[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
INADVERTENT FILE SHARING OVER PEER-TO-PEER NETWORKS: HOW IT ENDANGERS
CITIZENS AND JEOPARDIZES NATIONAL SECURITY
=======================================================================
HEARING
before the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
__________
JULY 29, 2009
__________
Serial No. 111-25
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
http://www.house.gov/reform
U.S. GOVERNMENT PRINTING OFFICE
54-009 PDF WASHINGTON : 2009
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
DIANE E. WATSON, California
STEPHEN F. LYNCH, Massachusetts
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
MIKE QUIGLEY, Illinois
MARCY KAPTUR, Ohio
ELEANOR HOLMES NORTON, District of Columbia
PATRICK J. KENNEDY, Rhode Island
DANNY K. DAVIS, Illinois
CHRIS VAN HOLLEN, Maryland
HENRY CUELLAR, Texas
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
BILL FOSTER, Illinois
JACKIE SPEIER, California
STEVE DRIEHAUS, Ohio
------ ------
DARRELL E. ISSA, California
DAN BURTON, Indiana
JOHN M. McHUGH, New York
JOHN L. MICA, Florida
MARK E. SOUDER, Indiana
JOHN J. DUNCAN, Jr., Tennessee
MICHAEL R. TURNER, Ohio
LYNN A. WESTMORELAND, Georgia
PATRICK T. McHENRY, North Carolina
BRIAN P. BILBRAY, California
JIM JORDAN, Ohio
JEFF FLAKE, Arizona
JEFF FORTENBERRY, Nebraska
JASON CHAFFETZ, Utah
AARON SCHOCK, Illinois
------ ------
Ron Stroman, Staff Director
Michael McCarthy, Deputy Staff Director
Carla Hultberg, Chief Clerk
Larry Brady, Minority Staff Director
C O N T E N T S
----------
Hearing held on July 29, 2009
Statement of:
Boback, Robert, chief executive officer, Tiversa, Inc.; Mark Gorton, chairman, the Lime Group; and Tom Sydnor, senior fellow and director, Center for the Study of Digital Property, the Progress and Freedom Foundation
Boback, Robert
Gorton, Mark
Sydnor, Tom
Letters, statements, etc., submitted for the record by:
Boback, Robert, chief executive officer, Tiversa, Inc., prepared statement of
Connolly, Hon. Gerald E., a Representative in Congress from the State of Virginia, prepared statement of
Gorton, Mark, chairman, the Lime Group, prepared statement of
Issa, Hon. Darrell E., a Representative in Congress from the State of California:
July 28, 2009, screenshots in HTML format
Prepared statement of
Sydnor, Tom, senior fellow and director, Center for the Study of Digital Property, the Progress and Freedom Foundation, prepared statement of
Towns, Chairman Edolphus, a Representative in Congress from the State of New York, prepared statement of
INADVERTENT FILE SHARING OVER PEER-TO-PEER NETWORKS: HOW IT ENDANGERS
CITIZENS AND JEOPARDIZES NATIONAL SECURITY
----------
WEDNESDAY, JULY 29, 2009
House of Representatives,
Committee on Oversight and Government Reform,
Washington, DC.
The committee met, pursuant to notice, at 10 a.m., in room
2154, Rayburn House Office Building, Hon. Edolphus Towns
(chairman of the committee) presiding.
Present: Representatives Towns, Issa, Maloney, Cummings,
Kucinich, Tierney, Watson, Connolly, Norton, Cuellar, Hodes,
Welch, Foster, Duncan, and Bilbray.
Staff present: John Arlington, chief counsel,
investigations; Linda Good, deputy chief clerk; Neema Guliani,
investigative counsel; Adam Hodge, deputy press secretary;
Carla Hultberg, chief clerk; Marc Johnson and Ophelia Rivas,
assistant clerks; Phyllis Love and Alex Wolf, professional
staff members; Mike McCarthy, deputy staff director; Jesse
McCollum, senior advisor; Amy Miller, special assistant; Steven
Rangel, senior counsel; Julie Rones, counsel, full committee,
health; Ron Stroman, staff director; Lawrence Brady, minority
staff director; John Cuaderes, minority deputy staff director;
Jennifer Safavian, minority chief counsel for oversight and
investigations; Frederick Hill, minority director of
communications; Dan Blankenburg, minority director of outreach
and senior advisor; Adam Fromm, minority chief clerk and Member
liaison; Kurt Bardella, minority press secretary; Stephen
Castor, minority senior counsel; and Mark Marin and John Ohly,
minority professional staff members.
Chairman Towns. The committee will come to order. Good
morning and thank you all for being here.
Imagine for a moment that you had special software on your
computer that exposed many of the files on your hard drive to
searches by other people. Any time your computer is connected
to the Internet, other computer users with similar software can
simply search your hard drive and copy unprotected files.
Unfortunately, that is the sad reality for many unsuspecting
computer users.
Peer-to-peer file sharing software like LimeWire works in
just that way. Most people who use peer-to-peer software do it
to download music and movies over the Internet. Most people who
use it are totally unaware that they may expose some of the
most private files on their computers to being downloaded by
others.
Nine years ago this committee first held a hearing that
revealed that Government, commercial, and private information
was being stolen by peer-to-peer file sharing networks without
knowledge of the users. In response to congressional pressure,
the file sharing software industry agreed to regulate itself,
implementing a code of conduct to address inadvertent file
sharing. The efforts failed.
Two years ago at our July 24, 2007 hearing, LimeWire's CEO
Mark Gorton expressed surprise that sensitive personal
information was available through LimeWire. He pledged to
address the problem. That effort failed.
Over the last year alone, there have been several reports
of major security and privacy breaches involving LimeWire.
Information about avionics for the President's Marine One
helicopter and financial information belonging to Supreme Court
Justice Stephen Breyer were leaked on LimeWire. LimeWire does
not deny those reports but claims that recent changes to the
software prevent inadvertent file sharing.
To investigate LimeWire's assertion, the committee staff
downloaded and explored LimeWire's software. The staff found
copyrighted music and movies, Federal tax returns, Government
files, medical records, and many other sensitive documents on
the LimeWire network. Security experts from Tiversa found major
problems. Specific examples of recent LimeWire leaks ranged
from appalling to shocking.
The Social Security numbers and family information for
every Master Sergeant in the Army have been found on LimeWire.
The medical records of some 24,000 patients of a Texas hospital
were inadvertently released. Most of the files are still
available on LimeWire. FBI files, including civilian
photographs of an alleged mafia hit man, were leaked while he
was on trial and before he was convicted. We were astonished to
discover that a security breach involving the Secret Service
resulted in the leak of a file on LimeWire containing a safe
house location for the First Family.
As far as I am concerned, the days of self regulation
should be over for the file sharing industry. In the last
administration, the Federal Trade Commission took a see-no-evil,
hear-no-evil approach to the file sharing software industry.
I hope the new administration is revisiting that approach. I
hope to work with them on how to better protect the privacy of
consumers.
Today I look forward to hearing from our witnesses on the
impact of peer-to-peer file sharing, and particularly how
LimeWire proposes to help remedy the problems caused by its
software.
I now yield 5 minutes to the ranking member, Congressman
Darrell Issa of California.
[The prepared statement of Chairman Edolphus Towns
follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Issa. Thank you, Mr. Chairman. I think, as both of us
are saying in various ways, today is clearly deja vu all over
again.
Two years ago in July 2007, this committee brought to light
in a vivid but altogether too easy to demonstrate demonstration
that, by design or at least with knowledge and allowance,
unwitting sharing of personal information over this peer-to-peer
network was not just going on but was well known and going
on in a rampant way. I remember all too well the details of the
documents, including Social Security numbers, of a soldier and
his colleagues with the 101st Airborne. Those Social Security
numbers were there for everyone along with name, rank, date and
place of birth, and anything and everything one would need to
capture his identity and those of his colleagues.
It is very clear that little has changed. In preparation
for this hearing we noted that there was a brand new version, a
version that at least went part of the way toward protecting
the inadvertent loss of documents. But I say part of the way
because, as you can imagine, in the world of the Internet we
assume that you are protected unless you give up those
protections. That is not true of this software.
This software required essentially that for copyrighted
works you opt into protecting the software rather than having
to knowingly make copyrighted software available. You don't
simply check and never again have to worry about your copy or
someone else's copyrighted software being available to
everyone.
The committee's jurisdiction and the committee's primary
interest today are contained on this disk and could be
contained on thousands like it. These are zip files of names,
addresses, Social Security numbers, and income tax returns from
California once again showing that today, loading the current
software--I should more accurately say yesterday--my staff,
never having worked it before and with a brand new computer,
downloaded the latest software and went sight seeing to find
exactly what you might find. An engineer who only made about
$37,000 took a standard deduction. In fact, his information,
all of it, is available.
Mr. Chairman, identity theft should be at the heart of our
concern. I am personally on the Judiciary Committee and am
concerned about the copyrighted software, about the hundreds of
thousands and hundreds of millions of dollars that are being
stolen through peer-to-peer transaction. But I think that when
we look at the most important thing for the American people is
to close once and for all in no uncertain terms the loophole
that allows people's individual and sensitive information,
company information, and employee information to be
inadvertently and thoroughly disbursed in a way that leads
without a doubt to PayPal registration, to MasterCard
registration, and to the ruining of credit and lives.
Mr. Chairman, there is no question that we have come not
far enough in 2 years. I know that this hearing will shed more
light on it. But I will tell you that this disk, Mr. Chairman,
to me represents a referral to the AG and a referral to
California's Attorney General if we cannot be satisfied in no
uncertain terms that we have reached the end of this kind of
activity. Otherwise, as we say too often on this committee but
appropriately here, if you condone, allow, and induce this to
happen, you are guilty of cooperation and participation in
every criminal act that flows from the discovery of that
information.
Mr. Chairman, I ask unanimous consent to have the rest of
my opening statement placed in the record. I yield back the
balance of my time.
[The prepared statement of Hon. Darrell E. Issa follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Towns. Without objection, so ordered.
It is the longstanding policy that we swear in all of our
witnesses. Will you please stand and raise your right hands?
[Witnesses sworn.]
Chairman Towns. You may be seated. Let the record reflect
that the witnesses answered in the affirmative.
Mr. Robert Boback is the Chief Executive Officer of
Tiversa, Inc. Mr. Boback will conduct a demonstration of the
dangerous uses and activities of LimeWire that Tiversa has
uncovered through monitoring technology and work with the
Federal Bureau of Investigation.
Let me welcome you, Mr. Boback. We are now prepared to hear
your testimony.
STATEMENTS OF ROBERT BOBACK, CHIEF EXECUTIVE OFFICER, TIVERSA,
INC.; MARK GORTON, CHAIRMAN, THE LIME GROUP; AND TOM SYDNOR,
SENIOR FELLOW AND DIRECTOR, CENTER FOR THE STUDY OF DIGITAL
PROPERTY, THE PROGRESS AND FREEDOM FOUNDATION
STATEMENT OF ROBERT BOBACK
Mr. Boback. Thank you, Chairman Towns, Ranking Member Issa,
and distinguished members of this committee for the opportunity
to testify here today. As the chairman mentioned, my name is
Robert Boback and I am the CEO of Tiversa.
What we are about to show you is information that is
current. This is all within the last few months, disclosures
that have not been publicly released, so this information you
most likely haven't seen prior.
