Sounding an alarmist note about peer-to-peer networks, the Federal Trade Commission said today it has informed more than 100 schools, businesses and local governments that sensitive data about their
customers and employees has landed on file-sharing networks.
The FTC has notified the organizations and advised them to take remedial steps, including contacting people whose data might have
been exposed. The commission additionally said it has launched a probe of other companies to determine whether they exposed private data online -- which could potentially violate laws like the
Gramm-Leach-Bliley Act and Fair Credit Reporting Act.
"Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized
programs are properly configured and secure," FTC chairman Jon Leibowitz said in a statement. "Just as important, companies that distribute P2P programs, for their part, should ensure that their
software design does not contribute to inadvertent file sharing."
The FTC stopped short of recommending that all businesses avoid file-sharing programs, but directed companies to a publication urging them to implement procedures to limit the risk of data breaches.
The FTC's report -- marking the first
time the commission investigated data breaches on peer-to-peer networks -- comes several months after Congress probed peer-to-peer networks in response to reports that people were inadvertently
sharing private data online. At the time, LimeWire's CEO Mark Gorton told Congress that the
company's latest software doesn't share documents by default or, for that matter, share any files without express authorization by users.
Long associated with copyright infringement,
peer-to-peer networks already have an image problem. In fact, the Recording Industry Association of America complained this afternoon that the FTC's public statement about peer-to-peer networks
doesn't go far enough. "We are grateful to the FTC for recognizing the harmful effects of p2p abuse and raising consumer awareness on this issue. While the warning is welcome, it does not fully
address the persistent problems caused by bad actors who profit every day as they jeopardize privacy and computer networks," Mitch Bainwol, RIAA Chairman & CEO, stated.
"Given the significant
job losses endured by the creative community and profound evidence that no business or community is immune from the damaging effects of p2p abuse, what will it take to spur meaningful and long-overdue
action against those who profit from nefarious use of p2p?" he added.
But, while there's no question that some people have used peer-to-peer networks to share copyrighted files, or that some
people have inadvertently shared private documents via such networks, vilifying the technology itself won't solve either problem.
First of all, peer-to-peer networks have legitimate uses --
including facilitating transfer of files that aren't under copyright.
Additionally -- and possibly even more significantly -- companies easily can and do compromise people's privacy without
using peer-to-peer technology. In fact, some of the biggest privacy missteps have had nothing to do with peer-to-peer networks. Last week, Google exposed people's address book contacts with its new
Buzz service. Several months ago, Rocky Mountain Bank misdirected an email with confidential account
information. In 2007 Facebook's Beacon program shared information about people's retail activity with their friends; the year before AOL released search query data for 650,000 supposedly anonymized
users -- some of whom were identified based on their queries alone.
Yes, the FTC is right to warn companies that they are inadvertently exposing confidential data. But the problem stems not
from peer-to-peer technology but from the fact that companies don't think through the privacy ramifications of their decisions. And that holds true regardless of whether those decisions involve
launching a product like Buzz or storing confidential files on a computer system without implementing the security measures that would prevent them from ending up on peer-to-peer networks.