
PCPro-Computing in the Real World Printed from www.pcpro.co.uk


Posted on November 13th, 2009 by Steve Cassidy

Does Windows BitLocker spell the end of the office loan laptop?

Could your laptop land you in jail? This has been an interesting week for the USB key.

No really; the ubiquitous key, which has been implicated in incidents of corporate data loss around the world, now occupies a central role in Microsoft’s view of corporate security.

Far from being the main means by which secrets slip out of your organisation, the Microsoft security technique depends on carrying your BitLocker keys around on a USB stick.

This is a great leap forward, and I can foresee lots of corporates finding themselves strongly obliged to take up BitLocker, especially when you consider the surprising hard line being taken by the Information Commissioner, as reported in this BBC article. Let’s put the headline conclusion up here so you bear it in mind: if your company loses data, then it’s half a million quid as a fine.

Now; remember the provisions of Section 49 of the Regulation of Investigatory Powers Act. This is that interesting bit of law that cropped up post 9/11, which requires those who carry data encrypted on some computing device, to provide the decryption keys to law enforcement on request. So let’s see what happens when we take these two laws, and add them to BitLocker’s method of operation.

BitLocker encrypts the entire hard drive of a Windows PC. All that goes on the USB key is the personal part of your decryption key – that’s a two-part key process, so your password is an important part of it. If your machine has a TPM security chip onboard, then there’s no USB key requirement; but with USB or TPM, there are two ways to fall foul of The Law here.

First, allow me to reveal an enforcement scenario I’ve been through personally, then explain the ways you can be in bother if this happens to you while in possession of company kit.

The scenario is to drive through a part of London (or another big city) in the middle of a security scare which hasn’t yet reached the news, but certainly has reached the police forces. I’ve been through this three times, and the pattern is always the same: once stopped, the constabulary jump straight to the terrorism laws and parrot out their “we can now do whatever we want” mantra, which essentially means you have to wait for them to prove to their satisfaction that you aren’t loaded with binary explosive, drugs, or your tax disc isn’t expired.

So let’s say you’re stopped in this way, and in the back of the car is a laptop, borrowed from the common pool at work.

The first and simplest way to fall foul of the law is for that laptop to have multiple user profiles on it, only one of which is yours. You don’t know the passwords to the other profiles.

The second way is for you to have the laptop, and for it to contain only your profile – but you have forgotten the USB key (if it doesn’t have a TPM inside) or (if it does have a TPM) some ill has befallen it and it is asking for the TPM recovery password. You don’t know this, because it’s centrally administered as part of your company domain’s Group Policy.

That’s how BitLocker is supposed to work; that’s what is required by the Information Commissioner, to stop you carelessly losing your firm’s information, whether it is 25 million patient records or the war plans for the Defence Of Pinner.

So, your over-excited constable ferrets his way through your car, emboldened by his anti-terrorism brief, and his hand falls upon the laptop. “What’s the password?” he asks. “No idea”, you reply. In the words of that famous board game – do not pass go. Do not collect £200. Go direct to jail…

I know, this is an extreme scenario – but what the law says is not “temporarily unable to provide passwords until the IT helpdesk arrives in the morning”, or “unable to unlock the PC due to being absent minded and having the passwords somewhere down the back of the sofa on a ‘Hello Kitty’ USB stick” – it says that if you don’t provide the passwords, that’s you nicked, that is.

What’s worse is that the Information Commissioner’s Get Tough policy on inadvertent leaks might make an over-excited IT manager actually refuse to divulge those passwords, down the phone to someone who CLAIMS they are a custody sergeant…

I would agree with those who say that this is the nature of the game when it comes to taking responsibility for data about people, which you’re carrying about in the course of your work: but I am rather concerned that the confluence of these two laws – which do not seem to contradict one another as they sit in the body of statute – add up to a nasty trap for those who are likely to end up both guilty, and fired, for trivial errors which do not add up to the crimes these laws are designed to deter.

The IT business – as found in corporates – needs to think through the impact of these regulations, and in some depth.


Posted in: Real World Computing


12 Responses to “ Does Windows BitLocker spell the end of the office loan laptop? ”

  1. Stephen Ferns Says:
    November 13th, 2009 at 7:35 pm

    Interestingly, BitLocker is not available on Windows 7 Professional, that will become the default version of choice for Businesses, so I fail to see how it can make any significant impact … shame really

     
  2. Steve Cassidy Says:
    November 13th, 2009 at 9:20 pm

    I’m not interested in the Default version. I’m interested in the decision made by a company secretary who can point to a BitLocker implementation that keeps him clear of a half million pound fine, by agreeing to a few percent more on the price of their corporate licence package.