As Ranking Member Issa points out, identity theft is going
to be at the core of this. You will see that, despite the
regulations around identity theft, the FTC has not addressed
this fully. In fact, peer-to-peer is not even mentioned on the
identity theft Web site of the FTC for the 9 million victims.
You will find that this is where identity theft is occurring.
This is the harvest ground.
This is why your consumers will say they do not know where
or how identity theft happened. We are going to show you a
demonstration of just that fact. It affects every district.
There are millions and millions of individuals that are
affected.
If we could start through the demonstration, we are going
to highlight this in a number of issues. The first one, of
course, is the national security implication, of which there
are many. What we are starting here, these are just excerpts
from some of the files. They have been redacted. These are all
military troops, hundreds of thousands of troops' Social
Security numbers, different rosters, different information from
around the world with their next of kin, their children's
names, their Social Security numbers, and their dates of birth,
as Ranking Member Issa pointed out. Again, it goes on and on
and on. These are all current. They are still all available, by
the way, on the peer-to-peer.
If we could go on to the next one, as pointed out in the
opening statement of the chairman, this is the safe house route
for the U.S. Secret Service when they have to evacuate the
First Lady in this case. This is found on the peer-to-peer.
This is the location. I don't know how much the U.S. Government
spends in preparing a safe house location but I presume it is
pretty expensive. All of that is lost based on this information
being disclosed.
Now the safe house has to be moved. The locations have to
be moved. We of course redacted all of this in order to protect
what is left of the security of this. Some of the other
information is the motorcade route.
The next one, Sam? As you can see, this was a breach just
as of yesterday. We found this yesterday but you can see the
date, July 5, 2009. This is the entirety of the U.S. nuclear
information, all of our facilities, everything. This is from
the United States. This is from the President with the
President's information listed on here, every nuclear facility
and all the secure, highly confidential information. As you can
read on the top, it says "highly confidential, safeguard
sensitive." This is every nuclear agency, every facility.
The problem is that we found this in France, in four
locations in France, not in the United States. Other countries
know how to access this information and they are accessing this
information. This was, you can see the date.
If we push on to the next slide, this was the cover letter
on it, right from the President of the United States with
Barack Obama's signature at the end, with his writing at the
end. This is not even subject to a FOIA request. You couldn't
get this information on a Freedom of Information Act. You can,
however, access it on the peer-to-peer in free open text. It
just doesn't make sense.
Switching over to another issue, again, identity theft,
medical identity theft is hugely on the rise. People understand
that they are looking for credit card information. I get that.
But I don't look at my explanation of benefits from my
insurance provider like I look at my credit card statement. I
will tell you that you should because the identity thieves
will. A medical insurance card is like a Visa card with a
million dollar spending limit. They will buy online drugs,
OxyContin, Viagra, and by the time you go to the doctor next
time, all of a sudden the doctor has you listed as an OxyContin
addict when you have never taken it in your life. This is the
problem.
This information has come out of a hospital, as you
mentioned, in a southern State. Individuals will say, "I don't
even use peer-to-peer; I have never downloaded a thing so I am
safe, right?" Well, have you ever been to the emergency room?
You just might not be safe. That is exactly what happened to
these 20-some-thousand individuals. All they did was go to the
doctor. They provided their information--as they should--to
their facility for the insurance billing. At the billing
company someone was listening to music while they were typing
in their data entries and what ended up happening is that
24,000 victims are affected.
In this specific case we informed the company. This
actually was the only one that occurred over a year ago. It
occurred over a year ago and through our client, which was a
large insurance carrier, we told the hospital that this was
disclosed. Unfortunately, they said it is not their problem. It
is not their problem. They don't want to go out publicly and
say that they disclosed 24,000 individuals.
There is a House bill, H.R. 2221. H.R. 2221 provides
for a national breach notification. It is long overdue. Forty-one
of the 50 States have breach notification laws and they
vary in their severity. This hospital is a clear case. The
State of Texas does have a breach notification law and this
hospital is in direct violation of it. They have known about
this for over a year. They haven't even told these victims that
they are victims, so these people have been the victims of
identity theft.
The hospital was clearly negligent for handling this
information in the way that they have but this is what you see.
This is the pattern. No one wants to say, gosh, I had a data
breach and it is my responsibility to address it. So there
needs to be legislation in order to force companies to do the
right thing. You would hope that they would do it without the
pressing.
Back up one, Sam, please. This is a Midwest-based HIV
clinic with people's most sensitive information. These are AIDS
victims, 184 patients, who are now victims of identity theft.
The clinic released their information and has not addressed it.
This information is still out there.
This is everything you need as an identity thief. Why would
you ever dive in a dumpster, which the FTC calls out as the No.
1 reason where people get it? I can get 184 just from this one
file and thousands from the other files.
As we continue on, we have a major pharmaceutical company,
information on all of their research. It has everyone and where
they are going.
It affects even the most robust security measures, which is
what we are seeing. All of these companies have firewalls,
anti-virus, intrusion detection, intrusion prevention, and
encryption. Yet where is the security? There isn't any. They
don't address it because the awareness isn't there. They say
they don't allow downloading of peer-to-peer or that is a
recording industry problem. No. In fact, it is their problem.
Companies need to do this. Just as when anti-virus started out,
it was unheard of at the beginning and then it evolved. That is
how security and technology evolves.
This information is out. If you have ever gone to a doctor,
your complete patient records, everything, your SOAP notes, if
you will, are all out there as well. Continuing on, there is
behavioral health information, again, all with Social Security
numbers. Everything we are showing you is a Social Security
number in here.
Continue on. This is one. If you have ever gone to the drug
store and were buying Sudafed, you are required to give your
driver's license information because they keep track of that
for methamphetamine labs. The problem, though, remains that you
now gave your driver's license information to buy Sudafed
because you had a cold and now you could be the victim of
identity theft around the Nation because that information may
or may not have been secured. If it is not secured, as this one
wasn't, you are now exposed. You are exposed forever. They may
not even tell you when they find out. There is a serious issue.
Then, moving on from there, here is an interesting example
for corporations nationwide. This is an enormous organization
that all of you have heard of. Unfortunately, we can't give the
name in an open environment because this is a publicly traded
company that is very well known in the Fortune 500. This
individual is an M&A executive, the mergers and acquisitions
executive that handles all of the M&A activity for the
organization.
In doing that, they were using peer-to-peer and exposed a
file called a PST file. A PST file is your archive of your
emails. It is you. Imagine someone being able to open up your
Outlook and read every email that you sent, open every
attachment, and also open your calendar to see what conference
calls you have, the dialing numbers, and the pass codes. That,
in fact, is what happened in this case.
I am sure that the SEC would have an interest in looking at
companies that do this and have this information. Not only are
the emails on there but they also have the attachments of every
acquisition that this company is going to make and the ranges
of which they are willing to pay for these. As the next slide
will show, it also has the financial information all the way
listed through the third quarter, as you can see, third quarter
2009.
Now, if you were an investor, there is market manipulation
that could happen from here because you know the internal
financials of what the company is going to do for the next 3
months or 6 months. I know what the stock is going to do
because I see your financials. This information has to be
protected. Again, they use state-of-the-art protection and
spend millions of dollars on their security, yet this is still
a problem.
Going forward, there are other financial institutions with
thousands, 5,000 entries of client information, of exposures on
mortgage information. Here on the next file there are 12,000
credit card numbers. Again, this is identity theft.
Continuing on, as the chairman mentioned, these are photos,
and we have redacted the photos to protect this, the organized
crime case that we were talking about. These are their
surveillance photos of an organized crime. This is a murder
trial. These photos were disclosed while the trial was in
process. There was no conviction before this. Who disclosed
them, we still haven't investigated yet. But this was just
found. Literally, the individual in the photos here is actually
behind bars now on a life sentence. But this was disclosed
while he was on trial.
On the right hand side, Sam, could you jump up one?
Obviously, in an organized crime case you don't want to
disclose the Government witness list for obvious reasons. As
you can see on the right hand side, we blurred it out so that
you can't see the names, that is the entire confidential
Government witness list in an organized crime case. Many of
these people are in the Witness Protection Program. There is
their information. This is not what you want to have out there.
The next slide as we continue on, as Ranking Member Issa
mentioned, there are tax returns from all over Brooklyn,
Arizona, Massachusetts, Maryland, and Vermont. We could have
gone on through all 50 States and had thousands of them from
any 1 of these 50 States. This is where identity theft is
happening. It is not out there; this is where it is happening.
If you have been the victim of identity theft and you didn't
lose your purse or wallet, think peer-to-peer because that is
where it happened.
As we go on, Sam, we are going to show a video. We are not
on that one yet. We are going to do the tax return video. I
want to show you using LimeWire. Tiversa has technology that
allows us to see the entire network. We are going to use
LimeWire. We did a LimeWire video here just to show you how
easy it is for individuals to gain access to tax return
information.
Using LimeWire Pro here, we typed in "tax return." There
are five connections that you are connected to. We use this
because people say you have fancy technology and that is the
only reason you can gain access to this. No, it is not. He
typed in "tax return." There are only five connections so it
is not even widely connected. As you can see, it is small on
the screen, there are just hundreds of tax returns coming in.
This is not using our technology. So, as you can see, it is
this simple. This is in real time so you could click on any of
those tax returns. That function used was a "browse host"
function. Again, this software is still out there.
Download the tax return and literally within minutes, as
you are going to see here, it is downloading a couple of tax
returns. We are going to show you just how easy this is as this
loads in. Here they are coming in at the bottom there. As we
click on those, you are going to see that this individual used
H&R Block. It is not a problem with H&R Block. That is just who
they used. They saved a copy of it.
That person used TurboTax. As you can see, there is their
Social Security number. There are their children's Social
Security numbers. It is that simple. Why would you ever
dumpster dive? It is right there. That is not our technology;
that is theirs. It is that information.
Sam, switching to information concentrator, we will show
you that individuals do this. We call them information
concentrators or identity thieves. This individual right here
is an individual in Arizona. If you could see all the files
that they have, this individual does exactly what I just showed
you. He is collecting tax return files to sell them on the
black market. We are working with the FBI to address this right
now.
This is an investigation here. This individual has 1,800
files, if you can see with how small that is. He is just
scrolling through all of those tax returns. All of those
victims are identity theft victims. They are all going to be
victims of identity theft if they haven't been already.
Many have already been victims of identity theft. But my
Social Security number has been my Social Security number for
38 years and it will continue to be. So if someone has mine
maybe they will wait a year or 2 years. Then they will do a
thing like file my tax return for me. Yes, that is right. That
is the new identity theft. I will file your tax return for you
in January.
In January, I will steal your return because no amount of
monitoring, nothing is going to stop me. I will take the
return. The U.S. Government, the Treasury pays that money. In
working with the IRS, they told us that is $20 billion a year
in cost to the U.S. Treasury, $20 billion a year of individuals
filing someone else's tax return and stealing the refund. This
is what is going down and this is how it is happening. This is
how they gain access to the information.
Again, just to close it all up, I am showing the Eagle
Vision, our software. I am going to show you our software
running here. It actually hits even closer to home as a parent
of three daughters. These are, we can't even show this all
because of the nature of it. This is our software running live
right now. Every one of those little blips along the bottom
there, those red little blips on the screen, every one of those
is an individual that is either a child predator or child
pornographer.
That is happening live right now, taking information, child
pornography. That is only child pornography. Here is a 4-year-old,
a 5-year-old. You can see the searches as they go by.
