Sharing files over unsecured P2P networks can result in data breaches.


Peer-to-peer file sharing in schools and colleges has come under scrutiny again after a Federal Trade Commission (FTC) probe turned up massive security breaches that made student grades, Social Security numbers, and medical records accessible to anyone connected to the peer-to-peer networks at several institutions.

The FTC sent letters to 100 schools and companies Feb. 22, warning them of data breaches that made sensitive information vulnerable to an unknown number of people on open P2P networks.

P2P networks, when working correctly, allow groups to share information online, such as software, music, videos, and documents. The openness of these networks, however, can leave sensitive data available to people who are supposed to be barred from seeing that information if the file-sharing software is not configured properly.

In a statement, FTC Chairman Jon Leibowitz said schools, colleges, and businesses “should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.”

Leibowitz added: “Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

Letters sent to school and campus administrators included federal warnings that student and faculty information might have been exposed through popular file-sharing sites BitTorrent and Limewire. The letters urged campus decision makers to consult their technology officials about how to protect information from exposure on P2P networks.

The FTC also directed institutions to contact employees, students, and customers who might have been affected by the security breach. The agency would not disclose which institutions received letters.

Schools victimized by the security breaches might have broken a federal law that requires institutions using P2P networks to take “reasonable and appropriate security measures to protect sensitive personal information.”

“Failure to prevent such information from being shared to a P2P network may violate such laws,” according to the FTC’s web site.

Campus technology officials have struggled to find legal file-sharing alternatives to illegal sites once prevalent on campuses, used by students to download songs and movies for free.

Last year, Ruckus—a download service supported by advertisements and available free of charge to college students—shut down, continuing a string of early departures by free or low-cost music sites. Ruckus went under after Universal Music Group and Sony did away with their Total Music venture, which owned Ruckus.

Cdigix and Napster, which switched to a legal downloading service after beginning as a controversial free file-sharing site in the late 1990s, are other affordable music sites that have closed down or stopped catering to colleges in recent months.

Low-cost digital music services have failed on college campuses in part because music choices were so limited that students were driven to illegal file-sharing web sites where more songs were available—and free.

Despite an onslaught of legal threats from the music industry, illegal P2P networks are attracting more users, including college students. The average number of illegal P2P users “almost doubled globally” between 2003 and 2005, according to market research firm Big Champagne.

Although P2P file sharing is a common way to exchange copyright-protected files illegally, such as movies and music, many schools, companies, and other organizations also use P2P file-sharing services for legal distribution of videos and other large files. For instance, educators, students, and researchers often use BitTorrent and other P2P services to share large data sets compiled during their research.

Common ways to avoid security failures on P2P networks include disconnecting the file-sharing program when it’s not being used to download files; updating the program with security patches designed to stop hackers; and occasionally using anti-spyware software to scan computers for any unwanted or unidentified downloads that can pose a threat to everyone using the file-sharing program, the FTC said.

Link:

FTC data breach announcement