     
  3. James D Says:
    November 13th, 2009 at 9:38 pm

    “If any person with the appropriate permission under Schedule 2 believes, on reasonable grounds—

    (a) that a key to the protected information is in the possession of any person”

    Seems to me that if you don’t have the key, then they can’t bust you for it.

     
  4. Stephen Ferns Says:
    November 13th, 2009 at 11:26 pm

    Steve, I fear you are somewhat missing my point.
    Looking back over previous versions of Windows, starting with XP, Professional was the full blown full version. Vista had a Business Edition. This was everything the vast majority of businesses would want in a product, including BitLocker. Ultimate in Vista was seen as more of a home product, that in the end promised many things to the users who purchased it and in the end, delivered little over Home Premium, with the addition of being able to be added to a domain.
    Bring on Windows 7 and MS try to make life easier for those who have to choose. Away with the many versions, Vista Business becomes the Professional version again and Ultimate looks, at the outset, to be just a home user experience O/S with a small business cross over.
    So, let’s look at this from a real world perspective, rather than what happens to interest you. Most companies, at this time, do not even consider drive encryption when purchasing a laptop. Most companies do not have any kind of IT administrator and choose machines based on cost and whether it will do what they are aware that they need it to do, so, as I mentioned earlier, will opt for 7 Professional aka Business. Somewhere down the line, the issue of drive encryption may come up for some of these companies, at which point they will realise that if they want this feature from MS, they will have to fork out more money. Now given that pretty much the only people in the world who would ever want drive encryption would be business users, why, as a company, would you not include this feature in what you advertise as being your business package … more so, given that they included it in their older business offering

     
  5. Steve Cassidy Says:
    November 13th, 2009 at 11:53 pm

    James; I can’t really see what you are saying from what you’ve quoted. Yes, the law permits discretion – but that runs both ways: You can either be let off because the desk sergeant decides you are being reasonable – or you can be banged up because your IT team are under instruction not to divulge passwords, on pain of a half million pound fine. It seems like there’s a sizeable gap in the “reasonableness” stakes here, between what’s expected of firms, and what individual employees need to establish about the kit they use, before they come into contact with the law.

    Stephen: You are right about a particular segment of the market. That is however, not the segment I’m addressing.

     
  6. David W Says:
    November 14th, 2009 at 10:36 am

    Vista had Enterprise, the same as Windows 7.

    Steve, he means that SOHO PCs will be using Windows 7 Business, so BitLocker is not an issue, they need to either use W7 Ultimate or be part of a corporate licensing scheme and get W7 Enterprise in order to be able to use BitLocker – and a majority of other features Business users would find interesting.

    As to profiles, even today, if the laptop is set-up correctly, the user will only have access to their profile, they won’t be able to see the profiles of other users, without either the other users’ passwords or the administrator password.

    Okay, for the forensic expert, there are ways around this, but the average user and the average bobby won’t know how to look at other users’ profiles.

     
  7. Steve Cassidy Says:
    November 14th, 2009 at 12:44 pm

    OK, let’s be clear. Yes, I am talking about a situation which is of concern only to those with corporate-licenced laptops. Not to all those other licences that don’t include BitLocker. That’s probably why I put “BitLocker” in the blog title…

    Secondly: Yes, this depends on the reaction and skill-set of the average Bobby, as is the case with most laws. I think there’s an interesting question there about profiles – how does an arresting officer decide that the data he is looking at is merely secured (no rights) versus actually encrypted (needs a key)? The first sort is legal, the second sort, isn’t. There seems to be no guidance on this matter. However – I don’t think you can make company policies out of an assumption that Dimbleby will simply be too thick to spot the problem – I wouldn’t be happy to work for a boss who says “and if any coppers ask you for the password, tell them to sod off…”, on the same simple basis as bus drivers are not expected to keep to schedules that require them to break the speed limit.

     
  8. Charles Marsh Says:
    November 16th, 2009 at 1:37 am

    Steve Cassidy wrote, “…what the law says is not ‘temporarily unable to provide passwords until the IT helpdesk arrives in the morning’, or ‘unable to unlock the PC due to being absent minded and having the passwords somewhere down the back of the sofa on a “Hello Kitty” USB stick’…”
     
    That’s exactly what the law does say. Section 49(4) states that the notice “must allow a period for compliance which is reasonable in all the circumstances.” Given the potentially serious penalty for getting it wrong, being given time to seek legal advice and to be absolutely sure you have fully complied is not unreasonable. In practice, this means weeks.
     
