February 23, 2010
The U.S. government has stepped up its efforts to warn computer users about the security vulnerabilities that come with using peer-to-peer (P2P) file-sharing networks, the most popular of which today are perhaps BitTorrent and LimeWire. The Federal Trade Commission (FTC) reported Monday that it has sent letters to nearly 100 businesses, schools and government organizations warning that personal information, including sensitive data about customers and/or employees, has been shared from their computer networks and is available on P2P networks to any users of those networks. P2P users could use the personal data to commit identity theft or fraud.
P2P began as a seemingly harmless way of allowing computer users to share documents, images, music and other media files. The information flows quickly and easily from PC to PC because there’s no centralized server that needs to route network traffic. Instead, computer users make a portion of their processing power, disk storage or network bandwidth available to others on the network.
The now-defunct Napster file-sharing site illustrates both the good and bad of P2P. The site first popularized P2P in 1999 as a way for computer users to swap digital music files. Within two years, however, Napster’s capacity to facilitate the transfer of copyrighted material led to legal problems that shut down the site, although the Napster brand has been bought and sold several times since then, most recently in 2008 by electronics retailer BestBuy.
Copyright infringement issues aside, the FTC is more concerned now with the prevalence of personal information—health-related information, financial records, driver’s license numbers and Social Security numbers—it claims to have found floating around on P2P networks. In the letters the FTC sent to organizations leaking sensitive data via P2P networks (pdf), the commission points out at least one specific file it found that, in the wrong hands, could be used to commit fraud or identity theft.
Although the FTC’s letters don’t threaten legal action, the agency has in the past prosecuted failures to secure sensitive information through the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and other laws that require health-care organizations and businesses to put in place "reasonable" data security. Last year, CVS Caremark settled a HIPAA violation case with the FTC for $2.25 million. In November, the House Oversight and Government Reform Committee introduced the "Secure Federal File Sharing Act," a bill aimed at restricting the use of P2P file sharing software across the federal government. Given Congress’s other current priorities, namely healthcare reform and the weak economy, it’s not surprising that no action has been taken on the bill since it was introduced.
Some see the FTC’s latest action as a long time in coming. "The FTC has been under pressure to do something for years," Eric Johnson, an operations management professor at Dartmouth College’s Tuck School of Business in Hanover, N.H., wrote in an e-mail to Scientific American. Johnson’s P2P security research has turned up confidential medical files, involving thousands of people, leaked through P2P networks. These medical files include patient billing records and insurance claims containing Social Security numbers, birth dates, medical diagnoses and psychiatric evaluations. "We have been showing that this is a significant issue for the last three years," he adds.
"FTC is finally taking it seriously and 1) warning consumers and 2) going after firms with leaks," Johnson wrote. "Data that simply leaks out of large firms—from banking to healthcare—is a bigger issue than technical hacks in many cases. Criminals simply need to know where to look."