Lime Group Chairman Mark Gorton found himself in the hot seat last week during a hearing on the problem of inadvertent data leaks on peer-to-peer (P2P) networks including his company's, LimeWire. The hearing was held by the House Oversight and Government Reform Committee.
Furious lawmakers blasted Gorton over what they claimed was his company's continued failure to ensure that users of LimeWire software did not share files inadvertently. The scathing criticism came in the wake of testimony by two witnesses at the hearing. Robert Boback, CEO of Tiversa Inc., a P2P networking monitoring service, disclosed how he had discovered highly sensitive government data, including presidential motorcade routes, on LimeWire networks.
The other witness was Progress and Freedom Foundation's Thomas Sydnor, who said his experiments with LimeWire's P2P software had revealed it to be extremely susceptible to inadvertent file sharing. The disclosures led to committee chairman Edolphus Towns (D-NY) saying he would soon introduce a bill seeking to ban the use of P2P software on government networks.
In a conversation with Computerworld, Gorton flatly rejected some of the testimony. He claimed that concerns about data leaks on P2P networks are being fueled and orchestrated by music labels concerned more about copyright infringement on P2P networks than anything else.
Were you surprised at the criticism directed at you and LimeWire during the hearing?
I'm not sure I had that much in the way of expectations going into it so I am not sure if I was surprised. I mean this hearing was more or less orchestrated by the RIAA (Recording Industry Association of America). I am personally of the opinion that you cannot view these hearings outside of the context of the litigation which the recording industry has going on with LimeWire.
Why do you say that?
If you look at the testimony by Tom Sydnor, his firm is supported by the major record labels. If you look at his report it is completely biased. It seems superficially kind of shocking. But when you start parsing it, it really is very tricky and deceptive.
Is there an example of this that you can show?
Sure. Sydnor says he went and installed LimeWire on a computer and that it immediately started sharing (all of the files) on the computer and that it was a security disaster. What he failed to mention is that in order to achieve that result he had to have taken that computer and installed a previous version of LimeWire on it. He then, really, deliberately had to go and remove all of the security settings on it, ignore countless warnings and consciously share file by file all of the files he was talking about. He then had to uninstall LimeWire from that computer and then reinstall the newer version which just picked up the settings he previously had put on it. He gives the impression that any time you install LimeWire it goes and shares all these files and that is just absolutely untrue. He manages to parse the facts cleverly enough to give a highly misleading picture of reality.
What about the testimony from Tiversa?
Tiversa is a company that sells a service to businesses and to the government. It attempts to monitor peer-to-peer networks and to notify [clients] if they find a document (belonging to their clients). Tiversa has a strong monetary incentive to make the problem of inadvertent file-sharing seem as bad as it can possibly be. It is not to say that they were completely inaccurate. But they seem to want to make the situation a lot more serious than it necessarily is.
What do you think about the response from committee members to the testimony?
Certainly many of them did not approach the hearing with an open mind at all. You can go and look at the campaign contributions for some of those members. They receive contributions from the recording industry. Based on that, many of them did not seem to have an open mind at all. To some extent I think many of them are also not familiar with the technical details of file sharing and don't understand the difference between a search using LimeWire and finding a file that is served by a completely different program. It is a distinction that is very important in terms of understanding the security issues. But I think most of them did not come there to learn. Most of them came there to be angry at me without taking the time to understand the facts. That's not to say there isn't a problem. That's why LimeWire has been working in the last couple of years to do what it can to eliminate inadvertent file-sharing. But grandstanding and deliberately ignoring the facts does not help address the problems that are out there.
So, is the latest version of LimeWire safe?
It does not share documents by default. If you install LimeWire, it will not share documents automatically. In order to share documents you have to go through a process in which you click nine times and pass three warning signs in order to share a document. That is not the sort of thing people are going to do by accident. We have really changed the interface, the way file sharing is done or the way you can send files to be shared. We have gotten rid of the entire concept of shared folders. It doesn't exist anymore. We completely reengineered that entire process top to bottom. We very clearly, very visibly show people which files they are sharing and give them controls to be able to control that. No files are shared automatically. It is only by taking affirmative steps that users can share files.