WASHINGTON — A House panel heard testimony today about the ongoing vulnerability of peer-to-peer networks, including the alarming contention that data about the Pentagon’s most expensive weapons program is still vulnerable.
Two weeks ago, The Wall Street Journal splashed a story on its front page detailing how intruders were able to access design data about the $300 billion Joint Strike Fighter Project.
“What wasn’t reported in the Wall Street Journal? This was peer-to-peer,” Tiversa CEO Robert Boback told members of the House Subcommittee on Commerce, Trade and Consumer Protection on Tuesday afternoon. “The information, unfortunately, is still on the peer-to-peer [network],” said Boback, whose security firm specializes in analyzing traffic on file-sharing networks.
“This was discovered in January, 2005 — we discovered it. We reported it to the DoD,” he said. “It’s still out there. It’s never been remediated. Awareness is not where it needs to be. Oversight is not where it needs to be.”
Today’s hearing focused on a pair of bills related to data security, including one that would tighten the screws on peer-to-peer networks. The Informed P2P User Act would require file-sharing companies to shore up their policies to guard against users’ sensitive files inadvertently leaking out across peer-to-peer networks.
Security concerns associated with peer-to-peer networks were elevated earlier this year when Tiversa discovered engineering and communications information about the president’s helicopter on a server in Iran, obtained through a peer-to-peer network.
There have also been several reported instances where consumers’ sensitive files, such as tax returns and medical records, have been inadvertently shared over peer-to-peer networks.
The P2P bill was introduced within a week of the helicopter breach.
It seeks to clarify for consumers which files on their computers will be accessible once they connect to a peer-to-peer network and obtain meaningful consent before sharing files, areas where critics charge peer-to-peer networks have been too lax.
“We’ve got truth in lending. We’ve got truth in labeling. I think it’s about time we had truth in networking,” said John Barrow, a Georgia Democrat and co-sponsor of the bill.
But while the witnesses generally agreed that peer-to-peer networks could use a security tune-up to prevent inadvertent sharing, some warned that the bill overreaches.
Eyes on self-regulation
Robert Holleyman, president and CEO of the Business Software Alliance, the trade group that represents the country’s software and hardware industries, told the panel that he supported the spirit of the bill, but that its vague language would impose unnecessary and burdensome restrictions on useful applications, such as automatic Internet security updates.
“We are concerned that this bill could pull in some of the very legitimate applications and uses of peer-to-peer technology.” Holleyman said. “We know that is not the intent of this bill, but as it is written it could reach that breadth.”
There was one full-throated opponent at today’s hearing. Martin Lafferty is the CEO of the Distributed Computing Industry Association, which represents file-sharing firms. Lafferty assured the representatives that those companies have taken vigorous steps to shore up their networks and assure meaningful consent.
Regulation, Lafferty said, would choke off growth and innovation in an industry that has come a long way since the days of Napster, and is today used for a bevy of legal applications.
“To the extent that legitimate consumer concerns persist … we strongly believe they can best be handled by ongoing self-regulation under the oversight of the appropriate federal authority,” Lafferty said.
But he was in the minority. The other witnesses said that they could support the bill — either in its current version or with some modest changes — and the handful of representatives in attendance seemed generally to agree that the threat of inadvertent file-sharing is serious enough that the legislation is necessary.
“Industry’s opportunity to self-regulate has passed,” said Mary Bono Mack, the California Republican who introduced the bill.
The second bill, the Data Accountability and Trust Act, would establish regulations for how companies handle information, requiring, among other things, companies deemed “information brokers” to provide their security policies to the Federal Trade Commission and submit to audits by the agency.
The bill would also impose stricter requirements to notify consumers in the event of a data breach.
Most states already have data-breach notification laws on the books. Privacy-advocacy groups such as the Center for Democracy and Technology (CDT) are generally supportive of the bill’s intent of establishing a nationwide legal framework for protecting consumers in the event of a data breach. Still, they worry that if its requirements are overly broad, it could perversely end up weakening consumer protections by trumping the stronger laws already on the books in some states.
“Preempting state laws in this area is a very significant step,” said David Sohn, senior policy counsel at CDT. “Moving forward, Congress needs to keep in mind that the price of preemption must be strong federal action.”
This is the third time a version of the bill has been brought forward. In the 109th Congress, the bill cleared the House Energy and Commerce Committee, but never made it to a floor vote. The bill stalled in committee in the last Congress.
The Federal Trade Commission would be empowered to enforce both laws.
Under current law, the FTC does not have the authority to pursue civil damages against peer-to-peer firms it finds to be operating in a deceptive manner. Eileen Harrington, the acting director of the FTC’s Bureau of Consumer Protection, said the agency strongly favors both bills. She was quick to point out, however, that the FTC has no interest in wading into the copyright fight that often attends discussions of peer-to-peer file-sharing networks.
The FTC is currently reviewing the security practices of seven of the largest U.S. peer-to-peer networks, and plans to publish the results of its review this summer.