[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]



 
          INADVERTENT FILE SHARING OVER PEER-TO-PEER NETWORKS

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 24, 2007

                               __________

                           Serial No. 110-39

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html
                      http://www.house.gov/reform


                    U.S. GOVERNMENT PRINTING OFFICE
40-150                      WASHINGTON : 2008
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092104 Mail: Stop IDCC, Washington, DC 20402ï¿½090001

             COMMITTEE ON OVERSISGHT AND GOVERNMENT REFORM

                 HENRY A. WAXMAN, California, Chairman
TOM LANTOS, California               TOM DAVIS, Virginia
EDOLPHUS TOWNS, New York             DAN BURTON, Indiana
PAUL E. KANJORSKI, Pennsylvania      CHRISTOPHER SHAYS, Connecticut
CAROLYN B. MALONEY, New York         JOHN M. McHUGH, New York
ELIJAH E. CUMMINGS, Maryland         JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio             MARK E. SOUDER, Indiana
DANNY K. DAVIS, Illinois             TODD RUSSELL PLATTS, Pennsylvania
JOHN F. TIERNEY, Massachusetts       CHRIS CANNON, Utah
WM. LACY CLAY, Missouri              JOHN J. DUNCAN, Jr., Tennessee
DIANE E. WATSON, California          MICHAEL R. TURNER, Ohio
STEPHEN F. LYNCH, Massachusetts      DARRELL E. ISSA, California
BRIAN HIGGINS, New York              KENNY MARCHANT, Texas
JOHN A. YARMUTH, Kentucky            LYNN A. WESTMORELAND, Georgia
BRUCE L. BRALEY, Iowa                PATRICK T. McHENRY, North Carolina
ELEANOR HOLMES NORTON, District of   VIRGINIA FOXX, North Carolina
    Columbia                         BRIAN P. BILBRAY, California
BETTY McCOLLUM, Minnesota            BILL SALI, Idaho
JIM COOPER, Tennessee                JIM JORDAN, Ohio
CHRIS VAN HOLLEN, Maryland
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont

                     Phil Schiliro, Chief of Staff
                      Phil Barnett, Staff Director
                       Earley Green, Chief Clerk
                  David Marin, Minority Staff Director


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on July 24, 2007....................................     1
Statement of:
    Sydnor, Thomas D., II, Attorney-Advisor, Copyright Group, 
      Office of International Relations, U.S. Patent and 
      Trademark Office; Mary Koelbel Engle, Associate Director 
      for Advertising Practices, Bureau of Consumer Protection, 
      Federal Trade Commission; Daniel G. Mintz, Chief 
      Information Officer, U.S. Department of Transportation; 
      General Wesley K. Clark, chairman and chief executive 
      officer, Wesley K. Clark and Associates, board member, 
      Tiversa, Inc.; Robert Boback, chief executive officer, 
      Tiversa, Inc.; M. Eric Johnson, professor of operations 
      management, director, Glassmeyer/McNamee Center for Digital 
      Strategies, Tuck School of Business, Dartmouth College; and 
      Mark Gorton, chief executive officer, the Lime Group.......    18
        Boback, Robert...........................................    88
        Clark, General Wesley K..................................   106
        Engle, Koelbel...........................................    40
        Gorton, Mark.............................................    84
        Johnson, M. Eric.........................................    67
        Mintz, Daniel G..........................................    54
        Sydnor, Thomas D., II....................................    18
Letters, statements, etc., submitted for the record by:
    Boback, Robert, chief executive officer, Tiversa, Inc., 
      prepared statement of......................................    91
    Davis, Hon. Tom, a Representative in Congress from the State 
      of Virginia, prepared statement of.........................    10
    Engle, Mary Koelbel, Associate Director for Advertising 
      Practices, Bureau of Consumer Protection, Federal Trade 
      Commission, prepared statement of..........................    10
    Gorton, Mark, chief executive officer, the Lime Group, 
      prepared statement of......................................    42
    Issa, Hon. Darrell E., a Representative in Congress from the 
      State of California, prepared statement of.................    15
    Johnson, M. Eric, professor of operations management, 
      director, Glassmeyer/McNamee Center for Digital Strategies, 
      Tuck School of Business, Dartmouth College, prepared 
      statement of...............................................    69
    Mintz, Daniel G., Chief Information Officer, U.S. Department 
      of Transportation, prepared statement of...................    56
    Sydnor, Thomas D., II, Attorney-Advisor, Copyright Group, 
      Office of International Relations, U.S. Patent and 
      Trademark Office, prepared statement of....................    20
    Waxman, Chairman Henry A., a Representative in Congress from 
      the State of California, prepared statement of.............     3


          INADVERTENT FILE SHARING OVER PEER-TO-PEER NETWORKS

                              ----------                              


                         TUESDAY, JULY 24, 2007

                          House of Representatives,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10 a.m. in room 
2154, Rayburn House Office Building, Hon. Henry A. Waxman 
(chairman of the committee) presiding.
    Present: Representatives Waxman, Cummings, Tierney, Clay, 
Watson, Yarmuth, Norton, Cooper, Hodes, Welch, Davis of 
Virginia, Shays, Cannon, Issa, and Jordan.
    Staff present: Phil Schiliro, chief of staff; Phil Barnett, 
staff director and chief counsel; Kristin Amerling, general 
counsel; Roger Sherman, deputy chief counsel; Earley Green, 
chief clerk; Teresa Coufal, deputy clerk; Zhongrui ``JR'' Deng, 
chief information officer; Leneal Scott, information systems 
manager; Tony Haywood, Information Policy, Census and National 
Archives staff director; Kerry Gutknecht and Will Ragland, 
staff assistants; David Marin, minority staff director; Larry 
Halloran, minority deputy staff director; Jennifer Safavian, 
minority chief counsel for oversight and investigations; Keith 
Ausbrook, minority general counsel; Ellen Brown, minority 
legislative director and senior policy counsel; Charles 
Phillips, minority counsel; Allyson Blandford, minority 
professional staff member; Patrick Lyden, minority 
parliamentarian and member services coordinator; and Benjamin 
Chance, minority clerk.
    Chairman Waxman. The meeting of the committee will come to 
order.
    Just over 4 years ago, the Committee on Government Reform 
held a hearing entitled ``Overexposed: the Threats to Privacy 
and Security on File-Sharing Networks.'' Then, as now, the 
hearing was part of a bipartisan effort to investigate and 
understand the uses and risks of peer-to-peer file-sharing 
networks, also known as P2P networks.
    The committee previously looked at two problematic aspects 
associated with P2P networks: children's exposure to 
pornography on these P2P networks, and the privacy and security 
risks created by these networks.
    That investigation found that P2P networks were making 
highly personal data, such as tax returns and financial 
information, available to anybody using popular P2P 
applications like Kazaa, Morpheus, LimeWire, and Grokster. 
These documents were being shared with millions of computer 
users without the knowledge of their owners.
    After the hearing, numerous P2P file-sharing program 
distributors adapted a voluntary Code of Conduct to prevent 
inadvertent disclosures of sensitive information. Along with 
other Members, I had hoped the problem had been solved.
    In March, however, the Patent and Trademark Office released 
a report suggesting the inadvertent file sharing may still be a 
serious problem. Moreover, following the release of the PTO 
study, several news reports revealed that individuals and 
government entities were unknowingly sharing highly 
confidential information, including files from National 
Archives, the Department of Transportation, a Naval Hospital, 
and the Department of Defense.
    The committee staff did its own investigation. We used the 
most popular P2P program, LimeWire, and ran a series of basic 
searches. What we found was astonishing: personal bank records 
and tax forms, attorney/client communications, the corporate 
strategies of Fortune 500 companies, confidential corporate 
accounting documents, internal documents from political 
campaigns, government emergency response plans, and even 
military operations orders.
    All these files were found in unpublished Microsoft Word 
document format. All were found in limited searches over the 
past month. It is truly chilling to think of what a private 
organization, an organized operation or a foreign government 
could acquire with additional resources.
    In light of these developments, Ranking Member Davis and I 
agreed that the committee should take another look at the 
privacy and security issues posed by P2P networks. We will use 
this hearing to examine three basic questions.
    Does inadvertent file sharing over P2P networks create 
unacceptable risks for consumers, corporations, and Government?
    If so, how extensive is the problem?
    Does Congress need to intervene in this matter with 
legislation, or can the problems be addressed through available 
oversight tools and enhanced consumer education?
    We are fortunate to have with us a distinguished panel of 
experts. They include Government officials, representatives 
from computer security firms, academics, and the head of 
LimeWire. They can provide the committee with a wide range of 
perspectives on the risks and benefits of P2P networks.
    The purpose of this hearing is not to shut down P2P 
networks or bash P2P technology. P2P networks have the 
potential to deliver innovative and lawful applications that 
will enhance business and academic endeavors, reduce 
transaction costs, and increase available bandwidth across the 
country.
    At the same time, however, we must achieve a balance that 
protects sensitive government, personal, and corporate 
information and copyright laws.
    The goal of this hearing is to gain insights into how to 
strike this balance and ensure that inadvertent file sharing 
does not jeopardize the public's privacy and security.
    [The prepared statement of Chairman Henry A. Waxman 
follows:]

[GRAPHIC] [TIFF OMITTED] T0150.001

[GRAPHIC] [TIFF OMITTED] T0150.002

[GRAPHIC] [TIFF OMITTED] T0150.003

[GRAPHIC] [TIFF OMITTED] T0150.004

[GRAPHIC] [TIFF OMITTED] T0150.005

    The Chair now wishes to recognize Ranking Member Tom Davis, 
and we will call on Members for brief opening statements.
    Mr. Davis.
    Mr. Davis of Virginia. Mr. Chairman, thank you.
    Let me just say something at the beginning, and that is 
that last Thursday night an event took place on the Mall on a 
level playing field where the Waxman Team played the Davis Team 
in a softball game. I am happy to say that, for the first time 
this year, our side won something with this committee, an 8-7 
victory. For the record, I had a hit and scored a run. The 
Cougar team of the chairman's staff was without the services of 
the chairman. He was detained on business that evening, or the 
score might have been different. But I just wanted to note that 
for the record.
    Chairman Waxman. You would have won by a bigger number. 
[Laughter.]
    Mr. Davis of Virginia. We did have a couple interns. One 
plays on the Harvard Baseball Team, and another on the 
Swarthmore Baseball Team. They helped us. Oh, and we had a 
Rhodes Scholar in left field that made a great catch. We will 
be ready for a rematch any time.
    I want to thank you again for this hearing today, Mr. 
Chairman. Four years ago, this committee undertook a detailed 
examination of peer-to-peer file-sharing programs. Since then, 
technology has advanced. Legal actions have been initiated, and 
the landscape of companies and programs has changed. But the 
risk to sensitive personal information and confidential records 
still exists.
    I am pleased the committee is continuing an effort we began 
4 years ago. At that hearing we examined the growing problem of 
pornography, including child pornography, on these networks. 
The testimony was surprising and shocking. At the second 
hearing we examined issues similar to those we are focusing on 
today. We asked why highly personal information could be found 
on these networks. We looked at the prevalence of spyware or 
adware hidden within these programs, and we examined the 
growing risk of downloading computer viruses from files shared 
on these programs.
    Under my direction the committee prepared and released a 
staff report highlighting the types of sensitive personal 
information available on these networks.
    Four years later it appears these problems persist. As I 
said then, users of these programs may accidentally share 
information because of incorrect program information. We will 
learn today exactly what people are sharing, whether they know 
it or not.
    As I have noted before, secure information is the lifeblood 
of effective government policy and management; yet, sensitive 
personal and classified information continues to be placed at 
risk. The examples we will hear today will illustrate how far 
we have to go to reach the goal of strong, uniform, Government-
wide information security policies and procedures, but this 
hearing will show the unique risks that we face.
    I have focused on Government-wide information, management, 
and security for a long time. The Privacy Act and the E-
Government Act of 2002 outlined the parameters for the 
protection of personal information. The incidents we will 
examine today highlight the importance of establishing and 
following good security practices for safeguarding personal 
information, whether at home or at work. They highlight the 
need for proactive security breach notification requirements 
for organizations, including Federal agencies, dealing with 
sensitive personal information. And they demonstrate the need 
for personal vigilance and responsibility when online.
    Federal agencies present unique data security requirements 
and challenges, and this has been our focus. These incidents 
demonstrate the importance of strengthening the laws and rules 
protecting personal information held by Federal agencies. We 
need to do this quickly.
    As we have seen, our computers hold sensitive personal and 
classified information on every citizen and on every subject. 
We need to ensure this information remains where it should and 
the public knows when its sensitive personal information has 
been lost or compromised. Public confidence in Government in 
this area is essential.
    It is important for us to recognize that file-sharing 
programs can be beneficial. As file size increases and demands 
for bandwidth expands, these programs can move huge amounts of 
data efficiently among a large number of users, but I think the 
volume and type of sensitive information out there will 
surprise people. And if this information is being harvested and 
shared through deceptive practices or manipulative programs, 
then it must stop.
    For the past several years we have focused on improving and 
enhancing the information security posture of Federal agencies, 
because in the end the public demands effective Government, and 
effective Government depends on secure information, so this is 
an issue that must remain a priority for all of us.
    Mr. Chairman, thank you for continuing the committee's work 
in this important area.
    I want to welcome our witnesses and thank them for 
appearing today.
    [The prepared statement of Hon. Tom Davis follows:]

