Fairly serious data breach worth ukp4 per head?

[Roland Perry]

<https://ico.org.uk/about-the-ico/news-and-events/news-and-
blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/>

"Information belonging to up to 250 people, including vulnerable
adults and children, was uploaded to the internet when the
barrister’s husband updated software on the couple’s home
computer."
--
Roland Perry

[Handsome Jack]

Roland Perry <rol...@perry.co.uk> posted

><https://ico.org.uk/about-the-ico/news-and-events/news-and-
>blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/>
>
> "Information belonging to up to 250 people, including vulnerable
> adults and children, was uploaded to the internet when the

> barrister’s husband updated software on the couple’s home
> computer."

Fascinating case, thanks for posting it.

But I don't necessarily agree with your implication that the fine should
have been higher. Given that the offender was a private individual
(albeit a barrister) it is quite high enough to act as a deterrent, if
any were needed. Presumably any individual who suffered actual damage
from the leak can sue (although I suppose they might not know it had
happened).

On the technical side, I don't agree with the ICO's view that the data
should have been encrypted. Why bother? It was never intended to leave
the barrister's home. The wrongdoing was her husband's in uploading the
files to the Net. What a bloody silly thing to do when memory sticks are
cheap, widely available and more secure.

--
Jack

[Chris R]

On 17/03/2017 21:13, Roland Perry wrote:
> https://ico.org.uk/about-the-ico/news-and-events/news-and-
> blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/

There is still widespread ignorance in the legal profession of the
technical measures needed to protect data, outside of organisations big
enough to have appropriate IT professionals.

I'm not sure many non-experts would have avoided this particular error,
which seems to relate to some form of cloud backup being exposed to
search engines on the internet. Very few lawyers have the resources to
test the promises made by suppliers. Though special precautions are
appropriate if the data is of a sensitive nature - it's not clear what
exactly this was.

Disk encryption would not have prevented this issue, as the files appear
to have been copied to the cloud from within the filesystem, though if
the drive had been encrypted the . In most legal practice it is not
practical to encrypt all files on a file-by-file basis. Access is too
frequent, passwords could not be managed and files need to be shared,
and accessible for supervisory and regulatory purposes. I can't help
feeling that this barrister was just unlucky.
--
Chris R

========legalstuff========
I post to be helpful but not claiming any expertise nor intending
anyone to rely on what I say. Nothing I post here will create a
professional relationship or duty of care. I do not provide legal
services to the public. My posts here refer only to English law except
where specified and are subject to the terms (including limitations of
liability) at http://www.clarityincorporatelaw.co.uk/legalstuff.html
======end legalstuff======

[Chris R]

On 18/03/2017 12:21, Handsome Jack wrote:
> Roland Perry <rol...@perry.co.uk> posted
>> <https://ico.org.uk/about-the-ico/news-and-events/news-and-
>> blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/>
>>

> On the technical side, I don't agree with the ICO's view that the data
> should have been encrypted. Why bother? It was never intended to leave
> the barrister's home. The wrongdoing was her husband's in uploading the
> files to the Net. What a bloody silly thing to do when memory sticks are
> cheap, widely available and more secure.
>

But easily lost or stolen, and difficult for a layman to protect with
encryption.

It's not clear what form of upload to the internet this was. Use of
cloud services for sensitive data seems to be positively encouraged.

Having a system under which the person responsible for running and
backing up the system has no access to files is pretty much impossible.
--
Chris R

[Roland Perry]

In message <ikX56jQ+...@invalid.com>, at 12:21:18 on Sat, 18 Mar
2017, Handsome Jack <Ja...@nowhere.com> remarked:

>Roland Perry <rol...@perry.co.uk> posted
>><https://ico.org.uk/about-the-ico/news-and-events/news-and-
>>blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/>
>>
>> "Information belonging to up to 250 people, including vulnerable
>> adults and children, was uploaded to the internet when the

>> barrister’s husband updated software on the
>>couple’s home

>> computer."
>
>Fascinating case, thanks for posting it.
>
>But I don't necessarily agree with your implication that the fine should
>have been higher. Given that the offender was a private individual
>(albeit a barrister) it is quite high enough to act as a deterrent, if
>any were needed. Presumably any individual who suffered actual damage

Since Vidal-Hall they can sue for distress too.

>from the leak can sue (although I suppose they might not know it had
>happened).
>
>On the technical side, I don't agree with the ICO's view that the data
>should have been encrypted. Why bother?

While in many cases it's a pointless mantra, in this instance the
precaution would have prevented the data leaking.

>It was never intended to leave
>the barrister's home. The wrongdoing was her husband's in uploading the
>files to the Net. What a bloody silly thing to do

If I'm reading it correctly, the uploading was due to re-installing a
major update, and so you need to park the "old config + data" somewhere.

>when memory sticks are cheap, widely available and more secure.

My laptop has about 80GB of data, and that's a bit on the low side these
days. My desktop has around 5TB. Memory sticks are not suitable for
backing up such amounts of data.
--
Roland Perry

[Roland Perry]

In message <oajduk$p1j$1...@dont-email.me>, at 13:52:46 on Sat, 18 Mar
2017, Chris R <invalid...@invalid.invalid.com> remarked:

>On 17/03/2017 21:13, Roland Perry wrote:
>> https://ico.org.uk/about-the-ico/news-and-events/news-and-
>> blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/
>
>There is still widespread ignorance in the legal profession of the
>technical measures needed to protect data, outside of organisations big
>enough to have appropriate IT professionals.
>
>I'm not sure many non-experts would have avoided this particular error,
>which seems to relate to some form of cloud backup being exposed to
>search engines on the internet.

More information about which cloud might help us analyse the situation.

>Very few lawyers have the resources to test the promises made by
>suppliers.

Some could backup services are explicitly compliant with the "Safe
Harbour" rules (as were), which should be good enough certification for
most purposes.

>Though special precautions are appropriate if the data is of a
>sensitive nature - it's not clear what exactly this was.

The report is fairly explicit on that matter.

>Disk encryption would not have prevented this issue, as the files
>appear to have been copied to the cloud from within the filesystem,

Microsoft's Encrypting File System (EFS) should allow this, with very
little of the pain you mention later.

>though if the drive had been encrypted the . In most legal practice it
>is not practical to encrypt all files on a file-by-file basis. Access
>is too frequent, passwords could not be managed and files need to be
>shared, and accessible for supervisory and regulatory purposes.

This wasn't a server, and if files need to be *sent* to someone else,
then encrypting that transfer of perhaps the plain text is another
fairly well solved problem.

>I can't help feeling that this barrister was just unlucky.

The way I read it, the files should never have been on a BYOD in the
first place.
--
Roland Perry

[Roland Perry]

In message <oaje5v$pod$1...@dont-email.me>, at 13:56:41 on Sat, 18 Mar

2017, Chris R <invalid...@invalid.invalid.com> remarked:

>On 18/03/2017 12:21, Handsome Jack wrote:
>> Roland Perry <rol...@perry.co.uk> posted
>>> <https://ico.org.uk/about-the-ico/news-and-events/news-and-
>>> blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/>
>>>
>> On the technical side, I don't agree with the ICO's view that the data
>> should have been encrypted. Why bother? It was never intended to leave
>> the barrister's home. The wrongdoing was her husband's in uploading the
>> files to the Net. What a bloody silly thing to do when memory sticks are
>> cheap, widely available and more secure.
>>
>But easily lost or stolen, and difficult for a layman to protect with
>encryption.

They are trivially encrypted on standard Microsoft platforms.

Plus loads of utilities. If I tell you my oldest memory stick with
encryption is a then-max-available 32MB, you can see how long this has
been possible.

>It's not clear what form of upload to the internet this was.

Not which cloud, but the purpose seemed clear from the article.

