FTC Closes Data Security Investigation of P2P Software Provider

On August 19, 2010, FTC staff closed an investigation into Limewire, LLC. Limewire provides both a free and purchasable version of P2P software. Based on the staff's closing letter, available here, the investigation focused on a security vulnerability in legacy versions of the P2P software that put users at risk of inadvertently sharing sensitive information stored on their computers.

FTC staff decided to voluntarily close the investigation. Among the factors considered as part of closing the investigation were:

• Limewire's incorporation of safeguards into the updated software's user interface to help users avoid the inadvertent sharing of sensitive documents;
• the high attrition rate for legacy versions of the software;
• Limewire's inability to force users to update to a newer software version; and
• users of some of the older software versions may have been able to avoid disclosure of sensitive PII (noting that an act/practice is not "unfair" under Section 5 unless it causes consumer injury that is not reasonably avoidable by consumers).

Given the staff's ongoing concern that consumers using the legacy software may remain at risk of PII disclosures, the staff stated its expectation that Limewire would continue to advise consumers to upgrade the software and participate in industry efforts to inform consumers about how best to avoid inadvertent sharing of sensitive documents.

This closing follows the FTC's press release earlier this year that it had notified nearly 100 organizations that their sensitive PII records were on P2P networks, and that it was investigating several organizations whose customer or employee information had been exposed on P2P networks. That press release is available here.