[House Report 111-431]
[From the U.S. Government Publishing Office]


111th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES
 2d Session                                                     111-431

======================================================================



 
                    SECURE FEDERAL FILE SHARING ACT

                                _______
                                

 March 11, 2010.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

   Mr. Towns, from the Committee on Oversight and Government Reform, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 4098]

      [Including cost estimate of the Congressional Budget Office]

  The Committee on Oversight and Government Reform, to whom was 
referred the bill (H.R. 4098) to require the Director of the 
Office of Management and Budget to issue guidance on the use of 
peer-to-peer file sharing software to prohibit the personal use 
of such software by Government employees, and for other 
purposes, having considered the same, report favorably thereon 
without amendment and recommend that the bill do pass.

                                CONTENTS

                                                                   Page
Purpose and Summary..............................................     2
Background and Need for Legislation..............................     2
Legislative History..............................................     2
Section-by-Section...............................................     4
Explanation of Amendments........................................     6
Committee Consideration..........................................     6
Roll Call Votes..................................................     6
Application of Law to the Legislative Branch.....................     6
Statement of General Performance Goals and Objectives............     6
Constitutional Authority Statement...............................     6
Federal Advisory Committee Act...................................     6
Unfunded Mandate Statement.......................................     6
Earmark Identification...........................................     6
Committee Estimate...............................................     7
Budget Authority and Congressional Budget Office Cost Estimate...     7
Changes in Existing Law Made by the Bill, as Reported............     8

                          PURPOSE AND SUMMARY

    H.R. 4098, the Secure Federal File Sharing Act, was 
introduced by Chairman Towns on November 17, 2009. The purpose 
of the bill is to reduce improper disclosures of federal 
information by prohibiting the use of open network peer-to-peer 
file sharing software on all federal computers, computer 
systems, and networks, including those of contractors working 
on the government's behalf.
    H.R. 4098 directs the Office of Management and Budget (OMB) 
to issue new guidance to implement that purpose. In addition, 
the bill also directs OMB to set up a procedure by which 
agencies may seek approval to use specific file sharing 
software for legitimate government purposes. OMB must report 
annually to Congress on those peer-to-peer software programs 
that have been approved, the agencies that are using them, and 
for what purposes.

                  BACKGROUND AND NEED FOR LEGISLATION

    Peer-to-peer file sharing software allows users to 
instantly connect with each other to search and copy electronic 
files. The popularity of such software has grown exponentially 
since being made widely available in the late 1990's and early 
2000's by programs like Napster, Kazaa and LimeWire. Currently, 
it is estimated that there are up to 20 million peer-to-peer 
file sharing users online at any point in time, most commonly 
sharing music and movies.
    Despite the ongoing growth in users, not many people are 
aware of the privacy and security risks associated with open 
network peer-to-peer file sharing software. Since 2001, the 
Committee has looked into the dangers of peer-to-peer file 
sharing with particular emphasis on the prevalence of child 
pornography, the privacy and security risks, and the problem of 
inadvertently sharing electronic files. It is clear that 
efforts by the peer-to-peer file sharing industry to self-
regulate since then have failed. At the Committee's hearing on 
inadvertent file sharing on July 29, 2009, it was revealed that 
the location of a Secret Service safe house for the First 
Family, financial information belonging to Supreme Court 
Justice Stephen Breyer, and thousands of medical records and 
tax filings were all available online on open peer-to-peer 
networks.
    H.R. 4098, the Secure Federal File Sharing Act, is intended 
to reduce the risk that those kinds of documents are exposed on 
file sharing networks by prohibiting the use of open network 
peer-to-peer file sharing software on all federal computers, 
computer systems, and networks, including those of contractors 
working on the government's behalf.

                          LEGISLATIVE HISTORY

    During the 107th Congress, the Committee first sounded the 
alarm on some of the dangers of peer-to-peer file sharing 
software in a Minority Staff, Special Investigations Division 
report entitled Children's Access to Pornography Through 
Internet File-Sharing Programs (July 27, 2001).
    During the 108th Congress, the Committee followed up with a 
hearing on the issue entitled Stumbling onto Smut: The Alarming 
Ease of Access to Pornography on Peer-to-Peer Networks (March 
13, 2003) where they released another staff report entitled 
Children's Exposure to Pornography on Peer-to-Peer Networks 
(March 13, 2003).
    During the same year, the Committee held another hearing on 
this issue focused on privacy and security threats entitled 
Overexposed: The Threats to Privacy and Security on File 
Sharing Networks (May 15, 2003). At that hearing, the Committee 
staff released the report File-Sharing Programs and Peer-To-
Peer Networks: Privacy and Security Risks (May 15, 2003).
    Shortly thereafter, the Senate Committee on the Judiciary 
held the hearing, The Dark Side of a Bright Idea: Could 
Personal and National Security Risks Compromise the Potential 
of Peer-to-Peer File Sharing Networks? (June 17, 2003). At that 
hearing, Senator Feinstein emphasized the heightened risks of 
peer-to-peer file sharing use by government employees. She 
said:

