July 29, 2009 1:20 PM

Congress: File Sharing Leaks Sensitive Government Data

By Declan McCullagh
(CBS/AP)
Sensitive files including Secret Service safehouse locations, military rosters, and IRS tax returns can still be found on file-sharing networks, according to a report issued to a U.S. House of Representatives committee on Wednesday.

In many cases, that's because federal government employees or contractors installed peer-to-peer software on their computers without paying attention to which documents would be shared, Robert Boback, the chief executive of Tiversa, told the panel.

Boback said his company found the Secret Service's evacuation plans for the first lady and motorcade routes. (See an interview with Tiversa about Marine One documents found on a peer-to-peer network this spring.)

That led some politicians to announce that new federal laws were necessary to stop inadvertent file sharing.

"I'm planning to introduce a bill," said Rep. Edolphus Towns, a New York Democrat who heads a House oversight committee. He said his legislation would limit the use of peer-to-peer software on all computer networks operated by the federal government or its contractors.

In addition, the Federal Trade Commission should investigate whether P2P software developers are violating the law, and the Obama administration should "undertake a national campaign to educate consumers about the dangers of file-sharing software," Towns said. (In April, Towns' committee informed the FTC it had reopened an investigation into inadvertent file sharing.)

Rep. Peter Welch, a Vermont Democrat, suggested a similar approach. He wanted to know "whether there's some legal action that should be taken to protect intellectual property, to protect kids from pornography, to protect classified medical information, national security information."

The two-and-a-half hour hearing singled out LimeWire, which is probably the highest-profile P2P client in use today. LimeWire is distributed by Manhattan-based Lime Wire LLC (which sells a more featureful version called LimeWire Pro) and it uses the BitTorrent and Gnutella networks.

Lime Group chairman Mark Gorton tried to defuse some of the criticism, saying "the current version of LimeWire does not share any documents by default," and many security improvements were added in version 5 of the software -- released in December 2008 -- that were absent from version 4.

Gorton also tried to make a more subtle point: the Gnutella network is an amalgamation of scores of different P2P clients, many of which may have different default settings, and LimeWire shouldn't be held responsible for someone's decision to share files using a program written by a different company.

It didn't work. "It is chilling what the public now has available to it," Rep. Towns said. "The idea that you can look at the first lady's information, where she's going, how she's getting there, tax records, things of that nature. ... we need to get to the bottom of this."

Not helping was the fact that Gorton testified at an earlier hearing in July 2007 on the same topic.

"Mr. Gorton, I find your testimony today stunning," said Rep. Paul Hodes, a New Hampshire Democrat. "You promised us two years ago you were going to fix LimeWire."

Replied Gorton: "LimeWire does not control the computers of people around the country."

He added later: "It's not unreasonable to expect that people who install file-sharing software want to share files."

Other suggestions were more extreme. Rep. Bill Foster, an Illinois Democrat who is more technically inclined than most politicians (he has a doctorate in physics), said that "the nuclear option is to block the Gnutella protocol" on a national basis.

But, Foster acknowledged, that wasn't likely to work. Another option, he said, would be to create a new version of the Gnutella protocol that allowed only limited clients -- that curbed what folders or filetypes could be shared -- to connect to it.


Declan McCullagh is a correspondent for CBSNews.com. He can be reached at declan@cbsnews.com.

  • Declan McCullagh is the chief political correspondent for CNET. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.

by Aaron.Walkhouse August 9, 2009 7:01 AM EDT
At first, all these politicians and "experts" look like total idiots every time they talk about this topic, but when you look at their campaign contributions and funding you realize they are just lobbying and posturing for more cash from copyright leeches again, and their motives have nothing to do with national security.

This time it's the Terrorist/SuperCriminal boogeyman so next time they'll be back with the KiddyPorn poster child or the Omnipotent Identity Thief scarecrow once they realize they are losing their circular argument yet again. They're kind of predictable that way.
by pflatlyne August 1, 2009 3:32 PM EDT
It's so much easier to blame the people who write the software. The real issue is government employees with security clearances not properly controlling classified information. The answer is to find the people who have done this and deal with them. Additionally, there needs to be education and guidelines for dealing with computers that have classified information on them.
What kind of idiot puts a file sharing program on their work laptop anyway? Add on to that that the computer has classified information, and at the least the person should be fired, if not prosecuted for mishandling classified information.

As for the idea of blocking the Gnutella protocol, it's not possible; they will just change it, or people will switch to something else. The idea of making a "safer" protocol is also just as idiotic. No one would ever use it.
I also don't understand why you would ask LimeWire about this issue. Why are they not talking to the security people in the IT departments of the affected agencies? For unbiased information, they should be talking to IT security experts. What we have now is a bunch of people in the House running around like chickens with their heads cut off. What's worse, it's clear that they are trying to use this very real national security issue to push their own crazy agendas. Notice how they are starting to talk about banning Gnutella to get rid of porn (oh yeah, and national security too; yeah, we can fix that while we are at it, ban Gnutella and get rid of all the porn or you help the terrorists).
by eiverson July 30, 2009 4:47 PM EDT
As network administrators have tried to clamp down on P2P usage within their networks, P2P developers have added features to make it harder to detect P2P traffic.

I'd rather we NOT respond to this with creating yet another law. Instead, I'd like to see federal agencies as well as commercial organizations assume greater operational awareness and control over their computers both on and off their enterprise networks:

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/endpoint-control-audit-failure-p2p-software-data-loss-security-breach

Also, if you believe that non-admin accounts prevent P2P software usage, read the blog post above.
by pflatlyne August 1, 2009 3:34 PM EDT
One way to help would be to add the signatures of known P2P software to the virus scanners. There are ways around it, true, but that means that if someone tried to install it, they would have to try to get around it. If you're caught you would be made to attend a security class. If you're caught again, you're fired. Simple solution.
by Aaron.Walkhouse August 9, 2009 6:36 AM EDT
Having antivirus scanners treat all P2P software as malware would be illegal. The FTC wouldn't allow it, and all the AV vendors would fight it too.
by tx_doughboy July 29, 2009 5:53 PM EDT
Two things here folks:
1) No administrator should ever allow government employees the rights to install programs on government computers. Period! It is against all computer industry security best practices.
2) There should have been a firewall to block traffic to the LimeWire networks. Again, computer industry security best practices.

I hate to hear these uneducated politicians crucify the private sector when the government has incompetent systems administrators.