The Congressional Oversight and Government Reform Committee has reopened hearings on possible privacy and security risks posed by using LimeWire and similar peer-to-peer (P2P) file-sharing applications.
The committee on Monday sent letters to Mark Gorton, chairman of The Lime Group, which owns LimeWire; U.S. Attorney General Eric H. Holder Jr.; and Jon Leibowitz, chairman of the U.S. Federal Trade Commission. Rep. Edolphus Towns, D-N.Y., committee chairman, ordered Gorton and Leibowitz to provide answers to a series of questions by May 4.
The committee also directed the attorney general to arrange a full briefing on the Justice Department's role in protecting Americans from the dangers associated with P2P networks.
The committee hinted at the possibility of legal action against LimeWire in order to curtail certain security risks. The committee said it was particularly interested in learning the extent to which federal law enforcement action may be taken.
However, LimeWire officials said they have implemented software upgrades. The current version of the software, released in early 2009, exposes only the files and folders that users explicitly designate.
Recurring Disclosures
Government officials were not reacting to a first-time breach. A series of incidents involving private or otherwise sensitive data showing up on sharing networks prompted the committee to reopen the hearings on P2P trading.
"Nearly two years after your commitment to make significant changes in the software, LimeWire and other P2P providers have not taken adequate steps to address this critical problem," Towns, Rep. Darrell E. Issa, R-Calif., and Rep. Peter Welch, D-Vt., wrote to the Lime Group. The committee last met with LimeWire in hearings to investigate the same type of security lapses in July 2007.
A U.S. Patent and Trademark Office report earlier this year warned that installing P2P software on computers carrying private or secret information could dangerously impact national security by making confidential government information accessible.
Key Examples
The committee's letter highlighted several examples that rang the congressional alarm bell:
- On Feb. 28, a television station in Pittsburgh reported that the blueprints and avionics package for Marine One, the President's helicopter, were made available on a P2P network by a defense contractor in Maryland.
- On Feb. 26, the "Today Show" broadcast a segment on inadvertent P2P file-sharing, reporting that Social Security numbers, more than 150,000 tax returns, 25,800 student loan applications, and nearly 626,000 credit reports were easily accessible on a P2P network.
- On Feb. 23, a Dartmouth College professor published a paper reporting that over a two-week period, he was able to search a P2P network and uncover tens of thousands of medical files containing names, addresses and Social Security numbers for patients seeking treatment for conditions such as AIDS, cancer and mental health problems. The professor found links to four major hospitals and 355 insurance carriers that provided health coverage to 4,029 employers and 266 doctors.
- On July 9, 2008, the Washington Post reported that an employee of an investment firm who allegedly used LimeWire to trade music or movies inadvertently exposed the names, dates of birth, and Social Security numbers of about 2,000 of the firm's clients, including Supreme Court Justice Stephen Breyer.
On the Warpath
The committee is waiting for answers from the Lime Group on several questions designed to determine the extent, if any, of LimeWire software involvement in the improper disclosure of data.
Key to the investigation is the company's pending response to two questions. One focuses on changes LimeWire's engineers made to prevent inadvertent file-sharing since Gorton's testimony on July 24, 2007. The second asks what effective measures exist in the current version of the software.
The committee members also want LimeWire officials to detail whatever tests they performed to assess whether the changes made since July 24, 2007, have been effective.
Measured Response
In response, LimeWire officials acknowledged they understand that Internet safety is paramount.
"We've been diligent in working with our trade association (DCIA) and regulatory agency representatives to develop and implement [software upgrades] to protect users against inadvertent file-sharings," said Linda Lipman, spokesperson for The Lime Group.
Those upgrades include changes in default settings, file-sharing controls, shared folder configurations, user-error protections and sensitive-file-type restrictions, according to the company.
"Our newest version, LimeWire 5.0, by default does not share sensitive file types such as spreadsheets or documents. In fact, the software does not share any file or directory without explicit permission from the user," Lipman said.
Significant Action
The congressional committee's actions are very significant in light of the huge security risks disclosed, according to Linda Thayer, a partner at intellectual property law firm Finnegan.
The general public does not fully understand how P2P networks operate, she said.
What legal remedies Congress may impose is anybody's guess, though government agencies can shut down any company to safeguard homeland security, she added.
"I wouldn't expect the current administration to do something like that under the guise of homeland security. I also have some fear over that, because I've seen what the government has done, for example, in controlling encryption," Thayer told TechNewsWorld.
