HEARING OF THE HOUSE OVERSIGHT AND GOVERNMENT REFORM COMMITTEE SUBJECT: INADVERTENT FILE SHARING OVER PEER-TO-PEER NETWORKS: HOW IT ENDANGERS CITIZENS AND JEOPARDIZES NATIONAL SECURITY CHAIRED BY: REPRESENTATIVE EDOLPHUS TOWNS (D-NY) WITNESSES: MARK GORTON, CHAIRMAN, THE LIME GROUP; ROBERT BOBACK, CHIEF EXECUTIVE OFFICER, TIVERSA, INC.; TOM SYDNOR, SENIOR FELLOW AND DIRECTOR, CENTER FOR THE STUDY OF...

Publication: Washington Newsmaker Transcript Database
Publication Date: 29-JUL-09

Article Excerpt
HEARING OF THE HOUSE OVERSIGHT AND GOVERNMENT REFORM COMMITTEE SUBJECT: INADVERTENT FILE SHARING OVER PEER-TO-PEER NETWORKS: HOW IT ENDANGERS CITIZENS AND JEOPARDIZES NATIONAL SECURITY CHAIRED BY: REPRESENTATIVE EDOLPHUS TOWNS (D-NY) WITNESSES: MARK GORTON, CHAIRMAN, THE LIME GROUP; ROBERT BOBACK, CHIEF EXECUTIVE OFFICER, TIVERSA, INC.; TOM SYDNOR, SENIOR FELLOW AND DIRECTOR, CENTER FOR THE STUDY OF DIGITAL PROPERTY, THE PROGRESS AND FREEDOM FOUNDATION LOCATION: 2154 RAYBURN HOUSE OFFICE BUILDING, WASHINGTON, D.C. TIME: 10:00 A.M. EDT DATE: WEDNESDAY, JULY 29, 2009

REP. EDOLPHUS TOWNS (D-NY): Good morning and thank you all for being here. Imagine for a moment that you had a special software on your computer that exposed many of the files on your hard drive to searches by other people. At any time your computer is connected to the internet, other computer users with similar software could simply search your hard drive and copy unprotected files.

Unfortunately, that is a sad reality for many unsuspecting computer users. Peer-to-peer file sharing software like LimeWire works in just that way. Most people who use peer-to-peer software do it to download music and movies over the internet, and most people who use it are totally unaware that they are -- may expose some of the most private files on their computers to being downloaded by others.

Nine years ago, this committee first held a hearing that revealed that government, commercial, and private information was being stolen by peer-to-peer file sharing network unbeknowing (sic) to the users. In response to Congressional pressure, the file sharing software industry agreed to regulate itself, implementing a code of conduct to address inadvertent file sharing.

The efforts failed. Two years ago at our July the 24th, 2007 hearing, LimeWire's CEO Mark Gorton expressed surprise that sensitive personal information was available through LimeWire. He pledged to address the problem. That effort failed.

Over the last year alone, there have been several reports of major security and privacy breaches involving LimeWire, information about electronics for the President's Marine One helicopter, and financial information belonging to Supreme Court Justice Stephen Breyer were leaked on LimeWire.

LimeWire does not deny those reports, but claims that recent changes to the software prevent inadvertent file sharing. To investigate LimeWire's assertion, the committee staff downloaded and explored LimeWire software. The staff found copyrighted music and movies, federal tax returns, government files, medical records, and many other sensitive documents on the LimeWire network.

Security experts from Tiversa found major problems. Specific examples of recent LimeWire leaks range from appalling to shocking. The Social Security numbers and family information for every master sergeant in the Army had been found on LimeWire. The medical records of some 24,000 patients of a Texas hospital were inadvertently released and most of the files are still available on LimeWire. FBI files, including surveillance photos of an alleged Mafia hit man were leaked while he was on trial and before he was convicted.

We were astonished to discover that a security breach involving the Secret Service resulted in the leak of a file on LimeWire containing a safe house location for the First Family. As far as I'm concerned, the days of self-regulation should be over for the filing -- file-sharing industry. In the last administration, the Federal Trade Commission took a see-no-evil, hear-no-evil approach to the file sharing software industry.

I hope the new administration is revisiting that approach, and I hope to work with them on how to better protect the privacy of consumers. Today I look forward to hearing from our witnesses on the impact of peer-to-peer file sharing and in particular how LimeWire proposes to help remedy the problems caused by its software.

I now yield five minutes to the Ranking Member, Congressman Darrell Issa of California.

REP. DARRELL ISSA (R-CA): Thank you, Mr. -- Thank you, Mr. Chairman, and I think as both of us are saying various ways, today is clearly deja vu all over again. Two years ago, July 2007, this committee brought to light in a vivid but altogether all too easy to demonstrate demonstration that in fact over this peer-to-peer network by design or at least by knowing and allowing, unwitted -- unwitting sharing of personal information over this peer-to-peer was in fact not just going on but well known and going on in a rampant way.

