[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]

INADVERTENT FILE SHARING OVER PEER-TO-PEER NETWORKS
=======================================================================

HEARING
before the
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
FIRST SESSION

JULY 24, 2007

Serial No. 110-39

Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
http://www.house.gov/reform

U.S. GOVERNMENT PRINTING OFFICE
40-150 WASHINGTON : 2008
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 20402-0001

COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

HENRY A. WAXMAN, California, Chairman

Majority:
TOM LANTOS, California
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
DIANE E. WATSON, California
STEPHEN F. LYNCH, Massachusetts
BRIAN HIGGINS, New York
JOHN A. YARMUTH, Kentucky
BRUCE L. BRALEY, Iowa
ELEANOR HOLMES NORTON, District of Columbia
BETTY McCOLLUM, Minnesota
JIM COOPER, Tennessee
CHRIS VAN HOLLEN, Maryland
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont

Minority:
TOM DAVIS, Virginia
DAN BURTON, Indiana
CHRISTOPHER SHAYS, Connecticut
JOHN M. McHUGH, New York
JOHN L. MICA, Florida
MARK E. SOUDER, Indiana
TODD RUSSELL PLATTS, Pennsylvania
CHRIS CANNON, Utah
JOHN J. DUNCAN, Jr., Tennessee
MICHAEL R. TURNER, Ohio
DARRELL E. ISSA, California
KENNY MARCHANT, Texas
LYNN A. WESTMORELAND, Georgia
PATRICK T. McHENRY, North Carolina
VIRGINIA FOXX, North Carolina
BRIAN P. BILBRAY, California
BILL SALI, Idaho
JIM JORDAN, Ohio

Phil Schiliro, Chief of Staff
Phil Barnett, Staff Director
Earley Green, Chief Clerk
David Marin, Minority Staff Director

C O N T E N T S
----------

Hearing held on July 24, 2007

Statement of:
    Sydnor, Thomas D., II, Attorney-Advisor, Copyright Group, Office of International Relations, U.S. Patent and Trademark Office; Mary Koelbel Engle, Associate Director for Advertising Practices, Bureau of Consumer Protection, Federal Trade Commission; Daniel G. Mintz, Chief Information Officer, U.S. Department of Transportation; General Wesley K. Clark, chairman and chief executive officer, Wesley K. Clark and Associates, board member, Tiversa, Inc.; Robert Boback, chief executive officer, Tiversa, Inc.; M. Eric Johnson, professor of operations management, director, Glassmeyer/McNamee Center for Digital Strategies, Tuck School of Business, Dartmouth College; and Mark Gorton, chief executive officer, the Lime Group
        Boback, Robert
        Clark, General Wesley K.
        Engle, Mary Koelbel
        Gorton, Mark
        Johnson, M. Eric
        Mintz, Daniel G.
        Sydnor, Thomas D., II

Letters, statements, etc., submitted for the record by:
    Boback, Robert, chief executive officer, Tiversa, Inc., prepared statement of
    Davis, Hon. Tom, a Representative in Congress from the State of Virginia, prepared statement of
    Engle, Mary Koelbel, Associate Director for Advertising Practices, Bureau of Consumer Protection, Federal Trade Commission, prepared statement of
    Gorton, Mark, chief executive officer, the Lime Group, prepared statement of
    Issa, Hon. Darrell E., a Representative in Congress from the State of California, prepared statement of
    Johnson, M. Eric, professor of operations management, director, Glassmeyer/McNamee Center for Digital Strategies, Tuck School of Business, Dartmouth College, prepared statement of
    Mintz, Daniel G., Chief Information Officer, U.S. Department of Transportation, prepared statement of
    Sydnor, Thomas D., II, Attorney-Advisor, Copyright Group, Office of International Relations, U.S. Patent and Trademark Office, prepared statement of
    Waxman, Chairman Henry A., a Representative in Congress from the State of California, prepared statement of

INADVERTENT FILE SHARING OVER PEER-TO-PEER NETWORKS
----------

TUESDAY, JULY 24, 2007

House of Representatives,
Committee on Oversight and Government Reform,
Washington, DC.

The committee met, pursuant to notice, at 10 a.m. in room 2154, Rayburn House Office Building, Hon. Henry A. Waxman (chairman of the committee) presiding.

Present: Representatives Waxman, Cummings, Tierney, Clay, Watson, Yarmuth, Norton, Cooper, Hodes, Welch, Davis of Virginia, Shays, Cannon, Issa, and Jordan.
Staff present: Phil Schiliro, chief of staff; Phil Barnett, staff director and chief counsel; Kristin Amerling, general counsel; Roger Sherman, deputy chief counsel; Earley Green, chief clerk; Teresa Coufal, deputy clerk; Zhongrui ``JR'' Deng, chief information officer; Leneal Scott, information systems manager; Tony Haywood, Information Policy, Census and National Archives staff director; Kerry Gutknecht and Will Ragland, staff assistants; David Marin, minority staff director; Larry Halloran, minority deputy staff director; Jennifer Safavian, minority chief counsel for oversight and investigations; Keith Ausbrook, minority general counsel; Ellen Brown, minority legislative director and senior policy counsel; Charles Phillips, minority counsel; Allyson Blandford, minority professional staff member; Patrick Lyden, minority parliamentarian and member services coordinator; and Benjamin Chance, minority clerk.

Chairman Waxman. The meeting of the committee will come to order.

Just over 4 years ago, the Committee on Government Reform held a hearing entitled ``Overexposed: the Threats to Privacy and Security on File-Sharing Networks.'' Then, as now, the hearing was part of a bipartisan effort to investigate and understand the uses and risks of peer-to-peer file-sharing networks, also known as P2P networks.

The committee previously looked at two problematic aspects associated with P2P networks: children's exposure to pornography on these P2P networks, and the privacy and security risks created by these networks. That investigation found that P2P networks were making highly personal data, such as tax returns and financial information, available to anybody using popular P2P applications like Kazaa, Morpheus, LimeWire, and Grokster. These documents were being shared with millions of computer users without the knowledge of their owners.
After the hearing, numerous P2P file-sharing program distributors adopted a voluntary Code of Conduct to prevent inadvertent disclosures of sensitive information. Along with other Members, I had hoped the problem had been solved.

In March, however, the Patent and Trademark Office released a report suggesting that inadvertent file sharing may still be a serious problem. Moreover, following the release of the PTO study, several news reports revealed that individuals and government entities were unknowingly sharing highly confidential information, including files from the National Archives, the Department of Transportation, a Naval Hospital, and the Department of Defense.

The committee staff did its own investigation. We used the most popular P2P program, LimeWire, and ran a series of basic searches. What we found was astonishing: personal bank records and tax forms, attorney/client communications, the corporate strategies of Fortune 500 companies, confidential corporate accounting documents, internal documents from political campaigns, government emergency response plans, and even military operations orders. All these files were found in unpublished Microsoft Word document format. All were found in limited searches over the past month. It is truly chilling to think of what a private organization, an organized operation or a foreign government could acquire with additional resources.

In light of these developments, Ranking Member Davis and I agreed that the committee should take another look at the privacy and security issues posed by P2P networks. We will use this hearing to examine three basic questions. Does inadvertent file sharing over P2P networks create unacceptable risks for consumers, corporations, and Government? If so, how extensive is the problem? Does Congress need to intervene in this matter with legislation, or can the problems be addressed through available oversight tools and enhanced consumer education?
We are fortunate to have with us a distinguished panel of experts. They include Government officials, representatives from computer security firms, academics, and the head of LimeWire. They can provide the committee with a wide range of perspectives on the risks and benefits of P2P networks.

The purpose of this hearing is not to shut down P2P networks or bash P2P technology. P2P networks have the potential to deliver innovative and lawful applications that will enhance business and academic endeavors, reduce transaction costs, and increase available bandwidth across the country. At the same time, however, we must achieve a balance that protects sensitive government, personal, and corporate information and copyright laws. The goal of this hearing is to gain insights into how to strike this balance and ensure that inadvertent file sharing does not jeopardize the public's privacy and security.

[The prepared statement of Chairman Henry A. Waxman follows:]

[GRAPHIC] [TIFF OMITTED] T0150.001-T0150.005

The Chair now wishes to recognize Ranking Member Tom Davis, and we will call on Members for brief opening statements. Mr. Davis.

Mr. Davis of Virginia. Mr. Chairman, thank you. Let me just say something at the beginning, and that is that last Thursday night an event took place on the Mall on a level playing field where the Waxman Team played the Davis Team in a softball game. I am happy to say that, for the first time this year, our side won something with this committee, an 8-7 victory. For the record, I had a hit and scored a run. The Cougar team of the chairman's staff was without the services of the chairman. He was detained on business that evening, or the score might have been different. But I just wanted to note that for the record.

Chairman Waxman. You would have won by a bigger number.

[Laughter.]

Mr. Davis of Virginia.
We did have a couple interns. One plays on the Harvard Baseball Team, and another on the Swarthmore Baseball Team. They helped us. Oh, and we had a Rhodes Scholar in left field that made a great catch. We will be ready for a rematch any time. I want to thank you again for this hearing today, Mr. Chairman. Four years ago, this committee undertook a detailed examination of peer-to-peer file-sharing programs. Since then, technology has advanced. Legal actions have been initiated, and the landscape of companies and programs has changed. But the risk to sensitive personal information and confidential records still exists. I am pleased the committee is continuing an effort we began 4 years ago. At that hearing we examined the growing problem of pornography, including child pornography, on these networks. The testimony was surprising and shocking. At the second hearing we examined issues similar to those we are focusing on today. We asked why highly personal information could be found on these networks. We looked at the prevalence of spyware or adware hidden within these programs, and we examined the growing risk of downloading computer viruses from files shared on these programs. Under my direction the committee prepared and released a staff report highlighting the types of sensitive personal information available on these networks. Four years later it appears these problems persist. As I said then, users of these programs may accidentally share information because of incorrect program information. We will learn today exactly what people are sharing, whether they know it or not. As I have noted before, secure information is the lifeblood of effective government policy and management; yet, sensitive personal and classified information continues to be placed at risk. 
The examples we will hear today will illustrate how far we have to go to reach the goal of strong, uniform, Government-wide information security policies and procedures, but this hearing will show the unique risks that we face.

I have focused on Government-wide information, management, and security for a long time. The Privacy Act and the E-Government Act of 2002 outlined the parameters for the protection of personal information. The incidents we will examine today highlight the importance of establishing and following good security practices for safeguarding personal information, whether at home or at work. They highlight the need for proactive security breach notification requirements for organizations, including Federal agencies, dealing with sensitive personal information. And they demonstrate the need for personal vigilance and responsibility when online.

Federal agencies present unique data security requirements and challenges, and this has been our focus. These incidents demonstrate the importance of strengthening the laws and rules protecting personal information held by Federal agencies. We need to do this quickly. As we have seen, our computers hold sensitive personal and classified information on every citizen and on every subject. We need to ensure this information remains where it should and the public knows when its sensitive personal information has been lost or compromised. Public confidence in Government in this area is essential.

It is important for us to recognize that file-sharing programs can be beneficial. As file size increases and demands for bandwidth expands, these programs can move huge amounts of data efficiently among a large number of users, but I think the volume and type of sensitive information out there will surprise people. And if this information is being harvested and shared through deceptive practices or manipulative programs, then it must stop.
For the past several years we have focused on improving and enhancing the information security posture of Federal agencies, because in the end the public demands effective Government, and effective Government depends on secure information, so this is an issue that must remain a priority for all of us.

Mr. Chairman, thank you for continuing the committee's work in this important area. I want to welcome our witnesses and thank them for appearing today.

[The prepared statement of Hon. Tom Davis follows:]

[GRAPHIC] [TIFF OMITTED] T0150.006-T0150.008

Chairman Waxman. Thank you very much, Mr. Davis. I want to recognize Members who wish to make a brief opening statement, but I would like to point out to my colleagues that we have a long list of very distinguished panelists to make a presentation to us, so keep the opening statements as brief as possible, and certainly no longer than 5 minutes. Mr. Cummings.

Mr. Cummings. No statement at this time.