>Use of cloud services for sensitive data seems to be positively
>encouraged.

I'd also encourage deleting things stored for temporary purposes in the
cloud.

>Having a system under which the person responsible for running and
>backing up the system has no access to files is pretty much impossible.

No normal system will have that restriction.
--
Roland Perry

[Caecilius]

On Sat, 18 Mar 2017 13:57:40 +0000, Roland Perry <rol...@perry.co.uk>
wrote:

>In message <ikX56jQ+...@invalid.com>, at 12:21:18 on Sat, 18 Mar
>2017, Handsome Jack <Ja...@nowhere.com> remarked:
>>Roland Perry <rol...@perry.co.uk> posted
>>><https://ico.org.uk/about-the-ico/news-and-events/news-and-
>>>blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/>
>>>
>>> "Information belonging to up to 250 people, including vulnerable
>>> adults and children, was uploaded to the internet when the
>>> barrister’s husband updated software on the
>>>couple’s home
>>> computer."
>>
>>Fascinating case, thanks for posting it.
>>
>>But I don't necessarily agree with your implication that the fine should
>>have been higher. Given that the offender was a private individual
>>(albeit a barrister) it is quite high enough to act as a deterrent, if
>>any were needed. Presumably any individual who suffered actual damage
>
>Since Vidal-Hall they can sue for distress too.
>
>>from the leak can sue (although I suppose they might not know it had
>>happened).
>>
>>On the technical side, I don't agree with the ICO's view that the data
>>should have been encrypted. Why bother?
>
>While in many cases it's a pointless mantra, in this instance the
>precaution would have prevented the data leaking.

I'm not sure it would have. "encryption" is often bandied about as if
it's some sort of cure for all ills, when it's not really.

For example, the desktop may well have had full-disk encryption using
bitlocker or similar. That would protect the data in the case of
unauthorised physical access, but in this example the husband would
have authenticated and legitimately gained access to the decrypted
disk contents. Full-disk encryption wouldn't have helped.

Also, the connection between the PC and the Internet cloud service
that was used to store the data could have been (and likely was)
encrypted using SSL/TLS. But that only protects the data in transit;
not the data at rest and therefore wouldn't have helped.

What could have helped is if the barrister had seperately encrypted
the files containing the confidential data. But that's not a trivial
thing to do, and I don't know many people who do it.

>>It was never intended to leave
>>the barrister's home. The wrongdoing was her husband's in uploading the
>>files to the Net. What a bloody silly thing to do
>
>If I'm reading it correctly, the uploading was due to re-installing a
>major update, and so you need to park the "old config + data" somewhere.
>
>>when memory sticks are cheap, widely available and more secure.
>
>My laptop has about 80GB of data, and that's a bit on the low side these
>days. My desktop has around 5TB. Memory sticks are not suitable for
>backing up such amounts of data.

When you get above about 100GB, USB disks are the way to go. As you
say, it's too much for USB sticks (although they're getting bigger all
the time), and it's also too much for a cloud upload unless you're
happy to wait for a day or so.

[Chris R]

On 18/03/2017 14:26, Roland Perry wrote:
> In message <oajduk$p1j$1...@dont-email.me>, at 13:52:46 on Sat, 18 Mar
> 2017, Chris R <invalid...@invalid.invalid.com> remarked:
>> On 17/03/2017 21:13, Roland Perry wrote:
>>> https://ico.org.uk/about-the-ico/news-and-events/news-and-
>>> blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/
>>

>> Very few lawyers have the resources to test the promises made by
>> suppliers.
>
> Some could backup services are explicitly compliant with the "Safe
> Harbour" rules (as were), which should be good enough certification for
> most purposes.

Only relevant if the data is being transferred outside the EU, and you
are still reliant on the supplier actually doing what they say they do.
Most promises of "military grade encryption" etc are pretty worthless. I
don't suppose the supplier who exposed the data to the internet
mentioned that intention in its marketing blurb or policy statements.

>
>> Though special precautions are appropriate if the data is of a
>> sensitive nature - it's not clear what exactly this was.
>
> The report is fairly explicit on that matter.

It contained data relating to "vulnerable persons" but so does the phone
book. If she was handling 250 child abuse cases, that's a different
league to routine divorces that might mention the name and age of a child.

>
>> Disk encryption would not have prevented this issue, as the files
>> appear to have been copied to the cloud from within the filesystem,
>
> Microsoft's Encrypting File System (EFS) should allow this, with very
> little of the pain you mention later.

Does EFS offer any advantages over Bitlocker (or the consumer-grade
Device Encryption) in this respect? I don't know about EFS, but
Bitlocker is only protection against the bad guy without access to the
user account - once logged in as the user, the files are accessible and
if moved or copied elsewhere to an unencrypted drive, they won't be
encrypted. I imagine that's what the barrister's husband did.

>
>> though if the drive had been encrypted the . In most legal practice it
>> is not practical to encrypt all files on a file-by-file basis. Access
>> is too frequent, passwords could not be managed and files need to be
>> shared, and accessible for supervisory and regulatory purposes.
>
> This wasn't a server, and if files need to be *sent* to someone else,
> then encrypting that transfer of perhaps the plain text is another
> fairly well solved problem.

I agree as regards sending things, although a shockingly large amount of
legal work still goes entirely unprotected, by email with unencrypted
attachments.

But the legal regulators insist both that you must protect the
confidentiality of data, and have it accessible if some disaster happens
and a colleague takes over, or the regulator wants to take possession of
it. Not easy to reconcile if you are a sole practitioner.

>
>> I can't help feeling that this barrister was just unlucky.
>
> The way I read it, the files should never have been on a BYOD in the
> first place.

Where should they have been? I don't suppose most barristers have more
than one PC.
--
Chris R

[Chris R]

On 18/03/2017 15:02, Caecilius wrote:
> On Sat, 18 Mar 2017 13:57:40 +0000, Roland Perry <rol...@perry.co.uk>
> wrote:
>
>> In message <ikX56jQ+...@invalid.com>, at 12:21:18 on Sat, 18 Mar
>> 2017, Handsome Jack <Ja...@nowhere.com> remarked:
>>> Roland Perry <rol...@perry.co.uk> posted
>>>> <https://ico.org.uk/about-the-ico/news-and-events/news-and-
>>>> blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/>
>>>>
>>>> "Information belonging to up to 250 people, including vulnerable
>>>> adults and children, was uploaded to the internet when the

>>>> barrister’s husband updated software on the
>>>> couple’s home

>>>> computer."
>>>
>>> Fascinating case, thanks for posting it.
>>>
>>> But I don't necessarily agree with your implication that the fine should
>>> have been higher. Given that the offender was a private individual
>>> (albeit a barrister) it is quite high enough to act as a deterrent, if
>>> any were needed. Presumably any individual who suffered actual damage
>>
>> Since Vidal-Hall they can sue for distress too.
>>
>> >from the leak can sue (although I suppose they might not know it had
>>> happened).
>>>
>>> On the technical side, I don't agree with the ICO's view that the data
>>> should have been encrypted. Why bother?
>>
>> While in many cases it's a pointless mantra, in this instance the
>> precaution would have prevented the data leaking.
>
> I'm not sure it would have. "encryption" is often bandied about as if
> it's some sort of cure for all ills, when it's not really.
>
> For example, the desktop may well have had full-disk encryption using
> bitlocker or similar. That would protect the data in the case of
> unauthorised physical access, but in this example the husband would
> have authenticated and legitimately gained access to the decrypted
> disk contents. Full-disk encryption wouldn't have helped.

Quite.

>
> Also, the connection between the PC and the Internet cloud service
> that was used to store the data could have been (and likely was)
> encrypted using SSL/TLS. But that only protects the data in transit;
> not the data at rest and therefore wouldn't have helped.
>
> What could have helped is if the barrister had seperately encrypted
> the files containing the confidential data. But that's not a trivial
> thing to do, and I don't know many people who do it.

