[House Report 111-431]
[From the U.S. Government Publishing Office]


111th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES
 2d Session                                                     111-431

======================================================================



 
                    SECURE FEDERAL FILE SHARING ACT

                                _______
                                

 March 11, 2010.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

   Mr. Towns, from the Committee on Oversight and Government Reform, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 4098]

      [Including cost estimate of the Congressional Budget Office]

  The Committee on Oversight and Government Reform, to whom was 
referred the bill (H.R. 4098) to require the Director of the 
Office of Management and Budget to issue guidance on the use of 
peer-to-peer file sharing software to prohibit the personal use 
of such software by Government employees, and for other 
purposes, having considered the same, report favorably thereon 
without amendment and recommend that the bill do pass.

                                CONTENTS

Purpose and Summary
Background and Need for Legislation
Legislative History
Section-by-Section
Explanation of Amendments
Committee Consideration
Roll Call Votes
Application of Law to the Legislative Branch
Statement of General Performance Goals and Objectives
Constitutional Authority Statement
Federal Advisory Committee Act
Unfunded Mandate Statement
Earmark Identification
Committee Estimate
Budget Authority and Congressional Budget Office Cost Estimate
Changes in Existing Law Made by the Bill, as Reported

                          PURPOSE AND SUMMARY

    H.R. 4098, the Secure Federal File Sharing Act, was 
introduced by Chairman Towns on November 17, 2009. The purpose 
of the bill is to reduce improper disclosures of federal 
information by prohibiting the use of open network peer-to-peer 
file sharing software on all federal computers, computer 
systems, and networks, including those of contractors working 
on the government's behalf.
    H.R. 4098 directs the Office of Management and Budget (OMB) 
to issue new guidance to implement that purpose. In addition, 
the bill also directs OMB to set up a procedure by which 
agencies may seek approval to use specific file sharing 
software for legitimate government purposes. OMB must report 
annually to Congress on those peer-to-peer software programs 
that have been approved, the agencies that are using them, and 
for what purposes.

                  BACKGROUND AND NEED FOR LEGISLATION

    Peer-to-peer file sharing software allows users to 
instantly connect with each other to search and copy electronic 
files. The popularity of such software has grown exponentially 
since being made widely available in the late 1990's and early 
2000's by programs like Napster, Kazaa and LimeWire. Currently, 
it is estimated that there are up to 20 million peer-to-peer 
file sharing users online at any point in time, most commonly 
sharing music and movies.
    Despite the ongoing growth in users, not many people are 
aware of the privacy and security risks associated with open 
network peer-to-peer file sharing software. Since 2001, the 
Committee has looked into the dangers of peer-to-peer file 
sharing with particular emphasis on the prevalence of child 
pornography, the privacy and security risks, and the problem of 
inadvertently sharing electronic files. It is clear that 
efforts by the peer-to-peer file sharing industry to self-
regulate since then have failed. At the Committee's hearing on 
inadvertent file sharing on July 29, 2009, it was revealed that 
the location of a Secret Service safe house for the First 
Family, financial information belonging to Supreme Court 
Justice Stephen Breyer, and thousands of medical records and 
tax filings were all available online on open peer-to-peer 
networks.
    H.R. 4098, the Secure Federal File Sharing Act, is intended 
to reduce the risk that those kinds of documents are exposed on 
file sharing networks by prohibiting the use of open network 
peer-to-peer file sharing software on all federal computers, 
computer systems, and networks, including those of contractors 
working on the government's behalf.

                          LEGISLATIVE HISTORY

    During the 107th Congress, the Committee first sounded the 
alarm on some of the dangers of peer-to-peer file sharing 
software in a Minority Staff, Special Investigations Division 
report entitled Children's Access to Pornography Through 
Internet File-Sharing Programs (July 27, 2001).
    During the 108th Congress, the Committee followed up with a 
hearing on the issue entitled Stumbling onto Smut: The Alarming 
Ease of Access to Pornography on Peer-to-Peer Networks (March 
13, 2003) where they released another staff report entitled 
Children's Exposure to Pornography on Peer-to-Peer Networks 
(March 13, 2003).
    During the same year, the Committee held another hearing on 
this issue focused on privacy and security threats entitled 
Overexposed: The Threats to Privacy and Security on File 
Sharing Networks (May 15, 2003). At that hearing, the Committee 
staff released the report File-Sharing Programs and Peer-To-
Peer Networks: Privacy and Security Risks (May 15, 2003).
    Shortly thereafter, the Senate Committee on the Judiciary 
held the hearing, The Dark Side of a Bright Idea: Could 
Personal and National Security Risks Compromise the Potential 
of Peer-to-Peer File Sharing Networks? (June 17, 2003). At that 
hearing, Senator Feinstein emphasized the heightened risks of 
peer-to-peer file sharing use by government employees. She 
said:

          Of most concern is the use of peer-to-peer file 
        sharing by government employees . . . A Federal 
        employee intending to simply download and share music 
        files . . . could easily make available every file on 
        his or her computer, without intending to do so or even 
        realizing it after the fact. This could include 
        personal correspondence, private financial information, 
        and even proprietary and sensitive government 
        documents.\1\
---------------------------------------------------------------------------
    \1\Opening Remarks by Senator Feinstein at the Senate Committee on 
the Judiciary hearing entitled The Dark Side of a Bright Idea: Could 
Personal and National Security Risks Compromise the Potential of Peer-
to-Peer File Sharing Networks? (June 17, 2003).

    Chairman Davis and Ranking Member Waxman attempted to 
address that concern when they introduced H.R. 3159, the 
Government Network Security Act of 2003 on September 24, 2003. 
The bill required federal agencies to address the risks posed 
by peer-to-peer file sharing programs when developing their 
network security policy and procedures and was reported 
favorably with an amendment by the Committee on September 25, 
2003, by a voice vote. The bill was agreed to in the House, as 
amended, under suspension of the rules on October 8, 2003, by a 
voice vote. It was later reported favorably by the Senate 
Committee on Governmental Affairs on November 10, 2003, without 
amendment and placed on the Senate Legislative Calendar, but 
the 108th Congress ended before the Senate took up the bill.
    During the 109th Congress, the Committee held the hearing, 
Inadvertent Filesharing over Peer-to-Peer Networks (July 24, 
2007).
    In addition, the Subcommittees on Government Management, 
Organization, and Procurement and Information Policy, Census, 
and National Archives held a joint legislative hearing on H.R. 
4791, the Federal Agency Data Protection Act (February 14, 
2008). The legislation was introduced by Representatives Clay, 
Towns, and Waxman on December 18, 2007, and included language 
requiring federal agencies to develop plans to reduce the risks 
to federal networks posed by peer-to-peer file sharing 
software. H.R. 4791 was ordered reported, as amended, by the 
Committee on Oversight and Government Reform by a voice vote on 
April 16, 2008. The bill was agreed to in the House of 
Representatives, as amended, under suspension of the rules by a 
voice vote on June 3, 2008. On June 4, 2008, H.R. 4791 was 
referred to the Senate Committee on Homeland Security and 
Governmental Affairs.
    During the 111th Congress, the Committee held the hearing, 
Inadvertent File Sharing Over Peer-to-Peer Networks: How it 
Endangers Citizens and Jeopardizes National Security (July 29, 
2009).
    The witnesses were Mark Gorton, Chairman, The Lime Group; 
Robert Boback, Chief Executive Officer, Tiversa, Inc.; and Tom 
Sydnor, Senior Fellow and Director, Center for the Study of 
Digital Property at the Progress and Freedom Foundation.
    H.R. 4098, the Secure Federal File Sharing Act, was 
introduced by Chairman Towns on November 17, 2009. The 
Committee held a business meeting on March 4, 2010, and ordered 
H.R. 4098 to be reported favorably by voice vote.

                           SECTION-BY-SECTION

Section 1. Short title

    This section provides that the short title of the bill is 
the ``Secure Federal File Sharing Act.''

Section 2. Requirements

    Subsection (a) requires the Director of the Office of 
Management and Budget, in consultation with the Federal Chief 
Information Officers Council, to issue guidance within 90 days 
on the use of peer-to-peer file sharing software to (1) 
prohibit the download, installation, or use by Government 
employees and contractors of open network peer-to-peer file 
sharing software on all Federal computers, computer systems, 
and networks, including those of contractors working on the 
government's behalf and (2) address the use of such software by 
Government employees and contractors as it relates to telework 
and remotely accessing Federal computers, computer systems, and 
networks.
    Subsection (b) requires the Director of the Office of 
Management and Budget to develop a procedure within 90 days by 
which the Director, in consultation with the Chief Information 
Officer, may receive requests from agency heads or chief 
information officers for approval for use by Government 
employees and contractors of specific open-network peer-to-peer 
file sharing software programs that are (1) necessary for the 
day-to-day business operations of the agency; (2) instrumental 
in completing a particular task or project that directly 
supports the agency's overall mission; (3) necessary for use 
between, among, or within Federal, State, or local government 
agencies in order to perform official agency business; or (4) 
necessary for use during the course of a law enforcement 
investigation.
    Subsection (c) outlines agency responsibilities. More 
specifically, it requires the Director of the Office of 
Management and Budget, within 180 days, to direct agencies to 
(1) establish or update their personal use policies to be 
consistent with the guidance issued pursuant to subsection (a); 
(2) require any contract awarded by the agency to include a 
requirement that the contractor comply with the guidance issued 
pursuant to subsection (a) in the performance of the contract; 
(3) update their information technology security or ethics 
training policies to ensure that all employees, including those 
of contractors working on the Government's behalf, are aware of 
the requirements of the guidance required by subsection (a) and 
the consequences of engaging in prohibited conduct; and (4) 
ensure that proper security controls are in place to prevent, 
detect, and remove file sharing software that is prohibited by 
the guidance issued pursuant to subsection (a) from all Federal 
computers, computer systems, and networks, including those 
operated by contractors on the Government's behalf.