    The legislation is written so that a section 49 notice can only be imposed on a regular employee as a last resort. For encryption managed by a business, the notice can be imposed on an employee only if it is impractical to impose it on a senior officer of the company or partner of the firm.
     
    Also, an over-excited constable can’t authorise a section 49 notice. The police must first seek the approval of the National Technical Assistance Centre. While it’s then possible for certain high-ranking police officers to authorise a notice without getting further permission, for the last reported year, the permission of a Judge was always sought.
     
    While a computer can be seized in an instant, Part III of RIPA is part of the subsequent, slow investigation. Recently, Deputy Assistant Commissioner Janet Williams said that police computer forensics was so slow that it was too slow. Section 49 notices don’t provide for at-the-scene decryption. The process is complex, burdensome and, unsurprisingly, not very often used.
     
    Of course, none of this is much comfort to you as an employee if the police decide, for whatever reason, that they want to arrest you.

     
  9. Steve Cassidy Says:
    November 16th, 2009 at 10:27 am

    Thanks Charles, that’s exactly what I was driving at. I believe that there are already tensions (shall we say!) on the general subject of timeliness of getting at people’s stuff during any investigation which involves a computer; it’s hard to reconcile the duration of the detention/interrogation period, with a timeline of “weeks” to crack the netbook the poor bloke was arrested with!

    My intent in pointing out this scenario isn’t about the scenarios where the cops have good reason to get into a machine; it’s where they have no reason, and are hunting for any way to mess with the life of the subject. I think the fix for this issue is a big sticker, with words on it to the effect of “this is the property of megacorp, as is all the data on the machine. The legal owner of this intellectual property is Mr. F. Kafka, Company Secretary”.

    I know this means that in the kind of pointless interference stop I’ve experienced, the cops will just move on to some other basis for delay – but the important thing is, they can’t make use of a catch-22.

     
  10. John T Says:
    November 16th, 2009 at 9:24 pm

    I can’t for the life of me see why Steve’s point was so difficult to grasp – seemed plain and simple enough to me.

    No longer, but I used to work for a ‘megacorp’ myself, (1000+ in London alone) and they will definitely go for the BitLocker flavour of 7 – and the fact that a ‘four man a dog’ sized company may not be affected by this issue is probably not going to be of much comfort for anyone who DOES get caught up in it.

    We all know that most coppers are just decent blokes doing a difficult job, but we all also know that there are some ‘rotten apples’ who take great pleasure in making your life a misery, simply because they can.

    Add to that the stress they may be under if they think their life is in danger by being where they are, and casual belligerence could very easily become something else.

    I think the point of this blog is valid – the law currently puts companies and their staff in a ‘heads I win, tails you lose’ scenario.

    Ill considered and conflicting laws that impinge on our freedoms eh? Who’d have imagined it…

     
  11. Steve Cassidy Says:
    November 16th, 2009 at 11:52 pm

    I think there’s some incredulity here, too, about police stops. My “Cable guy” was stopped in the depths of Gloucestershire one night, in the rain: The constabulary wanted to see what was in his van. He said there was over 20 grand’s worth of stuff from Fluke, 3Com, and Cisco, and he really didn’t want to get it all out in the rain (which was true). So they breathalysed him, checked his insurance (20 minutes on the phone) and eventually gave him 3 points and a £60 fine because he hadn’t informed the DVLA that he was no longer wearing glasses after having had LASIK surgery. It’s against that kind of background that I thought the issue of taking sensible precautions around BitLocker implementations should probably go a bit further than just the technical…

     
  12. Alan Says:
    November 26th, 2009 at 10:03 am

    Some fine legal “advice” here, quoting Acts and legal process. I wonder how many of you are experienced in the law, ie solicitors or the like. Very fine, is the written part of our legal framework.

    Now I wonder how many of you have experience of the receiving end of the law. Let me tell you, legal niceties get thrown out of the window. Plod is supposed to do a lot of things when they ransa^H^H^H^H^H search your house. They don’t, because they can get away with not doing it. They can steal your property, because they can get away with it. They can destroy your property, and get away with it. In each case, because they didn’t list it. And yes, that is a technicality that can be brought up, without such a list you cannot prove the property existed. Catch22. They can detain you in a cell, in a cell block which has been closed due to a heating failure and so cold ice has formed on cell walls, and other prisoners moved to a detention centre, because PACE doesn’t exclude it and perhaps they feel you need to be ‘softened up’ prior to questioning.

    I’ll stop before I go into full on rant mode. Why anyone thinks that RIPA, SOCA, Terrorist Act, were in any way to deal with the headline Act name is beyond me. They are all designed to give the state more power and control over the public than any terrorist or criminal organisation.

     
