May 05, 2009, 5:17 PM — U.S. legislation aimed at curtailing the inadvertent file sharing of personal data on P2P networks could create new regulations for makers of other software, including Web browsers and cloud computing, groups told a congressional subcommittee.
The Informed P2P User Act, introduced in March by Representative Mary Bono Mack, would require that P2P software give users warnings that their files can be shared before installation and each time it's launched.
Although P2P vendors have said they're taking steps to prevent the inadvertent sharing of tax returns, medical records and other personal data, there are still widespread reports about continuing problems, said Bono Mack, a California Republican.
"This hands-off approach has not worked," she said at a Tuesday subcommittee hearing. "Any set of voluntary best practices put forth by the P2P industry can no longer be seen as credible."
In the past two months, Tiversa, a vendor of P2P monitoring services, found more than 3.9 million breaches of personal data, said company CEO Robert Boback. The problem of inadvertent sharing isn't going away, he told the House Energy and Commerce Committee's Subcommittee on Commerce, Trade, and Consumer Protection.
In addition, recent media reports have pointed to plans detailing U.S. President Barack Obama's new helicopter and a military fighter jet project leaked onto P2P networks.
"How many more medical records and tax returns is it going to take for us to act?" Bono Mack said. "How many more state secrets will be made available to those who want to harm us? I believe enough is enough, and the time to act is now."
But Bono Mack's bill defines P2P as software that allows a computer to designate files available for transmission to another computer, to transmit those files and to request that other computers transmit files to it. That definition could include Web browsers, automatic updates and streaming media services, said Robert Holleyman, president and CEO of the Business Software Alliance, a trade group.
"We know that is not the intent of the bill" to force browsers to give file-sharing warnings every time a user launches one, Holleyman said. Some changes to the definition of P2P in the bill could fix the problems with the bill, he said.
Bono Mack questioned why providing notice to consumers would be a problem for legitimate software vendors. "What is the harm?" she asked. "How is notice and consent an issue?"
Four other tech-related trade groups, including TechAmerica and the Computer & Communications Industry Association, also raised concerns about the bill in a letter sent to Bono Mack Monday. The bill's definition of P2P software could apply to e-mail providers, social networking sites and cloud computing services, the groups wrote.
"Each of the above-referenced technologies allows a user's computer to share and request content from other computers," the letter said. "In fact, most services and applications on the Internet allow for such shared use. The vast majority of applications that utilize distributed computers to deliver or assist in the delivery of content do not contain the kind of recursive file-sharing features that the legislation seems intended to address."
Bono Mack said she was willing to refine the definition of P2P services.
But the CEO of the Distributed Computing Industry Association (DCIA), a trade group representing P2P vendors and other companies involved in distributed computing, suggested no legislation was needed. In July 2008, the DCIA announced a program of voluntary best practices for P2P software vendors to avoid inadvertent file sharing, and seven leading P2P vendors have adopted the standards, said Martin Lafferty, DCIA's CEO.
The bill could stifle innovative new technologies, and it would not cover overseas P2P software, he said.
All the P2P vendors now provide software that does not share personal files by default, Lafferty said. "To the extent that legitimate consumer concerns persist in the area that the bill attempts to address, we strongly believe they can best be handled by ongoing self-regulation," he said. "The DCIA has committed to self-regulation ... and is making substantial progress."
The subcommittee also debated a data breach notification bill, the Data Accountability and Trust Act. The bill would require organizations that suffer a data breach that could result in a "reasonable risk" of identity theft to notify affected customers and the U.S. Federal Trade Commission.
The bill received significant support from members of the subcommittee, but representatives of privacy groups raised concerns that it could pre-empt existing state regulations on data breach notification with a weaker federal law.