Section 3. Annual report

    This section describes the reporting requirement of the 
Director of the Office of Management and Budget to submit to 
the Committee on Oversight and Government Reform in the House 
of Representatives and the Committee on Homeland Security and 
Governmental Affairs in the Senate, within one year and 
annually thereafter, a report on the implementation of this Act 
including (1) a justification for each open-network peer-to-
peer file sharing software program that is approved pursuant to 
subsection (b) and (2) an inventory of the agencies where such 
programs are being used.

Section 4. Definitions

    This section defines ``agency'' as having the meaning given 
the term ``Executive agency'' by section 105 of title 5, United 
States Code.
    The term ``open-network,'' with respect to software, is 
defined as a network in which (A) access is granted freely, 
without limitation or restriction or (B) there are little or no 
security measures in place.
    As defined by this section, the term ``peer-to-peer file 
sharing software'' (A) means a program, application, or 
software that is commercially marketed or distributed to the 
public and that enables (i) a file or files on the computer on 
which such program is installed to be designated as available 
for searching and copying to one or more other computers; (ii) 
the searching of files on the computer on which such program is 
installed and the copying of any such file to another computer 
(I) at the initiative of such other computer and without 
requiring any action by an owner or authorized user of the 
computer on which such program is installed and (II) without 
requiring an owner or authorized user of the computer on which 
such program is installed to have selected or designated 
another computer as the recipient of any such file; and (iii) 
an owner or authorized user of the computer on which such 
program is installed to search files on one or more other 
computers using the same or a compatible program, application, 
or software, and copy such files to such owner or user's 
computer.
    In addition, the term ``peer-to-peer file sharing 
software'' (B) does not include a program, application, or 
software designed primarily to (i) operate as a server that is 
accessible over the Internet using the Internet Domain Name 
system; (ii) transmit or receive email messages, instant 
messages, real-time audio or video communications, or real-time 
voice communications; or (iii) provide network or computer 
security (including the detection or prevention of fraudulent 
activities), network management, maintenance, diagnostics, or 
technical support or repair.
    This section defines ``contractor'' as having the meaning 
given the terms ``prime contractor'' or ``subcontractor'' in 
the Federal Acquisition Regulation.

                       EXPLANATION OF AMENDMENTS

    No amendments were offered to this legislation.

                        COMMITTEE CONSIDERATION

    On Thursday, March 4, 2010, the Committee met in open 
session and ordered H.R. 4098 to be reported favorably to the 
House by a voice vote.

                            ROLL CALL VOTES

    No roll call votes were held.

              APPLICATION OF LAW TO THE LEGISLATIVE BRANCH

    Section 102(b)(3) of Public Law 104-1 requires a 
description of the application of this bill to the legislative 
branch where the bill relates to terms and conditions of 
employment or access to public services and accommodations.
    H.R. 4098 relates to the use of open network peer-to-peer 
file sharing software at federal agencies and among federal 
contractors doing business with the government. Therefore, it 
does not apply to the legislative branch.

         STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

    In accordance with clause 3(c)(4) of rule XIII of the Rules 
of the House of Representatives, the Committee's performance 
goals and objectives are reflected in the descriptive portions 
of this report, including protecting federal computer systems, 
networks, and government information from improper exposure.

                   CONSTITUTIONAL AUTHORITY STATEMENT

    Under clause 3(d)(1) of rule XIII of the Rules of the House 
of Representatives, the Committee must include a statement 
citing the specific powers granted to Congress to enact the law 
proposed by H.R. 4098. Article I, Section 8, Clause 18 of the 
Constitution of the United States grants the Congress the power 
to enact this law.

                     FEDERAL ADVISORY COMMITTEE ACT

    The Committee finds that the legislation does not establish 
or authorize the establishment of an advisory committee within 
the meaning of 5 U.S.C. App., Section 5(b).

