File Sharing Leaks Sensitive Federal Data, Lawmakers Are Told

Washington Post Staff Writers
Thursday, July 30, 2009

The indiscriminate use of a popular online data-sharing technology has led to the disclosure of sensitive government and personal information -- including FBI surveillance photos of a Mafia hit man, lists of people with HIV, and motorcade routes and safe-house locations for then-first lady Laura Bush -- a congressional panel was told on Wednesday.

The information is often exposed inadvertently by people who download the technology to share music or other files, not realizing that the "peer-to-peer" software also makes the contents of their computers available to other users, experts said.

The issue is so pressing that the chairman of the House Oversight and Government Reform Committee, Rep. Edolphus Towns (D-N.Y.), said he would introduce a bill to ban such software from all government and contractor computers and networks.

"The administration should initiate a national campaign to educate consumers about the dangers involved with file-sharing software," he said.

Robert Boback, chief executive of Tiversa, a company that scours music- and file-sharing networks on the Internet for sensitive data, said the use of such software is being exploited by foreign governments for espionage and other purposes. "Other countries know how to access this information and they are accessing this information," he said.

Boback told the committee that Tiversa found FBI surveillance photos of an alleged hit man on the Internet while he was still on trial. The company also found the government's confidential witness list for that trial, which included the names of some people in the government's witness protection program. He said the company found the documents while scouring the networks for other data for a client.

Boback, who was asked by the committee not to publicly identify the hit man, said the defendant was recently convicted and sent to prison for life.

"This is not information you want to have out there," he said.

A spokesman for the FBI said late Wednesday that he did not have enough information to comment on the surveillance photos. The Secret Service said that the motorcade routes and safe-house locations are not classified or top secret. Such data is "not of any value" after an event, said Secret Service spokesman Malcolm Wiley. "And if something like that were to emerge before an event, keep in mind, we've got other security countermeasures in place."

In addition to the list of people with HIV, which included Social Security numbers, Tiversa discovered records with full psychological assessments of patients with conditions such as bipolar disorder.

Alan Paller, director of research at SANS Institute, a computer-security training group, said that health data are a new target of organized-crime groups. Experts say a copy of a medical record can fetch money on the Internet black market.

"This is unbelievably sensitive medical data," said Deborah Peel, founder of Patient Privacy Rights, a health-privacy advocacy group. "It has people's names on it from mental-health treatment programs, drug studies. All of these medical files have everything needed for identity theft, the most prominent and frightening consumer issue with electronic systems."

Towns said he would ask the Federal Trade Commission to investigate whether inadequate safeguards on file-sharing software constitute an unfair trade practice.

Mark Gorton, chairman of the Lime Group, which makes LimeWire, one of the most popular peer-to-peer, or P2P, programs, told the committee that the latest version of his company's software makes it extremely difficult to accidentally share sensitive documents.

He said that any effort to regulate the industry would be difficult, as LimeWire is one of hundreds of such software providers. "Most creators of P2P applications are not based in the United States, and may not even be corporations," Gorton said.

The Department of Homeland Security warns that file-sharing technology exposes users' computers to infection, attack or exposure of personal information. It recommends avoiding the software.




© 2009 The Washington Post Company