Last week, the Federal Trade Commission (FTC) notified close to 100 companies that their employees had been sharing sensitive customer and employee data on P2P file-sharing networks. The FTC did not release the list to the public, but FTC chairman Jon Leibowitz stated that “companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk,” so it is quite possible that some larger companies were affected, especially those with many computer-using employees.
In recent years, with more companies distributing laptops instead of desktops to employees, the problem has grown worse. Users can now take their work home with them, and are therefore more likely to mix their business and personal lives on the same computer, installing file-sharing programs to download their favorite songs, for example. After installing these programs, users are asked what folders they would like to share, and it’s easy for a casual user to breeze through this dialogue, accidentally selecting their documents folder containing all of their (and the company’s) sensitive files.
This problem has actually become so common that there are “cybercrime gangs” dedicated to searching P2P networks for sensitive documents. In its investigation, the FTC reported that it easily found everything from financial records to social security numbers, perfect for use in identity theft. To test this, I fired up LimeWire, clicked on “documents” (in the search categories) and typed in “taxreturn.pdf.” Sure enough, after only a few seconds, I was able to download someone’s electronic tax return (completed in TurboTax), complete with financial information and social security number! After my experiment, I had no doubts about the FTC’s claims.
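The failure mode described above (a share dialog that lets a user expose their documents folder, and tax records with SSNs turning up as a result) can be caught before the client ever goes online. The following is an added example, not code from the original post or from any P2P client: it audits a constructed share list against the user's sensitive folders and flags files whose names or contents look like tax records or contain SSN-shaped strings. The home path, folder names and file inventory are all constructed for illustration.

```python
"""Audit a P2P client's share configuration for accidental exposure.

Added example (not from the original post). The share list and the file
inventory are constructed; real clients keep settings in client-specific
files, which this example does not parse.
"""
import re
from pathlib import PurePosixPath

# Folders a casual user is most likely to expose by mistake (constructed list).
SENSITIVE_ROOTS = ("Documents", "Desktop", "Downloads")

# SSN shape with the structural rules the SSA publishes: area 000, 666 and
# 900-999 are never issued; the group and serial are never all zeros.
_SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def risky_shares(shared_dirs, home="/home/alice"):
    """Return shared directories that are inside, or contain, a sensitive root.

    Sharing the home directory itself also exposes Documents, so a share that
    is an ancestor of a sensitive root is flagged as well.
    """
    roots = [PurePosixPath(home) / r for r in SENSITIVE_ROOTS]
    flagged = []
    for d in shared_dirs:
        p = PurePosixPath(d)
        if any(p == r or r in p.parents or p in r.parents for r in roots):
            flagged.append(d)
    return flagged


def sensitive_files(inventory):
    """Flag files whose name or extracted text suggests tax records or SSNs.

    `inventory` maps path -> extracted text (constructed here; in practice the
    text would come from a PDF or document text extractor).
    """
    hits = {}
    for path, text in inventory.items():
        reasons = []
        if re.search(r"tax|return|w-?2|1099", PurePosixPath(path).name, re.I):
            reasons.append("tax-document filename")
        if _SSN_RE.search(text):
            reasons.append("SSN pattern in content")
        if reasons:
            hits[path] = reasons
    return hits


if __name__ == "__main__":
    print(risky_shares(["/home/alice/Music", "/home/alice/Documents/Shared", "/home/alice"]))
    print(sensitive_files({"/home/alice/Documents/taxreturn.pdf": "SSN: 123-45-6789",
                           "/home/alice/Music/song.mp3": ""}))
```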
The FTC has been pushing for tighter regulation of P2P software for years. They are in favor of legislation that requires P2P file-sharing programs to provide clearer notice about what files are being shared, and make sure that consent is obtained to share those files. Many industry watchers see P2P traffic growing exponentially (by some estimates, up to 400%) in the next few years, so the problem will only get worse. To address this, the government has finally acted—H.R. 1319, or the “Informed P2P User Act,” has been passed by the House and is currently being reviewed by a Senate committee. It would let the FTC place civil penalties on the P2P program distributors who do not meet a certain standard of providing “clear and conspicuous notice, in advance” to users about what specific files and folders the P2P program will share, and obtaining consent from the users before sharing those files on the public P2P network. There is also another bill being reviewed by Senate committee, H.R. 4098, or the “Secure Federal File Sharing Act,” which would require the government to issue rules regarding the use of P2P software by government employees, the people who are likely to have confidential information on their computers.
The issue of accidentally sharing confidential files via P2P has existed for a long time, probably since the advent of Napster. Yet, over ten years later, the Senate is only now considering legislation to make P2P programs safer. Why the delay? It seems like the government ignored the problem for a long time due to the illegal nature of P2P. Perhaps they felt that by creating legislation regarding P2P file sharing, they would be legitimatizing these programs. At this point, however, it is clear that P2P file sharing is not going anywhere anytime soon, and it has become mostly accepted in our society. Therefore, I’m glad that the government is taking steps to make P2P software more secure, rather than just shoving the problem under the rug and hoping that it goes away.