[House Report 111-431]
[From the U.S. Government Publishing Office]

111th Congress, 2d Session
HOUSE OF REPRESENTATIVES
Report 111-431

SECURE FEDERAL FILE SHARING ACT

March 11, 2010.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

Mr. Towns, from the Committee on Oversight and Government Reform, submitted the following

R E P O R T

[To accompany H.R. 4098]

[Including cost estimate of the Congressional Budget Office]

The Committee on Oversight and Government Reform, to whom was referred the bill (H.R. 4098) to require the Director of the Office of Management and Budget to issue guidance on the use of peer-to-peer file sharing software to prohibit the personal use of such software by Government employees, and for other purposes, having considered the same, report favorably thereon without amendment and recommend that the bill do pass.

CONTENTS

Purpose and Summary
Background and Need for Legislation
Legislative History
Section-by-Section
Explanation of Amendments
Committee Consideration
Roll Call Votes
Application of Law to the Legislative Branch
Statement of General Performance Goals and Objectives
Constitutional Authority Statement
Federal Advisory Committee Act
Unfunded Mandate Statement
Earmark Identification
Committee Estimate
Budget Authority and Congressional Budget Office Cost Estimate
Changes in Existing Law Made by the Bill, as Reported

PURPOSE AND SUMMARY

H.R. 4098, the Secure Federal File Sharing Act, was introduced by Chairman Towns on November 17, 2009. The purpose of the bill is to reduce improper disclosures of federal information by prohibiting the use of open network peer-to-peer file sharing software on all federal computers, computer systems, and networks, including those of contractors working on the government's behalf. H.R. 4098 directs the Office of Management and Budget (OMB) to issue new guidance to implement that purpose. The bill also directs OMB to set up a procedure by which agencies may seek approval to use specific file sharing software for legitimate government purposes. OMB must report annually to Congress on those peer-to-peer software programs that have been approved, the agencies that are using them, and for what purposes.

BACKGROUND AND NEED FOR LEGISLATION

Peer-to-peer file sharing software allows users to instantly connect with each other to search and copy electronic files. The popularity of such software has grown exponentially since being made widely available in the late 1990s and early 2000s by programs like Napster, Kazaa and LimeWire. Currently, it is estimated that there are up to 20 million peer-to-peer file sharing users online at any point in time, most commonly sharing music and movies. Despite the ongoing growth in users, not many people are aware of the privacy and security risks associated with open network peer-to-peer file sharing software.

Since 2001, the Committee has looked into the dangers of peer-to-peer file sharing with particular emphasis on the prevalence of child pornography, the privacy and security risks, and the problem of inadvertently sharing electronic files. It is clear that efforts by the peer-to-peer file sharing industry to self-regulate since then have failed.
At the Committee's hearing on inadvertent file sharing on July 29, 2009, it was revealed that the location of a Secret Service safe house for the First Family, financial information belonging to Supreme Court Justice Stephen Breyer, and thousands of medical records and tax filings were all available online on open peer-to-peer networks.

H.R. 4098, the Secure Federal File Sharing Act, is intended to reduce the risk that those kinds of documents are exposed on file sharing networks by prohibiting the use of open network peer-to-peer file sharing software on all federal computers, computer systems, and networks, including those of contractors working on the government's behalf.

LEGISLATIVE HISTORY

During the 107th Congress, the Committee first sounded the alarm on some of the dangers of peer-to-peer file sharing software in a Minority Staff, Special Investigations Division report entitled Children's Access to Pornography Through Internet File-Sharing Programs (July 27, 2001).

During the 108th Congress, the Committee followed up with a hearing on the issue entitled Stumbling onto Smut: The Alarming Ease of Access to Pornography on Peer-to-Peer Networks (March 13, 2003), at which it released another staff report entitled Children's Exposure to Pornography on Peer-to-Peer Networks (March 13, 2003). During the same year, the Committee held another hearing on this issue focused on privacy and security threats entitled Overexposed: The Threats to Privacy and Security on File Sharing Networks (May 15, 2003). At that hearing, the Committee staff released the report File-Sharing Programs and Peer-To-Peer Networks: Privacy and Security Risks (May 15, 2003). Shortly thereafter, the Senate Committee on the Judiciary held the hearing The Dark Side of a Bright Idea: Could Personal and National Security Risks Compromise the Potential of Peer-to-Peer File Sharing Networks? (June 17, 2003).
At that hearing, Senator Feinstein emphasized the heightened risks of peer-to-peer file sharing use by government employees. She said:

