House Passes Ban On File Sharing Use By Government Employees
from the sharing-is-bad,-you-see dept
For a few years now, one of the tactics of the entertainment industry to get another foot in the legislative door towards outlawing file sharing programs, is to push ridiculous stories about how secret gov’t documents were showing up on file sharing networks. Of course, there’s a reason why that’s happening: clueless gov’t staffers not being careful. But, in typical Congressional fashion, the response is to overreact, very much at the urging (and legislative guidance) of the entertainment industry. After trying for a few years, it looks like the industry has been marginally successful this time. Slashdot points out that the House has passed legislation that would bar government employees from using file sharing, but notes that the language of the bill is so broad that it likely forbids all sorts of useful applications.
Of course, this was only passed in the House, and it looks like the Senate is going in a different direction — instead preferring an equally pointless bill that would require any file sharing software (again, so broadly worded that it would include browsers, FTP software, backup software, etc.) to pop up an alert that you would have to click every time you opened the software.
Hey Congress, here’s a better idea: instead of passing dumb laws with serious unintended consequences, why not have a bit of basic computer security training for your staffers so they don’t do idiotic things like putting top secret plans in a shared folder?
Filed Under: congress, file sharing
Comments on “House Passes Ban On File Sharing Use By Government Employees”
Without reading the whole thing, only your story, I can’t see why a government employee on a government computer would actually need that sort of software.
Sort of like people losing their jobs for surfing porn – it’s not their computer, the rules are there, so they only have themselves to blame.
Re: Re:
The article doesn’t give a lot of information, so we’d have to read the actual bill to be sure. That being said, given that I deal with end-users on a regular basis, a PARTIAL ban may be the only viable solution.
While some users do actually pay attention in training, a lot do what they can to breeze through so they can get back to their desks. I believe a reliance on training for all users to allow all users to have access to P2P software is just as problematic as banning the software for all users.
I think a ban is acceptable with one caveat – exceptions can be requested and easily granted. Where I work, our machines are regularly scanned for unapproved software. If it’s detected, you get an email saying “XX app was detected. If there is a valid reason for using this software, please submit an exemption request via {link}”. Requests go to your manager and if approved, on to IT.
Most people won’t bother. The ones that need it, will. It works for us (30,000+ employees worldwide), they should be able to make it work for the government.
Re: Re:
“I can’t see why a government employee on a government computer would actually need that sort of software.”
I think that depends on the particular government employee. Say you’re in the IT department (as I am, though I’m non-government) and you need a copy of the newest Linux distro to install a new server toot-sweet because you’re on a deadline. Bittorrent is the perfect way to get those .iso files. Unfortunately, because you’re a government employee, you can no longer use Bittorrent. So, now you’re going to have to download the .iso files via another source, at a much slower rate and miss your deadline.
Now, in this scenario, should you be running the Bittorrent software on one of your other, active, servers? Hell no! But you could run it on a clean laptop that’s located outside the hardware firewall (but with a software firewall in place on the laptop), burn the .iso files to disc, and then reimage the laptop to make sure nothing has been compromised during it’s time outside the firewall.
I’ve done something similar quite often in my company, and it works very well. As long as some common-sense safety rules are followed, there’s no harm.
The harm is in these “zero-tolerance” situations. They’re so worried about P2P that they don’t realize that the real threats are often from downloading things from standard web pages. Sure, block P2P traffic from the receptionist and Finance and departments that really have no need to access it, but don’t ban it from the people that can actually use it and know the precautions to take.
The issue is about security. If you (or Congress) think that P2P is the root of the security problems, they you and they are fools.
Re: Re:
What if a governement employee needs to share a large file with another government employee? Say a large PPT presentation which is too big to email? They can’t use a thumb drive – as the usb ports should not be enabled for this on govt computers. They have to use file sharing – sharepoint server or ftp server. This bill will effect all of those – not just things like kazaa or others used publicly.
Perhaps you know something not generally know to your readers, but I could not find anything suggesting that content industries were associated with the legislation.
Re: Re:
Yes, because it’s the public who are clamoring to stamp out file sharing. The content industries have never had a problem with file sharing.
Govenrments shouldn’t share files because some files might be top secret. They should also stop sharing documents too. And information.
The public gets what the public wants, after all.
Re: Re: Re:
The public is unimportant, the only thing we’re good for is paying taxes.
