The views expressed by contributors are their own and not the view of The Hill

P2P survival guide: what users must know

More and more people are using peer-to-peer (P2P) software to move information across the Internet. Although it has useful applications, P2P technology can be a dangerous thing.

P2P programs enable users to share files over the Internet by accessing each other’s hard drives directly, providing benefits for academia, governments, commercial interests and individual computer users. Unfortunately, P2P technology is also used for many unlawful purposes, including copyright violations and distribution of child pornography.

What many do not realize is that P2P is rapidly becoming the technology of choice for cyber criminals like identity thieves. Most computer users have no idea how vulnerable their personal information is when P2P software is downloaded onto their computer. Often, they don’t even know the software is on their computer — for example, a teenager downloading it to the family computer without parental permission.

Imagine all your tax returns, medical records, family photos, your resume, professional records, online bill information, and anything else available to complete strangers. Does this frighten you? It should.

The online exposure problem associated with P2P software was identified over five years ago in multiple congressional hearings, yet despite the industry’s claim that it would self-regulate to prevent this problem, we still see more and more major security and privacy breaches through inadvertent sharing on P2P networks. For example, in February it was discovered that through a P2P network, an IP address in Iran had obtained blueprints and the avionics package for Marine One, the president’s helicopter.

Additionally, an investment firm employee, by allegedly using LimeWire to trade music or movies, inadvertently released the names, dates of birth and Social Security numbers of about 2,000 of the firm’s clients, including Supreme Court Justice Stephen Breyer.

What’s alarming is that these high-profile cases don’t even begin to scratch the surface of this problem. Thousands of pages of personal information including tax records and medical records are still inadvertently making their way onto P2P networks. In a two-week period alone, a Dartmouth College professor was able to uncover tens of thousands of medical files containing names, addresses and Social Security numbers by searching P2P networks, according to his paper published Feb. 23.

Recently, members of the House Committee on Oversight and Government Reform wrote a letter to Lime Wire, LLC, a popular P2P file-sharing site, expressing their concerns about security risks associated with the software. Lime Wire, as it has done in the past, claimed the problem was corrected. In its response letter to Congress, Lime Wire stated, “Lime Wire does all it can to encourage all users to upgrade to LimeWire 5 as the most effective means of file-sharing while still safeguarding private data.”

From looking at past inaction and reviewing its current practices, we should remain skeptical of Lime Wire and the industry’s assurances that the privacy risks associated with their programs are resolved. After all, Lime Wire still permits its older and unsafe versions to be easily downloaded from its website. Perhaps they’re waiting for another letter from Congress to point this out.

People continue to inadvertently share a tremendous amount of personal information, and the P2P industry can no longer be trusted and should not be seen as capable of handling this problem internally.

Computer users have the right to know when and where their personal information is vulnerable, and Congress must take swift action to ensure industry takes meaningful steps to improve security measures for a user’s personal information when they use P2P software. For this reason, I introduced the Informed P2P User Act (H.R. 1319) with Reps. John Barrow (D-Ga.) and Joe Barton (R-Texas), ranking member of the House Subcommittee on Communications, Technology and the Internet. Since its introduction, this bill has generated broad bipartisan support, including from the Federal Trade Commission.

The Informed P2P User Act takes a critical step forward by ensuring people are more aware about what they might be sharing by using P2P networks. Specifically, the legislation prohibits P2P software programs from making files on an authorized user’s computer available for sharing without first providing the user with clear and conspicuous notice and obtaining informed consent of the user.

To ensure people are clearly informed about potential privacy risks, this legislation requires the P2P program to provide notice and obtain consent twice, both when the program is installed and immediately before the file-sharing function is activated. Additionally, the bill makes it unlawful to prevent users from blocking the installation of a P2P program and ensures that reasonable means to disable or remove the program exist.

When it comes to protecting personal information online, being informed can make all the difference. Our world is becoming increasingly dependent on Internet technology, and while we can all potentially benefit through sharing information, we must ensure that this is done in a safe and secure way. Congress shouldn’t default on the side of the P2P industry anymore; we must take action to protect people’s personal information and safeguard our national security.

Bono Mack is a member of the House Subcommittee on Communications, Technology and the Internet.