          Of most concern is the use of peer-to-peer file 
        sharing by government employees . . . A Federal 
        employee intending to simply download and share music 
        files . . . could easily make available every file on 
        his or her computer, without intending to do so or even 
        realizing it after the fact. This could include 
        personal correspondence, private financial information, 
        and even proprietary and sensitive government 
        documents.\1\
---------------------------------------------------------------------------
    \1\Opening Remarks by Senator Feinstein at the Senate Committee on 
the Judiciary hearing entitled The Dark Side of a Bright Idea: Could 
Personal and National Security Risks Compromise the Potential of Peer-
to-Peer File Sharing Networks? (June 17, 2003).

    Chairman Davis and Ranking Member Waxman attempted to 
address that concern when they introduced H.R. 3159, the 
Government Network Security Act of 2003 on September 24, 2003. 
The bill required federal agencies to address the risks posed 
by peer-to-peer file sharing programs when developing their 
network security policy and procedures and was reported 
favorably with an amendment by the Committee on September 25, 
2003, by a voice vote. The bill was agreed to in the House, as 
amended, under suspension of the rules on October 8, 2003, by a 
voice vote. It was later reported favorably by the Senate 
Committee on Governmental Affairs on November 10, 2003, without 
amendment and placed on the Senate Legislative Calendar, but 
the 108th Congress ended before the Senate took up the bill.
    During the 109th Congress, the Committee held the hearing, 
Inadvertent Filesharing over Peer-to-Peer Networks (July 24, 
2007).
    In addition, the Subcommittees on Government Management, 
Organization, and Procurement and Information Policy, Census, 
and National Archives held a joint legislative hearing on H.R. 
4791, the Federal Agency Data Protection Act (February 14, 
2008). The legislation was introduced by Representatives Clay, 
Towns, and Waxman on December 18, 2007, and included language 
requiring federal agencies to develop plans to reduce the risks 
to federal networks posed by peer-to-peer file sharing 
software. H.R. 4791 was ordered reported, as amended, by the 
Committee on Oversight and Government Reform by a voice vote on 
April 16, 2008. The bill was agreed to in the House of 
Representatives, as amended, under suspension of the rules by a 
voice vote on June 3, 2008. On June 4, 2008, H.R. 4791 was 
referred to the Senate Committee on Homeland Security and 
Governmental Affairs.
    During the 111th Congress, the Committee held the hearing, 
Inadvertent File Sharing Over Peer-to-Peer Networks: How it 
Endangers Citizens and Jeopardizes National Security (July 29, 
2009).
    The witnesses were Mark Gorton, Chairman, The Lime Group; 
Robert Boback, Chief Executive Officer, Tiversa, Inc.; and Tom 
Sydnor, Senior Fellow and Director, Center for the Study of 
Digital Property at the Progress and Freedom Foundation.
    H.R. 4098, the Secure Federal File Sharing Act, was 
introduced by Chairman Towns on November 17, 2009. The 
Committee held a business meeting on March 4, 2010, and ordered 
H.R. 4098 to be reported favorably by voice vote.

                           SECTION-BY-SECTION

Section 1. Short title

    This section provides that the short title of the bill is 
the ``Secure Federal File Sharing Act.''

Section 2. Requirements

    Subsection (a) requires the Director of the Office of 
Management and Budget, in consultation with the Federal Chief 
Information Officers Council, to issue guidance within 90 days 
on the use of peer-to-peer file sharing software to (1) 
prohibit the download, installation, or use by Government 
employees and contractors of open network peer-to-peer file 
sharing software on all Federal computers, computer systems, 
and networks, including those of contractors working on the 
government's behalf and (2) address the use of such software by 
Government employees and contractors as it relates to telework 
and remotely accessing Federal computers, computer systems, and 
networks.
    Subsection (b) requires the Director of the Office of 
Management and Budget to develop a procedure within 90 days by 
which the Director, in consultation with the Chief Information 
Officer, may receive requests from agency heads or chief 
information officers for approval for use by Government 
employees and contractors of specific open-network peer-to-peer 
file sharing software programs that are (1) necessary for the 
day-to-day business operations of the agency; (2) instrumental 
in completing a particular task or project that directly 
supports the agency's overall mission; (3) necessary for use 
between, among, or within Federal, State, or local government 
agencies in order to perform official agency business; or (4) 
necessary for use during the course of a law enforcement 
investigation.
    Subsection (c) outlines agency responsibilities. More 
specifically, it requires the Director of the Office of 
Management and Budget, within 180 days, to direct agencies to 
(1) establish or update their personal use policies to be 
consistent with the guidance issued pursuant to subsection (a); 
(2) require any contract awarded by the agency to include a 
requirement that the contractor comply with the guidance issued 
pursuant to subsection (a) in the performance of the contract; 
(3) update their information technology security or ethics 
training policies to ensure that all employees, including those 
of contractors working on the Government's behalf, are aware of 
the requirements of the guidance required by subsection (a) and 
the consequences of engaging in prohibited conduct; and (4) 
ensure that proper security controls are in place to prevent, 
detect, and remove file sharing software that is prohibited by 
the guidance issued pursuant to subsection (a) from all Federal 
computers, computer systems, and networks, including those 
operated by contractors on the Government's behalf.