    [GRAPHIC] [TIFF OMITTED] T0150.006
    
    [GRAPHIC] [TIFF OMITTED] T0150.007
    
    [GRAPHIC] [TIFF OMITTED] T0150.008
    
    Chairman Waxman. Thank you very much, Mr. Davis.
    I want to recognize Members who wish to make a brief 
opening statement, but I would like to point out to my 
colleagues that we have a long list of very distinguished 
panelists to make a presentation to us, so keep the opening 
statements as brief as possible, and certainly no longer than 5 
minutes.
    Mr. Cummings.
    Mr. Cummings. No statement at this time.
    Chairman Waxman. Mr. Hodes.
    Mr. Hodes. Thank you, Mr. Chairman.
    Mr. Chairman, this is a very important hearing on peer-to-
peer file-sharing networks. I want to thank all the witnesses 
in the distinguished panel who are here today.
    We are in an age when new technologies are constantly 
allowing us to share information in new ways, but these 
innovations bring with them new security threats, and with the 
rise of peer-to-peer sharing networks we are seeing new 
challenges on how to protect our society as it moves into a 
technologically advanced age.
    Unimaginable advances and the spread of home computers, 
laptops, work stations are now a part of everyday life, and 
significant concerns are raised and should be by peer-to-peer 
file-sharing networks: threats to individuals, personal 
financial security, the danger to our children, assaults on our 
national security, the possibility that peer-to-peer sharing 
networks allow terror groups to piece together classified 
information, and danger to banks and other corporations who may 
be inadvertent sharing confidential financial or proprietary 
information.
    I would like to be just parochial for a moment and welcome 
someone from my own District who is testifying here today. M. 
Eric Johnson is director of Tuck's Glassmeyer/McNamee Center 
for Digital Strategies and professor of operations management 
at the Tuck School of Business at Dartmouth College.
    We welcome your testimony, Mr. Johnson, along with the rest 
of the panel. I am sure you are enjoying drier weather here in 
Washington than they are experiencing in New England.
    I yield back. Thank you, Mr. Chairman.
    Chairman Waxman. Thank you, Mr. Hodes.
    Mr. Cannon.
    Mr. Cannon. Thank you, Mr. Chairman. I would like to thank 
you particularly for holding this hearing on what I think is an 
extraordinarily important topic. I think that the peer-to-peer 
is a profoundly important concept. It has problems, as we are 
going to deal with today, but it is a powerful tool that can 
have significant effects in health care and various other 
areas.
    I would like to introduce in the audience today we have Lee 
Hollaar, professor at the University of Utah, who is the co-
author of the FTC Report that is referenced in the committee 
memo. Mr. Hollaar has been a profoundly important person in the 
area of technological development and understanding the legal 
context in which that happened.
    In fact, if you read the Grokster Opinion by the Supreme 
Court, it follows very closely the amicus brief that Professor 
Hollaar had submitted. He was heavily involved when I first met 
him. He was working with Senator Hatch on the Digital 
Millennial Copyright Act, and just this last week we actually 
got included in the markup of the patent reform bill in the 
Judiciary Committee a proposal for a special master's trial 
that I think may have a profound effect on our patent 
litigation system that he was deeply involved with.
    We are now working together on making some adjustments to 
trademark law that would allow users to control who has access 
to their computers with what kind of information in a way that 
would profoundly change, I think, the issue of pornography and 
how that is promulgated on a system that is still a little bit 
like the wild west.
    So I want to welcome Mr. Hollaar here today.
    Again, thank you, Mr. Chairman, for holding this hearing, 
and Mr. Davis. I yield back.
    Chairman Waxman. Thank you very much, Mr. Cannon.
    Mr. Cooper.
    Mr. Cooper. No statement, thank you, Mr. Chairman.
    Chairman Waxman. Mr. Welch.
    Mr. Welch. No, thanks, Mr. Chairman.
    Chairman Waxman. Mr. Tierney.
    Mr. Tierney. No.
    Chairman Waxman. Mr. Issa.
    Mr. Issa. Thank you, Mr. Chairman. I will be very brief.
    Since everyone is introducing somebody, I should recognize 
General Wesley Clark, who was twice my battalion commander when 
I was a Reservist. He's one of my claims to fame. I have very 
few, as you can imagine.
    But more to the subject here to day, Mr. Chairman, I think 
your calling this hearing is very timely because of the risk to 
the well-being of the Internet and the well-being of people who 
go on to the Internet. Although I can't submit this for the 
record until it is properly redacted, I took the liberty of 
having my staff just quickly go onto the LimeWire network, and 
we were able to download Natalia Gonzales' complete 2003 tax 
records, California resident. We now know about her un-
reimbursed employee business expenses. We are very familiar 
with all of the California deductions and her gross and net 
taxes as a result of it, all of which was available.
    I hope today at the end of this hearing not only will we 
have started a trend for better responsibility by those who set 
up peer-to-peer networks, but I also hope that we will have 
informed the public of the need for them to question whether or 
not a service is inherently on their side or exposing their 
computers to the worst of all losses that they could imagine, 
including their Social Security number and even classified 
information.
    I will put the rest of my opening statement in for the 
record, and I truly appreciate your calling this hearing today 
and yield back.
    [The prepared statement of Hon. Darrell E. Issa follows:]

    [GRAPHIC] [TIFF OMITTED] T0150.095
    
    [GRAPHIC] [TIFF OMITTED] T0150.096
    
    Chairman Waxman. Thank you, Mr. Issa.
    Mr. Jordan.
    Mr. Jordan. No opening statement, Mr. Chairman.
    Chairman Waxman. Thank you.
    Without any other Members seeking recognition, let me 
introduce the panelists.
    Tom Sydnor is one of the authors of the PTO Report 
detailing the risks of inadvertent file sharing. He is 
currently serving as an Attorney Advisor in the Office of 
International Relations at the U.S. Patent and Trademark 
Office.
    Mary K. Engle is the Associate Director for Advertising 
Practices for the Federal Trade Commission's Division of 
Advertising Practices. She has been a staff attorney for the 
FTC since 1990.
    Daniel Mintz is the Chief Information Officer for the U.S. 
Department of Transportation. He serves as the principal 
advisor to the Secretary on matters involving information 
resources and information services and mortgage mitigation.
    M. Eric Johnson is director of Tuck's Glassmeyer/McNamee 
Center for Digital Strategies and professor of operations 
management at the Tuck School of Business, Dartmouth College. 
His teach and research focused on the impact of information 
technology on supply chain management.
    Mark Gorton is the founder and chief executive of the Lime 
Group, which owns Lime Brokerage, LLC; Tower Research; Capital, 
LLC; Lime Medical, LLC; and LimeWire, LLC, a leading maker of 
file-sharing technology.
    General Wesley K. Clark retired from the U.S. Army after 34 
years, rising to the rank of four-star general. His last 
position was as NATO Supreme Allied Commander and the 
Commander-in-Chief of the U.S. European Command. In 2004 he 
started Wesley K. Clark and Associates, a strategic advisory 
and consulting firm, where he serves as chairman and CEO. In 
November 2006 he joined the Advisory Board of Tiversa, Inc.
    And Mr. Robert Boback, is co-founder and chief executive 
officer of Tiversa, Inc. As a result of his work at Tiversa, 
Mr. Boback has become a leading authority in the consequences 
of inadvertent information sharing, the P2P network.
    We are pleased to have all of you here for our hearing 
today.
    It is a practice of this committee that all witnesses take 
an oath. I would like to ask each of you if you would stand and 
please raise your right hands.
    [Witnesses sworn.]
    Chairman Waxman. Let the record show that the witnesses 
each responded in the affirmative.
    We are pleased to have you with us. Your prepared 
statements will be in the record in full. We would like to ask 
if you would to try to limit the oral presentation to around 5 
minutes.
    Mr. Sydnor, why don't we start with you?
    We will have a clock that will give you a yellow light when 
there is 1 minute left, the red light meaning the time is 
expired. We hope all of you, not just you, alone, will be 
mindful of that and try to summarize at that point.
    Thank you.

STATEMENTS OF THOMAS D. SYDNOR II, ATTORNEY-ADVISOR, COPYRIGHT 
   GROUP, OFFICE OF INTERNATIONAL RELATIONS, U.S. PATENT AND 
 TRADEMARK OFFICE; MARY KOELBEL ENGLE, ASSOCIATE DIRECTOR FOR 
 ADVERTISING PRACTICES, BUREAU OF CONSUMER PROTECTION, FEDERAL 
 TRADE COMMISSION; DANIEL G. MINTZ, CHIEF INFORMATION OFFICER, 
  U.S. DEPARTMENT OF TRANSPORTATION; GENERAL WESLEY K. CLARK, 
   CHAIRMAN AND CHIEF EXECUTIVE OFFICER, WESLEY K. CLARK AND 
 ASSOCIATES, BOARD MEMBER, TIVERSA, INC.; ROBERT BOBACK, CHIEF 
EXECUTIVE OFFICER, TIVERSA, INC.; M. ERIC JOHNSON, PROFESSOR OF 
OPERATIONS MANAGEMENT, DIRECTOR, GLASSMEYER/MCNAMEE CENTER FOR 
DIGITAL STRATEGIES, TUCK SCHOOL OF BUSINESS, DARTMOUTH COLLEGE; 
    AND MARK GORTON, CHIEF EXECUTIVE OFFICER, THE LIME GROUP

                STATEMENT OF THOMAS D. SYDNOR II

    Mr. Sydnor. Thank you. I would like to thank this committee 
for holding this hearing on the issue of inadvertent file 
sharing. Other witnesses here today will focus on the 
consequences of inadvertent sharing; I want to focus on why 
inadvertent sharing occurs.
    When the U.S. PTO realized that inadvertent sharing was 
occurring, my co-authors and I were asked to prepare the U.S. 
PTO report, File-Sharing Programs and Technological Features to 
Induce Users to Share. This report analyzed publicly available 
data on five popular file-sharing programs to determine why 
their users share files inadvertently. It reached several 
disturbing conclusions.
    First, it concluded that the distributors of the five 
programs studied had repeatedly deployed at least five features 
that had a known or obvious tendency to cause inadvertent 
sharing of downloaded or existing files. Of these five 
features, the two most dangerous were the share folder and 
search wizard features condemned in the 2002 study Usability 
and Privacy, and in this committee's 2003 hearing. This 
committee had good reason to think that these features had been 
eliminated, as promised during its hearing.
    Many distributors soon devised a self-regulatory Code of 
Conduct that would have prohibited their use. The authors of 
this code told Congress that it rendered further concerns about 
inadvertent sharing completely without foundation, a mere urban 
myth. Nevertheless, in 2004 and 2005 we found similar share 
folder features in four of the five programs we studied, and 
search wizards in at least two.
    To illustrate what these features could do, consider what 
would happen to my family if a visiting friend installed one of 
these programs on my home computer and tried to store 
downloaded files in its My Documents folder so they would be 
easy to find. I would end up sharing bank statements; tax 
returns; passwords for investment accounts; scans of legal, 
medical, and financial records; all my family photos; my 
children's names, addresses, and Social Security numbers; and a 
scan of the sign that designates the car authorized to pick up 
my daughter from preschool. And I would also share over 3,000 
copyrighted audio files. With one mistake, I could be set up 
for identity theft, an infringement lawsuit, or far worse.
    The situation becomes even more disturbing, because the 
U.S. PTO report also concluded that these five features had 
been deployed in waves. One study showed that many users were 
learning how to disable features previously deployed, new sets 
of features appeared and proliferated.
    Why might this be happening? In the Grokster case, the U.S. 
Supreme Court unanimously found overwhelming evidence that two 
distributors of popular file-sharing programs intended to 
induce users of their programs to infringe copyrights. On 
remand, the District Court found that nearly 97 percent of 
files requested for downloading on these networks were or were 
highly likely to be infringing.
    It also found that the distributor of one of these programs 
had claimed that the advantage of its business model was that 
it had no product cost to acquire music and an ability to get 
all the music. This business model also had a disadvantage. 
Modern file-sharing networks are not completely interconnected 
like the Internet. A given user can locate and download only a 
tiny percentage of the files available on the network. As a 
result, this business model would require many users to share 
many infringing files. But studies showed that when users were 
sued for sharing infringing files, their propensity to do so 
plunged.
    Then the deployment of features that could dupe users into 
sharing files unintentionally proliferated.
    As a result, it has become important to understand why 
features that had a known propensity to cause inadvertent 
sharing kept on being deployed. If this conduct was the result 
of error, then the risk of inadvertent sharing might be 
expected to decrease. Over time, mistakes should tend to be 
fixed. But if these features were intended to dupe users into 
sharing infringing files inadvertently, then the risk of 
inadvertent sharing might be expected to increase. Over time, 
duping schemes should tend to persist and proliferate.
    Consequently, the most disturbing thing about today's 
hearing is that it had to occur again. In 2003, this committee 
held a hearing on inadvertent sharing after the distributor of 
the then most popular file-sharing program deployed recursive 
sharing, search wizard, and share folder features. Today, this 
committee is holding a hearing on sharing after the distributor 
of today's most popular file-sharing program deployed recursive 
sharing, search wizard, and share folder features.
    The U.S. PTO report was written in the hope that by 
documenting conduct that occurred over the last few years, we 
could help ensure that neither inadvertent sharing nor hearings 
like this one will continue to recur.
    Thank you.
    [The prepared statement of Mr. Sydnor follows:]

    [GRAPHIC] [TIFF OMITTED] T0150.009
    
    [GRAPHIC] [TIFF OMITTED] T0150.010
    
    [GRAPHIC] [TIFF OMITTED] T0150.011
    
    [GRAPHIC] [TIFF OMITTED] T0150.012
    
    [GRAPHIC] [TIFF OMITTED] T0150.013
    
    [GRAPHIC] [TIFF OMITTED] T0150.014
    
    [GRAPHIC] [TIFF OMITTED] T0150.015
    
    [GRAPHIC] [TIFF OMITTED] T0150.016
    
    [GRAPHIC] [TIFF OMITTED] T0150.017
    
    [GRAPHIC] [TIFF OMITTED] T0150.018
    
    [GRAPHIC] [TIFF OMITTED] T0150.019
    
    [GRAPHIC] [TIFF OMITTED] T0150.020
    
    [GRAPHIC] [TIFF OMITTED] T0150.021
    
    [GRAPHIC] [TIFF OMITTED] T0150.022
    
    [GRAPHIC] [TIFF OMITTED] T0150.023
    
    [GRAPHIC] [TIFF OMITTED] T0150.024
    
    [GRAPHIC] [TIFF OMITTED] T0150.025
    
    [GRAPHIC] [TIFF OMITTED] T0150.026
    
    [GRAPHIC] [TIFF OMITTED] T0150.027
    
    [GRAPHIC] [TIFF OMITTED] T0150.028
    
    Chairman Waxman. Thank you very much, Mr. Sydnor.
    Ms. Engle.

