The FTC issued a statement earlier this week regarding its distribution of warning letters to around 100 organizations that have had “sensitive” customer and/or employee data shared on P2P file sharing networks. The agency made clear that although the recipients of the letters are not necessarily the focus of pending legal action, the fact that sensitive data now resides on these P2P networks means that organizations “may” have violated laws enforced by the FTC, including the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, among others.
Organizations receiving the letters ranged from governments to private businesses. “We found health-related information, financial records, and drivers’ license and social security numbers – the kind of information that could lead to identity theft”, warned Jon Leibowitz, FTC Chairman.
A press release issued by the FTC noted that P2P file sharing software, when not configured correctly, can expose files to anyone on the network who cares to look for them. The FTC also gave these organizations links to resources for addressing the problem, including its new business education brochure, Peer-to-Peer File Sharing: A Guide for Businesses.
“If not configured properly, Kazaa, LimeWire, and other P2P file-sharing networks can scoop up files on your computer that you would probably prefer the whole world didn’t have access to”, said Graham Cluley, senior technology consultant at security vendor Sophos. “There are now cybercriminal gangs who scavenge the file-sharing networks, hunting for sensitive work documents such as financial records and social security numbers.”
The FTC said that recipients of the letters should consider informing customers and employees if their data were made available on a P2P network, but it is not requiring such action at this point. According to the notices sent this week: “The fact that a company received a letter does not mean that the company necessarily violated any law enforced by the Commission. Letters went to companies under FTC jurisdiction, as well as entities such as banks and public agencies over which the agency does not have jurisdiction.”
For now, the FTC is leaving it up to each organization to determine if they are in violation of any particular federal or state law, and proper notification and rectification steps are, at this point, at their discretion.
Comments
martylafferty says:
27 February 2010
The Distributed Computing Industry Association (DCIA) supports the statement made by the US Federal Trade Commission (FTC) on Monday, not only with words but also with its actions. The Inadvertent Sharing Protection Working Group (ISPG) is a DCIA-sponsored industry-wide program introduced in July 2008 that has been working with the private sector and FTC staff to address the issues Chairman Leibowitz spoke about in his statement.
Compliance reports began to be compiled and submitted one year ago from top brands representing implementations of P2P technologies ranging from downloading to live-streaming, from open consumer file-sharing environments to secure corporate intranet deployments, and from user-generated to professionally produced content.
Representative examples of these are BitTorrent and LimeWire. In the case of BitTorrent and software programs that use BitTorrent, it is unlikely that a user can inadvertently share data because of the multiple intentional steps involved in converting a file to a .torrent format, uploading it to a tracker, etc. In the case of LimeWire, the company literally rebuilt its software to protect users from accidentally sharing their personal or sensitive data.
The distributed computing industry takes the safety of consumers very seriously. Once this concern was recognized, it responded proactively.
The fact remains, however, that the amount of confidential data that is in distribution on the Internet is cumulative. Material that was accidentally disclosed years ago is still floating around. And more recently leaked data is also accessible. The entire focus of ISPG so far has been to shore up the sources of such unintended file uploads in the first place. Removing items that are already in circulation on the web is a problem of a different order of magnitude and one that this group is just starting to investigate.
The ISPG's best advice now, to parents and children alike, is similar to that given by other Internet software distributors: PLEASE UPGRADE TO THE LATEST VERSION FOR THE BEST PERFORMANCE AND THE SAFEST EXPERIENCE.
For public and private sector institutions that require workers to handle classified information: PLEASE DISCONNECT YOUR COMPUTER FROM THE INTERNET WHILE WORKING ON HIGH-SECURITY PROJECTS AND REMOVE SENSITIVE DATA FROM YOUR DEVICE BEFORE RECONNECTING.
Also, along with actively participating in this program, summarized here, the DCIA encourages file-sharing software distributors to direct users to the Onguard Online website pages dedicated to File-Sharing Safety.
The DCIA was less enthusiastic about news that Senators Amy Klobuchar (D-MN) and John Thune (R-SD) misguidedly introduced legislation on Wednesday "to inform Internet users of the privacy and security risks associated with file-sharing software programs."
Such measures tend to be technologically outdated before they can be finalized and signed into law, result in unintended consequences that stifle commercial innovation, and prove to be unenforceable given that the Internet is a global medium.
The industry has moved to address inadvertent uploading of sensitive data by shoring up the entry points in file-sharing software.
This issue has moved now to institutional policies for managing data securely and to the removal of confidential data already in circulation. Nevertheless, the DCIA will engage with Senate staff to minimize collateral damage.