I remember all too well the details of the documents, including Social Security number of a soldier with the 101st Airborne and his colleagues. Those Social Security numbers were there for everyone -- name, rank, Social Security number, date and place of birth, and of course anything and everything one would need to capture his identity and his colleagues.

It's very clear that little has changed. In preparation for this hearing we noted that there was a brand new version, a version that in fact that at least went part of the way toward protecting inadvertent loss of documents, but I say part of the way because as you can imagine in the world of the internet we assume that you are protected unless you give up those protections. Not true of this software.

This software required essentially for copyrighted works that you opt in to in fact protecting software rather than have to knowingly make copyrighted software available. You simply don't check and never again will you have to worry about your copy or someone else's copyrighted software being available to everyone.

The committee's jurisdiction and the committee's primary interest today are contained on this disk and could be contained on thousands like it. This is in fact zip files of names, addresses, Social Security numbers, income tax returns, still once again showing from California showing that in fact today loading the current software -- I should more accurately say yesterday my staff never having worked it before with a brand new computer downloaded the latest software and in fact went sightseeing to find exactly what you might find.

An engineer who only made about $37,000 took a standard deduction and in fact his information, all of it is available.

Mr. Chairman, identity theft should be at the heart of our concern. I'm personally on the Judiciary Committee and I'm concerned about the copyrighted software, the hundreds of thousands, hundreds of millions of dollars that are being stolen through peer-to-peer transaction.

But I think when we look at the most important thing for the American people, we are in fact if we do not close once and for all and in no uncertain terms the loophole that allows people's individual and sensitive information, company information, employee information, to be inadvertently and thoroughly disbursed in a way that leads without a doubt to PayPal registration, through MasterCard registration, and in fact to the ruining of their credit and their lives.

Mr. Chairman, there is no question we've come not far enough in two years. I know that this hearing will shed more light on it, but I will tell you this, to me, Mr. Chairman, represents a referral to the AG and a referral to California's Attorney General if we cannot be satisfied in no uncertain terms that we have reached the end of this kind of activity because otherwise as we say too often on this committee, but appropriately here, if in fact you condone, allow, and induce this to happen, you are guilty of cooperation and participation in every criminal act that flows from the discovery of that information.

Mr. Chairman, I ask unanimous consent to have the rest of my record -- my opening statement placed in the record and yield back the balance of my time.

REP. TOWNS: Without objection.

It is a long-standing policy that we swear in all of our witnesses, so will you please stand and raise your right hand.

Do you solemnly swear to tell the truth, the whole truth, and nothing but the truth? If so, answer in the affirmative.

You may be seated.

Let the record reflect that -- (Off mike.) -- Mr. Robert Boback is the Chief Executive Officer of Tiversa, Inc. Mr. Boback will conduct a demonstration of the dangerous uses and activities of LimeWire that Tiversa has uncovered through the monitoring technology and worked with the Federal Bureau of Investigation.

And we welcome you, Mr. Boback, and we are now prepared to --

MR. ROBERT BOBACK: Thank you, Chairman Towns and Ranking Member Issa, and distinguished members of the committee for the opportunity to testify here today.

As the Chairman mentioned my name is Robert Boback. I'm the CEO of Tiversa. What we're about to show you is information that is current. This is all within the last few months of disclosures that have not been publicly released. So this information you most likely haven't seen prior.

But as Ranking Member Issa points out, identity theft is going to be at the core of this, and you will see that despite the -- no regulations around identity theft that the FTC has not addressed this fully. In fact identity theft -- peer-to-peer is not even mentioned on the identity theft website of the FTC for victims -- of the nine million victims, and you will find that this is where identity theft is occurring.

This is the harvest ground. This is why your consumers will say I do not know where it happened. I do not know how identity theft happens and we're going to show you a demonstration of just that fact and they affect every district. There are millions and millions of individuals that are affected.

So if we could start through the demonstration, we're going to highlight this in a number of issues. The first one, of course, is the national security implications of which there are many, many. What we're starting here, these are just some of the files -- excerpts from some of the files. They've been redacted. These are all military troops. Hundreds of thousands of troops' Social Security numbers, different rosters, different information from around the world with their next of kin, their children's names, their Socials, their dates of birth.

As Ranking Member Issa pointed out, again it goes on and on and on. These are all current. They are still all available by the way on the peer-to-peer, and if we could go on to the next one. This is as pointed out in the opening statement of the Chairman, this is the safe house route for the United States Secret Service when they have to evacuate the First Lady in this case. This is found on the peer-to-peer. This is the location.