                STATEMENT OF MARY KOELBEL ENGLE

    Ms. Engle. Mr. Chairman and members of the committee, I am 
Mary Engle, the Associate Director for Advertising Practices at 
the Federal Trade Commission. I appreciate this opportunity to 
provide an update regarding the FTC's work involving peer-to-
peer file-sharing issues.
    We have submitted our written statement today, which 
reflects the FTC's views. My oral statements are my own and do 
not necessarily reflect the views of the Commission.
    Although P2P technology offers significant benefits, such 
as allowing for faster file transfers and easing computer 
storage requirements, it also poses risks to consumers. P2P 
file-sharing programs may come bundled with spyware or with 
viruses. In addition, as the recent Patent and Trademark Office 
report emphasizes, consumers may end up inadvertently sharing 
many sensitive files that are on their hard drive.
    The FTC has worked with industry to improve the disclosures 
of risk information on P2P file-sharing Web sites. They have 
also brought law enforcement actions where appropriate, and 
have taken steps to educate consumers and businesses on the 
risks involved.
    In December 2004, the FTC held a public workshop to 
consider the many issues raised by P2P file sharing. In June 
2005, we issued a report on that workshop which concluded that 
the risks involved with P2P file sharing stem largely from the 
result of how individuals use the technology, rather than being 
inherent in the technology, itself.
    The report emphasized that many of the risks posed by P2P 
file sharing also exist when consumers engage in other 
Internet-related activities, such as surfing Web sites, using 
search engines, or e-mail.
    In the report, the FTC staff recommended that industry do a 
better job of informing consumers about the risks of P2P file 
sharing. Over the past 3 years, we have periodically reviewed 
the risk disclosures provided on major P2P software Web sites 
and found that these disclosures have steadily improved. We 
also reviewed P2P Web sites to determine if they were a source 
of spyware.
    In the fall of 2005 we downloaded the 10 largest P2P file-
sharing programs to determine whether the distributors were 
bundling spyware or adware with their programs, and, if so, 
whether they were disclosing that fact. We found that, of those 
10 programs, 2 bundled undisclosed spyware or adware. One of 
those programs is no longer being distributed, and the other we 
referred to foreign consumer protection law agencies.
    In addition to protecting consumers by encouraging better 
disclosures, the FTC has brought two successful law enforcement 
actions related to P2P file sharing. In the case of FTC v. 
Cashier Myricks, the Commission sued the operator of the Web 
site MP3DownloadCity.com for making allegedly deceptive claims 
that it was 100 percent legal for consumers to use the file-
sharing programs that the operator promoted to download and 
share movies, music, and computer games.
    In the case of FTC v. Odysseus Marketing, we filed suit 
against the operator of the Web site Kazanon.com for allegedly 
encouraging consumers to download software that the defendants 
falsely claimed would allow consumers to engage in anonymous 
P2P file sharing.
    In both cases, the defendants entered into settlement 
agreements that prohibit the alleged misrepresentations and 
required them to disgorge their ill-gotten gains.
    Educating consumers and businesses of the potential risks 
of file sharing is vital. In July 2003, the FTC issued a 
consumer alert warning consumers about these risks, including 
the risk of inadvertently sharing sensitive files and of 
receiving spyware, viruses, copyright-infringing materials, and 
unwanted pornography.
    The alert, which we updated this past December, recommends 
that consumers carefully set up file-sharing programs so that 
they don't open access to information on their hard drives, 
such as tax returns, e-mail messages, medical records, photos, 
or other personal documents. The consumer alert has been 
accessed on our Web site over 1.3 million times.
    In addition, the FTC's general Internet education Web site, 
OnGuardOnline.gov, contains information about the risks of P2P 
file sharing, including quick fax, an interactive quiz, and 
additional resources and lessons from i-SAFE, an organization 
that educates children and teens about Internet safety.
    The FTC will continue to assess the risks associated with 
P2P file sharing, education consumers, monitor and encourage 
industry self-regulation, and investigate and bring law 
enforcement actions when appropriate. In particular, we are 
closely examining the findings of the PTO report to determine 
if Commission involvement is appropriate.
    Thank you. I look forward to your questions.
    [The prepared statement of Ms. Engle follows:]

    [GRAPHIC] [TIFF OMITTED] T0150.029
    
    [GRAPHIC] [TIFF OMITTED] T0150.030
    
    [GRAPHIC] [TIFF OMITTED] T0150.031
    
    [GRAPHIC] [TIFF OMITTED] T0150.032
    
    [GRAPHIC] [TIFF OMITTED] T0150.033
    
    [GRAPHIC] [TIFF OMITTED] T0150.034
    
    [GRAPHIC] [TIFF OMITTED] T0150.035
    
    [GRAPHIC] [TIFF OMITTED] T0150.036
    
    [GRAPHIC] [TIFF OMITTED] T0150.037
    
    [GRAPHIC] [TIFF OMITTED] T0150.038
    
    [GRAPHIC] [TIFF OMITTED] T0150.039
    
    [GRAPHIC] [TIFF OMITTED] T0150.040
    
    Chairman Waxman. Thank you very much, Ms. Engle.
    Mr. Mintz.

                  STATEMENT OF DANIEL G. MINTZ

    Mr. Mintz. Mr. Chairman, Ranking Member Davis, and members 
of the committee, I would like to thank you for the opportunity 
to appear today to discuss the important issue of peer-to-peer 
file sharing and briefly mention an incident that occurred at 
the Department, and to talk about some of the actions we have 
been taking, both on an ongoing basis and in response to the 
incident.
    My name is Dan Mintz. I am the Chief Information Officer 
for the Department of Transportation, where I have been since 
May 1, 2006. I came to the Government from SUN Microsystems, 
where I chaired a corporate-wide team that studied the 
protection of sensitive Government information within SUN's 
corporate systems. The lessons learned from that experience 
have proven valuable during my time at the Department.
    Responsible peer-to-peer software can provide Government 
agencies with many benefits, including increased productivity 
and efficiency. Unfortunately, it also poses a significant risk 
to agencies' systems and networks and information, as well as 
to home computers, and problems with peer-to-peer software can 
be difficult to detect.
    A few incidents have occurred within Government recently. 
One involved a Department of Transportation employee, when her 
child, a teenager, unbeknownst to the employee, downloaded 
software on the employee's personal computer. The daughter did 
not realize this would expose information on the family 
computer to others using the same or compatible software.
    These incidents illustrate the challenges we face and the 
need for due diligence on all of our parts. At the Department 
we are continually improving overall security. We have policies 
in place regarding file sharing, and we have a training program 
already that emphasizes these policies. At the same time, I 
wanted to mention five areas where we are doing work related to 
this.
    First, we are performing an in-depth review of the security 
architecture that we have now integrated at our Department's 
new headquarters building at the Southeast Federal Center that 
we just finished moving into, and consolidating what had been 
individually managed networks run by each of the departmental 
operating administrations.
    Second, we are working with the Federal Aviation 
Administration to combine our two separately managed incident 
reporting centers into a single center to create an integrated 
approach for Department-wide monitoring of such incidents.
    Third, we are doing a review of the policies. We have asked 
the Department's IG to work with us to examine the policies and 
determine which ones are being effective right now, need 
auditing, and which ones where there are gaps that we need to 
fill in terms of the overall policies.
    Fourth, relating to telework, we are expanding our emphasis 
to move our employees to laptops. Right now the vast majority 
of employees have desktops; only a small percentage have 
laptops. We want to increase the percentage of laptops which, 
by policy and by practice, are encrypted, away from the 
traditional desktop configurations. In this fashion, we will 
increase the percentage of employees, when they do work at 
home, to be using Government-owned equipment and Government-
owned equipment that is encrypted.
    Fifth, we will be improving the messaging regarding peer-
to-peer software to new employees, and particularly those who 
are involved in our telework program. We find that the issues 
we are coming across are, in large part, cultural as well as 
they are technological.
    In closing, progress has been made at DOT in managing these 
threats stemming from peer-to-peer file sharing, but we will 
have to remain vigilant in educating our employees about these 
dangers and developing and implementing policies, procedures, 
and technologies which will safeguard the networks and our 
sensitive data. We also need to recognize that, regardless of 
the policies we write and put in place and how we make these 
policies available to our employees, we have to continually 
audit their performance and how they are used and reinforce 
them in order to have them be effective.
    Again, I would like to thank you for the opportunity to 
comment on the topic and I look forward to answering any 
questions that you have.
    [The prepared statement of Mr. Mintz follows:]

    [GRAPHIC] [TIFF OMITTED] T0150.041
    
    [GRAPHIC] [TIFF OMITTED] T0150.042
    
    [GRAPHIC] [TIFF OMITTED] T0150.043
    
    [GRAPHIC] [TIFF OMITTED] T0150.044
    
    [GRAPHIC] [TIFF OMITTED] T0150.045
    
    [GRAPHIC] [TIFF OMITTED] T0150.046
    
    [GRAPHIC] [TIFF OMITTED] T0150.047
    
    [GRAPHIC] [TIFF OMITTED] T0150.048
    
    [GRAPHIC] [TIFF OMITTED] T0150.049
    
    [GRAPHIC] [TIFF OMITTED] T0150.050
    
    [GRAPHIC] [TIFF OMITTED] T0150.051
    
    Chairman Waxman. Thank you very much, Mr. Mintz.
    Mr. Johnson.

                  STATEMENT OF M. ERIC JOHNSON

    Mr. Johnson. Chairman Waxman and Ranking Member Davis and 
members of the committee, I am Eric Johnson and it is a great 
honor to testify here today.
    You might wonder why is a business professional studying 
peer-to-peer security threats. First, let me be clear: I have 
no financial stake in the security industry, nor have I 
accepted funding from the recording industry. I became 
interested in peer-to-peer security risks as part of my ongoing 
research on information security in large corporations.
    My research center, the Center for Digital Strategies at 
the Tuck School of Business at Dartmouth, is focused on the 
problems facing chief information officers of Fortune 500 
companies. In 2002, with Cisco Systems, we founded the Thought 
Leadership Roundtable on Digital Strategies to bring CIOs 
together to talk about shared business problems.
    Over the past 5 years, security and trust have consistently 
been at the top of many CIOs' agendas, so as part of the I3P 
Research Consortium and through grants from the Department of 
Homeland Security, NIST, and the Department of Justice, we have 
been researching the challenges of information security in 
large, extended enterprises.
    For example, with the DHS funding we have been conducting 
workshops for chief information security officers and, driven 
by the key issues raised in those discussions, we have focused 
much of our attention on information leakage and inadvertent 
disclosure.
    Today we examine a common but widely misunderstood source 
of inadvertent disclosure, peer-to-peer file sharing.
    In the next few minutes I will summarize the results of two 
of my research papers, one that is forthcoming and one that has 
already been published in a peer-reviewed scientific 
publication.
    First, to illustrate the threat of P2P file sharing, we ran 
a set of honey pot experiments in conjunction with Tiversa. We 
posted the text of an e-mail containing an active Visa debit 
number and AT&T phone card in a music directory that was shared 
via LimeWire. We observed the activity on the file and tracked 
it across the P2P network. By the end of the first week, the 
Visa card had been used and its balance depleted. We observed 
its use through the accounts transaction statement posted by 
Visa on the Web.
    Not knowing the exact balance of the card, the users used 
PayPal and Nochex, both processors of online payments, to drain 
the funds from the card.
    Within another week, the calling card was also depleted. 
Examining the call records, all the calls were made from 
outside the United States into two U.S. area codes in the Bronx 
and Tacoma. This illustrates the threat both within and outside 
the United States.
    And even more interesting, long after we stopped sharing 
the files, they kept moving, continuing to new clients as they 
were leaked over and over again.
    In our second study we examined bank-related documents we 
found circulating on peer-to-peer networks over a 2-month 
period. Focusing on the Forbes Top 30 U.S. banks, we collected 
and analyzed their user-issued searches and leaked documents. 
First we found an astonishing number of searches targeted to 
uncover sensitive documents and data. For example, a user-
issued search for Bank of America data base, Wachovia Bank 
online user ID, or CitiBank balance transfer. Now, keep in mind 
these were searches issued in music-sharing networks, not the 
worldwide Web. Such directed searches clearly illustrate the 
intent of finding some confidential information.
    Next we examined thousands of bank-related documents 
circulating on the networks. Many of the documents were 
customer related, leaked by the customers, themselves, such as 
statements, dispute letters, completed loan application forms. 
Typically these documents contained enough information to 
easily commit identity theft or fraud.
    We also found business documents leaking from the banks' 
employees and suppliers, including performance evaluations, 
customer lists, spreadsheets with customer information, and 
clearly marked confidential bank material.
    From our sample of banks, we analyzed tens of thousands of 
relevant searches and documents, and we found a statistically 
significant link between the linkage and the firm employment 
base.
    We also found that, for many firms, coincidental 
association with a popular song brand or venue represented 
another problem we called digital wind. Millions of searches 
for that song increased the likelihood of exposing a sensitive 
bank document. Either by mistake or by curiosity, these 
documents are exposed and sometimes downloaded to other 
clients, thus spreading the file and making it more likely to 
fall into the hands of those who will try to exploit it.
    For example, someone looking for a live performance from 
the Wachovia Center would likely find documents related to the 
bank. Likewise, the popular rap singer PNC creates wind for PNC 
Bank. Such digital wind increases the P2P security threat for 
many organizations.
    Thank you.
    [The prepared statement of Mr. Johnson follows:]

    [GRAPHIC] [TIFF OMITTED] T0150.052
    
    [GRAPHIC] [TIFF OMITTED] T0150.053
    
    [GRAPHIC] [TIFF OMITTED] T0150.054
    
    [GRAPHIC] [TIFF OMITTED] T0150.055
    
    [GRAPHIC] [TIFF OMITTED] T0150.056
    
    [GRAPHIC] [TIFF OMITTED] T0150.057
    
    [GRAPHIC] [TIFF OMITTED] T0150.058
    
    [GRAPHIC] [TIFF OMITTED] T0150.059
    
    [GRAPHIC] [TIFF OMITTED] T0150.060
    
    [GRAPHIC] [TIFF OMITTED] T0150.061
    
    [GRAPHIC] [TIFF OMITTED] T0150.062
    
    [GRAPHIC] [TIFF OMITTED] T0150.063
    
    [GRAPHIC] [TIFF OMITTED] T0150.064
    
    [GRAPHIC] [TIFF OMITTED] T0150.065
    
    [GRAPHIC] [TIFF OMITTED] T0150.066
    
    Chairman Waxman. Thank you, Mr. Johnson.
    Mr. Gorton.

