• by Wendy Davis , Staff Writer @wendyndavis, February 22, 2010

Sounding an alarmist note about peer-to-peer networks, the Federal Trade Commission said today it has informed more than 100 schools, business and local governments that sensitive data about their customers and employees has landed on file-sharing networks.

The FTC has notified the organizations and advised them to take remedial steps, including contacting people whose data might have been exposed. The commission additionally said it has launched a probe of other companies to determine whether they exposed private data online -- which could potentially violate laws like the Gramm-Leach-Bliley Act and Fair Credit Reporting Act.

"Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure," FTC chairman Jon Leibowitz said in a statement. "Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing."

The FTC stopped short of recommending that all businesses avoid file-sharing programs, but directed companies to a publication urging them to implement procedures to limit the risk of data breaches.

The FTC's report -- marking the first time the commission investigated data breaches on peer-to-peer networks -- comes several months after Congress probed peer-to-peer networks in response to reports that people were inadvertently sharing private data online. At the time, LimeWire's CEO Mark Gorton told Congress that the company's latest software doesn't share documents by default or, for that matter, share any files without express authorization by users.

Long associated with copyright infringement, peer-to-peer networks already have an image problem. In fact, the Recording Industry Association of America complained this afternoon that the FTC's public statement about peer-to-peer networks doesn't go far enough. "We are grateful to the FTC for recognizing the harmful effects of p2p abuse and raising consumer awareness on this issue. While the warning is welcome, it does not fully address the persistent problems caused by bad actors who profit everyday as they jeopardize privacy and computer networks," Mitch Bainwol, RIAA Chairman & CEO, stated.

"Given the significant job losses endured by the creative community and profound evidence that no business or community is immune from the damaging effects of p2p abuse, what will it take to spur meaningful and long-overdue action against those who profit from nefarious use of p2p?" he added.

But, while there's no question that some people have used peer-to-peer networks to share copyrighted files, or that some people have inadvertently shared private documents via such networks, vilifying the technology itself won't solve either problem.

First of all, peer-to-peer networks have legitimate uses -- including facilitating transfer of files that aren't under copyright.

Additionally -- and possibly even more significantly -- companies easily can and do compromise people's privacy without using peer-to-peer technology. In fact, some of the biggest privacy missteps have had nothing to do with peer-to-peer networks. Last week, Google exposed people's address book contacts with its new Buzz service. Several months ago, Rocky Mountain Bank misdirected an email with confidential account information. In 2007 Facebook's Beacon program shared information about people's retail activity with their friends; the year before AOL released search query data for 650,000 supposedly anonymized users -- some of whom were identified based on their queries alone.

Yes, the FTC is right to warn companies that they are inadvertently exposing confidential data. But the problem doesn't stem from peer-to-peer technology but from the fact that companies don't think through the privacy ramifications of their decisions. And that holds true regardless of whether those decisions involve launching a product like Buzz or storing confidential files on a computer system without implementing the security measures that would prevent them from ending up on peer-to-peer networks.