It is the ruling that has IT reaching to make sense of it all. Make that two rulings.
Last week in San Francisco, a federal court for the first time ruled that the Fifth Amendment of the U.S. Constitution — the right to not self-incriminate — protects against “forced decryption.” The judge, from the 11th Circuit in San Francisco, ruled that a Florida court violated a defendant’s rights when its Grand Jury gave him the choice to either reveal his TrueCrypt password or go to jail. The privacy watchdog group Electronic Frontier Foundation (EFF) called this “a major victory for constitutional rights in the digital age.” You can read the full ruling on the case –called United States v. Doe — here. Read it for yourself.
It’s a controversial ruling that enterprise should closely watch. The defendant, who is unidentified in the brief, pled the fifth when the court ordered him to reveal his TrueCrypt password. That strong, on-the-fly encryption program prevented the FBI agents who nabbed him from getting at any of the data on the notebook computers and external drives they also seized.
The EFF was exultant. “The government’s attempt to force this man to decrypt his data put him in the Catch-22 the 5th Amendment was designed to prevent — having to choose between self-incrimination or risking contempt of court,” EFF attorney Marcia Hoffman said in a statement. “We hope this ruling will discourage government from using abusive grand jury subpoenas to try to expose data people choose to protect with encryption.”
This is definitely a first. I called some of the CTOs and IT pros I know to get their take. What if your users use a program like TrueCrypt on the laptops or other personal devices they use with company data? If, say, a company terminates an employee — does this ruling mean the company could not legally force him or her to reveal the encryption password?
What about opposing rulings?
What if the company believed the employee had violated laws, too, civil or criminal? Or just policy? The questions run deep.
Another court — one in Colorado — not so long ago rejected an appeal in a similar case, where a court has ordered a woman to decrypt her laptop in a real estate fraud case. We’ve got a big gray area here. And, you might worry, a powerful precedent.
As legal experts weigh in on other side, here’s what a sampling of IT professionals told me.
Peter Baer Galvin, a Boston-based CTO at the VAR Corporate Technologies, said it is all too easy “to have a home directory that syncs automatically from the laptop back to the servers, caching the contents on the laptop. It’s easy for a user to create a separate encrypted file and keep the keys to themselves. Legally the contents of that file belong to the company because it’s stored on a company laptop.” Galvin says, “But of course the encryption would prevent the company from finding the contents. If those are important documents then the company seems to be out of luck.”
This wouldn’t let employees hide their email, Galvin emphasizes. “Email has to go through servers to get delivered. MS Exchange, for example, has a setting where it can save all email for period of time, even if the user deletes it or encrypts it at rest on the laptop.” But what of the rest of the data?
Jeremy Lesniak, an IT pro and the founder of Vermont Computing in Duxbury, VT, had harsher words. “If the company didn’t mandate any form of backup to their own servers, it deserves to lose its data. That’s an amateur mistake. There are certainly strong differences between this (alleged criminal) case and a company mandating that the data on a laptop be returned. Whether there are legal differences,” Lesniak says, isn’t as clear.
Eric Finkenbiner is a foreign service IT specialist for the U.S. Department of State, for which he is currently stationed in Rangoon, Burma. He expresses a mixed reaction. “There are a few different ways that I would approach this,” he says, boiling it all down to either “virtualization or lockdown/separation.”
“Currently, I see the pendulum swinging back in favor of virtualization (terminals) versus PCs. In many larger enterprises, even if a user has a laptop it is simply the hardware used to tunnel into a corporate portal where all the data actually resides. At that point, using Truecrypt locally should pose no risk to corporate data since it is in its own sandbox on the users device.
Not all businesses can afford such software and infrastructure. In those cases, any IT dept worth its salt would be wise to lock down PCs to the point where users wouldn’t have the proper rights to install truecrypt or any other encryption software. Additionally its important to educate users to keep their personal and business data separate.
My personal opinion is that this ruling is a good thing. The reality is that you can’t prevent this 100 percent of the time. But by making the right thing to do the easiest and most natural thing to do, you avoid most of the problems.”
Rob Maxwell, senior security engineer at the University of Maryland at College Park, said the decision initially startled him. And he provides some more background. “Businesses need to be using encryption to protect their data, but they need to be protecting it in other ways, as well. And they should be using an enterprise product with (at least) a key-escrow system. People lose passwords all the time, and sometimes things just break. There needs to be a master key with the company to ensure that important things don’t disappear by accident.
“If you have to worry about employees stealing documents, or not storing them as they should,” adds Maxwell, “you have HR problems, not encryption problems.”
An important distinction enterprise should make also: “Encryption only protects data at rest,” he says, emphasizing the words “at rest.” He continues: “If your machine is compromised by a hacker looking to steal your data, that hacker will wait until you decrypt the data to use it, then grab it. The user cannot work with their own data while it’s encrypted either. Encryption saves headaches when external drives or laptops are lost or stolen.”
What do you think? Let me know below. I’ll add to this as I get more reaction from CTOs, IT pros — and of course corporate and legal analysts.