                    STATEMENT OF MARK GORTON

    Mr. Gorton. I would like to thank the Committee on 
Oversight and Government Reform for inviting me to speak today. 
My name is Mark Gorton, and I am the founder and chairman of 
LimeWire, LLC, the makers of the LimeWare file-sharing program.
    LimeWire takes the problem of inadvertent file sharing 
seriously. We strive to make the LimeWire file-sharing program 
clear and easy to understand. Warnings about inadvertent file 
sharing are displayed prominently on the LimeWire Web site. The 
LimeWire program contains a number of features designed to 
prevent inadvertent file sharing. In the library tab, users can 
see which files are being shared and how many times each file 
has been uploaded. They can also turn off or on sharing on a 
file-by-file or folder-by-folder basis. Monitor and logging 
tabs on the LimeWire client also show which files are being 
uploaded.
    Users are given warnings when they attempt to share folders 
which are likely to contain sensitive information, such as the 
My Document folders on Windows machines. A status bar is always 
present, which shows how many files are being shared, the 
number of files currently being uploaded, and the current 
upload bandwidth being used.
    At LimeWire we continue to be frustrated that, despite our 
warnings and precautions, a small fraction of users override 
the safety default settings that come with the program and end 
up inadvertently publishing information that they would prefer 
to keep private.
    However, despite all the work that we have done, 
inadvertent file sharing continues to be a problem, so LimeWire 
is working on a new generation of user interfaces and tools 
designed with neophyte users in mind. These interfaces will 
make it even easier for users to see which files they are 
sharing and to intuitively understand the controls that are 
available to them.
    I have sent this committee a document entitled, Inadvertent 
Sharing Precautions and LimeWire, which provides a more 
comprehensive list of measures that LimeWire takes to prevent 
accidental file sharing. I also invite you to go to our Web 
site and download the LimeWire client and see for yourself how 
easy it is to see which files are being shared with LimeWire.
    In addition to the problem of inadvertent file sharing, P2P 
networks are plagued by child pornography and copyright 
infringement. The Internet is a new technology which allows for 
many novel behaviors. Unfortunately, some of these new 
behaviors are detrimental to society. The regulatory framework 
that surrounds the Internet has not kept pace with technical 
advancements, and currently no effective enforcement mechanisms 
exist to address illegal behavior on P2P networks.
    Internet service providers, ISPs, are a unique point of 
control for every computer on the Internet. Universities 
frequently function as their own ISPs, and a handful of 
universities have implemented notice-based warning systems that 
result in the disconnection of users engaged in illegal 
behavior who ignore multiple warnings. These universities have 
sharply reduced child pornography and copyright infringement on 
their campus networks.
    Similar policies could be mandated for ISPs in the United 
States; however, these policies are unpopular with telecom and 
cable companies who would prefer not to have an enforcement 
relationship with their paying customers. The telecom industry 
has objected vigorously to previous attempts to involve ISPs in 
the enforcement process, and it continues to oppose policies 
that would allow for the establishment of moderate yet 
effective enforcement mechanisms to combat illegal behavior on 
the Internet.
    The only institution in the United States with the power to 
mandate the creation of an effective enforcement mechanism to 
police the Internet is the U.S. Congress. With the leadership 
of the U.S. Congress, a proper policing mechanism for the 
Internet can be established and the problems of child 
pornography and copyright infringement can be greatly reduced.
    Thank you.
    [The prepared statement of Mr. Gorton follows:]

    [GRAPHIC] [TIFF OMITTED] T0150.067
    
    [GRAPHIC] [TIFF OMITTED] T0150.068
    
    Chairman Waxman. Thank you very much, Mr. Gorton.
    General Clark.
    Mr. Boback. With your permission, Mr. Chairman, I would 
like to speak first prior to General Clark.
    Chairman Waxman. Certainly, Mr. Boback.

                   STATEMENT OF ROBERT BOBACK

    Mr. Boback. Thank you, Mr. Chairman. Good morning, Chairman 
Waxman, Ranking Member Davis, and distinguished members of the 
committee. My name is Robert Boback, and I am the chief 
executive officer of Tiversa, the company that provided some of 
the information and data for Professor Johnson's study. I wish 
to extend my most sincere appreciation for inviting us to 
testify on this important and serious issue facing our country 
today.
    First let me start by saying that I do agree with Mr. 
Gorton that the peer-to-peer is very powerful, and many members 
of the committee expressed similar concerns or similar 
statements, saying that the peer-to-peer is important and 
powerful technology, one of the most important in recent years 
for distributing the amount of user-generated content that is 
being delivered today.
    First, let me start with some background on Tiversa to help 
you understand the problem.
    In 2003 Tiversa developed technology that will allow us to 
position ourselves accordingly throughout the various peer-to-
peer networks, including Mr. Gorton's application of LimeWire, 
through what we would known as the Gnutella network. In doing 
so, we were able to then view all of the available searches and 
information that is now on the network, so it is not limited to 
that of just LimeWire.
    In doing so--and this is what is most astounding to most 
individuals--we are processing 300 million searches per day. 
For perspective's sake, Google processes 130 million searches 
per day. This is a massive network with many searches issued 
worldwide.
    If you think of Tiversa's technology in two buckets, our 
technology allows us to process all of the search requests, but 
we can also issue search requests in that same vein for 
available information, so as I testify we will break down the 
two: what are people looking for, in a sense; and what is out 
there to be had.
    As we were called to testify, I will address the consumer 
issue and the corporate issue and turn it over to General Clark 
to address the more serious national security risks associated 
with the Government issue.
    Searches? So what are people looking for? On this slide 
demonstrated on the side here--and I know it is small to see--
in a brief window we actually took a look to see what are 
people searching for. And this will be submitted to committee 
members. There are thousands upon thousands of searches issued 
for credit card and CD numbers, banking information, account 
log-in password, very specific terms to find confidential, 
inadvertently disclosed information on these peer-to-peer 
networks.
    And this information is not only limited to that of the 
financial service industry, as evidenced by the next slide. 
Medical information and medical identity theft is a rapid 
riser. This information has a lower security threshold to that 
of the financial information. Should someone question you about 
your medical information or getting a bill paid by the 
insurance, which most consumers would want, your likelihood to 
push back against that information or giving that information 
is much less than should someone ask you for your credit card 
information.
    If you think of a medical identity card or an insurance 
card, that is very similar to a credit card with a $1 million 
spending limit. Identity thieves seek these out, and they seek 
them out on the peer-to-peer.
    So in saying that, what disclosures are out there? These 
individuals issuing these searches, what is there to be found? 
Federal and State identification, including passports, driver's 
licenses, Social Security cards, dispute letters with banks, 
credit card companies, insurance companies, copies of credit 
reports--Experian, TransUnion, Equifax, individual bank card 
statements and credit card statements, signed copies of health 
insurance cards, full copies of tax returns, as Mr. Issa 
clearly demonstrated for us, extensive electronic records of 
active user names and passwords for online banking and 
brokerage accounts, confidential medical histories and records.
    For the committee's review, we are going to submit a number 
of documents that have been redacted to show this. One 
individual, as we find thousands of them, sharing their entire 
life, per se, of information, including their children's Social 
Security numbers, date of birth, all of their account log-ins 
and passwords. This individual put them on an Excel spreadsheet 
in an effort to organize their life and, unfortunately, lost 
this information.
    Another example is a doctor who performed a 
neuropsychological examination on a pediatric patient, a 9-year 
old fourth grader, and then disclosed that information as he 
had a peer-to-peer client on his system, disclosing the entire 
confidential results of this pediatric patient with very 
sensitive information.
    One thing that is interesting to point out with this doctor 
is that it is not the person that disclosed the information 
that is affected. In that case, the doctor disclosed on the 
patient; therefore, an obvious HIPAA violation. However, it is 
the extended enterprise. We are now in a wall-less society such 
that corporations can have the best policies and procedures and 
hardware measures to try to prevent this; however, in an out-
sourced world we share confidential information with attorneys, 
with this committee, with auditing firms, with out-source 
partners, and they have to also have the same policies, 
procedures, and safeguard measures, and that is just not 
happening.
    The searchable corporate documents are as prevalent as 
consumer-related documents. They can be highly targeted and 
very specific or general. The larger and better known the 
company and its brand, the more searches that will happen.
    It is important to note that existing security measures do 
not address this problem. That is an important fact. The 
current firewalls, anti-virus, the encryption services, the 
intrusion detection, the intrusion protection, it is not 
addressing this problem or we wouldn't see the prevalence that 
we are seeing.
    Some of the corporate documents that we have found--press 
releases of publicly traded companies in markup found prior to 
their release, a clear SEC violation; patent work up in markup; 
network systems related to documents, including administrative 
passwords and user IDs to private corporate networks; clinical 
drug trials before FDA approval; countless legal documents 
involving ongoing litigation, business contracts, nondisclosure 
agreements, and term sheets; human resources; accounting. It is 
extensive, it is enterprise-wide, and it affects all levels of 
corporations, as we have had examples. We can provide thousands 
of examples of each.
    One specific example is an out-sourced telecom provider 
which shared the entire wide area network of one of the 
largest, most recognized investment banks in the world. This 
information could be used by terrorists, by hackers across the 
world to loop--and what I mean by loop is they can reconfigure 
router configurations such that that wide area network would 
not function properly. This would significantly impact a 
greater than $50 billion company based in the United States 
here.
    Fortune 50 board minutes have been released, to where a 
confidential board minutes talking about compliance issues have 
been released on this very network.
    The entire 4X trading platform of a very large 
international bank has also been released.
    More importantly, where it starts to hit to Government 
issues, there was a large Government outsource provider that 
did security threats on various U.S. cities on the transit 
authorities for those cities. In that report they were given 
cart blanche access to the security measures of these various 
cities. Then they released the report inadvertently on the 
peer-to-peer. This information gives very precise information 
on where the bombs should be placed to have the maximum damage, 
where are the vulnerabilities in this city that could impact 
our national security. A city hired this company in an effort 
to decrease the risk facing that city, and, unfortunately, it 
increased it several-fold, as individuals are able to access 
that information, which is an important point.
    In seeing the searches, we can tell you that people are 
accessing this information from outside the United States. It 
has been our research that this information does head to 
Pakistan. It does head to Africa. It does head to Eastern 
Europe. There are individuals outside the United States that 
are grabbing this information.
    In closing, briefly on the screen we want to show you this 
is our technology running in real time, so as the system will 
bring up searches, these are people that are actually searching 
for and acquiring information. I know it is small and you can't 
read it, but we are going to provide a larger examples to the 
Members. This is information that is currently, right now, in 
real time, being disclosed. Thousands of it, as you can see. 
This is inadvertently disclosed and sought-after information on 
these peer-to-peer.
    This is the new threat to information security. Just as 4 
years ago we didn't understand phishing, we didn't understand 
virus, we do now.
    I commend this committee for the opportunity to present 
this today.
    Thank you, sir.
    [The prepared statement of Mr. Boback follows:]

    [GRAPHIC] [TIFF OMITTED] T0150.069
    
    [GRAPHIC] [TIFF OMITTED] T0150.070
    
    [GRAPHIC] [TIFF OMITTED] T0150.071
    
    [GRAPHIC] [TIFF OMITTED] T0150.072
    
    [GRAPHIC] [TIFF OMITTED] T0150.073
    
    [GRAPHIC] [TIFF OMITTED] T0150.074
    
    [GRAPHIC] [TIFF OMITTED] T0150.075
    
    [GRAPHIC] [TIFF OMITTED] T0150.076
    
    [GRAPHIC] [TIFF OMITTED] T0150.077
    
    [GRAPHIC] [TIFF OMITTED] T0150.078
    
    [GRAPHIC] [TIFF OMITTED] T0150.079
    
    [GRAPHIC] [TIFF OMITTED] T0150.080
    
    [GRAPHIC] [TIFF OMITTED] T0150.081
    
    [GRAPHIC] [TIFF OMITTED] T0150.082
    
    [GRAPHIC] [TIFF OMITTED] T0150.083
    
    Chairman Waxman. Thank you, Mr. Boback.
    General Clark.