Re: Re: Re:
“…it’s the public who are clamoring to stamp out file sharing. The content industries have never had a problem with file sharing.”
This is a nice reminder that the content industries monitor news sites and respond anonymously with ridiculous lies to any story that makes them look bad.
Re: Re:
Perhaps you know something not generally know to your readers, but I could not find anything suggesting that content industries were associated with the legislation.
The various entertainment industry lobbyists have been pushing bills like this for five years now… In this case, the lobbyists for Arts+Labs pushed the story of P2P leaking helicopter secrets to the press relentlessly, and entertainment industry folks spoke out in favor of this bill.
Re: Re: Re:
Psshhh. Everybody knows that lobbyists have very little power over the government!
Re: Self Incrimination
It common sense that the content industry would “hide” its involvement. For purposes of public consumption the legislation has to be “hidden” behind some lofty motherhood goal such as “national security”.
Re: Re: Self Incrimination
ACTA says what?
Re: Re: Re: Self Incrimination
????????? “The purpose of ACTA is to establish international standards to combat counterfeiting and piracy. All the negotiation sessions are conducted in secrecy and the details are not revealed by any of the participating nations at all. Initially, public didn’t even know who the participating nations are exactly! I wonder why negotiations which involve intellectual property laws should be kept secret!” TechDirt has published numerous similar articles concerning the lack of transparency.
Government Training
As a government employee that uses government furnished computers and networks, I am required to complete annual training on computer security. Prior to 2009, the training was pretty pointless “click-thru” type where you just kept hitting next until you wee done. In 2009 and 2010, a much more annoying “interactive” training was developed, in which you have to interact with and and answer questions about different scenarios. The “file-sharing or P2P” portion pretty much pushes the same agenda, word for word, that the entertainment lobby puts out: that you can “leak” classified information, you can get viruses, you can lose sensitive information.
Re: Government Training
“that you can “leak” classified information, you can get viruses, you can lose sensitive information.”
Well, you can. Once again, I say that using a government computer (or not your own) you shouldn’t be using p2p software.
Re: Re: Government Training
Yes, but you can do all of those things using e-mail, thumb drives, cd-roms, Blackberrys, cell phones, landlines, or hard copy documents (well, except for viruses on some of them) also. And there is no outcry to ban the use of MS Outlook on gov’t computers or to not use phones anymore either.
Re: Re: Re: Government Training
Yes, and most government places have rules against using usb sticks etc. When I worked for the “gov’t” (gee I hate that Mike) there were rules about taking those sort of things to work and using them on your work computer.
Sometimes you need actual rules/laws to stop stupid people (speaking as a sysadmin here – users are *brainless*).
Re: Re: Re:2 Government Training
The smart phones must drive security folks batshit. Now the average Joe has the ability to snap a photo & email it elsewhere. Cold war spies must be jealous.
Re: Re: Re:2 Government Training
You, and other admins like you are the reason I HATE IT departments. You think that just because users don’t work in your batcave, we are all stupid. At my company, there are MUCH smarter people working outside the hallowed IT room who know a SHITLOAD more about their systems. You admins know our network, you know how to keep it safe (which is VERY important, don’t think I don’t know that), but you sure as hell don’t know EVERYTHING, and you are not the only one’s who know how to keep shit safe.
Re: Re: Re:3 Government Training
My comment was related to users in a general sense. Of course there are very smart users, I don’t deny that. But here’s the thing. It only takes one stupid user to open the entire network to the outside. And even smart people make mistakes. This is why the black hats almost always win. When you’re managing a network with a population of users in the 10s of thousands, you can be sure at least one of them is stupid. Basically one bad apple spoils the barrel. Admins/security people don’t necessarily like this types of ‘all or nothing’ decisions, but they do have different priorities than general users.
Your comment and general attitude is typical of many users who think they know more than the admins. it’s probably why your admins/security people don’t like you.
Re: Re: Re: Government Training
Yes, all of those things can cause those results, that’s why most of them have been banned from sensitive/classified systems and areas. I have little to no confidence that “security training” will keep these incidents from happening. Users, as a general rule, just don’t care. There is already security training, it’s all click through, and people do just that, click through. They don’t understand the broader implications, becuase mostly, they don’t really understand or care about computers or how they work. All they want to do is complete their training checklist so the boss doesn’t yell at them for not having their checkbox ticked off.
