
P2P file sharing networks - unintended gateway to trade secrets, employee sensitive information

Jackson Lewis LLP
Joseph J. Lazzarotti

The same software that allows you and your children to share music and movie files may be placing your company at grave risk. Commonly referred to as "peer-to-peer" or "P2P" networks, file sharing technology is being used by millions to share electronic files with one another. Absent due care, however, this technology can cause a range of problems for any organization by making sensitive corporate financial information, trade secrets, and other corporate information, as well as personal employee and/or customer information, readily available to anyone on the P2P network. This article discusses some of the risks of P2P, as well as preventive strategies to protect valuable company assets and reputation.


"P2P" - What is it?

P2P file sharing began with Napster in 1999. Despite attempts by the media industry to shut down P2P file sharing networks, today they have grown to include millions of users worldwide with over 450 million copies of P2P software downloaded. LimeWire, one of the most popular file sharing programs, is on 30% of the world's computers. More searches for information occur each day on P2P file sharing networks, 1.5 billion, than occur on Google, 170 million.

P2P technology provides an efficient way for people to share files. For example, the technology can be used to leverage the power of the computers that it connects, creating informal, yet effective networks. Through these connections, computer users (known as "peers") can share communications, processing power, and data files. With respect to file sharing, P2P technology allows "decentralized" sharing; that is, sharing directly between two P2P users, rather than requiring the users to connect to a central location where the files are stored. Thus, the files do not go through any central computer server in the middle of the exchange.

The technology can yield significant benefits. Without a central storage point for files, file transfers are faster and "bandwidth" is conserved. In addition, because the technology treats each user as a separate server, businesses can lower central storage capacities by utilizing the collective capacities of the peers in the network. This results in lower maintenance and energy costs. For these reasons, P2P technologies are becoming as much a critical and integral part of the Internet's infrastructure as Web browsers.

What Risks Are Posed by P2P Technology?

By itself, P2P technology is harmless and useful. Significant risks emerge, however, because businesses either are not aware of P2P technology, do not know that it is present on their information systems, or are not careful in handling it. Some of these risks include:

Inadvertent File Sharing - An unintended consequence of this emergent technology is that as more and more information is converted to a digital format, that information is just as susceptible to being shared as the television shows and movies for which the technology was developed. Inadvertent file sharing happens when computer users mistakenly share more files than they intend. For example, an employee may only want to share music files or vacation photos, but instead opens every file on his computer's hard drive to access by anyone on the P2P network. This typically occurs as a result of user error, either in installing and/or using the software, or from a virus spread through the P2P network.

As more employees work remotely, use laptops and other electronic devices, and communicate using a variety of networks, monitoring file sharing technology in your company can become a daunting task. This will become increasingly challenging as more young workers enter the workplace and as workplaces become still more dispersed, flexible and decentralized.

Spyware - File sharing software generally can be downloaded free or for a fee. Free file sharing software typically is bundled with other software in order to generate revenue for P2P file-sharing software companies. Unfortunately, bundled software may include programs commonly referred to as "spyware" and "adware". These can infiltrate and damage an individual's computer and the network to which it is connected. Spyware also can compromise privacy by facilitating personal information theft, monitoring communications, and tracking an individual's online activity. In some cases, these programs employ measures to prevent their deletion or use large P2P file-sharing networks to spread across the Internet more quickly.

Viruses - Downloading a file with a virus attached is likely when large numbers of users connect to P2P networks. Indeed, some viruses specifically target P2P networks. These viruses mask themselves as legitimate music or movie files to "bait" users into installing them. In some cases, viruses can reconfigure a computer's P2P software settings to allow more files to be shared than the user intended. Viruses also can create "back doors" that enable hackers to gain access to the computer later.

Pornography - Files shared on a P2P network often are mislabeled with innocuous or even deceptive keywords that hide the file's pornographic content. This can be particularly problematic in the workplace, as illustrated in the following case: a state appellate court in New Jersey held in a case of first impression that an employer has a duty to investigate an employee's Internet activities when it has noticed that the employee is using a workplace computer to access child pornography. See Doe v. XYC Corp., 2005 N.J. Super. LEXIS 377, *1-2 (N.J. Super. Ct. 2005).

In addition, the possession and transfer of these files can result in civil and criminal exposure, especially those that contain child pornography. This risk is enhanced in the case of P2P file sharing as the software is often configured so that downloaded files automatically are made available to others on the network.

Have Some of These Risks Materialized?

Yes. According to an Information Systems Audit and Control Association national study of U.S. white-collar workers, more than 33% of employees have violated their company's information technology policies at least once, and nearly 15% of employees have indulged in P2P file-sharing activities at least once while at work. The study finds that at a company with 1,000 white-collar employees, up to 70 employees are likely to be using peer-to-peer file sharing technology. This "internal" risk is compounded by external risk: exposure of sensitive or confidential information often occurs through third parties, such as contractors, suppliers, auditors, and partners, who can put your organization at risk even if you protect your own networks and your employees follow policies and procedures.

The following illustrate where P2P technology has resulted in an exposure or misuse of information:

* In August 2008, in a case of first impression, 19-year-old Jason M. Milmont of Cheyenne, Wyoming, pled guilty in federal court to charges alleging that he compromised 5,000 to 15,000 computers by modifying the file-sharing program LimeWire. He faces up to five years in prison, a $250,000 fine, and has agreed to pay more than $73,000 in restitution.

* In June 2008, Walter Reed Army Medical Center reported that it was investigating the possible disclosure of the personal information of approximately 1,000 Military Health System beneficiaries, which it believed was disclosed through unauthorized sharing on a P2P network.

* In September 2007, Citi's ABN Amro Mortgage Group reported that the personal information, including Social Security numbers, of more than 5,000 customers was leaked when one of its business analysts in Florida - or a member of her family - signed up to use the P2P file sharing service LimeWire on a home computer containing the personal information.

* In September 2007, Gregory Kopiloff was arrested and later convicted of using file sharing programs to "search" the computers of others for federal income tax returns, student financial aid applications, and credit reports stored on private computers. Kopiloff then used the identity, banking, financial, and credit information to open credit accounts over the Internet and make fraudulent online purchases of merchandise, which he had shipped to various mailboxes and then sold for about half the normal retail value. Law enforcement has linked Kopiloff's fraud to some 80 victims and more than $70,000 in losses.

What Steps Can Your Organization Take to Deal with P2P Technology?

* Get Educated - P2P technology and the risks associated with it must be understood by key groups in an organization, including risk management and human resources, not just the IT department, in order to identify and deal with its critical challenges. An important first step in dealing with P2P is gaining a basic understanding of how it works. Next, the appropriate persons in the organization must understand the company's information systems and the needs of the company's business model in order to assess the risks and adopt measures to deal effectively with them. For example, a company that has most of its workforce working from home or in remote locations likely will have greater challenges than a company with a more centralized network.

* Determine if the Company Already Has Been Affected - Network monitoring companies can search P2P file sharing networks to locate and retrieve files that were inadvertently shared from a company or third party computer. One such company, Tiversa, Inc., centralizes what was previously a decentralized P2P file-sharing network in order to gather in one place all previously untraceable activity on the network to analyze searches and requests. Tiversa can then investigate fully to determine the intent of those requests, as well as access the files available to users of P2P networks who issue those searches. This is critical to: (i) locating files with sensitive company information, (ii) halting their further spread, and (iii) prosecuting those who have improperly accessed or used the information.

* Consider the "Extended Enterprise" - It is critical to consider the information security technologies, policies, and procedures of those outside your organization to whom you entrust sensitive or confidential information. With the explosion of outsourcing, this is more important than ever. Consider adding provisions in vendor contracts, including indemnity provisions, governing disclosure of your confidential information via P2P file sharing networks. To ensure vendors are complying with promised safeguards, companies should monitor P2P file sharing networks to discover third party disclosures of information.

* Implement and Enforce Policies and Procedures - After assessing the risks and considering the needs of the business, the company should adopt effective policies that limit the risks posed by P2P technology. For example, companies might consider limiting downloads of company information to non-company computers, such as personal home computers. Policies and procedures that are adopted need to be enforced and updated to keep pace with changes in technology. It is also critical to continue to monitor P2P file sharing networks to determine that your policies and procedures are effective. Simply adopting handbook policies, without more, will do little to close the holes created by P2P file sharing technology in a company's information systems.

* Ensure Spyware and Virus Protections are Up-to-date - Because use of a P2P network can make a computer or network more susceptible to spyware and viruses, companies should make sure to install anti-spyware and anti-virus software and configure them to scan regularly. Adopting and enforcing a policy of limiting certain downloads also can be helpful.
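An added illustration (not from the original article or any P2P client) of the kind of check the "determine if the company has been affected" and "enforce policies" steps call for: given a P2P client's configured shared folders, flag ones that expose an entire home directory or document store, and flag files under them whose content looks like the Social Security numbers or tax records described above. The folder list and file contents are constructed sample data; a real audit would read the client's actual configuration and walk the disk.

```python
import re
from pathlib import PurePosixPath

# Constructed example data: the shared-folder list a P2P client might hold,
# and a few files on the same machine (path -> content). Not from any real client.
SHARED_DIRS = ["/home/analyst", "/home/analyst/Music"]
FILES = {
    "/home/analyst/Music/track01.mp3": b"ID3 audio data",
    "/home/analyst/Documents/customers.csv": b"name,ssn\nJane Roe,123-45-6789\n",
    "/home/analyst/Documents/notes.txt": b"quarterly forecast - CONFIDENTIAL\n",
    "/home/analyst/Documents/todo.txt": b"renew parking permit\n",
}

# Locations that should never be shared wholesale; sharing one of these (or a
# parent of one) is the "opened the whole hard drive" mistake described above.
OVERSHARE_ROOTS = ["/", "/home", "/home/analyst", "/home/analyst/Documents"]

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
KEYWORDS = (b"confidential", b"social security", b"tax return")


def overshared_dirs(shared_dirs, roots=OVERSHARE_ROOTS):
    """Return shared directories that equal, or are an ancestor of, a protected root."""
    hits = []
    for d in shared_dirs:
        dp = PurePosixPath(d)
        if any(PurePosixPath(r) == dp or dp in PurePosixPath(r).parents for r in roots):
            hits.append(d)
    return hits


def sensitive_files(shared_dirs, files):
    """Return files reachable through a shared directory whose content looks sensitive."""
    exposed = []
    for path, content in files.items():
        p = PurePosixPath(path)
        if not any(PurePosixPath(d) in p.parents for d in shared_dirs):
            continue  # not under any shared folder, so not exposed
        if SSN_RE.search(content) or any(k in content.lower() for k in KEYWORDS):
            exposed.append(path)
    return sorted(exposed)


if __name__ == "__main__":
    for d in overshared_dirs(SHARED_DIRS):
        print(f"OVERSHARED FOLDER: {d}")
    for f in sensitive_files(SHARED_DIRS, FILES):
        print(f"SENSITIVE FILE EXPOSED: {f}")
```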

About

This page contains a single entry from the blog posted on October 15, 2008 9:35 PM.