              STATEMENT OF GENERAL WESLEY K. CLARK

    General Clark. Good morning, Mr. Chairman and Ranking 
Member Davis, distinguished members of the committee. It is an 
honor to come before you today to talk about a topic that is 
critical to our national security and to the safety and privacy 
of our Nation's citizens and companies. I want to commend 
Congressman Waxman and Congressman Davis and members of the 
committee for both bringing this issue back to light and for 
the work this committee has done previously to try to highlight 
the risk.
    I want to just disclose now that I am an advisor to 
Tiversa, and in that role I do have a small equity stake in 
Tiversa. But my engagement here has just opened my eyes to 
activities that I think, if you saw the scope of the risk, I 
think you would agree that it is just totally unacceptable. The 
American people would be outraged if they were aware of what is 
inadvertently shared by Government agencies on P2P networks. 
They would demand solutions.
    Now, Bob Boback has just explained what is out there on the 
corporate side. I have submitted some material for the record. 
Let me just summarize quickly what we found.
    As I was preparing for the testimony, I asked Mr. Boback to 
search for anything marked classified secret, or secret no-
foreign. So he pulled up over 200 classified documents in a few 
hours running his search engine. These documents were 
everything from in-sums of what is going on in Iraq to 
contractor data on radio frequency information to defeat 
improvised explosive devices. This material was all secret, it 
was all legitimate.
    I called the chairman of the National Intelligence Advisory 
Board, who worked for Admiral McConnell, and shipped the 
information to him. He looked at it. He called NSA. NSA has it. 
They are now very seized with the problem, I think. But I think 
that the work of this committee has been a great assist in 
getting the agencies to look at this, because previously there 
have been contacts but we never have sort of engaged.
    As the chairman of the Advisory Committee told me when he 
looked at the documents, he said, my goodness, they are in full 
color. Yes, they are the complete documents. They are not faxed 
copies, they are not smudged. They are just as fresh as if they 
were printed off on the computer printer of the organization.
    Even more alarming, I got a call from Bob Boback on 
Wednesday night that he had found on the peer-to-peer net the 
entire Pentagon's secret backbone network infrastructure 
diagram, including the server and IP addresses, with password 
transcripts for Pentagon's secret network servers, the 
Department of Defense employees' contact information, secure 
sockets layer instructions, and certificates allowing access to 
the disclosing contractors' IT systems, and ironically, a 
letter from OMB which explicitly talks about the risks 
associated with P2P file-sharing networks.
    So I called the Office of the Secretary of Defense. I got 
the right people involved. They had some meetings on it this. 
It turns out that a woman with top secret clearance working for 
a contractor on her home computer, she did have LimeWire, and 
somehow, I guess, she had taken some material home to work on 
it, and so all this was out there.
    This material was not, strictly speaking, secret. It was, I 
think, labeled FOUO. But it was certainly information that 
would be sort of a hacker's dream.
    What we found at Tiversa was that many people were queued 
up to download this information. This looked so interesting 
that they wanted it. So we don't know how long it had been out 
there. There is no way of knowing that. But we called the 
company an obviously we got it stopped as soon as we found out 
about it.
    But these two examples illustrate the risks that are out 
there. Peer-to-peer file sharing is a wonderful tool. It is 
going to be a continuing part of the economy. It is a way that 
successfully moves large volumes of data, and that is not going 
to go away, but it has to be regulated and people have to be 
warned about the risks, and especially our Government 
agencies--our National Security Agency, DOD, people that run 
the Sipranet--have to take the appropriate precautions, because 
we can't have this kind of information bleeding out over the 
peer-to-peer network.
    Thank you, Mr. Chairman.
    Chairman Waxman. Thank you very much, General Clark.
    Let me start off the questioning. It is really stunning to 
see what you can get on a real-time basis, the kind of 
information that is being viewed even during the time we are 
holding this hearing. But I want to go into this issue, General 
Clark, about classified national security secrets.
    You described that you were able to find the entire 
Pentagon secret backbone network infrastructure diagram using 
P2P networks available to millions of users. They also could 
find this. You have also said you have found other types of 
classified information such as--and this is not a complete list 
of what you reported to find: one, a document with individual 
soldiers' names and Social Security numbers; two, physical 
threat assessments for multiple cities such as Philadelphia, 
St. Louis, and Miami; three, a document entitled NSA Security 
Handbook; four, numerous DOD directives on information 
security; five, DOD security system audits; six, numerous field 
security operations documents; and seven, numerous 
presentations for armed forces leadership on information 
security tactics, including how to profile hackers and 
potential internal information leakers.
    From a national security perspective, how significant is 
information you were able to find? You indicated that this was 
from one person who had taken material home to use and to work 
from home, but they weren't classified but they were secret. 
Would this kind of information jeopardize our national security 
if it fell into the wrong hands?
    General Clark. Of course it would, Mr. Chairman. It is very 
significant information, and the kinds of information that you 
list are simply what we found. We put the straw in the water. 
But we could have put the straw in the water and asked for 
something else. We didn't ask for top secret. We didn't ask for 
code word or SCI. This morning we found a document that shows 
the status of people receiving security clearances for SCI.
    So there are all kinds of materials out there that is 
leaking out inadvertently. This is a major channel of 
communication, and we don't want to shut it down, but people 
just don't understand the risks when they put this information 
onto a computer that it is broadcast all over the world and it 
is being taken.
    So we need a real program that sorts through this that 
observes it and watches for these kinds of violations and shuts 
it down immediately. We shut down this woman's computer 
instantly as soon as I called the CEO and told him what was on 
it, but there is no guarantee that there wasn't something 
equally damaging on another employee's computer that we just 
hadn't programmed a search for.
    Chairman Waxman. These are not Government employees 
directly, but more the contractors that might be using a P2P 
network?
    General Clark. Right. These are contractors who work in the 
Pentagon. Most of our agencies have a mixture of Government, 
Civil Service, or Schedule C appointees working, plus they 
augment with contractors.
    Chairman Waxman. Yes. Now, you indicated you promptly 
turned these documents over to officials in the intelligence 
community. Can you specify where you sent these documents?
    General Clark. They were sent to the chairman of Admiral 
McConnell's National Intelligence Advisory Board.
    Chairman Waxman. And what was their reaction? Were they 
aware of this risk to national security?
    General Clark. They were aware of it in general, but they 
were not aware in specific, and they weren't aware, for 
example, of how to monitor it.
    Again, I am not in this network now. I am a civilian and I 
am just in business, but my impression was--I have dealt with 
classified information all my life, and normally when you have 
a breach it is a pretty simple, clear-cut thing. You can pretty 
much trace it back to somebody making a mistake, carrying a 
document home, leaving a briefcase somewhere. Somehow it gets 
lost, turned in by somebody, and you can do a damage assessment 
on it.
    In this case, when the documents are presented, they are 
going to have to go to very elaborate measures to find out 
where the documents came from and who has actually viewed or 
downloaded these documents. It can be done, but they don't have 
the procedures in place to do it, so we are talking about 
opening up a new area of national security for document 
protection here.
    Chairman Waxman. So until we do something along those 
lines, it is an ongoing national security threat.
    General Clark. Right. What businesses are doing is they are 
having people screen the peer-to-peer space for their 
documents, and then it can be traced back normally to the 
source of that document, and then they can get the computer 
shut down or make the correction. And if it is done on a 
routine basis and it is up there all the time, hopefully the 
document doesn't leak very far.
    Apparently, we don't have that system in place yet in the 
U.S. Government, so we don't know what is really out there that 
is inadvertently leaked out in the peer-to-peer.
    Chairman Waxman. And that is something the Government 
should do, not the P2P network?
    General Clark. I don't think you can totally control it 
without observing it, so I don't think you can simply tell 
LimeWire and the other companies, change your software so this 
never happens again. I think you have to have an active 
defensive monitoring program for Government documents on the 
net, just like investment banks are starting to add, or law 
firms, because there are just so many opportunities for this 
material to get out there that if you wait for the lawsuit you 
have waited too long.
    Chairman Waxman. Thank you very much.
    Mr. Davis.
    Mr. Davis of Virginia. Let me ask, my first question is: we 
are focused really on privacy protections, proprietary 
information, secret information leaking out. But conceivably, 
if the wrong people got in through peer-to-peer into Government 
files, could it lead to a cyber Pearl Harbor? General Clark, do 
you have any thought on that?
    General Clark. This material obviously poses risks, because 
there are opportunities here for hacking, for covert entry, for 
inserting programs inside routers and servers and other things, 
all of which are very damaging.
    Now, we can't tell you at this moment who took the 
information on the secure Internet. We can do some detective 
work on it and we may find it, but at any given point a 
computer, an innocent computer, supposedly, let's say in Ghana, 
could have downloaded this information, printed it, and 
themselves then had it carried as a document, so you would lose 
the trail at that point.
    Mr. Davis of Virginia. Mr. Mintz, let me ask you, could 
conceivably the wrong people get inside the files at your 
Department? Could they take control? Is there a way that they 
could do that?
    Mr. Mintz. Well, certainly if people got access to 
information, password information or something like that, it 
would be possible for them to get in. Typically, within our own 
network we are able to stop this kind of activity fairly 
quickly. The problem, however, is the release of information 
that would go out would be the greater problem, I think, for 
us. They'd be able to get access to information we don't want 
them to have.
    Mr. Davis of Virginia. Well, let me ask you this, if you 
know. FISMA guides agency information security postures. In the 
context of Federal agencies, should we address these issues 
then under FISMA?
    Mr. Mintz. The issue of the peer-to-peer?
    Mr. Davis of Virginia. Yes.
    Mr. Mintz. Peer-to-peer, in fact, is a requirement of the 
FISMA report. There is a part of it that we have to respond to 
what we are doing with peer-to-peer activity. It certainly 
should be an important part of FISMA.
    What we found here also, I think, beyond just the 
technologies I mentioned, there are two issues that I think we 
have to look at. One is what do we do in terms of training to 
make sure that people are paying attention to these issues, 
because often the use is home computers, not just the use in 
the system.
    And the second is to emphasize the need to audit. That is, 
we do a lot of times, I think, what I call policy on the shelf. 
We put together a lot of the policies, but what is it we do to 
make sure that the policies are actually being followed and 
paid attention to? So we needed some kind of an auditing 
process to go back and check to see that.
    Mr. Davis of Virginia. Let me ask Mr. Johnson and Mr. 
Boback, what portion of the volume on file-sharing programs is 
basically music and video sharing?
    Mr. Johnson. In terms of just the sheer size of the files, 
video content makes up a huge fraction of what is moving out 
there, video and other media.
    Mr. Davis of Virginia. Any ballpark?
    Mr. Johnson. Documents are just a tiny fraction, because 
they are so small, but there are many of them, but a document 
is so small compared to a music file or a video file.
    Mr. Boback. Sir, in our research we found that MP3s are 
actually 38 percent of the information that we have found. We 
are not talking just document size, as Professor Johnson 
mentioned, kind of skews the data, but we are also talking just 
in the number. So MP3s are 38 percent, m-PEGS, which are 
movies, are another 19 percent in our research. But, again, 
this is irrelevant of the size.
    Mr. Davis of Virginia. Right.
    Mr. Boback. Just the number.
    Mr. Davis of Virginia. How much of this activity comes from 
overseas actors? Any evidence of any state-sponsored activity 
in these areas, seeking classified or proprietary information 
from file-sharing networks?
    Mr. Boback. We have found information, classified 
information, from multiple foreign governments. What we can 
testify to is that there are multiple foreign entities that are 
actively using the peer-to-peer to issue what we would say are 
illicit searches. If someone were to issue a search for, as 
General Clark mentioned, Sipranet, and that search originated--
which one just recently happened--out of Ghana, West Africa, 
that should be an area of concern to the U.S. Government.
    As Professor Johnson testified, that is a Sipranet search 
being issued on a file-based network most notably known for 
movies and music. Why is that search being issued from Africa?
    As to who issued that search, we can target back to an 
actual IP address, but, unfortunately, I cannot, without 
further investigation, get to an individual.
    Mr. Davis of Virginia. Thank you.
    Chairman Waxman. Thank you, Mr. Davis. Your time has 
expired.
    Mr. Cummings.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    I want to go back to something Mr. Waxman said to you, 
General Clark, about the threat to our national security. As a 
member of the Armed Services Committee and as chairman of the 
Coast Guard Subcommittee, we go into a lot of classified 
briefings. I look at what we go through. You have to sign the 
documents, you have to swear that they will never mumble one 
syllable. And then to find out that this kind of information is 
out there is frightening.
    When you talk about, for example, the schematic of a city 
and the threat level, and then we think about this report that 
just came out about Al Qaeda trying to do things in this 
country, the idea that, in the hands right now of somebody who 
wants to do some harm, they have the necessary information to 
effectively--and this is some serious stuff. In the past we 
have heard about them taking pictures of the World Trade Center 
and things like this.
    What we are saying here, if I understand you correctly, it 
is quite possible that they actually have the information to be 
most effective and efficient in bringing hell to this country.
    So I guess what I am thinking about, General Clark, you 
said something, and the chairman took you a little farther down 
the road. I want to bring you back. It is one thing to find out 
who got the information. It is one thing to find out who is 
searching for it. It is another thing to know what is already 
out there.
    See, that is what bothers me. I mean, it sounds like, Mr. 
Boback, you all want to work with the Government and try to 
figure out how we can address these issues, but a lot of stuff 
is out there and it seems to me that this is something that 
would call for the utmost urgency or we may find ourselves 
sadly in a worse situation than 9/11 because now they may have 
the kind of information that they could do a whole lot of harm.
    Again, from the national intelligence estimate report, they 
talked about how Al Qaeda is trying to find all kinds of ways 
that we might least expect to bring massive harm to our 
country. I just want you to comment on that. And what can you 
all do?
    I mean, if I am looking at this on C-SPAN, I am asking the 
question, all right, I have heard all of that. Now, what can we 
do to make a difference? What can the companies do?
    And the other thing that we have to keep in mind is not 
everybody is sophisticated in all of this computer language as 
you all are. So I am just wondering can you just help me with 
that, or anybody else.
    General Clark. Well, first of all, Congressman, I think 
your statement of the urgency of the problem is accurate. I 
think it is an urgent problem. We do not know what is already 
out there.
    In the case of the information on the city vulnerability, 
