Observations

Opinion, arguments & analyses from the editors of Scientific American
FTC issues warnings to plug P2P security holes

The views expressed are those of the author and are not necessarily those of Scientific American.

The U.S. government has stepped up its efforts to warn computer users about the security vulnerabilities that come with using peer-to-peer (P2P) file-sharing networks, the most popular of which today are perhaps BitTorrent and LimeWire. The Federal Trade Commission (FTC) reported Monday that it has sent letters to nearly 100 businesses, schools and government organizations warning that personal information, including sensitive data about customers and/or employees, has been shared from their computer networks and is available on P2P networks to any user of those networks. P2P users could use the personal data to commit identity theft or fraud.

P2P began as a seemingly harmless way of allowing computer users to share documents, images, music and other media files. The information flows quickly and easily from PC to PC because there’s no centralized server that needs to route network traffic. Instead, computer users make a portion of their processing power, disk storage or network bandwidth available to others on the network.

The now-defunct Napster file-sharing site illustrates both the good and bad of P2P. The site first popularized P2P in 1999 as a way for computer users to swap digital music files. Within two years, however, Napster's capacity to facilitate the transfer of copyrighted material led to legal problems that shut down the site, although the Napster brand has been bought and sold several times since then, most recently in 2008 by electronics retailer BestBuy.

Copyright infringement issues aside, the FTC is now more concerned with the prevalence of personal information (health-related information, financial records, driver's license numbers and Social Security numbers) it claims to have found floating around on P2P networks. In the letters the FTC sent to organizations leaking sensitive data via P2P networks (pdf), the commission points out at least one specific file it found that, in the wrong hands, could be used to commit fraud or identity theft.
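The leaks the FTC describes happen when a P2P client exports a folder that holds business or medical records rather than media. The following audit script is an added example, not code from the article or from the FTC; it walks the directories a client is configured to share and flags files whose name or contents look like the record types listed above (Social Security numbers, card numbers, diagnoses). The share list, the sample files and the `/nonexistent-home` path are constructed here so the script runs offline; in practice `SHARED_DIRS` would come from the client's own configuration, which this example assumes you can read.

```python
"""Audit folders exposed by a P2P client for files that look like sensitive
records. Constructed example: the demo share and its files are fabricated
so the script runs offline; pass the directories your client actually
exports (assumption: you can read that configuration) to audit_shared_dirs."""
import re
import tempfile
from pathlib import Path

# Content patterns for the personal data the FTC letters describe. The SSN
# regex is deliberately loose: an audit should over-report and let a person
# decide, rather than miss a leaked record.
CONTENT_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){15,16}\b"),
    "medical_diagnosis": re.compile(r"\b(?:diagnosis|ICD-?10|psychiatric)\b", re.I),
}
# File-name hints that a document is a business or medical record, not media.
NAME_HINTS = re.compile(r"(patient|billing|claim|payroll|tax|ssn|confidential|customer)", re.I)
# Media extensions legitimately shared over P2P; other file types get their
# contents inspected.
MEDIA_EXT = {".mp3", ".flac", ".ogg", ".mp4", ".mkv", ".avi", ".jpg", ".png"}


def audit_file(path: Path, max_bytes: int = 1_000_000) -> list[str]:
    """Return the reasons a single file should not be in a shared folder."""
    reasons = []
    if NAME_HINTS.search(path.name):
        reasons.append("name suggests a business/medical record")
    if path.suffix.lower() not in MEDIA_EXT:
        try:
            text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
        except OSError:
            return reasons + ["unreadable"]
        for label, rx in CONTENT_PATTERNS.items():
            if rx.search(text):
                reasons.append(f"content matches {label}")
    return reasons


def audit_shared_dirs(shared_dirs, home=None):
    """Walk every shared directory and collect (path, reasons) findings."""
    findings = []
    home = Path(home or Path.home()).resolve()
    for d in shared_dirs:
        d = Path(d).resolve()
        # Sharing the home directory, or one of its parents, exposes everything.
        if d == home or d in home.parents:
            findings.append((str(d), ["share root contains the whole home directory"]))
        for f in sorted(p for p in d.rglob("*") if p.is_file()):
            reasons = audit_file(f)
            if reasons:
                findings.append((str(f), reasons))
    return findings


def build_demo_share() -> str:
    """Create a constructed share with one benign media file and two risky records."""
    root = Path(tempfile.mkdtemp(prefix="p2p_share_"))
    (root / "music").mkdir()
    (root / "music" / "track01.mp3").write_bytes(b"\x00" * 64)
    (root / "patient_billing_2009.csv").write_text(
        "name,ssn,diagnosis\nJ. Doe,123-45-6789,example diagnosis\n")  # constructed
    (root / "notes.txt").write_text("claim paid to card 4111 1111 1111 1111\n")  # constructed
    return str(root)


if __name__ == "__main__":
    share = build_demo_share()
    for path, reasons in audit_shared_dirs([share], home="/nonexistent-home"):
        print(path, "->", "; ".join(reasons))
```

Run against the demo share, the script reports the billing CSV (record-like name, SSN and diagnosis in the contents) and the notes file (card number), and stays silent on the MP3. The same check, run periodically over the folders a client exports, is the kind of control that would have caught the files the FTC found.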

Although the FTC’s letters don’t threaten legal action, the agency has in the past prosecuted failures to secure sensitive information through the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and other laws that require health-care organizations and businesses to put in place "reasonable" data security. Last year, CVS Caremark settled a HIPAA violation case with the FTC for $2.25 million. In November, the House Oversight and Government Reform Committee introduced the "Secure Federal File Sharing Act," a bill aimed at restricting the use of P2P file sharing software across the federal government. Given Congress’s other current priorities, namely healthcare reform and the weak economy, it’s not surprising that no action has been taken on the bill since it was introduced.

Some see the FTC’s latest action as a long time in coming. "The FTC has been under pressure to do something for years," Eric Johnson, an operations management professor at Dartmouth College’s Tuck School of Business in Hanover, N.H., wrote in an e-mail to Scientific American. Johnson’s P2P security research has turned up confidential medical files, involving thousands of people, leaked through P2P networks. These medical files include patient billing records and insurance claims containing Social Security numbers, birth dates, medical diagnoses and psychiatric evaluations. "We have been showing that this is a significant issue for the last three years," he adds.

"FTC is finally taking it seriously and 1) warning consumers and 2) going after firms with leaks," Johnson wrote. "Data that simply leaks out of large firms—from banking to healthcare—is a bigger issue than technical hacks in many cases. Criminals simply need to know where to look."

Image ©iStockphoto.com/ Alex Slobodkin

7 Comments
1. cassiebates, 4:49 am 02/24/2010

    <a href="http://www.google.com/" rel="dofollow">nice</a>
2. cassiebates, 4:49 am 02/24/2010

    [url=http://www.google.com]nice[/url]
3. cassiebates, 4:50 am 02/24/2010

    [url=http://www.google.com]nice[/url]
4. jtdwyer, 10:46 am 02/24/2010

    The article states: "P2P began as a seemingly harmless way of allowing computer users to share documents, images, music and other media files. The information flows quickly and easily from PC to PC because there's no centralized server that needs to route network traffic. Instead, computer users make a portion of their processing power, disk storage or network bandwidth available to others on the network."

    This is a pretty misleading explanation of P2P. How about: P2P allows people to access each other's computers as file servers.
    This is not only simpler but more accurate.
5. mgasparel, 12:01 pm 02/24/2010

    I don't fully understand how sensitive data was leaked over the p2p network. Were users hosting sensitive files, or did some p2p software cause a security hole that was exploited? When you run something like napster or utorrent, it doesn't automatically allow users to download any file they choose from your computer; you have to specify which files/folders you wish to share.
6. janice33rpm, 10:43 am 02/25/2010

    In David Scott's words, everyone needs to be a mini-Security Officer in the modern organization today. I think Mr. Scott is right: Most individuals and organizations enjoy Security largely as a matter of luck. Anyone else here reading I.T. WARS? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary, an eCulture, for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS, check out a couple links down and read the interview with the author David Scott at Boston's Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium).
7. janice33rpm, 10:44 am 02/25/2010

    (Duplicate of the previous comment, posted one minute later.)
