Friday, July 27, 2007


Recently, at a hearing on P2P networks, Henry Waxman stated that he was considering laws aimed at the problem of inadvertent leaking of classified information (described here and here). Apparently, sensitive documents have been making their way onto P2P networks such as those accessed via Limewire or Kazaa. While this is obviously a problem, the solution proposed by Waxman - regulating the networks - is insane. I could access that sensitive data through my computer, and, in getting to my computer, that sensitive data would travel through a DSL line. However, Mr. Waxman isn't proposing that computer makers or telcos take responsibility for making sure that people can't access sensitive documents. The reason is obvious: telcos and computer makers can't be responsible for the actions of end users, because there is no effective way for them to control end users without effectively shutting down. P2P networks are no different. Looking at his comments charitably, it seems that Mr. Waxman simply doesn't understand the consequences of putting responsibility for the acts of consumers on the providers of P2P software.

Of course, it is also possible to look at Mr. Waxman's comments in a less charitable light. Currently, the federal government is scrambling to meet a White House directive on securing personal data (details can be found here), and it seems that there is an almost continuous stream of incidents of lost data involving government employees (e.g., the theft of a laptop containing records for 26.5 million veterans, described here). Attacking an easy target, such as P2P networks, could therefore serve an instrumental purpose for Waxman of making it appear that he is doing something about information security. Further, by attacking P2P networks as a threat to national security, Waxman is undoubtedly pleasing the powerful recording industry, which has been seeking to destroy P2P technology ever since Napster. In this regard, it is telling that Waxman said that he would seek to achieve a balance between "sensitive government, personal and corporate information and copyright laws" (emphasis added). Given that protecting copyrights, while a valid concern, is an entirely different type of objective than protecting the physical well-being of Americans by improving national security, the inclusion of copyright law on that list seems strange. However, if the primary motivation to regulate P2P networks is to benefit copyright holders, then the list provided by Mr. Waxman makes perfect sense, with the national security concerns acting as window dressing for the desire to shut down P2P networks on behalf of copyright holders.

In any case, I think it is extremely unlikely that regulating P2P networks is a viable solution to the federal government's information security problems. Even if P2P networks were banned entirely, that would do nothing to stop people from stealing data, or from losing the media on which data are stored. However, when faced with a decision as to whether to spend time exercising oversight on HR or training policies which might increase information security, or to blast the enemies of the RIAA, it is clear where Congress' priorities lie. Disappointing, but not at all a surprise.