of course, we immediately contacted the contractor and the city 
and so forth. They denied the problem. They don't understand 
what has been leaked.
    So the first thing we need are some pretty hard-nosed 
policies about businesses and Government contractors that 
simply prevent people from doing Government work on computers 
that have anything to do with the P2P network and have LimeWire 
or any of the other file-sharing information on it. Even when 
people are sophisticated and understand LimeWire and are 
sophisticated with computers, they can still make a mistake and 
all that material could be gone in an instant.
    The woman who had the Sipranet backbone was an experienced 
woman in IT infrastructure. That was her specialty in the 
Department of Defense. Yet, she had inadvertently broadcast it.
    So I do think that it is an urgent problem. I think that 
strong policies can help. I think a dedicated search effort 
needs to be run on some of the key sensitive items or sensitive 
terms. Tiversa is in discussions with the Department of Defense 
and National Security Agency now to try to start doing it. But 
the horse is out of the barn, and unless we have some specific 
key words that we want to follow, it is almost impossible to 
know what could be out there. Anybody who wrote a draft of a 
secret document at home, brought it into the office on a hard 
drive, loaded the hard drive in, prepared it in the office, 
took it back and worked on it at home in the hard drive, and 
his daughter uploads the music-sharing program, that document 
could be out on the Internet.
    So there is just no way of knowing everything that is out 
there right now. What we do need is, as soon as possible, an 
active monitoring program, and we need a greater awareness and 
the right policies in place in our Government agencies.
    Mr. Boback. Mr. Cummings, I think you are spot on on the 
process that you suggested. First, we do need to assess what 
information has been disclosed across the board using specific 
terms that are provided by the various agencies of information 
that they are interested in protecting. We also need to know 
where did that information go, who has it, and what are their 
intentions.
    If I may, early on in Tiversa's history we actually 
provided information. We saw an individual searching for 
pictures of the President's daughter, not that specific. Then 
they issued a same search that said pictures of Air Force I. 
Again, not that impactful. Then they issued a very specific 
search that said active White House security force, which 
obviously prompted our concern and said what is this person 
looking for. We file shared with the individual to say, what 
other files do you have? Let's download some of the files that 
they have actively already downloaded. The person had, I 
believe it was 47 files of sniper, sniper training, sniper 
tactics, avoiding police investigations, extensive training in 
sniper tactics.
    We immediately alerted the U.S. Secret Service. The Secret 
Service actually showed up at my doorstep 6:30 in the morning 
to retrieve this information, and we were able to locate the 
individual. When the Secret Service found this information that 
individual was 55 miles away from the Crawford Ranch. Criminals 
are using this information today. We need to find what is out 
there. We need to find it right now.
    Chairman Waxman. The gentleman's time has expired.
    Mr. Issa.
    Mr. Issa. Thank you, Mr. Chairman.
    I know we have piled on pretty good on all the things that 
can happen, and I am just going to pile on a little more 
quickly and then ask a couple of questions.
    I think it is humorous that I have in front of me Charles 
Fuller's Alternate Pistol Qualification Course. This is a 
Tradoc document, Wes. He got 132, 33 hits out of 40, so he is 
pretty fair. That could be humorous.
    Now, a little like that other document, I have Mike's 
credit cards and accounts, including all the passwords. I can't 
even redact this and turn it in for the record, because all you 
would have is staples followed by everything redacted. A 
MasterCard, AMX. Everything redacted. It is exactly that. It is 
everything that you want to keep secret. I don't know whether 
it was Mike that messed up, or Mike's son or daughter, but it 
happened.
    This one I am not going to turn in for the record, but I 
will be contacting the 101st Airborne Division Air Assault, 
because I have 20--and I could have had 200--records of orders. 
Clearly, this was not an individual. This was an asset that 
either had directly or indirectly permanent change of station 
and other orders, each one with Social Security number, name, 
rank, and date on it. I guess the kids don't actually come in 
on Saturday into the commanding officers' office and download 
LimeWire, but maybe somebody did it.
    There is an elephant in the room, and I figure we have all 
missed him, so, Mr. Gorton, I want to talk to you for a moment.
    You know, we have been talking about you and we haven't 
given you a chance in the Q&A, so I am going to give you that 
chance. Last year we held hearings on steroids and we put Major 
League baseball players where you all are. You are all 
handsome, but you don't quite--except for you, actually. Nobody 
else up there looks like a current baseball player. At the end 
of it all, professional baseball banned steroids and made it 
very harsh to use them.
    We are here today talking about the defaults on your 
software--essentially, just hit enter, enter, enter--making all 
these things happen, or be able to happen. Do you feel any 
obligation today that you should change your defaults to 
secure, secure, secure as a result of what you are hearing here 
today?
    Mr. Gorton. I think right now the defaults are secure. So 
if you just go hit enter, enter, enter using LimeWire you don't 
share any files and there is no information that would be on 
your computer that would be made public to anybody.
    Now, I think what you have here is a situation where people 
override the safe defaults and end up disclosing things that 
they didn't mean to disclose, and clearly that happens more 
than it should.
    I had no idea that there was the amount of classified 
information out there or that there are people who are actively 
looking for that and looking for credit card information.
    Mr. Issa. Now that you are aware of it, the first question 
I am going to ask briefly, because I will run out of time 
pretty quickly, is, are you prepared here today to say you are 
going to make significant changes in the software to help 
prevent this in the future?
    Mr. Gorton. Absolutely. And we have some in the works right 
now.
    It seems like, as far as I can see, there are two big 
categories of things that we can do. One of them addresses how 
people share directories and folders. I think probably a lot of 
the information that gets out there now is because people 
accidentally share directories that they wouldn't mean to 
share.
    We have warnings in the program that currently warn people 
when they try and share directories that they shouldn't be 
sharing. Clearly, those warnings are not enough, at least in a 
handful of cases.
    Mr. Issa. Let me ask you a final question, and others may 
answer it also. We did not heavily weight today's panel with 
lawyers, but many of us on this panel up on the dais also serve 
on Judiciary. Would it surprise you if you have a string of 
lawsuits for inherent defect in your product if people like 
Charlie Mueller of Missouri--I will say no more--finds out that 
he has lost his IRS filings and finds he has been damaged? 
Would it surprise you that you would be potentially not 
dismissible in tens of thousands or hundreds of thousands of 
venues around the country for your software, even 
inadvertently, but in their opinion being defective, you know, 
causing these releases? Would that surprise you?
    Mr. Gorton. LimeWire has always tried to make the program 
clear and easy to understand for users. I think it works for 
the vast majority of users. There is clearly a minority who 
make mistakes using the program, and those mistakes can have 
consequences more serious than I ever imagined. So we want to 
work to fix that. I mean, I am not a lawyer and I honestly 
can't tell you the legal answer to the question you asked.
    Mr. Issa. Well, I will tell you, and then I will return the 
balance of the time, but I would not be surprised that, not 
only on the part we are not talking about here today, which is 
all of the proprietary music and video that is being downloaded 
by people who may not have been properly warned by your 
software that they were violating copyright laws in essentially 
publishing this, but also in these people who feel they have 
been damaged.
    I would hope today that you are sincere in what you are 
telling us, that very quickly you are going to make each and 
every change and encourage your industry to, because with what 
we got in a quick scan it is not anecdotal. This is not once in 
a while. This is happening, I am going to guess, more often 
than not by your users.
    I yield back and thank the chairman.
    Thank you, Mr. Issa.
    Mr. Tierney.
    Mr. Tierney. Thank you, Mr. Chairman.
    I thank all of the witnesses for testifying here today. I 
think it is apparent to someone like myself, who is not all 
that computer savvy, that this is a problem that can affect 
every type of computer. It is important to families who could 
disclose financial information and other personal matters, 
families, businesses, and goes right on down the line. So is 
this a matter of people just carelessly using their computers, 
or does it go to even more sophisticated people who are 
experienced on this who have also been affected by it? Mr. 
Boback.
    Mr. Boback. Thank you for the question, sir. It is 
experienced users. It is not just careless users; however, 
careless users do play a role. It is also important to note 
that it is not only LimeWire, that Tiversa has evaluated over 
200 applications. LimeWire is just one of over 200, most of 
which are not U.S.-based and will not follow U.S. law. So I 
commend Mr. Gorton for coming forth today and doing that. 
However, the problem is widespread across the network. Again, 
it is not just the inexperienced user.
    Mr. Tierney. Mr. Gorton, do you share that perspective?
    Mr. Gorton. I have to say I am probably a little less 
informed on this issue, in some ways, than Mr. Boback, because 
he is searching the network looking for this stuff. He probably 
has a better grasp on that.
    I think I have always felt that it was inexperienced users 
who didn't know what they were doing; however, when you see 
documents coming from people who specialize in computer 
security about military documents, it really makes you think 
twice.
    My first job after grad school was working at Martin 
Marietta, where I worked with classified information. We had 
very tight protocols as to which computers you could use 
information on and who was allowed to use those computers. The 
fact that classified documents are ending up on home computers 
I think is a little disturbing and that is sort of a separate 
point. It is surprising to me that professionals in this field 
would do that sort of stuff.
    Mr. Tierney. I am going to ask a question. I would ask each 
member of the panel to answer briefly, if possible, from right 
to left. Can we legislate policies that will positively impact 
this situation? Or is there something different that Government 
agencies should do to protect at least the Government 
information? And how do consumers protect themselves?
    Maybe, Mr. Sydnor, we will start with you and move right 
along.
    Mr. Sydnor. Can this problem be legislated away? Probably 
not. As Mr. Boback indicated, there are peer-to-peer 
applications that have developed overseas. They are available 
over the Internet. Some of the developers are beyond the reach 
of U.S. law.
    Could legislation be part of a solution? Certainly. One of 
the problems that we documented in our report, the trouble with 
them is a lot of them were identified very, very clearly, 
spelled out specifically in the 2002 study that led to this 
committee's 2003 hearing, and those lessons have not been 
learned.
    Some of the problems that still exist in the programs are 
exactly the problems that are documented in that study. Self-
regulation certainly had a chance to work and has not been 
entirely effective.
    As far as how consumers can protect themselves, I believe 
Mr. Boback might be able to speak to that. In doing the study, 
we tried to look and think about, if you wanted to keep these 
programs off your home computer, what would you do. The short 
of it is we really did not think there were great answers that 
would be particularly accessible to a normal home computer 
user.
    So, for example, I do understand that this is a serious 
risk. Is there anything I can do at the moment to keep somebody 
from signing one of these on one of my computers? Not very 
effectively. If it try to use very lock-down settings on the 
firewall, it will not prove to be practical on a day-to-day 
basis.
    Mr. Tierney. I'd like to jump to Mr. Boback. I am sorry to 
interrupt, but I will skip all the others after saying I was 
going to ask everybody, but since you were mentioned, Mr. 
Boback, what do you think about that? What is a consumer to do?
    Mr. Boback. As we recognized this problem several years 
back, we started to extend our services that we provide to the 
largest corporations in the country. We wanted to try to 
develop a product that would protect consumers from this 
inadvertent issue. So we actually just launched a product that 
we call File Detector. What File Detector does is it causes an 
ink stamp of the drive, itself. In layman's terms, it causes a 
marker to be put in each individual file such that the user now 
cannot be duped. And when I say duped, I mean that with respect 
to Mr. Gorton. They cannot be tricked or an executable cannot 
be acted upon that computer that will allow a shared folder to 
be shared.
    So we constantly monitor the network, but if I can access 
your My Documents file, for example, if I can access that file 
that I put in there without seeing any other information that 
the individual has, then that system is now subject to 
inadvertent file sharing, so we are now offering that product, 
as well. We just started to offer that to consumers. It is an 
extension of our product to corporations.
    If I may, legislatively, the legislation should be enacted 
to protect this Government information, particularly on 
Government computers, particularly the classified information. 
That information can be scanned. We can provide it globally. 
Other systems can also look at this information, but we see the 
puzzle in its entirety rather than looking at a piece, which is 
why most corporations don't understand this problem. They make 
assessments and audits looking at one piece of a one thousand 
piece puzzle. We have the entire puzzle put together and can 
make very accurate assessments associated with it.
    Mr. Tierney. I yield back, Mr. Chairman.
    Chairman Waxman. Thank you, Mr. Tierney.
    Mr. Cooper.
    Mr. Cooper. Thank you, Mr. Chairman.
    The title of this hearing is Inadvertent File Sharing. It 
is important to remember that intentional file sharing is 
probably the backbone of this entire industry. In representing 
Nashville, TN, I probably have more victims of this theft of 
property than the representative of any other District, with 
the possible exception of the Los Angeles or New York areas.
    Mr. Gorton, you strike me as one of the most naive chairman 
or CEOs I have ever run across. As Mr. Sydnor pointed out, most 
of these problems were disclosed and available years ago. The 
FTC has brought some significant enforcement actions and 
succeeded, and yet--and I hope you don't have a family, because 
if you do some of your own personal information may have 
already been in danger, although you probably have taken 
appropriate defensive measures yourself, since you must be a 
software expert.
    But it strikes me as an odd situation where you essentially 
are in the business of making and distributing skeleton keys, 
and Mr. Boback will help everybody buy new locks, and then, 
with your business plan of remaining one step ahead of the law, 
then you will probably make and distribute burglar tools, and 
then Mr. Boback or someone else will further improve the locks. 
So we are going back and forth.
    You call for regulation, saying that Congress is the only 
entity with the power to step in here. I think it has already 
been established that there are hundreds of companies from 
outside U.S. borders that we do not have legal jurisdiction 
over, so it is going to take more than congressional 
enforcement, new laws, to try to solve this problem.
    If I were you--and obviously I am not--I would feel more 
than a shade of guilt at this point for having made the laptop 
a dangerous weapon against the security of the United States. 
The 9/11 Commission reported that the central failure was a 
failure of imagination. Mr. Gorton, you, in particular, seem to 
lack imagination for how your company and its product can be 
deliberately misused by evildoers against this country.
    Imagine someone downloading the material necessary to go 
after the President of the United States's daughters. You just 
didn't know.
    Members of this committee, as Mr. Issa has already pointed 
out, have been able to download, themselves, unbelievable 
information, and you didn't know.
    Well, I hope you care, because this is an abuse. The 
Internet is a shining, wonderful technology, and to have this 
