[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]

 INADVERTENT FILE SHARING OVER PEER-TO-PEER NETWORKS: HOW IT ENDANGERS 
               CITIZENS AND JEOPARDIZES NATIONAL SECURITY

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 29, 2009

                               __________

                           Serial No. 111-25

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html
                      http://www.house.gov/reform

                  U.S. GOVERNMENT PRINTING OFFICE
54-009 PDF                WASHINGTON : 2009
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001

              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                   EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania      DARRELL E. ISSA, California
CAROLYN B. MALONEY, New York         DAN BURTON, Indiana
ELIJAH E. CUMMINGS, Maryland         JOHN M. McHUGH, New York
DENNIS J. KUCINICH, Ohio             JOHN L. MICA, Florida
JOHN F. TIERNEY, Massachusetts       MARK E. SOUDER, Indiana
WM. LACY CLAY, Missouri              JOHN J. DUNCAN, Jr., Tennessee
DIANE E. WATSON, California          MICHAEL R. TURNER, Ohio
STEPHEN F. LYNCH, Massachusetts      LYNN A. WESTMORELAND, Georgia
JIM COOPER, Tennessee                PATRICK T. McHENRY, North Carolina
GERALD E. CONNOLLY, Virginia         BRIAN P. BILBRAY, California
MIKE QUIGLEY, Illinois               JIM JORDAN, Ohio
MARCY KAPTUR, Ohio                   JEFF FLAKE, Arizona
ELEANOR HOLMES NORTON, District of   JEFF FORTENBERRY, Nebraska
    Columbia                         JASON CHAFFETZ, Utah
PATRICK J. KENNEDY, Rhode Island     AARON SCHOCK, Illinois
DANNY K. DAVIS, Illinois
CHRIS VAN HOLLEN, Maryland
HENRY CUELLAR, Texas
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
BILL FOSTER, Illinois
JACKIE SPEIER, California
STEVE DRIEHAUS, Ohio

                      Ron Stroman, Staff Director
                Michael McCarthy, Deputy Staff Director
                      Carla Hultberg, Chief Clerk
                  Larry Brady, Minority Staff Director

                            C O N T E N T S

                              ----------
Hearing held on July 29, 2009
Statement of:
    Boback, Robert, chief executive officer, Tiversa, Inc.; Mark
      Gorton, chairman, the Lime Group; and Tom Sydnor, senior
      fellow and director, Center for the Study of Digital
      Property, the Progress and Freedom Foundation
        Boback, Robert
        Gorton, Mark
        Sydnor, Tom
Letters, statements, etc., submitted for the record by:
    Boback, Robert, chief executive officer, Tiversa, Inc.,
      prepared statement of
    Connolly, Hon. Gerald E., a Representative in Congress from
      the State of Virginia, prepared statement of
    Gorton, Mark, chairman, the Lime Group, prepared statement of
    Issa, Hon. Darrell E., a Representative in Congress from the
      State of California:
        July 28, 2009, screenshots in HTML format
        Prepared statement of
    Sydnor, Tom, senior fellow and director, Center for the Study
      of Digital Property, the Progress and Freedom Foundation,
      prepared statement of
    Towns, Chairman Edolphus, a Representative in Congress from
      the State of New York, prepared statement of

 
 INADVERTENT FILE SHARING OVER PEER-TO-PEER NETWORKS: HOW IT ENDANGERS 
               CITIZENS AND JEOPARDIZES NATIONAL SECURITY

                              ----------                              


                        WEDNESDAY, JULY 29, 2009

                          House of Representatives,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10 a.m., in room 
2154, Rayburn House Office Building, Hon. Edolphus Towns 
(chairman of the committee) presiding.
    Present: Representatives Towns, Issa, Maloney, Cummings, 
Kucinich, Tierney, Watson, Connolly, Norton, Cuellar, Hodes, 
Welch, Foster, Duncan, and Bilbray.
    Staff present: John Arlington, chief counsel, 
investigations; Linda Good, deputy chief clerk; Neema Guliani, 
investigative counsel; Adam Hodge, deputy press secretary; 
Carla Hultberg, chief clerk; Marc Johnson and Ophelia Rivas, 
assistant clerks; Phyllis Love and Alex Wolf, professional 
staff members; Mike McCarthy, deputy staff director; Jesse 
McCollum, senior advisor; Amy Miller, special assistant; Steven 
Rangel, senior counsel; Julie Rones, counsel, full committee, 
health; Ron Stroman, staff director; Lawrence Brady, minority 
staff director; John Cuaderes, minority deputy staff director; 
Jennifer Safavian, minority chief counsel for oversight and 
investigations; Frederick Hill, minority director of 
communications; Dan Blankenburg, minority director of outreach 
and senior advisor; Adam Fromm, minority chief clerk and Member 
liaison; Kurt Bardella, minority press secretary; Stephen 
Castor, minority senior counsel; and Mark Marin and John Ohly, 
minority professional staff members.
    Chairman Towns. The committee will come to order. Good 
morning and thank you all for being here.
    Imagine for a moment that you had special software on your 
computer that exposed many of the files on your hard drive to 
searches by other people. Any time your computer is connected 
to the Internet, other computer users with similar software can 
simply search your hard drive and copy unprotected files. 
Unfortunately, that is the sad reality for many unsuspecting 
computer users.
    Peer-to-peer file sharing software like LimeWire works in 
just that way. Most people who use peer-to-peer software do it 
to download music and movies over the Internet. Most people who 
use it are totally unaware that they may expose some of the 
most private files on their computers to being downloaded by 
others.
    Nine years ago this committee first held a hearing that 
revealed that Government, commercial, and private information 
was being stolen by peer-to-peer file sharing networks without 
knowledge of the users. In response to congressional pressure, 
the file sharing software industry agreed to regulate itself, 
implementing a code of conduct to address inadvertent file 
sharing. The efforts failed.
    Two years ago at our July 24, 2007 hearing, LimeWire's CEO 
Mark Gorton expressed surprise that sensitive personal 
information was available through LimeWire. He pledged to 
address the problem. That effort failed.
    Over the last year alone, there have been several reports 
of major security and privacy breaches involving LimeWire. 
Information about avionics for the President's Marine One 
helicopter and financial information belonging to Supreme Court 
Justice Stephen Breyer were leaked on LimeWire. LimeWire does 
not deny those reports but claims that recent changes to the 
software prevent inadvertent file sharing.
    To investigate LimeWire's assertion, the committee staff 
downloaded and explored LimeWire's software. The staff found 
copyrighted music and movies, Federal tax returns, Government 
files, medical records, and many other sensitive documents on 
the LimeWire network. Security experts from Tiversa found major 
problems. Specific examples of recent LimeWire leaks ranged 
from appalling to shocking.
    The Social Security numbers and family information for 
every Master Sergeant in the Army have been found on LimeWire. 
The medical records of some 24,000 patients of a Texas hospital 
were inadvertently released. Most of the files are still 
available on LimeWire. FBI files, including civilian 
photographs of an alleged mafia hit man, were leaked while he 
was on trial and before he was convicted. We were astonished to 
discover that a security breach involving the Secret Service 
resulted in the leak of a file on LimeWire containing a safe 
house location for the First Family.
    As far as I am concerned, the days of self regulation 
should be over for the file sharing industry. In the last 
administration, the Federal Trade Commission took a see-no-evil, 
hear-no-evil approach to the file sharing software industry. 
I hope the new administration is revisiting that approach. I 
hope to work with them on how to better protect the privacy of 
consumers.
    Today I look forward to hearing from our witnesses on the 
impact of peer-to-peer file sharing, and particularly how 
LimeWire proposes to help remedy the problems caused by its 
software.
    I now yield 5 minutes to the ranking member, Congressman 
Darrell Issa of California.
    [The prepared statement of Chairman Edolphus Towns 
follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Issa. Thank you, Mr. Chairman. I think, as both of us 
are saying in various ways, today is clearly deja vu all over 
again.
    Two years ago in July 2007, this committee brought to light 
in a vivid but altogether too easy to demonstrate demonstration 
that, by design or at least with knowledge and allowance, 
unwitting sharing of personal information over this peer-to-
peer network was not just going on but was well known and going 
on in a rampant way. I remember all too well the details of the 
documents, including Social Security numbers, of a soldier and 
his colleagues with the 101st Airborne. Those Social Security 
numbers were there for everyone along with name, rank, date and 
place of birth, and anything and everything one would need to 
capture his identity and those of his colleagues.
    It is very clear that little has changed. In preparation 
for this hearing we noted that there was a brand new version, a 
version that at least went part of the way toward protecting 
the inadvertent loss of documents. But I say part of the way 
because, as you can imagine, in the world of the Internet we 
assume that you are protected unless you give up those 
protections. That is not true of this software.
    This software required essentially that for copyrighted 
works you opt into protecting the software rather than having 
to knowingly make copyrighted software available. You don't 
simply check and never again have to worry about your copy or 
someone else's copyrighted software being available to 
everyone.
    The committee's jurisdiction and the committee's primary 
interest today are contained on this disk and could be 
contained on thousands like it. These are zip files of names, 
addresses, Social Security numbers, and income tax returns from 
California once again showing that today, loading the current 
software--I should more accurately say yesterday--my staff, 
never having worked it before and with a brand new computer, 
downloaded the latest software and went sight seeing to find 
exactly what you might find. An engineer who only made about 
$37,000 took a standard deduction. In fact, his information, 
all of it, is available.
    Mr. Chairman, identity theft should be at the heart of our 
concern. I am personally on the Judiciary Committee and am 
concerned about the copyrighted software, about the hundreds of 
thousands and hundreds of millions of dollars that are being 
stolen through peer-to-peer transaction. But I think that when 
we look at the most important thing for the American people is 
to close once and for all in no uncertain terms the loophole 
that allows people's individual and sensitive information, 
company information, and employee information to be 
inadvertently and thoroughly dispersed in a way that leads 
without a doubt to PayPal registration, to MasterCard 
registration, and to the ruining of credit and lives.
    Mr. Chairman, there is no question that we have come not 
far enough in 2 years. I know that this hearing will shed more 
light on it. But I will tell you that this disk, Mr. Chairman, 
to me represents a referral to the AG and a referral to 
California's Attorney General if we cannot be satisfied in no 
uncertain terms that we have reached the end of this kind of 
activity. Otherwise, as we say too often on this committee but 
appropriately here, if you condone, allow, and induce this to 
happen, you are guilty of cooperation and participation in 
every criminal act that flows from the discovery of that 
information.
    Mr. Chairman, I ask unanimous consent to have the rest of 
my opening statement placed in the record. I yield back the 
balance of my time.
    [The prepared statement of Hon. Darrell E. Issa follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman Towns. Without objection, so ordered.
    It is the longstanding policy that we swear in all of our 
witnesses. Will you please stand and raise your right hands?
    [Witnesses sworn.]
    Chairman Towns. You may be seated. Let the record reflect 
that the witnesses answered in the affirmative.
    Mr. Robert Boback is the Chief Executive Officer of 
Tiversa, Inc. Mr. Boback will conduct a demonstration of the 
dangerous uses and activities of LimeWire that Tiversa has 
uncovered through monitoring technology and work with the 
Federal Bureau of Investigation.
    Let me welcome you, Mr. Boback. We are now prepared to hear 
your testimony.