I don't know how much the United States government spends in preparing a safe house location, but assume it's pretty expensive and all of that is lost based on this information being disclosed. So now the safe house has to be moved, the locations have to be moved. We, of course, have redacted all of this so that -- in order to protect what is left of the security of this.

Some of the other information, the motorcade route.

And the next one, Sam.

And as you can see this was the breach just as of yesterday. We found this yesterday, but as you can see from the date, July 5th, 2009. This is the entire United States nuclear information. All of our facilities. Everything. This is from the United States. This is from the president with the president's information listed on here. Every nuclear facility and all the secure, highly confidential -- as you can read on the top, highly confidential safeguard sensitive.

Every nuclear agency. Every facility. The problem is we found this in France. Four locations in France, not in the United States. This information -- other countries know how to access this information and they are accessing this information and this was -- as you can see as of the date as we push on to the next slide, this was the cover letter on it, right from the President of the United States with our President Barack Obama's signature at the end -- with his writing at the end.

This is not even subject to a FOIA request, so therefore, you couldn't get this information on a Freedom of Information Act. However, you can access it on the peer-to-peer in free open text. It just doesn't make sense.

Switching over to an issue. Again, identity theft. Medical identity theft is hugely on the rise. This information. People understand that they're looking for credit card information. I get that, but I don't look at my explanation of benefits from my insurance provider like I look at my credit card statement. I will tell you that you should because the identity thief will.

A medical insurance card is like a Visa card with a thousand -- excuse me -- a million dollar spending limit. They will buy online drugs, Oxycontin, Viagra, and by the time you go to the doctor next time, all of a sudden the doctor has you listed as an Oxycontin addict and you have never taken it in your life.

This is a problem. This information has come out of a hospital, as you mentioned, in a Southern state, and you know, some individuals that will say I don't even use peer-to-peer. I've never downloaded a thing. I'm safe; right? Well have you ever been to the emergency room because you just might not be safe and that's exactly what happened to these 20-some thousand individuals. All they did was go to the doctor and they provided their information, as they should, to their facility for the insurance billing and a billing company that someone was listening to music while they were typing in their data entry and what ended up happening, 24,000 victims are affected.

In this specific case we informed the company -- this actually occurred -- this was the only one that occurred over a year ago. It occurred over a year ago and we have informed through our client, which was a large insurance carrier this company -- we told the hospital that this was disclosed and unfortunately they said, "it's not my problem. It's not my problem. I don't want to go out publicly and say that I disclosed 24,000 individuals." What you'll see is that there is a House Bill 2221. 2221 provides for a national breach notification. It's long overdue. Forty-one of the fifty states have breach notification and they vary in their severity.

This hospital is a clear case, although the state of Texas does have a breach notification law, this hospital is in direct violation of it.

They've known about this for over a year. They haven't even told these victims that they're victims, so these people have been the victims of identity theft. The hospital is clearly negligent for handling this information in the way that they have, but this is what you see the pattern. No one wants to say, "gosh, I've been the victim of -- I've had a data breach and it's my responsibility to address it." So there needs to be legislation to force companies to say do the right thing. You would hope that they would do it without the pressing. Information -- Back up one, Sam, please.

This is a Midwest-based HIV clinic, our most sensitive information. These are AIDS victims, 184 patients victims of identity theft. The clinic released their information and has not addressed it and this information is still out there. This is everything you need as an identity thief.

Why would you ever dive in a dumpster as the FTC calls out as the number one reason where people get it? I can get 184 just from this one file and thousands from the other files.

As we continue on, major pharmaceutical company information, all of their research, everyone where they're going. It affects even the most robust security measures, which is what we're seeing. All of these companies have firewalls and antivirus and intrusion detection and intrusion prevention, but yet an encryption? Where's the security? There isn't any. They don't address it because the awareness they say -- I -- "you know, we don't allow downloading of peer-to-peer, or that's a recording industry problem." No. In fact, it's their problem. And companies need to do this. Just as when antivirus started out, it was unheard of at the beginning and then it evolved to where that's how security in technology evolved. So therefore this information is out. Numerous doctors. If you've ever gone to a doctor, your complete patient records, everything, your SOAP notes, if you will, they're all there as well.

And continuing on. Behavioral health information. Again, all with Social Security numbers. Everything we're showing you is a Social Security number in here.

And continue on. This is one if you've ever had -- if you've ever gone to the drug store and buy -- and were buying Sudafed. You're required to give your driver's license information because they keep track of that for methamphetamine labs. The problem though remains that you now gave your driver license information to buy Sudafed because you had a cold and now you could be the victim of identity theft with individuals with drivers licenses around this nation because that information may or may not have been secured and if it's not secured as this one wasn't, you're now exposed and you're...