    Of most concern is the use of peer-to-peer file sharing by government employees . . . A Federal employee intending to simply download and share music files . . . could easily make available every file on his or her computer, without intending to do so or even realizing it after the fact. This could include personal correspondence, private financial information, and even proprietary and sensitive government documents.\1\

---------------------------------------------------------------------------
\1\ Opening Remarks by Senator Feinstein at the Senate Committee on the Judiciary hearing entitled The Dark Side of a Bright Idea: Could Personal and National Security Risks Compromise the Potential of Peer-to-Peer File Sharing Networks? (June 17, 2003).
---------------------------------------------------------------------------

Chairman Davis and Ranking Member Waxman attempted to address that concern when they introduced H.R. 3159, the Government Network Security Act of 2003, on September 24, 2003. The bill required federal agencies to address the risks posed by peer-to-peer file sharing programs when developing their network security policy and procedures and was reported favorably with an amendment by the Committee on September 25, 2003, by a voice vote. The bill was agreed to in the House, as amended, under suspension of the rules on October 8, 2003, by a voice vote. It was later reported favorably by the Senate Committee on Governmental Affairs on November 10, 2003, without amendment and placed on the Senate Legislative Calendar, but the 108th Congress ended before the Senate took up the bill.

During the 109th Congress, the Committee held the hearing Inadvertent Filesharing over Peer-to-Peer Networks (July 24, 2007). In addition, the Subcommittees on Government Management, Organization, and Procurement and Information Policy, Census, and National Archives held a joint legislative hearing on H.R. 4791, the Federal Agency Data Protection Act (February 14, 2008). The legislation was introduced by Representatives Clay, Towns, and Waxman on December 18, 2007, and included language requiring federal agencies to develop plans to reduce the risks to federal networks posed by peer-to-peer file sharing software. H.R. 4791 was ordered reported, as amended, by the Committee on Oversight and Government Reform by a voice vote on April 16, 2008. The bill was agreed to in the House of Representatives, as amended, under suspension of the rules by a voice vote on June 3, 2008. On June 4, 2008, H.R. 4791 was referred to the Senate Committee on Homeland Security and Governmental Affairs.

During the 111th Congress, the Committee held the hearing Inadvertent File Sharing Over Peer-to-Peer Networks: How it Endangers Citizens and Jeopardizes National Security (July 29, 2009). The witnesses were Mark Gorton, Chairman, The Lime Group; Robert Boback, Chief Executive Officer, Tiversa, Inc.; and Tom Sydnor, Senior Fellow and Director, Center for the Study of Digital Property at the Progress and Freedom Foundation.

H.R. 4098, the Secure Federal File Sharing Act, was introduced by Chairman Towns on November 17, 2009. The Committee held a business meeting on March 4, 2010, and ordered H.R. 4098 to be reported favorably by voice vote.

SECTION-BY-SECTION

Section 1. Short title

This section provides that the short title of the bill is the ``Secure Federal File Sharing Act.''

Section 2. Requirements

Subsection (a) requires the Director of the Office of Management and Budget, in consultation with the Federal Chief Information Officers Council, to issue guidance within 90 days on the use of peer-to-peer file sharing software to (1) prohibit the download, installation, or use by Government employees and contractors of open network peer-to-peer file sharing software on all Federal computers, computer systems, and networks, including those of contractors working on the government's behalf, and (2) address the use of such software by Government employees and contractors as it relates to telework and remotely accessing Federal computers, computer systems, and networks.

Subsection (b) requires the Director of the Office of Management and Budget to develop a procedure within 90 days by which the Director, in consultation with the Chief Information Officer, may receive requests from agency heads or chief information officers for approval for use by Government employees and contractors of specific open-network peer-to-peer file sharing software programs that are (1) necessary for the day-to-day business operations of the agency; (2) instrumental in completing a particular task or project that directly supports the agency's overall mission; (3) necessary for use between, among, or within Federal, State, or local government agencies in order to perform official agency business; or (4) necessary for use during the course of a law enforcement investigation.

