July 29, 2009 11:35 AM PDT

Congress: File sharing leaks sensitive data

by Declan McCullagh

Sensitive files like Secret Service safehouse locations, military rosters, and IRS tax returns can still be found on file-sharing networks, according to a report to a U.S. House of Representatives committee on Wednesday.

In many cases, that's because federal government employees or contractors installed peer-to-peer software on their computers without paying attention to which documents would be shared, Robert Boback, the chief executive of Tiversa, told the panel.

Boback said his company found the Secret Service's evacuation plans for the first lady and motorcade routes. (See an interview with Tiversa about Marine One documents found on a peer-to-peer network this spring.)

That led some politicians to announce that new federal laws were necessary to stop inadvertent file sharing.

"I'm planning to introduce a bill," said Rep. Edolphus Towns, a New York Democrat who heads a House oversight committee. He said his legislation would limit the use of peer-to-peer software on all computer networks operated by the federal government or its contractors.

In addition, the Federal Trade Commission should investigate whether P2P software developers are violating the law, and the Obama administration should "undertake a national campaign to educate consumers about the dangers of file sharing software," Towns said. (In April, Towns' committee informed the FTC it had reopened an investigation into inadvertent file sharing.)

Rep. Peter Welch, a Vermont Democrat, suggested a similar approach. He wanted to know "whether there's some legal action that should be taken to protect intellectual property, to protect kids from pornography, to protect classified medical information, national security information."

The two-and-a-half hour hearing singled out LimeWire, which is probably the highest-profile P2P client in use today. LimeWire is distributed by Manhattan-based Lime Wire LLC (which sells a more featureful version called LimeWire Pro) and it uses the BitTorrent and Gnutella networks.

Lime Group chairman Mark Gorton tried to defuse some of the criticism, saying "the current version of LimeWire does not share any documents by default," and many security improvements were added in version 5 of the software--released in December 2008--that were absent from version 4.

Gorton also tried to make a more subtle point: the Gnutella network is an amalgamation of scores of different P2P clients, many of which may have different default settings, and LimeWire shouldn't be held responsible for someone's decision to share files using a program written by a different company.

It didn't work. "It is chilling what the public now has available to it," Towns said. "The idea that you can look at the first lady's information, where she's going, how she's getting there. Tax records, things of that nature...we need to get to the bottom of this."

Not helping was the fact that Gorton testified at an earlier hearing in July 2007 on the same topic.

"Mr. Gorton, I find your testimony today stunning," said Rep. Paul Hodes, a New Hampshire Democrat. "You promised us two years ago you were going to fix LimeWire."

Replied Gorton: "LimeWire does not control the computers of people around the country."

He added later: "It's not unreasonable to expect that people who install file-sharing software want to share files."

Other suggestions were more extreme. Rep. Bill Foster, an Illinois Democrat who's more technically-inclined than most politicians (he has a doctorate in physics), said "the nuclear option is to block the Gnutella protocol" on a national basis.

But, Foster acknowledged, that wasn't likely to work. Another option, he said, would be to create a new version of the Gnutella protocol that allowed only limited clients--that curbed what folders or file types could be shared--to connect to it.

Declan McCullagh is a contributor to CNET News and a correspondent for CBSNews.com who has covered the intersection of politics and technology for over a decade. Declan writes a regular feature called Taking Liberties, focused on individual and economic rights; you can bookmark his CBS News Taking Liberties site, or subscribe to the RSS feed. You can e-mail Declan at declan@cbsnews.com.
by Michichael July 29, 2009 2:24 PM PDT
Oi vey... we seriously need to require that the representatives of our nation have a vague clue of what they're talking about before they try to write laws involving it?

WTB Tech Party.
by unknown unknown July 29, 2009 2:42 PM PDT
"He said his legislation would limit the use of peer-to-peer software on all computer networks operated by the federal government or its contractors."

That's what they should have done two years ago instead of threatening Limewire. Which, as Mr. Gorton points out, they don't know which client was responsible for the leak.

"the nuclear option is to block the Gnutella protocol"

I think there would be some issues with that, both legal and technical.

"But, Foster acknowledged, that wasn't likely to work. Another option, he said, would be to create a new version of the Gnutella protocol that allowed only limited clients--that curbed what folders or file types could be shared--to connect to it."

Is the government going to get in the business of legislating network protocols, or just create it for use in the government?
by Lerianis3 July 29, 2009 6:21 PM PDT
The fact is that these idiots in Congress have NO idea what they are talking about in most cases. Really, p2p programs used by federal agencies should ONLY allow connections to OTHER federal agencies' IP addresses.
Easy solution to this problem, but something that they most likely won't want to do.

Another answer is to simply make their own p2p program, and only use it, with the HIGHEST LEVEL OF ENCRYPTION they can muster on it.
by jake3373 August 1, 2009 9:47 AM PDT
It must have taken a real idiot to install LimeWire on a GOVERNMENT computer and not watch out what he was sharing.
by tech_crazy July 29, 2009 3:11 PM PDT
This is as ridiculous as a burglary victim who had left the door open, blaming the doorlock company for keeping the default state as unlocked. And these morons are paid in the 6 digits!
by Lerianis3 July 29, 2009 6:24 PM PDT
Hey, give them a break (at least the Congressmen). Most Congressmen are pushing 70-80 years old, they have NO idea what the internet is in most cases.
by Raabscuttle July 30, 2009 1:31 PM PDT
Isn't it just a series of tubes?
by jake3373 August 1, 2009 9:48 AM PDT
If they don't know what the Internet is, they shouldn't make laws about it.
I know nothing about what panda bears eat, so I'm not going to make laws restricting their diet.
by shootfirst July 29, 2009 3:29 PM PDT
I thought Google and the cloud would fix all these issues since you wouldn't have any files to share on your computer anymore. Oh, that's right, the cloud sucks for right now and not all files can be kept in the cloud because they will have to live offline on your machine too since the connection to the cloud isn't guaranteed at all times.

IMO anyone who contracts with the government and anyone in the government who installs P2P on machines with sensitive data should be charged with treason and we all know how that is punishable, you can't cure stupidity but you can sure as heck cull it out when it rears its ugly head.
by Lerianis3 July 29, 2009 6:23 PM PDT
No, they should not be charged with treason, because quite a few times they are being ORDERED to do this by their higher-ups. Really, our government should, best case scenario, HAVE NO FREAKING SECRETS in the first place.

Thomas Jefferson, George Washington, etc. made it VERY clear that government should have no secrets outside of wartime in many of their papers.
by SergeM256 July 29, 2009 7:13 PM PDT
It is so ridiculous. Congress is going to legislate routine issue of a proper security procedure. This issue should be resolved at the level of field manual for security procedures.
by krosafcheg July 29, 2009 8:08 PM PDT
You can't fix stupid. Quit trying to regulate ignorant people. You simply can't. The rest of us suffer. For God's sake let's embrace some common sense!
by unknown unknown July 30, 2009 2:10 AM PDT
I just watched the streaming version of this hearing, and to put it mildly, they couldn't have picked a more inept bunch of congress critters. Most were obstinate and ignorant (not new for congress) and any regulation that comes from these hearings will probably reflect that, and we'll all be worse off from the unintended consequences they failed to consider.
by Mekolo August 1, 2009 11:30 PM PDT
This is something that is very bothersome. Many people are at a huge risk for identity theft because of someone's negligence. I for one am very familiar with OPSEC (Operational Security) and have worked on Gov't computers, not once having any disregard for everyone's personal information. I am truly outraged by this incident.
[CNET editor's note: Prohibited spam deleted.]