Also unearthed on LimeWire networks in recent days were presidential motorcade routes and a sensitive but unclassified document listing details on every nuclear facility in the country, Robert Boback, CEO of Tiversa Inc. told committee members.
The disclosures prompted the chairman of the committee, Rep. Edolphus Towns, (D-N.Y.), to call for a ban on the use of peer-to-peer (P2P) software on all government and contractor computers and networks. "For our sensitive government information, the risk is simply too great to ignore," said Towns who plans to introduce a bill to enforce just such a P2P ban.
Tiversa is a Cranberry Township, Pa.-based provider of P2P monitoring services. In the past, it has served up dramatic examples of highly sensitive information found on file-sharing networks. In January for instance, the company disclosed how it had discovered sensitive details about the President's helicopter, Marine One, on an Iranian computer after a document leaked out over a P2P network.
Today's hearing continued in that vein, with Tiversa providing new sensational examples of leaked information. Boback showed off a document, apparently from a senior executive of a Fortune 500 company, listing every acquisition the company planned to make -- along with how much it was willing to pay. Also included in the document were still-private details about the company's financial performance. Boback also showed numerous documents listing Social Security numbers and other personal details on 24,000 patients at a health care system, as well as FBI files, including surveillance photos of an alleged Mafia hit man that were leaked while he was on trial. He demonstrated to members of the committee how pedophile predators troll file-sharing networks looking for images and data.
Speaking with Computerworld before the hearing, Boback said that all of the information was readily available on LimeWire's file-sharing network after apparently being leaked. The data on the nuclear sites was found on computers associated with four IP addresses in France, though it is not immediately clear where the data came from. The files containing information about the president and his family had Barack Obama's seal on it and a July date.
Though the information was not classified, it was sensitive enough that under normal circumstances it would not have been available even via a Freedom of Information Act request, he said.
This is the third time that the House Oversight committee has held a hearing on the topic of data leaks on P2P networks. The last hearing was two years ago and featured similar revelations from Tiversa and others.
The problem is well understood, but it remains difficult to stop. The leaks typically occur when a user installs a P2P client such as Kazaa, LimeWire, BearShare, Morpheus or FastTrack on a computer for the purposes of sharing music and other files with others on the network. In many cases, users inadvertently expose not just the files they want to share, but also every other file on their computers.
Boback and others have warned that leaks have resulted in file-sharing networks becoming vast treasure troves of information for identity thieves, corporate spies and even foreign intelligence agencies. That has prompted calls for lawmakers to force software vendors to implement stricter security controls in their applications.
The only vendor at today's hearing was Mark Gorton, chairman of Lime Group LLC, the umbrella organization that runs Lime Wire LLC, developer of LimeWire, which is the most-used P2P client available. Gorton testified two years ago and promised at that time to implement changes in the company's products to make it harder for users to inadvertently share files.
Today he insisted that the company had implemented many of those changes and that the latest version of LimeWire makes it much harder for data to be inadvertently leaked. Those claims were largely rejected by members of the committee, who blasted Gorton for failing to live up to his promises.
Pointing to the examples offered by Boback, Towns said that the file-sharing industry's promises to regulate itself had clearly failed. "Specific examples of recent LimeWire leaks range from appalling to shocking," Towns said. "As far as I am concerned, the days of self-regulation should be over for the file-sharing industry."
Other members want the issue investigated by the Federal Trade Commission, the Securities and Exchange Commission and law enforcement authorities. They said that the continued failure by companies such as LimeWire to take more proactive steps to stop inadvertent file-sharing is tantamount to enabling illegal activity resulting from the data leaks.
Towns plans to meet with the chairman of the FTC to determine whether the failure to stop inadvertent file-sharing constitutes an unfair trade practice by P2P companies.