pollution be so easily available--and remember, the business 
plan of many companies is to promote illegal copyright 
infringement. Today we are just talking about inadvertent use 
of peripheral problems.
    So it is such a shame that we are not using the productive 
minds of this country to have cleaner, better uses of this 
fantastic thing. I appreciate your bravery in being willing to 
testify today, but, as Mr. Issa pointed out, I would think you 
would be the target of multiple suits at this point, as you 
helped produce the skeleton keys, the enabling software, to do 
a lot of damage, including to the security of this Nation.
    I would be delighted, with my time remaining, to give you a 
response.
    Mr. Gorton. Well, I guess there are several points you made 
there.
    First of all, I absolutely want to do everything in my 
power to fight inadvertent file sharing. I am sorry to say that 
I didn't realize the scope of the problem. You say I lack 
imagination. Perhaps that is true. But this sort of series of 
events, I didn't have the imagination to imagine that computer 
security experts from the Government would be publishing their 
information publicly. But I do want to combat the problem and I 
do want to be part of the solution.
    As to the copyright infringement that you pointed out, 
copyright infringement is clearly a problem on peer-to-peer 
networks. The solution that I am advocating, which involves 
regulating the ISPs, is one that cannot be circumvented by 
foreign software makers, because every computer in the United 
States is connected to a domestic ISP. There is no such thing 
as a fly by-night ISP. They are all very large companies with 
large capital investments and wires in the ground and things 
like that. They are all subject to U.S. regulation.
    If it was the policy of the United States that those ISPs 
could not keep connected to their network computers engaged in 
illegal activity, then I think you would see that consumer 
behavior would change rather rapidly, because I think P2P is a 
great technology, and I am pleased a number of people here have 
said that. But clearly we have a way to go before the good 
parts of the technology stand alone without the bad parts 
standing so tall next to them.
    I want to come here, because I have thought a lot about 
this problem. Clearly, there have been previous solutions 
before. There has been action in the courts, and we have 
certainly had talks with media companies and things like that. 
Generally, in my talks with people who are performances engaged 
in this topic, I have found them not to have a sense that this 
is a solvable problem. Generally, most of the people I have met 
sort of feel like this is a hopeless problem, and it is not a 
hopeless problem. It can be solved. I would be happy to talk to 
anyone about that.
    I think I have laid out the bare bones of my ideas already.
    Chairman Waxman. Thank you, Mr. Cooper.
    Mr. Hodes.
    Mr. Hodes. Thank you, Mr. Chairman.
    This hearing has been particularly disturbing to me. I am 
not in the computer field. I have used computers a long time. I 
am now thankful that, although I have been involved in the 
media and entertainment industries, I am a dinosaur and I have 
not engaged in P2P file sharing, and so I am thanking my lucky 
starts that I simply haven't had the time to put myself at that 
kind of risk.
    Mr. Boback, would you comment on the suggestion that 
regulation of ISPs is the way to solve the problem we have been 
facing today?
    Mr. Boback. We looked at that as a solution as we found 
this early on, as well. One of the problems with implementing 
an ISP solution is that the amazing amount of traffic that has 
to go through these systems, if you were to put a hardware 
device at the ISP, that would create a choke point and 
information would have to be analyzed at the ISP. It would, in 
turn, slow down usage across the network, slow down.
    The reason why Mr. Gorton testified that users don't want 
that is because users want increased speed. They don't want 
decreased speed. They don't want the pictures to slowly load 
back to dial-up.
    Solving at the ISP is not--we want to solve it at data at 
rest, not data in transition, trying to catch it as it passes 
by on a freeway and snatch it off. We want to find it where it 
is at rest and keep it at rest, where it should be.
    Mr. Hodes. Ms. Engle, in 2005 the FTC staff concluded that 
P2P file sharing, like many other consumer technologies, is a 
``neutral technology which risks result largely from how 
individuals use the technology rather than being inherent in 
the technology, itself.'' I suppose, based on what we have 
heard today, compared to a time bomb, you are right. It is a 
neutral technology.
    Does what you have heard today change your view about the 
inherent risks in P2P networks? And does it give rise for you 
to an you thoughts about what you ought to be doing to help 
cure the issues we are discussing today?
    Ms. Engle. It is certainly true that P2P technology causes 
these substantial risks about sensitive data getting out. We 
have certainly seen that there is a lot that individuals and 
businesses and the Government can to do better secure their 
data.
    We have all heard about lost or stolen laptops, for 
example, that have left very widespread breaches. That having 
been said, the PTO report raises some very difficult, serious 
questions about the design of the technology which has not been 
previously brought to our attention, and we are looking at it 
very closely to see whether further FTC involvement in this 
area is appropriate.
    Mr. Hodes. Thank you.
    Mr. Mintz, because you are the CIO at a Government agency, 
I want to direct the next question to you. It sounds to me--and 
from some of the other hearings that I have been part of, for 
instance, I'm part of the Subcommittee on Information of this 
full committee--that Government agency protocols may not be 
adequate at least to begin to address the problems we have been 
facing today. Do you think that current Government agency 
protocols which are designed to prevent inadvertent P2P file 
sharing are in place? Do they need to be beefed up? If that is 
so, what is the touchstone? Where is the central place to go to 
make sure that, throughout the Federal Government, we are 
dealing with this at our agencies? Or is it a matter of 
legislation from Congress?
    Mr. Mintz. I would say that the place that I would look in 
terms that the biggest issue is--I think Congressman Davis 
talked about this--the FISMA report and making sure that this 
review process looks at this technology.
    In terms of policy, we have what we need. I am not saying 
we do it right, but we, in fact, have peer-to-peer policy in 
place. We have as policy you are not supposed to use it on any 
computer that has Government information on it.
    One of the challenges we have, particularly with people 
working at home so much, is that people don't always pay 
attention to it. So the question is: what is the kind of 
oversight that we have to put in place? And perhaps the 
oversight on us to make sure that we are really pushing the 
policy as opposed to just putting it on a piece of paper. But 
we have enough authority right now to take care of the network, 
in terms of our own networks and the employee use.
    Mr. Hodes. Thank you. I see my time has expired. Thank you, 
Mr. Chairman.
    Chairman Waxman. Thank you, Mr. Hodes.
    Mr. Welch.
    Mr. Welch. Thank you, Mr. Chairman.
    Mr. Boback, the sensitive national security information 
that you mentioned, General Clark testified to, that was picked 
up off of LimeWire?
    Mr. Boback. That was picked up off of multiple peer-to-peer 
applications, one of which was LimeWire, yes.
    Mr. Welch. OK. Mr. Gorton, do you have any knowledge about 
how much usage of LimeWire involves people getting sensitive 
national security information?
    Mr. Gorton. No. Most of what I know about that I have 
learned in this room today.
    Mr. Welch. How many subscribers do you have?
    Mr. Gorton. There are, on a monthly basis, about 50 million 
users of LimeWire.
    Mr. Welch. And what is the purpose for which most 
subscribers go to your site?
    Mr. Gorton. To share files.
    Mr. Welch. Well, I know that, but the nature of the files.
    Mr. Gorton. Most of them are media files.
    Mr. Welch. They are what?
    Mr. Gorton. Media files.
    Mr. Welch. Media as in music?
    Mr. Gorton. Music and video.
    Mr. Welch. And what percentage of your subscribers would be 
getting music files?
    Mr. Gorton. I don't have those numbers. I mean, the ones 
that Mr. Boback had earlier sound approximately right to me.
    Mr. Welch. Wait a minute. How long have you been in 
business?
    Mr. Gorton. LimeWire was started in 2000.
    Mr. Welch. And I assume that you do analytical work to 
determine how your business plan is working?
    Mr. Gorton. No. I mean, we don't do any analysis of what 
goes on on the network. We make a piece of software and we 
distribute it. So I have a general idea of what goes on on the 
network because I read the papers and I talk to people, but we 
don't have any analytical----
    Mr. Welch. It is not relevant to you why more people might 
be coming onto your system or less, depending on how your 
system is operating?
    Mr. Gorton. I mean, we make a great effort to make the 
LimeWire program easy to use and clear to understand so that 
our users have a positive experience.
    Mr. Welch. But I was looking for an answer to the question.
    Mr. Gorton. And what was the question?
    Mr. Welch. The question is: how many of your subscribers go 
on there for music?
    Mr. Gorton. I mean, like I said, I don't know specifically, 
but, you know, he said 38 percent of the files were MP3s. That 
sounds plausible to me.
    Mr. Welch. We have some data here that says in January 2005 
your market share was about 21 percent. This is people looking 
to get music downloads. Does that sound about right?
    Mr. Gorton. That is 21 percent of what?
    Mr. Welch. Households.
    Mr. Gorton. So 21 percent, that could be correct. Yes, that 
sounds----
    Mr. Welch. And it is now up to about 75 percent.
    Mr. Gorton. That sounds a bit high. I mean, 75 percent of 
households?
    Mr. Welch. That are looking for music downloads, get their 
music downloads through LimeWire.
    Mr. Gorton. I mean, LimeWire is the most popular file-
sharing application in America.
    Mr. Welch. Music file sharing?
    Mr. Gorton. Well, all types of file sharing. Music is a 
large use among that.
    Mr. Welch. Let's get to the point here. I mean, the main 
reason people go to LimeWire is to get music.
    Mr. Gorton. Certainly one of the biggest, yes. They also 
get videos.
    Mr. Welch. Is this a complicated question? Do they go there 
for music or----
    Mr. Gorton. Yes, they go there for music.
    Mr. Welch [continuing]. National security data?
    Mr. Gorton. Hopefully not for----
    Mr. Welch. What is so hard about this question? Is it 
national security or is it music?
    Mr. Gorton. The only thing that competes with music is 
video.
    Mr. Welch. All right. Are you familiar with the Grokster 
decision?
    Mr. Gorton. Yes.
    Mr. Welch. June 2005.
    Mr. Gorton. Yes.
    Mr. Welch. And you, I am sure, are aware that you went from 
about 22 percent, 23 percent, to 75 percent of market share 
after that, correct?
    Mr. Gorton. It actually happened before the decision.
    Mr. Welch. Started to go a little bit before. And do you 
know what happened? Some of your competitors are Imesh, 
BearShare, Kazaa, correct?
    Mr. Gorton. Yes, or used to be.
    Mr. Welch. All right. And, subsequent to the Grokster 
decision, they installed filters in their system, correct?
    Mr. Gorton. Yes.
    Mr. Welch. Making it impossible or very difficult for 
individuals who are seeking to get music, infringing without 
respecting the copyright, to do so, correct?
    Mr. Gorton. Yes.
    Mr. Welch. And have you installed the same type of filters 
at LimeWire?
    Mr. Gorton. Yes. At LimeWire we have built a filter that 
allows copyright holders to flag specific files as----
    Mr. Welch. I am going to ask you a favor.
    Mr. Gorton. OK.
    Mr. Welch. I am going to ask you to answer the question I 
asked----
    Mr. Gorton. Yes, we have a filter.
    Mr. Welch [continuing]. Not the question that you would 
like me to ask.
    Mr. Gorton. Yes, we have the filter.
    Mr. Welch. It is a little bit more. You have offered, if I 
understood your answer, to permit an individual, if I go on to 
LimeWire, to opt into the filter, correct?
    Mr. Gorton. Yes.
    Mr. Welch. And your competitors, they have installed a 
filter at the site; yes or no?
    Mr. Gorton. When you say site, I take it, I mean, the file-
sharing programs are not Web sites, so----
    Mr. Welch. They have a filter, so if I ask for a particular 
song it will be blocked when I go to BearShare or Imesh or 
Kazaa.
    Mr. Gorton. The functioning of the LimeWire filter is 
substantially similar to that of other file-sharing companies.
    Mr. Welch. But it is elective. I, the user, have to say I 
want that filter?
    Mr. Gorton. Yes.
    Mr. Welch. But the other competitors, after the Grokster 
decision, they have installed it so it is not an election, 
right?
    Mr. Gorton. Yes.
    Mr. Welch. All right. And that is a modest difference. If I 
am a person who wants to get music in violation of a copyright, 
and I am offered the opportunity to not get it when I go 
seeking it, most of the time I will probably ignore the offer 
that you have given me.
    Chairman Waxman. Mr. Welch, your time has expired.
    Mr. Welch. Mr. Chairman, I thank you. I just find that 
there is an interesting inter-connection between teenage music 
and national security.
    Chairman Waxman. Thank you.
    Mr. Yarmuth.
    Mr. Yarmuth. Thank you, Mr. Chairman.
    It occurs to me, Mr. Chairman, that after today's hearing 
we may have found an alternative to subpoenas in trying to get 
information from the administration that we haven't been able 
to get. [Laughter.]
    Mr. Sydnor, the PTO report design is long and detailed and 
very technical. I would like to cut through some of that and 
ask you a very simple question: do you think that users that 
download P2P software applications are being tricked into 
sharing files that they would not ordinarily share?
    Mr. Sydnor. Yes. They are inadvertently sharing files they 
do not intend to share. In the report we attempt to explain 
why, although the user does not intend that result, that result 
may have been intended by others. That is not a question we 
purport to be able to answer based on the publicly available 
data that we were able to review.
    But the short answer is yes, people are making catastrophic 
mistakes with these programs. Although we have focused today on 
perhaps the most high-profile incidents, it is all too 
important to note, as was just discussed, a lot of the files 
that are traded over these networks are copyrighted. If people 
are inadvertently sharing copyrighted files, they are violating 
the law and they are setting themselves up for an enforcement 
lawsuit.
    That is also a very important part of the problem, and 
people who do not want to be distributors of pirated goods on 
these networks should be able to make that choice and have it 
be very easy, and right now it is simply not.
    Mr. Yarmuth. Maybe the answer is obvious, but explain the 
benefits of tricking users in this way.
    Mr. Sydnor. Well, that was the question that sort of 
prompted us as we began working on the report, because it was 
just stunning to see that, after this committee's 2003 hearing, 
features that really are incredibly easy to misuse--you can go 
to an interface and use programs that looks like you are doing 
nothing except choosing a place to store files, like you are 
using the Save As button in Microsoft Word, and you end up 
sharing recursively all the folders on your computer. Very easy 
to make a catastrophic mistake.
    The problems were very well documented. This committee 
called additional attention to them. Yet, they persisted.
    That type of feature we found in four out of five programs 
that we looked at after this committee's hearing, after 
usability and privacy, and that led to the question why would 
anyone continue to do this.
    In trying to think about why someone might do this if they 
knew or really should have known that this was going to cause 
problems, why would you keep doing this?
    The only thing that we could see is that if people make 
mistakes with these--we call them share folder features--what 
they tend to do is they are trying to store files in a place 
that will be easy to find. They pick either root directory C or 
My Documents folder or maybe My Music. You pick any of those 
three. You pick your root directory, you share the whole hard 
drive. You pick My Documents, you will share all the data files 
you care about. You pick MyMusic, you will share all your 
entire collection of audio files that you may have ripped from 
lawfully purchased CDs.
    In each case, though, in addition to all your personal 
data, you will also share My Music. The access, as Mr. Gorton 
mentioned, to media files, there is also a My Media folder, 
subfolder of My Documents. That is driving traffic on these 
networks. That seemed to us to be a possible explanation for 
why this conduct continues. It would have catastrophic 
consequence for users, but it would also put more infringing 
files on the network.
    Thank you.
    Mr. Yarmuth. Thanks.
    Mr. Gorton, do you share Mr. Sydnor's analysis? Do you have 
another perspective?
    Mr. Gorton. Yes. I think my perspective is maybe a little 
bit more benign. I don't think there are sinister motives 