Not unless the document is extremely sensitive. It just isn't practical
for documents you need to access often and in large volumes. I was
trying to imagine the barrister in court, taking the judge through the
5,000 document bundles, with a unique strong password for each.

>
>>> It was never intended to leave
>>> the barrister's home. The wrongdoing was her husband's in uploading the
>>> files to the Net. What a bloody silly thing to do
>>
>> If I'm reading it correctly, the uploading was due to re-installing a
>> major update, and so you need to park the "old config + data" somewhere.
>>
>>> when memory sticks are cheap, widely available and more secure.
>>
>> My laptop has about 80GB of data, and that's a bit on the low side these
>> days. My desktop has around 5TB. Memory sticks are not suitable for
>> backing up such amounts of data.
>
> When you get above about 100GB, USB disks are the way to go. As you
> say, it's too much for USB sticks (although they're getting bigger all
> the time), and it's also too much for a cloud upload unless you're
> happy to wait for a day or so.
>

But unless the external drive is also protected with full-disk
encryption, the files are en clair on it. Versions of Windows below Pro
don't have the ability to protect external USB drives with Bitlocker. It
took about 24 hours for me to add Bitlocker encryption to my external
drive last week.

[Chris R]

On 18/03/2017 14:44, Roland Perry wrote:
> In message <oaje5v$pod$1...@dont-email.me>, at 13:56:41 on Sat, 18 Mar
> 2017, Chris R <invalid...@invalid.invalid.com> remarked:
>> On 18/03/2017 12:21, Handsome Jack wrote:
>>> Roland Perry <rol...@perry.co.uk> posted
>>>> <https://ico.org.uk/about-the-ico/news-and-events/news-and-
>>>> blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/>

>>> On the technical side, I don't agree with the ICO's view that the data
>>> should have been encrypted. Why bother? It was never intended to leave
>>> the barrister's home. The wrongdoing was her husband's in uploading the
>>> files to the Net. What a bloody silly thing to do when memory sticks are
>>> cheap, widely available and more secure.
>>>
>> But easily lost or stolen, and difficult for a layman to protect with
>> encryption.
>
> They are trivially encrypted on standard Microsoft platforms.

Not trivial at all - Windows versions below Pro have no means of doing
this, and a non-technical user would have no idea how to do it, or that
it was necessary.

>
> Plus loads of utilities. If I tell you my oldest memory stick with
> encryption is a then-max-available 32MB, you can see how long this has
> been possible.

It's possible if you are a sufficiently technical user to be willing to
select, install and use an appropriate utility. I think downloading and
entrusting your security to a random app found on the web would be just
as dangerous ans not encrypting.

[GB]

I back up my most important files to a Google Drive. I don't encrypt
them at all. I rely on Google's assurances that the data is secure.

I appreciate that I could do more, but Google assure me that my data is
encrypted at their end. Of course, they have the encryption keys, but
there's nothing there worth their time to look at.

Am I so wrong about this?

[Mark Goodge]

On Sat, 18 Mar 2017 12:21:18 +0000, Handsome Jack <Ja...@nowhere.com>
wrote:

>On the technical side, I don't agree with the ICO's view that the data
>should have been encrypted. Why bother? It was never intended to leave
>the barrister's home.

That's not the ICO's view. That's a recommendation of both the Bar
Council in general, and, specifically, the Chambers to which the
barrister in question belonged (see paragraph 13 of the detailed
report). So it would not be reasonable for her to claim that she was
unaware of such guidance. Had she needed assistance in securing the
data, I'm sure her Chambers could have offered it. The fact that
another family member (the barrister's husband) had access to the
files via an administration account on the PC means that they were not
secure, even within the home.

>The wrongdoing was her husband's in uploading the
>files to the Net. What a bloody silly thing to do when memory sticks are
>cheap, widely available and more secure.

The wrongdoing by the barrister was allowing her husband access to the
data. Even if he had not done something as stupid as upload it to the
public Internet, that alone would have been a fairly serious data
breach. It's just that his foolish brought that breach to light.

It might have been different had the barrister herself been the only
administrator of the PC, in which case she could reasonably have
assumed that the PC's own security was sufficient (and, in any case,
the egregious error by her husband would have been avoided, so she
wouldn't have had the ICO on her back anyway). But a barrister (an
anyone else entrusted with personal data on their home PC) is not
entitled to trust family members. They have to treat everyone who is
not explicitly authorised to view the data as untrusted, and take
suitable measures to prevent them accessing it.

Mark

[Roland Perry]

In message <o5iqcc9mqb01jgrru...@4ax.com>, at 15:02:31 on
Sat, 18 Mar 2017, Caecilius <nos...@spamless.invalid> remarked:

>What could have helped is if the barrister had seperately encrypted
>the files containing the confidential data. But that's not a trivial
>thing to do, and I don't know many people who do it.

See my earlier reply to ChrisR. It's as easy as setting files to "read
only".

>>>It was never intended to leave
>>>the barrister's home. The wrongdoing was her husband's in uploading the
>>>files to the Net. What a bloody silly thing to do
>>
>>If I'm reading it correctly, the uploading was due to re-installing a
>>major update, and so you need to park the "old config + data" somewhere.
>>
>>>when memory sticks are cheap, widely available and more secure.
>>
>>My laptop has about 80GB of data, and that's a bit on the low side these
>>days. My desktop has around 5TB. Memory sticks are not suitable for
>>backing up such amounts of data.
>
>When you get above about 100GB, USB disks are the way to go. As you
>say, it's too much for USB sticks (although they're getting bigger all
>the time),

Actually, some USB disks are in the "day or two" category. I have a 500G
one which was the biggest and best available at the time, and a full
copy to that takes more than a day.

>and it's also too much for a cloud upload unless you're happy to wait
>for a day or so.

I agree. Cloud backup is an incremental thing, really.
--
Roland Perry

[Mark Goodge]

On Sat, 18 Mar 2017 16:05:23 +0000, Chris R
<invalid...@invalid.invalid.com> wrote:

>On 18/03/2017 14:44, Roland Perry wrote:
>> In message <oaje5v$pod$1...@dont-email.me>, at 13:56:41 on Sat, 18 Mar
>> 2017, Chris R <invalid...@invalid.invalid.com> remarked:
>>> On 18/03/2017 12:21, Handsome Jack wrote:
>>>> Roland Perry <rol...@perry.co.uk> posted
>>>>> <https://ico.org.uk/about-the-ico/news-and-events/news-and-
>>>>> blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/>
>
>>>> On the technical side, I don't agree with the ICO's view that the data
>>>> should have been encrypted. Why bother? It was never intended to leave
>>>> the barrister's home. The wrongdoing was her husband's in uploading the
>>>> files to the Net. What a bloody silly thing to do when memory sticks are
>>>> cheap, widely available and more secure.
>>>>
>>> But easily lost or stolen, and difficult for a layman to protect with
>>> encryption.
>>
>> They are trivially encrypted on standard Microsoft platforms.
>
>Not trivial at all - Windows versions below Pro have no means of doing
>this, and a non-technical user would have no idea how to do it, or that
>it was necessary.

It's arguable that if you are using Windows for professional purposes,
you should be using the Pro version. Microsoft would certainly argue
that, anyway, and I think they have a fair point :-)

Mark

[Chris R]

On 18/03/2017 20:03, Mark Goodge wrote:
> On Sat, 18 Mar 2017 12:21:18 +0000, Handsome Jack <Ja...@nowhere.com>
> wrote:
>
>> On the technical side, I don't agree with the ICO's view that the data
>> should have been encrypted. Why bother? It was never intended to leave
>> the barrister's home.
>
> That's not the ICO's view. That's a recommendation of both the Bar
> Council in general, and, specifically, the Chambers to which the
> barrister in question belonged (see paragraph 13 of the detailed
> report). So it would not be reasonable for her to claim that she was
> unaware of such guidance. Had she needed assistance in securing the
> data, I'm sure her Chambers could have offered it. The fact that
> another family member (the barrister's husband) had access to the
> files via an administration account on the PC means that they were not
> secure, even within the home.

