By now you’ve heard about a recent Federal Court of Appeals ruling that protects forced decryption of data under the Consitutional Fifth Amendment right of non self-incrimination. What does this mean to tech users in general?
The ruling said that jailing a man for contempt of court because he pled the Fifth and would not reveal his TrueCrypt key to a Grand Jury was a violation of his Constitutional rights. It’s the first time a court has protected data under constitutional rights — especially significant to law enforcement as there is no way to break the encryption and investigate TrueCrypt-encrypted drives.
Image Courtesy: Wikimedia Commons
Privacy advocates are celebrating. So far, anyway. Electronic Frontier Foundation (EFF) lawyers called it a major victory for privacy and constitutional rights in the digital age.
It also has a major impact on the enterprise. After all, said Lee Tien, an attorney with the Electronic Frontier Foundation, a person’s right to keep a password secret is a linchpin of the digital age. Encryption is “really the only way you can secure information against prying eyes,” he said. “If it’s too easy to compel people to produce their crypto keys, it’s not much of a protection.”
If a court held this true even in this alleged child pornography case, where just because the defendant says he knew what was on the drives was enough to amount self-incrimination if he produced the key, imagine what the effect is on on IT.
What if there were corporate data on those drives? The ruling would presumably prevent network admins from getting access to it. This is a prime example of interlapping of home and work life in IT.
Anyone can download TrueCrypt. Products like this give huge power to individual users in the enterprise.
Consider, earlier this month a former managing partner and two associates abruptly resigned at the Harrisburg, PA office of the Philadelphia law firm Elliot Greenleaf, which claims associates and the managing partner deleted about five percent of data on tape and, worse, that they have continued access to the firm’s Dropbox account with a password the firm doesn’t know. There is legal analysis here.
The law firm isn’t suing for the password. It wants its data. It wants to recover what it considers to be trade secrets and proprietary information. It isn’t about criminal versus civil. Obviously these are two quite different cases. But they have do have one key point in common.
It’s the password.
This is a new world entirely. Not too long ago there was a vast chasm between IT and its users. The user needed the help of IT to do most things technical. Before the days of Dropbox — or TrueCrypt available for free to anyone, for that matter — if a user wanted to store data offsite to continuously reach it from anywhere, the network admin would have installed an FTP client over a VPN, built a remote server, created an account and given the password to the user.
Not the golden password, mind you, but an account password.
The admin might also ask the business need. If the user left, the admin could return control FTP tunnel to the person who replaced him. But today products like Dropbox and TrueCrupt are so easy to use that anyone could store unlimited amounts of data offsite and/or encrypt it. The admin would never know it.
So now the barrier to the data is only the password. Speaking of passwords, even IT pros and sys admins have passwords the corporation will want to have access to and now may not be able to get. Terry Childs, the former network administrator for the City of San Francisco who refused to reveal the password of the city’s network for 12 days, served four years in prison because of it.
It’s a wonder we haven’t seen more examples of users who are holding a company’s data hostage.
Larger companies are able to build systems to prevent users from doing this but smaller companies, the fewer than 100-employee crowd, is opting for off-the-shelf tools like Dropbox and TrueCrypt. That gives the average user unprecedented power over company data.
Childs didn’t give the password to his supervisor because he thought she wasn’t unqualified to know it. He handed it off to the mayor. A network admin is one in a public position who is vetted (hopefully) by the hiring manager. But not every employee is going to have the same motivation protect data. Data is only a tool to help them do their job.
With consumerization, personal and professional lives — and their data — overlap. And when people leave companies for inimical reasons, the relationship may sour and the conflict becomes personal and that’s when the companies data is lost.
We haven’t heard of the last of this.