FTC P2P data leak alarm could give law-makers big stick

FTC says P2P file-sharing networks are leaking sensitive data

The FTC said companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information such as health-related information, financial records, and drivers’ license and social security numbers at risk for identity theft.

It’s the last thing P2P file-sharing network proponents needed to hear: The Federal Trade Commission this week sent letters to almost 100 organizations notifying them that personal information, including sensitive data about customers and employees, has been shared from their computer networks and is available on peer-to-peer (P2P) file-sharing networks to any user of those networks, who could use it to commit identity theft or fraud.

In the notification letters, the FTC urged the entities to review their security practices and, if appropriate, the practices of contractors and vendors, to ensure that they are reasonable, appropriate, and in compliance with the law.


“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure,” said FTC Chairman Jon Leibowitz.

The FTC has been leading the charge for tighter regulation of the P2P industry, and this latest problem is only likely to increase the calls for such regulation. At a hearing last summer the FTC expressed doubts about companies' ability to protect sensitive consumer information on P2P Internet file-sharing networks. It doesn’t help the P2P cause that the technology continues to pop up in bad practices.

Peer-to-peer technology can be used in many ways, such as to play games, make online telephone calls, and, through P2P file-sharing software, share music, video, and documents. But when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network, the FTC said.
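A defender-side check of the kind the FTC letters ask organizations to perform, added here as an illustration (it is not code from the article or from any P2P product): walk the folder a P2P client is configured to share and flag files that look like the sensitive records the FTC describes. The folder layout, the regexes and the sample files are constructed assumptions.

```python
import os
import re
import tempfile

# Constructed patterns for the data types named in the FTC letters;
# tune them to local record formats before relying on them.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_like": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "health": re.compile(r"\b(?:diagnosis|patient id|ICD-?10)\b", re.I),
}
# Document types that have no business in a media share folder at all.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".csv", ".txt", ".qbw"}


def audit_share(share_dir, max_bytes=1_000_000):
    """Walk a P2P share folder and report files that look like they hold
    sensitive records. Returns a sorted list of (relative_path, reason)."""
    findings = []
    for root, _dirs, files in os.walk(share_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, share_dir)
            if os.path.splitext(name)[1].lower() in DOCUMENT_EXTS:
                findings.append((rel, "document type in share folder"))
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", "ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            for label, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(text):
                    findings.append((rel, f"matches {label} pattern"))
    return sorted(findings)


def build_sample_share():
    """Create a constructed share folder: one harmless media-like file and
    one misplaced payroll export. Returns the folder path."""
    share = tempfile.mkdtemp(prefix="p2p_share_")
    with open(os.path.join(share, "song.mp3"), "wb") as fh:
        fh.write(b"ID3\x03\x00fake audio bytes")
    os.makedirs(os.path.join(share, "My Documents"))
    with open(os.path.join(share, "My Documents", "payroll.csv"), "w") as fh:
        fh.write("name,ssn\nJane Doe,123-45-6789\n")  # constructed sample
    return share


if __name__ == "__main__":
    for rel, reason in audit_share(build_sample_share()):
        print(f"{rel}: {reason}")
```

Run against the real share directory of each installed P2P client; any finding is a file to remove from the share before the client makes it available to the network.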

The FTC said that while many P2P file-sharing program developers have voluntarily implemented safeguards against inadvertent sharing of user-originated files in current versions of their programs, it supports legislation that would require distributors of P2P file-sharing programs to provide timely, clear, and conspicuous notice and to obtain consent from consumers regarding the essential aspects of those programs.

Part of the agency’s concern comes from the fact that a number of industry watchers see P2P growing exponentially in the next few years. For example, MultiMedia Intelligence sees P2P traffic growing by 400% in the next five years, from 1.6 to 8 petabytes per month, with licensed P2P growing at ten times that rate as authorized offerings come into their own and new advancements, such as P4P and hybrid services, take hold. Insight Research projected that the worldwide market for P2P and file-sharing will surpass $28 billion per year in revenue for carriers and ISPs over the next three years, according to the Distributed Computing Industry Association (DCIA).

Specifically, the FTC is in favor of adopting the bill known as H.R. 1319, the Informed P2P User Act, which has been passed by the House and is in a Senate committee. It would let the agency obtain civil penalties against distributors who do not meet a baseline standard of providing clear and conspicuous notice, in advance, to consumers about what files a P2P program will share, and of obtaining consent from consumers before making those files available on a P2P network. The proposed legislation also has provisions that should help network administrators keep inappropriate and potentially dangerous P2P file-sharing applications off their computer systems, and it would give the commission authority to seek civil penalties for violations.

Another bill, H.R. 4098, the Secure Federal File Sharing Act, would require the government to issue rules on the use of peer-to-peer file-sharing software by government employees, and for other purposes. It too is in committee.

Meanwhile, the DCIA has said in the past that any such laws would likely be ineffective and would stifle the business opportunities P2P can generate.

In an interview today, Marty Lafferty, CEO of the DCIA, said: “We support the statement made by the US Federal Trade Commission (FTC), not only with words but also with our actions. The Inadvertent Sharing Protection Working Group (ISPG) is a DCIA-sponsored industry-wide program introduced in July 2008 that has been working with the private sector and FTC staff to address the very issues Chairman Leibowitz spoke about in his statement.”

Lafferty went on to say that compliance reports began to be compiled and submitted one year ago from top brands representing implementations of P2P technologies ranging from downloading to live-streaming, from open consumer file-sharing environments to secure corporate intranet deployments, and from user-generated to professionally produced content.

“The fact remains, however, that the amount of confidential data that is in distribution on the Internet is cumulative. Material that was accidentally disclosed years ago is still floating around. And more recent leaked data is also out there. The entire focus of ISPG so far has been to shore up the sources of such unintended file uploads in the first place. Removing items that are already in circulation on the web is a problem of a different order of magnitude and one we are just starting to look into,” Lafferty stated.

P2P industry players include BitTorrent, the most widely used protocol, now with an enterprise offering and many derivatives; eDonkey, which ceased commercial operation but has remained popular as the open-source eMule; Bearshare, which despite the company's acquisition by iMesh has also remained popular as a standalone program; LimeWire, a widely used open-P2P program now integrating a LimeWire Store and new Lime Engine; and Kontiki, spun off by VeriSign and currently used in several major enterprise deployments, including Wells Fargo, GM, and Coca-Cola.

Examples of new and emerging P2P services are Damaka, FrostWire, GigaTribe, Grooveshark, Itiva, LittleShoot, mBit, MyBloop, Ooma, Pownce, Raketu, RedSwoosh, SlapVid, Swapper, Twango, Vudu, and Yoomba, the DCIA noted.
