LimeWire Blocked Security Company’s Scans After Leaks, Committee Told
P2P software is a grave threat to U.S. security, children and even criminal trials, lawmakers and most witnesses said at a House Oversight Committee hearing Wednesday on inadvertent file-sharing. But federal regulators have been slacking off in holding the P2P industry accountable for software features that endanger sensitive information on users’ computers, they said. Chairman Edolphus Towns, D-N.Y., said he would introduce a bill to prohibit the installation of P2P software on government and government-contractor computers, one of which was responsible for leaking blueprints for President Barack Obama’s Marine One helicopter. No one mentioned an existing Commerce Committee bill (HR-1319) by Rep. Mary Bono Mack, R-Calif., that would require finer-grained user controls in P2P software (WID May 6 p2).
Perhaps the most surprising charge was that software maker Lime Wire had blocked the security company that identified the Marine One leak -- and withheld which software was responsible -- from searching traffic on its LimeWire P2P software earlier this year. Chairman Mark Gorton of parent Lime Group strongly denied anyone at Lime Wire intentionally blocked the IP address range for Tiversa, whose advisers include retired general and one-time presidential candidate Wesley Clark. LimeWire remains the most popular P2P software globally, and the company has been steadily adding former record-label executives despite ongoing label litigation.
Several lawmakers said Gorton made virtually the same arguments as in the last committee hearing, where Gorton first suggested that ISPs were in the best position to stop inadvertent file-sharing (WID July 25/07 p1). “It’s very clear that little has changed” in two years, said Ranking Member Darrell Issa, R-Calif. His staff installed LimeWire 5, the latest version of the software, which abandoned the recursive-sharing feature in which all subfolders of a shared folder would be shared as well (WID March 6 p4). They “went sightseeing” for sensitive data, finding tax returns among others, he said: “Identity theft should be at the heart of our concerns.”
“The days of self-regulation should be over,” Towns said, accusing the FTC under the George W. Bush administration of a “see no evil, hear no evil approach” to inadvertent sharing. Towns will meet with FTC Chairman Jon Leibowitz to discuss whether the agency can treat insufficient sharing safeguards as an unfair trade practice that can be punished, he said: “It is time to put a referee on the field.” Tiversa CEO Robert Boback faulted the FTC for not mentioning file-sharing on its identity theft Web site and for the agency’s longtime claim that “Dumpster diving” is a more prevalent avenue for ID theft.
Boback ran a mix of prepared and live demonstrations to show what was coming up through P2P searches. They included a roster of U.S. troops with Social Security numbers and relatives, the Secret Service “safe house route” for First Lady Michelle Obama in an emergency, and a list of all U.S. nuclear facilities as of July 5. “The problem is we found this [list] in France,” Boback said. A Texas hospital ignored Tiversa’s warning a year ago of a P2P breach affecting 24,000 patients and refused to notify them, a direct violation of state law, he said, which is why Tiversa backs the Data Accountability and Trust Act (HR-2221), a breach measure considered at the same hearing as Bono Mack’s bill. Del. Eleanor Holmes Norton, D-D.C., said she was worried about increasing leaks as hospitals upgrade to digitized records.
A mergers-and-acquisitions executive at an “enterprise software giant” saw his e-mail archive files shared -- grounds for SEC investigation, Boback said. Surveillance photos and a government witness list from an ongoing organized crime trial showed up too: “Why would you ever dive into a Dumpster?” Searching paid software LimeWire Pro in real time, Boback pulled up hundreds of tax returns and said their posting enabled others to fraudulently file and receive others’ IRS refunds, a loss of $20 billion a year. Using Tiversa software, he showed real-time queries for child pornography and pulled up an older photo of an unidentified NASCAR driver and his son shirtless. Child pornographers will clip faces out of such photos and put them in real child porn to mislead law enforcement, Boback said.
‘Dangerously Unpredictable’ Behavior in Version 5
Lime Group’s Gorton said “the threat has been eliminated” since the 2007 hearing, because of sharing protections in LimeWire 5. Documents aren’t shared by default -- users have to click nine times and disregard three warnings to share them, he said. Lime Wire has an “excellent record” of cooperation, working with the FBI, the New York attorney general’s office and the Justice Department on stopping inadvertent sharing. A critical report on LimeWire 5’s behavior by Thomas Sydnor of the Progress and Freedom Foundation is “filled with factual errors and misleading statements,” Gorton said. The central problem is LimeWire uses the Gnutella P2P network and searches for files through other P2P applications, mostly overseas, that run on Gnutella, he said.
LimeWire 5 is characterized by “dangerously unpredictable” behavior, Sydnor said. He installed the software on a test computer over the weekend, and by clicking “next” a few times immediately shared nearly 17,000 decoy documents meant to mirror Sydnor’s home computer. “If any normal computer user installs this program … they have no way to know what it will do to them by default,” he said. Sydnor said version 5 was violating eight rules from the Distributed Computing Industry Association’s inadvertent-sharing report (WID Feb 24 p3) that Lime Wire helped create.
