United States Department of the Interior

FISH AND WILDLIFE SERVICE 
Washington, D.C. 20240

November 30, 2004

To:

All U.S. Fish and Wildlife Service Employees

From:

AD -  Information Resources and Technology Management

Subject:

Peer-to-Peer File Sharing Technology and Copyright Restrictions 

On July 28, 2003, the Department of Interior (DOI) Chief Information Officer (CIO) issued OCIO Technical Bulletin no. 2003-nnn prohibiting the use of Peer-to-Peer file sharing technologies.  This prohibition encompasses all offices and bureaus in DOI.

Additionally, on September 8, 2004, OMB issued M-04-26, titled “Personal Use Policies and File Sharing Technology.”  The purpose of this memorandum is to detail specific actions agencies must take to ensure the appropriate use of certain technologies used for file sharing across networks. These actions are based on recommended guidance developed by the Federal CIO Council in 1999.  OMB has directed the agencies to “Establish or Update Agency Personal Use Policies to be Consistent with CIO Council Recommended Guidance.”

Definitions of inappropriate personnel use made by the Federal CIO Council include:  

· “The unauthorized acquisition, use, reproduction, transmission, or distribution of any controlled information including computer software and data, that includes privacy information, copyrighted, trade marked or material with other intellectual property rights (beyond fair use), proprietary data, or export controlled software or data.”

· “The creation, download, viewing, storage, copying, or transmission of materials related to illegal gambling, illegal weapons, terrorist activities, and any other illegal activities or activities otherwise prohibited, etc.”

· “Any use that could generate more than minimal additional expense to the government.”

This memorandum reinforces the DOI policy on the use of Peer-to-Peer (P2P) file-sharing applications and the OMB memorandum on Personal Use Policies and File Sharing Technology. Service computer systems or networks (as well as those operated by contractors on the government’s behalf) should not be used for the downloading or storage of illegal and/or unauthorized copyrighted content.  

Users who do not comply with this memorandum, may be subject to penalties, including official, written reprimands, suspension of system privileges, temporary suspension from duty, reassignment/removal from current position, termination of employment, and even criminal and/or civil prosecution. 

The use of P2P file-sharing technologies is categorized as a medium level threat in the Service’s Computer Security Incident Response Team (CSIRT) Handbook and should be handled as such.

Background:
A type of file sharing technology known as Peer-to-Peer (P2P) refers to any software or system allowing individual users of the Internet to connect to each other and trade files. These systems are usually highly decentralized and are designed to facilitate connections between persons who are looking for certain types of files. While there are some appropriate uses of this technology, the vast majority of files traded on P2P networks are copyrighted music files and pornography. 

Although many materials have been placed on P2P networks with a creator’s consent, much of the material (images, software, movies, music, video) have been duplicated from copyrighted materials. Downloading or storing such files onto a Service network or workstation places the Service at significant risk for legal action by the copyright holder and other organizations. File-sharing networks also provide ready access to pornography or other prohibited material, subjecting the Service to additional legal risk.

Network performance can degrade significantly when P2P file-sharing applications are used, especially when large files are being downloaded. This problem is compounded when other users on the P2P network use Service bandwidth to download files from the employee’s computer, which can significantly slow other services on the network.

P2P networks can also introduce significant gaps in an otherwise secure network. Threats such as worms and viruses can easily be introduced into the company’s network. P2P applications, if exploited, can also allow users outside the company to gain access to data residing on Service networks.  Some P2P applications will also allow third parties to see the user’s IP address.  The use of P2P file-sharing applications can, in some cases, allow other members of the P2P network to have access to everything on your local machine, putting the Service’s data at risk.

Examples of P2P File-Sharing Technologies:
 

 
Questions concerning the use of file sharing software should be directed the Service Bureau IT Security Manager or the IT Security Program Office.

If you have any questions or comments regarding this memorandum, please contact Michael Howell, Assistant Director - Information Resources and Technology Management and Chief Information Officer at (703) 358-1727.