Lawmakers eye banning P2P use in government following leak in LimeWire of details on presidential motorcades and safe house for First Family
Details about a U.S. Secret Service safe house for the First Family — to be used in a national emergency — were found to have leaked on a LimeWire file-sharing network recently, members of the House Oversight and Government Reform Committee were told this morning.
Also unearthed on LimeWire networks in recent days were presidential motorcade routes and a sensitive but unclassified document listing details on every nuclear facility in the country, Robert Boback, CEO of Tiversa Inc. told committee members.
The disclosures prompted the chairman of the committee Rep. Edolphus Towns, (D-N.Y.), to call for a ban on the use of peer-to-peer (P2P) software on all government and contractor computers and networks. “For our sensitive government information, the risk is simply too great to ignore,” said Towns who plans to introduce a bill to enforce just such a P2P ban.
Tiversa is a Cranberry Township, Pa.-based P2P monitoring services provider that in the past has served up dramatic examples of highly-sensitive information found on file-sharing networks. In January for instance, the company disclosed how it had discovered sensitive details about the President’s helicopter, Marine One, on an Iranian computer after the document leaked over a P2P network.
Today’s hearing continued in that vein, with Tiversa providing new sensational examples of leaked information. Boback showed off a document, apparently from a senior executive of a Fortune 500 company, listing every acquisition the company planned to make — along with how much it was willing to pay. Also included in the document were still-private details about the company’s financial performance. Boback also showed numerous documents listing Social Security numbers and other personal details on 24,000 thousand patients at a health care system and FBI files, including surveillance photos of an alleged Mafia hit man, leaked while he was on trial. He demonstrated to members of the committee how child predators troll file-sharing networking looking for images and data they could use.
Speaking with Computerworld before the hearing, Boback said that all of the information was readily available on LimeWire’s file-sharing network after apparently being leaked. The data on the nuclear sites was found on computers associated with four IP addresses in France, though it is not immediately clear where the data came from. The files containing information about the president had Obama’s seal on it and a July date.
Though the information was not classified, it was sensitive enough that under normal circumstances it would not have been available even with a Freedom of Information Act request, he said.
This is the third-time that the House Oversight committee has held a hearing on the topic of data leaks on P2P networks. The last heaing was two years ago and featured similar revelations from Tiversa and others.
The problem is well-understood but remains difficult to stop. The leaks typically occur when a user installs a P2P client such as Kazaa, LimeWire, BearShare, Morpheus and FastTrack on their computer for the purposes of sharing music and other files with others on the network. In many cases, users inadvertently expose not just the files they want to share, but also every other file on their computers.
Boback and others have warned that leaks have resulted in file-sharing networks becoming a vast treasure trove of information for identity thieves, corporate spies and even foreign intelligence agencies. That’s prompted calls for lawmakers to force software vendors to implement stricter security controls in their apps.
The only vendor at today’s hearing was Mark Gorton, chairman of the Lime Group, the maker of LimeWire, which is the most-used P2P client available. Gorton testified two years ago and promised at the time to implement changes in the company’s products to make it harder for users to inadvertently share files.
Today he insisted that the company had implemented many of those changes and that the latest version of LimeWire makes it much harder for data to be inadvertently leaked. Those claims were largely rejected by members of the committee, who blasted Gorton for failing to live up to his promises.
Pointing to the examples offered by Boback, Towns said that the file-sharing industry’s promises to self-regulate itself had clearly failed. “Specific examples of recent LimeWire leaks range from appalling to shocking,” Towns said. “As far as I am concerned, the days of self-regulation should be over for the file-sharing industry.”
Other members want the issue investigated by the Federal Trade Commission, the Securities and Exchange Commission and law enforcement authorities. They said that the continued failure by companies such as LimeWire to take more proactive steps to stop inadvertent file-sharing is tantamount to enabling illegal activity resulting from the data leaks.
Towns plans to meet with the chairman of the FTC to determine with the failure stop inadvertent file-sharing constitutes an unfair trade practice by P2P companies.