Thursday, May 25, 2006

Engineering Laptop Data Security, or, 26.5 Million Veterans Can't Be Wrong

On Monday, May 22, we learned that some time in the preceding three weeks, a burglar broke into the house of a mid-level analyst in the Department of Veterans Affairs in Washington, D. C. Among the items missing the next day was the employee's laptop computer. That by itself is not news—laptops are stolen every day. But the thing that motivated Veteran Affairs Secretary Jim Nicholson to announce the theft to the news media was the fact that on that laptop's hard drive were the names, Social Security numbers, and other personal information belonging to over 26 million veterans.

It is not hard to imagine what someone with the scruples of a burglar could do with that information. We can only hope that the miscreant does not read the newspapers, watch TV news, or download iPod newsblogs, and that he fenced the machine to someone who will divest it of all identifying indications, including the hard drive data. But the very small chance that a very big problem will occur is still a very big problem. And since Social Security numbers last for the lifetime of their owners, the concern that one of those veterans will be a victim of identity theft may not go away unless the machine is recovered with the knowledge that the data wasn't copied. This happy eventuality is, to say the least, unlikely.

As it does in many other areas, the advance of technology has blurred the distinction between two groups of people who formerly had very different responsibilities. Back in the 1970s when it took a roomful of refrigerator-size tape drives to store twenty-seven million personal records, there were only a handful of people in any given organization who had the technical ability to manipulate or copy the information. The computer-science specialists who designed, operated, and maintained the systems were generally aware of their special responsibilities that came with the power to work with personal data. Besides which, a putative thief would have had to bring a small loading van along to steal such a large amount of data. Although data theft and identity theft have been a problem at some level since the earliest days of computers, the sheer bulk and awkwardness of large amounts of data, and the relatively scarce and highly secure computer rooms in which they were housed, meant that such a theft had to be carefully planned and executed like a bank or payroll heist. For the average non-technical user of such information, the most data handled at once was contained in a bulky folder of green-and-white-striped computer paper, which nobody wanted to carry out of the office anyway. So computer security was an issue mainly for those few specialists who dealt directly with mainframe computers, and the rest of us scarcely knew it existed.

No longer. Because of the democratization of technology we now enjoy, most laptops sold today with 100 GB hard drives can hold the digital equivalent of all the printed contents of a small town's public library. The size of digital storage has changed, but the responsibilities are still the same. Every person who is in charge of a laptop with sensitive information on it has the same moral obligations as those (now retired) computer operators in the glass-walled computer rooms of yore. But in these days of high-pressure work and high-speed internet connections at home, what is more natural than to throw the laptop in the car and finish that special project in the evening just this once, even though you seem to recall some office rule against taking work home? That is just what the anonymous Veterans Administration employee did, and now look what's happened.

There are technological fixes for this technological problem, of course. A ten-second Google search turns up companies such as Eracom Technologies, which offers a variety of data encryption methods for servers, desktops, and laptops. The idea is that the authorized user types in a special password, and for extra security plugs in a special module to enable the laptop to boot up. Once the computer is satisfied that it is being used by the right person, it acts just like a normal computer. But all the data on the hard drive is actually encrypted with advanced techniques and de-encrypted as needed. Were a thief to steal the unit, he or she would be unable to start the machine. Even if the hard drive were removed and copied, the result would be nonsense.

Of course, Eracom doesn't give this technology away for free. I don't know what it costs, but it must be considerably less than the cost of a laptop, and they probably give quantity discounts for large organizations such as the U. S. Department of Veterans Affairs. But even advanced security technology like this can be thwarted if the user does something dumb, like writing the password on a note taped to the keyboard, or keeping the special unlocking module in the same bag with the computer. As an engineer told me recently, he tries to design systems that are foolproof, but doesn't bother to make them "damn-fool proof."

If a pattern of identity theft matching the stolen records does not emerge soon, our returning soldiers may not have to worry about the consequences of this particular laptop burglary. After all, they have seen and dealt with a lot bigger problems than this one. The rest of us, especially those who have any kind of sensitive data that we carry around in laptops, Blackberries, or data storage devices, should think twice before we take it out of a secure area. And ask what your organization does in case such data is stolen. If the answer isn't satisfactory, maybe someone should invest in a little added security. But all the data-security technology in the world cannot substitute for simply being careful.

Sources: An article describing the news conference at which Jim Nicholson revealed the laptop theft is at Information on encrypting hard-drive data is available at such sites as

No comments:

Post a Comment