These are individual searches happening right now. This is live
right this second. All of those little red blips, every one of
those was a child pornographer. This is felony possession, 5
years. You can't even possess it but they are not afraid on
peer-to-peer because they know security can't catch them. So
this is what is happening.
Behind that, Sam, flip to the screen. This individual, we
had to black it but this is a famous NASCAR driver. He is very
well known. That is why I didn't want to show his face. That is
an innocent picture of him with his son. There is nothing wrong
with this. We found this picture in an investigation with the
FBI in the hands of a child pornographer.
Here is what they do. They take your picture which you may
have on your computer and they will take it off of your
computer. They will put that innocent little boy, the son of
the NASCAR driver, in amongst the pictures of indecent
pictures. What it will do is it will make law enforcement think
that it is that person. They will only show midsections of the
indecent pictures but once they show a face, obviously law
enforcement is going to deduce that is the face of the victim.
And in an effort to try to find the victim, it actually turns
you the wrong direction.
Imagine if this NASCAR driver were a potential victim in a
sexually explicit case. It could ruin his career and he didn't
do anything wrong. His daughter downloaded a peer-to-peer
client, had it on her system, and she had a picture of her dad
and her brother. That is nothing bad, but this is what happens.
In closing, I would like to say that clearly there is a
problem. There are a number of recommendations. Obviously a
number of Government agencies are disclosing information across
the board. Why are they not monitoring for this information?
This would be like a bank shutting off the security cameras and
saying the vault is safe enough so I don't need to worry about
watching it. It doesn't make sense. All Government agencies
should monitor for this information. You can't disclose this.
We can't be the victim.
These military individuals were disclosed by the military.
You can't have that. We saw the press that it got when the body
armor wasn't approved. Imagine these troops fighting. They are
trying to stay off of an IED. They don't want to check their
credit. They are not doing that. They are coming home and they
are being victims of identity theft. We can't have that happen.
There is legislation with H.R. 2221 that should be out
there to give the FTC power to do this. As of now, they don't
have the extensive power that they need. The DSS, the Defense
Security Service, should look for the defense contractors that
are disclosing information. The SEC should look and the FTC
should also be engaged in changing their Web site to do that.
I apologize. I know I was over time. Sir, I will yield
back.
[The prepared statement of Mr. Boback follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Towns. Thank you very much, Mr. Boback.
Mr. Gorton is the chairman of Lime Group and founder of the
world's most popular peer-to-peer software called LimeWire. Mr.
Gorton, I will give you 10 minutes to respond.
STATEMENT OF MARK GORTON
Mr. Gorton. Thank you, Chairman Towns and Ranking Member
Issa. My name is Mark Gorton and I am the founder and chairman
of LimeWire, LLC.
I am happy to be able to report that since the July 24,
2003 hearing on inadvertent file sharing, LimeWire has made
great progress in addressing inadvertent file sharing. With the
most recent versions of the LimeWire application, the problem
of inadvertent file sharing for current LimeWire users has been
eliminated. The LimeWire team has put a huge amount of effort
into resolving this problem. We have redesigned and re-engineered
the entire user interface for the application. This
has been a large task and our efforts have proved worthwhile.
The current version of LimeWire does not share any
documents by default. In order for a LimeWire user to change
their default settings to enable document sharing, they have to
click nine times and disregard three warnings. Even then, if a
user shares a folder, LimeWire will not share the documents in
that folder.
In LimeWire 5 there are no shared folders, meaning that if
a user elects to share a folder, they are only electing to
share the contents of that folder at that particular time.
Nothing will be shared that a user adds to that folder at a
later point in time. All LimeWire versions 5 and above
automatically unshare documents that a user may have shared
using an earlier version of LimeWire 4.
I am confident that with the recent versions of LimeWire
all sharing is intentional sharing. From the vast improvements
that LimeWire has made on the front of inadvertent file
sharing, I hope that the members of this committee can see that
LimeWire is sincere and dedicated to working with this
committee. In addition to this committee, LimeWire has
successfully worked with the FBI, the New York State Attorney
General's Office, and the FTC on a range of issues surrounding
P2P file sharing.
Unfortunately, the popular perception of LimeWire regarding
inadvertent file sharing fails to match LimeWire's excellent
record in addressing these problems. A good part of this
misperception is due to the highly inaccurate and misleading
report produced by Tom Sydnor of the Progress and Freedom
Foundation. Mr. Sydnor's report is deceptive and filled with
factual errors and misleading statements. The number of issues
with Mr. Sydnor's report is too large for me to cover in my
summary statement so, for the benefit of this committee, I have
submitted a detailed critique of Mr. Sydnor's report in my
written statement.
It is probably worth me going a little bit into the
technical details of how file sharing networks work so that
people can understand the relationship of LimeWire to the file
sharing networks in the world. LimeWire the application speaks
a protocol called Gnutella. There are many common Internet
protocols. There are the email protocols, the World Wide Web
protocols, and FTP protocols. Using these open protocols, many
applications that speak these protocols are capable of
communicating with each other. So by using LimeWire, you are
capable of communicating with dozens of applications that speak
compatible protocols.
When you do a search with LimeWire, you are not just
talking to other LimeWire programs in the world. You are
talking to dozens of other different types of programs, most of
which are produced outside of the United States. So it is
important to keep in mind that even though you might actually
be using LimeWire, the results that you get with LimeWire don't
necessarily come from another LimeWire client. It is somewhat
analogous to the World Wide Web. You have Internet Explorer,
you have Safari, and you have Firefox. Using each of those
applications you can access a Web site, but the Web site that
is being seen may not have anything to do with those particular
applications.
It is certainly true that in the past LimeWire has had
issues with inadvertent file sharing. We have worked very hard
to address those issues. I would like to point out that while
using the recent versions of LimeWire it would have been very
difficult for any individual to share any of the documents that
Mr. Boback has shown us recently.
I do understand that inadvertent file sharing is a problem
in this world. LimeWire is committed to helping address it. But
LimeWire is one company in a field where there are hundreds of
P2P applications in this world. We are doing our best to set a
standard that we hope other file sharing companies can follow.
But most of these creators of file sharing applications are not
based in the United States. They may not even be corporations.
So I think it is important for the committee to understand when
they are considering regulations in this regard the somewhat
complicated nature of peer-to-peer networks in the world.
In addition to inadvertent file sharing, there are a couple
of other issues that I would like to at least cover in my
opening statement and potentially in the question period. I
would like to point out that LimeWire has been working to build
a collaborative relationship with the recording industry.
LimeWire has built a store for digital media at
store.limewire.com which currently has over 3.5 million MP3s
available for purchase. In addition, LimeWire is actively
building an advertising solution to allow participating content
holders to profit from advertising related to their media.
Many of the very most senior people in the music industry
support working constructively with LimeWire but building an
industry-wide consensus on a policy change regarding P2P has
been a slow and grueling process. After many meetings with
record industry executives, I am convinced that the industry
recognizes the benefits of embracing P2P in order to stay
relevant going forward.
I would also like to take this opportunity to discuss the
current regulatory environment surrounding copyright and the
Internet. The history of copyright regulation is one where new
technologies have created issues for the old regulatory system.
Then the new regulatory system was updated to take into account
the abilities of these new technologies. The Internet has
transformed media distribution and consumption, yet copyright
regulation is yet to be updated to account for the new
capabilities of digital technologies. The current lack of
practical copyright enforcement mechanisms has put the
recording industry in the unfortunate position of being pitted
against its customers and technology companies.
As a technologist, I have a good sense of the range of
technical possibilities available to regulators as they
consider updating regulations surrounding the Internet. The
Internet is not un-policeable. With determined targeted
regulation, almost any level of control of the Internet is
possible. As Mr. Boback has shown, technology can play a role
in this. The fact is, using and leveraging technology, law
enforcement officials can with one person monitor millions and
millions of computers. A lot of the behavior that is currently
going on, with a little bit of technology, probably can be
remedied fairly quickly. I think law enforcement has been a
little bit behind the curve in using technology to police the
Internet.
In addition to simply law enforcement, it is also worth
keeping in mind on the judiciary side that currently the
procedural overhead in dealing with crime that occurs on the
Internet is very time consuming and difficult to address. I am
sure Mr. Boback can testify to that in terms of what it takes
to contact the FBI, to get files taken down, and things like
that. It is possible to set up enforcement mechanisms that are
nearly automated. If we were to have a proper enforcement
regime out there, it would be possible to simply address many
of these problems.
I think it is very important to keep in mind the need to
address the problems at the root point of control. Every
computer on the Internet is connected through an Internet
service provider. That is a unique point of control for that
single computer. That Internet service provider can cut off
access to the offending computer. I understand that when
addressing these issues LimeWire is the superficial interface
to all of these problems.
As you are well aware, LimeWire is now the most popular
peer-to-peer file sharing application. It hasn't always been
that way. There is a list of file sharing applications that
have come before LimeWire. Certainly there were Napster, Kazaa,
Morpheus, BearShare, and iMesh. There is quite a long list.
Most of the regulatory efforts, or perhaps prosecutorial
efforts, on the part of the recording industry have focused on
file sharing applications.
But those file sharing applications are by no means a
unique point of control. Consumers have the ability to switch
between them very, very simply. So I think when people are
considering regulation, it is very important to consider the
effects of that regulation.
Thank you.
[The prepared statement of Mr. Gorton follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Towns. Thank you very much, Mr. Gorton.
Mr. Sydnor is senior fellow and director of the Center for
the Study of Digital Property at the Progress and Freedom
Foundation. He will testify about issues discussed in the
recently published paper entitled, ``Inadvertent File Sharing
Re-Invented: The Dangerous Design of LimeWire 5.''
Mr. Sydnor.
STATEMENT OF TOM SYDNOR
Mr. Sydnor. Thank you, Chairman Towns, Ranking Member Issa,
and honorable members of the committee. I thank all of you for
holding this, the committee's third hearing on inadvertent file
sharing.
I note in his written testimony that Mr. Gorton has said
that 2 years ago after the last hearing ``LimeWire began the
process that culminated in all but eliminating inadvertent file
sharing with the LimeWire application.'' Recent media reports
from, for example, Today Investigates as well as Mr. Boback's
testimony make clear that statement is simply not true. In my
testimony today I hope to explain a little bit about why.
The essential question in this hearing is, as I think the
ranking member phrased it, is this ``deja vu all over again.''
After the committee's 2003 hearing identified two features in
file sharing programs that had been shown to cause what I would
call catastrophic inadvertent file sharing, that is to share
thousands of personal files that clearly no one would ever want
to share over the Gnutella file sharing network, after that
hearing highlighted the dangers of those features, LimeWire
worked with its then trade association, P2P United, to develop
a code of conduct that would have prohibited their use.
It looked as if the problem was solved. But what actually
happened is that LimeWire went out and actually systematically
disregarded that code of conduct, incorporating both of those
features into its program. As a result, LimeWire found itself
starring in many of the high profile incidents of catastrophic
inadvertent file sharing.
Now in the aftermath of the committee's 2007 hearing,
LimeWire found a new trade association, the Distributed
Computing Industry Association, and worked with it to
promulgate a new set of industry self-regulations which it
allegedly implemented in the versions of its program called
LimeWire 5. LimeWire provided compliance data that led its
trade association to deem it the poster child for compliance
with those voluntary best practices.