Chairman Waxman. Mr. Hodes.

Mr. Hodes. Thank you, Mr. Chairman. Mr. Chairman, this is a very important hearing on peer-to-peer file-sharing networks. I want to thank all the witnesses in the distinguished panel who are here today. We are in an age when new technologies are constantly allowing us to share information in new ways, but these innovations bring with them new security threats, and with the rise of peer-to-peer sharing networks we are seeing new challenges on how to protect our society as it moves into a technologically advanced age.
Unimaginable advances and the spread of home computers, laptops, work stations are now a part of everyday life, and significant concerns are raised and should be by peer-to-peer file-sharing networks: threats to individuals, personal financial security, the danger to our children, assaults on our national security, the possibility that peer-to-peer sharing networks allow terror groups to piece together classified information, and danger to banks and other corporations who may be inadvertently sharing confidential financial or proprietary information.

I would like to be just parochial for a moment and welcome someone from my own District who is testifying here today. M. Eric Johnson is director of Tuck's Glassmeyer/McNamee Center for Digital Strategies and professor of operations management at the Tuck School of Business at Dartmouth College. We welcome your testimony, Mr. Johnson, along with the rest of the panel. I am sure you are enjoying drier weather here in Washington than they are experiencing in New England. I yield back. Thank you, Mr. Chairman.

Chairman Waxman. Thank you, Mr. Hodes. Mr. Cannon.

Mr. Cannon. Thank you, Mr. Chairman. I would like to thank you particularly for holding this hearing on what I think is an extraordinarily important topic. I think that the peer-to-peer is a profoundly important concept. It has problems, as we are going to deal with today, but it is a powerful tool that can have significant effects in health care and various other areas.

I would like to introduce in the audience today we have Lee Hollaar, professor at the University of Utah, who is the co-author of the FTC Report that is referenced in the committee memo. Mr. Hollaar has been a profoundly important person in the area of technological development and understanding the legal context in which that happened. In fact, if you read the Grokster Opinion by the Supreme Court, it follows very closely the amicus brief that Professor Hollaar had submitted.
He was heavily involved when I first met him. He was working with Senator Hatch on the Digital Millennium Copyright Act, and just this last week we actually got included in the markup of the patent reform bill in the Judiciary Committee a proposal for a special master's trial that I think may have a profound effect on our patent litigation system that he was deeply involved with. We are now working together on making some adjustments to trademark law that would allow users to control who has access to their computers with what kind of information in a way that would profoundly change, I think, the issue of pornography and how that is promulgated on a system that is still a little bit like the wild west. So I want to welcome Mr. Hollaar here today. Again, thank you, Mr. Chairman, for holding this hearing, and Mr. Davis. I yield back.

Chairman Waxman. Thank you very much, Mr. Cannon. Mr. Cooper.

Mr. Cooper. No statement, thank you, Mr. Chairman.

Chairman Waxman. Mr. Welch.

Mr. Welch. No, thanks, Mr. Chairman.

Chairman Waxman. Mr. Tierney.

Mr. Tierney. No.

Chairman Waxman. Mr. Issa.

Mr. Issa. Thank you, Mr. Chairman. I will be very brief. Since everyone is introducing somebody, I should recognize General Wesley Clark, who was twice my battalion commander when I was a Reservist. He's one of my claims to fame. I have very few, as you can imagine.

But more to the subject here today, Mr. Chairman, I think your calling this hearing is very timely because of the risk to the well-being of the Internet and the well-being of people who go on to the Internet. Although I can't submit this for the record until it is properly redacted, I took the liberty of having my staff just quickly go onto the LimeWire network, and we were able to download Natalia Gonzales' complete 2003 tax records, California resident. We now know about her unreimbursed employee business expenses.
We are very familiar with all of the California deductions and her gross and net taxes as a result of it, all of which was available. I hope today at the end of this hearing not only will we have started a trend for better responsibility by those who set up peer-to-peer networks, but I also hope that we will have informed the public of the need for them to question whether or not a service is inherently on their side or exposing their computers to the worst of all losses that they could imagine, including their Social Security number and even classified information. I will put the rest of my opening statement in for the record, and I truly appreciate your calling this hearing today and yield back.

[The prepared statement of Hon. Darrell E. Issa follows:]

[GRAPHIC] [TIFF OMITTED] T0150.095-T0150.096

Chairman Waxman. Thank you, Mr. Issa. Mr. Jordan.

Mr. Jordan. No opening statement, Mr. Chairman.

Chairman Waxman. Thank you. Without any other Members seeking recognition, let me introduce the panelists.

Tom Sydnor is one of the authors of the PTO Report detailing the risks of inadvertent file sharing. He is currently serving as an Attorney Advisor in the Office of International Relations at the U.S. Patent and Trademark Office.

Mary K. Engle is the Associate Director for Advertising Practices for the Federal Trade Commission's Division of Advertising Practices. She has been a staff attorney for the FTC since 1990.

Daniel Mintz is the Chief Information Officer for the U.S. Department of Transportation. He serves as the principal advisor to the Secretary on matters involving information resources and information services and mortgage mitigation.

M. Eric Johnson is director of Tuck's Glassmeyer/McNamee Center for Digital Strategies and professor of operations management at the Tuck School of Business, Dartmouth College. His teaching and research focus on the impact of information technology on supply chain management.
Mark Gorton is the founder and chief executive of the Lime Group, which owns Lime Brokerage, LLC; Tower Research Capital, LLC; Lime Medical, LLC; and LimeWire, LLC, a leading maker of file-sharing technology.

General Wesley K. Clark retired from the U.S. Army after 34 years, rising to the rank of four-star general. His last position was as NATO Supreme Allied Commander and the Commander-in-Chief of the U.S. European Command. In 2004 he started Wesley K. Clark and Associates, a strategic advisory and consulting firm, where he serves as chairman and CEO. In November 2006 he joined the Advisory Board of Tiversa, Inc.

And Mr. Robert Boback is co-founder and chief executive officer of Tiversa, Inc. As a result of his work at Tiversa, Mr. Boback has become a leading authority in the consequences of inadvertent information sharing, the P2P network.

We are pleased to have all of you here for our hearing today. It is a practice of this committee that all witnesses take an oath. I would like to ask each of you if you would stand and please raise your right hands.

[Witnesses sworn.]

Chairman Waxman. Let the record show that the witnesses each responded in the affirmative. We are pleased to have you with us. Your prepared statements will be in the record in full. We would like to ask if you would try to limit the oral presentation to around 5 minutes. Mr. Sydnor, why don't we start with you? We will have a clock that will give you a yellow light when there is 1 minute left, the red light meaning the time is expired. We hope all of you, not just you, alone, will be mindful of that and try to summarize at that point. Thank you.

STATEMENTS OF THOMAS D. SYDNOR II, ATTORNEY-ADVISOR, COPYRIGHT GROUP, OFFICE OF INTERNATIONAL RELATIONS, U.S. PATENT AND TRADEMARK OFFICE; MARY KOELBEL ENGLE, ASSOCIATE DIRECTOR FOR ADVERTISING PRACTICES, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION; DANIEL G. MINTZ, CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF TRANSPORTATION; GENERAL WESLEY K. CLARK, CHAIRMAN AND CHIEF EXECUTIVE OFFICER, WESLEY K. CLARK AND ASSOCIATES, BOARD MEMBER, TIVERSA, INC.; ROBERT BOBACK, CHIEF EXECUTIVE OFFICER, TIVERSA, INC.; M. ERIC JOHNSON, PROFESSOR OF OPERATIONS MANAGEMENT, DIRECTOR, GLASSMEYER/MCNAMEE CENTER FOR DIGITAL STRATEGIES, TUCK SCHOOL OF BUSINESS, DARTMOUTH COLLEGE; AND MARK GORTON, CHIEF EXECUTIVE OFFICER, THE LIME GROUP

STATEMENT OF THOMAS D. SYDNOR II

Mr. Sydnor. Thank you. I would like to thank this committee for holding this hearing on the issue of inadvertent file sharing. Other witnesses here today will focus on the consequences of inadvertent sharing; I want to focus on why inadvertent sharing occurs.

When the U.S. PTO realized that inadvertent sharing was occurring, my co-authors and I were asked to prepare the U.S. PTO report, File-Sharing Programs and Technological Features to Induce Users to Share. This report analyzed publicly available data on five popular file-sharing programs to determine why their users share files inadvertently. It reached several disturbing conclusions.

First, it concluded that the distributors of the five programs studied had repeatedly deployed at least five features that had a known or obvious tendency to cause inadvertent sharing of downloaded or existing files. Of these five features, the two most dangerous were the share folder and search wizard features condemned in the 2002 study Usability and Privacy, and in this committee's 2003 hearing.

This committee had good reason to think that these features had been eliminated, as promised during its hearing. Many distributors soon devised a self-regulatory Code of Conduct that would have prohibited their use. The authors of this code told Congress that it rendered further concerns about inadvertent sharing completely without foundation, a mere urban myth.
Nevertheless, in 2004 and 2005 we found similar share folder features in four of the five programs we studied, and search wizards in at least two.

To illustrate what these features could do, consider what would happen to my family if a visiting friend installed one of these programs on my home computer and tried to store downloaded files in its My Documents folder so they would be easy to find. I would end up sharing bank statements; tax returns; passwords for investment accounts; scans of legal, medical, and financial records; all my family photos; my children's names, addresses, and Social Security numbers; and a scan of the sign that designates the car authorized to pick up my daughter from preschool. And I would also share over 3,000 copyrighted audio files. With one mistake, I could be set up for identity theft, an infringement lawsuit, or far worse.

The situation becomes even more disturbing, because the U.S. PTO report also concluded that these five features had been deployed in waves. One study showed that as many users were learning how to disable features previously deployed, new sets of features appeared and proliferated.

Why might this be happening? In the Grokster case, the U.S. Supreme Court unanimously found overwhelming evidence that two distributors of popular file-sharing programs intended to induce users of their programs to infringe copyrights. On remand, the District Court found that nearly 97 percent of files requested for downloading on these networks were or were highly likely to be infringing. It also found that the distributor of one of these programs had claimed that the advantage of its business model was that it had no product cost to acquire music and an ability to get all the music.

This business model also had a disadvantage. Modern file-sharing networks are not completely interconnected like the Internet. A given user can locate and download only a tiny percentage of the files available on the network.
As a result, this business model would require many users to share many infringing files. But studies showed that when users were sued for sharing infringing files, their propensity to do so plunged. Then the deployment of features that could dupe users into sharing files unintentionally proliferated.

As a result, it has become important to understand why features that had a known propensity to cause inadvertent sharing kept on being deployed. If this conduct was the result of error, then the risk of inadvertent sharing might be expected to decrease. Over time, mistakes should tend to be fixed. But if these features were intended to dupe users into sharing infringing files inadvertently, then the risk of inadvertent sharing might be expected to increase. Over time, duping schemes should tend to persist and proliferate.

Consequently, the most disturbing thing about today's hearing is that it had to occur again. In 2003, this committee held a hearing on inadvertent sharing after the distributor of the then most popular file-sharing program deployed recursive sharing, search wizard, and share folder features. Today, this committee is holding a hearing on sharing after the distributor of today's most popular file-sharing program deployed recursive sharing, search wizard, and share folder features.

The U.S. PTO report was written in the hope that by documenting conduct that occurred over the last few years, we could help ensure that neither inadvertent sharing nor hearings like this one will continue to recur. Thank you.

[The prepared statement of Mr. Sydnor follows:]

[GRAPHIC] [TIFF OMITTED] T0150.009-T0150.028

Chairman Waxman. Thank you very much, Mr. Sydnor. Ms. Engle.

STATEMENT OF MARY KOELBEL ENGLE

Ms. Engle. Mr. Chairman and members of the committee, I am Mary Engle, the Associate Director for Advertising Practices at the Federal Trade Commission. I appreciate this opportunity to provide an update regarding the FTC's work involving peer-to-peer file-sharing issues. We have submitted our written statement today, which reflects the FTC's views. My oral statements are my own and do not necessarily reflect the views of the Commission.

