Many people ask me about the issues surrounding encrypted devices and whether they can (or should) encrypt data. So, to clear up any confusion, here’s my take on this issue.

First point: Encrypting data, especially on removable devices, is a good idea

Given recent events relating to the loss of sensitive data (like, the loss of nursery data on a USB stick, Government user IDs stolen from a parked car, the banks losing customer data, Number 10 staff losing their Blackberry’s in China… This list is endless), it is blindingly obvious that some form of protection for data while not stored in a physically secure environment is needed. The losses actually reported are dwarfed by those that companies elect not to report. There is a great debate going on about whether companies should be compelled to report these sort of breaches under Data Protection legislation, as currently most organisations don’t have to.

In addition, individuals should ensure that their own data is adequately secured. It’s not just companies that have this problem. How many people store their passwords to their online banking on their laptops and then carry them around with them all over the place? And, given that most operating systems have built in encryption capabilities these days (Microsoft Windows XP and Vista do, as does Mac OS X), people should really consider turning these on.

Second point: There are lots of different applications for encryption

There’s device encryption, full disk encryption, e-mail encryption, SSL encryption for websites and other types of traffic, VPNs… Plenty of different applications for very different purposes. And managing this becomes a bit of headache…

Third point: In an organisation, it’s not that simple…

Having said all of the above, it would easy (but wrong) to assume that it’s very simple to implement encryption in an organisation. It isn’t. There are three choices: 1. Implement stand alone encryption for everyone who needs it, using a variety of different standards and without the capability to access these in the event of a disclosure requirement; 2. Implement an integrated encryption service, managing people’s keys centrally (or at least having an administrative key for access in the event of a disclosure requirement), or; 3. Take the risk and don’t do anything.

The trouble with option 1 is that the organisation is liable for everything that gets sent or stored from or on its systems. In the event that a request to disclose some information stored in an encrypted file or e-mail is made by the authorities, it is essential that, given the right safeguards, an organisation can access that data. If everything is set up in a standalone fashion, this becomes difficult.

Option 2, therefore, looks much more attractive, but it does come at a cost, both in terms of infrastructure and management. Many organisations opt for option 1, but ensure that each user of encryption software sign a disclosure agreement that warrants their co-operation in the event the organisation is requested for data held in a system that they, themselves, control.

Finally, option 3. I would not recommend going down this route. The Information Commissioner seems to be blowing hot and cold over the absolute requirement for device encryption, but it looks likely that principle 7 of the Data Protection Act 1998 will be breached if laptops and other personal data aren’t encrypted.

Fourth point: Travelling with encrypted files

This may come as a bit of a surprise, but different countries have wildly different laws about encryption, so it is essential that people check out what the legislation is in the country that they are travelling to, in case they are accused of espionage activities (I’m not kidding!). For a comprehensive overview, the University of Tilburg, in the Netherlands, is hosting a page on the Wassenaar Arrangement. This details how different countries license the export and import of different levels of military materials. To quote:

“The Wassenaar Arrangement controls the export of weapons and of dual-use goods, that is, goods that can be used both for a military and for a civil purpose; cryptography is such a dual-use good.”

As an example, I’ve picked Russia. It states: “A license is required for the importation of encryption facilities manufactured abroad. The export of cryptography is subjected to a tightened state control. Importers and exporters need licenses by the Ministry of Trade.”

I am not a lawyer, and I suggest getting legal advice rather than ever relying on something you’ve read in a blog.

More information:

Surfing Safer: Advice on choosing encryption products

Laptop encryption in Russia, China

Advertisements