behind this. I mean, I can certainly speak for ourselves. I 
mean, we have been trying to build a program that is easy for 
consumers to use that allows them to share files.
    In the case of the root directories, the C directory, and 
the My Documents directory, LimeWire pops up a warning that 
says, you know, be careful, you could share confidential 
information, when they try and share those folders. So we 
recognize that this is a problem. We try and warn consumers.
    Clearly, some people are not paying attention to our 
warnings, and we need to do a better job of making it very, 
very, very difficult for users to accidentally share files. But 
I think there is a difference in opinion that probably has more 
to do with motive than the result.
    Chairman Waxman. The gentleman's time is expired.
    Mr. Sydnor. If I could clarify one point?
    Chairman Waxman. Yes.
    Mr. Sydnor. It is not accurate to say that if users share a 
sensitive file like My Documents or documents and settings that 
they will share all the files of all the users of the network, 
that they will get a warning indicating that they are doing 
something that could be dangerous. There are three different 
interfaces in LimeWire that can share folders.
    One of those, the most obvious, is, of course, the sharing 
interface. If the users happens to be in that interface and 
they happen to try to share a folder like documents and 
settings, they will receive a warning saying, this folder may 
contain sensitive information, do you want to share this 
folder? If they are in one of the other interfaces, they won't 
receive any warning. They won't receive that warning. So from 
the LimeWire library you can share documents and settings. You 
won't get a warning of any kind.
    The warning that they get doesn't provide them critical 
information, because it says, do you want to share this folder? 
I can look in My Documents and settings, and there is a 
documents and settings folder on my computer, there is no 
sensitive information in it. No sensitive files. But what I am 
not being told is I am not going to share just this folder; I 
am going to share all of the folders that are subfolders of it. 
This is a problem that was documented in the usability and 
privacy study that this committee highlighted in its 2003 
hearing, and it is still going on.
    Chairman Waxman. Thank you, Mr. Yarmuth.
    Ms. Watson.
    Ms. Watson. I want to thank you, Mr. Chairman, and all the 
witnesses. I know that as we create more and more higher 
technology, there is always a way to use that technology in a 
cynical way.
    I represent Hollywood, and we also have here in Congress a 
Protection of Intellectual Property Caucus, because, as you 
know, our creative works are every day taken and duplicated 
around the world. I am just fascinated when I go into a foreign 
country how our products are sold for such little money and the 
profit never gets back to the creators.
    So as we develop this technology so that peers can share 
with each other and it can be done quickly--you know, we are in 
a hurry in this country, and it is spreading around the globe. 
We want information immediately. We create holes and glitches. 
We saw the results of the computer codes where 19 million 
veterans' Social Security numbers were stolen. We saw 2.2 
million active duty military personnel information that was 
part of this data exposed; 1.1 million active duty military 
personnel had their names, Social Security numbers, and birth 
dates in this data base, and that was some way taken.
    So we have some real, real holes and glitches and problems 
that we must address. We have held hearings, and there is 
technology that can protect or can trace the artful products 
that are being duplicated illegally, but I throw this question 
out to all of you. You just might want to answer in a 20 or 30 
second clip.
    What do you know that we can do to protect this most 
sensitive data, to protect intellectual property? And what can 
we do for the future? Is the technology there to guarantee that 
the businesses in my District can protect their property so the 
creators then can enjoy the benefits of their work and so that 
those who are in the military, General Clark, can feel secure 
that their most vital information is protected? So can you just 
go down the line and tell me what you see needs to be done, 
starting with Attorney Sydnor.
    Mr. Sydnor. Thank you, Representative Watson. What can be 
done? Certainly I know that the content industries are working 
hard to find technological ways to both protect their content 
and exploit the opportunities that the Internet provides. 
Potentially, it could be a wonderful tool for both content 
creators and users of content.
    As someone who is more of a user than a creator, I think 
one of the important aspects of all that will be that we need 
to make sure that, as content is distributed over the Internet, 
it gets to consumers in ways that they are basically safe to 
use. That is a big part of this whole problem is, you know, 
right now, you know, it certainly is tragic to see, with the 
peer-to-peer file-sharing networks, really the first time 
copyright enforcement against end users. Hopefully, by more 
action by some of the middle, those sort of situations can be a 
thing of the past, I would hope.
    Ms. Watson. Thank you.
    Ms. Engle.
    Ms. Engle. Well, I am definitely not a technology expert 
and can't really offer views----
    Ms. Watson. But what do you think we need to do?
    Ms. Engle. Well, I think the kind of attention that this 
hearing is putting on this issue is extremely important. The 
more consumers and businesses and especially Government 
agencies know about this problem, the more they can take steps 
internally to prevent further breaches.
    On the side of intellectual property protection, setting 
aside for data security, I think we have seen the industry 
innovate on its own to make legal methods of downloading more 
available, and it is helping in that area.
    Ms. Watson. Thank you.
    Mr. Mintz.
    Mr. Mintz. I can't speak in terms of the consumer industry 
so much. In terms of the Government information, as I have 
said, I think the biggest focus we have is making sure that the 
policies and the technologies we have in place right now are 
followed and protected, and to become more aware of the fact 
that there is a lot of this kind of software, particularly in 
terms of the home use. I think the publicity, even the 
attention the committee puts on this, is very helpful. It has 
brought a lot more attention to the Department for these kinds 
of issues.
    I think you are faced with a big challenge, as a number of 
other members of the panel have talked about. A lot of this 
activity is international in scope, so the question is what do 
you do about that, also.
    Mr. Johnson. Education is the key right now. I am working 
with financial firms. They have been quite successful in 
educating consumers about phishing, and this is a case very 
similar to that.
    But one of the things I think that has to be thought of 
over and over again is that in this program case, when 
information is leaked it is out there, and the digital wind 
will carry it everywhere. It is very hard to get it back. It is 
a very different kind of concept than what we are used to, a 
physical piece of paper that we can go grab and bring back and 
put in the filing cabinet. Once that information is out there, 
it is going to be blown around and spread, and very, very hard 
to control.
    Mr. Gorton. I think there are two separate issues that you 
are talking about here. One is the release of classified 
information with inadvertent file sharing. Certainly LimeWire 
can be part of the solution by improving the functioning of our 
program. I also think companies like Tiversa can be part of 
this solution by providing technologies which allow notice and 
monitoring of the networks.
    On the front of copyright infringement, as I mentioned 
before, I think the ISPs need to be part of the solution. There 
are proven technologies out there that work. The USC and UCLA 
have policies in place, these warning systems that result in 
the disconnection of students' computers who continue to engage 
in copyright infringement. Those universities have succeeded in 
suppressing the problems of copyright infringement on their 
campuses, and I think we can use that successful model. That 
can be rolled out across the country so that it is not just a 
handful of universities that have successfully dealt with these 
problems, but can be the entire country and all the ISPs.
    General Clark. As far as classified information is 
concerned, I think the Government is aware of the right 
policies; that is, to keep file-sharing applications off 
Government computers and to separate the Government and 
personal computers. I don't think these policies are always 
enforced appropriately, and until now there is a lack of the 
ability to monitor through the peer-to-peer space to determine 
whether there are violations.
    What we detected with Tiversa's software is we have now got 
the capacity to monitor, and we can, to protect these from 
violations. So I think that, in addition to the separating 
Government and personal, preventing file-sharing applications, 
that you have to do some defensive monitoring of the peer-to-
peer space so that you know what is out there, you know if you 
had had any compromises of information. You can do the 
investigations and followup work to seal off that leak of 
information and to prevent it from happening again.
    Mr. Boback. And I echo the other speeches about the 
education being a first step. I also echo General Clark's 
thoughts as to the auditing of Government classified 
information.
    As far as the intellectual property issue for the media 
industry, that is something--I mean, my personal belief is that 
the media industry should look to work with the peer-to-peer to 
actually use that as a distribution method to find a way, as 
there are so many users, as Mr. Gorton has testified to. Its 
users are on the peer-to-peer. It would be more appropriate for 
them to figure out business models that act in conjunction with 
the peer-to-peer, rather than trying to just eliminate the 
peer-to-peer as a threat.
    I believe that legislation in the Supreme Court, while 
attempting to do just that, has not succeeded, and the peer-to-
peer has spread offshore. But if the media industry were to 
look to protect their content by including that as a 
distribution channel, very similarly to iTunes, looking to 
distribute in alternative methods, the peer-to-peer is a--I 
once read that there are over 14,000 movies made in Hollywood 
in your District each year, and less than 100 of those movies 
actually are profitable. The other 13,900 movies will never see 
the inside of a movie theater. It is not financially viable for 
them to distribute it in any other method. They can distribute 
this information, full-length videos, on the peer-to-peer. 
These artists could arrange, it is some work, no doubt. There 
are business models that need to start to look to distribute 
this information.
    Tiversa's original work was looking in that very angle 
until we found the massive security issues that existed and we 
said, you know, as U.S. citizens we need to address this issue 
before a functional, viable distribution method could be found 
for the media industry.
    I think that there is incredible opportunity for your 
District, particularly, to be able to distribute that 
additional 13,900 movies that are made each and every year and 
actually reap some revenue from that as the user demand goes 
up. There are 50 million, as Mr. Gorton testified to, users 
every month that are starving for content. They want this 
content. They have no access to it.
    One of our clients----
    Chairman Waxman. Mr. Boback, we are going to have to move 
on.
    Mr. Boback. I'm sorry.
    Chairman Waxman. Thank you, Ms. Watson.
    Mr. Clay.
    Mr. Clay. Thank you, Mr. Chairman.
    My questions are directed at Mr. Mintz. Mr. Mintz, in your 
testimony you described an inadvertent disclosure that occurred 
at the Transportation Department. A diligent, well-meaning 
employee was working on a home computer. Unbeknownst to her, a 
teenager sharing the family computer downloaded the LimeWire 
P2P file-sharing program. Next thing, the Government employee's 
work documents are all over the Internet and the employee is 
being called by a reporter.
    To confirm your statement here today, DOT has completed its 
forensic analysis of the employee's computer and no sensitive 
documents were compromised; is that correct?
    Mr. Mintz. Sensitive in the sense of classified, no. There 
was personally identifiable information. There was one piece of 
personal identifiable information from the Department of 
Defense, her own, and there was a small amount but there was 
some personally identifiable information from her previous job 
of approximately, I believe, six or seven people. That was 
available. We don't know if it was released, but it was 
available and it was sharable. Other than that, there was 
nothing. There were no classified documents.
    Mr. Clay. And that sensitive information----
    Mr. Mintz. No.
    Mr. Clay [continuing]. Has not shown up anywhere else?
    Mr. Mintz. No.
    Mr. Clay. OK. This example also illustrates the potential 
conflict between encouraging and promoting telework and the 
flexible workplace and data security that was exposed. Mr. 
Mintz, how do you balance the tension between telework and data 
security?
    Mr. Mintz. This is a big challenge. As a number of people 
here have said, the average person that is going to be using 
this is not necessarily computer literate or knowledgeable that 
we want to make use of, so one of the things we are doing is we 
are increasing the education process. We have already had a 
security leak. And we also have online training. We are 
increasing the training for that. Then the other activity we 
are doing is we are going to be moving more from desktop 
computers where the standard computer is a desktop computer 
that would always stay on a Government site, to a laptop 
computer, which is a Government-owned computer where we have 
encrypted it and we control the contents.
    So for those people who are actively involved in telework, 
they will be using Government-owned equipment. That will be 
done over a period of time.
    Mr. Clay. And you think that will be more secure than what 
is used now?
    Mr. Mintz. It will help. The reality is that at the end of 
the day you are always dependent on the procedures that people 
follow. A user could always work around any security 
environment. But we think it will make it more secure.
    Mr. Clay. In this case, Mr. Mintz, it appears that very 
few, if any, measures were taken to protect the employee's 
computer or the work product she produced. She is working from 
her home computer, which was shared with other members of her 
family over her own Internet connection; is that accurate?
    Mr. Mintz. Yes.
    Mr. Clay. And was this in compliance with DOT telework 
requirements?
    Mr. Mintz. Yes. The telework requirements were that she was 
not to keep personally identifiable information on a non-
Government-owned computer, and, except for her own, at least 
from the Department of Defense, she did not.
    She did make a mistake. We talk about that. When she left 
her previous employment, chances are she should have deleted 
that information. We have added that as a process at the 
Department, to remind people to do that.
    Mr. Clay. Does the Department need to revise its telework 
program?
    Mr. Mintz. We are going to have to enhance, at a minimum, 
the training, and we are going to have to give increased advice 
to employees as to how they set up their own personal computer. 
And, as I have said, we have to do a better job of auditing the 
process to make sure that people are reminded of the 
responsibilities. Just putting the policy in place is clearly 
not sufficient.
    We have set up a Tele-Work Committee led by the sponsorship 
of the Deputy Secretary to look at these issues. The IT CIO has 
a representative on there. My office has a representative on 
it. We are very active in looking at those policies, but we are 
going to have to re-look at all of them.
    Mr. Clay. Thank you for your responses.
    Mr. Chairman, I yield back.
    Chairman Waxman. Thank you very much, Mr. Clay.
    I want to thank the members of this panel, as well, for 
your presentations to us. I think it has been a very useful, 
helpful, constructive hearing, and I appreciate the Members 
asking so many probing questions.
    Clearly, this issue merits further review and closer 
analysis. Although most agree P2P technology has great 
potential in its present form, it appears to come with 
significant risks. We need to figure out if there is a way we 
can protect national, corporate, and individual security 
without hindering lawful innovation in this area. That is a 
challenge for all of us and we need to work together.
    That concludes our business today. The hearing stands 
adjourned. Thank you.
    [Whereupon, at 12:15 p.m., the committee was adjourned.]
    [Additional information submmitted for the hearing record 
follows:]

[GRAPHIC] [TIFF OMITTED] T0150.084

[GRAPHIC] [TIFF OMITTED] T0150.085

[GRAPHIC] [TIFF OMITTED] T0150.086

[GRAPHIC] [TIFF OMITTED] T0150.087

[GRAPHIC] [TIFF OMITTED] T0150.088

[GRAPHIC] [TIFF OMITTED] T0150.089

[GRAPHIC] [TIFF OMITTED] T0150.090

[GRAPHIC] [TIFF OMITTED] T0150.091

[GRAPHIC] [TIFF OMITTED] T0150.092

[GRAPHIC] [TIFF OMITTED] T0150.093

[GRAPHIC] [TIFF OMITTED] T0150.094

                                 