Although P2P technology offers significant benefits, such as allowing for faster file transfers and easing computer storage requirements, it also poses risks to consumers. P2P file-sharing programs may come bundled with spyware or with viruses. In addition, as the recent Patent and Trademark Office report emphasizes, consumers may end up inadvertently sharing many sensitive files that are on their hard drive. The FTC has worked with industry to improve the disclosures of risk information on P2P file-sharing Web sites. They have also brought law enforcement actions where appropriate, and have taken steps to educate consumers and businesses on the risks involved.
In December 2004, the FTC held a public workshop to consider the many issues raised by P2P file sharing. In June 2005, we issued a report on that workshop which concluded that the risks involved with P2P file sharing stem largely from the result of how individuals use the technology, rather than being inherent in the technology, itself. The report emphasized that many of the risks posed by P2P file sharing also exist when consumers engage in other Internet-related activities, such as surfing Web sites, using search engines, or e-mail. In the report, the FTC staff recommended that industry do a better job of informing consumers about the risks of P2P file sharing. Over the past 3 years, we have periodically reviewed the risk disclosures provided on major P2P software Web sites and found that these disclosures have steadily improved. We also reviewed P2P Web sites to determine if they were a source of spyware. In the fall of 2005 we downloaded the 10 largest P2P file- sharing programs to determine whether the distributors were bundling spyware or adware with their programs, and, if so, whether they were disclosing that fact. We found that, of those 10 programs, 2 bundled undisclosed spyware or adware. One of those programs is no longer being distributed, and the other we referred to foreign consumer protection law agencies. In addition to protecting consumers by encouraging better disclosures, the FTC has brought two successful law enforcement actions related to P2P file sharing. In the case of FTC v. Cashier Myricks, the Commission sued the operator of the Web site MP3DownloadCity.com for making allegedly deceptive claims that it was 100 percent legal for consumers to use the file- sharing programs that the operator promoted to download and share movies, music, and computer games. In the case of FTC v. 
Odysseus Marketing, we filed suit against the operator of the Web site Kazanon.com for allegedly encouraging consumers to download software that the defendants falsely claimed would allow consumers to engage in anonymous P2P file sharing. In both cases, the defendants entered into settlement agreements that prohibit the alleged misrepresentations and require them to disgorge their ill-gotten gains.

Educating consumers and businesses about the potential risks of file sharing is vital. In July 2003, the FTC issued a consumer alert warning consumers about these risks, including the risk of inadvertently sharing sensitive files and of receiving spyware, viruses, copyright-infringing materials, and unwanted pornography. The alert, which we updated this past December, recommends that consumers carefully set up file-sharing programs so that they don't open access to information on their hard drives, such as tax returns, e-mail messages, medical records, photos, or other personal documents. The consumer alert has been accessed on our Web site over 1.3 million times. In addition, the FTC's general Internet education Web site, OnGuardOnline.gov, contains information about the risks of P2P file sharing, including quick facts, an interactive quiz, and additional resources and lessons from i-SAFE, an organization that educates children and teens about Internet safety.

The FTC will continue to assess the risks associated with P2P file sharing, educate consumers, monitor and encourage industry self-regulation, and investigate and bring law enforcement actions when appropriate. In particular, we are closely examining the findings of the PTO report to determine if Commission involvement is appropriate. Thank you. I look forward to your questions.

[The prepared statement of Ms.
Engle follows:]

[GRAPHIC] [TIFF OMITTED] T0150.029 through T0150.040

Chairman Waxman. Thank you very much, Ms. Engle. Mr. Mintz.

STATEMENT OF DANIEL G. MINTZ

Mr. Mintz. Mr. Chairman, Ranking Member Davis, and members of the committee, I would like to thank you for the opportunity to appear today to discuss the important issue of peer-to-peer file sharing and briefly mention an incident that occurred at the Department, and to talk about some of the actions we have been taking, both on an ongoing basis and in response to the incident.

My name is Dan Mintz. I am the Chief Information Officer for the Department of Transportation, where I have been since May 1, 2006. I came to the Government from Sun Microsystems, where I chaired a corporate-wide team that studied the protection of sensitive Government information within Sun's corporate systems. The lessons learned from that experience have proven valuable during my time at the Department.

Responsible peer-to-peer software can provide Government agencies with many benefits, including increased productivity and efficiency. Unfortunately, it also poses a significant risk to agencies' systems, networks, and information, as well as to home computers, and problems with peer-to-peer software can be difficult to detect. A few incidents have occurred within Government recently. One involved a Department of Transportation employee, when her child, a teenager, unbeknownst to the employee, downloaded software on the employee's personal computer.
The daughter did not realize this would expose information on the family computer to others using the same or compatible software. These incidents illustrate the challenges we face and the need for due diligence on all of our parts.

At the Department we are continually improving overall security. We have policies in place regarding file sharing, and we have a training program already that emphasizes these policies. At the same time, I wanted to mention five areas where we are doing work related to this.

First, we are performing an in-depth review of the security architecture that we have now integrated at our Department's new headquarters building at the Southeast Federal Center that we just finished moving into, and consolidating what had been individually managed networks run by each of the departmental operating administrations.

Second, we are working with the Federal Aviation Administration to combine our two separately managed incident reporting centers into a single center to create an integrated approach for Department-wide monitoring of such incidents.

Third, we are doing a review of the policies. We have asked the Department's IG to work with us to examine the policies and determine which ones are effective right now, which need auditing, and where there are gaps that we need to fill in terms of the overall policies.

Fourth, relating to telework, we are expanding our emphasis to move our employees to laptops. Right now the vast majority of employees have desktops; only a small percentage have laptops. We want to increase the percentage of laptops which, by policy and by practice, are encrypted, away from the traditional desktop configurations. In this fashion, we will increase the percentage of employees who, when they do work at home, are using Government-owned equipment, and Government-owned equipment that is encrypted.
Fifth, we will be improving the messaging regarding peer-to-peer software to new employees, and particularly those who are involved in our telework program. We find that the issues we are coming across are, in large part, cultural as well as technological.

In closing, progress has been made at DOT in managing these threats stemming from peer-to-peer file sharing, but we will have to remain vigilant in educating our employees about these dangers and developing and implementing policies, procedures, and technologies which will safeguard the networks and our sensitive data. We also need to recognize that, regardless of the policies we write and put in place and how we make these policies available to our employees, we have to continually audit their performance and how they are used and reinforce them in order to have them be effective. Again, I would like to thank you for the opportunity to comment on the topic and I look forward to answering any questions that you have.

[The prepared statement of Mr. Mintz follows:]

[GRAPHIC] [TIFF OMITTED] T0150.041 through T0150.051

Chairman Waxman. Thank you very much, Mr. Mintz. Mr. Johnson.

STATEMENT OF M. ERIC JOHNSON

Mr. Johnson. Chairman Waxman and Ranking Member Davis and members of the committee, I am Eric Johnson and it is a great honor to testify here today. You might wonder why a business professional is studying peer-to-peer security threats. First, let me be clear: I have no financial stake in the security industry, nor have I accepted funding from the recording industry.
I became interested in peer-to-peer security risks as part of my ongoing research on information security in large corporations. My research center, the Center for Digital Strategies at the Tuck School of Business at Dartmouth, is focused on the problems facing chief information officers of Fortune 500 companies. In 2002, with Cisco Systems, we founded the Thought Leadership Roundtable on Digital Strategies to bring CIOs together to talk about shared business problems. Over the past 5 years, security and trust have consistently been at the top of many CIOs' agendas, so as part of the I3P Research Consortium and through grants from the Department of Homeland Security, NIST, and the Department of Justice, we have been researching the challenges of information security in large, extended enterprises. For example, with the DHS funding we have been conducting workshops for chief information security officers and, driven by the key issues raised in those discussions, we have focused much of our attention on information leakage and inadvertent disclosure.

Today we examine a common but widely misunderstood source of inadvertent disclosure, peer-to-peer file sharing. In the next few minutes I will summarize the results of two of my research papers, one that is forthcoming and one that has already been published in a peer-reviewed scientific publication.

First, to illustrate the threat of P2P file sharing, we ran a set of honeypot experiments in conjunction with Tiversa. We posted the text of an e-mail containing an active Visa debit number and AT&T phone card in a music directory that was shared via LimeWire. We observed the activity on the file and tracked it across the P2P network. By the end of the first week, the Visa card had been used and its balance depleted. We observed its use through the account's transaction statement posted by Visa on the Web.
Not knowing the exact balance of the card, the users used PayPal and Nochex, both processors of online payments, to drain the funds from the card. Within another week, the calling card was also depleted. Examining the call records, all the calls were made from outside the United States into two U.S. area codes in the Bronx and Tacoma. This illustrates the threat both within and outside the United States. And even more interesting, long after we stopped sharing the files, they kept moving, continuing to new clients as they were leaked over and over again.

In our second study we examined bank-related documents we found circulating on peer-to-peer networks over a 2-month period. Focusing on the Forbes Top 30 U.S. banks, we collected and analyzed their user-issued searches and leaked documents. First we found an astonishing number of searches targeted to uncover sensitive documents and data. For example, a user-issued search for Bank of America database, Wachovia Bank online user ID, or CitiBank balance transfer. Now, keep in mind these were searches issued in music-sharing networks, not the worldwide Web. Such directed searches clearly illustrate the intent of finding some confidential information.

Next we examined thousands of bank-related documents circulating on the networks. Many of the documents were customer related, leaked by the customers themselves, such as statements, dispute letters, completed loan application forms. Typically these documents contained enough information to easily commit identity theft or fraud. We also found business documents leaking from the banks' employees and suppliers, including performance evaluations, customer lists, spreadsheets with customer information, and clearly marked confidential bank material. From our sample of banks, we analyzed tens of thousands of relevant searches and documents, and we found a statistically significant link between the leakage and the firm's employment base.
We also found that, for many firms, coincidental association with a popular song, brand, or venue represented another problem we called digital wind. Millions of searches for that song increased the likelihood of exposing a sensitive bank document. Either by mistake or by curiosity, these documents are exposed and sometimes downloaded to other clients, thus spreading the file and making it more likely to fall into the hands of those who will try to exploit it. For example, someone looking for a live performance from the Wachovia Center would likely find documents related to the bank. Likewise, the popular rap singer PNC creates wind for PNC Bank. Such digital wind increases the P2P security threat for many organizations. Thank you.

[The prepared statement of Mr. Johnson follows:]

[GRAPHIC] [TIFF OMITTED] T0150.052 through T0150.066

Chairman Waxman. Thank you, Mr. Johnson. Mr. Gorton.

STATEMENT OF MARK GORTON

Mr. Gorton. I would like to thank the Committee on Oversight and Government Reform for inviting me to speak today. My name is Mark Gorton, and I am the founder and chairman of LimeWire, LLC, the makers of the LimeWire file-sharing program. LimeWire takes the problem of inadvertent file sharing seriously. We strive to make the LimeWire file-sharing program clear and easy to understand. Warnings about inadvertent file sharing are displayed prominently on the LimeWire Web site. The LimeWire program contains a number of features designed to prevent inadvertent file sharing.
In the library tab, users can see which files are being shared and how many times each file has been uploaded. They can also turn sharing off or on on a file-by-file or folder-by-folder basis. Monitor and logging tabs on the LimeWire client also show which files are being uploaded. Users are given warnings when they attempt to share folders which are likely to contain sensitive information, such as the My Documents folder on Windows machines. A status bar is always present, which shows how many files are being shared, the number of files currently being uploaded, and the current upload bandwidth being used.

At LimeWire we continue to be frustrated that, despite our warnings and precautions, a small fraction of users override the safety default settings that come with the program and end up inadvertently publishing information that they would prefer to keep private. However, despite all the work that we have done, inadvertent file sharing continues to be a problem, so LimeWire is working on a new generation of user interfaces and tools designed with neophyte users in mind. These interfaces will make it even easier for users to see which files they are sharing and to intuitively understand the controls that are available to them. I have sent this committee a document entitled, Inadvertent Sharing Precautions and LimeWire, which provides a more comprehensive list of measures that LimeWire takes to prevent accidental file sharing. I also invite you to go to our Web site and download the LimeWire client and see for yourself how easy it is to see which files are being shared with LimeWire.