STATEMENTS OF ROBERT BOBACK, CHIEF EXECUTIVE OFFICER, TIVERSA, 
 INC.; MARK GORTON, CHAIRMAN, THE LIME GROUP; AND TOM SYDNOR, 
  SENIOR FELLOW AND DIRECTOR, CENTER FOR THE STUDY OF DIGITAL 
         PROPERTY, THE PROGRESS AND FREEDOM FOUNDATION

                   STATEMENT OF ROBERT BOBACK

    Mr. Boback. Thank you, Chairman Towns, Ranking Member Issa, 
and distinguished members of this committee for the opportunity 
to testify here today. As the chairman mentioned, my name is 
Robert Boback and I am the CEO of Tiversa.
    What we are about to show you is information that is 
current. This is all within the last few months, disclosures 
that have not been publicly released, so this information you 
most likely haven't seen prior.
    As Ranking Member Issa points out, identity theft is going 
to be at the core of this. You will see that, despite the 
regulations around identity theft, the FTC has not addressed 
this fully. In fact, peer-to-peer is not even mentioned on the 
identity theft Web site of the FTC for the 9 million victims. 
You will find that this is where identity theft is occurring. 
This is the harvest ground.
    This is why your consumers will say they do not know where 
or how identity theft happened. We are going to show you a 
demonstration of just that fact. It affects every district. 
There are millions and millions of individuals that are 
affected.
    If we could start through the demonstration, we are going 
to highlight this in a number of issues. The first one, of 
course, is the national security implication, of which there 
are many. What we are starting here, these are just excerpts 
from some of the files. They have been redacted. These are all 
military troops, hundreds of thousands of troops' Social 
Security numbers, different rosters, different information from 
around the world with their next of kin, their children's 
names, their Social Security numbers, and their dates of birth, 
as Ranking Member Issa pointed out. Again, it goes on and on 
and on. These are all current. They are still all available, by 
the way, on the peer-to-peer.
    If we could go on to the next one, as pointed out in the 
opening statement of the chairman, this is the safe house route 
for the U.S. Secret Service when they have to evacuate the 
First Lady in this case. This is found on the peer-to-peer. 
This is the location. I don't know how much the U.S. Government 
spends in preparing a safe house location but I presume it is 
pretty expensive. All of that is lost based on this information 
being disclosed.
    Now the safe house has to be moved. The locations have to 
be moved. We of course redacted all of this in order to protect 
what is left of the security of this. Some of the other 
information is the motorcade route.
    The next one, Sam? As you can see, this was a breach just 
as of yesterday. We found this yesterday but you can see the 
date, July 5, 2009. This is the entirety of the U.S. nuclear 
information, all of our facilities, everything. This is from 
the United States. This is from the President with the 
President's information listed on here, every nuclear facility 
and all the secure, highly confidential information. As you can 
read on the top, it says ``highly confidential, safeguard 
sensitive.'' This is every nuclear agency, every facility.
    The problem is that we found this in France, in four 
locations in France, not in the United States. Other countries 
know how to access this information and they are accessing this 
information. This was, you can see the date.
    If we push on to the next slide, this was the cover letter 
on it, right from the President of the United States with 
Barack Obama's signature at the end, with his writing at the 
end. This is not even subject to a FOIA request. You couldn't 
get this information on a Freedom of Information Act. You can, 
however, access it on the peer-to-peer in free open text. It 
just doesn't make sense.
    Switching over to another issue, again, identity theft, 
medical identity theft is hugely on the rise. People understand 
that they are looking for credit card information. I get that. 
But I don't look at my explanation of benefits from my 
insurance provider like I look at my credit card statement. I 
will tell you that you should because the identity thieves 
will. A medical insurance card is like a Visa card with a 
million dollar spending limit. They will buy online drugs, 
OxyContin, Viagra, and by the time you go to the doctor next 
time, all of a sudden the doctor has you listed as an OxyContin 
addict when you have never taken it in your life. This is the 
problem.
    This information has come out of a hospital, as you 
mentioned, in a southern State. Individuals will say, ``I don't 
even use peer-to-peer; I have never downloaded a thing so I am 
safe, right?'' Well, have you ever been to the emergency room? 
You just might not be safe. That is exactly what happened to 
these 20-some-thousand individuals. All they did was go to the 
doctor. They provided their information--as they should--to 
their facility for the insurance billing. At the billing 
company someone was listening to music while they were typing 
in their data entries and what ended up happening is that 
24,000 victims are affected.
    In this specific case we informed the company. This 
actually was the only one that occurred over a year ago. It 
occurred over a year ago and through our client, which was a 
large insurance carrier, we told the hospital that this was 
disclosed. Unfortunately, they said it is not their problem. It 
is not their problem. They don't want to go out publicly and 
say that they disclosed 24,000 individuals.
    There is a House bill, H.R. 2221. H.R. 2221 provides 
for a national breach notification. It is long overdue. Forty-
one of the 50 States have breach notification laws and they 
vary in their severity. This hospital is a clear case. The 
State of Texas does have a breach notification law and this 
hospital is in direct violation of it. They have known about 
this for over a year. They haven't even told these victims that 
they are victims, so these people have been the victims of 
identity theft.
    The hospital was clearly negligent for handling this 
information in the way that they have but this is what you see. 
This is the pattern. No one wants to say, gosh, I had a data 
breach and it is my responsibility to address it. So there 
needs to be legislation in order to force companies to do the 
right thing. You would hope that they would do it without the 
pressing.
    Back up one, Sam, please. This is a Midwest-based HIV 
clinic with people's most sensitive information. These are AIDS 
victims, 184 patients, who are now victims of identity theft. 
The clinic released their information and has not addressed it. 
This information is still out there.
    This is everything you need as an identity thief. Why would 
you ever dive in a dumpster, which the FTC calls out as the No. 
1 reason where people get it? I can get 184 just from this one 
file and thousands from the other files.
    As we continue on, we have a major pharmaceutical company, 
information on all of their research. It has everyone and where 
they are going.
    It affects even the most robust security measures, which is 
what we are seeing. All of these companies have firewalls, 
anti-virus, intrusion detection, intrusion prevention, and 
encryption. Yet where is the security? There isn't any. They 
don't address it because the awareness isn't there. They say 
they don't allow downloading of peer-to-peer or that is a 
recording industry problem. No. In fact, it is their problem. 
Companies need to do this. Just as when anti-virus started out, 
it was unheard of at the beginning and then it evolved. That is 
how security and technology evolves.
    This information is out. If you have ever gone to a doctor, 
your complete patient records, everything, your SOAP notes, if 
you will, are all out there as well. Continuing on, there is 
behavioral health information, again, all with Social Security 
numbers. Everything we are showing you is a Social Security 
number in here.
    Continue on. This is one. If you have ever gone to the drug 
store and were buying Sudafed, you are required to give your 
driver's license information because they keep track of that 
for methamphetamine labs. The problem, though, remains that you 
now gave your driver's license information to buy Sudafed 
because you had a cold and now you could be the victim of 
identity theft around the Nation because that information may 
or may not have been secured. If it is not secured, as this one 
wasn't, you are now exposed. You are exposed forever. They may 
not even tell you when they find out. There is a serious issue.
    Then, moving on from there, here is an interesting example 
for corporations nationwide. This is an enormous organization 
that all of you have heard of. Unfortunately, we can't give the 
name in an open environment because this is a publicly traded 
company that is very well known in the Fortune 500. This 
individual is an M&A executive, the mergers and acquisitions 
executive that handles all of the M&A activity for the 
organization.
    In doing that, they were using peer-to-peer and exposed a 
file called a PST file. A PST file is your archive of your 
emails. It is you. Imagine someone being able to open up your 
Outlook and read every email that you sent, open every 
attachment, and also open your calendar to see what conference 
calls you have, the dialing numbers, and the pass codes. That, 
in fact, is what happened in this case.
    I am sure that the SEC would have an interest in looking at 
companies that do this and have this information. Not only are 
the emails on there but they also have the attachments of every 
acquisition that this company is going to make and the ranges 
of which they are willing to pay for these. As the next slide 
will show, it also has the financial information all the way 
listed through the third quarter, as you can see, third quarter 
2009.
    Now, if you were an investor, there is market manipulation 
that could happen from here because you know the internal 
financials of what the company is going to do for the next 3 
months or 6 months. I know what the stock is going to do 
because I see your financials. This information has to be 
protected. Again, they use state-of-the-art protection and 
spend millions of dollars on their security, yet this is still 
a problem.
    Going forward, there are other financial institutions with 
thousands, 5,000 entries of client information, of exposures on 
mortgage information. Here on the next file there are 12,000 
credit card numbers. Again, this is identity theft.
    Continuing on, as the chairman mentioned, these are photos, 
and we have redacted the photos to protect this, the organized 
crime case that we were talking about. These are their 
surveillance photos of an organized crime. This is a murder 
trial. These photos were disclosed while the trial was in 
process. There was no conviction before this. Who disclosed 
them, we still haven't investigated yet. But this was just 
found. Literally, the individual in the photos here is actually 
behind bars now on a life sentence. But this was disclosed 
while he was on trial.
    On the right hand side, Sam, could you jump up one? 
Obviously, in an organized crime case you don't want to 
disclose the Government witness list for obvious reasons. As 
you can see on the right hand side, we blurred it out so that 
you can't see the names, that is the entire confidential 
Government witness list in an organized crime case. Many of 
these people are in the Witness Protection Program. There is 
their information. This is not what you want to have out there.
    The next slide as we continue on, as Ranking Member Issa 
mentioned, there are tax returns from all over Brooklyn, 
Arizona, Massachusetts, Maryland, and Vermont. We could have 
gone on through all 50 States and had thousands of them from 
any 1 of these 50 States. This is where identity theft is 
happening. It is not out there; this is where it is happening. 
If you have been the victim of identity theft and you didn't 
lose your purse or wallet, think peer-to-peer because that is 
where it happened.
    As we go on, Sam, we are going to show a video. We are not 
on that one yet. We are going to do the tax return video. I 
want to show you using LimeWire. Tiversa has technology that 
allows us to see the entire network. We are going to use 
LimeWire. We did a LimeWire video here just to show you how 
easy it is for individuals to gain access to tax return 
information.
    Using LimeWire Pro here, we typed in ``tax return.'' There 
are five connections that you are connected to. We use this 
because people say you have fancy technology and that is the 
only reason you can gain access to this. No, it is not. He 
typed in ``tax return.'' There are only five connections so it 
is not even widely connected. As you can see, it is small on 
the screen, there are just hundreds of tax returns coming in. 
This is not using our technology. So, as you can see, it is 
this simple. This is in real time so you could click on any of 
those tax returns. That function used was a ``browse host'' 
function. Again, this software is still out there.
    Download the tax return and literally within minutes, as 
you are going to see here, it is downloading a couple of tax 
returns. We are going to show you just how easy this is as this 
loads in. Here they are coming in at the bottom there. As we 
click on those, you are going to see that this individual used 
H&R Block. It is not a problem with H&R Block. That is just who 
they used. They saved a copy of it.
    That person used TurboTax. As you can see, there is their 
Social Security number. There are their children's Social 
Security numbers. It is that simple. Why would you ever 
dumpster dive? It is right there. That is not our technology; 
that is theirs. It is that information.
    Sam, switching to information concentrator, we will show 
you that individuals do this. We call them information 
concentrators or identity thieves. This individual right here 
is an individual in Arizona. If you could see all the files 
that they have, this individual does exactly what I just showed 
you. He is collecting tax return files to sell them on the 
black market. We are working with the FBI to address this right 
now.
    This is an investigation here. This individual has 1,800 
files, if you can see with how small that is. He is just 
scrolling through all of those tax returns. All of those 
victims are identity theft victims. They are all going to be 
victims of identity theft if they haven't been already.
    Many have already been victims of identity theft. But my 
Social Security number has been my Social Security number for 
38 years and it will continue to be. So if someone has mine 
maybe they will wait a year or 2 years. Then they will do a 
thing like file my tax return for me. Yes, that is right. That 
is the new identity theft. I will file your tax return for you 
in January.
    In January, I will steal your return because no amount of 
monitoring, nothing is going to stop me. I will take the 
return. The U.S. Government, the Treasury pays that money. In 
working with the IRS, they told us that is $20 billion a year 
in cost to the U.S. Treasury, $20 billion a year of individuals 
filing someone else's tax return and stealing the refund. This 
is what is going down and this is how it is happening. This is 
how they gain access to the information.
    Again, just to close it all up, I am showing the Eagle 
Vision, our software. I am going to show you our software 
running here. It actually hits even closer to home as a parent 
of three daughters. These are, we can't even show this all 
because of the nature of it. This is our software running live 
right now. Every one of those little blips along the bottom 
there, those red little blips on the screen, every one of those 
is an individual that is either a child predator or child 
pornographer.
    That is happening live right now, taking information, child 
pornography. That is only child pornography. Here is a 
4-year-old, a 5-year-old. You can see the searches as they go by. 
These are individual searches happening right now. This is live 
right this second. All of those little red blips, every one of 
those was a child pornographer. This is felony possession, 5 
years. You can't even possess it but they are not afraid on 
peer-to-peer because they know security can't catch them. So 
this is what is happening.
    Behind that, Sam, flip to the screen. This individual, we 
had to black it but this is a famous NASCAR driver. He is very 
well known. That is why I didn't want to show his face. That is 
an innocent picture of him with his son. There is nothing wrong 
with this. We found this picture in an investigation with the 
FBI in the hands of a child pornographer.
    Here is what they do. They take your picture which you may 
have on your computer and they will take it off of your 
computer. They will put that innocent little boy, the son of 
the NASCAR driver, in amongst the pictures of indecent 
pictures. What it will do is it will make law enforcement think 
that it is that person. They will only show midsections of the 
indecent pictures but once they show a face, obviously law 
enforcement is going to deduce that is the face of the victim. 
And in an effort to try to find the victim, it actually turns 
you the wrong direction.
    Imagine if this NASCAR driver were a potential victim in a 
sexually explicit case. It could ruin his career and he didn't 
do anything wrong. His daughter downloaded a peer-to-peer 
client, had it on her system, and she had a picture of her dad 
and her brother. That is nothing bad, but this is what happens.
    In closing, I would like to say that clearly there is a 
problem. There are a number of recommendations. Obviously a 
number of Government agencies are disclosing information across 
the board. Why are they not monitoring for this information? 
This would be like a bank shutting off the security cameras and 
saying the vault is safe enough so I don't need to worry about 
watching it. It doesn't make sense. All Government agencies 
should monitor for this information. You can't disclose this. 
We can't be the victim.
    These military individuals were disclosed by the military. 
You can't have that. We saw the press that it got when the body 
armor wasn't approved. Imagine these troops fighting. They are 
trying to stay off of an IED. They don't want to check their 
credit. They are not doing that. They are coming home and they 
are being victims of identity theft. We can't have that happen.
    There is legislation with H.R. 2221 that should be out 
there to give the FTC power to do this. As of now, they don't 
have the extensive power that they need. The DSS, the Defense 
Security Service, should look for the defense contractors that 
are disclosing information. The SEC should look and the FTC 
should also be engaged in changing their Web site to do that.
    I apologize. I know I was over time. Sir, I will yield 
back.
    [The prepared statement of Mr. Boback follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    
    Chairman Towns. Thank you very much, Mr. Boback.
    Mr. Gorton is the chairman of Lime Group and founder of the 
world's most popular peer-to-peer software called LimeWire. Mr. 
Gorton, I will give you 10 minutes to respond.