Section 3. Annual report

    This section describes the reporting requirement of the 
Director of the Office of Management and Budget to submit to 
the Committee on Oversight and Government Reform in the House 
of Representatives and the Committee on Homeland Security and 
Governmental Affairs in the Senate, within one year and 
annually thereafter, a report on the implementation of this Act 
including (1) a justification for each open-network peer-to-
peer file sharing software program that is approved pursuant to 
subsection (b) and (2) an inventory of the agencies where such 
programs are being used.

Section 4. Definitions

    This section defines ``agency'' as having the meaning given 
the term ``Executive agency'' by section 105 of title 5, United 
States Code.
    The term ``open-network,'' with respect to software, is 
defined as a network in which (A) access is granted freely, 
without limitation or restriction or (B) there are little or no 
security measures in place.
    As defined by this section, the term ``peer-to-peer file 
sharing software'' (A) means a program, application, or 
software that is commercially marketed or distributed to the 
public and that enables (i) a file or files on the computer on 
which such program is installed to be designated as available 
for searching and copying to one or more other computers; (ii) 
the searching of files on the computer on which such program is 
installed and the copying of any such file to another computer 
(I) at the initiative of such other computer and without 
requiring any action by an owner or authorized user of the 
computer on which such program is installed and (II) without 
requiring an owner or authorized user of the computer on which 
such program is installed to have selected or designated 
another computer as the recipient of any such file; and (iii) 
an owner or authorized user of the computer on which such 
program is installed to search files on one or more other 
computers using the same or a compatible program, application, 
or software, and copy such files to such owner or user's 
computer.
    In addition, the term ``peer-to-peer file sharing 
software'' (B) does not include a program, application, or 
software designed primarily to (i) operate as a server that is 
accessible over the Internet using the Internet Domain Name 
system; (ii) transmit or receive email messages, instant 
messages, real-time audio or video communications, or real-time 
voice communications; or (iii) provide network or computer 
security (including the detection or prevention of fraudulent 
activities), network management, maintenance, diagnostics, or 
technical support or repair.
    This section defines ``contractor'' as having the meaning 
given the terms ``prime contractor'' or ``subcontractor'' in 
the Federal Acquisition Regulation.

                       EXPLANATION OF AMENDMENTS

    No amendments were offered to this legislation.

                        COMMITTEE CONSIDERATION

    On Thursday, March 4, 2010, the Committee met in open 
session and ordered H.R. 4098 to be reported favorably to the 
House by a voice vote.

                            ROLL CALL VOTES

    No roll call votes were held.

              APPLICATION OF LAW TO THE LEGISLATIVE BRANCH

    Section 102(b)(3) of Public Law 104-1 requires a 
description of the application of this bill to the legislative 
branch where the bill relates to terms and conditions of 
employment or access to public services and accommodations.
    H.R. 4098 relates to the use of open network peer-to-peer 
file sharing software at federal agencies and among federal 
contractors doing business with the government. Therefore, it 
does not apply to the legislative branch.

         STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

    In accordance with clause 3(c)(4) of rule XIII of the Rules 
of the House of Representatives, the Committee's performance 
goals and objectives are reflected in the descriptive portions 
of this report, including protecting federal computer systems, 
networks, and government information from improper exposure.

                   CONSTITUTIONAL AUTHORITY STATEMENT

    Under clause 3(d)(1) of rule XIII of the Rules of the House 
of Representatives, the Committee must include a statement 
citing the specific powers granted to Congress to enact the law 
proposed by H.R. 4098. Article I, Section 8, Clause 18 of the 
Constitution of the United States grants the Congress the power 
to enact this law.

                     FEDERAL ADVISORY COMMITTEE ACT

    The Committee finds that the legislation does not establish 
or authorize the establishment of an advisory committee within 
the meaning of 5 U.S.C. App., Section 5(b).