In addition to the problem of inadvertent file sharing, P2P networks are plagued by child pornography and copyright infringement. The Internet is a new technology which allows for many novel behaviors. Unfortunately, some of these new behaviors are detrimental to society.
The regulatory framework that surrounds the Internet has not kept pace with technical advancements, and currently no effective enforcement mechanisms exist to address illegal behavior on P2P networks. Internet service providers, ISPs, are a unique point of control for every computer on the Internet. Universities frequently function as their own ISPs, and a handful of universities have implemented notice-based warning systems that result in the disconnection of users engaged in illegal behavior who ignore multiple warnings. These universities have sharply reduced child pornography and copyright infringement on their campus networks. Similar policies could be mandated for ISPs in the United States; however, these policies are unpopular with telecom and cable companies who would prefer not to have an enforcement relationship with their paying customers. The telecom industry has objected vigorously to previous attempts to involve ISPs in the enforcement process, and it continues to oppose policies that would allow for the establishment of moderate yet effective enforcement mechanisms to combat illegal behavior on the Internet.

The only institution in the United States with the power to mandate the creation of an effective enforcement mechanism to police the Internet is the U.S. Congress. With the leadership of the U.S. Congress, a proper policing mechanism for the Internet can be established and the problems of child pornography and copyright infringement can be greatly reduced. Thank you.

[The prepared statement of Mr. Gorton follows:]

[GRAPHIC] [TIFF OMITTED] T0150.067 through T0150.068

Chairman Waxman. Thank you very much, Mr. Gorton. General Clark.

Mr. Boback. With your permission, Mr. Chairman, I would like to speak first prior to General Clark.

Chairman Waxman. Certainly, Mr. Boback.

STATEMENT OF ROBERT BOBACK

Mr. Boback. Thank you, Mr. Chairman. Good morning, Chairman Waxman, Ranking Member Davis, and distinguished members of the committee.
My name is Robert Boback, and I am the chief executive officer of Tiversa, the company that provided some of the information and data for Professor Johnson's study. I wish to extend my most sincere appreciation for inviting us to testify on this important and serious issue facing our country today.

First let me start by saying that I do agree with Mr. Gorton that the peer-to-peer is very powerful, and many members of the committee expressed similar concerns or similar statements, saying that the peer-to-peer is important and powerful technology, one of the most important in recent years for distributing the amount of user-generated content that is being delivered today.

First, let me start with some background on Tiversa to help you understand the problem. In 2003 Tiversa developed technology that will allow us to position ourselves accordingly throughout the various peer-to-peer networks, including Mr. Gorton's application of LimeWire, through what is known as the Gnutella network. In doing so, we were able to then view all of the available searches and information that is now on the network, so it is not limited to that of just LimeWire. In doing so--and this is what is most astounding to most individuals--we are processing 300 million searches per day. For perspective's sake, Google processes 130 million searches per day. This is a massive network with many searches issued worldwide.

If you think of Tiversa's technology in two buckets, our technology allows us to process all of the search requests, but we can also issue search requests in that same vein for available information, so as I testify we will break down the two: what are people looking for, in a sense; and what is out there to be had. As we were called to testify, I will address the consumer issue and the corporate issue and turn it over to General Clark to address the more serious national security risks associated with the Government issue.

Searches? So what are people looking for?
On this slide demonstrated on the side here--and I know it is small to see--in a brief window we actually took a look to see what are people searching for. And this will be submitted to committee members. There are thousands upon thousands of searches issued for credit card and CD numbers, banking information, account log-in password, very specific terms to find confidential, inadvertently disclosed information on these peer-to-peer networks. And this information is not only limited to that of the financial service industry, as evidenced by the next slide.

Medical information and medical identity theft is a rapid riser. This information has a lower security threshold than that of the financial information. Should someone question you about your medical information or getting a bill paid by the insurance, which most consumers would want, your likelihood to push back against that information or giving that information is much less than should someone ask you for your credit card information. If you think of a medical identity card or an insurance card, that is very similar to a credit card with a $1 million spending limit. Identity thieves seek these out, and they seek them out on the peer-to-peer.

So in saying that, what disclosures are out there? These individuals issuing these searches, what is there to be found? Federal and State identification, including passports, driver's licenses, Social Security cards, dispute letters with banks, credit card companies, insurance companies, copies of credit reports--Experian, TransUnion, Equifax, individual bank card statements and credit card statements, signed copies of health insurance cards, full copies of tax returns, as Mr. Issa clearly demonstrated for us, extensive electronic records of active user names and passwords for online banking and brokerage accounts, confidential medical histories and records. For the committee's review, we are going to submit a number of documents that have been redacted to show this.
One individual, as we find thousands of them, sharing their entire life, per se, of information, including their children's Social Security numbers, date of birth, all of their account log-ins and passwords. This individual put them on an Excel spreadsheet in an effort to organize their life and, unfortunately, lost this information. Another example is a doctor who performed a neuropsychological examination on a pediatric patient, a 9-year-old fourth grader, and then disclosed that information as he had a peer-to-peer client on his system, disclosing the entire confidential results of this pediatric patient with very sensitive information.

One thing that is interesting to point out with this doctor is that it is not the person that disclosed the information that is affected. In that case, the doctor disclosed on the patient; therefore, an obvious HIPAA violation. However, it is the extended enterprise. We are now in a wall-less society such that corporations can have the best policies and procedures and hardware measures to try to prevent this; however, in an out-sourced world we share confidential information with attorneys, with this committee, with auditing firms, with out-source partners, and they have to also have the same policies, procedures, and safeguard measures, and that is just not happening.

The searchable corporate documents are as prevalent as consumer-related documents. They can be highly targeted and very specific or general. The larger and better known the company and its brand, the more searches that will happen. It is important to note that existing security measures do not address this problem. That is an important fact. The current firewalls, anti-virus, the encryption services, the intrusion detection, the intrusion protection, it is not addressing this problem or we wouldn't see the prevalence that we are seeing.
Some of the corporate documents that we have found--press releases of publicly traded companies in markup found prior to their release, a clear SEC violation; patent work-up in markup; network systems related documents, including administrative passwords and user IDs to private corporate networks; clinical drug trials before FDA approval; countless legal documents involving ongoing litigation, business contracts, nondisclosure agreements, and term sheets; human resources; accounting. It is extensive, it is enterprise-wide, and it affects all levels of corporations, as we have had examples. We can provide thousands of examples of each.

One specific example is an out-sourced telecom provider which shared the entire wide area network of one of the largest, most recognized investment banks in the world. This information could be used by terrorists, by hackers across the world to loop--and what I mean by loop is they can reconfigure router configurations such that that wide area network would not function properly. This would significantly impact a greater than $50 billion company based in the United States here. Fortune 50 board minutes have been released, to where confidential board minutes talking about compliance issues have been released on this very network. The entire FX trading platform of a very large international bank has also been released.

More importantly, where it starts to hit to Government issues, there was a large Government outsource provider that did security threat assessments on various U.S. cities on the transit authorities for those cities. In that report they were given carte blanche access to the security measures of these various cities. Then they released the report inadvertently on the peer-to-peer. This information gives very precise information on where the bombs should be placed to have the maximum damage, where are the vulnerabilities in this city that could impact our national security.
A city hired this company in an effort to decrease the risk facing that city, and, unfortunately, it increased it several-fold, as individuals are able to access that information, which is an important point. In seeing the searches, we can tell you that people are accessing this information from outside the United States. It has been our research that this information does head to Pakistan. It does head to Africa. It does head to Eastern Europe. There are individuals outside the United States that are grabbing this information.

In closing, briefly on the screen we want to show you this is our technology running in real time, so as the system will bring up searches, these are people that are actually searching for and acquiring information. I know it is small and you can't read it, but we are going to provide larger examples to the Members. This is information that is currently, right now, in real time, being disclosed. Thousands of it, as you can see. This is inadvertently disclosed and sought-after information on these peer-to-peer. This is the new threat to information security. Just as 4 years ago we didn't understand phishing, we didn't understand viruses, we do now. I commend this committee for the opportunity to present this today. Thank you, sir.

[The prepared statement of Mr. Boback follows:]

[GRAPHIC] [TIFF OMITTED] T0150.069 through T0150.083

Chairman Waxman. Thank you, Mr. Boback. General Clark.

STATEMENT OF GENERAL WESLEY K. CLARK

General Clark. Good morning, Mr.
Chairman and Ranking Member Davis, distinguished members of the committee. It is an honor to come before you today to talk about a topic that is critical to our national security and to the safety and privacy of our Nation's citizens and companies. I want to commend Congressman Waxman and Congressman Davis and members of the committee for both bringing this issue back to light and for the work this committee has done previously to try to highlight the risk.

I want to just disclose now that I am an advisor to Tiversa, and in that role I do have a small equity stake in Tiversa. But my engagement here has just opened my eyes to activities that, if you saw the scope of the risk, I think you would agree are just totally unacceptable. The American people would be outraged if they were aware of what is inadvertently shared by Government agencies on P2P networks. They would demand solutions.

Now, Bob Boback has just explained what is out there on the corporate side. I have submitted some material for the record. Let me just summarize quickly what we found. As I was preparing for the testimony, I asked Mr. Boback to search for anything marked classified secret, or secret no-foreign. So he pulled up over 200 classified documents in a few hours running his search engine. These documents were everything from in-sums of what is going on in Iraq to contractor data on radio frequency information to defeat improvised explosive devices. This material was all secret, it was all legitimate. I called the chairman of the National Intelligence Advisory Board, who worked for Admiral McConnell, and shipped the information to him. He looked at it. He called NSA. NSA has it. They are now very seized with the problem, I think. But I think that the work of this committee has been a great assist in getting the agencies to look at this, because previously there have been contacts but we never have sort of engaged.
As the chairman of the Advisory Committee told me when he looked at the documents, he said, my goodness, they are in full color. Yes, they are the complete documents. They are not faxed copies, they are not smudged. They are just as fresh as if they were printed off on the computer printer of the organization.

Even more alarming, I got a call from Bob Boback on Wednesday night that he had found on the peer-to-peer net the entire Pentagon's secret backbone network infrastructure diagram, including the server and IP addresses, with password transcripts for Pentagon's secret network servers, the Department of Defense employees' contact information, secure sockets layer instructions, and certificates allowing access to the disclosing contractor's IT systems, and ironically, a letter from OMB which explicitly talks about the risks associated with P2P file-sharing networks. So I called the Office of the Secretary of Defense. I got the right people involved. They had some meetings on it. It turns out that a woman with top secret clearance working for a contractor on her home computer, she did have LimeWire, and somehow, I guess, she had taken some material home to work on it, and so all this was out there. This material was not, strictly speaking, secret. It was, I think, labeled FOUO. But it was certainly information that would be sort of a hacker's dream. What we found at Tiversa was that many people were queued up to download this information. This looked so interesting that they wanted it. So we don't know how long it had been out there. There is no way of knowing that. But we called the company and obviously we got it stopped as soon as we found out about it.

But these two examples illustrate the risks that are out there. Peer-to-peer file sharing is a wonderful tool. It is going to be a continuing part of the economy.
It is a way that successfully moves large volumes of data, and that is not going to go away, but it has to be regulated and people have to be warned about the risks, and especially our Government agencies--our National Security Agency, DOD, people that run the SIPRNet--have to take the appropriate precautions, because we can't have this kind of information bleeding out over the peer-to-peer network. Thank you, Mr. Chairman.

Chairman Waxman. Thank you very much, General Clark. Let me start off the questioning. It is really stunning to see what you can get on a real-time basis, the kind of information that is being viewed even during the time we are holding this hearing. But I want to go into this issue, General Clark, about classified national security secrets. You described that you were able to find the entire Pentagon secret backbone network infrastructure diagram using P2P networks available to millions of users. They also could find this. You have also said you have found other types of classified information such as--and this is not a complete list of what you reported to find: one, a document with individual soldiers' names and Social Security numbers; two, physical threat assessments for multiple cities such as Philadelphia, St. Louis, and Miami; three, a document entitled NSA Security Handbook; four, numerous DOD directives on information security; five, DOD security system audits; six, numerous field security operations documents; and seven, numerous presentations for armed forces leadership on information security tactics, including how to profile hackers and potential internal information leakers.

