CYBEREYE — Commentary

The hidden dangers of P2P file sharing

Be careful who your peers are: P2P file sharing can open a world of information to the world

Recent reports that sensitive personnel information about U.S. soldiers has been found on foreign computers highlights the risks of peer-to-peer (P2P) file-sharing applications that can make more data than you realize available to other users on the networks.

It has been known for years that many of the mainline P2P applications can quietly make much more than audio and video files in your shared folder available for downloading by others. This is one of the reasons that the Defense Department has banned unauthorized P2P applications since 2004. But Triversa Inc., which provides services to locate files exposed by P2P file sharing, reportedly has found unauthorized foreign downloads of files about soldiers. The most recent incident, reported last week by the Washington Post, is only the latest in a series of leaks that persist well after the P2P ban.

Everyone knows that P2P networks remove the distinction between client and server, giving other users access to files that you have downloaded and stored in a shared folder. That's why it's called peer-to-peer and file sharing. But apparently this knowledge is not common enough. And what is even less commonly known is that P2P apps can expose almost any kind of data once it gets into your computer.

According to a report from the U.S. Patent and Trademark Office (USPTO)  on some of the unsavory features included in P2P file-sharing applications, if a downloaded file is moved out of the shared folder, that file can give most file-sharing applications access to all the data in the new folder as well. If the new folder happens to contain a tax return or old love letters as well as your MP3s and MP4s, all of your peers have access to that, too. Some of the P2P programs included a search wizard that would scour your hard drive for other interesting folders for sharing.

The subject of P2P security caught the attention of former USPTO Director Jon Dudas in 2006 when he was shown some data on file-sharing programs that had gathered for a law review article.

“Because the data seemed to have potentially important implications, I asked the authors to present it in the form of a report,” Dudas wrote in a foreword to the subsequent report. “I conclude that this data should be made known to the public.”

The PTO report focused on five applications: BearShare, eDonkey, KaZaA, LimeWire and Morpheus.

One of the common side effects of participating in P2P file sharing is that of other users on the network sucking up your bandwidth when they are downloading files from your shared folder. After all, the point of P2P is that others can access your files, just as you access theirs. But users who want to eliminate this bandwidth drain often move downloaded files to another folder in an effort to make them unavailable. But in doing this they are merely exposing another folder for sharing. It is like throwing water on a grease fire. Instead of putting it out, it only spreads the problem.

The results are predictable. “By late spring 2005 the Department of Homeland Security reported that government employees using file-sharing programs had repeatedly compromised national- and military-security by 'sharing' files containing sensitive or classified data,” the USPTO report said. And four years later, it apparently still is going on.

So what is the lesson here? Remember what your mother told you all those years ago: Never take candy from strangers, and never accept free software from untrusted sources. You just might end up with a gift that keeps on giving and giving.

Reader Comments

Fri, Aug 27, 2010 Chris

I completely agree. Its important for business and parents to monitor the use of file sharing apps on their devices. I used a free app called Peer2Peer Terminator to find and stop these apps. http://www.peer2peerterminator.com/home

Mon, Oct 5, 2009 Marty Lafferty Washington, DC

The DCIA is the international trade group representing 150 companies that commercially use P2P technologies, which include file-sharing software firms. From the perspective of DCIA Member companies, even one instance of identity theft as a result of file sharing is one too many. But to put the underlying issue in perspective, ID theft costs US businesses and consumers over $50 billion in an estimated 15 million cases per year. Of this amount, the Department of Justice (DOJ) has prosecuted only two cases associated with file sharing. And among thousands of cases cited in the President's Identity Theft Task Force fact sheet, none involved file sharing. That does not mean this potential threat should be ignored or under-estimated by our emerging industry, which is the reason we established the Inadvertent Sharing Protection Working Group (ISPG) in 2007. In about one-fifth of stolen ID cases, the Internet plays a part in perpetrating the crime. Thus far, in such instances, the means have tended to be more directly related to the intentions of the criminal than would have been the case with user-error and file-sharing software programs. Phishing scams involving a combination of e-mail and fraudulent websites - whose average time in operation is less than three days - have posed by far the greatest danger. Given that reality, the ISPG represents an important preventive measure. Our Member companies turned their software inside out to address inadvertent sharing once this potential threat was identified. However, without a computer; an operating system; and an Internet connection; as well as a word-processing, or spreadsheet, or income tax preparation software program; the user couldn't have made the error either. A user could as easily inadvertently e-mail his/her confidential data to the wrong address as file-share it. Inadvertently clicking on "Reply All" in an e-mail application actually poses a far greater risk than inadvertently converting a file to a torrent for sharing by means of a BitTorrent-based software program for example. There are plenty of ways to search for confidential data, too, starting with Google, Yahoo, and MSN. Often, users don't understand Internet technology and ignore or override provided safeguards. Bottom line, the best advice to parents and children alike regarding the use of file-sharing software – stick with well-known popular brands like LimeWire, and be sure to download the very latest versions for the best performance and the greatest safety.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above