                       UNFUNDED MANDATE STATEMENT

    Section 423 of the Congressional Budget and Impoundment 
Control Act (as amended by Section 101(a)(2) of the Unfunded 
Mandates Reform Act, P.L. 104-4) requires a statement on 
whether the provisions of the report include unfunded mandates. 
In compliance with this requirement the Committee has received 
a letter from the Congressional Budget Office included herein.

                         EARMARK IDENTIFICATION

    H.R. 4098 does not include any congressional earmarks, 
limited tax benefits, or limited tariff benefits as defined in 
clause 9(e), 9(f), or 9(g) of rule XXI.

                           COMMITTEE ESTIMATE

    Clause 3(d)(2) of rule XIII of the Rules of the House of 
Representatives requires an estimate and a comparison by the 
Committee of the costs that would be incurred in carrying out 
H.R. 4098. However, clause 3(d)(3)(B) of that rule provides 
that this requirement does not apply when the Committee has 
included in its report a timely submitted cost estimate of the 
bill prepared by the Director of the Congressional Budget 
Office under section 402 of the Congressional Budget Act.

     BUDGET AUTHORITY AND CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

    With respect to the requirements of clause 3(c)(2) of rule 
XIII of the Rules of the House of Representatives and section 
308(a) of the Congressional Budget Act of 1974 and with respect 
to requirements of clause 3(c)(3) of rule XIII of the Rules of 
the House of Representatives and section 402 of the 
Congressional Budget Act of 1974, the Committee has received the 
following cost estimate for H.R. 4098 from the Director of the 
Congressional Budget Office:

                                                    March 10, 2010.
Hon. Edolphus Towns,
Chairman, Committee on Oversight and Government Reform,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 4098, the Secure 
Federal File Sharing Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Matthew 
Pickford.
            Sincerely,
                                              Douglas W. Elmendorf.
    Enclosure.

H.R. 4098--Secure Federal File Sharing Act

    H.R. 4098 would require federal agencies to develop and 
implement a plan within six months to ensure that computer 
systems, including those used by contractors, are secure from 
the use of certain file-sharing software. Affected software, 
known as peer-to-peer (P2P) file-sharing programs, are 
applications that allow users to download and directly share 
electronic files from other users. The legislation would not 
prohibit the use of all file-sharing programs but would require 
the Office of Management and Budget (OMB) to develop a 
procedure for agencies to receive approval to use file-sharing 
programs. Finally, H.R. 4098 would require agencies to create 
plans to address security concerns for government computer 
networks.
    Most provisions of H.R. 4098 would codify and expand 
current practices of the federal government. Under the E-
Government Act of 2002, federal agencies are already charged 
with protecting information from unauthorized access, use, 
disclosure, disruption, modification, or destruction. In 
addition, OMB has already provided guidance on the use of file-
sharing technology.
    Under H.R. 4098, OMB would be required to provide 
additional guidance and procedures for approving certain file-
sharing programs, and agencies would have additional reporting 
and training requirements. Based on information from OMB and 
industry sources, and subject to the availability of 
appropriated funds, CBO estimates that implementing H.R. 4098 
would cost about $10 million over the 2011-2014 period.
    Enacting H.R. 4098 could affect direct spending by agencies 
not funded through annual appropriations, such as the Tennessee 
Valley Authority and the Bonneville Power Administration; 
therefore, pay-as-you-go procedures would apply. However, CBO 
estimates that those budgetary effects would be insignificant 
for each year.
    H.R. 4098 contains no intergovernmental mandates as defined 
in the Unfunded Mandates Reform Act (UMRA) and would not affect 
the budgets of state, local, or tribal governments.
    H.R. 4098 would impose a private-sector mandate, as defined 
in UMRA, to the extent that it would require federal government 
contractors that use file-sharing software to comply with new 
restrictions on downloading, installing, or using that software 
on computers used for federal work. Because any new contracts 
that contain such restrictions would be entered into 
voluntarily, the requirements of the bill would only constitute 
a mandate to the extent that they would affect existing 
contracts. The cost of the mandate would be the expenditures 
required to modify computer systems or software to comply with 
new requirements. According to several experts in information 
technology, most file-sharing programs that are related to work 
would not fit the bill's definition of P2P software and, 
therefore, would not be subject to the restrictions in the 
bill. Consequently, CBO expects that any compliance cost would 
fall below the annual threshold for private-sector mandates 
established in UMRA ($141 million in 2010, adjusted annually 
for inflation).
    The CBO staff contacts for this estimate are Matthew 
Pickford (for federal costs) and Sam Wice (for the private-
sector impact). This estimate was approved by Theresa Gullo, 
Deputy Assistant Director for Budget Analysis.

         CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    No changes to existing law are made by H.R. 4098, as 
reported.