From a national security perspective, how significant is the information you were able to find? You indicated that this was from one person who had taken material home to use and to work from home, but they weren't classified but they were secret. Would this kind of information jeopardize our national security if it fell into the wrong hands?

General Clark.
Of course it would, Mr. Chairman. It is very significant information, and the kinds of information that you list are simply what we found. We put the straw in the water. But we could have put the straw in the water and asked for something else. We didn't ask for top secret. We didn't ask for code word or SCI. This morning we found a document that shows the status of people receiving security clearances for SCI. So there are all kinds of materials out there that are leaking out inadvertently. This is a major channel of communication, and we don't want to shut it down, but people just don't understand the risks when they put this information onto a computer that it is broadcast all over the world and it is being taken. So we need a real program that sorts through this that observes it and watches for these kinds of violations and shuts it down immediately. We shut down this woman's computer instantly as soon as I called the CEO and told him what was on it, but there is no guarantee that there wasn't something equally damaging on another employee's computer that we just hadn't programmed a search for.

Chairman Waxman. These are not Government employees directly, but more the contractors that might be using a P2P network?

General Clark. Right. These are contractors who work in the Pentagon. Most of our agencies have a mixture of Government, Civil Service, or Schedule C appointees working, plus they augment with contractors.

Chairman Waxman. Yes. Now, you indicated you promptly turned these documents over to officials in the intelligence community. Can you specify where you sent these documents?

General Clark. They were sent to the chairman of Admiral McConnell's National Intelligence Advisory Board.

Chairman Waxman. And what was their reaction? Were they aware of this risk to national security?

General Clark. They were aware of it in general, but they were not aware in specific, and they weren't aware, for example, of how to monitor it.
Again, I am not in this network now. I am a civilian and I am just in business, but my impression was--I have dealt with classified information all my life, and normally when you have a breach it is a pretty simple, clear-cut thing. You can pretty much trace it back to somebody making a mistake, carrying a document home, leaving a briefcase somewhere. Somehow it gets lost, turned in by somebody, and you can do a damage assessment on it. In this case, when the documents are presented, they are going to have to go to very elaborate measures to find out where the documents came from and who has actually viewed or downloaded these documents. It can be done, but they don't have the procedures in place to do it, so we are talking about opening up a new area of national security for document protection here.

Chairman Waxman. So until we do something along those lines, it is an ongoing national security threat.

General Clark. Right. What businesses are doing is they are having people screen the peer-to-peer space for their documents, and then it can be traced back normally to the source of that document, and then they can get the computer shut down or make the correction. And if it is done on a routine basis and it is up there all the time, hopefully the document doesn't leak very far. Apparently, we don't have that system in place yet in the U.S. Government, so we don't know what is really out there that is inadvertently leaked out in the peer-to-peer.

Chairman Waxman. And that is something the Government should do, not the P2P network?

General Clark. I don't think you can totally control it without observing it, so I don't think you can simply tell LimeWire and the other companies, change your software so this never happens again.
I think you have to have an active defensive monitoring program for Government documents on the net, just like investment banks are starting to add, or law firms, because there are just so many opportunities for this material to get out there that if you wait for the lawsuit you have waited too long.

Chairman Waxman. Thank you very much. Mr. Davis.

Mr. Davis of Virginia. Let me ask, my first question is: we are focused really on privacy protections, proprietary information, secret information leaking out. But conceivably, if the wrong people got in through peer-to-peer into Government files, could it lead to a cyber Pearl Harbor? General Clark, do you have any thought on that?

General Clark. This material obviously poses risks, because there are opportunities here for hacking, for covert entry, for inserting programs inside routers and servers and other things, all of which are very damaging. Now, we can't tell you at this moment who took the information on the secure Internet. We can do some detective work on it and we may find it, but at any given point a computer, an innocent computer, supposedly, let's say in Ghana, could have downloaded this information, printed it, and themselves then had it carried as a document, so you would lose the trail at that point.

Mr. Davis of Virginia. Mr. Mintz, let me ask you, could conceivably the wrong people get inside the files at your Department? Could they take control? Is there a way that they could do that?

Mr. Mintz. Well, certainly if people got access to information, password information or something like that, it would be possible for them to get in. Typically, within our own network we are able to stop this kind of activity fairly quickly. The problem, however, is the release of information that would go out would be the greater problem, I think, for us. They'd be able to get access to information we don't want them to have.

Mr. Davis of Virginia. Well, let me ask you this, if you know.
FISMA guides agency information security postures. In the context of Federal agencies, should we address these issues then under FISMA?

Mr. Mintz. The issue of the peer-to-peer?

Mr. Davis of Virginia. Yes.

Mr. Mintz. Peer-to-peer, in fact, is a requirement of the FISMA report. There is a part of it that we have to respond to what we are doing with peer-to-peer activity. It certainly should be an important part of FISMA. What we found here also, I think, beyond just the technologies I mentioned, there are two issues that I think we have to look at. One is what do we do in terms of training to make sure that people are paying attention to these issues, because often the use is home computers, not just the use in the system. And the second is to emphasize the need to audit. That is, we do a lot of times, I think, what I call policy on the shelf. We put together a lot of the policies, but what is it we do to make sure that the policies are actually being followed and paid attention to? So we needed some kind of an auditing process to go back and check to see that.

Mr. Davis of Virginia. Let me ask Mr. Johnson and Mr. Boback, what portion of the volume on file-sharing programs is basically music and video sharing?

Mr. Johnson. In terms of just the sheer size of the files, video content makes up a huge fraction of what is moving out there, video and other media.

Mr. Davis of Virginia. Any ballpark?

Mr. Johnson. Documents are just a tiny fraction, because they are so small, but there are many of them, but a document is so small compared to a music file or a video file.

Mr. Boback. Sir, in our research we found that MP3s are actually 38 percent of the information that we have found. We are not talking just document size, as Professor Johnson mentioned, kind of skews the data, but we are also talking just in the number. So MP3s are 38 percent, MPEGs, which are movies, are another 19 percent in our research. But, again, this is irrelevant of the size.

Mr. Davis of Virginia.
Right.

Mr. Boback. Just the number.

Mr. Davis of Virginia. How much of this activity comes from overseas actors? Any evidence of any state-sponsored activity in these areas, seeking classified or proprietary information from file-sharing networks?

Mr. Boback. We have found information, classified information, from multiple foreign governments. What we can testify to is that there are multiple foreign entities that are actively using the peer-to-peer to issue what we would say are illicit searches. If someone were to issue a search for, as General Clark mentioned, Sipranet, and that search originated--which one just recently happened--out of Ghana, West Africa, that should be an area of concern to the U.S. Government. As Professor Johnson testified, that is a Sipranet search being issued on a file-based network most notably known for movies and music. Why is that search being issued from Africa? As to who issued that search, we can target back to an actual IP address, but, unfortunately, I cannot, without further investigation, get to an individual.

Mr. Davis of Virginia. Thank you.

Chairman Waxman. Thank you, Mr. Davis. Your time has expired. Mr. Cummings.

Mr. Cummings. Thank you very much, Mr. Chairman. I want to go back to something Mr. Waxman said to you, General Clark, about the threat to our national security. As a member of the Armed Services Committee and as chairman of the Coast Guard Subcommittee, we go into a lot of classified briefings. I look at what we go through. You have to sign the documents, you have to swear that they will never mumble one syllable. And then to find out that this kind of information is out there is frightening.
When you talk about, for example, the schematic of a city and the threat level, and then we think about this report that just came out about Al Qaeda trying to do things in this country, the idea that, in the hands right now of somebody who wants to do some harm, they have the necessary information to effectively--and this is some serious stuff. In the past we have heard about them taking pictures of the World Trade Center and things like this. What we are saying here, if I understand you correctly, it is quite possible that they actually have the information to be most effective and efficient in bringing hell to this country. So I guess what I am thinking about, General Clark, you said something, and the chairman took you a little farther down the road. I want to bring you back. It is one thing to find out who got the information. It is one thing to find out who is searching for it. It is another thing to know what is already out there. See, that is what bothers me. I mean, it sounds like, Mr. Boback, you all want to work with the Government and try to figure out how we can address these issues, but a lot of stuff is out there and it seems to me that this is something that would call for the utmost urgency or we may find ourselves sadly in a worse situation than 9/11 because now they may have the kind of information that they could do a whole lot of harm. Again, from the national intelligence estimate report, they talked about how Al Qaeda is trying to find all kinds of ways that we might least expect to bring massive harm to our country. I just want you to comment on that. And what can you all do? I mean, if I am looking at this on C-SPAN, I am asking the question, all right, I have heard all of that. Now, what can we do to make a difference? What can the companies do? And the other thing that we have to keep in mind is not everybody is sophisticated in all of this computer language as you all are. 
So I am just wondering can you just help me with that, or anybody else.

General Clark. Well, first of all, Congressman, I think your statement of the urgency of the problem is accurate. I think it is an urgent problem. We do not know what is already out there. In the case of the information on the city vulnerability, of course, we immediately contacted the contractor and the city and so forth. They denied the problem. They don't understand what has been leaked. So the first thing we need is some pretty hard-nosed policies about businesses and Government contractors that simply prevent people from doing Government work on computers that have anything to do with the P2P network and have LimeWire or any of the other file-sharing information on it. Even when people are sophisticated and understand LimeWire and are sophisticated with computers, they can still make a mistake and all that material could be gone in an instant. The woman who had the Sipranet backbone was an experienced woman in IT infrastructure. That was her specialty in the Department of Defense. Yet, she had inadvertently broadcast it.

So I do think that it is an urgent problem. I think that strong policies can help. I think a dedicated search effort needs to be run on some of the key sensitive items or sensitive terms. Tiversa is in discussions with the Department of Defense and National Security Agency now to try to start doing it. But the horse is out of the barn, and unless we have some specific key words that we want to follow, it is almost impossible to know what could be out there. Anybody who wrote a draft of a secret document at home, brought it into the office on a hard drive, loaded the hard drive in, prepared it in the office, took it back and worked on it at home in the hard drive, and his daughter uploads the music-sharing program, that document could be out on the Internet. So there is just no way of knowing everything that is out there right now.
What we do need is, as soon as possible, an active monitoring program, and we need a greater awareness and the right policies in place in our Government agencies.

Mr. Boback. Mr. Cummings, I think you are spot on on the process that you suggested. First, we do need to assess what information has been disclosed across the board using specific terms that are provided by the various agencies of information that they are interested in protecting. We also need to know where did that information go, who has it, and what are their intentions. If I may, early on in Tiversa's history we actually provided information. We saw an individual searching for pictures of the President's daughter, not that specific. Then they issued a same search that said pictures of Air Force I. Again, not that impactful. Then they issued a very specific search that said active White House security force, which obviously prompted our concern and said what is this person looking for. We file shared with the individual to say, what other files do you have? Let's download some of the files that they have actively already downloaded. The person had, I believe it was 47 files of sniper, sniper training, sniper tactics, avoiding police investigations, extensive training in sniper tactics. We immediately alerted the U.S. Secret Service. The Secret Service actually showed up at my doorstep 6:30 in the morning to retrieve this information, and we were able to locate the individual. When the Secret Service found this information that individual was 55 miles away from the Crawford Ranch. Criminals are using this information today. We need to find what is out there. We need to find it right now.

Chairman Waxman. The gentleman's time has expired. Mr. Issa.