The question is, has LimeWire this time actually done what
it claimed it would do? In my report, the Inadvertent File
Sharing Re-Invented: Dangerous Design of LimeWire 5, the answer
is clearly no. It has not. Nothing that has happened since the
release of that report changes that conclusion. Essentially, my
report identified three fundamental problems in the recent
versions of LimeWire that we could call LimeWire 5.1.
First, these programs are dangerously unpredictable. The
simple truth of the matter is this: Mr. Gorton says his program
won't share document files by default. If you will look in my
written testimony, you will find a screenshot taken this
weekend on a test computer that was set up to look exactly like
my personal computer at home, my main home computer, which is
to say that it had 16,798 document, image, video, and audio
files stored in subfolders of its My Documents folder.
In this test computer there was no version of LimeWire
presently installed. I completed a default installation just as
Mr. Gorton described in his 2007 testimony by clicking next,
next, next all the way through the process. The result was
16,798 files shared, including document files, shared by
default simply by installing the program.
That is an entirely unacceptable result. That is LimeWire
5. The truth of the matter is that if any normal computer user
installs this program on an ordinary home computer, they have
no way to know what it will do to them by default. It is
dangerously unpredictable. It is dangerously unpredictable
because LimeWire has failed to correct the causes of that
dangerous unpredictability that have been disclosed to it for
years.
The second fundamental problem is that it manifests at
least eight violations of the voluntary best practices that it
supposedly implements. These are not technical violations.
These are violations of the key substantive requirements. There
are eight. LimeWire appears to be taking voluntary self-regulation
no more seriously in 2009 than it did in 2003.
Finally, what LimeWire told the committee in a letter dated
May 1, 2009 is that it had eliminated the problem of
catastrophic inadvertent sharing of sensitive files by
eliminating from its program something it called ``recursive
sharing of folders.'' This means that if you selected a folder
to be shared, not only would you share the files in that
folder, you would share all the files in all of its subfolders.
This design is indeed extremely dangerous. It enables one
mistake to result in the sharing of literally thousands of
files, personal files, all your documents, all your family
photographs, all your scanned documents, all your home movies,
and your entire music collection.
If that happens, you are set up for at least three forms of
financial ruin. You can lose your job. You can become a victim
of identity theft. You can be sued for copyright infringement.
There are devastating results from virtually every type of file
you would be sharing.
Chairman Towns. Could you summarize, Mr. Sydnor?
Mr. Sydnor. Pardon?
Chairman Towns. Could you summarize?
Mr. Sydnor. Certainly. The short of it is that LimeWire's
own Web site design proves that it knew that this design was
dangerous. Has it corrected it in LimeWire 5.2.8? No. What it
did was to take out the dangerous feature that I identified in
LimeWire 5.1 and reinsert an old dangerous feature, the
recursive sharing of folders.
Mr. Gorton's written testimony tells you that there are
three ways to share files in the most recent version of his
program. That is wrong. There are four. The fourth way is to
click the ``Add Files'' button revealed in his own screenshots.
There you will once again be recursively sharing folders, the
very feature that Mr. Gorton and his trade association told
this committee and other committees was the cause of
catastrophic inadvertent file sharing.
We are not, still years later, witnessing good faith
behavior. Thank you.
[The prepared statement of Mr. Sydnor follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Towns. Thank you very much. Let me thank all of
you for your testimony.
Mr. Gorton. Mr. Chairman, may I make a brief comment?
Chairman Towns. You will have an opportunity.
Mr. Gorton, the latest edition of LimeWire came out just
last week. Are you telling us that the latest edition of
LimeWire prevents unintentional file sharing?
Mr. Gorton. I believe in almost all cases it prevents
unintentional file sharing.
May I briefly comment on Mr. Sydnor's statement? He tells a
story of installing LimeWire on a computer that has no LimeWire
currently installed and by default it shares thousands and
thousands of files, including documents. I think it is
important to point out what Mr. Sydnor didn't state. Again, I
am assuming that this was the same thing that was in his
written report.
In order to achieve the result that Mr. Sydnor just
described, what he had to do was install a version of LimeWire
on a computer and turn off all of the security settings that
prohibit document sharing. Again, that single step in itself
takes nine clicks and three warnings. He had to proactively go
and share thousands and thousands of files.
So he basically sets up the program for the most dangerous
possible situation. He then uninstalls LimeWire from his
computer, which uninstalls the program but does leave settings.
That is common industry practice. I mean, this is what is done
by Microsoft, by Apple, and by Google. This is how settings are
generally kept when programs are uninstalled. He then goes
through the steps that he refers to in his testimony where he
installs a new version of the program which then has its
prompt.
But a user who affirmatively goes and sets up his computer
and disregards so many warnings, at some point people do
actually wish to share files. It is not that all sharing is
inadvertent sharing.
I would just like to point that out as just one example of
the methodological tricks that Mr. Sydnor plays in his reports.
I would just encourage you to be careful and look very hard at
his statements. I read his report and I was sort of shocked at
first until I started parsing the words. It is a very cleverly
worded report but I don't find it to be very accurate.
Chairman Towns. Mr. Sydnor.
Mr. Sydnor. Thank you, Mr. Chairman. To frame what Mr.
Gorton just said in a slightly different way, what I did is
exactly what the Bucci family profiled in the Today
Investigates report on inadvertent file sharing back in 2009
did. What happened is that their daughters installed a version
of LimeWire on the family computer but misconfigured it.
The next thing you know, the family is inadvertently
sharing tax returns and becomes the victim of identity theft.
Then the Bucci family did exactly what you would think a normal
person would do when they discover that type of problem. They
uninstalled the program. That is exactly what I did in my test
setup. I set up a version of LimeWire, created inadvertent file
sharing, and then, to correct it, uninstalled it just the way
an ordinary consumer might do.
In other words, the hypothetical that I presented to the
committee is not at all hypothetical for the Bucci family or
probably hundreds of thousands of other families and computer
users who have uninstalled some version of LimeWire 5. Mr.
Gorton is asking you to accept the proposition that if somebody
removes his program from their computer, that indicates their
desire at some point in the future to restart all of the
sharing that it might have been causing. That assumption simply
does not accord with reality.
The difference between Mr. Gorton's account of how his
program behaves and my report is that I try to look at how
ordinary people would actually be using this program. Mr.
Gorton is talking to you about ideal situations. Yes, if you
install his program on a computer that you know no third party
has ever had access to and you know that you have never ever
installed any version of LimeWire on even years earlier, it
will not share files by default. But that is not the ordinary
situation for an ordinary family computer. It is certainly not
the situation with mine and certainly not the situation for
your constituents. Thank you.
Chairman Towns. I am going to ask you some questions now
because my time is about to expire on me.
Mr. Gorton, the testimony we heard this morning
demonstrates that there are still major problems with the most
recent version of your software. By default it shares
downloaded files. By default it shares images, music, and
videos that may have been inadvertently shared in previous
versions of LimeWire. It leaves behind hidden files when a user
attempts to completely remove the software from their computer.
Why haven't you fixed these problems and when will you fix the
problems?
Mr. Gorton. Mr. Chairman, I am sorry. Let me just quickly
address Mr. Sydnor's most recent answer.
Chairman Towns. But my time is expiring.
Mr. Gorton. The example he just gave about the Bucci family
where the daughter accidentally set things up to share files, I
strongly suspect that probably happened with a version of
LimeWire 4 and not LimeWire 5. If there was an old version of
LimeWire 4 that was uninstalled, if someone installs a version
of LimeWire 5, it automatically unshares all documents,
including tax returns. This is even if you upgrade from a
version of LimeWire 5 to a new version of LimeWire 5. It puts
up a warning that says, do you want to share these? It makes
you very conscious of these things.
We have worked very hard to try and bring all of these
issues up to the front and make it very transparent to users.
Mr. Issa. I would ask unanimous consent, Mr. Chairman, for
you to have such time as may be necessary for them to answer
your questions.
Chairman Towns. Thank you very much. Because we try to run
this committee by rules.
Mr. Gorton. I am sorry but would you mind repeating the
question?
Chairman Towns. I would be delighted to. First of all, let
me go back. The testimony we heard this morning demonstrates
that there are still major problems with the most recent
versions of your software. By default it shares downloaded
files. By default it shares images, music, and videos that may
have been inadvertently shared in previous versions of
LimeWire. It leaves behind hidden files when a user attempts to
completely remove the software from their computer. My question
is, why haven't you fixed these problems? I guess the second
part will be, since you haven't fixed them, when will you fix
them?
Mr. Gorton. I think as I just said, I believe that most of
the problems that you are talking about we actually have
already fixed. Again, I would caution you to be very careful of
taking the testimony that you hear literally. I would encourage
you to go through the steps that Mr. Sydnor----
Chairman Towns. You saw the demonstration.
Mr. Gorton. Yes. I am not saying that inadvertent file
sharing does not happen in this world. What I am saying is that
the sorts of things that you are seeing would be very unlikely
to happen with the current version of LimeWire. There are
hundreds of file sharing applications in the world. There are
dozens of different file sharing applications which LimeWire is
capable of searching. So the fact that you are seeing tax
returns and other documents that were shared inadvertently does
not mean that they are coming from a new version of LimeWire.
I will say that probably many of those documents are coming
from old versions of LimeWire. I would encourage all people in
the world who are running old versions of LimeWire to upgrade
to the new versions to address these problems. Unfortunately,
though we have done our best to try to communicate to people to
upgrade to the new versions, we have not been able to persuade
everyone to do that.
Chairman Towns. Mr. Gorton, reading back over your
testimony from the last time, you are basically saying the same
thing you said then. I just want to let you know that.
I now yield to the ranking member.
Mr. Issa. Thank you, Mr. Chairman.
Mr. Gorton, you said you are a technologist in your
statement. Some would say I am an old technologist so bear with
me. Do you know who Peter Norton is?
Mr. Gorton. Of Norton Anti-virus?
Mr. Issa. Yes.
Mr. Gorton. I have heard of him.
Mr. Issa. I go back to when he was just Peter. That is how
old I am.
What was his goal in his product from what you can see from
Norton Anti-virus? Wasn't it to protect customers from losses,
from damage to their computers? Didn't he create a whole
industry to do it? These are semantics now, but isn't that the
history?
Mr. Gorton. I believe so.
Mr. Issa. Are your customers less important to you than his
customers?
Mr. Gorton. No.
Mr. Issa. Do you try to protect your customers?
Mr. Gorton. Yes, we do.
Mr. Issa. OK, then let us go through some steps. Why is it
that you still have 4.18 on your site? You still offer today
for download out of date software that is inherently more
vulnerable by your own statements. Why do you still do that?
Mr. Gorton. I am not aware of us doing that.
Mr. Issa. My own people who are not technologists checked
on it today. It is still there.
Now, you talked about de facto standards. You quoted
Microsoft. I will leave Microsoft out of it for a moment. When
I uninstall your product, do you provide an uninstall
capability?
Mr. Gorton. Yes.
Mr. Issa. So you don't rely on the default of Microsoft.
You control the uninstall. Isn't it true that when you
uninstall with your own software, your software programmers or
your technologists could move those switches back or allow the
customer to make that decision? Isn't that something you could
easily write into the code?
Mr. Gorton. Yes.
Mr. Issa. OK. So you still have the old software. You have
an uninstall routine that does not, in fact, re-protect or
offer an opportunity to re-protect the customers. Isn't that
true, at least as of today?
