Leaking Through the Cracks – by “Michael C”

Last week, the Federal Trade Commission (FTC) notified close to 100 companies that their employees have been sharing sensitive customer and employee data on P2P file-sharing networks. The FTC did not release the list to the public, but FTC chairman Jon Leibowitz stated that “companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk,” so it is quite possible that some bigger companies were affected, especially those who have many employees who all use computers.

In recent years, with more companies distributing laptops instead of desktops to employees, the problem has grown worse. Users can now take their work home with them, and are therefore more likely to mix their business and personal lives on the same computer, installing file-sharing programs to download their favorite songs, for example. After installing these programs, users are asked what folders they would like to share, and it’s easy for a casual user to breeze through this dialogue, accidentally selecting their documents folder containing all of their (and the company’s) sensitive files.

LimeWire share folder selection
LimeWire share folder selection

This problem has actually become so common that there are “cybercrime gangs” that are dedicated to searching P2P sites to obtain sensitive documents. In their investigation, the FTC reported that they easily found everything from financial records to social security numbers, perfect for use in an identity theft. To test this, I fired up LimeWire, clicked on “documents” (in the search categories) and typed in “taxreturn.pdf.” Sure enough, after only a few seconds, I was able to download someone’s electronic tax return (completed in TurboTax), complete with financial information and social security number! After my experiment, I had no doubts in the FTC’s claims.

Searching LimeWire for taxreturn.pdf
Searching LimeWire for taxreturn.pdf
The downloaded tax return
The downloaded tax return (redacted by me)

The FTC has been pushing for tighter regulation of P2P software for years. They are in favor of legislation that requires P2P file-sharing programs to provide clearer notice about what files are being shared, and make sure that consent is obtained to share those files. Many industry watchers see P2P traffic growing exponentially (by some estimates, up to 400%) in the next few years, so the problem will only get worse. To address this, the government has finally acted—H.R. 1319, or the “Informed P2P User Act,” has been passed by the House and is currently being reviewed by a Senate committee. It would let the FTC place civil penalties on the P2P program distributors who do not meet a certain standard of providing “clear and conspicuous notice, in advance” to users about what specific files and folders the P2P program will share, and obtaining consent from the users before sharing those files on the public P2P network. There is also another bill being reviewed by Senate committee, H.R. 4098, or the “Secure Federal File Sharing Act,” which would require the government to issue rules regarding the use of P2P software by government employees, the people who are likely to have confidential information on their computers.

The issue of accidentally sharing confidential files via P2P has existed for a long time, probably since the advent of Napster. Yet, over ten years later, the Senate is only now considering legislation to make P2P programs safer. Why the delay? It seems like the government ignored the problem for a long time due to the illegal nature of P2P. Perhaps they felt that by creating legislation regarding P2P file sharing, they would be legitimatizing these programs. At this point, however, it is clear that P2P file sharing is not going anywhere anytime soon, and it has become mostly accepted in our society. Therefore, I’m glad that the government is taking steps to make P2P software more secure, rather than just shoving the problem under the rug and hoping that it goes away.

2 thoughts on “Leaking Through the Cracks – by “Michael C”

  1. This actually seems incredibly useless if taken to the extreme that it seems it may be heading to. The fact that you uploaded a photo of LimeWire’s what-folders-do-you-want-to-share screen demonstrates that this is already in effect. I’d be fine with a law requiring all P2P programs to have such an alert and not to simply be able to access everything on the computer, but I do not know how LimeWire, for example, could do any more. The warnings are already there, and, as you point out, “it’s easy for a casual user to breeze through this dialogue”. The fault does not lie with the program, but with the users. I don’t see how increased regulation and mandates on the programs could make up for people not reading before they click.


  2. Yes, it is true that some of the fault lies with the users clicking through without reading. In that case, H.R. 4098 will be useful in preventing government employees from using the programs in general. But, I think one can argue that the P2P programs now don’t really give “clear and conspicuous notice, in advance” about what folders, and especially, what files, will be shared. The folder selection screen that shows upon initial start-up has some default options selected, and it’s easy to just accept the defaults and click “next” without taking a closer look at what’s being shared. After that, no warnings are ever given. If there were a specific, informative warning that popped up saying “Please confirm that you want to share your documents folder, containing the files “taxreturn.pdf,” “Q1 2009 Report.doc,” etc., and possibly showing previews of some of the files, I think it would be more difficult for the casual user to accidentally share confidential information.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s