Subsection (c) outlines agency responsibilities.
More specifically, it requires the Director of the Office of Management and Budget, within 180 days, to direct agencies to (1) establish or update their personal use policies to be consistent with the guidance issued pursuant to subsection (a); (2) require any contract awarded by the agency to include a requirement that the contractor comply with the guidance issued pursuant to subsection (a) in the performance of the contract; (3) update their information technology security or ethics training policies to ensure that all employees, including those of contractors working on the Government's behalf, are aware of the requirements of the guidance required by subsection (a) and the consequences of engaging in prohibited conduct; and (4) ensure that proper security controls are in place to prevent, detect, and remove file sharing software that is prohibited by the guidance issued pursuant to subsection (a) from all Federal computers, computer systems, and networks, including those operated by contractors on the Government's behalf.

Section 3. Annual report

This section describes the reporting requirement of the Director of the Office of Management and Budget to submit to the Committee on Oversight and Government Reform in the House of Representatives and the Committee on Homeland Security and Governmental Affairs in the Senate, within one year and annually thereafter, a report on the implementation of this Act including (1) a justification for each open-network peer-to-peer file sharing software program that is approved pursuant to subsection (b) and (2) an inventory of the agencies where such programs are being used.

Section 4. Definitions

This section defines ``agency'' as having the meaning given the term ``Executive agency'' by section 105 of title 5, United States Code.
The term ``open-network,'' with respect to software, is defined as a network in which (A) access is granted freely, without limitation or restriction, or (B) there are little or no security measures in place.

As defined by this section, the term ``peer-to-peer file sharing software'' (A) means a program, application, or software that is commercially marketed or distributed to the public and that enables:

    (i) a file or files on the computer on which such program is installed to be designated as available for searching and copying to one or more other computers;

    (ii) the searching of files on the computer on which such program is installed and the copying of any such file to another computer (I) at the initiative of such other computer and without requiring any action by an owner or authorized user of the computer on which such program is installed, and (II) without requiring an owner or authorized user of the computer on which such program is installed to have selected or designated another computer as the recipient of any such file; and

    (iii) an owner or authorized user of the computer on which such program is installed to search files on one or more other computers using the same or a compatible program, application, or software, and copy such files to such owner or user's computer.

In addition, the term ``peer-to-peer file sharing software'' (B) does not include a program, application, or software designed primarily to:

    (i) operate as a server that is accessible over the Internet using the Internet Domain Name system;

    (ii) transmit or receive email messages, instant messages, real-time audio or video communications, or real-time voice communications; or

    (iii) provide network or computer security (including the detection or prevention of fraudulent activities), network management, maintenance, diagnostics, or technical support or repair.
This section defines ``contractor'' as having the meaning given the terms ``prime contractor'' or ``subcontractor'' in the Federal Acquisition Regulation.

EXPLANATION OF AMENDMENTS

No amendments were offered to this legislation.

COMMITTEE CONSIDERATION

On Thursday, March 4, 2010, the Committee met in open session and ordered H.R. 4098 to be reported favorably to the House by a voice vote.

ROLL CALL VOTES

No roll call votes were held.

APPLICATION OF LAW TO THE LEGISLATIVE BRANCH

Section 102(b)(3) of Public Law 104-1 requires a description of the application of this bill to the legislative branch where the bill relates to terms and conditions of employment or access to public services and accommodations. H.R. 4098 relates to the use of open network peer-to-peer file sharing software at federal agencies and among federal contractors doing business with the government. Therefore, it does not apply to the legislative branch.

STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

In accordance with clause 3(c)(4) of rule XIII of the Rules of the House of Representatives, the Committee's performance goals and objectives are reflected in the descriptive portions of this report, including protecting federal computer systems, networks, and government information from improper exposure.

CONSTITUTIONAL AUTHORITY STATEMENT

Under clause 3(d)(1) of rule XIII of the Rules of the House of Representatives, the Committee must include a statement citing the specific powers granted to Congress to enact the law proposed by H.R. 4098. Article I, Section 8, Clause 18 of the Constitution of the United States grants the Congress the power to enact this law.

