In an alert entitled Widespread Data Breaches Uncovered by FTC Probe, the Federal Trade Commission has warned the public that the FTC has had to notify "almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared from the organizations' computer networks." FTC Chairman Jon Leibowitz warned, "we found health-related information, financial records, and drivers' license and social-security numbers--the kind of information that could lead to identity theft."
This probe represents a welcome change in both the attitude and the approach of the FTC. This probe shows that the FTC is now taking the risks created by distributors of file-sharing programs seriously, and it is assessing them by doing what distributors themselves refuse to do: by actually studying what is happening on file-sharing networks. Had the FTC adopted the attitude and the approach now taken by Chairman Leibowitz back in 2004--when Congress first asked the FTC to investigate whether distributors of file-sharing programs had actually eliminated defects in their programs that were known to cause inadvertent sharing--years of misery, national-security violations, leaked risk-assessments that could increase the lethality of terrorist attacks on American cities, corporate data-breaches, gross breaches of personal privacy, widespread piracy, identity theft, and medical identity theft could have been avoided.
I thus congratulate Chairman Leibowitz, the new Administration, and the FTC for their new attitude and new approach towards the serious problem of inadvertent sharing. As they build upon this initial success, I hope that they will keep the following points squarely in mind:
First, inadvertent sharing is a far more serious threat to ordinary families than it has ever been to "organizations." As Chairman Leibowitz correctly noted "health-related information, financial records, and drivers' license and social-security numbers" are "the kind of information that could lead to identity theft." They are also the kind of information likely to be stored on most ordinary home computers. Indeed, there is no way to contain the threat that inadvertent sharing poses to both sensitive governmental and corporate data unless ordinary consumers and families are also protected--the recent disclosure of ongoing investigations by the House Ethics Committee makes this brutally clear.
Second, inadvertent sharing of sensitive personal files is but the most obvious manifestation of a far larger problem: inadvertent sharing of any type of file--including copyrighted music, movies, images, games, or software--that would be illegal or dangerous to "share" with thousands or millions of anonymous strangers. Right now, far too many families are inadvertently sharing not only more than the 1,700 copyrighted songs that put Jammie Thomas-Rasset on the wrong end of a 1.9-million-dollar jury verdict, but also entire collections of family photos that file-sharing pedophiles are using to identify and target attractive children (p.11).
Third, historically, inadvertent sharing has been "inadvertent" only from the perspective of users of file-sharing programs--and those who suffer as a result of their mistakes. By contrast, from the perspective of many distributors of file-sharing programs, inadvertent sharing appears to be frighteningly deliberate: for example, the distributors of the file-sharing program LimeWire have repeatedly deployed "features" that were known to dupe many users of such programs into inadvertently sharing tens of thousands of personal files--including their entire collections of music and movies.
The FTC's new probe into inadvertent file-sharing should be welcomed and applauded. It could turn out to be the beginning of the end of a seemingly deliberately created crisis that should have been remediated eight years ago--when the computer-science study Usability and Privacy first warned all competent developers of file-sharing programs about reality and the consequences of inadvertent sharing.