Gorton protested that Sydnor had to install LimeWire, turn off every security setting, “proactively” share files, uninstall the software, and then reinstall the software again to get his result. It’s common computer industry practice to leave behind some software settings in case users install the same software again, Gorton said. “It’s a very cleverly worded report” but Sydnor’s findings are based on “methodological tricks.” Sydnor said he had recreated a reported situation of a New York family whose tax returns were inadvertently shared and suffered ID theft. An “ordinary family computer” won’t fit the “ideal” scenario Gorton suggests, Sydnor said.
“We've done our best to communicate with” users of older LimeWire software to make them upgrade, but the company can’t “persuade” everyone, Gorton said. Issa said LimeWire.com was still offering a late build of version 4 as of Wednesday morning, to which Gorton professed ignorance. Issa suggested that LimeWire block older versions from accessing the Gnutella network, requiring users to upgrade to version 5, which Gorton said might be possible. “We're not perfect” and can’t identify every “weird” scenario like Sydnor does, but with the help of outside suggestions, “we'll get as close to perfect as we can,” Gorton said. Forced upgrades may be the only way, because version 5 is unpopular relative to earlier versions, Boback said.
Blocking Tiversa, Child Porn and ‘Nuclear Option’
Boback’s claim that Tiversa hadn’t been able to search LimeWire traffic since version 5 debuted -- harming its efforts with law enforcement -- set off a round of hostile questions. Tiversa’s IP address range was “hard-coded in a block so we would be unable to see every user of 5.0 and up,” and Lime Wire CEO George Searle hasn’t responded to questions, Boback said. “I don’t have any specific knowledge of that,” Gorton told Rep. Elijah Cummings, D-Md., but said LimeWire’s automated spam-mitigation measures may have incorrectly identified Tiversa as a malicious source. We couldn’t immediately reach Searle to confirm Boback’s claim.
“We are absolutely passive on the network,” Boback responded, claiming Lime Wire quickly ended talks with Tiversa after the 2007 hearing. Tiversa wanted business but Lime Wire didn’t want to simply “flag” problems, Gorton told Rep. John Tierney, D-Mass. Tiversa has been running the same searches on P2P networks for years, Sydnor said, questioning the timing of the block and proposing a law-enforcement investigation. Gorton insisted no one manually blocked Tiversa but told Issa he would answer forthcoming committee questions on who was responsible for managing IP ranges.
Rep. Paul Hodes, D-N.H., angrily demanded to know why LimeWire didn’t block access to sensitive files, and especially child porn, that come up in searches. That’s like asking a Web browser to identify and block such files, Gorton said, but noted Lime Wire was building a filter to block child porn in cooperation with the New York attorney general’s office. Lime Wire should have started two years ago, Hodes said, building to a shout: “Why didn’t you build the filter? Answer my question!” Lime Wire has worked with “outside third parties” to learn how to identify child porn, Gorton said, probably referring to the National Center for Missing and Exploited Children, which maintains a hash list of identified child porn that can be used to block further distribution. But Gorton couldn’t say when Lime Wire started on child-porn blocking efforts.
Rep. Bill Foster, D-Ill., asked whether Congress should consider a “nuclear option” of requiring software makers to avoid the Gnutella protocol altogether, so they can’t interface with less-secure P2P software abroad. Tiversa’s clients already block file-sharing applications and protocols, but employees who want to illegally download content can work around those blocks, Boback said. The military “discourages” P2P usage by troops but they are too “dispersed” to ban usage altogether, he said.
Lime Wire’s efforts have been a “total, complete and utter failure” for the past two years, said Rep. Peter Welch, D-Vt. “It’s a bit of a joke, and the joke may be on us if we're not a little firmer about it.” He said Lime Wire’s business depended on copyright infringement and it should be investigated by federal authorities. Issa seemed torn on Lime Wire’s motivations. He suggested the company could sell more premium versions of its software with better controls for sensitive data, but later said “if you do a good job for me … your product sells worse” by limiting the amount of content available to download. “You benefit from a lot of good, meaty, juicy shared material.”
Gorton said Lime Wire was trying to build a “collaborative relationship” with record labels, with a 3.5-million song MP3 store and an advertising system in development that shares revenue from organic LimeWire searches. “Most senior people” at the labels support Lime Wire’s efforts but it’s been a “slow and grueling process.” Gorton said the Internet could be tamed but the “procedural overhead” of investigating needs to be reduced. He proposed “nearly automated” enforcement mechanisms, targeted at the “root point of control,” the ISPs: LimeWire is simply the “superficial interface to all these problems.”