                    STATEMENT OF MARK GORTON

    Mr. Gorton. Thank you, Chairman Towns and Ranking Member 
Issa. My name is Mark Gorton and I am the founder and chairman 
of LimeWire, LLC.
    I am happy to be able to report that since the July 24, 
2003 hearing on inadvertent file sharing, LimeWire has made 
great progress in addressing inadvertent file sharing. With the 
most recent versions of the LimeWire application, the problem 
of inadvertent file sharing for current LimeWire users has been 
eliminated. The LimeWire team has put a huge amount of effort 
into resolving this problem. We have redesigned and re-
engineered the entire user interface for the application. This 
has been a large task and our efforts have proved worthwhile.
    The current version of LimeWire does not share any 
documents by default. In order for a LimeWire user to change 
their default settings to enable document sharing, they have to 
click nine times and disregard three warnings. Even then, if a 
user shares a folder, LimeWire will not share the documents in 
that folder.
    In LimeWire 5 there are no shared folders, meaning that if 
a user elects to share a folder, they are only electing to 
share the contents of that folder at that particular time. 
Nothing will be shared that a user adds to that folder at a 
later point in time. All LimeWire versions 5 and above 
automatically unshare documents that a user may have shared 
using an earlier version of LimeWire 4.
    I am confident that with the recent versions of LimeWire 
all sharing is intentional sharing. From the vast improvements 
that LimeWire has made on the front of inadvertent file 
sharing, I hope that the members of this committee can see that 
LimeWire is sincere and dedicated to working with this 
committee. In addition to this committee, LimeWire has 
successfully worked with the FBI, the New York State Attorney 
General's Office, and the FTC on a range of issues surrounding 
P2P file sharing.
    Unfortunately, the popular perception of LimeWire regarding 
inadvertent file sharing fails to match LimeWire's excellent 
record in addressing these problems. A good part of this 
misperception is due to the highly inaccurate and misleading 
report produced by Tom Sydnor of the Progress and Freedom 
Foundation. Mr. Sydnor's report is deceptive and filled with 
factual errors and misleading statements. The number of issues 
with Mr. Sydnor's report is too large for me to cover in my 
summary statement so, for the benefit of this committee, I have 
submitted a detailed critique of Mr. Sydnor's report in my 
written statement.
    It is probably worth me going a little bit into the 
technical details of how file sharing networks work so that 
people can understand the relationship of LimeWire to the file 
sharing networks in the world. LimeWire the application speaks 
a protocol called Gnutella. There are many common Internet 
protocols. There are the email protocols, the World Wide Web 
protocols, and FTP protocols. Using these open protocols, many 
applications that speak these protocols are capable of 
communicating with each other. So by using LimeWire, you are 
capable of communicating with dozens of applications that speak 
compatible protocols.
    When you do a search with LimeWire, you are not just 
talking to other LimeWire programs in the world. You are 
talking to dozens of other different types of programs, most of 
which are produced outside of the United States. So it is 
important to keep in mind that even though you might actually 
be using LimeWire, the results that you get with LimeWire don't 
necessarily come from another LimeWire client. It is somewhat 
analogous to the World Wide Web. You have Internet Explorer, 
you have Safari, and you have Firefox. Using each of those 
applications you can access a Web site, but the Web site that 
is being seen may not have anything to do with those particular 
applications.
    It is certainly true that in the past LimeWire has had 
issues with inadvertent file sharing. We have worked very hard 
to address those issues. I would like to point out that while 
using the recent versions of LimeWire it would have been very 
difficult for any individual to share any of the documents that 
Mr. Boback has shown us recently.
    I do understand that inadvertent file sharing is a problem 
in this world. LimeWire is committed to helping address it. But 
LimeWire is one company in a field where there are hundreds of 
P2P applications in this world. We are doing our best to set a 
standard that we hope other file sharing companies can follow. 
But most of these creators of file sharing applications are not 
based in the United States. They may not even be corporations. 
So I think it is important for the committee to understand when 
they are considering regulations in this regard the somewhat 
complicated nature of peer-to-peer networks in the world.
    In addition to inadvertent file sharing, there are a couple 
of other issues that I would like to at least cover in my 
opening statement and potentially in the question period. I 
would like to point out that LimeWire has been working to build 
a collaborative relationship with the recording industry. 
LimeWire has built a store for digital media at 
store.limewire.com which currently has over 3.5 million MP3s 
available for purchase. In addition, LimeWire is actively 
building an advertising solution to allow participating content 
holders to profit from advertising related to their media.
    Many of the very most senior people in the music industry 
support working constructively with LimeWire but building an 
industry-wide consensus on a policy change regarding P2P has 
been a slow and grueling process. After many meetings with 
record industry executives, I am convinced that the industry 
recognizes the benefits of embracing P2P in order to stay 
relevant going forward.
    I would also like to take this opportunity to discuss the 
current regulatory environment surrounding copyright and the 
Internet. The history of copyright regulation is one where new 
technologies have created issues for the old regulatory system. 
Then the new regulatory system was updated to take into account 
the abilities of these new technologies. The Internet has 
transformed media distribution and consumption, yet copyright 
regulation is yet to be updated to account for the new 
capabilities of digital technologies. The current lack of 
practical copyright enforcement mechanisms has put the 
recording industry in the unfortunate position of being pitted 
against its customers and technology companies.
    As a technologist, I have a good sense of the range of 
technical possibilities available to regulators as they 
consider updating regulations surrounding the Internet. The 
Internet is not un-policeable. With determined targeted 
regulation, almost any level of control of the Internet is 
possible. As Mr. Boback has shown, technology can play a role 
in this. The fact is, using and leveraging technology, law 
enforcement officials can with one person monitor millions and 
millions of computers. A lot of the behavior that is currently 
going on, with a little bit of technology, probably can be 
remedied fairly quickly. I think law enforcement has been a 
little bit behind the curve in using technology to police the 
Internet.
    In addition to simply law enforcement, it is also worth 
keeping in mind on the judiciary side that currently the 
procedural overhead in dealing with crime that occurs on the 
Internet is very time consuming and difficult to address. I am 
sure Mr. Boback can testify to that in terms of what it takes 
to contact the FBI, to get files taken down, and things like 
that. It is possible to set up enforcement mechanisms that are 
nearly automated. If we were to have a proper enforcement 
regime out there, it would be possible to simply address many 
of these problems.
    I think it is very important to keep in mind the need to 
address the problems at the root point of control. Every 
computer on the Internet is connected through an Internet 
service provider. That is a unique point of control for that 
single computer. That Internet service provider can cut off 
access to the offending computer. I understand that when 
addressing these issues LimeWire is the superficial interface 
to all of these problems.
    As you are well aware, LimeWire is now the most popular 
peer-to-peer file sharing application. It hasn't always been 
that way. There is a list of file sharing applications that 
have come before LimeWire. Certainly there were Napster, Kazaa, 
Morpheus, BearShare, and iMesh. There is quite a long list. 
Most of the regulatory efforts, or perhaps prosecutorial 
efforts, on the part of the recording industry have focused on 
file sharing applications.
    But those file sharing applications are by no means a 
unique point of control. Consumers have the ability to switch 
between them very, very simply. So I think when people are 
considering regulation, it is very important to consider the 
effects of that regulation.
    Thank you.
    [The prepared statement of Mr. Gorton follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    
    Chairman Towns. Thank you very much, Mr. Gorton.
    Mr. Sydnor is senior fellow and director of the Center for 
the Study of Digital Property at the Progress and Freedom 
Foundation. He will testify about issues discussed in the 
recently published paper entitled, ``Inadvertent File Sharing 
Re-Invented: The Dangerous Design of LimeWire 5.''
    Mr. Sydnor.

