Network Security, Vulnerability Management

FTC closes probe into LimeWire inadvertent file sharing

The Federal Trade Commission (FTC) will not take any action against LimeWire following an investigation the agency opened into the popular file-sharing program's security controls.

The FTC was probing reports that some older versions of LimeWire allowed users to accidentally share sensitive information stored on their computers, according to an Aug. 19 letter addressed to LimeWire CEO George Searle.

The letter, written by FTC Associate Director Mary Koelbel Engle, said the agency was satisfied with LimeWire's adoption of safeguards to prevent the inadvertent sharing of personal data and the understanding that the company is unable to force users to upgrade to new versions. In addition, the agency accepted that some older versions were "able to avoid" disclosing confidential data and that many users upgraded anyway.

"We remain concerned, however, about consumers who are still using insecure legacy versions and are therefore subject to a risk of inadvertent sharing of sensitive, personal information," Engle wrote. "We expect LimeWire to continue to advise consumers to upgrade legacy versions of its software because of the potential safety benefits of doing so, and to participate in industry efforts to inform consumers about how best to avoid the inadvertent sharing of sensitive documents. Based on that expectation, it appears that no further action by the FTC staff is warranted at this time, and the investigation is closed."

Minaxi Gupta, an associate professor of computer science at Indiana University who has studied the risks of peer-to-peer (P2P) networks, said she doesn't know the specific reason for the FTC's investigation, but assumes it was the result of vulnerable software.

"Peer-to-peer networks generally only serve things available in the shared directory," she said. "However, it's quite conceivable that some of these older versions had vulnerabilities. [Cybercriminals] certainly can use those vulnerabilities to get out of the shared directory and look around on [someone's] machine."

Gupta likened such an exploit to an attacker changing DNS records on a victim's PC and forcing them to visit a website of their choosing.

But she said she understands that LimeWire was limited in what it could do to resolve the issue after the fact.

"People don't apply patches and it's difficult to get everyone to comply," Gupta said.

LimeWire applauded the FTC's decision to drop the investigation.

“The factors noted by the FTC in voluntarily closing the investigation speak for themselves," said a statement, reported in numerous media outlets. "We have incorporated many safeguards and have taken active steps to educate users of current and older software versions to avoid disclosure of sensitive information. We will remain dedicated to ensuring the security and serving the needs of our global user base."

P2P leaks have been making the news in recent months. In February, the FTC notified 100 organizations whose sensitive information, including personal data about customers and employees, resided on P2P networks. And in March, the U.S. House of Representatives passed legislation that would restrict the use P2P software on federal computers.

Still, while inadvertent file sharing certainly is a risk for users, Gupta said the sharing of copyrighted material in these P2P channels still remains the predominant concern.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.