FTC Delivers Stern Warning About P2P Data on the Loose

The Federal Trade Commission is getting proactive in trying to reduce the risk of data breaches due to peer-to-peer programs, notifying nearly 100 organizations of data breaches it traced back to file-sharing.

The FTC did not identify the organizations, but said they ranged in size from small businesses to publicly held corporations with tens of thousands of employees. It warned all of the organizations that it was their responsibility to secure their data against theft, noting that in some cases, it was the agency's responsibility to enforce laws mandating data security.

The FTC told businesses to "take a hard look" at their networks to ensure unauthorized P2P programs were not installed, and that those that were authorized were properly configured.

Files Shared Unwittingly

Peer-to-peer programs work by allowing users to designate files to share with other users. Early incarnations of the programs, many copies of which are still in use, employed a shared-folder model: Any files deposited in a specific folder would be available for searching or uploading. That system allowed users to unwittingly expose entire hard drives, or even networks, to peer-to-peer inquiries. Newer versions require that users convert files or selectively choose files to share.

Such software can be a big problem for many companies, said Scott Harrer, brand manager for Tiversa.

The company reported last year that on behalf of its clients, it located 13 million breached files that had made their way to file-sharing sites over the course of the year.

Such data can include medical records, Social Security numbers, payroll records and tax information. Press accounts in recent years have even related the discovery of sensitive national security information on peer-to-peer networks, including the release of information about Marine One, the presidential helicopter

"A lot of people are sharing their entire hard drives, and they don't realize it," Harrer told TechNewsWorld.

What Corporations Should Do

One of the primary problems with P2P software is that it's designed to get around firewall and antivirus protections, said Harrer.

Monitoring for accidental discosure -- Tiversa's stock-in-trade -- can help there, he said.

Another key solution is to keep sensitive data off connected machines, Marty Lafferty, CEO of the Distributed Computing Industry Association, told TechNewsWorld.

By storing sensitive information in devices that can go offline once the need to access the data is gone, such as a USB drive, the risk of inadvertent file-sharing is reduced, he said.

Just as importantly, corporations that pass sensitive data to partners and vendors have to become more aggressive in making sure those firms have vigorous policies regarding P2P use in place.

"Over 90 percent of disclosures we see occurring come from the extended enterprise," Harrer said.

Industry Behind the Effort

Although the FTC's statement was sometimes sternly worded -- reminding companies that they could be subject to legal repercussions if they didn't act to secure data from release over P2P networks -- the agency struck just the right tone in its statement, Lafferty maintained.

The DCIA has been working with the FTC and Congress on this very issue since 1997, he noted.

After all, the growing use of peer-to-peer technology to distribute games, movies and other licensed content relies on an expectation of user safety, said Lafferty. "If their users are not safe, then their users will stop using the software."

P2P software makers have moved beyond the inadvertent sharing problem by requiring users to proactively share files, he noted. Now, there are active efforts to recall all the information that's already out there.

One idea Lafferty mentioned is software that would wrap itself around an improperly shared file and refuse to allow it further passage on P2P networks.