Mr. Gorton. So document sharing is turned off by default in
LimeWire 5. In LimeWire 4, when you reinstall----
Mr. Issa. No, no. Hold on for a second. I have LimeWire
4.18.
Mr. Gorton. Yes.
Mr. Issa. I update to LimeWire 5.2.8.
Mr. Gorton. Yes.
Mr. Issa. I go to uninstall. Does your software give me the
opportunity to fully protect, to take those items which I had
maybe chosen to turn on or not, I notice, by the way, that MP3,
MPEG, and so on are not on this list but DOC, WRI, DVI, LaTeX, and
so on, do you in your uninstall provide the re-protection or do
you leave it sort of switched as it was?
Mr. Gorton. If you have a version of LimeWire 4 and you
upgrade or install----
Mr. Issa. I have already updated. I am talking about your
current version, when I uninstall your current version.
Mr. Gorton. No, when you install the current version it
automatically will unshare documents that were previously
shared.
Mr. Issa. Right. But now I have chosen to share them. Now I
am uninstalling the software. Does your software allow me to
unshare them at the time that I am uninstalling? You are in
control of that, right? This is not a Microsoft standard. You
are in control of that decision.
Mr. Gorton. That is true but when you----
Mr. Issa. OK. So I think we have kind of come through some
of the things you could do. I am not saying you must do them
all. I am saying you could do them. You are not doing them for
your customer. Now, you are not forcing people to upgrade to
LimeWire 5?
Mr. Gorton. We have no mechanism to do that.
Mr. Issa. Oh, you don't? Wouldn't it be relatively simple?
As an old software guy to a younger software guy, you could
create the capability where when LimeWire 4 users try to share
they would see that they are blocked from sharing with LimeWire
5.2 and above unless they upgrade. That wouldn't be hard for
you to do. LimeWire 5.2 could deliberately be incompatible with
LimeWire 4.1. You could create a block on that. That is doable,
isn't it?
Mr. Gorton. Yes, we could break compatibility with it.
Mr. Issa. So, if you care about your customers and you know
that LimeWire 5.2.8 has much better protection for them, if you
wanted to protect your customers one of the easiest ways is to
force out the older generation software. That is something
which, since you write the software, you are in control of
doing.
I spent 20 years in automotive security. I think about
security and I think about what can I do for my customers. I
also think about how to make car alarms not go off. That is the
hard part. Making them go off was easy. It sounds like sharing,
which is easy, is what you do.
These are simple questions and I could go on for a lot
longer with them. Any consultant you hire could help you with
those. If you were thinking in terms of security, you would
have asked and answered those questions for your customer.
Anyone can make a car alarm that goes off all night. It is
hard to make one that doesn't go off except when someone is
stealing your car. Anyone can make file sharing easy. What are
you doing to protect your customers so that file sharing is not
something that leads to these inadvertent acts for them or
others?
Mr. Gorton. We have taken a large number of steps, which I
have documented in my written testimony. But I also----
Mr. Issa. I appreciate that but you don't get credit for
what you can't answer today that was that simple.
Mr. Gorton. Many of the steps that we have taken have come
from outside suggestions. We would be happy to look at any
suggestions that you have or anyone else has as to how we can
improve our program. We have taken a large number of steps. Are
we perfect? No, we are not perfect. We would be happy to look
at anything and continue to work going forward to get as close
to perfect as we can get.
Mr. Issa. I appreciate that. My time for new questions has
expired. Could the other two gentlemen just comment on the line
of questioning I explored, please?
Mr. Sydnor. Ranking Member Issa, thank you. I think that is
exactly correct. The problem that you have illustrated and that
I think you can see live here is that Mr. Gorton has made some
improvements, but he made improvements that relate to types of
documents that don't actually drive a lot of traffic toward the
Gnutella network. So whenever you see somebody who is
inadvertently sharing document files, sensitive personal
documents, my experience of actually looking at what happens on
Mr. Gorton's network, something that LimeWire itself really
does not do much of, shows that whenever that is happening they
are sharing many other types of files.
I illustrated the dangers of that in my 2007 testimony,
basically pointing out that if that happened to my family, yes,
the document files would be important to me but the most
dangerous files in terms of identity theft and the safety of my
children would actually be the image files. Those would be the
most dangerous. I laid that out in my 2007 testimony.
Lest anyone think that I was wrong, I will just quote some
testimony from Mr. Boback. ``Tiversa has documented cases where
child pornographers and predators are actively searching P2P
networks for personal photographs of children and others that
are stored on private computers. Once the photographs are
downloaded and viewed, these individuals use the browse host
function provided to view and download all additional
information being shared from that computer.''
The changes Mr. Gorton's program makes don't solve that
problem. They don't solve the massive copyright infringement
problem. They are half measures.
Mr. Boback. My only comment is that LimeWire has made
changes in the time since our last testimony. However, from our
oversight view of that, they have lost market share since that
time. Users have transitioned to other places and other clients
as LimeWire has made the changes.
Our own personal concern with LimeWire 5.0 and up is that
for some unexplained reason, Tiversa, which is the only
oversight to a number of peer-to-peers, was hard coded in a
block so that we would be unable to see every user of 5.0 and
up. Now, we don't interfere with the network at all. We don't
touch LimeWire clients. We don't stop downloads. We have never
taken a dollar from the Motion Picture Association or the
recording industry. However, for some reason our entire IP
address range that Tiversa uses to monitor has been hard coded,
which means someone literally typed into the LimeWire code to
not ever connect to anyone associated with Tiversa. We posed
the question to the CEO of LimeWire and I still have yet to
have a response.
Mr. Issa. Mr. Chairman, I would ask unanimous consent to
include in the record at this time the screenshots in HTML
format from July 28, 2009 showing the previous versions of
LimeWire that were available as of that date. I would like that
included in the record.
Chairman Towns. Without objection, so ordered.
[The information referred to follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Issa. Mr. Chairman, it is interesting that Mr. Gorton
was so livid in saying that ISPs could protect and then showed
that he can protect from a specific range of a particular ISP.
Chairman Towns. That is interesting. I now yield to the
gentleman from Maryland, Mr. Cummings.
Mr. Cummings. I am sitting here and listening to all of
this. I heard what Mr. Issa said from the beginning. He said
that if we were to find certain things happening here, this is
something that should be referred to the Justice Department.
After seeing what Mr. Boback presented here a moment ago, it is
chilling what the public now has available to it, the idea that
you can look at the First Lady's information, figure out where
she is going, how she is getting there, and so forth and so on
and tax records and things of that nature. In some kind of way
we have to get to the bottom of this.
I have been sitting here listening to you, Mr. Gorton,
trying to figure out whether you have sincerely done everything
you can to protect the American people with regard to this kind
of information being put out there. But now I am going to pick
up right where we left off with Mr. Boback, with what you just
said.
Why did LimeWire, Mr. Gorton, block Tiversa from access to
its portals after assuring the Committee on Oversight and
Government Reform, this committee, that it was fully committed
to correcting the inadvertent file sharing troubles to which it
had contributed? First of all, is what he just said true? Did
you all block Tiversa?
Mr. Gorton. I don't have any specific knowledge of that so
I can't say.
Mr. Cummings. Wait, wait. So you are saying you don't know
whether it happened?
Mr. Gorton. That is correct.
Mr. Cummings. OK, go ahead.
Mr. Gorton. But I can tell you a little bit about what
LimeWire does to fight spam. Again, now we are getting into a
little bit of sort of the technical details of the way peer-to-
peer networks work. But peer-to-peer networks are distributed.
What that means is that each of the computers on that network
is connected to the others through sort of a chain effect.
Messages and searches are conducted as messages are passed from
one computer to the next. There are certain people and
computers in this world who are spammers who respond to every
search that is done on LimeWire with all sorts of messages and
things like that.
Mr. Cummings. Mr. Gorton, I am going to have to cut you
off. The only reason I am going to cut you off is that I don't
have that much time. They only give us 5 minutes.
Let me just ask this of you, Mr. Boback. I am going to come
back to you if I have time. Do you think he is doing all that
he can to address the problems that you showed us in the
demonstration? What else could he do? That is what my
constituents want to know.
Tonight I am going to have a town hall meeting over the
phone. If people saw this while we have this new piece about
digital records and all that, people are going to say, ``wait a
minute, hold it. The fact that I have cancer or my whole IRS
return and all my records will all be out there in
cyberspace?''
Has he done all that he could have done in your opinion?
Were you blocked from helping him?
Mr. Boback. In my opinion, no, they have not done
everything that they could possibly do. We provided an option
after the 2007 hearing where we were willing to work with them,
to say we see some obvious solutions of how you can do this.
Rather than just blocking at the ISP, there are a number of
things you can do. Those conversations ceased shortly
thereafter. Then 6 months after that we were blocked.
We are not a spammer. We don't respond to searches. We are
absolutely passive on the network. When our system gets a
search, it passes it right on through without changing the
search, without downloading it, without doing anything. We are
absolutely passive on the network. We don't block a single
file. We don't spam advertising. We don't do $1 in advertising.
So therefore we are not a spammer and we were, in fact, blocked
as of March 2008. They blocked us 6 months after they ceased
discussions as to the solutions that we offered.
Mr. Cummings. Mr. Gorton, back on July 24, 2007, you said
that you had no idea there was that amount of classified
information out there or that there are people actively looking
for that and for credit card information. Is this shocking to
you? Does it bother you that this information is out there like
that?
Mr. Gorton. Absolutely.
Mr. Cummings. So you are going to promise us some more
today of things you are going to do?
Mr. Gorton. I can promise you our ongoing commitment to
continue working on this problem. I will say that I think we
have made enormous strides in the past 2 years and that
certainly the vast, vast, vast majority of inadvertent file
sharing with LimeWire has been eliminated in the new versions.
We are happy to continue working going forward to do whatever
we can do.
We take our responsibility to our users very seriously. We
don't want anyone to have an unpleasant experience in any way
from using LimeWire. I can certainly see that if someone has
their tax records revealed publicly that is a pretty serious
thing. We take this seriously and that is why we put in so much
effort. We are a small company. A good fraction of the
programming resources of our entire company has gone to
combating this problem. I think we have made very good
progress.
Mr. Cummings. I see my time has expired. Thank you, Mr.
Chairman.
Chairman Towns. I thank the gentleman from Maryland. I now
yield to the gentleman from New Hampshire, Mr. Hodes.
Mr. Hodes. Thank you, Mr. Chairman. Thank you all for your
testimony.
Mr. Gorton, I find your testimony today stunning. You
promised us 2 years ago that you were going to fix what ails
LimeWire. Your testimony today basically for me is essentially,
``why are you picking on me.'' There are others out there who
are facilitating breaches of national security, who are
facilitating commission of child sex crimes, who are
facilitating the theft of property from musicians and owners of
copyright, and who are facilitating identity theft.
Mr. Boback, Mr. Gorton testified essentially that using a
recent version of LimeWire you couldn't engage in the kind of
activity that you highlighted by showing us in real time what
was going on. He then modified that testimony when asked a
question by the chairman to say it was very unlikely to happen.
Are either of those statements true?
Mr. Boback. He is correct in saying that it is less likely on
LimeWire than it is in some other peer-to-peer clients.
However, all of the demonstrations that we showed here today
were in fact LimeWire disclosures occurring from a LimeWire
client. I could have shown BearShare and other disclosures as
well but we specifically have LimeWire.