FEDERAL ADVISORY COMMITTEE ACT

The Committee finds that the legislation does not establish or authorize the establishment of an advisory committee within the meaning of 5 U.S.C. App., Section 5(b).
UNFUNDED MANDATE STATEMENT

Section 423 of the Congressional Budget and Impoundment Control Act (as amended by Section 101(a)(2) of the Unfunded Mandates Reform Act, P.L. 104-4) requires a statement on whether the provisions of the report include unfunded mandates. In compliance with this requirement, the Committee has received a letter from the Congressional Budget Office, included herein.

EARMARK IDENTIFICATION

H.R. 4098 does not include any congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(e), 9(f), or 9(g) of rule XXI.

COMMITTEE ESTIMATE

Clause 3(d)(2) of rule XIII of the Rules of the House of Representatives requires an estimate and a comparison by the Committee of the costs that would be incurred in carrying out H.R. 4098. However, clause 3(d)(3)(B) of that rule provides that this requirement does not apply when the Committee has included in its report a timely submitted cost estimate of the bill prepared by the Director of the Congressional Budget Office under section 402 of the Congressional Budget Act.

BUDGET AUTHORITY AND CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

With respect to the requirements of clause 3(c)(2) of rule XIII of the Rules of the House of Representatives and section 308(a) of the Congressional Budget Act of 1974, and with respect to the requirements of clause 3(c)(3) of rule XIII of the Rules of the House of Representatives and section 402 of the Congressional Budget Act of 1974, the Committee has received the following cost estimate for H.R. 4098 from the Director of the Congressional Budget Office:

March 10, 2010.

Hon. Edolphus Towns,
Chairman, Committee on Oversight and Government Reform,
House of Representatives, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 4098, the Secure Federal File Sharing Act.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Matthew Pickford.
Sincerely,
Douglas W. Elmendorf.

Enclosure.

H.R. 4098--Secure Federal File Sharing Act

H.R. 4098 would require federal agencies to develop and implement a plan within six months to ensure that computer systems, including those used by contractors, are secure from the use of certain file-sharing software. Affected software, known as peer-to-peer (P2P) file-sharing programs, are applications that allow users to download and directly share electronic files from other users. The legislation would not prohibit the use of all file-sharing programs but would require the Office of Management and Budget (OMB) to develop a procedure for agencies to receive approval to use file-sharing programs. Finally, H.R. 4098 would require agencies to create plans to address security concerns for government computer networks.

Most provisions of H.R. 4098 would codify and expand current practices of the federal government. Under the E-Government Act of 2002, federal agencies are already charged with protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction. In addition, OMB has already provided guidance on the use of file-sharing technology. Under H.R. 4098, OMB would be required to provide additional guidance and procedures for approving certain file-sharing programs, and agencies would have additional reporting and training requirements. Based on information from OMB and industry sources, and subject to the availability of appropriated funds, CBO estimates that implementing H.R. 4098 would cost about $10 million over the 2011-2014 period.

Enacting H.R. 4098 could affect direct spending by agencies not funded through annual appropriations, such as the Tennessee Valley Authority and the Bonneville Power Administration; therefore, pay-as-you-go procedures would apply. However, CBO estimates that those budgetary effects would be insignificant for each year.

H.R. 4098 contains no intergovernmental mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would not affect the budgets of state, local, or tribal governments.

H.R. 4098 would impose a private-sector mandate, as defined in UMRA, to the extent that it would require federal government contractors that use file-sharing software to comply with new restrictions on downloading, installing, or using that software on computers used for federal work. Because any new contracts that contain such restrictions would be entered into voluntarily, the requirements of the bill would only constitute a mandate to the extent that they would affect existing contracts. The cost of the mandate would be the expenditures required to modify computer systems or software to comply with new requirements. According to several experts in information technology, most file-sharing programs that are related to work would not fit the bill's definition of P2P software and, therefore, would not be subject to the restrictions in the bill. Consequently, CBO expects that any compliance cost would fall below the annual threshold for private-sector mandates established in UMRA ($141 million in 2010, adjusted annually for inflation).

The CBO staff contacts for this estimate are Matthew Pickford (for federal costs) and Sam Wice (for the private-sector impact). This estimate was approved by Theresa Gullo, Deputy Assistant Director for Budget Analysis.

CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

No changes to existing law are made by H.R. 4098, as reported.