                    STATEMENT OF TOM SYDNOR

    Mr. Sydnor. Thank you, Chairman Towns, Ranking Member Issa, 
and honorable members of the committee. I thank all of you for 
holding this, the committee's third hearing on inadvertent file 
sharing.
    I note in his written testimony that Mr. Gorton has said 
that 2 years ago after the last hearing ``LimeWire began the 
process that culminated in all but eliminating inadvertent file 
sharing with the LimeWire application.'' Recent media reports 
from, for example, Today Investigates as well as Mr. Boback's 
testimony make clear that statement is simply not true. In my 
testimony today I hope to explain a little bit about why.
    The essential question in this hearing is, as I think the 
ranking member phrased it, is this ``deja vu all over again.'' 
After the committee's 2003 hearing identified two features in 
file sharing programs that had been shown to cause what I would 
call catastrophic inadvertent file sharing, that is to share 
thousands of personal files that clearly no one would ever want 
to share over the Gnutella file sharing network, after that 
hearing highlighted the dangers of those features, LimeWire 
worked with its then trade association, P2P United, to develop 
a code of conduct that would have prohibited their use.
    It looked as if the problem was solved. But what actually 
happened is that LimeWire went out and actually systematically 
disregarded that code of conduct, incorporating both of those 
features into its program. As a result, LimeWire found itself 
starring in many of the high profile incidents of catastrophic 
inadvertent file sharing.
    Now in the aftermath of the committee's 2007 hearing, 
LimeWire found a new trade association, the Distributed 
Computing Industry Association, and worked with it to 
promulgate a new set of industry self-regulations which it 
allegedly implemented in the versions of its program called 
LimeWire 5. LimeWire provided compliance data that led its 
trade association to deem it the poster child for compliance 
with those voluntary best practices.
    The question is, has LimeWire this time actually done what 
it claimed it would do? In my report, the Inadvertent File 
Sharing Re-Invented: Dangerous Design of LimeWire 5, the answer 
is clearly no. It has not. Nothing that has happened since the 
release of that report changes that conclusion. Essentially, my 
report identified three fundamental problems in the recent 
versions of LimeWire that we could call LimeWire 5.1.
    First, these programs are dangerously unpredictable. The 
simple truth of the matter is this: Mr. Gorton says his program 
won't share document files by default. If you will look in my 
written testimony, you will find a screenshot taken this 
weekend on a test computer that was set up to look exactly like 
my personal computer at home, my main home computer, which is 
to say that it had 16,798 document, image, video, and audio 
files stored in subfolders of its My Documents folder.
    In this test computer there was no version of LimeWire 
presently installed. I completed a default installation just as 
Mr. Gorton described in his 2007 testimony by clicking next, 
next, next all the way through the process. The result was 
16,798 files shared, including document files, shared by 
default simply by installing the program.
    That is an entirely unacceptable result. That is LimeWire 
5. The truth of the matter is that if any normal computer user 
installs this program on an ordinary home computer, they have 
no way to know what it will do to them by default. It is 
dangerously unpredictable. It is dangerously unpredictable 
because LimeWire has failed to correct the causes of that 
dangerous unpredictability that have been disclosed to it for 
years.
    The second fundamental problem is that it manifests at 
least eight violations of the voluntary best practices that it 
supposedly implements. These are not technical violations. 
These are violations of the key substantive requirements. There 
are eight. LimeWire appears to be taking voluntary self-
regulation no more seriously in 2009 than it did in 2003.
    Finally, what LimeWire told the committee in a letter dated 
May 1, 2009 is that it had eliminated the problem of 
catastrophic inadvertent sharing of sensitive files by 
eliminating from its program something it called ``recursive 
sharing of folders.'' This means that if you selected a folder 
to be shared, not only would you share the files in that 
folder, you would share all the files in all of its subfolders.
    This design is indeed extremely dangerous. It enables one 
mistake to result in the sharing of literally thousands of 
files, personal files, all your documents, all your family 
photographs, all your scanned documents, all your home movies, 
and your entire music collection.
    If that happens, you are set up for at least three forms of 
financial ruin. You can lose your job. You can become a victim 
of identity theft. You can be sued for copyright infringement. 
There are devastating results from virtually every type of file 
you would be sharing.
    Chairman Towns. Could you summarize, Mr. Sydnor?
    Mr. Sydnor. Pardon?
    Chairman Towns. Could you summarize?
    Mr. Sydnor. Certainly. The short of it is that LimeWire's 
own Web site design proves that it knew that this design was 
dangerous. Has it corrected it in LimeWire 5.2.8? No. What it 
did was to take out the dangerous feature that I identified in 
LimeWire 5.1 and reinsert an old dangerous feature, the 
recursive sharing of folders.
    Mr. Gorton's written testimony tells you that there are 
three ways to share files in the most recent version of his 
program. That is wrong. There are four. The fourth way is to 
click the ``Add Files'' button revealed in his own screenshots. 
There you will once again be recursively sharing folders, the 
very feature that Mr. Gorton and his trade association told 
this committee and other committees was the cause of 
catastrophic inadvertent file sharing.
    We are not, still years later, witnessing good faith 
behavior. Thank you.
    [The prepared statement of Mr. Sydnor follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman Towns. Thank you very much. Let me thank all of 
you for your testimony.
    Mr. Gorton. Mr. Chairman, may I make a brief comment?
    Chairman Towns. You will have an opportunity.
    Mr. Gorton, the latest edition of LimeWire came out just 
last week. Are you telling us that the latest edition of 
LimeWire prevents unintentional file sharing?
    Mr. Gorton. I believe in almost all cases it prevents 
unintentional file sharing.
    May I briefly comment on Mr. Sydnor's statement? He tells a 
story of installing LimeWire on a computer that has no LimeWire 
currently installed and by default it shares thousands and 
thousands of files, including documents. I think it is 
important to point out what Mr. Sydnor didn't state. Again, I 
am assuming that this was the same thing that was in his 
written report.
    In order to achieve the result that Mr. Sydnor just 
described, what he had to do was install a version of LimeWire 
on a computer and turn off all of the security settings that 
prohibit document sharing. Again, that single step in itself 
takes nine clicks and three warnings. He had to proactively go 
and share thousands and thousands of files.
    So he basically sets up the program for the most dangerous 
possible situation. He then uninstalls LimeWire from his 
computer, which uninstalls the program but does leave settings. 
That is common industry practice. I mean, this is what is done 
by Microsoft, by Apple, and by Google. This is how settings are 
generally kept when programs are uninstalled. He then goes 
through the steps that he refers to in his testimony where he 
installs a new version of the program which then has its 
prompt.
    But a user who affirmatively goes and sets up his computer 
and disregards so many warnings, at some point people do 
actually wish to share files. It is not that all sharing is 
inadvertent sharing.
    I would just like to point that out as just one example of 
the methodological tricks that Mr. Sydnor plays in his reports. 
I would just encourage you to be careful and look very hard at 
his statements. I read his report and I was sort of shocked at 
first until I started parsing the words. It is a very cleverly 
worded report but I don't find it to be very accurate.
    Chairman Towns. Mr. Sydnor.
    Mr. Sydnor. Thank you, Mr. Chairman. To frame what Mr. 
Gorton just said in a slightly different way, what I did is 
exactly what the Bucci family profiled in the Today 
Investigates report on inadvertent file sharing back in 2009 
did. What happened is that their daughters installed a version 
of LimeWire on the family computer but misconfigured it.
    The next thing you know, the family is inadvertently 
sharing tax returns and becomes the victim of identity theft. 
Then the Bucci family did exactly what you would think a normal 
person would do when they discover that type of problem. They 
uninstalled the program. That is exactly what I did in my test 
setup. I set up a version of LimeWire, created inadvertent file 
sharing, and then, to correct it, uninstalled it just the way 
an ordinary consumer might do.
    In other words, the hypothetical that I presented to the 
committee is not at all hypothetical for the Bucci family or 
probably hundreds of thousands of other families and computer 
users who have uninstalled some version of LimeWire 5. Mr. 
Gorton is asking you to accept the proposition that if somebody 
removes his program from their computer, that indicates their 
desire at some point in the future to restart all of the 
sharing that it might have been causing. That assumption simply 
does not accord with reality.
    The difference between Mr. Gorton's account of how his 
program behaves and my report is that I try to look at how 
ordinary people would actually be using this program. Mr. 
Gorton is talking to you about ideal situations. Yes, if you 
install his program on a computer that you know no third party 
has ever had access to and you know that you have never ever 
installed any version of LimeWire on even years earlier, it 
will not share files by default. But that is not the ordinary 
situation for an ordinary family computer. It is certainly not 
the situation with mine and certainly not the situation for 
your constituents. Thank you.
    Chairman Towns. I am going to ask you some questions now 
because my time is about to expire on me.
    Mr. Gorton, the testimony we heard this morning 
demonstrates that there are still major problems with the most 
recent version of your software. By default it shares 
downloaded files. By default it shares images, music, and 
videos that may have been inadvertently shared in previous 
versions of LimeWire. It leaves behind hidden files when a user 
attempts to completely remove the software from their computer. 
Why haven't you fixed these problems and when will you fix the 
problems?
    Mr. Gorton. Mr. Chairman, I am sorry. Let me just quickly 
address Mr. Sydnor's most recent answer.
    Chairman Towns. But my time is expiring.
    Mr. Gorton. The example he just gave about the Bucci family 
where the daughter accidentally set things up to share files, I 
strongly suspect that probably happened with a version of 
LimeWire 4 and not LimeWire 5. If there was an old version of 
LimeWire 4 that was uninstalled, if someone installs a version 
of LimeWire 5, it automatically unshares all documents, 
including tax returns. This is even if you upgrade from a 
version of LimeWire 5 to a new version of LimeWire 5. It puts 
up a warning that says, do you want to share these? It makes 
you very conscious of these things.
    We have worked very hard to try and bring all of these 
issues up to the front and make it very transparent to users.
    Mr. Issa. I would ask unanimous consent, Mr. Chairman, for 
you to have such time as may be necessary for them to answer 
your questions.
    Chairman Towns. Thank you very much. Because we try to run 
this committee by rules.
    Mr. Gorton. I am sorry but would you mind repeating the 
question?
    Chairman Towns. I would be delighted to. First of all, let 
me go back. The testimony we heard this morning demonstrates 
that there are still major problems with the most recent 
versions of your software. By default it shares downloaded 
files. By default it shares images, music, and videos that may 
have been inadvertently shared in previous versions of 
LimeWire. It leaves behind hidden files when a user attempts to 
completely remove the software from their computer. My question 
is, why haven't you fixed these problems? I guess the second 
part will be, since you haven't fixed them, when will you fix 
them?
    Mr. Gorton. I think as I just said, I believe that most of 
the problems that you are talking about we actually have 
already fixed. Again, I would caution you to be very careful of 
taking the testimony that you hear literally. I would encourage 
you to go through the steps that Mr. Sydnor----
    Chairman Towns. You saw the demonstration.
    Mr. Gorton. Yes. I am not saying that inadvertent file 
sharing does not happen in this world. What I am saying is that 
the sorts of things that you are seeing would be very unlikely 
to happen with the current version of LimeWire. There are 
hundreds of file sharing applications in the world. There are 
dozens of different file sharing applications which LimeWire is 
capable of searching. So the fact that you are seeing tax 
returns and other documents that were shared inadvertently does 
not mean that they are coming from a new version of LimeWire.
    I will say that probably many of those documents are coming 
from old versions of LimeWire. I would encourage all people in 
the world who are running old versions of LimeWire to upgrade 
to the new versions to address these problems. Unfortunately, 
though we have done our best to try to communicate to people to 
upgrade to the new versions, we have not been able to persuade 
everyone to do that.
    Chairman Towns. Mr. Gorton, reading back over your 
testimony from the last time, you are basically saying the same 
thing you said then. I just want to let you know that.
    I now yield to the ranking member.
    Mr. Issa. Thank you, Mr. Chairman.
    Mr. Gorton, you said you are a technologist in your 
statement. Some would say I am an old technologist so bear with 
me. Do you know who Peter Norton is?
    Mr. Gorton. Of Norton Anti-virus?
    Mr. Issa. Yes.