The Bar Council's guidance is actually fairly relaxed:
http://www.barcouncil.org.uk/media/414748/information_security.pdf . The
requirement for encryption is more a recommendation, and it refers back
to the ICO's own recommendation; and it makes it clear that the
encryption referred to is whole-disk encryption, which would not have
helped in this case. Perhaps she would have got off, or been fined less,
had she used encryption, even if the leak still happened.

>
>> The wrongdoing was her husband's in uploading the
>> files to the Net. What a bloody silly thing to do when memory sticks are
>> cheap, widely available and more secure.
>
> The wrongdoing by the barrister was allowing her husband access to the
> data. Even if he had not done something as stupid as upload it to the
> public Internet, that alone would have been a fairly serious data
> breach. It's just that his foolish brought that breach to light.

There was a clear breach, but she was very unlucky to be found out. I
doubt if many home workers take serious measures to protect against
their own family. Who may well be a lot more trustworthy and less likely
to leak data than the entire staff of chambers, or of a solicitors'
firm. Especially as they probably also have access to all the same
documents in the paper file the lawyer brought home to work on. As does
the cleaner in chambers. And the office junior in the IT support company
probably has remote access to all the computers.

>
> It might have been different had the barrister herself been the only
> administrator of the PC, in which case she could reasonably have
> assumed that the PC's own security was sufficient (and, in any case,
> the egregious error by her husband would have been avoided, so she
> wouldn't have had the ICO on her back anyway).

Unless he provides her technical support.

> But a barrister (an
> anyone else entrusted with personal data on their home PC) is not
> entitled to trust family members. They have to treat everyone who is
> not explicitly authorised to view the data as untrusted, and take
> suitable measures to prevent them accessing it.
>

Which is true, but often honoured in the breach, and in reality well
down the list of possible threats.
--
Chris R

[Chris R]

On 18/03/2017 16:10, Roland Perry wrote:
> In message <o5iqcc9mqb01jgrru...@4ax.com>, at 15:02:31 on
> Sat, 18 Mar 2017, Caecilius <nos...@spamless.invalid> remarked:
>
>> What could have helped is if the barrister had seperately encrypted
>> the files containing the confidential data. But that's not a trivial
>> thing to do, and I don't know many people who do it.
>
> See my earlier reply to ChrisR. It's as easy as setting files to "read
> only".

If you are still referring to EFS, the files are decrypted if moved to a
different storage location, so it would not have helped at all.
--
Chris R

[Chris R]

Again, non-technical users are unlikely to know the difference. Is there
any licence condition against using Home for business? Most PC's come
with the Home edition as standard - Pro wasn't even offered as a factory
upgrade last time I looked at buying a new PC - so users would have to
seek it out and pay $70 on top of the cost of their new PC, which I
doubt if many do. Bitlocker is the only thing I could find that I would
use in the Pro version that isn't in Home. Home encrypts the system
drive by default but doesn't allow encryption of USB drives.

[Caecilius]

EFS protects files on a per-user basis. So it *might* have helped,
depending on whether the family share login credentials.

If the barrister used her own user account for her work, and didn't
share the password with the husband, then he wouldn't be able to
decrypt the contents of the files.

But if they share an account, or the husband knew her password and
logged into her account to perform the backup, it wouldn't have
helped.

[Chris R]

On 19/03/2017 07:48, Caecilius wrote:
> On Sun, 19 Mar 2017 00:19:22 +0000, Chris R
> <invalid...@invalid.invalid.com> wrote:
>
>> On 18/03/2017 16:10, Roland Perry wrote:
>>> In message <o5iqcc9mqb01jgrru...@4ax.com>, at 15:02:31 on
>>> Sat, 18 Mar 2017, Caecilius <nos...@spamless.invalid> remarked:
>>>
>>>> What could have helped is if the barrister had seperately encrypted
>>>> the files containing the confidential data. But that's not a trivial
>>>> thing to do, and I don't know many people who do it.
>>>
>>> See my earlier reply to ChrisR. It's as easy as setting files to "read
>>> only".
>>
>> If you are still referring to EFS, the files are decrypted if moved to a
>> different storage location, so it would not have helped at all.
>
> EFS protects files on a per-user basis. So it *might* have helped,
> depending on whether the family share login credentials.
>
> If the barrister used her own user account for her work, and didn't
> share the password with the husband, then he wouldn't be able to
> decrypt the contents of the files.
>

But he wouldn't be able to back them up, either, so by doing the
reinstall he might have deleted them.
--
Chris R

[Caecilius]

On Sun, 19 Mar 2017 10:36:44 +0000, Chris R

That would have compromised the availability of the information, but
not the confidentiality.

Generally you're interested in some of: confidentiality, integrity
and/or availability. In this case, confidentiality was important.
Availability might be important if they were the only copies
available, but there might be original copies stored at her chambers
or something.

[The Todal]

I think one point that should be made here is that barristers work in a
very different way from solicitors. A solicitor is usually (well,
nowadays) part of a large firm with an IT department, various policies,
various approved methods of storing and retrieving data. Barristers are
by tradition solitary workers, self-employed, using their chambers to
have meetings and to provide typing services and services for supplying
email. They tend to have their own computers, rather than a computer
issued by chambers. They usually devise their own ways of solving IT
problems. They are usually unaware of gaps in their IT knowledge because
they spend their time getting up to date with law and procedure, not
security and encryption.

[Roland Perry]

In message <uodsccdtsen3tron5...@4ax.com>, at 07:48:48 on
Sun, 19 Mar 2017, Caecilius <nos...@spamless.invalid> remarked:

>>>> What could have helped is if the barrister had seperately encrypted
>>>> the files containing the confidential data. But that's not a trivial
>>>> thing to do, and I don't know many people who do it.
>>>
>>> See my earlier reply to ChrisR. It's as easy as setting files to "read
>>> only".
>>
>>If you are still referring to EFS, the files are decrypted if moved to a
>>different storage location, so it would not have helped at all.
>
>EFS protects files on a per-user basis. So it *might* have helped,
>depending on whether the family share login credentials.
>
>If the barrister used her own user account for her work, and didn't
>share the password with the husband, then he wouldn't be able to
>decrypt the contents of the files.

The report has passing mention of the potential risk of the husband
viewing the files, but it was people on the wider Internet who stumbled
over them after the upload, and that some had been indexed by a search
engine which was the focus.

>But if they share an account, or the husband knew her password and
>logged into her account to perform the backup, it wouldn't have
>helped.

If the husband has Administrator status (assuming this is Windows) then
he'll have access to the files, even if he can't decrypt them. Any
backup solution which would work for the wife (in terms of ways[1] to
send password protected files to the cloud, rather than a USB drive),
would work just as well for him.

