FTC warns 100 organisations over leaked P2P data
Customer and biz data turning up on Torrents
More than 100 organisations guilty of allowing private data to leak on P2P networks have received warning letters from US consumer watchdog the Federal Trade Commission.
The leaked data – including customer and employee personal information – was left open to download after workers in the affected organisations decided to download content at work without really understanding what they were doing. In the process private files were shared with world + dog.
The offending organisations included schools, local governments, private corporations and small businesses. All were privately urged by the FTC to review their security policies and to apply tighter controls. The FTC issued a statement on this action, which it hopes will act as a wider warning against a real risk.
Sensitive financial data carelessly offered up by filesharers was the basis of an identity theft scam that resulted in a three-year jail sentence for one scallywag last year. Meanwhile, corporate P2P usage has also resulted in police files and even documents relating to nuclear power plants leaking online in Japan.
Sensitive data held by pharmaceutical giant Pfizer leaked onto P2P networks in another incident, after the spouse of a worker at the Viagra manufacturer installed a P2P package on a workplace PC. ®
The Distributed Computing Industry Association (DCIA) supports the statement made by the US Federal Trade Commission (FTC) on Monday, not only with words but also with its actions. The Inadvertent Sharing Protection Working Group (ISPG) is a DCIA-sponsored industry-wide program introduced in July 2008 that has been working with the private sector and FTC staff to address the issues Chairman Leibowitz spoke about in his statement.
Compliance reports began to be compiled and submitted one year ago from top brands representing implementations of P2P technologies ranging from downloading to live-streaming, from open consumer file-sharing environments to secure corporate intranet deployments, and from user-generated to professionally produced content.
Representative examples of these are BitTorrent and LimeWire. In the case of BitTorrent and software programs that use BitTorrent, it is unlikely that a user can inadvertently share data because of the multiple intentional steps involved in converting a file to a .torrent format, uploading it to a tracker, etc. In the case of LimeWire, the company literally rebuilt its software to protect users from accidentally sharing their personal or sensitive data.
The distributed computing industry takes the safety of consumers very seriously. Once this concern was recognized, it responded proactively.
The fact remains, however, that the amount of confidential data that is in distribution on the Internet is cumulative. Material that was accidentally disclosed years ago is still floating around. And more recently leaked data is also accessible. The entire focus of ISPG so far has been to shore up the sources of such unintended file uploads in the first place. Removing items that are already in circulation on the web is a problem of a different order of magnitude and one that this group is just starting to investigate.
The ISPG's best advice now - to parents and children alike - is similar to that given by other Internet software distributors: PLEASE UPGRADE TO THE LATEST VERSION FOR THE BEST PERFORMANCE AND THE SAFEST EXPERIENCE.
For public and private sector institutions that require workers to handle classified information: PLEASE DISCONNECT YOUR COMPUTER FROM THE INTERNET WHILE WORKING ON HIGH-SECURITY PROJECTS AND REMOVE SENSITIVE DATA FROM YOUR DEVICE BEFORE RECONNECTING.
Also, along with actively participating in this program, summarized here, the DCIA encourages file-sharing software distributors to direct users to the Onguard Online website pages dedicated to File-Sharing Safety.
The DCIA was less enthusiastic about news that Senators Amy Klobuchar (D-MN) and John Thune (R-SD) misguidedly introduced legislation on Wednesday "to inform Internet users of the privacy and security risks associated with file-sharing software programs."
Such measures tend to be technologically outdated before they can be finalized and signed into law, result in unintended consequences that stifle commercial innovation, and prove to be unenforceable given that the Internet is a global medium.
The industry has moved to address inadvertent uploading of sensitive data by shoring up the entry points in file-sharing software.
This issue has moved now to institutional policies for managing data securely and to the removal of confidential data already in circulation. Nevertheless, the DCIA will engage with Senate staff to minimize collateral damage.