Security Manager Gets Into Spirit of the Law

Having been so uncomplimentary about lawyers a few weeks back, I've decided that it's time I knew more about the law -- at least the law as it affects our IT department. So I've been doing a bit of research into the Byzantine mess of rules and regulations that surrounds our everyday work.

It's hard stuff. My respect for lawyers is growing, if they can put up with a career full of documents of this complexity. Mind you, they probably say the same about IT.

The Law in Two Acts

This Week's Glossary

Carnivore: An e-mail surveillance system the FBI created and has proposed attaching to Internet service provider networks to monitor suspicious e-mail and Internet traffic. The tool is a version of a commercial Windows 2000 application that has been customized to intercept and view only the e-mail, Web browsing activity or other Internet traffic of a person named in a court order. But Carnivore must scan all the packets moving over a network to find those it wants to examine, which has alarmed privacy activists.

Cryptonomicon, by Neal Stephenson (Avon Press, 1999). A sprawling, intellectual, gripping thriller, with its roots firmly set in the insanities that surrounded the use of cryptography in World War II. Can you explain how tattooing a dead butcher, dressing him in a wet suit and dropping him into the Mediterranean helped the war effort? The book spans 50 years, four continents and a surprisingly large amount of computer security. Riveting stuff.

Baltimore Technologies PLC's Web site includes information on security tools ranging from the UniCERT certificate manager to MIMEsweeper scanning software.

Apart from the issues of inappropriate e-mails and monitoring that I discussed last week, there are two legal worries at the back of my mind at the moment: the Regulation of Investigatory Powers Act (RIPA) and the Data Protection Act (DPA).

These laws are specific to the U.K., but security managers around the world face a patchwork of similar laws. For example, the RIPA debate is broadly similar to the Carnivore debate that's been going on in the U.S. Carnivore is the FBI's (apparently successful) attempt to enforce monitoring of e-mail traffic by installing "black box" devices at Internet service providers. RIPA takes a similar approach in the U.K. but goes quite a bit further.

At heart, RIPA is the British government's attempt to extend its powers of surveillance to cover the Internet. The previous law, the Interception of Communications Act, became law in 1985, when few foresaw the rise of mass e-mail and the Internet.

It gives the police and public authorities broad powers to conduct surveillance online that are similar to those they have off-line, which is reasonably understandable. However, as much as I dislike the idea of someone potentially reading my e-mails, I recognize that surveillance is a necessary tool in law enforcement -- as long as the power to conduct surveillance is controlled and subject to appropriate checks and restrictions.

However, RIPA goes further than that. If encrypted data is being sent over your systems, the act gives the police the ability to demand access to the encryption key. Obviously, they've got to prove that you've got the key, right? Wrong. It is apparently enough for them to show that you once had it. If the appropriate authorities can show that you used to have the key, it's up to you to prove it's no longer in your possession.

Ethical issues aside, I've got to work out how my company would comply with this in practice. We use a variety of encryption technologies in a variety of places for a variety of reasons, and while I think it's very unlikely that we'll ever be given a disclosure notice under RIPA, we've got to be ready to comply with one if it ever does turn up. The alternative appears to be a potential jail term of up to two years.

Spirit of the Law

As far as I can work out, we have two alternatives. We can comply with either the spirit of the law or the letter of the law.

If we comply with the spirit of the law, we need a managed framework to record copies of any encryption keys we use -- wherever and however we use them. We've got to keep these records so that we can supply a key if asked -- otherwise, it's easy to show that we used to have a copy of the key because we encrypted some data with it. I have a feeling that if the police ever do show up at the door with a disclosure notice demanding access to some encryption keys, they're unlikely to be satisfied with me saying, "We're not quite sure what we've done with that key. Now, where did I see it last?"

If we do set up a database of encryption keys, then we've created a big risk. We'd better protect that database very well, because if anyone can get access to it, they have the keys to our security kingdom -- they could decrypt anything we've ever encrypted.

What we need is a proper public-key infrastructure (PKI) -- a hierarchy of keys -- managed, controlled and revoked by well-established and solidly enforced procedures. Unfortunately, PKI implementations aren't an easy task. Although companies like Dublin-based Baltimore Technologies PLC make some extremely good PKI products, implementing PKI is something you need to approach carefully and with a great deal of planning. It's not the sort of project I really want to get involved with unless there are some very clear, big benefits coming out of it.

Letter of the Law

So what if we comply with the letter of the law? RIPA says we can't be forced to give up a key if we can prove that we no longer have it, so why not set up a procedure mandating that we destroy encryption keys as soon as we're finished with them? That way, we should be exempt from having to comply with disclosure notices, as we could just point to our key deletion procedure and say we no longer have the key.

That's certainly not very helpful for the police, but it seems much easier than trying to implement a PKI system just so we can give our keys away. I have a feeling, however, that it is not quite as simple as I've made it sound, although I haven't yet worked out why. I'll have to keep digging a bit deeper into this one. Anyone out there know more about it than this?

Data Protection

The other piece of legislation that concerns me at the moment is the DPA. This one is a bit of an odd fish -- it's a piece of IT legislation that seems pretty sane and doesn't seem to have annoyed anyone. Everyone who comes across it seems to think it's a good thing -- protecting the privacy of the individual without going so far as to make it impossible to comply with the rule.

The DPA puts measures into place to ensure that if you hold data about an individual, then you have to do so with their consent, and it must be accurate, held securely and used only for the correct purposes. It's been brought into force over the past few years, with its powers steadily increasing every year, although I've never heard of any companies getting prosecuted for failing to comply with it.

The U.K. data protection commissioner has just put out a code of practice setting out how we should manage employee data. It's all very sensible stuff, but like all such regulatory documents, it's written in very precise language -- 77 pages of very precise language, in fact -- and I have to try to work out what we actually have to do to comply with it.

Nevertheless, we have managed to comply with one part of the code of practice very quickly. Apparently, we have to make sure to "provide a means by which managers can effectively expunge e-mails they receive or send from the system and make them responsible for doing so." Simple -- they've got the delete key, haven't they?

This story, "Security Manager Gets Into Spirit of the Law" was originally published by Computerworld.