    Mr. Gorton. I have heard of him.
    Mr. Issa. I go back to when he was just Peter. That is how 
old I am.
    What was his goal in his product from what you can see from 
Norton Anti-virus? Wasn't it to protect customers from losses, 
from damage to their computers? Didn't he create a whole 
industry to do it? These are semantics now, but isn't that the 
history?
    Mr. Gorton. I believe so.
    Mr. Issa. Are your customers less important to you than his 
customers?
    Mr. Gorton. No.
    Mr. Issa. Do you try to protect your customers?
    Mr. Gorton. Yes, we do.
    Mr. Issa. OK, then let us go through some steps. Why is it 
that you still have 4.18 on your site? You still offer today 
for download out of date software that is inherently more 
vulnerable by your own statements. Why do you still do that?
    Mr. Gorton. I am not aware of us doing that.
    Mr. Issa. My own people who are not technologists checked 
on it today. It is still there.
    Now, you talked about de facto standards. You quoted 
Microsoft. I will leave Microsoft out of it for a moment. When 
I uninstall your product, do you provide an uninstall 
capability?
    Mr. Gorton. Yes.
    Mr. Issa. So you don't rely on the default of Microsoft. 
You control the uninstall. Isn't it true that when you 
uninstall with your own software, your software programmers or 
your technologists could move those switches back or allow the 
customer to make that decision? Isn't that something you could 
easily write into the code?
    Mr. Gorton. Yes.
    Mr. Issa. OK. So you still have the old software. You have 
an uninstall routine that does not, in fact, re-protect or 
offer an opportunity to re-protect the customers. Isn't that 
true, at least as of today?
    Mr. Gorton. So document sharing is turned off by default in 
LimeWire 5. In LimeWire 4, when you reinstall----
    Mr. Issa. No, no. Hold on for a second. I have LimeWire 
4.18.
    Mr. Gorton. Yes.
    Mr. Issa. I update to LimeWire 5.2.8.
    Mr. Gorton. Yes.
    Mr. Issa. I go to uninstall. Does your software give me the 
opportunity to fully protect, to take those items which I had 
maybe chosen to turn on or not, I notice, by the way, that MP3, 
MPEG, and so on are not on this list but DOC, WRI, DVI, LaTeX, and 
so on, do you in your uninstall provide the re-protection or do 
you leave it sort of switched as it was?
    Mr. Gorton. If you have a version of LimeWire 4 and you 
upgrade or install----
    Mr. Issa. I have already updated. I am talking about your 
current version, when I uninstall your current version.
    Mr. Gorton. No, when you install the current version it 
automatically will unshare documents that were previously 
shared.
    Mr. Issa. Right. But now I have chosen to share them. Now I 
am uninstalling the software. Does your software allow me to 
unshare them at the time that I am uninstalling? You are in 
control of that, right? This is not a Microsoft standard. You 
are in control of that decision.
    Mr. Gorton. That is true but when you----
    Mr. Issa. OK. So I think we have kind of come through some 
of the things you could do. I am not saying you must do them 
all. I am saying you could do them. You are not doing them for 
your customer. Now, you are not forcing people to upgrade to 
LimeWire 5?
    Mr. Gorton. We have no mechanism to do that.
    Mr. Issa. Oh, you don't? Wouldn't it be relatively simple? 
As an old software guy to a younger software guy, you could 
create the capability where when LimeWire 4 users try to share 
they would see that they are blocked from sharing with LimeWire 
5.2 and above unless they upgrade. That wouldn't be hard for 
you to do. LimeWire 5.2 could deliberately be incompatible with 
LimeWire 4.1. You could create a block on that. That is doable, 
isn't it?
    Mr. Gorton. Yes, we could break compatibility with it.
    Mr. Issa. So, if you care about your customers and you know 
that LimeWire 5.2.8 has much better protection for them, if you 
wanted to protect your customers one of the easiest ways is to 
force out the older generation software. That is something 
which, since you write the software, you are in control of 
doing.
    I spent 20 years in automotive security. I think about 
security and I think about what can I do for my customers. I 
also think about how to make car alarms not go off. That is the 
hard part. Making them go off was easy. It sounds like sharing, 
which is easy, is what you do.
    These are simple questions and I could go on for a lot 
longer with them. Any consultant you hire could help you with 
those. If you were thinking in terms of security, you would 
have asked and answered those questions for your customer.
    Anyone can make a car alarm that goes off all night. It is 
hard to make one that doesn't go off except when someone is 
stealing your car. Anyone can make file sharing easy. What are 
you doing to protect your customers so that file sharing is not 
something that leads to these inadvertent acts for them or 
others?
    Mr. Gorton. We have taken a large number of steps, which I 
have documented in my written testimony. But I also----
    Mr. Issa. I appreciate that but you don't get credit for 
what you can't answer today that was that simple.
    Mr. Gorton. Many of the steps that we have taken have come 
from outside suggestions. We would be happy to look at any 
suggestions that you have or anyone else has as to how we can 
improve our program. We have taken a large number of steps. Are 
we perfect? No, we are not perfect. We would be happy to look 
at anything and continue to work going forward to get as close 
to perfect as we can get.
    Mr. Issa. I appreciate that. My time for new questions has 
expired. Could the other two gentlemen just comment on the line 
of questioning I explored, please?
    Mr. Sydnor. Ranking Member Issa, thank you. I think that is 
exactly correct. The problem that you have illustrated and that 
I think you can see live here is that Mr. Gorton has made some 
improvements, but he made improvements that relate to types of 
documents that don't actually drive a lot of traffic toward the 
Gnutella network. So whenever you see somebody who is 
inadvertently sharing document files, sensitive personal 
documents, my experience of actually looking at what happens on 
Mr. Gorton's network, something that LimeWire itself really 
does not do much of, shows that whenever that is happening they 
are sharing many other types of files.
    I illustrated the dangers of that in my 2007 testimony, 
basically pointing out that if that happened to my family, yes, 
the document files would be important to me but the most 
dangerous files in terms of identity theft and the safety of my 
children would actually be the image files. Those would be the 
most dangerous. I laid that out in my 2007 testimony.
    Lest anyone think that I was wrong, I will just quote some 
testimony from Mr. Boback. ``Tiversa has documented cases where 
child pornographers and predators are actively searching P2P 
networks for personal photographs of children and others that 
are stored on private computers. Once the photographs are 
downloaded and viewed, these individuals use the browse host 
function provided to view and download all additional 
information being shared from that computer.''
    The changes Mr. Gorton's program makes don't solve that 
problem. They don't solve the massive copyright infringement 
problem. They are half measures.
    Mr. Boback. My only comment is that LimeWire has made 
changes in the time since our last testimony. However, from our 
oversight view of that, they have lost market share since that 
time. Users have transitioned to other places and other clients 
as LimeWire has made the changes.
    Our own personal concern with LimeWire 5.0 and up is that 
for some unexplained reason, Tiversa, which is the only 
oversight to a number of peer-to-peers, was hard coded in a 
block so that we would be unable to see every user of 5.0 and 
up. Now, we don't interfere with the network at all. We don't 
touch LimeWire clients. We don't stop downloads. We have never 
taken a dollar from the Motion Picture Association or the 
recording industry. However, for some reason our entire IP 
address range that Tiversa uses to monitor has been hard coded, 
which means someone literally typed into the LimeWire code to 
not ever connect to anyone associated with Tiversa. We posed 
the question to the CEO of LimeWire and I still have yet to 
have a response.
    Mr. Issa. Mr. Chairman, I would ask unanimous consent to 
include in the record at this time the screenshots in HTML 
format from July 28, 2009 showing the previous versions of 
LimeWire that were available as of that date. I would like that 
included in the record.
    Chairman Towns. Without objection, so ordered.
    [The information referred to follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Issa. Mr. Chairman, it is interesting that Mr. Gorton 
was so livid in saying that ISPs could protect and then showed 
that he can protect from a specific range of a particular ISP.
    Chairman Towns. That is interesting. I now yield to the 
gentleman from Maryland, Mr. Cummings.
    Mr. Cummings. I am sitting here and listening to all of 
this. I heard what Mr. Issa said from the beginning. He said 
that if we were to find certain things happening here, this is 
something that should be referred to the Justice Department. 
After seeing what Mr. Boback presented here a moment ago, it is 
chilling what the public now has available to it, the idea that 
you can look at the First Lady's information, figure out where 
she is going, how she is getting there, and so forth and so on 
and tax records and things of that nature. In some kind of way 
we have to get to the bottom of this.
    I have been sitting here listening to you, Mr. Gorton, 
trying to figure out whether you have sincerely done everything 
you can to protect the American people with regard to this kind 
of information being put out there. But now I am going to pick 
up right where we left off with Mr. Boback, with what you just 
said.
    Why did LimeWire, Mr. Gorton, block Tiversa from access to 
its portals after assuring the Committee on Oversight and 
Government Reform, this committee, that it was fully committed 
to correcting the inadvertent file sharing troubles to which it 
had contributed? First of all, is what he just said true? Did 
you all block Tiversa?
    Mr. Gorton. I don't have any specific knowledge of that so 
I can't say.
    Mr. Cummings. Wait, wait. So you are saying you don't know 
whether it happened?
    Mr. Gorton. That is correct.
    Mr. Cummings. OK, go ahead.
    Mr. Gorton. But I can tell you a little bit about what 
LimeWire does to fight spam. Again, now we are getting into a 
little bit of sort of the technical details of the way peer-to-
peer networks work. But peer-to-peer networks are distributed. 
What that means is that each of the computers on that network 
are connected to each other through sort of a chain effect. 
Messages and searches are conducted as messages are passed from 
one computer to the next. There are certain people and 
computers in this world who are spammers who respond to every 
search that is done on LimeWire with all sorts of messages and 
things like that.
    Mr. Cummings. Mr. Gorton, I am going to have to cut you 
off. The only reason I am going to cut you off is that I don't 
have that much time. They only give us 5 minutes.
    Let me just ask this of you, Mr. Boback. I am going to come 
back to you if I have time. Do you think he is doing all that 
he can to address the problems that you showed us in the 
demonstration? What else could he do? That is what my 
constituents want to know.
    Tonight I am going to have a town hall meeting over the 
phone. If people saw this while we have this new piece about 
digital records and all that, people are going to say, ``wait a 
minute, hold it. The fact that I have cancer or my whole IRS 
return and all my records will all be out there in 
cyberspace?''
    Has he done all that he could have done in your opinion? 
Were you blocked from helping him?
    Mr. Boback. In my opinion, no, they have not done 
everything that they could possibly do. We provided an option 
after the 2007 hearing where we were willing to work with them, 
to say we see some obvious solutions of how you can do this. 
Rather than just blocking at the ISP, there are a number of 
things you can do. Those conversations ceased shortly 
thereafter. Then 6 months after that we were blocked.
    We are not a spammer. We don't respond to searches. We are 
absolutely passive on the network. When our system gets a 
search, it passes it right on through without changing the 
search, without downloading it, without doing anything. We are 
absolutely passive on the network. We don't block a single 
file. We don't spam advertising. We don't do $1 in advertising. 
So therefore we are not a spammer and we were, in fact, blocked 
as of March 2008. They blocked us 6 months after they ceased 
discussions as to the solutions that we offered.
    Mr. Cummings. Mr. Gorton, back on July 24, 2007, you said 
that you had no idea there was that amount of classified 
information out there or that there are people actively looking 
for that and for credit card information. Is this shocking to 
you? Does it bother you that this information is out there like 
that?
    Mr. Gorton. Absolutely.
    Mr. Cummings. So you are going to promise us some more 
today of things you are going to do?
    Mr. Gorton. I can promise you our ongoing commitment to 
continue working on this problem. I will say that I think we 
have made enormous strides in the past 2 years and that 
certainly the vast, vast, vast majority of inadvertent file 
sharing with LimeWire has been eliminated in the new versions. 
We are happy to continue working going forward to do whatever 
we can do.
    We take our responsibility to our users very seriously. We 
don't want anyone to have an unpleasant experience in any way 
from using LimeWire. I can certainly see that if someone has 
their tax records revealed publicly that is a pretty serious 
thing. We take this seriously and that is why we put in so much 
effort. We are a small company. A good fraction of the 
programming resources of our entire company has gone to 
combating this problem. I think we have made very good 
progress.
    Mr. Cummings. I see my time has expired. Thank you, Mr. 
Chairman.
    Chairman Towns. I thank the gentleman from Maryland. I now 
yield to the gentleman from New Hampshire, Mr. Hodes.
    Mr. Hodes. Thank you, Mr. Chairman. Thank you all for your 