[1] I'll be expanding on this later.
--
Roland Perry

[Chris R]

On 19/03/2017 10:53, Caecilius wrote:
> On Sun, 19 Mar 2017 10:36:44 +0000, Chris R
> <invalid...@invalid.invalid.com> wrote:
>
>> On 19/03/2017 07:48, Caecilius wrote:
>>> On Sun, 19 Mar 2017 00:19:22 +0000, Chris R
>>> <invalid...@invalid.invalid.com> wrote:
>>>
>>>> On 18/03/2017 16:10, Roland Perry wrote:
>>>>> In message <o5iqcc9mqb01jgrru...@4ax.com>, at 15:02:31 on
>>>>> Sat, 18 Mar 2017, Caecilius <nos...@spamless.invalid> remarked:
>>>>>

>> But he wouldn't be able to back them up, either, so by doing the
>> reinstall he might have deleted them.
>
> That would have compromised the availability of the information, but
> not the confidentiality.
>
> Generally you're interested in some of: confidentiality, integrity
> and/or availability. In this case, confidentiality was important.
> Availability might be important if they were the only copies
> available, but there might be original copies stored at her chambers
> or something.
>

That's kind of my point: you will get it in the neck from the regulators
if you get any one of those less than perfect, without regard to the
need for the others.
--
Chris R

[Chris R]

Though there is also a new breed of solicitors in small or sole
practices, often working from home, with similar problems.
--
Chris R

[Roland Perry]

In message <oakili$4po$1...@dont-email.me>, at 00:19:22 on Sun, 19 Mar
2017, Chris R <invalid...@invalid.invalid.com> remarked:

>>> What could have helped is if the barrister had seperately encrypted
>>> the files containing the confidential data. But that's not a trivial
>>> thing to do, and I don't know many people who do it.
>>
>> See my earlier reply to ChrisR. It's as easy as setting files to "read
>> only".
>
>If you are still referring to EFS, the files are decrypted if moved to
>a different storage location, so it would not have helped at all.

You can move them to a USB drive, and there are some ruses to
encapsulate them to upload to the cloud. There are other file-encryption
schemes (integrated with clouds, and not) which I hope to have time to
describe later.
--
Roland Perry

[Roland Perry]

In message <oalsfi$8hi$1...@dont-email.me>, at 12:12:58 on Sun, 19 Mar

2017, Chris R <invalid...@invalid.invalid.com> remarked:

>> Generally you're interested in some of: confidentiality, integrity
>> and/or availability. In this case, confidentiality was important.
>> Availability might be important if they were the only copies
>> available, but there might be original copies stored at her chambers
>> or something.
>>
>That's kind of my point: you will get it in the neck from the
>regulators if you get any one of those less than perfect, without
>regard to the need for the others.

Solutions exist which easily cope with all the issues. Details later.

--
Roland Perry

[Roland Perry]

In message <oalmr4$l6c$1...@dont-email.me>, at 10:36:44 on Sun, 19 Mar

2017, Chris R <invalid...@invalid.invalid.com> remarked:

>> If the barrister used her own user account for her work, and didn't
>> share the password with the husband, then he wouldn't be able to
>> decrypt the contents of the files.
>>
>But he wouldn't be able to back them up, either, so by doing the
>reinstall he might have deleted them.

That's simply not true, if he had admin access.
--
Roland Perry

[Roland Perry]

In message <oakia3$441$1...@dont-email.me>, at 00:13:14 on Sun, 19 Mar

2017, Chris R <invalid...@invalid.invalid.com> remarked:

>> It's arguable that if you are using Windows for professional purposes,
>> you should be using the Pro version. Microsoft would certainly argue
>> that, anyway, and I think they have a fair point :-)
>>
>Again, non-technical users are unlikely to know the difference.

I don't have such a low opinion of the capability of people with enough
brains to become a "senior Barrister" dealing with cases sufficient
complex to have been escalated to them.
--
Roland Perry

[Roland Perry]

In message <oajlna$k23$1...@dont-email.me>, at 16:05:23 on Sat, 18 Mar

2017, Chris R <invalid...@invalid.invalid.com> remarked:

>> Plus loads of utilities. If I tell you my oldest memory stick with
>> encryption is a then-max-available 32MB, you can see how long this has
>> been possible.
>
>It's possible if you are a sufficiently technical user to be willing to
>select, install and use an appropriate utility. I think downloading and
>entrusting your security to a random app found on the web would be just
>as dangerous ans not encrypting.

No-one is suggesting that. I have some examples here from IBM and
Toshiba. More details later.
--
Roland Perry

[Roland Perry]

In message <ej779a...@mid.individual.net>, at 11:10:33 on Sun, 19
Mar 2017, The Todal <the_...@icloud.com> remarked:

>They are usually unaware of gaps in their IT knowledge because they
>spend their time getting up to date with law and procedure, not
>security and encryption.

Do they also not keep up with traffic law, and hence keep on getting
tickets for things they did on the drive to work that they didn't
realise they shouldn't?

To use different terminology, this IT capability is "mainstream" now.
--
Roland Perry

[Roland Perry]

In message <oajlna$k23$1...@dont-email.me>, at 16:05:23 on Sat, 18 Mar

2017, Chris R <invalid...@invalid.invalid.com> remarked:

>> They are trivially encrypted on standard Microsoft platforms.
>
>Not trivial at all - Windows versions below Pro have no means of doing
>this

As someone once said "don't bring a knife to a gunfight". Last time I
looked, Barristers were professionals. (And to stretch the analogy, it's
easier to kill someone with a gun than a knife).
--
Roland Perry

[Caecilius]

On Fri, 17 Mar 2017 21:13:15 +0000, Roland Perry <rol...@perry.co.uk>
wrote:

><https://ico.org.uk/about-the-ico/news-and-events/news-and-
>blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/>
>
> "Information belonging to up to 250 people, including vulnerable
> adults and children, was uploaded to the internet when the

> barrister’s husband updated software on the couple’s home
> computer."

Looking at the penalty (paras. 58 - 60 in the penalty notice), the ICO
say the penalty is GBP 1,000 payable by 12th April at the latest. An
"early payment discount" of 20% is applicable if payment is made by
11th April, but this discount is not available if the person exercises
their right of appeal.

A cynical person might think this "early payment discount" for paying
one day before the deadline was actually a way to reduce the chances
of respondents appealing.

Why shouldn't the respondent be allowed to pay the "early payment
discount" rate (if that's really what it is) by the required date and
then lodge an appeal if they feel it's warrented?

[Chris R]

On 19/03/2017 18:21, Caecilius wrote:
> On Fri, 17 Mar 2017 21:13:15 +0000, Roland Perry <rol...@perry.co.uk>
> wrote:
>
>> <https://ico.org.uk/about-the-ico/news-and-events/news-and-
>> blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/>

> Looking at the penalty (paras. 58 - 60 in the penalty notice), the ICO
> say the penalty is GBP 1,000 payable by 12th April at the latest. An
> "early payment discount" of 20% is applicable if payment is made by
> 11th April, but this discount is not available if the person exercises
> their right of appeal.
>
> A cynical person might think this "early payment discount" for paying
> one day before the deadline was actually a way to reduce the chances
> of respondents appealing.
>
> Why shouldn't the respondent be allowed to pay the "early payment
> discount" rate (if that's really what it is) by the required date and
> then lodge an appeal if they feel it's warrented?
>

It's a common issue in criminal and disciplinary proceedings. Principles
of justice say it shouldn't matter whether or not the defendant contest
the charge. But cost and expediency require that he be given some
incentive to plead guilty, or not to appeal, as otherwise no-one would
ever plead guilty, all defendants would appeal and the system would be
gridlocked. The trick is to pitch these incentives so they don't unduly
distort the course of justice by making innocent people plead guilty.

It also saves the regulator the costs of enforcement, which would well
exceed £200.

--
Chris R

[Roland Perry]

In message <oajl9q$ibp$1...@dont-email.me>, at 15:58:12 on Sat, 18 Mar
2017, Chris R <invalid...@invalid.invalid.com> remarked:

>> What could have helped is if the barrister had seperately encrypted
>> the files containing the confidential data. But that's not a trivial
>> thing to do, and I don't know many people who do it.
>
>Not unless the document is extremely sensitive. It just isn't practical
>for documents you need to access often and in large volumes. I was
>trying to imagine the barrister in court, taking the judge through the
>5,000 document bundles, with a unique strong password for each.

