The House bill was prompted by a series of embarrassing leaks of government-held data on everything from nuclear facilities to Army officers’ Social Security numbers to confidential congressional ethics investigations.  Those ethics panel leaks were labeled by the Recording Industry Association of America as “a powerful catalyst to enact real reforms to protect consumers.”  A recent report revealing the troubling degree of insecurity in federal government file transfers will probably only add urgency to the debate on the Senate bill.  The study, titled “Why Encrypt? Federal File Transfer Report,” was released on May 11, 2010 by MeriTalk, a government IT network, in conjunction with Axway, a company specializing in business-to-business integration software.  The report surveyed 200 federal IT and information security professionals.  It found that an alarming number of these personnel use unsafe file-transfer methods, including physical media (66%), FTP (60%), and personal email accounts like Gmail or Yahoo (52%).  Although 80% claimed their agency had adequate transfer-security policies, only 58% said employees were aware of those policies, and just 42% said such policies were consistently followed. 

It will be worth staying tuned to see whether these damning statistics will convince the entire Senate to bolster federal file-transfer security — and raise awareness about the issue — by passing the Secure Federal File Sharing Act.  One might also wonder whether these legislative developments would influence private-sector policymakers — in corporations and other institutions — to follow the federal government’s lead in banning P2P software use. 

In any event, P2P security initiatives in the private sector may get a direct boost from the federal government through “The P2P Cyber Protection and Informed User Act”, introduced by Senators John Thune (R-SD) and Amy Klobuchar (D-MN). 

If the Secure Federal File Sharing Act seeks to protect the government and the public alike from the dangers of data leaks within federal networks, the Thune-Klobuchar legislation seeks to protect all individual users of P2P software from inadvertently exposing their own private files to the public.  Thune saidhis bill will take aim at “the privacy and security threats associated with” P2P file-sharing.  Klobuchar explained to the Minneapolis Star Tribune that “without proper precautions, P2P software can allow anyone on the network to gain access to all the files on your computer, not just the ones you intend to share.”  She said that because such software often “allow[s] access to private financial or family records, it’s an invitation to identity thieves and sexual predators.” 

The Klobuchar-Thune bill, whose companion legislation has already been passed in the House as the “Informed P2P User Act” (H.R. 1319), includes two major components.  First, it would require all P2P software to provide a user with “clear and conspicuous” notice of the program’s function, and obtain the user’s consent, before the software is downloaded or installed.  Second, the bill would make it illegal to prevent a user from blocking, disabling, or removing P2P software.  The bill would bestow enforcement authority upon the FTC, which in February 2010 notified about 100 private and public organizations that they had suffered P2P-based data breaches.    

It would be worth speculating on whether this wider regulation of P2P software could ultimately have a chilling effect on the general public’s use of programs like uTorrent, Shareaza, Ares, Limewire, and BitComet.  If so, one might imagine that content owners may get behind the bill in an effort to stem the losses from P2P-based infringement.  The bill has received support from the RIAA, the Direct Marketing Association, Stop Child Predators, and 41 state attorneys general.     

Stay tuned.

**  Nathaniel Fintz, a summer associate with the Firm, assisted in the preparation of this post.

If adopted, the new Act would bar government employees and contractors from downloading, installing or even using P2P file sharing software, such as LimeWire, without official approval.  In response to the most recent leak, the bill would also require the White House to develop rules for employees working on home or personal computers.  In order to use file sharing networks, an agency head or CIO would have to make a special request to use the P2P software.  Furthermore, agencies would be obliged to establish P2P use policies, require that employees and contractors comply with them, and then create security mechanisms to detect and remove prohibited software. 

In 2004, the White House Office of Management and Budget advised federal agencies simply not to use any P2P software.  As evidenced by the most recent embarrassment, this “advice” was not sufficient and now hopes that putting the prohibition into federal law will grant it much greater weight.  Critics of P2P software complain that personal data including social security numbers, medical records and tax returns are being shared because users are unaware of how the software operates, primarily because inadvertent filing sharing occurs (for example, when a user wants to share music or video files from a specific location or folder on his/her PC, a variety of other personal data and files, in all different formats, may also be shared). 

Security industry experts appearing at Congressional hearings earlier this year testified that file sharing software has resulted in the release of personally identifiable information associated with members of the U.S. Military, including social security number of master sergeants, medical records and even surveillance photos.  In addition, information accidentally released from a Fortune 100 company included thousands of e-mails, contact addresses, phone numbers and passcodes.  Rep. Towns’ goal is to “put a referee on the field” in terms of regulating use of such software in response to what he deems as the file-sharing industry’s unwillingness and/or inability to ensure user safety.  It appears he will also dedicate resources to encourage the government to launch a national consumer education campaign about the dangers associated with the use file-sharing software. 

Rep. Towns also proposed that the Federal Communications Commission and Federal Trade Commission look to aid in preventing this growing problem.  Right now, however, it is unclear what kind of influence is statutorily granted to the FCC, if any at all. 

Regardless, it will also be very interesting to see if or when the specter of enacting this new bill into law will affect future P2P file sharing program use in the commercial sector, or lead to additional policy and regulatory initiatives in the area.

*  Kari Hirsch, who recently joined the DigitalHHR team, contributed to the preparation of this post.