Thursday, October 29, 2009

House Ethics Committee staffer used peer-to-peer software; 'shared' confidential document

The Washington Post just published a great scoop, getting its hands on a confidential internal memo compiled by the House Committee on Standards of Official Conduct (aka the Ethics Committee) that summarizes ongoing investigations into possible wrongdoing by 30 members and several staffers. And how did such a highly sensitive document become public? According to a statement released by the committee's chairwoman and ranking member:
Neither the Standards Committee's nor the House's information systems have been breached in any way. Our initial review suggests that this unlawful access to confidential information involved the use of peer-to-peer file sharing software on the personal computer of a junior staffer, who is no longer employed by the Committee, while working from home.
You heard that right: a staffer on the Ethics Committee was using "peer-to-peer file sharing software" at home. Of course, I'm sure this highly ethical staffer was simply "sharing" the King James Bible, the works of Shakespeare, and The Odyssey...

And can anyone explain why this staffer had placed the confidential work memo in his or her "shared" folder, where it was exposed to the world?

Update: Some background on inadvertent "sharing" via p2p from Tom Sydnor of the Progress & Freedom Foundation and Patrick Ross of the Copyright Alliance.
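The committee's statement and the Post's account both turn on one mechanism: any file that sits under a P2P client's shared folder is offered to every peer that asks for it, whether or not the owner meant to publish it. The following is an added example, not code from the original post or from any P2P vendor, showing the check a practitioner would run against a share root before (or after) the client is started. It flags a share root that is a filesystem root, the user's home directory, or an ancestor of it (the "share the C drive" case), then walks the share and reports document types, files outside an allowlist of media types, and plain-text "confidential" markings. The allowlist, the document list, the marker phrases and the sample files are assumptions constructed for illustration.

```python
"""Added example: audit a folder that a P2P client would publish.

Not the Ethics Committee's, the Post's, or any P2P vendor's code. The
allowlist, document list, marker phrases and sample files are assumptions
chosen for illustration; adjust them to the share you actually run.
"""
import re
import tempfile
from pathlib import Path

# Assumed: what a home user plausibly intends to share.
MEDIA_EXTENSIONS = {".mp3", ".ogg", ".flac", ".mp4", ".avi", ".mkv", ".iso", ".torrent"}
# Assumed: office and text formats that almost never belong in a public share.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt",
                       ".rtf", ".odt", ".ppt", ".pptx"}
# Assumed: markings that indicate a document was never meant to leave the office.
SENSITIVE_MARKERS = re.compile(
    r"\b(confidential|privileged|internal use only|do not distribute)\b", re.I)


def share_root_is_too_broad(share_root):
    """True when the configured share root is a drive/filesystem root, the
    user's home directory, or an ancestor of the home directory."""
    root = Path(share_root).resolve()
    if root == Path(root.anchor):
        return True
    try:
        home = Path.home().resolve()
    except RuntimeError:  # home directory cannot be determined in this environment
        return False
    return root == home or root in home.parents


def audit_share(share_root):
    """Walk the share and return sorted (relative_path, [reasons]) entries for
    every file that should not be published."""
    root = Path(share_root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        ext = path.suffix.lower()
        if ext in DOCUMENT_EXTENSIONS:
            reasons.append("document type")
        elif ext not in MEDIA_EXTENSIONS:
            reasons.append("not on media allowlist")
        # The content check only sees plain text: a real .docx is a zip archive
        # and would need unpacking, which is why the extension rule runs first.
        try:
            head = path.read_bytes()[:65536].decode("utf-8", errors="ignore")
        except OSError:
            head = ""
        if SENSITIVE_MARKERS.search(head):
            reasons.append("sensitive marking in content")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_demo_share():
    """Constructed sample share (not real data) so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="p2p-share-"))
    (root / "music").mkdir()
    (root / "music" / "song.mp3").write_bytes(b"\xff\xfb" + b"\x00" * 64)
    # Plain-text stand-in for a saved office document; the marking is constructed.
    (root / "ethics-summary.docx").write_text(
        "CONFIDENTIAL - summary of pending matters (constructed stand-in)")
    (root / "notes.bin").write_bytes(b"\x00\x01\x02")
    return root


if __name__ == "__main__":
    demo = build_demo_share()
    print("share root too broad:", share_root_is_too_broad(demo))
    for rel, reasons in audit_share(demo):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it with the path the client lists as its shared or "library" folder. The root check is the one that matters most: a client pointed at a drive root or a home directory will publish documents that no content rule anticipated, and a client that keeps its old share list across an upgrade (the LimeWire configuration question raised in the comments below) will do so silently.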


  1. Some of these P2P systems share the whole machine by default.

  2. Ditto overton. All kinds of private information and media files are shared over p2p unknowingly.

  3. Another P2P canard.

    Really, Ben, if someone is stupid enough to leave their house or car unlocked, should we outlaw houses and cars?

    You may as well outlaw stupidity itself. That would surely solve a lot of problems in this world, right? ;-)

  4. Ben, I think your implied attack on the use of peer-to-peer technology as potentially unethical is completely unjustified. In fact the technology has many legitimate uses. Just look at Skype for example, a fine example of P2P.

    Do you support technological freedom to innovate using P2P or not?

    The actions of the staffer cannot be excused however, it is merely a case of a security breach which is all too commonplace in both government and the private sector.

  5. Thank goodness this was a pretty harmless leak, unlike the leaks by US Antarctic Program employees which resulted in the US banning those employees from using P2P. The USAP employees shared "data of the Obama presidential safe houses, the first family's motorcade routes and several leaked documents that contained detailed locations of all the US nuclear facilities."

    Do you really think this staffer was using the P2P for solely legal sharing? The strong odds are that the staffer was using it to download copyrighted media. Until most people use P2P for solely legal means, I think it's completely "justified" to assume it was for nefarious purposes.

    Copyright in the Internet Age

  6. Do we even know yet if the computer is a shared computer or controlled strictly by the staffer?

    Without such knowledge, it seems premature to make the broad assumptions articulated in Ben's post.

  7. The Washington Post's reporting makes clear that the staffer was indeed responsible:

    "The staff member was fired this week. She told committee leaders she had saved a copy of the investigation summary to her personal computer without realizing it, a congressional source said, speaking on the condition of anonymity because of the sensitivity of the matter. The file was stored in a part of her computer files where peer-to-peer file-sharing software could operate, but she told the leaders that she did not realize that it was actively running."

  8. "In fact the technology has many legitimate uses. "

    The inconceivable amount of copyright infringement aside, what exactly would those uses be? Skype, WoW patches, and Linux ISOs? I'd venture a guess that a minuscule percentage of P2P traffic qualifies as legitimate.

  9. "Some of these P2P systems share the whole machine by default"
    No, overton, no P2P application shares the root folder by default. I have some basic knowledge of Shareaza, LimeWire, Ares Galaxy, eMule, FrostWire and gtk-gnutella, and none of these applications does this. In fact many implement additional security features which prevent users from inadvertently sharing sensitive folders or file types. Feel free to prove me wrong by giving a simple P2P servent example that shares the root folder by default.

    As for Sydnor (the behavior of this guy was already discussed here before), the URL you provided is crystal clear. He modified default permissions of a previous version of LimeWire, uninstalled it, then installed version 5 which is very restrictive about the files one can share by default, and since that version kept relying on the config file of the previous version (which is the normal thing to do) he pretended that LW was dangerous. Some may call this a lie from a paid attack dog, others tend to call it "legitimate, ethical" lobbying.

    So talking about ethics, I think the choice is easy to make between the guy who shared files and some lobbyists. Besides I upload over one or two gigabytes per day (and I limit my upload bandwidth, otherwise it could well be much more than that), and only legal stuff, so indeed, P2P has purely legal uses. Finally, illegal doesn't necessarily mean unethical, but hey, this comment is already too long...

  10. Sometimes it's just easier to share the "C drive". You know how it is. -eyes rolled skyward-

  11. Trouble starts with T, and that rhymes with P, and that stands for P2P, right? That we allow articles like this to be framed as a debate on the evils of IP theft is as unsurprising as it is offensive. Some kid was sloppy and breached security; that's it. He could as easily have left his jump drive at a McDonald's.

    American and Brit culture both exalt feigned super-morality and hyperbolic lobbying as "the way the world works." If something isn't profitable, it's okay to claim it's dangerous, or at least useless. Articles like this are perfect opportunities to take back rational debate from those who seek to control IP for profit. "Taking the high road" is nice, but sometimes we need to use their tools to get their attention. I promise you won't go to hell for the judicious use of condescension and derision. =)

    But since we're on the topic, I like that the world offers checks on evil profit overlords. P2P:RIAA as bankruptcy:creditors, baby!

  12. I thought overton was being cynical.

  13. You're all missing the point.

    The fact that P2P software was involved in this breach is completely irrelevant, and is only being brought up to spark interest in yet another stupid incident involving an intern, which would otherwise not be interesting at all. It's a conspiracy by interns to become more important. You should protest by not ever mentioning this incident again. Also, you could just walk up to an intern at your office, and punch him in the face.

  14. Ben, I realize that the Darwinians will probably feel that the gene pool is replenished by dismissively pinning responsibility for the Ethics Committee document "sharing" on someone "junior" or on someone who is "stupid". That's kind of like saying all of Madoff's investors should have known better, so why prosecute Madoff because his investors were too stupid to catch him.

    Analogies aside, the Ethics Committee failure is not with the junior person; the failure is with the senior people. If the Tenenbaum case provides any insight into the intellectual training provided by colleges regarding the wisdom of file sharing, I think we can all feel grateful that no one has had to explain to "juniors" why nuclear missile launch codes are information that does not really want to be free.

    As one computer security guy told me once, the best online security is to be offline. If the network is going to be online, then it is the responsibility of the senior staff to enforce network rules about what personal software can be installed on government computers. I know that is certainly what I think I pay them for, at a minimum.

    One would think that anti-espionage rules would prevent the opportunity for these leaks. I'd like to know exactly which House rule was violated when the p2p software was installed--if any. And if there wasn't one, there should have been. I suspect there wasn't such a rule. And that would not be the fault of the junior person.

    As usual--different spanks for different ranks.


Comments here are moderated. I appreciate substantive comments, whether or not they agree with what I've written. Stay on topic, and be civil. Comments that contain name-calling, personal attacks, or the like will be rejected. If you want to rant about how evil the RIAA and MPAA are, and how entertainment companies' employees and attorneys are bad people, there are plenty of other places for you to go.