That's where EFS is helpful as the encryption/decryption is virtually
instantaneous and transparent to the user, and just the initial log-on.

>>> My laptop has about 80GB of data, and that's a bit on the low side these
>>> days. My desktop has around 5TB. Memory sticks are not suitable for
>>> backing up such amounts of data.
>>
>> When you get above about 100GB, USB disks are the way to go. As you
>> say, it's too much for USB sticks (although they're getting bigger all
>> the time), and it's also too much for a cloud upload unless you're
>> happy to wait for a day or so.
>>
>But unless the external drive is also protected with full-disk
>encryption, the files are en clair on it. Versions of Windows below Pro
>don't have the ability to protect external USB drives with Bitlocker. It
>took about 24 hours for me to add Bitlocker encryption to my external
>drive last week.

If this is just a temporary local copy of everything while upgrading the
laptop, encryption isn't an issue.

If it's to make a sneakernet out of the external drive, partition off
only as much as you actually need for the documents to be transferred.
--
Roland Perry

[Roland Perry]

In message <oak9rp$3pn$1...@dont-email.me>, at 21:49:06 on Sat, 18 Mar

2017, Chris R <invalid...@invalid.invalid.com> remarked:

>On 18/03/2017 20:03, Mark Goodge wrote:
>> On Sat, 18 Mar 2017 12:21:18 +0000, Handsome Jack <Ja...@nowhere.com>
>> wrote:
>>
>>> On the technical side, I don't agree with the ICO's view that the data
>>> should have been encrypted. Why bother? It was never intended to leave
>>> the barrister's home.
>>
>> That's not the ICO's view. That's a recommendation of both the Bar
>> Council in general, and, specifically, the Chambers to which the
>> barrister in question belonged (see paragraph 13 of the detailed
>> report). So it would not be reasonable for her to claim that she was
>> unaware of such guidance. Had she needed assistance in securing the
>> data, I'm sure her Chambers could have offered it. The fact that
>> another family member (the barrister's husband) had access to the
>> files via an administration account on the PC means that they were not
>> secure, even within the home.
>
>The Bar Council's guidance is actually fairly relaxed: http://www.barco
>uncil.org.uk/media/414748/information_security.pdf . The requirement
>for encryption is more a recommendation, and it refers back to the
>ICO's own recommendation;

via a broken link :(

>and it makes it clear that the encryption referred to is whole-disk
>encryption,

No (the ICO's advice isn't that detailed) the Bar Council's guidance is
being cautious in a "well, if you use a sledgehammer you are bound to
crack all the nuts" sort of way. There's also some remarks about
directory-level encryption potentially alleviating:

Forgetting to designate email folders. Well, I've been using an email
client that encrypts the message files by default for over 20 yrs.
Ain't no rocket science.

Temporary files might have plain text in them. Getting out my
sledgehammer, designate that temporary (and we might as well be
thorough and include swap-) files all get put in a dedicated
wholly-encrypted partition. Simples!

>which would not have helped in this case. Perhaps she would have got
>off, or been fined less, had she used encryption, even if the leak
>still happened.
>>
>>> The wrongdoing was her husband's in uploading the
>>> files to the Net. What a bloody silly thing to do when memory sticks are
>>> cheap, widely available and more secure.
>>
>> The wrongdoing by the barrister was allowing her husband access to the
>> data. Even if he had not done something as stupid as upload it to the
>> public Internet, that alone would have been a fairly serious data
>> breach. It's just that his foolish brought that breach to light.
>
>There was a clear breach, but she was very unlucky to be found out. I
>doubt if many home workers take serious measures to protect against
>their own family. Who may well be a lot more trustworthy and less
>likely to leak data than the entire staff of chambers, or of a
>solicitors' firm.

Accidental leakage is as likely as deliberate.

>Especially as they probably also have access to all the same documents
>in the paper file the lawyer brought home to work on. As does the
>cleaner in chambers.

That argument cuts no ice, I'm afraid. Those folks should not have
access to the paper documents either.

>And the office junior in the IT support company probably has remote
>access to all the computers.

You either need a support company that'll certify compliance for its
staff in those circumstances, or once again resort to file-level
encryption of the documents they won't want to see anyway.

It might be worth asking around to see how small GP surgeries cope with
this issue.

>> It might have been different had the barrister herself been the only
>> administrator of the PC, in which case she could reasonably have
>> assumed that the PC's own security was sufficient (and, in any case,
>> the egregious error by her husband would have been avoided, so she
>> wouldn't have had the ICO on her back anyway).
>
>Unless he provides her technical support.

You could just as easily say "The lift I got from work by the chap who
has no driving licence is OK because he's my husband and I trust his
skills".

>> But a barrister (an
>> anyone else entrusted with personal data on their home PC) is not
>> entitled to trust family members. They have to treat everyone who is
>> not explicitly authorised to view the data as untrusted, and take
>> suitable measures to prevent them accessing it.
>>
>Which is true, but often honoured in the breach, and in reality well
>down the list of possible threats.

Enough of a threat for the ICO to apparently take it quite seriously.
--
Roland Perry

[Roland Perry]

In message <oajkpk$gfh$1...@dont-email.me>, at 15:49:33 on Sat, 18 Mar

2017, Chris R <invalid...@invalid.invalid.com> remarked:

>On 18/03/2017 14:26, Roland Perry wrote:
>> In message <oajduk$p1j$1...@dont-email.me>, at 13:52:46 on Sat, 18 Mar

>> 2017, Chris R <invalid...@invalid.invalid.com> remarked:

>>> On 17/03/2017 21:13, Roland Perry wrote:
>>>> https://ico.org.uk/about-the-ico/news-and-events/news-and-
>>>> blogs/2017/03/fine-for-lawyer-who-stored-client-files-on-home-computer/
>>>
>>> Very few lawyers have the resources to test the promises made by
>>> suppliers.
>>
>> Some could backup services are explicitly compliant with the "Safe
>> Harbour" rules (as were), which should be good enough certification for
>> most purposes.
>
>Only relevant if the data is being transferred outside the EU, and you
>are still reliant on the supplier actually doing what they say they do.

No, you are conflating two issues. The certification is about the data
being held to EU-required-standards, and as it's a cloud then you need
for EU-EU working, let alone third countries.

I wasn't going to raise it again [I'm still in mid flow on the same
topic in another thread, but have been preoccupied elsewhere recently]
but the husband's backup, if to a cloud, could easily have involved a
third country transfer without his knowledge (unless that was a feature
he had specifically purchased).

>Most promises of "military grade encryption" etc are pretty worthless.

Maybe they often are, but the cloud in question (IBM Connections Cloud)
says it has does have certification [without using silly generalities
that that], and I'm inclined to believe them.

Of course, it also has multiple access/login protocols for those "under
a bus" scenarios which trouble you so much.

Meanwhile, the second of promised solutions is a laptop with a
fingerprint scanner built in. Toshiba's implementation [which I've seen]
again has multiple prints for human resilience, and can log into
Windows, or Websites, on a fingerprint; and can also encrypt files to a
fingerprint. As you can export and save the fingerprint data, then it's
transferable to and from clouds and between machines, independent of the
Windows login password.

>I don't suppose the supplier who exposed the data to the internet
>mentioned that intention in its marketing blurb or policy statements.

I think they should be named and shamed too. It could be something as
daft as in the small print of Google Documents, if you don't set it up
non-default. I don't know (comments from others more familiar, welcome).

>>> Though special precautions are appropriate if the data is of a
>>> sensitive nature - it's not clear what exactly this was.
>>
>> The report is fairly explicit on that matter.
>
>It contained data relating to "vulnerable persons" but so does the
>phone book. If she was handling 250 child abuse cases, that's a
>different league to routine divorces that might mention the name and
>age of a child.