testimony.
    Mr. Gorton, I find your testimony today stunning. You 
promised us 2 years ago that you were going to fix what ails 
LimeWire. Your testimony today basically for me is essentially, 
``why are you picking on me.'' There are others out there who 
are facilitating breaches of national security, who are 
facilitating commission of child sex crimes, who are 
facilitating the theft of property from musicians and owners of 
copyright, and who are facilitating identity theft.
    Mr. Boback, Mr. Gorton testified essentially that using a 
recent version of LimeWire you couldn't engage in the kind of 
activity that you highlighted by showing us in real time what 
was going on. He then modified that testimony when asked a 
question by the chairman to say it was very unlikely to happen. 
Are either of those statements true?
    Mr. Boback. He is correct in saying that it is less likely on 
LimeWire than it is in some other peer-to-peer clients. 
However, all of the demonstrations that we showed here today 
were in fact LimeWire disclosures occurring from a LimeWire 
client. I could have shown BearShare and other disclosures as 
well but we specifically have LimeWire.
    Mr. Hodes. Were you using current versions of LimeWire to 
do the demonstration today?
    Mr. Boback. The tax return video was actually a 4.18 
version of LimeWire but it accessed information that was out 
there. What I have found is that most of the users don't want 
to upgrade to 5.0 because it further decreases their access to 
other information. Therefore, they don't want to do it.
    Mr. Hodes. Mr. Gorton, you have heard about the incident in 
which the blueprints for Marine One, the Presidential 
helicopter, ended up in Iran?
    Mr. Gorton. Yes.
    Mr. Hodes. Did anyone in your organization attempt to 
remove that file or take any other action when you heard about 
that?
    Mr. Gorton. We have no mechanism to remove files from 
people's personal computers.
    Mr. Hodes. But did you do anything to block access to that 
information in any way?
    Mr. Gorton. Again, the Gnutella network is a decentralized 
network which LimeWire doesn't run. So I think maybe using an 
Internet browser is perhaps analogous.
    Mr. Hodes. Let me ask you this question: When you heard 
about the plans for Marine One, the Presidential helicopter, 
ending up in Iran, did you take any action at all? Yes or no.
    Mr. Gorton. Yes.
    Mr. Hodes. What did you do?
    Mr. Gorton. We have made changes to the current version of 
LimeWire so that such a breach would not happen today.
    Mr. Hodes. Is there any file of information you would try 
to have removed if it was brought to your attention? For 
example, if you heard or found there was a file containing 
directions for making an IED that could harm our soldiers in 
Iraq or Afghanistan, is there anything you would do?
    Mr. Gorton. Again, I think those files should be removed 
from the network but LimeWire does not control the computers of 
people around the country.
    Mr. Hodes. How about child pornography? You understand that 
LimeWire is being used as we speak to facilitate the commission 
of child sex crimes? You understand that, right?
    Mr. Gorton. Yes.
    Mr. Hodes. What are you going to do about it?
    Mr. Gorton. LimeWire is in the process of working with the 
New York State Attorney General's Office on specifically this 
problem. We, in conjunction with the New York State Attorney 
General's Office, are building a filter to remove child 
pornographic material.
    Mr. Hodes. Why didn't you do that 2 years ago?
    Mr. Gorton. We do not have a list of----
    Mr. Hodes. Why didn't you build the filter you were just 
telling me about 2 years ago when you came before this 
committee? We talked about the problem and you promised us you 
would fix it. Why didn't you do it 2 years ago? Answer my 
question.
    Mr. Gorton. Again, I am pointing out that in order to solve 
the problem which you are describing, you need to know which 
material is child pornographic material. LimeWire by itself 
does not have that knowledge. So we have had to work with 
outside third parties in order to gain knowledge of what that 
material is. There are certain organizations in the world whose 
job it is to maintain lists of that material. LimeWire is in 
the process of working with them in order to filter that 
material from the network.
    Mr. Hodes. Did you start 2 years ago when you promised us 
you were going to fix the problem? Yes or no, just a simple yes 
or no, Mr. Gorton.
    Mr. Gorton. I don't know the date we started working on 
this.
    Mr. Hodes. So you can't tell us that after leaving this 
committee room 2 years ago when you promised us you would fix 
it that you started fixing it, right?
    Mr. Gorton. I know that it is an ongoing effort that we are 
working on today and that we hope to resolve it soon.
    Mr. Hodes. Thank you.
    Mr. Tierney [presiding]. Thank you, Mr. Hodes. Mr. Foster, 
you are recognized for 5 minutes.
    Mr. Foster. The hidden files that persist as you update, 
are these things files, registry entries, or hidden files? What 
is the exact nature of these? Is there anything special about 
them, Mr. Gorton?
    Mr. Gorton. I have to say that I am not 100 percent sure 
but I believe that they are regular files. I believe when they 
are called hidden they are by no means obscured from the user. 
If you were to go look in the directory, you would see the 
preference files. They are not invisible in any way except that 
people don't normally choose to examine them.
    Mr. Sydnor. Representative Foster, could I correct the 
record on this?
    Mr. Foster. Certainly.
    Mr. Sydnor. That is simply false. I am familiar with the 
nature of the files. I have looked at them. They are stored in 
a place where users never go in a hidden folder. It is 
invisible to the ordinary user. Yes, if they de-hide that 
folder, they could conceivably find it. But by default that 
folder is invisible. If you can't find that folder, you can't 
find the files in it. It is as simple as that.
    Mr. Foster. But this is a standard industry practice to 
hold things like which could be registry entries or detailed 
settings?
    Mr. Sydnor. Not that I am aware of. LimeWire leaves an 
enormous amount of material behind when it uninstalls. I am 
simply not aware, I just don't believe that it is accurate when 
Mr. Gorton claims that companies like Microsoft and Google do 
this. I do not believe that they leave behind the types of 
configuration files that could have dangerous effects if they 
are reactivated by another version of the program that chooses 
not to overwrite them. It is not true.
    Mr. Foster. Mr. Gorton, your statement that you can't force 
an update when this sort of problem occurs, is that a feature 
of your most recent software as well?
    Mr. Gorton. Our current software does have update 
capabilities but the old LimeWire 4 something, I don't know 
exactly at what point but there are old versions in which we 
are not able to send an update message.
    Mr. Foster. I guess this would be best directed at Mr. 
Boback. The nuclear option is to block the Gnutella protocol at 
the very high level Internet router level if this really 
becomes intolerable, if you start seeing nuclear weapons 
designs out on this thing and it becomes important to do. The 
obvious risks there are free speech risks. I personally don't 
see any mechanism instead of technologies that would allow you 
to block child pornography that would also not allow you to 
shut down Falun Gong. This is the tough situation we are in.
    First off, businesses, however, can choose to block the 
Gnutella protocol. A hospital, for example, could just say, 
``we don't want any file sharing on our computers.'' Many 
businesses, I believe, do that. National laboratories, I 
believe, do block file sharing protocols. Is that consistent 
with your experience?
    Mr. Boback. All of our clients block peer-to-peer 
applications from being downloaded. The problem is that people 
work around those because they want music, for one. I will tell 
you that all of our clients of the Fortune 500 have all had 
disclosures on peer-to-peer despite the recommendations for 
them to avoid that. In fact, we even found the rules and 
regulations for IT security saying to block peer-to-peer on a 
large Fortune 100 company.
    Mr. Foster. These come from people bringing their computers 
and files home to places where they are not protected. At least 
at the workplace there is a simple thing to just wipe out the 
Gnutella protocol.
    Mr. Boback. For the most part.
    Mr. Foster. Similarly, the military, do they block all 
peer-to-peer connections on the military networks?
    Mr. Boback. I believe that the military does discourage the 
use of peer-to-peer. However, being a dispersed group, there is 
no way to stop it entirely. It is like stopping crime. You have 
to monitor it and that is what we have chosen to do.
    Mr. Foster. But on the military subnets, they can 
presumably just block it. Do you know for a fact whether they 
do or do not?
    Mr. Boback. I do not know for a fact.
    Mr. Foster. Mr. Gorton, it seems to me that the sensible 
solution to this is that instead of having an exclusive list, a 
list of things we are not going to share, that the user should 
have to say yes, I want to share this file and click on it. 
They should have to march through every single file and 
explicitly say yes, I recognize this file instead of just 
clicking on the whole C: drive.
    Mr. Gorton. What you describe is the current practice with 
LimeWire. You have to affirmatively select each file or----
    Mr. Foster. Every single file, including everything you 
download?
    Mr. Gorton. Downloaded files, I believe on installation you 
have a choice whether you want to automatically reshare or not 
reshare files that you download.
    Mr. Foster. OK. Then this question of trying to recall old 
versions of it, my understanding is that would be essentially 
impossible because the Gnutella protocol is a multi-vendor open 
protocol. There is no way that you can stop those old versions 
from working. Is that correct?
    Mr. Gorton. Yes. It is a piece of software on a person's 
individual computer and they control it.
    Mr. Foster. Right. So the only way to stop old versions 
from working would be, for example, basically for the whole 
world to block the old Gnutella protocol and reimplement a 
Gnutella protocol where you actually had control over who gets 
to write clients and what the procedures are on that. To me, 
that would be the only solution that would allow you to 
actually flush out the problems with the current system. 
Otherwise you would be left with the old Gnutella protocol 
doing whatever bad features with whatever bad old versions of 
the software are out there. Are you aware of any other way that 
we can flush out the old versions of the software?
    Mr. Gorton. It is certainly very difficult because those 
versions of LimeWire don't just connect to the new versions of 
LimeWire. They connect to dozens of other P2P clients.
    Mr. Foster. Which could only be shut down by a worldwide 
effort to block them and then reimplement a new version that 
didn't have these problems.
    I yield back.
    Mr. Tierney. Thank you, Mr. Foster. Mr. Connolly, you are 
recognized for 5 minutes.
    Mr. Connolly. Thank you, Mr. Chairman. Mr. Gorton, Mr. 
Sydnor sort of laid out three broad critiques of LimeWire. I 
wonder if you would respond. The first was that it is 
dangerously unpredictable. In installing the software, his 
experience was that just by default 16,798 documents showed up 
inadvertently displayed. Could you comment? Is your software 
dangerously unpredictable from your point of view?
    Mr. Gorton. I do not believe it is dangerously 
unpredictable. Again, I think it is worth talking about the 
situation. In order to get the result that Mr. Sydnor 
described, he had to install a version of LimeWire 5.0 or 
greater, disable all of the security features that are built 
into it, disregard the many warnings, and affirmatively choose 
to share thousands of files. Then he had to uninstall that 
version of LimeWire and install a new version of LimeWire. 
Then, once that new version of LimeWire was installed, there 
would be warnings that would pop up that would ask him----
    Mr. Connolly. I am going to have to interrupt you because 
we have limited time here. I just want to get at the essence of 
your answer. I get it. Your view is that he is the one who is 
dangerously unpredictable, not your software?
    Mr. Gorton. I am not sure I would characterize him that 
way.
    Mr. Connolly. But you just went through all the steps he 
had to take that made him dangerously unpredictable. Is it your 
contention that if we directed our committee staff to do what 
Mr. Sydnor did we would or would not come up with the same 
results here at the committee?
    Mr. Gorton. If you got a version of LimeWire 5, removed all 
the security settings, ignored all the warnings, chose to share 
files, uninstalled that program and then installed a new 
upgraded version, you would still be presented with warnings 
which you could then ignore.
    LimeWire is file sharing software. It is not unreasonable 
to think that people who install file sharing software might 
actually want to share files. What we try and do is make it so 
that the files they share are only files they want to share.
    Mr. Connolly. Mr. Chairman, I may be a freshman but the 
light has stayed on red.
    Mr. Tierney. It is because you are a freshman. [Laughter.]
    So you gave the answer and the question in the same breath. 
[Laughter.]
    Mr. Connolly. I thank the Chair.
    Mr. Sydnor also said that in addition to being dangerously 
unpredictable, one of his three points was that you were 
knowingly dangerously unpredictable. In other words, this isn't 
accidental or this isn't just a feature of the software that is 
something we can't really control. You knowingly have, in fact, 
manufactured, sold, and operated software that has this 
dangerous default with what he characterized as ``devastating 
results.'' I assume your view is that is just not true.
    Mr. Gorton. That is absolutely untrue. I can tell you that 
we take this problem seriously. We are actively working to 
resolve it. I will say that there are situations which can 
occur in the world which didn't occur to us in testing 
involving weird combinations of installing old software and new 
software. As these edge cases come up and they are pointed out 
