This has been an interesting week for the USB key.

No really; the ubiquitous key, which has been implicated in incidents of corporate data loss around the world, now occupies a central role in Microsoft’s view of corporate security.
Far from being merely the main means by which secrets slip out of your organisation, the USB stick is now something Microsoft's security technique depends on: you carry your BitLocker keys around on it.
This is a great leap forward, and I can foresee lots of corporates finding themselves strongly obliged to take up BitLocker, especially when you consider the surprising hard line being taken by the Information Commissioner, as reported in this BBC article. Let’s put the headline conclusion up here so you bear it in mind: if your company loses data, then it’s half a million quid as a fine.
Now; remember the provisions of Section 49 of the Regulation of Investigatory Powers Act. This is that interesting bit of law that cropped up post 9/11, which requires those who carry data encrypted on some computing device, to provide the decryption keys to law enforcement on request. So let’s see what happens when we take these two laws, and add them to BitLocker’s method of operation.
BitLocker encrypts the entire hard drive of a Windows PC. All that goes on the USB key is the personal part of your decryption key – it is a two-part key process, so your password is an important part of it. If your machine has a TPM security chip onboard, then there is no USB key requirement; but whether with USB or TPM, there are two ways to fall foul of The Law here.
First, allow me to reveal an enforcement scenario I’ve been through personally, then explain the ways you can be in bother if this happens to you while in possession of company kit.
The scenario is to drive through a part of London (or another big city) in the middle of a security scare which hasn’t yet reached the news, but certainly has reached the police forces. I’ve been through this three times, and the pattern is always the same: once stopped, the constabulary jump straight to the terrorism laws and parrot out their “we can now do whatever we want” mantra, which essentially means you have to wait for them to prove to their satisfaction that you aren’t loaded with binary explosive, drugs, or your tax disc isn’t expired.
So let’s say you’re stopped in this way, and in the back of the car is a laptop, borrowed from the common pool at work.
The first and simplest way to fall foul of the law is for that laptop to have multiple user profiles on it, only one of which is yours. You don’t know the passwords to the other profiles.
The second way is for you to have the laptop, and for it to contain only your profile – but you have forgotten the USB key (if it doesn’t have a TPM inside) or (if it does have a TPM) some ill has befallen it and it is asking for the TPM recovery password. You don’t know this, because it’s centrally administered as part of your company domain’s Group Policy.
That’s how BitLocker is supposed to work; that’s what is required by the Information Commissioner, to stop you carelessly losing your firm’s information, whether it is 25 million patient records or the war plans for the Defence Of Pinner.
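To make the two hardware cases and the recovery scenario above concrete, here is an added PowerShell example (not code from the original post or from Microsoft) that an administrator would run on a domain-joined laptop: it lists the key protectors on the operating-system volume, so you can see whether the machine relies on the TPM or on an external USB startup key, and it confirms that a numerical recovery password exists and has been escrowed to Active Directory, which is what lets the helpdesk recover a machine that has dropped into recovery mode. It assumes the BitLocker PowerShell module (Windows 8.1 / Server 2012 R2 or later), an elevated session, Group Policy that permits storing recovery information in AD DS, and that the OS volume is mounted at `C:`; all of these are assumptions, not facts stated by the post.

```powershell
# Added example, not from the original post: audit BitLocker protectors on
# the OS volume and escrow the recovery password to AD DS.
# Assumptions: BitLocker PowerShell module present, elevated session,
# domain-joined machine, AD DS recovery storage allowed by Group Policy,
# OS volume at C: (mount point is an assumption).

$MountPoint = 'C:'
$vol = Get-BitLockerVolume -MountPoint $MountPoint

"Volume {0}: protection {1}, status {2}, {3}% encrypted" -f `
    $vol.MountPoint, $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionPercentage

# Every protector on the volume. The post's two hardware cases appear here
# as 'Tpm' (no startup key needed) versus 'ExternalKey' (a USB startup key).
$vol.KeyProtector | ForEach-Object {
    "  {0,-18} {1}" -f $_.KeyProtectorType, $_.KeyProtectorId
}

$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

if (-not $recovery) {
    # No 48-digit recovery password at all: without one, a TPM measurement
    # change or a lost USB key leaves nobody able to unlock the disk.
    Write-Warning "No RecoveryPassword protector on $MountPoint; adding one."
    $updated  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $updated.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

foreach ($rp in $recovery) {
    # Store the recovery password on the computer object in AD DS so the
    # helpdesk, rather than the user, holds the answer when the machine
    # asks for it (the centrally administered arrangement the post describes).
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    "Escrowed recovery protector {0} to AD DS" -f $rp.KeyProtectorId
}
```

Run this as part of build or compliance checks: a volume whose only protector is `ExternalKey` is exactly the "forgot the USB stick" case, and a volume with no escrowed `RecoveryPassword` is the case where nobody, user or helpdesk, can answer the recovery prompt.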
So, your over-excited constable ferrets his way through your car, emboldened by his anti-terrorism brief, and his hand falls upon the laptop. “What’s the password?” he asks. “No idea”, you reply. In the words of that famous board game – do not pass go. Do not collect £200. Go direct to jail…
I know, this is an extreme scenario – but what the law says is not “temporarily unable to provide passwords until the IT helpdesk arrives in the morning”, or “unable to unlock the PC due to being absent minded and having the passwords somewhere down the back of the sofa on a ‘Hello Kitty’ USB stick” – it says that if you don’t provide the passwords, that’s you nicked, that is.
What’s worse is that the Information Commissioner’s “get tough” policy on inadvertent leaks might make an over-excited IT manager actually refuse to divulge those passwords, down the phone to someone who CLAIMS they are a custody sergeant…
I would agree with those who say that this is the nature of the game when it comes to taking responsibility for data about people which you carry about in the course of your work. But I am rather concerned that the confluence of these two laws – which do not seem to contradict one another as they sit in the body of statute – adds up to a nasty trap for those who are likely to end up both guilty and fired for trivial errors which do not amount to the crimes these laws are designed to deter.
The IT business – as found in corporates – needs to think through the impact of these regulations, and in some depth.