Tuesday, 2 March 2010

File-sharing software may expose your private health & other data

It seems that "Healthcare professionals who take patient information home to personal computers containing peer-to-peer file-sharing software are jeopardizing patient confidentiality" because "some vendors use software containing dangerous sharing features", according to the authors of a study "The Inadvertent Disclosure of Personal Health Information through Peer-to-peer File Sharing Programs".

Prof. Khaled El Emam, Canada Research Chair in Electronic Health Information, and his team "used popular file sharing software to access documents they downloaded from a representative sample of IP addresses. They were able to access the personal and identifying health and financial information of individuals in Canada and the United States. The research for the study was approved by the CHEO ethics board… During their research on this project, El Emam said he and his colleagues found evidence of outsiders actively searching for files that contain private health and financial data. 'There is no obvious innocent reason why anyone would be looking for this kind of information,' stated El Emam. 'Very simple search terms were quite effective in returning sensitive documents.'"

From the paper (emphasis added):

"We modified an open source peer-to-peer file sharing client to automatically search multiple peer-to-peer file sharing networks, and download and organize the files. This modified client performed a wild card search for all document files (Word documents, Outlook email files, PDF files, Access database files, and Excel spreadsheets). Whenever a match was found, the file was downloaded to a repository and its originating IP address recorded. The main networks that were targeted for search were FastTrack, Gnutella, and eDonkey. The specific tool we modified is called ShareAza… Files that came from IP addresses outside the USA and Canada were discarded…"

The paper also:

  • describes examples of peer-to-peer file sharing client features that encourage the inadvertent sharing of files (p.149), and
  • makes some recommendations (p.156) for managing risks from inadvertent disclosure from peer-to-peer file sharing clients.
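As an added illustration of the defender's side of this (my own example, not code from the paper or from the post), the script below audits the folders a file-sharing client has been configured to share: it flags any share root that covers the whole user profile, and lists the document types the study's client searched for (Word, Outlook mail files, PDF, Access, Excel). The extension mapping and the sample folder layout are my own constructions; the newer Office extensions (.docx, .xlsx, .accdb) are added by me, not named in the paper.

```python
import tempfile
from pathlib import Path

# Document types named in the study (Word, Outlook email files, PDF, Access,
# Excel). The mapping itself is constructed here; modern Office variants added.
DOCUMENT_EXTENSIONS = {
    ".doc": "Word document", ".docx": "Word document",
    ".pst": "Outlook email file",
    ".pdf": "PDF file",
    ".mdb": "Access database", ".accdb": "Access database",
    ".xls": "Excel spreadsheet", ".xlsx": "Excel spreadsheet",
}


def audit_shared_dirs(shared_dirs, home_dir):
    """Return (severity, path, reason) findings for a client's share roots.

    shared_dirs: folders the file-sharing client exposes to the network.
    home_dir:    the user's profile folder (e.g. C:\\Users\\alice).
    """
    findings = []
    home = Path(home_dir).resolve()
    for raw in shared_dirs:
        root = Path(raw).resolve()
        # Sharing the profile folder (or a parent of it) exposes every
        # document the user owns, which is the "dangerous sharing feature"
        # the study warns about.
        if root == home or root in home.parents:
            findings.append(("high", str(root), "share root covers the whole user profile"))
        # Any document file inside a share is retrievable by a wildcard search.
        for path in root.rglob("*"):
            if path.is_file():
                kind = DOCUMENT_EXTENSIONS.get(path.suffix.lower())
                if kind:
                    findings.append(("medium", str(path), f"{kind} exposed in shared folder"))
    return findings


def demo():
    """Constructed example: a user meant to share Music but also shared the profile."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "Users" / "alice"
        music = home / "Music"
        docs = home / "Documents"
        music.mkdir(parents=True)
        docs.mkdir()
        (music / "track01.mp3").write_bytes(b"")          # harmless, intended share
        (docs / "patient_list.xls").write_bytes(b"")      # constructed sensitive file
        return audit_shared_dirs([music, home], home)
```

Run `demo()` to see one high finding for the profile-wide share and one medium finding for the spreadsheet; the MP3 is not reported.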

The research was obviously only in a medical context, but it seems to me that if installing file-sharing software on your computer exposes your files, unbeknownst to you, to bad-hat hackers searching for health information and (as the researchers mentioned) financial information, it also exposes you to all sorts of other privacy intrusions. Scary.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.