DOJ laptop caught with LimeWire installed
Justice Department inspector general auditors found LimeWire, a peer-to-peer download client, on a government-owned laptop.
Auditors were testing laptops from the DOJ's criminal division to see whether they were encrypted in accordance with departmental full disk encryption policies when they found LimeWire downloaded onto an International Criminal Investigative Training Assistance Program (ICITAP) laptop.
The U.S. Attorney's Office successfully prosecuted a Seattle man in 2007 for using LimeWire to search the hard drives of other LimeWire users for information in order to commit identity theft. LimeWire is a client for the Gnutella file-sharing network, though it also supports torrents. It has a reputation for transmitting malware.
ICITAP officials recalled the 10 laptops they had loaned to auditors, including the LimeWire laptop, and re-imaged them, the inspector general report states. The audit was performed from July through December 2009.
As for whether Criminal Division laptops were encrypted, the report found that of the 40 Justice laptops it tested, 10 were not, and nine of those 10 didn't have Windows password protection, either.
All 10 laptops came from ICITAP, and contained information such as reports on development programs in Iraq and Pakistan. The criminal division only allows "sensitive but unclassified" information onto laptops. Departmental policy is to consider all information as "sensitive" unless designated otherwise.
Justice Department contractors were likewise lax in their full disk encryption, auditors found. Seven of the nine tested contractors on Offices, Boards and Divisions (OBD 47) contracts, which are used for paying expert witnesses or litigation consultants, lacked encryption on their laptops. Companies performing work under the Justice "Mega 3" indefinite-delivery, indefinite-quantity contract have a waiver from encryption requirements, but they were nonetheless "not securing data in accord with DOJ requirements," auditors wrote.
For more:
- check out DOJ IG audit 10-23 (.pdf)
- see this March 17, 2008 U.S. Attorney, Western District of Washington press release announcing the 51-month prison term of Seattle man Gregory Kopiloff for mail fraud, accessing a protected computer without authorization and identity theft.
- read this Federal Computer Week story on the audit