                       UNFUNDED MANDATE STATEMENT

    Section 423 of the Congressional Budget and Impoundment 
Control Act (as amended by Section 101(a)(2) of the Unfunded 
Mandates Reform Act, P.L. 104-4) requires a statement on 
whether the provisions of the report include unfunded mandates. 
In compliance with this requirement the Committee has received 
a letter from the Congressional Budget Office included herein.

                         EARMARK IDENTIFICATION

    H.R. 4098 does not include any congressional earmarks, 
limited tax benefits, or limited tariff benefits as defined in 
clause 9(e), 9(f), or 9(g) of rule XXI.

                           COMMITTEE ESTIMATE

    Clause 3(d)(2) of rule XIII of the Rules of the House of 
Representatives requires an estimate and a comparison by the 
Committee of the costs that would be incurred in carrying out 
H.R. 4098. However, clause 3(d)(3)(B) of that rule provides 
that this requirement does not apply when the Committee has 
included in its report a timely submitted cost estimate of the 
bill prepared by the Director of the Congressional Budget 
Office under section 402 of the Congressional Budget Act.

     BUDGET AUTHORITY AND CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

    With respect to the requirements of clause 3(c)(2) of rule 
XIII of the Rules of the House of Representatives and section 
308(a) of the Congressional Budget Act of 1974 and with respect 
to requirements of clause 3(c)(3) of rule XIII of the Rules of 
the Houseof Representatives and section 402 of the 
Congressional Budget Act of 1974, the Committee has received the 
following cost estimate for H.R. 4098 from the Director of the 
Congressional Budget Office:

                                                    March 10, 2010.
Hon. Edolphus Towns,
Chairman, Committee on Oversight and Government Reform,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 4098, the Secure 
Federal File Sharing Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Matthew 
Pickford.
            Sincerely,
                                              Douglas W. Elmendorf.
    Enclosure.

H.R. 4098--Secure Federal File Sharing Act

    H.R. 4098 would require federal agencies to develop and 
implement a plan within six months to ensure that computer 
systems, including those used by contractors, are secure from 
the use of certain file-sharing software. Affected software, 
known as peer-to-peer (P2P) file-sharing programs, are 
applications that allow users to download and directly share 
electronic files from other users. The legislation would not 
prohibit the use of all file-sharing programs but would require 
the Office of Management and Budget (OMB) to develop a 
procedure for agencies to receive approval to use file-sharing 
programs. Finally, H.R. 4098 would require agencies to create 
plans to address security concerns for government computer 
networks.
    Most provisions of H.R. 4098 would codify and expand 
current practices of the federal government. Under the E-
Government Act of 2002, federal agencies are already charged 
with protecting information from unauthorized access, use, 
disclosure, disruption, modification, or destruction. In 
addition, OMB has already provided guidance on the use of file-
sharing technology.
    Under H.R. 4098, OMB would be required to provide 
additional guidance and procedures for approving certain file-
sharing programs, and agencies would have additional reporting 
and training requirements. Based on information from OMB and 
industry sources, and subject to the availability of 
appropriated funds, CBO estimates that implementing H.R. 4098 
would cost about $10 million over the 2011-2014 period.
    Enacting H.R. 4098 could affect direct spending by agencies 
not funded through annual appropriations, such as the Tennessee 
Valley Authority and the Bonneville Power Administration; 
therefore, pay-as-you-go procedures would apply. However, CBO 
estimates that those budgetary effects would be insignificant 
for each year.
    H.R. 4098 contains no intergovernmental mandates as defined 
in the Unfunded Mandates Reform Act (UMRA) and would not affect 
the budgets of state, local, or tribal governments.
    H.R. 4098 would impose a private-sector mandate, as defined 
in UMRA, to the extent that it would require federal government 
contractors that use file-sharing software to comply with new 
restrictions on downloading, installing, or using that software 
on computers used for federal work. Because any new contracts 
that contain such restrictions would be entered into 
voluntarily, the requirements of the bill would only constitute 
a mandate to the extent that they would affect existing 
contracts. The cost of the mandate would be the expenditures 
required to modify computer systems or software to comply with 
new requirements. According to several experts in information 
technology, most file-sharing programs that are related to work 
would not fit the bill's definition of P2P software and, 
therefore, would not be subject to the restrictions in the 
bill. Consequently, CBO expects that any compliance cost would 
fall below the annual threshold for private-sector mandates 
established in UMRA ($141 million in 2010, adjusted annually 
for inflation).
    The CBO staff contacts for this estimate are Matthew 
Pickford (for federal costs) and Sam Wice (for the private-
sector impact). This estimate was approved by Theresa Gullo, 
Deputy Assistant Director for Budget Analysis.

         CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    No changes to existing law are made by H.R. 4098, as 
reported.

                                  
