Comments on: Does Windows BitLocker spell the end of the office loan laptop?

By: Alan

Alan — Thu, 26 Nov 2009 10:03:43 +0000

Some fine legal “advice” here, quoting Acts and legal process. I wonder how many of you are experienced in the law, ie solicitors or the like. Very fine, it the written part of our legal framework.

No I wonder how many of you have experience of the receiving end of the law. Let me tell you, legal niceties get thrown out of the window. Plod is supposed to do a lot of things when they ransa^H^H^H^H^H search your house. They dont, because they can get away with no doing it. They can steal oyur property, because they can get away with it. They can destroy your property, and get away with it. In each case, because they didnt list it. And yes, that it is technicallity that can be bought up, without such a list you cannot prove the property existed. Catch22. They can detain you in a cell, in a cell block which has been closed due to a heating failure and so cold ice ohas formed on cell walls, and other prisoners moved to a detention centre, because PACE doesnt exclude it and perhaps they feel you need to be ’softened up’ prior to questioning.

I’ll stop before I go into full on rant mode. Why anyone thinks that RIPA, SOCA, Terrorist Act, were in any way todeal with the headline Act name is beyond me. They are all designed to give the state more power and control over the public than any terrorist or criminal organisation.

By: Steve Cassidy

Steve Cassidy — Mon, 16 Nov 2009 23:52:43 +0000

I think there’s some incredulity here, too, about police stops. My “Cable guy” was stopped in the depths of Gloucestershire one night, in the rain: The constabulary wanted to se what was in his van. He said there was over 20 grandsworth of stuff from Fluke, 3om, and Cisco, and he really didn’t want to get it all out in the rain (which was true). So they breathalysed him, checked his insurance (20 minutes on the phone) and eventually gave him 3 points and a £60 fine because he hadn’t informed the DVLA that he was no longer wearing glasses after having had LASIK surgery. It’s against that kind of background that I thought the issue of taking sensible precautionsaround BitLocker implementations should probably go a bit further than just the technical…

By: John T

John T — Mon, 16 Nov 2009 21:24:38 +0000

I can’t for the life of me see why Steve’s point was so difficult to grasp – seemed plain and simple enough to me.

No longer, but I used to work for a ‘megacorp’ myself, (1000+ in London alone) and they will definitely go for the BitLocker flavour of 7 – and the fact that a ‘four man a dog’ sized company may not be affected by this issue is probably not going to be of much comfort for anyone who DOES get caught up in it.

We all know that most coppers are just decent blokes doing a difficult job, but we all also know that there are some ‘rotten apples’ who take great pleasure in making your life a misery, simply because they can.

Add to that the stress they may be under if they think their life is in danger by being where they are, and casual belligerence could very easily become something else.

I think the point of this blog is valid – the law currently puts companies and their staff in a ‘heads I win, tails you lose’ scenario.

Ill considered and conflicting laws that impinge on our freedoms eh? Who’d have imagined it…

By: Steve Cassidy

Steve Cassidy — Mon, 16 Nov 2009 10:27:39 +0000

Thanks Charles, that’s exactly what I was driving at. I believe that there are already tensions (shall we say!) on the general subject of timeliness of getting at people’s stuff during any investigation which involves a computer; it’s hard to reconcile the duration of the detention/interrogation period, with a timeline of “weeks” to crack the netbook the poor bloke was arrested with!

My intent in pointing out this scenario isn’t about the scenarios where the cops have good reason to get into a machine; it’s where they have no reason, and are hunting for any way to mess with the life of the subject. I think the fix for this issue is a big sticker, with words on it to the effect of “this is the property of megacorp, as is all the data on the machine. The legal owner of this intellectual property is Mr. F. Kafka, Company Secretary”.

I know this means that in the kind of pointless interference stop I’ve experienced, the cops will just move on to some other basis for delay – but the important thing is, they can’t make use of a catch-22.

By: Charles Marsh

Charles Marsh — Mon, 16 Nov 2009 01:37:17 +0000

Steve Cassidy wrote, “…what the law says is not ‘temporarily unable to provide passwords until the IT helpdesk arrives in the morning’, or ‘unable to unlock the PC due to being absent minded and having the passwords somewhere down the back of the sofa on a “Hello Kitty” USB stick’…”

That’s exactly what the law does say. Section 49(4) states that the notice “must allow a period for compliance which is reasonable in all the circumstances.” Given the potentially serious penalty for getting it wrong, being given time to seek legal advice and to be absolutely sure you have fully complied is not unreasonable. In practice, this means weeks.

The legislation is written so that a section 49 notice can only be imposed on a regular employee as a last resort. For encryption managed by a business, the notice can be imposed on an employee only if it is impractical to impose it on a senior officer of the company or partner of the firm.