If the ICO says "six of the 15 documents contained confidential and
highly sensitive information", I'm inclined to believe them. The
implication is that each document had multiple persons' data.

>>> Disk encryption would not have prevented this issue, as the files
>>> appear to have been copied to the cloud from within the filesystem,
>>
>> Microsoft's Encrypting File System (EFS) should allow this, with very
>> little of the pain you mention later.
>
>Does EFS offer any advantages over Bitlocker (or the consumer-grade
>Device Encryption) in this respect?

It's on a file by file (or directory by directory) basis.

>I don't know about EFS, but Bitlocker is only protection against the
>bad guy without access to the user account - once logged in as the
>user, the files are accessible

The only better protection would be two-step (ie a second password) or
two-factor (such as password + fingerprint or Yubikey).

>and if moved or copied elsewhere to an unencrypted drive, they won't be
>encrypted. I imagine that's what the barrister's husband did.

There are apparently some tricks to uploading, such as wrapping the file
in another layer of encryption and uploading that. I've finally got
around to testing that (wrap, upload, download elsewhere, unwrap) and it
works. Obviously you still need to log into the original Windows user to
later see 'through' the EFS.

>>> though if the drive had been encrypted the . In most legal practice it
>>> is not practical to encrypt all files on a file-by-file basis. Access
>>> is too frequent, passwords could not be managed and files need to be
>>> shared, and accessible for supervisory and regulatory purposes.
>>
>> This wasn't a server, and if files need to be *sent* to someone else,
>> then encrypting that transfer of perhaps the plain text is another
>> fairly well solved problem.
>
>I agree as regards sending things, although a shockingly large amount
>of legal work still goes entirely unprotected, by email with
>unencrypted attachments.

Using Office document-passwords would be better than nothing. Another
which is less vulnerable to people snooping via third party mail
servers, and easy to use just like conventional email is to go back to
first principles and set up SMTP servers both ends, with direct
transmission. None of this is more complicated than learning how Excel
works.

Finally, a bit more fiddly than the last one, but much more secure, is
setting up an ss*h* server on the destination site and using ssh-ftp
(this is something I've had available when needed since 1999).

>But the legal regulators insist both that you must protect the
>confidentiality of data, and have it accessible if some disaster
>happens and a colleague takes over, or the regulator wants to take
>possession of it. Not easy to reconcile if you are a sole practitioner.

Welcome to the world of Data Controllers. Every self employed
professional, tradesman, micro company etc has to obey the DPA just like
the big boys. It's not an excuse to say "it's too difficult". See above
for some solutions, but lower tech "break the glass" (usually a sealed
envelope in the safe) is a probably adequate for mot smaller firms.

>>> I can't help feeling that this barrister was just unlucky.
>>
>> The way I read it, the files should never have been on a BYOD in the
>> first place.
>
>Where should they have been? I don't suppose most barristers have more
>than one PC.

That must be a bit inconvenient, having to secure it suitable for
transporting from chambers to home to court etc. Where best practice
would say it should be encrypted in transit anyway!

With a reasonable spec laptop costing less than half a day's fees for
a regular barrister, let alone a senior one, seems like a useful
investment to have two. Or in this day and age perhaps one laptop/
desktop plus a compatible tablet/keyboard combo for use in the field.
--
Roland Perry

[Roger Hayter]

Roland Perry <rol...@perry.co.uk> wrote:



>
> It might be worth asking around to see how small GP surgeries cope with
> this issue.

They all use central NHS servers and centrally managed NHS technicians
to administer local 'terminals'. Hopefully the NHS won't let them put
things on external storage so they can really only misuse paper records
if they have any.

--

Roger Hayter

[Roland Perry]

In message <1n3bapw.1sj4vzvw6rw12N%ro...@hayter.org>, at 23:58:43 on
Wed, 22 Mar 2017, Roger Hayter <ro...@hayter.org> remarked:

>> It might be worth asking around to see how small GP surgeries cope with
>> this issue.
>
>They all

All, really?

>use central NHS servers and centrally managed NHS technicians
>to administer local 'terminals'.

I must mention that to my GP surgery's in-house IT chappy who supports
the practice's use of one of the common private sector platforms
(Systmonline by TPP)

Maybe he'll disappear in a puff of logic?
--
Roland Perry

[Chris R]

The MoJ has a closed system for communicating between courts, lawyers
and local authorities in child protection cases. Unfortunately this kind
of security is not easily extendable to more general cases, not least
because clients need to be in the loop. I have seen one firm that was
receiving case documents on the MoJ secure system an then emailing them
internally via Gmail.

I have often warned clients about the insecurity of email, but not one
has ever agreed to use a more secure method of communication. Even
document passwords cause endless problems and are rarely used.
--
Chris R

[Chris R]

As so often, Roland, you are missing the point. There are no methods of
protecting data that don't impose burdens on users that cause a tradeoff
between usability, integrity and security. And I think you hugely
overestimate the technical skills of the average user and small business.

I'm not going to engage in a technical debate, but any security that
encrypts whole drives or folders (such as EFS or Bitlocker) does nothing
to protect copies of those files made by a logged-in user onto other
media. It only protects against theft of the device without access to
the operating system. Secure messaging systems to replace email that
require installation both ends don't work because your clients don't use
them and won't install them - you can't even get them to install a
certificate to use encrypted email within Outlook. Lawyers communicate
mainly with third parties, not within their own organisation.
--
Chris R

[Mark Goodge]

This relates back to the oft-repeated claim, in relation to various
forms of mass surveillance and communication interception, that
"You've got nothing to fear if you've got nothing to hide". The
reality is that a lot of people do have something entirely legitimate
to hide, such as confidential client documents and sensitive personal
data. And the best way to ensure that such data is protected in
transit is to routinely use encrypted communication methods for
everything that isn't public, not just the things that you think need
special treatment. That way, nothing falls through the gaps.

Email is a challenge in that respect, because reverse-engineering end
to end encryption onto it means the use of things like PGP, which
isn't particularly intuitive. It's better, IMO, to start from the
presumption that all email is inherently insecure (as we used to say
when I worked for an ISP: never put anything in an email that you
wouldn't write on a postcard), and use other forms of communication
for anything considered private.

Mark

[Roland Perry]

In message <ob61js$8l6$1...@dont-email.me>, at 15:19:05 on Sat, 25 Mar

2017, Chris R <invalid...@invalid.invalid.com> remarked:

>On 22/03/2017 23:58, Roger Hayter wrote:
>> Roland Perry <rol...@perry.co.uk> wrote:
>>
>>> It might be worth asking around to see how small GP surgeries cope with
>>> this issue.
>>
>> They all use central NHS servers and centrally managed NHS technicians
>> to administer local 'terminals'. Hopefully the NHS won't let them put
>> things on external storage so they can really only misuse paper records
>> if they have any.
>>
>The MoJ has a closed system for communicating between courts, lawyers
>and local authorities in child protection cases.

That will very soon be rolled out much more widely.

>Unfortunately this kind of security is not easily extendable to more
>general cases, not least because clients need to be in the loop. I have
>seen one firm that was receiving case documents on the MoJ secure
>system an then emailing them internally via Gmail.

Oops, potentially a transfer to a third country. Reminds me, I must try
and finish off the loose ends in "that thread".

>I have often warned clients about the insecurity of email, but not one
>has ever agreed to use a more secure method of communication. Even
>document passwords cause endless problems and are rarely used.

