The Congressional Oversight and Government Reform Committee has reopened hearings on possible privacy and security risks posed by using LimeWire and similar peer-to-peer (P2P) file-sharing applications.
The committee on Monday sent letters to Mark Gorton, chairman of The Lime Group, which owns LimeWire; U.S. Attorney General Eric H. Holder Jr.; and Jon Leibowitz, chairman of the U.S. Federal Trade Commission. Rep. Edolphus Towns, D-N.Y., committee chairman, ordered Gorton and Leibowitz to provide answers to a series of questions by May 4.
The committee also directed the attorney general to arrange a full briefing on the Justice Department’s role in protecting Americans from the dangers associated with P2P networks.
The committee hinted at the possibility of legal action against LimeWire in order to curtail certain security risks. The committee said it was particularly interested in learning the extent to which federal law enforcement action may be taken.
However, LimeWire officials said they have implemented software upgrades. The current version of the software, released in early 2009, only exposes files and folders users explicitly designate.
Recurring Disclosures
Government officials were not reacting to a first-time breach. A series of incidents involving private or otherwise sensitive data showing up on sharing networks prompted the committee to reopen the hearings on P2P trading.
“Nearly two years after your commitment to make significant changes in the software, LimeWire and other P2P providers have not taken adequate steps to address this critical problem,” Towns, Rep. Darrell E. Issa, R-Calif., and Rep. Peter Welch, D-Vt., wrote to the Lime Group. The committee last met with LimeWire in hearings to investigate the same type of security lapses in July 2007.
A U.S. Patent and Trademark Office report earlier this year warned that installing P2P software on computers carrying private or secret information could dangerously impact national security by making confidential government information accessible.
Key Examples
The committee’s letter highlighted several examples that rang the congressional alarm bell:
- On Feb. 28, a television station in Pittsburgh reported that the blueprints and avionics package for Marine One, the President’s helicopter, was made available on a P2P network by a defense contractor in Maryland.
- On Feb. 26, the “Today Show” broadcast a segment on inadvertent P2P file-sharing, reporting that Social Security numbers, more than 150,000 tax returns, 25,800 student loan applications, and nearly 626,000 credit reports were easily accessible on a P2P network.
- On Feb. 23, a Dartmouth College professor published a paper reporting that over a two-week period, he was able to search a P2P network and uncover tens of thousands of medical files containing names, addresses and Social Security numbers for patients seeking treatment for conditions such as AIDS, cancer and mental health problems. The professor found links to four major hospitals and 355 insurance carriers that provided health coverage to 4,029 employers and 266 doctors.
- On July 9, 2008, the Washington Post reported that an employee of an investment firm who allegedly used LimeWire to trade music or movies inadvertently exposed the names, dates of birth, and Social Security numbers of about 2,000 of the firm’s clients, including Supreme Court Justice Stephen Breyer.
On the Warpath
The committee is waiting for answers from the Lime Group on several questions designed to determine the extent, if any, of LimeWire software involvement in the improper disclosure of data.
Key to the investigation is the company’s pending response to two questions. One focuses on changes LimeWire’s engineers made to prevent inadvertent file-sharing since Gorton’s testimony on July 24, 2007. The second asks what effective measures exist in the current version of the software.
The committee members also want LimeWire officials to detail whatever tests they performed to assess whether the changes made since July 24, 2007, have been effective.
Measured Response
In response, LimeWire officials acknowledged they understand that Internet safety is paramount.
“We’ve been diligent in working with our trade association (DCIA) and regulatory agency representatives to develop and implement [software upgrades] to protect users against inadvertent file-sharings,” said Linda Lipman, spokesperson for The Lime Group.
Those upgrades include changes in default settings, file-sharing controls, shared folder configurations, user-error protections and sensitive-file-type restrictions, according to the company.
“Our newest version, LimeWire 5.0, by default does not share sensitive file types such as spreadsheets or documents. In fact, the software does not share any file or directory without explicit permission from the user,” Lipman said.
Significant Action
The Congressional committee’s actions are very significant, in light of the huge security risks disclosed, according to Linda Thayer, a partner at intellectual property law firm Finnegan.
The general public does not fully understand how P2P networks operate, she said.
What legal remedies Congress may impose is anybody’s guess, though government agencies can shut down any company to safeguard homeland security, she added.
“I wouldn’t expect the current administration to do something like that under the guise of homeland security. I also have some fear over that, because I’ve seen what the government has done, for example, in controlling encryption,” Thayer told TechNewsWorld.