Re: Government Training
The problem is that you can “leak” classified documents,” get viri(?) and lose information. Have you ever searched for documents on p2p? I have seen bank statements(with account number) and other things best kept off the interwebs. What makes you think your fellow gov’t employees are any smarter than the rest of the country?
I, for one, think this is a good idea only because i know people are generally idiots, and they will share top secret information on p2p networks.
I was reading about this story for a while now and something never quite added up:
They claimed that government documents were on P2P networks, but I could never find a claim that that’s how they originally leaked. They could have come out a million different ways, and simply ended up posted on a tracker by an amateur snoop.
This makes their bill seem even more pointless.
Government Training
A lot of users rather than making a FTP server, or other posting arrangement use the file sharing system to pass large blocks of data to many users at once, like if your entire office needs a piece of information that is several megs/gigs in size such as a updated proposal package with timelines and software updates.
This is the legal use for filesharing, not the omgwtfpirateeeeeessss!!!! use that congress has been shown in a picture paper clipped to a big check.
Perhaps a whiteliest instead of blacklist = *
perhaps they shouldn’t just ban ALL file sharing applications, but instead appoint a ‘committee’ or person (who already exists, no reason to hire one JUST for this) the task of reviewing which software is acceptable, and which is not, and then telling employees that if they use other software they will be fired(and/or fines and/or jail time)… I know having non-IT,etc people making decisions isn’t ideal by any means, but it would at least be a middle of the road approach.
Seperation between personal and work
Surely it would be much simpler to stop all personal activities on work computers. Besides why aren’t government computers locked down? That staffers have sufficient privileges to install software at will is a huge security breach.
Re: Seperation between personal and work
Some versions of Windows were virtually useless when fully locked down.
Re: Re: Seperation between personal and work
“All versions of Windows were virtually useless.”
TFTFY
Fundamentally Flawed
It seems that the proposed legislation is the “WRONG” solution.
According to the article: “We can no longer ignore the threat to sensitive government information, businesses, and consumers that insecure peer-to-peer networks pose,” Towns said in the statement. “Securing federal computer files is critical to our national security.”
If the real concern is security, then the obvious solution would be to have your IT department develop a secure computer. Passing a law that criminalizes certain behavior fundamentally does not actually improve security.
I guess this is a case of putting lipstick on a pig and hoping that nobody will notice.
Actually, if the Top Secret data is residing on a computer that has internet access period, that person is committing a serious violation. It should go without saying that the computer being used to store classified material shouldn’t have any P2P software on it let alone even have access to the internet.
Re: Tony
“Actually, if the Top Secret data is residing on a computer that has internet access period, that person is committing a serious violation. It should go without saying that the computer being used to store classified material shouldn’t have any P2P software on it let alone even have access to the internet.”
I think we can safely substitute “politically embarrassing” for “Top Secret” in terms of the data in the minds of the members of Congress who voted for this bill.
Great
This will spawn a new industry for application development to automatically click the stupid button on the dialog when it appears.
Re: Great
Patent infringement lawsuits will explode.
No Big Deal At all
As a government worker I know the user policy and abide by it. No file sharing with third party software. Further, the PC are lock down and nobody except SysAds can install anything. Turns out, this is no big deal. There are several collaborative environments where large work files can be uploaded and shared via the web to all concerned, to include other agencies, contractors and team members. The difference is these are official and you are accountable for what is uploaded. Key work accountable.
There is nothing that P2P can offer that I can’t accomplish by the provided web sites available to me. Except, to share the latest “new movie” not available on DVD yet!
For those who feel that a work provided computer and access should be used however you feel, there are plenty (Not as many lately) of other jobs out there with much more lax rules.
Quite easy to find what the house is up to.
H.R.4098 Secure Federal File Sharing Act via
http://theweekincongress.com/member/MAR10_FULL/HR4098SECUREhMAR26.htm
About users. Yes, some are clueless and should not have a computer but on
average most users get blindsided at least once. Security lives and dies by
keeping that locked down.
P2P software: My experience in a federal position taught me that P2P should
only be used by or under control of IT and or Software Engineering
personnel. There is little need at the user level for configuring client
software. If the correctly configured client cannot be modified then the P2P
network is secure. May be more secure than older methods like “secure FTP”.
It is not the technology that is bad it is the misuse of or the lack of skill by
the installer that is bad. Both are governed by existing law and regulations.
Done.