File-sharing imperils US secrets

Sensitive military secrets may be available through the same file-sharing software used by millions to swap illegal music and movie files.

Rick Wallace, a computer user in Germany whose wife serves with the US Army there, said he has used the popular file-swapping program LimeWire to download military duty rosters, discussions of tactics, and other secret files. He said the problem is probably caused by military personnel who use LimeWire to download music files, unaware that they are also exposing secret information stored on their computers. A terrorist or enemy combatant with Net access could obtain valuable information about US military operations merely by downloading it, he said.

Wallace said that since first finding the sensitive material in May, he has repeatedly contacted officials at the Pentagon, the FBI, and the CIA, but secret materials remain available over the LimeWire network.

"It's a hot potato," Wallace said.

A Montana native, Wallace sent captured screen images of secret military files to Montana Republican Senator Conrad Burns.

"Senator Burns has personally viewed these documents and is concerned about it," said his spokesman, J.P. Donovan. Burns followed up with a July 8 letter to acting Army Secretary Les Brownlee, but Donovan said that Brownlee has not yet responded.

A CIA spokeswoman said the agency is aware of the problem, but would not say what is being done to solve it.

Spokesmen for the FBI and Army did not return calls seeking comment.

LimeWire's chief operating officer, Greg Bildson, said he was concerned that using his company's product could put secret information at risk.

"That was troubling to see," Bildson said. "We do go through a fair number of steps to keep people from sharing what they shouldn't be sharing."

A bill in Congress introduced last year would not ban file-sharing software in federal agencies, but would require each agency to establish its own security policies to prevent the leakage of sensitive information. The legislation has passed the House of Representatives and is currently awaiting action in the Senate.

The problem extends beyond the military. Wallace has also used LimeWire to find personal information stored on civilian computers. "I've downloaded stuff from different courts, police departments, you name it," Wallace said.

Some users may not realize that LimeWire and other file-sharing programs don't just allow them to download files from others. The software also offers to share the user's files. When properly configured, the software can be set up to share only certain kinds of files, or only files stored in a particular subdirectory on the drive. But it's easy for an inexperienced user to accidentally share the wrong documents.

One possible weakness in LimeWire is a feature that automatically scans the user's hard drive, looking for files to be shared over the network. Bildson said this feature can make it easy to expose private information by mistake. Bildson said that Wallace's discoveries may lead to changes in the design of the software.

"Given that some users need a little more handholding, we definitely should err on the side of caution," Bildson said.

Meanwhile, Wallace launched a website to draw attention to the problem, by displaying various files that he has found through LimeWire. The site, www.seewhatyoushare.com, does not include secret military information, but it does show other confidential documents. For example, Wallace posted a federal income tax return with the name and Social Security number blacked out. He has also displayed a visa application sent to the British consulate in Tehran, and a letter from the Seattle Police Department, in which a policeman apologizes to a citizen for his rudeness during a traffic stop.

Wallace didn't need expert computer skills to download the secret information. He said he discovered it by accident. The LimeWire program lets users find particular files by typing in all or part of a name. One day, Wallace typed in the letters "doc." All files created with Microsoft Corp.'s word processing program, Microsoft Word, have those letters in the file name.

The search produced a long list of documents available for downloading. To Wallace's surprise, some of the names suggested that they might contain confidential information.

"The first thing I noticed was something called a sworn statement," said Wallace. "I looked at it, and it was about something that happened between Kuwait and Iraq" involving a US military convoy. The document identified the military unit, and included the names and Social Security numbers of US military personnel. Wallace also found a file that contained 22 separate documents, each of them classified as secret military information.

Hiawatha Bray can be reached at bray@globe.com.