to us, we address each one as it comes along.
    I would like to think that we have caught every last 
problem. That is probably not true. But as they are pointed out 
to us, we go and take the steps that are necessary to ensure 
that those problems don't continue.
    Mr. Connolly. The third point he made was that he could 
identify at least eight violations of voluntary best practices, 
suggesting that self-regulation in your case doesn't work.
    Mr. Gorton. He did not say what those violations were. This 
is coming from his paper and my recall of the specifics is not 
perfect, but I believe that many of those claims about us 
disregarding those eight best practices are false. I think he 
may have pointed out an issue or two which we have since 
resolved. I believe that all eight issues which he discussed 
before are currently nonexistent.
    Mr. Tierney. The red light, Mr. Connolly, has truly come on 
now.
    Mr. Connolly. Thank you, Mr. Chairman.
    Mr. Tierney. We appreciate your questions and thank you for 
them. Mr. Duncan, you are recognized for 5 minutes.
    Mr. Duncan. Mr. Chairman, thank you very much. Mr. Boback, 
I was interested to read in the briefing paper that your 
company did a demonstration in January 2009. It says that 
Tiversa was able to locate and download more than 275,000 tax 
returns. Is that accurate?
    Mr. Boback. That is accurate. Yes, sir.
    Mr. Duncan. Do you feel that you basically can get 
anybody's tax return that you want to?
    Mr. Boback. Surprisingly we can get a great deal of 
information. Yes, sir. I don't know about anyone, but most 
people.
    Mr. Duncan. When we run for Congress, we basically forfeit 
or give up any right to privacy and we sort of have to accept 
that. But do you think there is any real privacy in this 
country anymore if anybody can get almost anybody's tax returns 
or medical records or bank records or anything else that they 
want to get?
    Mr. Boback. It has definitely been depleted quite a bit 
with this application, yes.
    Mr. Duncan. I know that we have taught all of the young 
people to worship the computers now and so forth and to become 
addicted to them, but it seems to me that it is sad that we are 
so controlled now that we basically have done away with almost 
any privacy that private citizens should have in this country.
    How skilled a computer user does one need to be to hack 
into files that are not intended to be shared?
    Mr. Boback. It is as simple as doing a Google search. 
Literally you would type in ``tax return'' and hit ``search.''
    Mr. Duncan. That is what I thought you would say. In fact, 
several years ago I was driving back from lunch in Knoxville 
one day and I heard on the CBS radio national news that 
computer hackers had hacked into the top secret files of the 
Pentagon that year. It was many thousands of times. I don't 
remember exactly how many.
    Then I remember a few years ago when the front page of the 
Washington Post had a story about a 12 year old boy hundreds of 
miles away from the Hoover Dam who had opened the floodgates at 
the Hoover Dam. I suppose in one way that is funny but in 
another way it is pretty sad and it is also pretty dangerous, 
it seems to me, to our national security.
    At any rate, Mr. Chairman, thank you very much for holding 
this hearing.
    Mr. Tierney. Thank you, Mr. Duncan. We appreciate that.
    Mr. Gorton, I just want to ask you a question. You said 
that you personally knew nothing about the fact that Mr. 
Boback's system had been shut out of your software, I guess, 
right?
    Mr. Gorton. That is correct.
    Mr. Tierney. So will you reinstate it now? Will you remove 
that barrier?
    Mr. Gorton. We can certainly talk to Mr. Boback.
    Mr. Tierney. What would that discussion involve?
    Mr. Gorton. As I was saying before, LimeWire has a system 
for identifying spammers. And then----
    Mr. Tierney. You consider Mr. Boback's group a spammer?
    Mr. Gorton. I do not.
    Mr. Tierney. So what else is going to be involved in the 
discussion?
    Mr. Gorton. But it may be that there is something about the 
profile of the way his systems behave that matched our 
identification for a spammer. We can try and work with Mr. 
Boback to make sure that he is not falsely identified as a 
spammer.
    Mr. Tierney. Why did you break off the conversations with 
him? I assume those would be the type of things you would have 
discussed with him after the last hearing. Mr. Boback says you 
were working along and you stopped the discussion.
    Mr. Gorton. I believe the conversations he was referring to 
were his attempt to get LimeWire to purchase and distribute the 
software which he is selling and the service which he is 
selling. He has a system which flags security concerns. It was 
our preference with LimeWire, rather than to create a system 
which identified security problems, we would rather eliminate 
them. We felt that if we did a proper job eliminating 
inadvertent file sharing there would not be a need for Mr. 
Boback's software.
    Mr. Tierney. Set aside whether you want to buy his services 
or anything of that nature. Why would you block him?
    Mr. Gorton. This is what I was saying. We have an automated 
system which goes and looks for spammers. I believe that his 
company's systems in some way have a profile of a spammer and 
they were inadvertently flagged as a spammer.
    Mr. Tierney. Does this make any sense to you, Mr. Sydnor?
    Mr. Sydnor. Mr. Chairman, no, none whatsoever. Tiversa's 
service has been operating. I first encountered them some years 
ago when I began investigating this problem. It has been 
operating for years. If it triggered some automatic spam 
filter, it should have done so years ago.
    The timing would suggest that right after the last big 
round of very significant disclosures about very significant 
episodes of inadvertent file sharing involving LimeWire, which 
Tiversa did help, as I recall correctly, the reporters and the 
military identify, that is when the block occurred. That is 
interesting timing for an automated spam detection system.
    Mr. Tierney. Mr. Gorton, let me tell you that is how it 
looks from here. Disabuse us of that notion if you can.
    Mr. Gorton. Certainly. First of all, let me start by saying 
that I think that systems like Mr. Boback's have a positive and 
constructive role to play. I have no desire to see them shut 
down.
    Mr. Tierney. So who in your company do you think had that 
desire and then physically blocked them?
    Mr. Gorton. Like I said, it is an automated system.
    Mr. Tierney. No, no. Let us back up a second. Somebody had 
to physically go in and block them out. So who in your company 
is in charge of doing that?
    Mr. Gorton. No. Like I was saying, we have an automated 
system which identifies IP addresses. There is no human being 
involved.
    Mr. Tierney. All right, we have heard that before. What do 
you think of that, Mr. Sydnor?
    Mr. Sydnor. Mr. Chairman, I simply don't think it is 
credible. I have known Mr. Boback's company for years, worked 
with them for years. Their service, so far as I know, has 
operated relatively similarly. It simply does not make sense 
that right after the latest round of disclosures that they 
somehow for the first time would have tripped the automatic 
spam filter. That is exactly the sort of very interesting 
question that I think a law enforcement agency could 
investigate.
    If I could add one final point, it is that I realize there 
has been a bit of he said/she said between Mr. Gorton and I 
today about how his program actually behaves. That is totally 
unnecessary. We are talking about the behavior of a computer 
program. It will do the same thing every time. I am happy to 
come in and demonstrate for any member of the committee or the 
staff exactly how I do my testing and draw my conclusions.
    Mr. Tierney. Mr. Boback, do you want to add anything to 
that conversation? I think Mr. Gorton's credibility here is at 
risk so I want to caution you to that.
    Mr. Boback. It is clear that we are blocked. We don't spam. 
We are engaged in Federal, State, and local investigations with 
law enforcement. The mere fact of his blocking our technology 
is a direct infringement on our ability to actually prosecute 
and to work with Federal law enforcement to address these 
issues. We don't spam. That was clear.
    To say that it is automated is not accurate. There is no 
automated programming. There is no automated system that learns 
how to program. You can automate updates. You can automate a 
number of things, but literally someone typed in our IP range. 
There is no random fitting into your software code. That is 
hard coded into there, which means someone literally did it. I 
don't know who that was.
    Mr. Tierney. Thank you, sir.
    Mr. Welch, you are recognized for 5 minutes.
    Mr. Welch. Thank you very much, Mr. Chairman. Mr. Gorton, 
you were here before and I asked a few questions. You indicated 
in December 2008 that you were going to engage in a concerted 
effort to combat and eliminate inadvertent file sharing. Is 
that right?
    Mr. Gorton. Yes.
    Mr. Welch. You saw the results of the test this morning. 
Apparently using your service we can get information about 
troop rosters, names, and Social Security numbers in the U.S. 
Army. Is that anything you approve of?
    Mr. Gorton. No.
    Mr. Welch. We can get through your site information about 
the First Lady's safe house route from the Secret Service. Is 
that anything you approve of?
    Mr. Gorton. Certainly not.
    Mr. Welch. Obviously you don't approve of getting access to 
confidential information about motorcade routes?
    Mr. Gorton. Exactly.
    Mr. Welch. So is it fair to say that whatever it is that 
you did to ``combat and eliminate inadvertent file sharing'' 
was a total, complete, and utter failure?
    Mr. Gorton. No, I disagree with that statement.
    Mr. Welch. So however effective it was, it did not 
successfully stop access to motorcade routes, First Lady safe 
house information, and troop rosters. That is a fact.
    Mr. Gorton. If I may, again, I think----
    Mr. Welch. No, I actually think it is a bit of a joke. The 
joke may be on us if we don't get a little firmer about this. 
You have a business model that basically is all about denying 
intellectual property rights to folks who create music and 
movies and fostering the sharing of that without any type of 
respect for the intellectual property rights of people.
    It has an over-broad application so that anybody who wants 
to go on the Web site and get information about Marine One, the 
First Lady's safe house, or troop rosters can get it. Your 
routine is to come in here and tell us you are ``doing 
everything [you] possibly can'' and profess concern. But your 
concern doesn't extend to doing that which is effective to stop 
the problem.
    At a certain point reasonable people have to ask the 
question as to whether the efforts that you are taking are 
cosmetic, essentially slow walking so that you can maintain the 
pretext that there is a solution. At a certain point I think we 
have to ask in Congress whether we are going to take what 
action is required to protect confidential national security 
information and intellectual property or not.
    Mr. Chairman, if we have another hearing, another hearing, 
and another hearing after that we are going to have the same 
story from Mr. Gorton. Then we are going to have another 
demonstration from Tiversa that shows us whatever he has done 
lately has failed.
    At a certain point it may be appropriate for us to ask 
folks from the FTC, the U.S. Attorney's Office, and maybe some 
State Attorneys General who are concerned about access to 
pornography as to whether there is some legal action that 
should be taken in order to protect intellectual property, 
protect our kids from pornography, and essentially protect 
classified medical and national security information.
    I want to thank Tiversa. There is the old Groucho Marx 
line, do we want to believe Mr. Gorton or our own two eyes? I 
think your demonstration makes it irrefutable that whatever 
actions LimeWire has taken to supposedly deal with this 
inadvertent file sharing are a failure. My conclusion is that 
they have no serious intention of being successful and stopping 
it because the main agenda item is providing access to 
intellectual property to anybody who wants it without any kind 
of compensation.
    I yield back the balance of my time.
    Mr. Tierney. The gentleman yields back. Mr. Issa.
    Mr. Issa. Thank you, Mr. Chairman.
    Mr. Gorton, in light of this hard coding question that 
there isn't time to resolve here, will you agree to answer 
questions we submit and to provide information as to the people 
who wrote the software and who would directly know how these IP 
ranges got in?
    Mr. Gorton. Yes, we would be happy to help the committee 
with that.
    Mr. Issa. I appreciate that.
    There was a followup question that I want to understand. I 
asked earlier and I thought I got an affirmative that you could 
force users who were using 4.x but wanted access to your 
switches, that you could create a situation where if they 
didn't upgrade to the 5 level the new software, I guess it 
would be 5.2.9, could say it only deals with 5.0 and above or 
whatever. Then Mr. Foster implied that the open format would 
deny you that. Could you respond on that and followup?
    Mr. Gorton. I guess it is possible for us to come out with 
a new version of LimeWire that would not connect to other 
versions. However, with the decentralized network you have a 
situation where we don't just connect to other LimeWires. We 
might connect to some other Gnutella-compatible program which 
then itself connected to 4.x. So even if we ourselves deny the 
connections, the network itself would probably still maintain 
them.
    Mr. Issa. Following up, I am an old business man so I 
generally want to figure out where the money goes. That helps 
me understand the business model. Or you can ask the business 
model where the money goes. Either way, how do you make your 
revenue?
    Mr. Gorton. We sell LimeWire Pro.
    Mr. Issa. You make it only on the software?
    Mr. Gorton. That is correct.
    Mr. Issa. Would you sell more or less software if you 
better protected your customer, the installer of the product, 
from inadvertent file sharing?
    Mr. Gorton. I suspect we would sell more.
    Mr. Issa. So if, like Peter Norton, the name from the past 
for us old folks, the DOS 3.3 type people, if you improved your 