Mr. Hodes. Were you using current versions of LimeWire to
do the demonstration today?
Mr. Boback. The tax return video was actually a 4.18
version of LimeWire but it accessed information that was out
there. What I have found is that most of the users don't want
to upgrade to 5.0 because it further decreases their access to
other information. Therefore, they don't want to do it.
Mr. Hodes. Mr. Gorton, you have heard about the incident in
which the blueprints for Marine One, the Presidential
helicopter, ended up in Iran?
Mr. Gorton. Yes.
Mr. Hodes. Did anyone in your organization attempt to
remove that file or take any other action when you heard about
that?
Mr. Gorton. We have no mechanism to remove files from
people's personal computers.
Mr. Hodes. But did you do anything to block access to that
information in any way?
Mr. Gorton. Again, the Gnutella network is a decentralized
network which LimeWire doesn't run. So I think maybe using an
Internet browser is perhaps analogous.
Mr. Hodes. Let me ask you this question: When you heard
about the plans for Marine One, the Presidential helicopter,
ending up in Iran, did you take any action at all? Yes or no.
Mr. Gorton. Yes.
Mr. Hodes. What did you do?
Mr. Gorton. We have made changes to the current version of
LimeWire so that such a breach would not happen today.
Mr. Hodes. Is there any file of information you would try
to have removed if it was brought to your attention? For
example, if you heard or found there was a file containing
directions for making an IED that could harm our soldiers in
Iraq or Afghanistan, is there anything you would do?
Mr. Gorton. Again, I think those files should be removed
from the network but LimeWire does not control the computers of
people around the country.
Mr. Hodes. How about child pornography? You understand that
LimeWire is being used as we speak to facilitate the commission
of child sex crimes? You understand that, right?
Mr. Gorton. Yes.
Mr. Hodes. What are you going to do about it?
Mr. Gorton. LimeWire is in the process of working with the
New York State Attorney General's Office on specifically this
problem. We, in conjunction with the New York State Attorney
General's Office, are building a filter to remove child
pornographic material.
Mr. Hodes. Why didn't you do that 2 years ago?
Mr. Gorton. We do not have a list of----
Mr. Hodes. Why didn't you build the filter you were just
telling me about 2 years ago when you came before this
committee? We talked about the problem and you promised us you
would fix it. Why didn't you do it 2 years ago? Answer my
question.
Mr. Gorton. Again, I am pointing out that in order to solve
the problem which you are describing, you need to know which
material is child pornographic material. LimeWire by itself
does not have that knowledge. So we have had to work with
outside third parties in order to gain knowledge of what that
material is. There are certain organizations in the world whose
job it is to maintain lists of that material. LimeWire is in
the process of working with them in order to filter that
material from the network.
Mr. Hodes. Did you start 2 years ago when you promised us
you were going to fix the problem? Yes or no, just a simple yes
or no, Mr. Gorton.
Mr. Gorton. I don't know the date we started working on
this.
Mr. Hodes. So you can't tell us that after leaving this
committee room 2 years ago when you promised us you would fix
it that you started fixing it, right?
Mr. Gorton. I know that it is an ongoing effort that we are
working on today and that we hope to resolve it soon.
Mr. Hodes. Thank you.
Mr. Tierney [presiding]. Thank you, Mr. Hodes. Mr. Foster,
you are recognized for 5 minutes.
Mr. Foster. The hidden files that persist as you update,
are these things files, registry entries, or hidden files? What
is the exact nature of these? Is there anything special about
them, Mr. Gorton?
Mr. Gorton. I have to say that I am not 100 percent sure
but I believe that they are regular files. I believe when they
are called hidden they are by no means obscured from the user.
If you were to go look in the directory, you would see the
preference files. They are not invisible in any way except that
people don't normally choose to examine them.
Mr. Sydnor. Representative Foster, could I correct the
record on this?
Mr. Foster. Certainly.
Mr. Sydnor. That is simply false. I am familiar with the
nature of the files. I have looked at them. They are stored in
a place where users never go in a hidden folder. It is
invisible to the ordinary user. Yes, if they de-hide that
folder, they could conceivably find it. But by default that
folder is invisible. If you can't find that folder, you can't
find the files in it. It is as simple as that.
Mr. Foster. But is this a standard industry practice, to
hold things like this, which could be registry entries or detailed
settings?
Mr. Sydnor. Not that I am aware of. LimeWire leaves an
enormous amount of material behind when it uninstalls. I am
simply not aware, I just don't believe that it is accurate when
Mr. Gorton claims that companies like Microsoft and Google do
this. I do not believe that they leave behind the types of
configuration files that could have dangerous effects if they
are reactivated by another version of the program that chooses
not to overwrite them. It is not true.
Mr. Foster. Mr. Gorton, your statement that you can't force
an update when this sort of problem occurs, is that a feature
of your most recent software as well?
Mr. Gorton. Our current software does have update
capabilities but the old LimeWire 4 something, I don't know
exactly at what point but there are old versions in which we
are not able to send an update message.
Mr. Foster. I guess this would be best directed at Mr.
Boback. The nuclear option is to block the Gnutella protocol at
the very high level Internet router level if this really
becomes intolerable, if you start seeing nuclear weapons
designs out on this thing and it becomes important to do. The
obvious risks there are free speech risks. I personally don't
see any mechanism instead of technologies that would allow you
to block child pornography that would also not allow you to
shut down Falun Gong. This is the tough situation we are in.
First off, businesses, however, can choose to block the
Gnutella protocol. A hospital, for example, could just say,
``we don't want any file sharing on our computers.'' Many
businesses, I believe, do that. National laboratories, I
believe, do block file sharing protocols. Is that consistent
with your experience?
Mr. Boback. All of our clients block peer-to-peer
applications from being downloaded. The problem is that people
work around those because they want music, for one. I will tell
you that all of our clients of the Fortune 500 have all had
disclosures on peer-to-peer despite the recommendations for
them to avoid that. In fact, we even found the rules and
regulations for IT security saying to block peer-to-peer on a
large Fortune 100 company.
Mr. Foster. These come from people bringing their computers
and files home to places where they are not protected. At least
at the workplace there is a simple thing to just wipe out the
Gnutella protocol.
Mr. Boback. For the most part.
Mr. Foster. Similarly, the military, do they block all
peer-to-peer connections on the military networks?
Mr. Boback. I believe that the military does discourage the
use of peer-to-peer. However, being a dispersed group, there is
no way to stop it entirely. It is like stopping crime. You have
to monitor it and that is what we have chosen to do.
Mr. Foster. But on the military subnets, they can
presumably just block it. Do you know for a fact whether they
do or do not?
Mr. Boback. I do not know for a fact.
Mr. Foster. Mr. Gorton, it seems to me that the sensible
solution to this is that instead of having an exclusive list, a
list of things we are not going to share, that the user should
have to say yes, I want to share this file and click on it.
They should have to march through every single file and
explicitly say yes, I recognize this file instead of just
clicking on the whole C: drive.
Mr. Gorton. What you describe is the current practice with
LimeWire. You have to affirmatively select each file or----
Mr. Foster. Every single file, including everything you
download?
Mr. Gorton. Downloaded files, I believe on installation you
have a choice whether you want to automatically reshare or not
reshare files that you download.
Mr. Foster. OK. Then this question of trying to recall old
versions of it, my understanding is that would be essentially
impossible because the Gnutella protocol is a multi-vendor open
protocol. There is no way that you can stop those old versions
from working. Is that correct?
Mr. Gorton. Yes. It is a piece of software on a person's
individual computer and they control it.
Mr. Foster. Right. So the only way to stop old versions
from working would be, for example, basically for the whole
world to block the old Gnutella protocol and reimplement a
Gnutella protocol where you actually had control over who gets
to write clients and what the procedures are on that. To me,
that would be the only solution that would allow you to
actually flush out the problems with the current system.
Otherwise you would be left with the old Gnutella protocol
doing whatever bad features with whatever bad old versions of
the software are out there. Are you aware of any other way that
we can flush out the old versions of the software?
Mr. Gorton. It is certainly very difficult because those
versions of LimeWire don't just connect to the new versions of
LimeWire. They connect to dozens of other P2P clients.
Mr. Foster. Which could only be shut down by a worldwide
effort to block them and then reimplement a new version that
didn't have these problems.
I yield back.
Mr. Tierney. Thank you, Mr. Foster. Mr. Connolly, you are
recognized for 5 minutes.
Mr. Connolly. Thank you, Mr. Chairman. Mr. Gorton, Mr.
Sydnor sort of laid out three broad critiques of LimeWire. I
wonder if you would respond. The first was that it is
dangerously unpredictable. In installing the software, his
experience was that just by default 16,798 documents showed up
inadvertently displayed. Could you comment? Is your software
dangerously unpredictable from your point of view?
Mr. Gorton. I do not believe it is dangerously
unpredictable. Again, I think it is worth talking about the
situation. In order to get the result that Mr. Sydnor
described, he had to install a version of LimeWire 5.0 or
greater, disable all of the security features that are built
into it, disregard the many warnings, and affirmatively choose
to share thousands of files. Then he had to uninstall that
version of LimeWire and install a new version of LimeWire.
Then, once that new version of LimeWire was installed, there
would be warnings that would pop up that would ask him----
Mr. Connolly. I am going to have to interrupt you because
we have limited time here. I just want to get at the essence of
your answer. I get it. Your view is that he is the one who is
dangerously unpredictable, not your software?
Mr. Gorton. I am not sure I would characterize him that
way.
Mr. Connolly. But you just went through all the steps he
had to take that made him dangerously unpredictable. Is it your
contention that if we directed our committee staff to do what
Mr. Sydnor did we would or would not come up with the same
results here at the committee?
Mr. Gorton. If you got a version of LimeWire 5, removed all
the security settings, ignored all the warnings, chose to share
files, uninstalled that program and then installed a new
upgraded version, you would still be presented with warnings
which you could then ignore.
LimeWire is file sharing software. It is not unreasonable
to think that people who install file sharing software might
actually want to share files. What we try and do is make it so
that the files they share are only files they want to share.
Mr. Connolly. Mr. Chairman, I may be a freshman but the
light has stayed on red.
Mr. Tierney. It is because you are a freshman. [Laughter.]
So you gave the answer and the question in the same breath.
[Laughter.]
Mr. Connolly. I thank the Chair.
Mr. Sydnor also said that in addition to being dangerously
unpredictable, one of his three points was that you were
knowingly dangerously unpredictable. In other words, this isn't
accidental or this isn't just a feature of the software that is
something we can't really control. You knowingly have, in fact,
manufactured, sold, and operated software that has this
dangerous default with what he characterized as ``devastating
results.'' I assume your view is that is just not true.
Mr. Gorton. That is absolutely untrue. I can tell you that
we take this problem seriously. We are actively working to
resolve it. I will say that there are situations which can
occur in the world which didn't occur to us in testing
involving weird combinations of installing old software and new
software. As these edge cases come up and they are pointed out
to us, we address each one as it comes along.
I would like to think that we have caught every last
problem. That is probably not true. But as they are pointed out
to us, we go and take the steps that are necessary to ensure
that those problems don't continue.
Mr. Connolly. The third point he made was that he could
identify at least eight violations of voluntary best practices,
suggesting that self-regulation in your case doesn't work.
