On July 24, 2007, the US House Committee on Oversight and Government Reform held hearings on the potential threats to national security posed by unintentional file sharing over peer-to-peer (P2P) networks. Testimony presented during the hearings pointed to recent studies by the US House of Representatives Committee on Oversight and Government Reform, the US Patent and Trademark Office, and private researchers that found classified government military orders, confidential corporate-accounting documents, localized terrorist threat assessments, federal workers’ credit card numbers, bank statements, tax returns, and medical records available through various peer-to-peer networks (source).
Previous Leaks
Further examples of inadvertent data leaks via peer-to-peer networks include an incident at the Tokyo Metropolitan Police Department. In this case, a Japanese police officer leaked over 6,000 documents via Winny, a popular peer-to-peer file-sharing network. These documents included reports on interrogations, victim statements from up to 12,000 people, and information regarding the location of city license-plate readers used to track criminals (source).
In another case, the physical security of the Chubu Electronic Power Plant in Japan was compromised when a security contractor for the plant installed Share, a file-sharing application, onto his desktop. This peer-to-peer file-sharing application leaked sensitive information on the location of the control and instrument panel rooms and boilers, and on how the plant deals with intruders (Previous Report).
Finally, a recently launched blog entitled “See What You Share” posted sensitive military data retrieved via various peer-to-peer networks. The blog administrator claimed that he is trying to help the military understand the dangers presented by unregulated file-sharing applications. The administrator claimed to have found documents labeled either “For Official Use Only” or “Secret/NOFORN” – an abbreviation indicating the documents should not be released to foreign nationals (source).
Don’t Blame the Messenger
The knee-jerk reaction to these reported data leaks is to blame peer-to-peer networking technology or individual file-sharing applications. However, common sense dictates that the technology is not the problem; the problem is how people use it. Peer-to-peer networking technology, like any other technology, is inherently neutral. It is just as likely to be used responsibly to reduce costs and increase productivity as it is to be used to improperly provide access to classified or otherwise sensitive data.
To claim that peer-to-peer file-sharing technology is inherently dangerous is also to claim that other Internet-based technologies, like web servers, are inherently dangerous. Both technologies enable users to quickly and efficiently share data with a diverse population of remote users. Conversely, both technologies can be improperly configured to share sensitive data with uncleared users.
Certainly it behooves the producer of a peer-to-peer file-sharing application to explicitly warn the consumer of the potential dangers of the technology and provide easy-to-understand instructions on how to safely install and configure the application. Beyond those baseline responsibilities, the producer of peer-to-peer file-sharing technologies cannot prevent a consumer from ignorantly installing these technologies onto machines that contain sensitive data or moving sensitive data onto machines that run file-sharing applications.
The above examples of data leaks via peer-to-peer file-sharing technology clearly show that many security risks result from the improper use or configuration of otherwise benign technology. To mitigate the potential threats posed by these applications, proper user training, better network administration, and clear policies on the handling of sensitive data are required.