatives committee on Wednesday.

In many cases, that's because federal government employees or contractors installed peer-to-peer software on their computers without paying attention to which documents would be shared, Robert Boback, the chief executive of Tiversa, told the panel.

Boback said his company found the Secret Service's evacuation plans for the first lady and motorcade routes. (See an interview with Tiversa about Marine One documents found on a peer-to-peer network this spring.)

That led some politicians to announce that new federal laws were necessary to stop inadvertent file sharing.

"I'm planning to introduce a bill," said Rep. Edolphus Towns, a New York Democrat who heads a House oversight committee. He said his legislation would limit the use of peer-to-peer software on all computer networks operated by the federal government or its contractors.

In addition, the Federal Trade Commission should investigate whether P2P software developers are violating the law, and the Obama administration should "undertake a national campaign to educate consumers about the dangers of file sharing software," Towns said. (In April, Towns' committee informed the FTC it had reopened an investigation into inadvertent file sharing.)

Rep. Peter Welch, a Vermont Democrat, suggested a similar approach. He wanted to know "whether there's some legal action that should be taken to protect intellectual property, to protect kids from pornography, to protect classified medical information, national security information."

The two-and-a-half-hour hearing singled out LimeWire, which is probably the highest-profile P2P client in use today. LimeWire is distributed by Manhattan-based Lime Wire LLC (which sells a more featureful version called LimeWire Pro) and it uses the BitTorrent and Gnutella networks.

Lime Group chairman Mark Gorton tried to defuse some of the criticism, saying "the current version of LimeWire does not share any documents by default," and many security improvements were added in version 5 of the software--released in December 2008--that were absent from version 4.

Gorton also tried to make a more subtle point: the Gnutella network is an amalgamation of scores of different P2P clients, many of which may have different default settings, and LimeWire shouldn't be held responsible for someone's decision to share files using a program written by a different company.

It didn't work. "It is chilling what the public now has available to it," Towns said. "The idea that you can look at the first lady's information, where she's going, how she's getting there. Tax records, things of that nature...we need to get to the bottom of this."

Not helping was the fact that Gorton testified at an earlier hearing in July 2007 on the same topic.

"Mr. Gorton, I find your testimony today stunning," said Rep. Paul Hodes, a New Hampshire Democrat. "You promised us two years ago you were going to fix LimeWire."

Replied Gorton: "LimeWire does not control the computers of people around the country."

He added later: "It's not unreasonable to expect that people who install file-sharing software want to share files."

Other suggestions were more extreme. Rep. Bill Foster, an Illinois Democrat who's more technically inclined than most politicians (he has a doctorate in physics), said "the nuclear option is to block the Gnutella protocol" on a national basis.

But, Foster acknowledged, that wasn't likely to work. Another option, he said, would be to create a new version of the Gnutella protocol that allowed only limited clients--that curbed what folders or file types could be shared--to connect to it.