Also, an over-excited constable can’t authorise a section 49 notice. The police must first seek the approval of the National Technical Assistance Centre. While it’s then possible for certain high-ranking police officers to authorise a notice without getting further permission, for the last reported year, the permission of a Judge was always sought.

While a computer can be seized in an instant, Part III of RIPA is part of the subsequent, slow investigation. Recently, Deputy Assistant Commissioner Janet Williams said that police computer forensics was so slow that it was too slow. Section 49 notices don’t provide for at-the-scene decryption. The process is complex, burdensome and, unsurprisingly, not very often used.

Of course, none of this is much comfort to you as an employee if the police decide, for whatever reason, that they want to arrest you.

By: Steve Cassidy

Steve Cassidy — Sat, 14 Nov 2009 12:44:51 +0000

OK, let’s be clear. Yes, I a talking about a situation which is of concern only to those with corporate-licenced laptops. Not to all those other licences that don’t include BitLocker. That’s probably why I put “BitLocker” in the blog title…

Secondly: Yes, this depends on the reaction and skill-set of the average Bobby, as is the case with most laws. I think there’s an interesting question there about profiles – how does an arresting officer decide that the data he is looking at is merely secured (no rights) versus actually encrypted (needs a key)? The first sort is legal, the second sort, isn’t. There seems to be no guidance on this matter. However – I don’t think you can make company policies out of an assumption that Dimbleby will simply be too thick to spot the problem – I wouldn’t be happy to work for a boss who says “and if any coppers ask you for the password, tell them to sod off…”, on the same simple basis as bus drivers are not expected to keep to schedules that require them to break the speedl imit.

By: David W

David W — Sat, 14 Nov 2009 10:36:50 +0000

Vista had Enterprise, the same as Windows 7.

Steve, he means that SOHO PCs will be using Windows 7 Business, so BitLocker is not an issue, they need to either use W7 Ultimate or be part of a corporate licensing scheme and get W7 Enterprise. in order to be able to use BitLocker – and a majority of other features Business users would find interesting.

As to profiles, even today, if the laptop is set-up correctly, the user will only have access to their profile, they won’t be able to see the profiles of other users, without either the other users’ passwords or the administrator password.

Okay, for the forensic expert, there are ways around this, but the average user and the average bobby won’t know how to look at other users’ profiles.

By: Steve Cassidy

Steve Cassidy — Fri, 13 Nov 2009 23:53:00 +0000

James; I can’t really see what you are saying from what you’ve quoted. Yes, the law permits discretion – but that runs both ways: You can either be let off because the desk sergeant desides you are being reasonable – or you can be banged up because your IT team are under instruction not to divulge passwords, on pain of a half million pound fine. It seems like there’s a sizeable gap in the “reasonableness” stakes here, between what’s expected of firms, and what individual employees need to establish about the kit they use, before they come into contact with the law.

Stephen: You are right about a particular segment of the market. That is however, not the segment I’m addressing.

By: Stephen Ferns

Stephen Ferns — Fri, 13 Nov 2009 23:26:01 +0000

Steve, I fear you are somewhat missing my point.
Looking back over previous versions of Windows, starting with XP, Professional was the full blown full version. Vista had a Business Edition. This was a everything the vast majority of businesses would want in a product, including BitLocker. Ultimate in Vista was seen as a more of a home product, that in the end promised many things to the users who purchased it and in the end, delivered little over Home Premium, with the addition of being able to be added to a domain.
Bring on Windows 7 and MS try to make life easier for those who have to chose. Away with the many versions, Vista Business becomes the Professional version again and Ultimate looks, at the outset, to be just a home user experience O/S with a small business cross over.
So, lets look at this from a real world perspective, rather than what happens to interest you. Most companies, at this time, do not even consider drive encryption when purchasing a laptop. Most companies do not have any kind of IT administrator and chose machines based on cost and whether it will do what they are aware that they need it to do, so, as I mentioned earlier, will opt for 7 Professional aka Business. Somewhere down the line, the issue of drive encryption may come up for some of these companies, at which point they will realise that if they want this feature from MS, they will have to fork out more money. Now given that pretty much the only people in the world who would ever want drive encryption would be business users, why, as a company, would you not include this feature in what you advertise as being your business package … more so, given that they included it in their older business offering

By: James D

James D — Fri, 13 Nov 2009 21:38:49 +0000

“If any person with the appropriate permission under Schedule 2 believes, on reasonable grounds—

(a) that a key to the protected information is in the possession of any person”

Seems to me that if you don’t have the key, then they can’t bust you for it.