Mr. Issa. Thank you, Mr. Chairman. I know we have piled on pretty good on all the things that can happen, and I am just going to pile on a little more quickly and then ask a couple of questions.
I think it is humorous that I have in front of me Charles Fuller's Alternate Pistol Qualification Course. This is a Tradoc document, Wes. He got 132, 33 hits out of 40, so he is pretty fair. That could be humorous. Now, a little like that other document, I have Mike's credit cards and accounts, including all the passwords. I can't even redact this and turn it in for the record, because all you would have is staples followed by everything redacted. A MasterCard, AMX. Everything redacted. It is exactly that. It is everything that you want to keep secret. I don't know whether it was Mike that messed up, or Mike's son or daughter, but it happened. This one I am not going to turn in for the record, but I will be contacting the 101st Airborne Division Air Assault, because I have 20--and I could have had 200--records of orders. Clearly, this was not an individual. This was an asset that either had directly or indirectly permanent change of station and other orders, each one with Social Security number, name, rank, and date on it. I guess the kids don't actually come in on Saturday into the commanding officers' office and download LimeWire, but maybe somebody did it. There is an elephant in the room, and I figure we have all missed him, so, Mr. Gorton, I want to talk to you for a moment. You know, we have been talking about you and we haven't given you a chance in the Q&A, so I am going to give you that chance. Last year we held hearings on steroids and we put Major League baseball players where you all are. You are all handsome, but you don't quite--except for you, actually. Nobody else up there looks like a current baseball player. At the end of it all, professional baseball banned steroids and made it very harsh to use them. We are here today talking about the defaults on your software--essentially, just hit enter, enter, enter--making all these things happen, or be able to happen. 
Do you feel any obligation today that you should change your defaults to secure, secure, secure as a result of what you are hearing here today?

Mr. Gorton. I think right now the defaults are secure. So if you just go hit enter, enter, enter using LimeWire you don't share any files and there is no information that would be on your computer that would be made public to anybody. Now, I think what you have here is a situation where people override the safe defaults and end up disclosing things that they didn't mean to disclose, and clearly that happens more than it should. I had no idea that there was the amount of classified information out there or that there are people who are actively looking for that and looking for credit card information.

Mr. Issa. Now that you are aware of it, the first question I am going to ask briefly, because I will run out of time pretty quickly, is, are you prepared here today to say you are going to make significant changes in the software to help prevent this in the future?

Mr. Gorton. Absolutely. And we have some in the works right now. It seems like, as far as I can see, there are two big categories of things that we can do. One of them addresses how people share directories and folders. I think probably a lot of the information that gets out there now is because people accidentally share directories that they wouldn't mean to share. We have warnings in the program that currently warn people when they try and share directories that they shouldn't be sharing. Clearly, those warnings are not enough, at least in a handful of cases.

Mr. Issa. Let me ask you a final question, and others may answer it also. We did not heavily weight today's panel with lawyers, but many of us on this panel up on the dais also serve on Judiciary.
Would it surprise you if you have a string of lawsuits for inherent defect in your product if people like Charlie Mueller of Missouri--I will say no more--finds out that he has lost his IRS filings and finds he has been damaged? Would it surprise you that you would be potentially not dismissible in tens of thousands or hundreds of thousands of venues around the country for your software, even inadvertently, but in their opinion being defective, you know, causing these releases? Would that surprise you?

Mr. Gorton. LimeWire has always tried to make the program clear and easy to understand for users. I think it works for the vast majority of users. There is clearly a minority who make mistakes using the program, and those mistakes can have consequences more serious than I ever imagined. So we want to work to fix that. I mean, I am not a lawyer and I honestly can't tell you the legal answer to the question you asked.

Mr. Issa. Well, I will tell you, and then I will return the balance of the time, but I would not be surprised that, not only on the part we are not talking about here today, which is all of the proprietary music and video that is being downloaded by people who may not have been properly warned by your software that they were violating copyright laws in essentially publishing this, but also in these people who feel they have been damaged. I would hope today that you are sincere in what you are telling us, that very quickly you are going to make each and every change and encourage your industry to, because with what we got in a quick scan it is not anecdotal. This is not once in a while. This is happening, I am going to guess, more often than not by your users. I yield back and thank the chairman.

Chairman Waxman. Thank you, Mr. Issa. Mr. Tierney.

Mr. Tierney. Thank you, Mr. Chairman. I thank all of the witnesses for testifying here today.
I think it is apparent to someone like myself, who is not all that computer savvy, that this is a problem that can affect every type of computer. It is important to families who could disclose financial information and other personal matters, families, businesses, and goes right on down the line. So is this a matter of people just carelessly using their computers, or does it go to even more sophisticated people who are experienced on this who have also been affected by it? Mr. Boback.

Mr. Boback. Thank you for the question, sir. It is experienced users. It is not just careless users; however, careless users do play a role. It is also important to note that it is not only LimeWire, that Tiversa has evaluated over 200 applications. LimeWire is just one of over 200, most of which are not U.S.-based and will not follow U.S. law. So I commend Mr. Gorton for coming forth today and doing that. However, the problem is widespread across the network. Again, it is not just the inexperienced user.

Mr. Tierney. Mr. Gorton, do you share that perspective?

Mr. Gorton. I have to say I am probably a little less informed on this issue, in some ways, than Mr. Boback, because he is searching the network looking for this stuff. He probably has a better grasp on that. I think I have always felt that it was inexperienced users who didn't know what they were doing; however, when you see documents coming from people who specialize in computer security about military documents, it really makes you think twice. My first job after grad school was working at Martin Marietta, where I worked with classified information. We had very tight protocols as to which computers you could use information on and who was allowed to use those computers. The fact that classified documents are ending up on home computers I think is a little disturbing and that is sort of a separate point. It is surprising to me that professionals in this field would do that sort of stuff.

Mr. Tierney.
I am going to ask a question. I would ask each member of the panel to answer briefly, if possible, from right to left. Can we legislate policies that will positively impact this situation? Or is there something different that Government agencies should do to protect at least the Government information? And how do consumers protect themselves? Maybe, Mr. Sydnor, we will start with you and move right along.

Mr. Sydnor. Can this problem be legislated away? Probably not. As Mr. Boback indicated, there are peer-to-peer applications that have developed overseas. They are available over the Internet. Some of the developers are beyond the reach of U.S. law. Could legislation be part of a solution? Certainly. One of the problems that we documented in our report, the trouble with them is a lot of them were identified very, very clearly, spelled out specifically in the 2002 study that led to this committee's 2003 hearing, and those lessons have not been learned. Some of the problems that still exist in the programs are exactly the problems that are documented in that study. Self-regulation certainly had a chance to work and has not been entirely effective.

As far as how consumers can protect themselves, I believe Mr. Boback might be able to speak to that. In doing the study, we tried to look and think about, if you wanted to keep these programs off your home computer, what would you do. The short of it is we really did not think there were great answers that would be particularly accessible to a normal home computer user. So, for example, I do understand that this is a serious risk. Is there anything I can do at the moment to keep somebody from signing one of these on one of my computers? Not very effectively. If I try to use very locked-down settings on the firewall, it will not prove to be practical on a day-to-day basis.

Mr. Tierney. I'd like to jump to Mr. Boback.
I am sorry to interrupt, but I will skip all the others after saying I was going to ask everybody, but since you were mentioned, Mr. Boback, what do you think about that? What is a consumer to do?

Mr. Boback. As we recognized this problem several years back, we started to extend our services that we provide to the largest corporations in the country. We wanted to try to develop a product that would protect consumers from this inadvertent issue. So we actually just launched a product that we call File Detector. What File Detector does is it causes an ink stamp of the drive, itself. In layman's terms, it causes a marker to be put in each individual file such that the user now cannot be duped. And when I say duped, I mean that with respect to Mr. Gorton. They cannot be tricked or an executable cannot be acted upon that computer that will allow a shared folder to be shared. So we constantly monitor the network, but if I can access your My Documents file, for example, if I can access that file that I put in there without seeing any other information that the individual has, then that system is now subject to inadvertent file sharing, so we are now offering that product, as well. We just started to offer that to consumers. It is an extension of our product to corporations.

If I may, legislatively, the legislation should be enacted to protect this Government information, particularly on Government computers, particularly the classified information. That information can be scanned. We can provide it globally. Other systems can also look at this information, but we see the puzzle in its entirety rather than looking at a piece, which is why most corporations don't understand this problem. They make assessments and audits looking at one piece of a one thousand piece puzzle. We have the entire puzzle put together and can make very accurate assessments associated with it.

Mr. Tierney. I yield back, Mr. Chairman.

Chairman Waxman. Thank you, Mr. Tierney. Mr. Cooper.

Mr. Cooper.
Thank you, Mr. Chairman. The title of this hearing is Inadvertent File Sharing. It is important to remember that intentional file sharing is probably the backbone of this entire industry. In representing Nashville, TN, I probably have more victims of this theft of property than the representative of any other District, with the possible exception of the Los Angeles or New York areas.

Mr. Gorton, you strike me as one of the most naive chairman or CEOs I have ever run across. As Mr. Sydnor pointed out, most of these problems were disclosed and available years ago. The FTC has brought some significant enforcement actions and succeeded, and yet--and I hope you don't have a family, because if you do some of your own personal information may have already been in danger, although you probably have taken appropriate defensive measures yourself, since you must be a software expert. But it strikes me as an odd situation where you essentially are in the business of making and distributing skeleton keys, and Mr. Boback will help everybody buy new locks, and then, with your business plan of remaining one step ahead of the law, then you will probably make and distribute burglar tools, and then Mr. Boback or someone else will further improve the locks. So we are going back and forth. You call for regulation, saying that Congress is the only entity with the power to step in here. I think it has already been established that there are hundreds of companies from outside U.S. borders that we do not have legal jurisdiction over, so it is going to take more than congressional enforcement, new laws, to try to solve this problem. If I were you--and obviously I am not--I would feel more than a shade of guilt at this point for having made the laptop a dangerous weapon against the security of the United States.

The 9/11 Commission reported that the central failure was a failure of imagination. Mr. Gorton, you, in particular, seem to lack imagination for how your company and its product can be deliberately misused by evildoers against this country. Imagine someone downloading the material necessary to go after the President of the United States's daughters. You just didn't know. Members of this committee, as Mr. Issa has already pointed out, have been able to download, themselves, unbelievable information, and you didn't know. Well, I hope you care, because this is an abuse. The Internet is a shining, wonderful technology, and to have this pollution be so easily available--and remember, the business plan of many companies is to promote illegal copyright infringement. Today we are just talking about inadvertent use of peripheral problems. So it is such a shame that we are not using the productive minds of this country to have cleaner, better uses of this fantastic thing. I appreciate your bravery in being willing to testify today, but, as Mr. Issa pointed out, I would think you would be the target of multiple suits at this point, as you helped produce the skeleton keys, the enabling software, to do a lot of damage, including to the security of this Nation. I would be delighted, with my time remaining, to give you a response.