Mr. Gorton. He did not say what those violations were. This
is coming from his paper and my recall of the specifics is not
perfect, but I believe that many of those claims about us
disregarding those eight best practices are false. I think he
may have pointed out an issue or two which we have since
resolved. I believe that all eight issues which he discussed
before are currently nonexistent.
Mr. Tierney. The red light, Mr. Connolly, has truly come on
now.
Mr. Connolly. Thank you, Mr. Chairman.
Mr. Tierney. We appreciate your questions and thank you for
them. Mr. Duncan, you are recognized for 5 minutes.
Mr. Duncan. Mr. Chairman, thank you very much. Mr. Boback,
I was interested to read in the briefing paper that your
company did a demonstration in January 2009. It says that
Tiversa was able to locate and download more than 275,000 tax
returns. Is that accurate?
Mr. Boback. That is accurate. Yes, sir.
Mr. Duncan. Do you feel that you basically can get
anybody's tax return that you want to?
Mr. Boback. Surprisingly we can get a great deal of
information. Yes, sir. I don't know about anyone, but most
people.
Mr. Duncan. When we run for Congress, we basically forfeit
or give up any right to privacy and we sort of have to accept
that. But do you think there is any real privacy in this
country anymore if anybody can get almost anybody's tax returns
or medical records or bank records or anything else that they
want to get?
Mr. Boback. It has definitely been depleted quite a bit
with this application, yes.
Mr. Duncan. I know that we have taught all of the young
people to worship the computers now and so forth and to become
addicted to them, but it seems to me that it is sad that we are
so controlled now that we basically have done away with almost
any privacy that private citizens should have in this country.
How skilled a computer user does one need to be to hack
into files that are not intended to be shared?
Mr. Boback. It is as simple as doing a Google search.
Literally you would type in ``tax return'' and hit ``search.''
Mr. Duncan. That is what I thought you would say. In fact,
several years ago I was driving back from lunch in Knoxville
one day and I heard on the CBS radio national news that
computer hackers had hacked into the top secret files of the
Pentagon that year. It was many thousands of times. I don't
remember exactly how many.
Then I remember a few years ago when the front page of the
Washington Post had a story about a 12 year old boy hundreds of
miles away from the Hoover Dam who had opened the floodgates at
the Hoover Dam. I suppose in one way that is funny but in
another way it is pretty sad and it is also pretty dangerous,
it seems to me, to our national security.
At any rate, Mr. Chairman, thank you very much for holding
this hearing.
Mr. Tierney. Thank you, Mr. Duncan. We appreciate that.
Mr. Gorton, I just want to ask you a question. You said
that you personally knew nothing about the fact that Mr.
Boback's system had been shut out of your software, I guess,
right?
Mr. Gorton. That is correct.
Mr. Tierney. So will you reinstate it now? Will you remove
that barrier?
Mr. Gorton. We can certainly talk to Mr. Boback.
Mr. Tierney. What would that discussion involve?
Mr. Gorton. As I was saying before, LimeWire has a system
for identifying spammers. And then----
Mr. Tierney. You consider Mr. Boback's group a spammer?
Mr. Gorton. I do not.
Mr. Tierney. So what else is going to be involved in the
discussion?
Mr. Gorton. But it may be that there is something about the
profile of the way his systems behave that matched our
identification for a spammer. We can try and work with Mr.
Boback to make sure that he is not falsely identified as a
spammer.
Mr. Tierney. Why did you break off the conversations with
him? I assume those would be the type of things you would have
discussed with him after the last hearing. Mr. Boback says you
were working along and you stopped the discussion.
Mr. Gorton. I believe the conversations he was referring to
were his attempt to get LimeWire to purchase and distribute the
software which he is selling and the service which he is
selling. He has a system which flags security concerns. It was
our preference with LimeWire, rather than to create a system
which identified security problems, we would rather eliminate
them. We felt that if we did a proper job eliminating
inadvertent file sharing there would not be a need for Mr.
Boback's software.
Mr. Tierney. Set aside whether you want to buy his services
or anything of that nature. Why would you block him?
Mr. Gorton. This is what I was saying. We have an automated
system which goes and looks for spammers. I believe that his
company's systems in some way have a profile of a spammer and
they were inadvertently flagged as a spammer.
Mr. Tierney. Does this make any sense to you, Mr. Sydnor?
Mr. Sydnor. Mr. Chairman, no, none whatsoever. Tiversa's
service has been operating. I first encountered them some years
ago when I began investigating this problem. It has been
operating for years. If it triggered some automatic spam
filter, it should have done so years ago.
The timing would suggest that right after the last big
round of very significant disclosures about very significant
episodes of inadvertent file sharing involving LimeWire, which
Tiversa did help, if I recall correctly, the reporters and the
military identify, that is when the block occurred. That is
interesting timing for an automated spam detection system.
Mr. Tierney. Mr. Gorton, let me tell you that is how it
looks from here. Disabuse us of that notion if you can.
Mr. Gorton. Certainly. First of all, let me start by saying
that I think that systems like Mr. Boback's have a positive and
constructive role to play. I have no desire to see them shut
down.
Mr. Tierney. So who in your company do you think had that
desire and then physically blocked them?
Mr. Gorton. Like I said, it is an automated system.
Mr. Tierney. No, no. Let us back up a second. Somebody had
to physically go in and block them out. So who in your company
is in charge of doing that?
Mr. Gorton. No. Like I was saying, we have an automated
system which identifies IP addresses. There is no human being
involved.
Mr. Tierney. All right, we have heard that before. What do
you think of that, Mr. Sydnor?
Mr. Sydnor. Mr. Chairman, I simply don't think it is
credible. I have known Mr. Boback's company for years, worked
with them for years. Their service, so far as I know, has
operated relatively similarly. It simply does not make sense
that right after the latest round of disclosures that they
somehow for the first time would have tripped the automatic
spam filter. That is exactly the sort of very interesting
question that I think a law enforcement agency could
investigate.
If I could add one final point, it is that I realize there
has been a bit of he said/she said between Mr. Gorton and me
today about how his program actually behaves. That is totally
unnecessary. We are talking about the behavior of a computer
program. It will do the same thing every time. I am happy to
come in and demonstrate for any member of the committee or the
staff exactly how I do my testing and draw my conclusions.
Mr. Tierney. Mr. Boback, do you want to add anything to
that conversation? I think Mr. Gorton's credibility here is at
risk so I want to caution you to that.
Mr. Boback. It is clear that we are blocked. We don't spam.
We are engaged in Federal, State, and local investigations with
law enforcement. The mere fact of his blocking our technology
is a direct infringement on our ability to actually prosecute
and to work with Federal law enforcement to address these
issues. We don't spam. That was clear.
To say that it is automated is not accurate. There is no
automated programming. There is no automated system that learns
how to program. You can automate updates. You can automate a
number of things, but literally someone typed in our IP range.
There is no random fitting into your software code. That is
hard coded into there, which means someone literally did it. I
don't know who that was.
Mr. Tierney. Thank you, sir.
Mr. Welch, you are recognized for 5 minutes.
Mr. Welch. Thank you very much, Mr. Chairman. Mr. Gorton,
you were here before and I asked a few questions. You indicated
in December 2008 that you were going to engage in a concerted
effort to combat and eliminate inadvertent file sharing. Is
that right?
Mr. Gorton. Yes.
Mr. Welch. You saw the results of the test this morning.
Apparently using your service we can get information about
troop rosters, names, and Social Security numbers in the U.S.
Army. Is that anything you approve of?
Mr. Gorton. No.
Mr. Welch. We can get through your site information about
the First Lady's safe house route from the Secret Service. Is
that anything you approve of?
Mr. Gorton. Certainly not.
Mr. Welch. Obviously you don't approve of getting access to
confidential information about motorcade routes?
Mr. Gorton. Exactly.
Mr. Welch. So is it fair to say that whatever it is that
you did to ``combat and eliminate inadvertent file sharing''
was a total, complete, and utter failure?
Mr. Gorton. No, I disagree with that statement.
Mr. Welch. So however effective it was, it did not
successfully stop access to motorcade routes, First Lady safe
house information, and troop rosters. That is a fact.
Mr. Gorton. If I may, again, I think----
Mr. Welch. No, I actually think it is a bit of a joke. The
joke may be on us if we don't get a little firmer about this.
You have a business model that basically is all about denying
intellectual property rights to folks who create music and
movies and fostering the sharing of that without any type of
respect for the intellectual property rights of people.
It has an over-broad application so that anybody who wants
to go on the Web site and get information about Marine One, the
First Lady's safe house, or troop rosters can get it. Your
routine is to come in here and tell us you are ``doing
everything [you] possibly can'' and profess concern. But your
concern doesn't extend to doing that which is effective to stop
the problem.
At a certain point reasonable people have to ask the
question as to whether the efforts that you are taking are
cosmetic, essentially slow walking so that you can maintain the
pretext that there is a solution. At a certain point I think we
have to ask in Congress whether we are going to take what
action is required to protect confidential national security
information and intellectual property or not.
Mr. Chairman, if we have another hearing, another hearing,
and another hearing after that we are going to have the same
story from Mr. Gorton. Then we are going to have another
demonstration from Tiversa that shows us whatever he has done
lately has failed.
At a certain point it may be appropriate for us to ask
folks from the FTC, the U.S. Attorney's Office, and maybe some
State Attorneys General who are concerned about access to
pornography as to whether there is some legal action that
should be taken in order to protect intellectual property,
protect our kids from pornography, and essentially protect
classified medical and national security information.
I want to thank Tiversa. There is the old Groucho Marx
line, do we want to believe Mr. Gorton or our own two eyes? I
think your demonstration makes it irrefutable that whatever
actions LimeWire has taken to supposedly deal with this
inadvertent file sharing are a failure. My conclusion is that
they have no serious intention of being successful and stopping
it because the main agenda item is providing access to
intellectual property to anybody who wants it without any kind
of compensation.
I yield back the balance of my time.
Mr. Tierney. The gentleman yields back. Mr. Issa.
Mr. Issa. Thank you, Mr. Chairman.
Mr. Gorton, in light of this hard coding question that
there isn't time to resolve here, will you agree to answer
questions we submit and to provide information as to the people
who wrote the software and who would directly know how these IP
ranges got in?
Mr. Gorton. Yes, we would be happy to help the committee
with that.
Mr. Issa. I appreciate that.
There was a followup question that I want to understand. I
asked earlier and I thought I got an affirmative that you could
force users who were using 4.x but wanted access to your
switches, that you could create a situation where if they
didn't upgrade to the 5 level the new software, I guess it
would be 5.2.9, could say it only deals with 5.0 and above or
whatever. Then Mr. Foster implied that the open format would
deny you that. Could you respond on that and followup?
Mr. Gorton. I guess it is possible for us to come out with
a new version of LimeWire that would not connect to other
versions. However, with the decentralized network you have a
situation where we don't just connect to other LimeWires. We
might connect to some other Gnutella compatible program which
then itself connected to 4.x. So even if we ourselves deny the
connections, the network itself would probably still maintain
them.
Mr. Issa. Following up, I am an old businessman so I
generally want to figure out where the money goes. That helps
me understand the business model. Or you can ask the business
model where the money goes. Either way, how do you make your
revenue?
Mr. Gorton. We sell LimeWire Pro.
Mr. Issa. You make it only on the software?
Mr. Gorton. That is correct.
Mr. Issa. Would you sell more or less software if you
better protected your customer, the installer of the product,
from inadvertent file sharing?
