US gov't leaks data through file sharing

Sensitive files such as US Secret Service safehouse locations, military rosters and IRS tax returns can still be found on file-sharing networks, according to a report to a US House of Representatives committee on Wednesday.

In many cases, it is because US federal government employees or contractors had installed peer-to-peer software on their computers without paying attention to which documents would be shared, Robert Boback, chief executive of P2P intelligence company Tiversa, told the panel.

Boback said Tiversa had found the Secret Service's evacuation plans for the first lady and motorcade routes earlier this year, which led some politicians to announce that new federal laws were necessary to stop inadvertent file sharing.

"I'm planning to introduce a bill," said Edolphus Towns, a New York Democrat who heads a House oversight committee. He said his legislation would limit the use of P2P software on all computer networks operated by the federal government or its contractors.

In addition, the Federal Trade Commission should investigate whether P2P software developers are violating the law and the Obama administration should "undertake a national campaign to educate consumers about the dangers of file-sharing software", Towns said. In April, Towns' committee informed the FTC it had reopened an investigation into inadvertent file sharing.

Peter Welch, a Vermont Democrat, suggested a similar approach. He wanted to know: "whether there's some legal action that should be taken to protect intellectual property, to protect kids from pornography, to protect classified medical information, national security information."

The two-and-a-half hour hearing singled out LimeWire, which is probably the highest-profile P2P client in use today. It is distributed by Manhattan-based Lime Wire, which sells a more featured version called LimeWire Pro, and it uses the BitTorrent and Gnutella networks.

Lime Group chairman Mark Gorton tried to defuse some of the criticism: "The current version of LimeWire does not share any documents by default." He added that many security improvements were included in version 5 of the software — released in December 2008 — that were absent from the previous version.

Gorton also tried to make a more subtle point: the Gnutella network is an amalgamation of scores of various P2P clients, many of which may have different default settings, and Lime Wire should not be held responsible for someone's decision to share files using a program written by a different company. It didn't work.

"It is chilling what the public now has available to it," Towns said. "The idea that you can look at the first lady's information — where she's going, how she's getting there, tax records, things of that nature. We need to get to the bottom of this."

Not helping was the fact that Gorton testified at an earlier hearing in July 2007 on the same topic.

"Mr Gorton, I find your testimony today stunning," said Paul Hodes, a New Hampshire Democrat. "You promised us two years ago you were going to fix LimeWire."

Gorton replied: "LimeWire does not control the computers of people around the country." He later added: "It's not unreasonable to expect that people who install file-sharing software want to share files."

Other suggestions were more extreme. Bill Foster, an Illinois Democrat who's more technically-inclined than most politicians with his doctorate in physics, said "the nuclear option is to block the Gnutella protocol" on a national basis.

But he acknowledged, that was not likely to work. Another option, he said, would be to create a new version of the Gnutella protocol that allowed only limited clients — that curbed what folders or file types could be shared — to connect to it.