Congress takes on file-sharing, again [UPDATED]
The news that a House committee was reopening its investigation into security risks posed by file-sharing software reminded me of something one of my pals in the computer-security field once told me. The biggest vulnerabilities aren't caused by deficiencies in machines or their software; they're caused by the humans who use them. It's a point that seems lost on the committee.
Ever since successors to Napster's song-swapping program made it possible for users to share any file stored on their PC, people have been unwittingly sharing address books, financial records, resumes and other personal items. They did this because they didn't bother to check which folders the software was offering to the public, or they put items into shared folders that didn't belong there. And they continued to do it even as the programs changed their default modes to force users to be more selective about their sharing. When the file-sharers are using office or government computers, the leaks can be even more damaging. The problem can be mitigated with better software design, but it can't be eliminated -- just as the government can't stop defense contractors from carelessly losing their laptops.
The Oversight and Government Reform Committee had conducted hearings in 2007 into the inadvertent sharing of sensitive and personal information over LimeWire and other peer-to-peer networks. At the time, they extracted a promise from the Lime Group (the company that makes and distributes LimeWire software) to change the program to deter such leaks. But the trade group representing file-sharing companies, the Distributed Computing Industry Assn., had already been working with the Federal Trade Commission on this problem, and it offered to work with the committee as well. In fact, the association had been active on the issue since at least 2004.
Lime Group spokeswoman Linda Lipman told the Associated Press that the latest version of LimeWire software was designed not to share the file types associated with spreadsheets and documents. "In fact, the software does not share any file or directory without explicit permission from the user,” she said. Nevertheless, the chairman and the top Republican on the Oversight and Government Reform Committee -- Reps. Edolphus Towns (D-N.Y.) and Darrell Issa (R-Vista) -- declared in a letter to the Lime Group, "[I]t appears that nearly two years after your commitment to make significant changes in the software, LimeWire and other P2P (peer-to-peer) providers have not taken adequate steps to address this critical problem."
Perhaps the real motive here is to find grounds to ban the software outright, which would please Hollywood but wouldn't solve the problem. Their letter to U.S. Atty. Gen. Eric H. Holder Jr. suggests as much -- it asks whether federal law enforcement efforts can protect people, businesses and the government "from the security risks posed by P2P networks such as LimeWire." They sent a similar inquiry to the FTC. If they were really trying to solve the problem, they would conduct an investigation into what the Pentagon and government agencies were doing to keep file-sharing software off of computers used by their employees and contractors. The right approach here isn't to browbeat Lime Group, it's to demand better security practices by the people who work on the government dime.
Update, 11:40 a.m. Wednesday: Marty Lafferty, the CEO of the Distributed Computing Industry Assn., sent me an e-mail elaborating on the trade group's efforts to deter inadvertent sharing. According to Lafferty, the DCIA's Inadvertent Sharing Protection Working Group, formed two years ago, has worked with federal regulators, the Lime Group and other P2P software providers to develop voluntary best practices.
"Since publishing these in 2008," Lafferty wrote, "we have also completed a compliance report that can be reviewed here. As you will see, our industry takes the safety of consumers very seriously. Once this concern was recognized, we responded proactively. Our best advice now – to parents and children alike – is similar to that given by other Internet software distributors: Please upgrade to the latest version for the best performance and the safest experience."
-- Jon Healey