Mr. Gorton. Well, I guess there are several points you made there. First of all, I absolutely want to do everything in my power to fight inadvertent file sharing. I am sorry to say that I didn't realize the scope of the problem. You say I lack imagination. Perhaps that is true. But this sort of series of events, I didn't have the imagination to imagine that computer security experts from the Government would be publishing their information publicly. But I do want to combat the problem and I do want to be part of the solution. As to the copyright infringement that you pointed out, copyright infringement is clearly a problem on peer-to-peer networks.
The solution that I am advocating, which involves regulating the ISPs, is one that cannot be circumvented by foreign software makers, because every computer in the United States is connected to a domestic ISP. There is no such thing as a fly by-night ISP. They are all very large companies with large capital investments and wires in the ground and things like that. They are all subject to U.S. regulation. If it was the policy of the United States that those ISPs could not keep connected to their network computers engaged in illegal activity, then I think you would see that consumer behavior would change rather rapidly, because I think P2P is a great technology, and I am pleased a number of people here have said that. But clearly we have a way to go before the good parts of the technology stand alone without the bad parts standing so tall next to them. I want to come here, because I have thought a lot about this problem. Clearly, there have been previous solutions before. There has been action in the courts, and we have certainly had talks with media companies and things like that. Generally, in my talks with people who are performances engaged in this topic, I have found them not to have a sense that this is a solvable problem. Generally, most of the people I have met sort of feel like this is a hopeless problem, and it is not a hopeless problem. It can be solved. I would be happy to talk to anyone about that. I think I have laid out the bare bones of my ideas already. Chairman Waxman. Thank you, Mr. Cooper. Mr. Hodes. Mr. Hodes. Thank you, Mr. Chairman. This hearing has been particularly disturbing to me. I am not in the computer field. I have used computers a long time. I am now thankful that, although I have been involved in the media and entertainment industries, I am a dinosaur and I have not engaged in P2P file sharing, and so I am thanking my lucky starts that I simply haven't had the time to put myself at that kind of risk. Mr. 
Boback, would you comment on the suggestion that regulation of ISPs is the way to solve the problem we have been facing today? Mr. Boback. We looked at that as a solution as we found this early on, as well. One of the problems with implementing an ISP solution is that the amazing amount of traffic that has to go through these systems, if you were to put a hardware device at the ISP, that would create a choke point and information would have to be analyzed at the ISP. It would, in turn, slow down usage across the network, slow down. The reason why Mr. Gorton testified that users don't want that is because users want increased speed. They don't want decreased speed. They don't want the pictures to slowly load back to dial-up. Solving at the ISP is not--we want to solve it at data at rest, not data in transition, trying to catch it as it passes by on a freeway and snatch it off. We want to find it where it is at rest and keep it at rest, where it should be. Mr. Hodes. Ms. Engle, in 2005 the FTC staff concluded that P2P file sharing, like many other consumer technologies, is a ``neutral technology which risks result largely from how individuals use the technology rather than being inherent in the technology, itself.'' I suppose, based on what we have heard today, compared to a time bomb, you are right. It is a neutral technology. Does what you have heard today change your view about the inherent risks in P2P networks? And does it give rise for you to any thoughts about what you ought to be doing to help cure the issues we are discussing today? Ms. Engle. It is certainly true that P2P technology causes these substantial risks about sensitive data getting out. We have certainly seen that there is a lot that individuals and businesses and the Government can do to better secure their data. We have all heard about lost or stolen laptops, for example, that have left very widespread breaches. 
That having been said, the PTO report raises some very difficult, serious questions about the design of the technology which has not been previously brought to our attention, and we are looking at it very closely to see whether further FTC involvement in this area is appropriate. Mr. Hodes. Thank you. Mr. Mintz, because you are the CIO at a Government agency, I want to direct the next question to you. It sounds to me--and from some of the other hearings that I have been part of, for instance, I'm part of the Subcommittee on Information of this full committee--that Government agency protocols may not be adequate at least to begin to address the problems we have been facing today. Do you think that current Government agency protocols which are designed to prevent inadvertent P2P file sharing are in place? Do they need to be beefed up? If that is so, what is the touchstone? Where is the central place to go to make sure that, throughout the Federal Government, we are dealing with this at our agencies? Or is it a matter of legislation from Congress? Mr. Mintz. I would say that the place that I would look in terms that the biggest issue is--I think Congressman Davis talked about this--the FISMA report and making sure that this review process looks at this technology. In terms of policy, we have what we need. I am not saying we do it right, but we, in fact, have peer-to-peer policy in place. We have as policy you are not supposed to use it on any computer that has Government information on it. One of the challenges we have, particularly with people working at home so much, is that people don't always pay attention to it. So the question is: what is the kind of oversight that we have to put in place? And perhaps the oversight on us to make sure that we are really pushing the policy as opposed to just putting it on a piece of paper. But we have enough authority right now to take care of the network, in terms of our own networks and the employee use. Mr. Hodes. Thank you. 
I see my time has expired. Thank you, Mr. Chairman. Chairman Waxman. Thank you, Mr. Hodes. Mr. Welch. Mr. Welch. Thank you, Mr. Chairman. Mr. Boback, the sensitive national security information that you mentioned, General Clark testified to, that was picked up off of LimeWire? Mr. Boback. That was picked up off of multiple peer-to-peer applications, one of which was LimeWire, yes. Mr. Welch. OK. Mr. Gorton, do you have any knowledge about how much usage of LimeWire involves people getting sensitive national security information? Mr. Gorton. No. Most of what I know about that I have learned in this room today. Mr. Welch. How many subscribers do you have? Mr. Gorton. There are, on a monthly basis, about 50 million users of LimeWire. Mr. Welch. And what is the purpose for which most subscribers go to your site? Mr. Gorton. To share files. Mr. Welch. Well, I know that, but the nature of the files. Mr. Gorton. Most of them are media files. Mr. Welch. They are what? Mr. Gorton. Media files. Mr. Welch. Media as in music? Mr. Gorton. Music and video. Mr. Welch. And what percentage of your subscribers would be getting music files? Mr. Gorton. I don't have those numbers. I mean, the ones that Mr. Boback had earlier sound approximately right to me. Mr. Welch. Wait a minute. How long have you been in business? Mr. Gorton. LimeWire was started in 2000. Mr. Welch. And I assume that you do analytical work to determine how your business plan is working? Mr. Gorton. No. I mean, we don't do any analysis of what goes on on the network. We make a piece of software and we distribute it. So I have a general idea of what goes on on the network because I read the papers and I talk to people, but we don't have any analytical---- Mr. Welch. It is not relevant to you why more people might be coming onto your system or less, depending on how your system is operating? Mr. Gorton. 
I mean, we make a great effort to make the LimeWire program easy to use and clear to understand so that our users have a positive experience. Mr. Welch. But I was looking for an answer to the question. Mr. Gorton. And what was the question? Mr. Welch. The question is: how many of your subscribers go on there for music? Mr. Gorton. I mean, like I said, I don't know specifically, but, you know, he said 38 percent of the files were MP3s. That sounds plausible to me. Mr. Welch. We have some data here that says in January 2005 your market share was about 21 percent. This is people looking to get music downloads. Does that sound about right? Mr. Gorton. That is 21 percent of what? Mr. Welch. Households. Mr. Gorton. So 21 percent, that could be correct. Yes, that sounds---- Mr. Welch. And it is now up to about 75 percent. Mr. Gorton. That sounds a bit high. I mean, 75 percent of households? Mr. Welch. That are looking for music downloads, get their music downloads through LimeWire. Mr. Gorton. I mean, LimeWire is the most popular file-sharing application in America. Mr. Welch. Music file sharing? Mr. Gorton. Well, all types of file sharing. Music is a large use among that. Mr. Welch. Let's get to the point here. I mean, the main reason people go to LimeWire is to get music. Mr. Gorton. Certainly one of the biggest, yes. They also get videos. Mr. Welch. Is this a complicated question? Do they go there for music or---- Mr. Gorton. Yes, they go there for music. Mr. Welch [continuing]. National security data? Mr. Gorton. Hopefully not for---- Mr. Welch. What is so hard about this question? Is it national security or is it music? Mr. Gorton. The only thing that competes with music is video. Mr. Welch. All right. Are you familiar with the Grokster decision? Mr. Gorton. Yes. Mr. Welch. June 2005. Mr. Gorton. Yes. Mr. Welch. And you, I am sure, are aware that you went from about 22 percent, 23 percent, to 75 percent of market share after that, correct? Mr. Gorton. 
It actually happened before the decision. Mr. Welch. Started to go a little bit before. And do you know what happened? Some of your competitors are Imesh, BearShare, Kazaa, correct? Mr. Gorton. Yes, or used to be. Mr. Welch. All right. And, subsequent to the Grokster decision, they installed filters in their system, correct? Mr. Gorton. Yes. Mr. Welch. Making it impossible or very difficult for individuals who are seeking to get music, infringing without respecting the copyright, to do so, correct? Mr. Gorton. Yes. Mr. Welch. And have you installed the same type of filters at LimeWire? Mr. Gorton. Yes. At LimeWire we have built a filter that allows copyright holders to flag specific files as---- Mr. Welch. I am going to ask you a favor. Mr. Gorton. OK. Mr. Welch. I am going to ask you to answer the question I asked---- Mr. Gorton. Yes, we have a filter. Mr. Welch [continuing]. Not the question that you would like me to ask. Mr. Gorton. Yes, we have the filter. Mr. Welch. It is a little bit more. You have offered, if I understood your answer, to permit an individual, if I go on to LimeWire, to opt into the filter, correct? Mr. Gorton. Yes. Mr. Welch. And your competitors, they have installed a filter at the site; yes or no? Mr. Gorton. When you say site, I take it, I mean, the file-sharing programs are not Web sites, so---- Mr. Welch. They have a filter, so if I ask for a particular song it will be blocked when I go to BearShare or Imesh or Kazaa. Mr. Gorton. The functioning of the LimeWire filter is substantially similar to that of other file-sharing companies. Mr. Welch. But it is elective. I, the user, have to say I want that filter? Mr. Gorton. Yes. Mr. Welch. But the other competitors, after the Grokster decision, they have installed it so it is not an election, right? Mr. Gorton. Yes. Mr. Welch. All right. And that is a modest difference. 
If I am a person who wants to get music in violation of a copyright, and I am offered the opportunity to not get it when I go seeking it, most of the time I will probably ignore the offer that you have given me. Chairman Waxman. Mr. Welch, your time has expired. Mr. Welch. Mr. Chairman, I thank you. I just find that there is an interesting inter-connection between teenage music and national security. Chairman Waxman. Thank you. Mr. Yarmuth. Mr. Yarmuth. Thank you, Mr. Chairman. It occurs to me, Mr. Chairman, that after today's hearing we may have found an alternative to subpoenas in trying to get information from the administration that we haven't been able to get. [Laughter.] Mr. Sydnor, the PTO report design is long and detailed and very technical. I would like to cut through some of that and ask you a very simple question: do you think that users that download P2P software applications are being tricked into sharing files that they would not ordinarily share? Mr. Sydnor. Yes. They are inadvertently sharing files they do not intend to share. In the report we attempt to explain why, although the user does not intend that result, that result may have been intended by others. That is not a question we purport to be able to answer based on the publicly available data that we were able to review. But the short answer is yes, people are making catastrophic mistakes with these programs. Although we have focused today on perhaps the most high-profile incidents, it is all too important to note, as was just discussed, a lot of the files that are traded over these networks are copyrighted. If people are inadvertently sharing copyrighted files, they are violating the law and they are setting themselves up for an enforcement lawsuit. That is also a very important part of the problem, and people who do not want to be distributors of pirated goods on these networks should be able to make that choice and have it be very easy, and right now it is simply not. Mr. Yarmuth. 
Maybe the answer is obvious, but explain the benefits of tricking users in this way. Mr. Sydnor. Well, that was the question that sort of prompted us as we began working on the report, because it was just stunning to see that, after this committee's 2003 hearing, features that really are incredibly easy to misuse--you can go to an interface and use programs that look like you are doing nothing except choosing a place to store files, like you are using the Save As button in Microsoft Word, and you end up sharing recursively all the folders on your computer. Very easy to make a catastrophic mistake. The problems were very well documented. This committee called additional attention to them. Yet, they persisted. That type of feature we found in four out of five programs that we looked at after this committee's hearing, after usability and privacy, and that led to the question why would anyone continue to do this. In trying to think about why someone might do this if they knew or really should have known that this was going to cause problems, why would you keep doing this? The only thing that we could see is that if people make mistakes with these--we call them share folder features--what they tend to do is they are trying to store files in a place that will be easy to find. They pick either root directory C or My Documents folder or maybe My Music. You pick any of those three. You pick your root directory, you share the whole hard drive. You pick My Documents, you will share all the data files you care about. You pick My Music, you will share all your entire collection of audio files that you may have ripped from lawfully purchased CDs. In each case, though, in addition to all your personal data, you will also share My Music. The access, as Mr. Gorton mentioned, to media files, there is also a My Media folder, subfolder of My Documents. That is driving traffic on these networks. That seemed to us to be a possible explanation for why this conduct continues. 
