
Schools fall victim to P2P security breaches

By Dennis Carter, Assistant Editor
February 24th, 2010

 

Sharing files over unsecured P2P networks can result in data breaches.


Peer-to-peer file sharing in schools and colleges has come under scrutiny again after a Federal Trade Commission (FTC) probe turned up massive security breaches that made student grades, Social Security numbers, and medical records accessible to anyone connected to the peer-to-peer networks at several institutions.

The FTC sent letters to 100 schools and companies Feb. 22, warning them of data breaches that made sensitive information vulnerable to an unknown number of people on open P2P networks.

P2P networks, when working correctly, allow groups to share information online, such as software, music, videos, and documents. The openness of these networks, however, can leave sensitive data available to people who are supposed to be barred from seeing that information if the file-sharing software is not configured properly.

In a statement, FTC Chairman Jon Leibowitz said schools, colleges, and businesses “should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.”

Leibowitz added: “Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

Letters sent to school and campus administrators included federal warnings that student and faculty information might have been exposed through popular file-sharing sites BitTorrent and LimeWire. The letters urged campus decision makers to consult their technology officials about how to protect information from exposure on P2P networks.

The FTC also directed institutions to contact employees, students, and customers who might have been affected by the security breach. The agency would not disclose which institutions received letters.

Schools victimized by the security breaches might have broken a federal law that requires institutions using P2P networks to take “reasonable and appropriate security measures to protect sensitive personal information.”

“Failure to prevent such information from being shared to a P2P network may violate such laws,” according to the FTC’s web site.

Campus technology officials have struggled to find legal file-sharing alternatives to illegal sites once prevalent on campuses, used by students to download songs and movies for free.

Last year, Ruckus—a download service supported by advertisements and available free of charge to college students—shut down, continuing a string of early departures by free or low-cost music sites. Ruckus went under after Universal Music Group and Sony did away with their Total Music venture, which owned Ruckus.

Cdigix and Napster, which switched to a legal downloading service after beginning as a controversial free file-sharing site in the late 1990s, were other affordable music sites that have closed down or stopped catering to colleges in recent months.

Low-cost digital music services have failed on college campuses in part because music choices were so limited that students were driven to illegal file-sharing web sites where more songs were available—and free.