For the London Free Press – March 3, 2008
File-sharing programs are being installed on personal computers both in the home and at the office.
A recent incident in Newfoundland involving the file-sharing program Limewire on a government consultant’s computer shows how this type of software can lead to security and privacy breaches.
Limewire is but one example of file-sharing, or peer-to-peer (P2P), software that makes it easy to find and download things stored on other people’s computers. Most people think of the software just in the context of music or video, but it can be used to transfer any kind of file.
P2P software can be used to download copyrighted materials that one perhaps should not download. But it also can be used to download material that the owner or creator is legitimately offering to share.
Many forget, however, that P2P software usually is configured to allow others to upload files from the user’s own computer. Since that includes any type of file, it includes things such as spreadsheets containing personal finances, Microsoft Word documents containing personal information — and in the Newfoundland case, a database containing names, addresses, dates of birth and medical and work histories of dozens of people.
Discussions about file-sharing software usually focus on the downloading side, and the debate over the legalities of downloading music, video and software. Uploading issues are often overlooked.
The upside of these programs is that they allow computer users to share files with ease and without cost. The downside is that they often allow other computer users to access information on your personal computer with the same ease that you download new files.
This creates a significant security risk, but the answer is not necessarily to un-install any file-sharing programs you currently use.
One of the greatest risks for individuals using file-sharing programs is that their personal information could be accessed by potential identity thieves. Few people would like to have the contents of their hard drives available to the world to see.
The consequences for businesses could be wider ranging.
In the Newfoundland incident, the personal information of more than 150 people was exposed when an outside consultant installed Limewire on his computer. The information remained accessible for three weeks before a security company brought it to the Government’s attention.
For individuals, the answer is to make sure that the file-uploading parameters in your P2P software are set so that files can be uploaded only from specified folders. Those folders should contain only material that you would like to share with others.
Businesses should make their employees and consultants aware of the issue, especially where they may occasionally use home computers to work on company business. P2P software should not be installed on business computers unless it’s necessary, and upload folders should be controlled.