It would have catastrophic consequence for users, but it would also put more infringing files on the network. Thank you. Mr. Yarmuth. Thanks. Mr. Gorton, do you share Mr. Sydnor's analysis? Do you have another perspective? Mr. Gorton. Yes. I think my perspective is maybe a little bit more benign. I don't think there are sinister motives behind this. I mean, I can certainly speak for ourselves. I mean, we have been trying to build a program that is easy for consumers to use that allows them to share files. In the case of the root directories, the C directory, and the My Documents directory, LimeWire pops up a warning that says, you know, be careful, you could share confidential information, when they try and share those folders. So we recognize that this is a problem. We try and warn consumers. Clearly, some people are not paying attention to our warnings, and we need to do a better job of making it very, very, very difficult for users to accidentally share files. But I think there is a difference in opinion that probably has more to do with motive than the result. Chairman Waxman. The gentleman's time is expired. Mr. Sydnor. If I could clarify one point? Chairman Waxman. Yes. Mr. Sydnor. It is not accurate to say that if users share a sensitive file like My Documents or documents and settings that they will share all the files of all the users of the network, that they will get a warning indicating that they are doing something that could be dangerous. There are three different interfaces in LimeWire that can share folders. One of those, the most obvious, is, of course, the sharing interface. If the user happens to be in that interface and they happen to try to share a folder like documents and settings, they will receive a warning saying, this folder may contain sensitive information, do you want to share this folder? If they are in one of the other interfaces, they won't receive any warning. They won't receive that warning. 
So from the LimeWire library you can share documents and settings. You won't get a warning of any kind. The warning that they get doesn't provide them critical information, because it says, do you want to share this folder? I can look in My Documents and settings, and there is a documents and settings folder on my computer, there is no sensitive information in it. No sensitive files. But what I am not being told is I am not going to share just this folder; I am going to share all of the folders that are subfolders of it. This is a problem that was documented in the usability and privacy study that this committee highlighted in its 2003 hearing, and it is still going on. Chairman Waxman. Thank you, Mr. Yarmuth. Ms. Watson. Ms. Watson. I want to thank you, Mr. Chairman, and all the witnesses. I know that as we create more and more higher technology, there is always a way to use that technology in a cynical way. I represent Hollywood, and we also have here in Congress a Protection of Intellectual Property Caucus, because, as you know, our creative works are every day taken and duplicated around the world. I am just fascinated when I go into a foreign country how our products are sold for such little money and the profit never gets back to the creators. So as we develop this technology so that peers can share with each other and it can be done quickly--you know, we are in a hurry in this country, and it is spreading around the globe. We want information immediately. We create holes and glitches. We saw the results of the computer codes where 19 million veterans' Social Security numbers were stolen. We saw 2.2 million active duty military personnel information that was part of this data exposed; 1.1 million active duty military personnel had their names, Social Security numbers, and birth dates in this data base, and that was some way taken. So we have some real, real holes and glitches and problems that we must address. 
We have held hearings, and there is technology that can protect or can trace the artful products that are being duplicated illegally, but I throw this question out to all of you. You just might want to answer in a 20 or 30 second clip. What do you know that we can do to protect this most sensitive data, to protect intellectual property? And what can we do for the future? Is the technology there to guarantee that the businesses in my District can protect their property so the creators then can enjoy the benefits of their work and so that those who are in the military, General Clark, can feel secure that their most vital information is protected? So can you just go down the line and tell me what you see needs to be done, starting with Attorney Sydnor. Mr. Sydnor. Thank you, Representative Watson. What can be done? Certainly I know that the content industries are working hard to find technological ways to both protect their content and exploit the opportunities that the Internet provides. Potentially, it could be a wonderful tool for both content creators and users of content. As someone who is more of a user than a creator, I think one of the important aspects of all that will be that we need to make sure that, as content is distributed over the Internet, it gets to consumers in ways that they are basically safe to use. That is a big part of this whole problem is, you know, right now, you know, it certainly is tragic to see, with the peer-to-peer file-sharing networks, really the first time copyright enforcement against end users. Hopefully, by more action by some of the middle, those sort of situations can be a thing of the past, I would hope. Ms. Watson. Thank you. Ms. Engle. Ms. Engle. Well, I am definitely not a technology expert and can't really offer views---- Ms. Watson. But what do you think we need to do? Ms. Engle. Well, I think the kind of attention that this hearing is putting on this issue is extremely important. 
The more consumers and businesses and especially Government agencies know about this problem, the more they can take steps internally to prevent further breaches. On the side of intellectual property protection, setting aside for data security, I think we have seen the industry innovate on its own to make legal methods of downloading more available, and it is helping in that area. Ms. Watson. Thank you. Mr. Mintz. Mr. Mintz. I can't speak in terms of the consumer industry so much. In terms of the Government information, as I have said, I think the biggest focus we have is making sure that the policies and the technologies we have in place right now are followed and protected, and to become more aware of the fact that there is a lot of this kind of software, particularly in terms of the home use. I think the publicity, even the attention the committee puts on this, is very helpful. It has brought a lot more attention to the Department for these kinds of issues. I think you are faced with a big challenge, as a number of other members of the panel have talked about. A lot of this activity is international in scope, so the question is what do you do about that, also. Mr. Johnson. Education is the key right now. I am working with financial firms. They have been quite successful in educating consumers about phishing, and this is a case very similar to that. But one of the things I think that has to be thought of over and over again is that in this program case, when information is leaked it is out there, and the digital wind will carry it everywhere. It is very hard to get it back. It is a very different kind of concept than what we are used to, a physical piece of paper that we can go grab and bring back and put in the filing cabinet. Once that information is out there, it is going to be blown around and spread, and very, very hard to control. Mr. Gorton. I think there are two separate issues that you are talking about here. 
One is the release of classified information with inadvertent file sharing. Certainly LimeWire can be part of the solution by improving the functioning of our program. I also think companies like Tiversa can be part of this solution by providing technologies which allow notice and monitoring of the networks. On the front of copyright infringement, as I mentioned before, I think the ISPs need to be part of the solution. There are proven technologies out there that work. The USC and UCLA have policies in place, these warning systems that result in the disconnection of students' computers who continue to engage in copyright infringement. Those universities have succeeded in suppressing the problems of copyright infringement on their campuses, and I think we can use that successful model. That can be rolled out across the country so that it is not just a handful of universities that have successfully dealt with these problems, but can be the entire country and all the ISPs. General Clark. As far as classified information is concerned, I think the Government is aware of the right policies; that is, to keep file-sharing applications off Government computers and to separate the Government and personal computers. I don't think these policies are always enforced appropriately, and until now there is a lack of the ability to monitor through the peer-to-peer space to determine whether there are violations. What we detected with Tiversa's software is we have now got the capacity to monitor, and we can, to protect these from violations. So I think that, in addition to the separating Government and personal, preventing file-sharing applications, that you have to do some defensive monitoring of the peer-to-peer space so that you know what is out there, you know if you had had any compromises of information. You can do the investigations and followup work to seal off that leak of information and to prevent it from happening again. Mr. Boback. 
And I echo the other speeches about the education being a first step. I also echo General Clark's thoughts as to the auditing of Government classified information. As far as the intellectual property issue for the media industry, that is something--I mean, my personal belief is that the media industry should look to work with the peer-to-peer to actually use that as a distribution method to find a way, as there are so many users, as Mr. Gorton has testified to. Its users are on the peer-to-peer. It would be more appropriate for them to figure out business models that act in conjunction with the peer-to-peer, rather than trying to just eliminate the peer-to-peer as a threat. I believe that legislation in the Supreme Court, while attempting to do just that, has not succeeded, and the peer-to-peer has spread offshore. But if the media industry were to look to protect their content by including that as a distribution channel, very similarly to iTunes, looking to distribute in alternative methods, the peer-to-peer is a--I once read that there are over 14,000 movies made in Hollywood in your District each year, and less than 100 of those movies actually are profitable. The other 13,900 movies will never see the inside of a movie theater. It is not financially viable for them to distribute it in any other method. They can distribute this information, full-length videos, on the peer-to-peer. These artists could arrange, it is some work, no doubt. There are business models that need to start to look to distribute this information. Tiversa's original work was looking in that very angle until we found the massive security issues that existed and we said, you know, as U.S. citizens we need to address this issue before a functional, viable distribution method could be found for the media industry. 
I think that there is incredible opportunity for your District, particularly, to be able to distribute that additional 13,900 movies that are made each and every year and actually reap some revenue from that as the user demand goes up. There are 50 million, as Mr. Gorton testified to, users every month that are starving for content. They want this content. They have no access to it. One of our clients---- Chairman Waxman. Mr. Boback, we are going to have to move on. Mr. Boback. I'm sorry. Chairman Waxman. Thank you, Ms. Watson. Mr. Clay. Mr. Clay. Thank you, Mr. Chairman. My questions are directed at Mr. Mintz. Mr. Mintz, in your testimony you described an inadvertent disclosure that occurred at the Transportation Department. A diligent, well-meaning employee was working on a home computer. Unbeknownst to her, a teenager sharing the family computer downloaded the LimeWire P2P file-sharing program. Next thing, the Government employee's work documents are all over the Internet and the employee is being called by a reporter. To confirm your statement here today, DOT has completed its forensic analysis of the employee's computer and no sensitive documents were compromised; is that correct? Mr. Mintz. Sensitive in the sense of classified, no. There was personally identifiable information. There was one piece of personal identifiable information from the Department of Defense, her own, and there was a small amount but there was some personally identifiable information from her previous job of approximately, I believe, six or seven people. That was available. We don't know if it was released, but it was available and it was sharable. Other than that, there was nothing. There were no classified documents. Mr. Clay. And that sensitive information---- Mr. Mintz. No. Mr. Clay [continuing]. Has not shown up anywhere else? Mr. Mintz. No. Mr. Clay. OK. 
This example also illustrates the potential conflict between encouraging and promoting telework and the flexible workplace and data security that was exposed. Mr. Mintz, how do you balance the tension between telework and data security? Mr. Mintz. This is a big challenge. As a number of people here have said, the average person that is going to be using this is not necessarily computer literate or knowledgeable that we want to make use of, so one of the things we are doing is we are increasing the education process. We have already had a security leak. And we also have online training. We are increasing the training for that. Then the other activity we are doing is we are going to be moving more from desktop computers where the standard computer is a desktop computer that would always stay on a Government site, to a laptop computer, which is a Government-owned computer where we have encrypted it and we control the contents. So for those people who are actively involved in telework, they will be using Government-owned equipment. That will be done over a period of time. Mr. Clay. And you think that will be more secure than what is used now? Mr. Mintz. It will help. The reality is that at the end of the day you are always dependent on the procedures that people follow. A user could always work around any security environment. But we think it will make it more secure. Mr. Clay. In this case, Mr. Mintz, it appears that very few, if any, measures were taken to protect the employee's computer or the work product she produced. She is working from her home computer, which was shared with other members of her family over her own Internet connection; is that accurate? Mr. Mintz. Yes. Mr. Clay. And was this in compliance with DOT telework requirements? Mr. Mintz. Yes. The telework requirements were that she was not to keep personally identifiable information on a non-Government-owned computer, and, except for her own, at least from the Department of Defense, she did not. 
She did make a mistake. We talk about that. When she left her previous employment, chances are she should have deleted that information. We have added that as a process at the Department, to remind people to do that. Mr. Clay. Does the Department need to revise its telework program? Mr. Mintz. We are going to have to enhance, at a minimum, the training, and we are going to have to give increased advice to employees as to how they set up their own personal computer. And, as I have said, we have to do a better job of auditing the process to make sure that people are reminded of the responsibilities. Just putting the policy in place is clearly not sufficient. We have set up a Tele-Work Committee led by the sponsorship of the Deputy Secretary to look at these issues. The IT CIO has a representative on there. My office has a representative on it. We are very active in looking at those policies, but we are going to have to re-look at all of them. Mr. Clay. Thank you for your responses. Mr. Chairman, I yield back. Chairman Waxman. Thank you very much, Mr. Clay. I want to thank the members of this panel, as well, for your presentations to us. I think it has been a very useful, helpful, constructive hearing, and I appreciate the Members asking so many probing questions. Clearly, this issue merits further review and closer analysis. Although most agree P2P technology has great potential in its present form, it appears to come with significant risks. We need to figure out if there is a way we can protect national, corporate, and individual security without hindering lawful innovation in this area. That is a challenge for all of us and we need to work together. That concludes our business today. The hearing stands adjourned. Thank you. [Whereupon, at 12:15 p.m., the committee was adjourned.] 
[Additional information submitted for the hearing record follows:] [Graphics T0150.084 through T0150.094 omitted from the printed record.]