Mr. Gorton. I suspect we would sell more.
Mr. Issa. So if, like Peter Norton, the name from the past
for us old folks, the DOS 3.3 type people, if you improved your
product to have features that would reduce inadvertent file
sharing, you would actually sell more product?
Mr. Gorton. That is true. I believe we have done that. I
think your conclusion is probably true.
Mr. Issa. Let me ask you a couple of simple followup
questions. Would it be hard to create a browser so that the
user can simply, like the search engine or maybe even
leveraging the Microsoft and Apple search engines, see what
files are presently sharable and unsharable in red and black or
whatever? Is there any reason that you couldn't create an easy
ability for someone to see the folders that are vulnerable and
the files that are vulnerable?
Mr. Gorton. We already have the functionality you are
talking about with two different colors. You can click one
button to see all the files that you are sharing. We do our
best to make it transparent specifically what people are
sharing because we want people to be able to check to make sure
they are not sharing anything they don't want to share.
Mr. Issa. Would you be able to build an engine that allowed
people to then en masse do a better job of protecting files they
want to protect?
Mr. Gorton. I guess I am not really quite sure what you
mean by that.
Mr. Issa. In other words, if I am looking at that, can I
quickly click a red file and make it a black file or do the
whole subfolder?
Mr. Gorton. That functionality currently exists.
Mr. Issa. OK. You protect basically DOCs and some of their
equivalents, including HTML. Why didn't you include PSTs in
that? That is unlikely that output from a Microsoft Outlook
file, that is kind of an unusual one to want to share, isn't
it?
Mr. Gorton. I am not familiar with that particular file
extension. It is possible that there are file extensions in
this world that should be on our documents list which are not
currently there. We can add them if there are.
Mr. Issa. Going back to your model, you would be more
popular if you did a better job of protecting your customers,
you say. But you have a lot of files that you need to get to
looking at and procedures to help protect them. Isn't that
right?
Mr. Gorton. We currently do a lot of things to prevent
inadvertent file sharing.
Mr. Issa. Let me ask one question, though. People buy
LimeWire in order to be part of a file sharing community. But
isn't the primary attraction of LimeWire the fact that there is
a tremendous amount of LimeWire-based content out there that
they are quickly able to download, including MP3s, MPEGs, and
other video and visual files?
Mr. Gorton. People download and install LimeWire primarily
to share files. Media files are popular on that list.
Mr. Issa. Let me ask the final, closing question. If you
did a better job, although the individual customer would
appreciate it, isn't your model then vulnerable? If you do a
good job for me, when I go out to look there is less out there.
Without the propagation or the huge amount of interesting
content, your product sells worse.
So don't you have an interesting conflict in which it is
clear that you should be protecting your customers more but
then, if you protect them and they all use the product, what
ends up happening is less content is available and therefore
the whole category is less desirable? Isn't that essentially
your conundrum, that you benefit from a lot of good meaty,
juicy shared material and that the failure of your software to
protect me has more to do with the fact that you have to create
this huge amount of content in order for your whole industry to
do well?
Mr. Gorton. I don't think there is a dichotomy the way you
phrase it there.
Mr. Issa. Thank you, Mr. Chairman. I appreciate your
indulgence. I yield back.
Mr. Tierney. That was the best one question we ever heard.
At this time I want to recognize the chairman, Mr. Towns,
for a brief statement. Then I will go to the remaining two
people on the panel who have questions. Mr. Towns.
Chairman Towns. I have to leave. Let me just say that from
what I have heard today, it is clear that private citizens,
businesses, and the Government continue to be victims of
unintentional and illicit file sharing. At its best, with the
proper safeguards in place, peer-to-peer software has great
potential. At its worst, it isn't peer-to-peer but predator-to-
prey. For our sensitive Government information, the risk is
simply too great to ignore.
I am planning to introduce a bill to ban this type of
insecure open network peer-to-peer software from all Government
and contractor computers and networks. I plan to meet with the
new chairman of the Federal Trade Commission to request that
the FTC investigate whether inadequate safeguards on file
sharing software such as LimeWire constitute an unfair trade
practice. The administration should initiate a national
campaign to educate consumers about the dangers involved with
file sharing software. The FTC needs to look at this, too. The
file sharing software industry has shown that it is unwilling
or unable to ensure user safety. It is time to put a referee on
the field and to begin to play by rules.
Mr. Chairman, I yield back.
Mr. Tierney. Thank you, Mr. Towns.
Ms. Norton, you are recognized for 5 minutes.
Ms. Norton. Thank you, Mr. Chairman. You see that there
have been breaches of national security through what is only
politely called inadvertent file sharing but the average
American, I think, would have been even more concerned about
their personal security and especially medical files. I can
think of nothing more personal than medical information. I am
with the President and people on both sides of the aisle who
say that there will be lots of money saved if we could
computerize these files so that they could be shared, getting
beyond the point of how much that would cost, not to mention
making them secure.
Mr. Chairman, it probably was in my subcommittee that a
number of hearings were held on computerizing the FEHB files,
the files for Federal employees. I recall that the unions were
basically for it but we always came up with terrible
compunctions about the security of these files.
Mr. Boback, in your testimony you apparently spoke of
records from a hospital that had been inadvertently shared.
This would be every person's nightmare when you talk about
inadvertent sharing. They have already seen their personal
records, their Social Security, and their financial information
get leaked. In the case that you reported, the records contain
not only the patients' names but their diagnoses and other
sensitive information.
How widespread do you believe the leaking of such
information to third parties is from hospitals and medical
facilities, Mr. Boback?
Mr. Boback. It is extensive. As a matter of fact, that
specific file has been out for nearly 16 months now on the
peer-to-peer networks and has been taken extensively. It has
been downloaded a number of times. So these individuals will be
affected for years. In fact, they are not even aware that they
are on the list at this point because they have never been
told.
Ms. Norton. That would be my next question. Their files
have been breached in the most terrible way. The most sensitive
information you have about a person is just out there in the
stratosphere. Are patients generally informed that their
information has been leaked?
Mr. Boback. Forty-one of the 50 States require breach
notification.
Ms. Norton. Forty-one of the 50?
Mr. Boback. Forty-one of the 50. At this time there is no
national breach notification law. There should be. As patients
travel across State lines for medical care, there needs to be a
national breach notification law. I believe there was one
proposed, H.R. 2221, that gives the FTC some oversight and
actually punishment if organizations do not identify these to
their consumers. That should pass.
Ms. Norton. That seems, Mr. Chairman, to be minimally
necessary. But let me ask you this: Suppose you do know. You
can change your Social Security number maybe. You can take your
credit cards and get new ones. What in the world can you do if
information that is true and will forever be true about your
medical condition is out there? So now you know it. What do you
do?
Mr. Boback. At this point there is not much to do. There
are credit monitoring and identity theft systems that are
trying to work toward protecting medical information, companies
like LifeLock. They are trying to put these procedures in
place. Are they there yet? No. But identity theft is evolving
so rapidly that I will assure you that it is not just a $50
credit card loss or a nuisance to the consumer. It will be very
impactful to the consumer and the family in the upcoming years
if this is not addressed immediately. This is out of control.
Ms. Norton. Mr. Chairman, if 41 of the 50 States already
understand this, it does seem to me with what you have been
able to find at this hearing that we would want to bring
forward a bill to make sure that this is done nationally.
I might say that when it comes to the FEHB, our Federal
employees here, until there is some such software in place,
given our work force, it tends to be an older work force, I do
not see how we could take this very important step that
everyone knows needs to be taken in computerizing the records
of Federal employees.
Thank you, Mr. Chairman.
Mr. Tierney. Thank you, Ms. Norton.
Mr. Bilbray, you are recognized for 5 minutes.
Mr. Bilbray. Thank you, Mr. Chairman.
Mr. Gorton, I think that historically we have basically
felt that it is the obligation of the consumer to protect their
own files. That is part of the process that historically we
have used. Basically, you have to at least move through the
system and keep clicking to move those files across.
What I am really concerned about is that history has proven
that this is not just a consumer problem. There is the SWIF
example where you had 300 people who are illegally in the
country being able to access records and use those records for
illegal employment. There are people who are able to use this
document for other issues that we don't even know about.
National security could be one of them.
This issue is going to be addressed now, not just as an
individual's privacy issue but as a national security issue. We
need to be more proactive in making sure that this data is not
out in the stratosphere. Are you ready to be more aggressive
with your industry? Are you ready to be proactive working with
this Congress at shutting down this opportunity to breach
information systems that can be used as a threat to this
country?
Mr. Gorton. Absolutely. We worked with this committee in
the past and I hope we have the chance to do so going forward.
Mr. Bilbray. My question to you is if you were going to
legislate from the Federal level, and I know this is counter-
intuitive for you to think about, but if you were going to
legislate, what would you do to address this problem?
Mr. Gorton. I touched on this earlier in my testimony.
There are a number of problems where computers can essentially
break the law or have these security issues. The unique point
of control for every computer is its ISP. From a legislative
point of view, that is really the only practical place you can
attack because--let's say you have a child pornographer. If
they are identified, as Mr. Boback's software can easily
identify in an automated way many, many people very easily, if
there were a quick and effective mechanism where his computer
quickly routes a message to an ISP, maybe the child
pornographer is cut off from the Internet or law enforcement is
notified. Again, you have to come up with reasonable
procedures.
You have to ask some hard questions like under what
circumstances we cut a computer off from the Internet. If he
finds a document that has nuclear secrets, is that enough to
shut the computer off first and then go do an investigation
after? These are hard questions that need to be answered.
In the first wave of regulations surrounding the Internet,
I think there was a lot of euphoria with the Internet. There
wasn't as clear of an issue of what the negative consequences
of some of these amazing technologies are. We have a clear idea
now.
Again, in order to do this, you have to deal with the ISPs,
which are basically telecom companies. I am sure you are aware,
these are politically quite powerful institutions. But I don't
think that it is possible for this country to really wrestle
these questions to the ground without having the ISPs play a
constructive role in that.
Mr. Bilbray. Look, we were all enamored, too, with computer
training and then we placed restrictions on the application of
that technology. My question really gets into the fact, and I
guess I would close with a challenge to you, that this isn't
just about the technology application by certain agencies or
certain companies. It is also a national protocol or procedure
that tightens up and makes it more proactive to open up your
record files. We need a procedure. We need to be looking at
having regulations on this.
You don't have to answer this but the challenge to you is
not to be obstructionist. Be proactive at saying, ``OK, we have
this procedure now.'' We think this, this, this, and this will
make it harder or tougher for people to inadvertently transfer
files and will basically make them more responsive. It will be
less user friendly at opening up the files but will address the
problem.
That challenge of balance, if you want this committee and
Congress to do the right thing, then you have to be willing to
move from a historical position and be proactive. Take the hit
to some degree, inconvenience the consumer to some degree, but
address the crisis in a manner that is less obtrusive than what
we would propose working from the regulatory side.
I yield back, Mr. Chairman.
Mr. Tierney. Thank you, Mr. Bilbray.
I thank all of our witnesses for their testimony here
today, and for their time and their expertise. We do appreciate
it. I am sure the chairman has further intentions to followup
on this issue.
The meeting is adjourned.
[Whereupon, at 11:40 a.m., the committee was adjourned.]
[The prepared statement of Hon. Gerald E. Connolly and
additional information submitted for the hearing record
follow:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]