product to have features that would reduce inadvertent file 
sharing, you would actually sell more product?
    Mr. Gorton. That is true. I believe we have done that. I 
think your conclusion is probably true.
    Mr. Issa. Let me ask you a couple of simple followup 
questions. Would it be hard to create a browser so that the 
user can simply, like the search engine or maybe even 
leveraging the Microsoft and Apple search engines, see what 
files are presently sharable and unsharable in red and black or 
whatever? Is there any reason that you couldn't create an easy 
ability for someone to see the folders that are vulnerable and 
the files that are vulnerable?
    Mr. Gorton. We already have the functionality you are 
talking about with two different colors. You can click one 
button to see all the files that you are sharing. We do our 
best to make it transparent specifically what people are 
sharing because we want people to be able to check to make sure 
they are not sharing anything they don't want to share.
    Mr. Issa. Would you be able to build an engine that allowed 
people to then en masse do a better job of protecting files they 
want to protect?
    Mr. Gorton. I guess I am not really quite sure what you 
mean by that.
    Mr. Issa. In other words, if I am looking at that, can I 
quickly click a red file and make it a black file or do the 
whole subfolder?
    Mr. Gorton. That functionality currently exists.
    Mr. Issa. OK. You protect basically DOCs and some of their 
equivalents, including HTML. Why didn't you include PSTs in 
that? That is unlikely that output from a Microsoft Outlook 
file, that is kind of an unusual one to want to share, isn't 
it?
    Mr. Gorton. I am not familiar with that particular file 
extension. It is possible that there are file extensions in 
this world that should be on our documents list which are not 
currently there. We can add them if there are.
    Mr. Issa. Going back to your model, you would be more 
popular if you did a better job of protecting your customers, 
you say. But you have a lot of files that you need to get to 
looking at and procedures to help protect them. Isn't that 
right?
    Mr. Gorton. We currently do a lot of things to prevent 
inadvertent file sharing.
    Mr. Issa. Let me ask one question, though. People buy 
LimeWire in order to be part of a file sharing community. But 
isn't the primary attraction of LimeWire the fact that there is 
a tremendous amount of LimeWire-based content out there that 
they are quickly able to download, including MP3s, MPEGs, and 
other video and visual files?
    Mr. Gorton. People download and install LimeWire primarily 
to share files. Media files are popular on that list.
    Mr. Issa. Let me ask the final, closing question. If you 
did a better job, although the individual customer would 
appreciate it, isn't your model then vulnerable? If you do a 
good job for me, when I go out to look there is less out there. 
Without the propagation or the huge amount of interesting 
content, your product sells worse.
    So don't you have an interesting conflict in which it is 
clear that you should be protecting your customers more but 
then, if you protect them and they all use the product, what 
ends up happening is less content is available and therefore 
the whole category is less desirable? Isn't that essentially 
your conundrum, that you benefit from a lot of good meaty, 
juicy shared material and that the failure of your software to 
protect me has more to do with the fact that you have to create 
this huge amount of content in order for your whole industry to 
do well?
    Mr. Gorton. I don't think there is a dichotomy the way you 
phrase it there.
    Mr. Issa. Thank you, Mr. Chairman. I appreciate your 
indulgence. I yield back.
    Mr. Tierney. That was the best one question we ever heard.
    At this time I want to recognize the chairman, Mr. Towns, 
for a brief statement. Then I will go to the remaining two 
people on the panel who have questions. Mr. Towns.
    Chairman Towns. I have to leave. Let me just say that from 
what I have heard today, it is clear that private citizens, 
businesses, and the Government continue to be victims of 
unintentional and illicit file sharing. At its best, with the 
proper safeguards in place, peer-to-peer software has great 
potential. At its worst, it isn't peer-to-peer but predator-to-
prey. For our sensitive Government information, the risk is 
simply too great to ignore.
    I am planning to introduce a bill to ban this type of 
insecure open network peer-to-peer software from all Government 
and contractor computers and networks. I plan to meet with the 
new chairman of the Federal Trade Commission to request that 
the FTC investigate whether inadequate safeguards on file 
sharing software such as LimeWire constitute an unfair trade 
practice. The administration should initiate a national 
campaign to educate consumers about the dangers involved with 
file sharing software. The FTC needs to look at this, too. The 
file sharing software industry has shown that it is unwilling 
or unable to ensure user safety. It is time to put a referee on 
the field and to begin to play by rules.
    Mr. Chairman, I yield back.
    Mr. Tierney. Thank you, Mr. Towns.
    Ms. Norton, you are recognized for 5 minutes.
    Ms. Norton. Thank you, Mr. Chairman. You see that there 
have been breaches of national security through what is only 
politely called inadvertent file sharing but the average 
American, I think, would have been even more concerned about 
their personal security and especially medical files. I can 
think of nothing more personal than medical information. I am 
with the President and people on both sides of the aisle who 
say that there will be lots of money saved if we could 
computerize these files so that they could be shared, getting 
beyond the point of how much that would cost, not to mention 
making them secure.
    Mr. Chairman, it probably was in my subcommittee that a 
number of hearings were held on computerizing the FEHB files, 
the files for Federal employees. I recall that the unions were 
basically for it but we always came up with terrible 
compunctions about the security of these files.
    Mr. Boback, in your testimony you apparently spoke of 
records from a hospital that had been inadvertently shared. 
This would be every person's nightmare when you talk about 
inadvertent sharing. They have already seen their personal 
records, their Social Security, and their financial information 
get leaked. In the case that you reported, the records contain 
not only the patients' names but their diagnoses and other 
sensitive information.
    How widespread do you believe the leaking of such 
information to third parties is from hospitals and medical 
facilities, Mr. Boback?
    Mr. Boback. It is extensive. As a matter of fact, that 
specific file has been out for nearly 16 months now on the 
peer-to-peer networks and has been taken extensively. It has 
been downloaded a number of times. So these individuals will be 
affected for years. In fact, they are not even aware that they 
are on the list at this point because they have never been 
told.
    Ms. Norton. That would be my next question. Their files 
have been breached in the most terrible way. The most sensitive 
information you have about a person is just out there in the 
stratosphere. Are patients generally informed that their 
information has been leaked?
    Mr. Boback. Forty-one of the 50 States require breach 
notification.
    Ms. Norton. Forty-one of the 50?
    Mr. Boback. Forty-one of the 50. At this time there is no 
national breach notification law. There should be. As patients 
travel across State lines for medical care, there needs to be a 
national breach notification law. I believe there was one 
proposed, H.R. 2221, that gives the FTC some oversight and 
actually punishment if organizations do not identify these to 
their consumers. That should pass.
    Ms. Norton. That seems, Mr. Chairman, to be minimally 
necessary. But let me ask you this: Suppose you do know. You 
can change your Social Security number maybe. You can take your 
credit cards and get new ones. What in the world can you do if 
information that is true and will forever be true about your 
medical condition is out there? So now you know it. What do you 
do?
    Mr. Boback. At this point there is not much to do. There 
are credit monitoring and identity theft systems that are 
trying to work toward protecting medical information, companies 
like LifeLock. They are trying to put these procedures in 
place. Are they there yet? No. But identity theft is evolving 
so rapidly that I will assure you that it is not just a $50 
credit card loss or a nuisance to the consumer. It will be very 
impactful to the consumer and the family in the upcoming years 
if this is not addressed immediately. This is out of control.
    Ms. Norton. Mr. Chairman, if 41 of the 50 States already 
understand this, it does seem to me with what you have been 
able to find at this hearing that we would want to bring 
forward a bill to make sure that this is done nationally.
    I might say that when it comes to the FEHB, our Federal 
employees here, until there is some such software in place, 
given our work force, it tends to be an older work force, I do 
not see how we could take this very important step that 
everyone knows needs to be taken in computerizing the records 
of Federal employees.
    Thank you, Mr. Chairman.
    Mr. Tierney. Thank you, Ms. Norton.
    Mr. Bilbray, you are recognized for 5 minutes.
    Mr. Bilbray. Thank you, Mr. Chairman.
    Mr. Gorton, I think that historically we have basically 
felt that it is the obligation of the consumer to protect their 
own files. That is part of the process that historically we 
have used. Basically, you have to at least move through the 
system and keep clicking to move those files across.
    What I am really concerned about is that history has proven 
that this is not just a consumer problem. There is the SWIF 
example where you had 300 people who are illegally in the 
country being able to access records and use those records for 
illegal employment. There are people who are able to use this 
document for other issues that we don't even know about. 
National security could be one of them.
    This issue is going to be addressed now, not just as an 
individual's privacy issue but as a national security issue. We 
need to be more proactive in making sure that this data is not 
out in the stratosphere. Are you ready to be more aggressive 
with your industry? Are you ready to be proactive working with 
this Congress at shutting down this opportunity to breach 
information systems that can be used as a threat to this 
country?
    Mr. Gorton. Absolutely. We worked with this committee in 
the past and I hope we have the chance to do so going forward.
    Mr. Bilbray. My question to you is if you were going to 
legislate from the Federal level, and I know this is counter-
intuitive for you to think about, but if you were going to 
legislate, what would you do to address this problem?
    Mr. Gorton. I touched on this earlier in my testimony. 
There are a number of problems where computers can essentially 
break the law or have these security issues. The unique point 
of control for every computer is its ISP. From a legislative 
point of view, that is really the only practical place you can 
attack because--let's say you have a child pornographer. If 
they are identified, as Mr. Boback's software can easily 
identify in an automated way many, many people very easily, if 
there were a quick and effective mechanism where his computer 
quickly routes a message to an ISP, maybe the child 
pornographer is cut off from the Internet or law enforcement is 
notified. Again, you have to come up with reasonable 
procedures.
    You have to ask some hard questions like under what 
circumstances we cut a computer off from the Internet. If he 
finds a document that has nuclear secrets, is that enough to 
shut the computer off first and then go do an investigation 
after? These are hard questions that need to be answered.
    In the first wave of regulations surrounding the Internet, 
I think there was a lot of euphoria with the Internet. There 
wasn't as clear of an issue of what the negative consequences 
of some of these amazing technologies are. We have a clear idea 
now.
    Again, in order to do this, you have to deal with the ISPs, 
which are basically telecom companies. I am sure you are aware, 
these are politically quite powerful institutions. But I don't 
think that it is possible for this country to really wrestle 
these questions to the ground without having the ISPs play a 
constructive role in that.
    Mr. Bilbray. Look, we were all enamored, too, with computer 
training and then we placed restrictions on the application of 
that technology. My question really gets into the fact, and I 
guess I would close with a challenge to you, that this isn't 
just about the technology application by certain agencies or 
certain companies. It is also a national protocol or procedure 
that tightens up and makes it more proactive to open up your 
record files. We need a procedure. We need to be looking at 
having regulations on this.
    You don't have to answer this but the challenge to you is 
not to be obstructionist. Be proactive at saying, ``OK, we have 
this procedure now.'' We think this, this, this, and this will 
make it harder or tougher for people to inadvertently transfer 
files and will basically make them more responsive. It will be 
less user friendly at opening up the files but will address the 
problem.
    That challenge of balance, if you want this committee and 
Congress to do the right thing, then you have to be willing to 
move from a historical position and be proactive. Take the hit 
to some degree, inconvenience the consumer to some degree, but 
address the crisis in a manner that is less obtrusive than what 
we would propose working from the regulatory side.
    I yield back, Mr. Chairman.
    Mr. Tierney. Thank you, Mr. Bilbray.
    I thank all of our witnesses for their testimony here 
today, and for their time and their expertise. We do appreciate 
it. I am sure the chairman has further intentions to followup 
on this issue.
    The meeting is adjourned.
    [Whereupon, at 11:40 a.m., the committee was adjourned.]
    [The prepared statement of Hon. Gerald E. Connolly and 
additional information submitted for the hearing record 
follow:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


                                 
