Federal Trade Commission links wide data breach to file sharing

By Cecilia Kang
Washington Post Staff Writer
Tuesday, February 23, 2010

The Federal Trade Commission said Monday that it has uncovered widespread data breaches at companies, schools and local governments whose employees are swapping music, software and movie files over the Internet.

The consumer protection agency said it sent nearly 100 letters to organizations where information on customers and employees -- including health and financial data and Social Security and driver's license numbers -- leaked through peer-to-peer Web services. It warned that the security breaches could lead to identity fraud or theft, and it recommended that the groups review their policies and inform affected users.

"Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers' sensitive information at risk," FTC Chairman Jon Leibowitz said in a news release. The agency said it has launched separate investigations of some companies as a result of its file-swapping inquiry, but it declined to name those firms or detail the scope of the probes.

"Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure," he said.

Privacy and consumer advocates have long urged regulators to address the risks posed by peer-to-peer networks. They say that, for example, an employee at a commercial firm could inadvertently publicize unsecured customer data by using a work computer to download music from a Web service such as BitTorrent, BearShare or LimeWire. Those and other peer-to-peer protocols allow users to grab unsecured files from other users' computers. Unless a company protects its data, many sensitive files could get in the wrong hands.

David Vladeck, director of the FTC's bureau of consumer protection, said in an interview that many companies probably aren't aware that they have made user data public. The review is part of a recent "sweep of the Internet" to understand how peer-to-peer networks affect users' privacy online, he said.

"Peer-to-peer file-sharing programs have legitimate uses but -- particularly when people don't understand their vulnerabilities, and as our sweep showed -- they also have vulnerabilities," he said. "What we're trying to do is raise awareness."

The companies notified of the FTC's investigation range from firms with as few as eight workers to publicly held corporations with tens of thousands of employees.

Security experts say the investigation is the broadest of its kind by the agency and comes amid recent outrage over missteps by Google on how it handled users' data in its recent launch of a new social-networking application, Buzz. Facebook faced similar criticism in December when changes to its privacy policy caused confusion among users and left some of their information more widely available to the public.

Concerns about Internet privacy also have intensified as broadband and other technologies become more widespread. Consumer advocates, for example, are leery of advertisers using global-positioning satellite technology to track cellphone users. Law enforcement officials routinely ask companies with cloud computing applications, such as Microsoft and Yahoo, for information about users, yet there are no clear rules dictating how federal regulators should address those and other issues.

"Everything is coming to a head here and the FTC is acting effectively and prudently in trying to grapple with this very fast moving marketplace," said Jeffrey Chester, executive director of the Center for Digital Democracy.

© 2010 The Washington Post Company