We can't just let people flout the DPA "because it's too difficult to
comply". [And someone has a £1000 bill to prove it]

Do they drive round unlicenced on powerful motorbikes because the
transition course from a car licence is "too difficult"?
--
Roland Perry

[Roland Perry]

In message <ce5ddcdu3qvm61h2r...@4ax.com>, at 16:14:18 on
Sat, 25 Mar 2017, Mark Goodge <use...@listmail.good-stuff.co.uk>
remarked:

>>emailing them internally via Gmail.
>>
>>I have often warned clients about the insecurity of email, but not one
>>has ever agreed to use a more secure method of communication. Even
>>document passwords cause endless problems and are rarely used.
>
>This relates back to the oft-repeated claim, in relation to various
>forms of mass surveillance and communication interception, that
>"You've got nothing to fear if you've got nothing to hide". The
>reality is that a lot of people do have something entirely legitimate
>to hide, such as confidential client documents and sensitive personal
>data. And the best way to ensure that such data is protected in
>transit is to routinely use encrypted communication methods for
>everything that isn't public,

like https://mail.google.com, you mean?

(The ensuing copy on Google's servers in the clear is a different can of
worms).

> not just the things that you think need
>special treatment. That way, nothing falls through the gaps.
>
>Email is a challenge in that respect, because reverse-engineering end
>to end encryption onto it means the use of things like PGP, which
>isn't particularly intuitive.

Depends on the implementation. I agree many are seriously suboptimal.
Never trust a coder to design a user interface!

Here on Turnpike it's actually a no-click process assuming some time in
the past you one-clicked a "PGP by default" option.

>It's better, IMO, to start from the presumption that all email is
>inherently insecure (as we used to say when I worked for an ISP: never
>put anything in an email that you wouldn't write on a postcard),

I agree 100%, unless you have in fact enabled PGP or whatever. But even
then the stuff can lak at the other end. But so can a letter in
someone's in-tray.

>and use other forms of communication for anything considered private.

iMessage? But even those can be screen-shot once arrived.
--
Roland Perry

[Mark Goodge]

On Sat, 25 Mar 2017 16:31:42 +0000, Roland Perry <rol...@perry.co.uk>
wrote:

>In message <ce5ddcdu3qvm61h2r...@4ax.com>, at 16:14:18 on
>Sat, 25 Mar 2017, Mark Goodge <use...@listmail.good-stuff.co.uk>
>remarked:
>>>emailing them internally via Gmail.
>>>
>>>I have often warned clients about the insecurity of email, but not one
>>>has ever agreed to use a more secure method of communication. Even
>>>document passwords cause endless problems and are rarely used.
>>
>>This relates back to the oft-repeated claim, in relation to various
>>forms of mass surveillance and communication interception, that
>>"You've got nothing to fear if you've got nothing to hide". The
>>reality is that a lot of people do have something entirely legitimate
>>to hide, such as confidential client documents and sensitive personal
>>data. And the best way to ensure that such data is protected in
>>transit is to routinely use encrypted communication methods for
>>everything that isn't public,
>
>like https://mail.google.com, you mean?

It's only guaranteed to be end to end encrypted if it's Google all the
way. Once you add in any other recipient, you have no further control.

>>It's better, IMO, to start from the presumption that all email is
>>inherently insecure (as we used to say when I worked for an ISP: never
>>put anything in an email that you wouldn't write on a postcard),
>
>I agree 100%, unless you have in fact enabled PGP or whatever. But even
>then the stuff can lak at the other end. But so can a letter in
>someone's in-tray.
>
>>and use other forms of communication for anything considered private.
>
>iMessage? But even those can be screen-shot once arrived.

All communications are vulnerable to being leaked by the sender or
recipient. That's unavoidable, because of necessity both sender and
recipient must be in a position to view the decrypted (or not yet
encrypted) version. Even supposedly ephemeral communications, such as
Snapchat, can be copied by the recipient or sender. The important
thing is to minimise the possibility of someone other than the sender
or recipient having access.

https://twitter.com/aleph_one/status/840393596947771392 is an amusing
illustration of the fallacy that you can prevent the recipient leaking
the communication.

Mark

[Chris R]

I agree, but in the commercial world email is used for everything,
unless unusually sensitive, and there is confidential information flying
about all over the place, with unencrypted attachments. The convenience
of it to users defeats all attempts to induce them to use more secure
methods.

The main obstacle to encrypted email or equivalents is the need to set
it up between sender and recipient. That requires some technical skill,
and in many organisations the end user would be banned form doing it.
But the biggest obstacle is that email allows you to communicate with no
prior setup other than knowing someone's email address.
--
Chris R

[Roger Hayter]

Chris R <invalid...@invalid.invalid.com> wrote:


>
> The main obstacle to encrypted email or equivalents is the need to set
> it up between sender and recipient. That requires some technical skill,
> and in many organisations the end user would be banned form doing it.
> But the biggest obstacle is that email allows you to communicate with no
> prior setup other than knowing someone's email address.

A common procedure is to send the weakly-encryped Microsoft file in one
email, and the password in another. This sort of makes sense if you
believe the only cause of email interception is purely random events.


--

Roger Hayter

[Mark Goodge]

What we need is a WhatsApp type system that works for email addresses
in the same way that WhatsApp itself works for telephone numbers.
Provided you know someone's phone number and you both have WhatsApp
installed, you can communicate securely with them without any need to
swap encryption keys or, indeed, arrange anything else in advance
other than exchanging phone numbers (which, like email addresses, can
be published on a website or a business card).

WhatsApp itself doesn't adapt to the kind of usage as email, though,
not least because it's a smartphone based system which doesn't easily
translate to the kind of usage of a desktop PC email client. You can
use a web-based version of WhatsApp, and you can use it to send
attachments, just like email, but there's no desktop (or even tablet)
client. And it doesn't scale to the quantity of emails that most
professional users of email send and receive, because it doesn't have
any concept of filters and folders.

The principle, though, of a secure messaging system based on the
Telegram protocol (as used by WhatsApp, among others) but with an
email-like user interface is potentially promising. Maybe I should
pitch it to Dragons Den.

Mark

[Chris R]

There are some crucial differences, though. Voice communications are not
as susceptible to man-in-the-middle attacks and authentication can be
achieved by a voice call in WhatsApp. Encryption is no protection
without authentication. And it's device to device, not person to person,
making it hard to receive and manage messages across locations and
devices. I think everyone aware that something of that nature is needed,
but no-one has come up with a system that gets enough traction to become
the standard. And of course even with WhatsApp, both parties need to
have accounts; we tried to circulate a picture only today, only to find
that one family member out of three didn't have WhatsApp, so it had to
go by a different route. By default, WhatsApp doesn't even tell you if
the other party's certificate changes (which could mean a man in the
middle) and most users would ignore such a message anyway. And it's a
service, not just a protocol, which means you have to trust the supplier
with your security and to maintain continuity of service. Fine if you
are consumer, less attractive if you are a bank.
--
Chris R

[Roland Perry]

In message <44qfdc9ftgco8o8pf...@4ax.com>, at 17:19:05 on
Sun, 26 Mar 2017, Mark Goodge <use...@listmail.good-stuff.co.uk>
remarked:

>What we need is a WhatsApp type system that works for email addresses
>in the same way that WhatsApp itself works for telephone numbers.

Things like Apple Mail do that, but have the show-stopper as far as
ChrisR is concerned that both ends need to subscribe to a common app[1].

Actually, MS "Outlook in the cloud" is what you really need because it's
available on many more platforms (both in terms of diversity, and
installed base).

Or perhaps Gmail, as that has wide apps and browser support.

(all of those above, including WhatsApp) have as yet unresolved issues
to do with "safe harbourism".

[1] Either a phone implementation or a PC one, but obviously
interoperability between the two is necessary.
--
Roland Perry

[Roland Perry]

In message <ob8ric$vkd$1...@dont-email.me>, at 17:54:15 on Sun, 26 Mar

2017, Chris R <invalid...@invalid.invalid.com> remarked:

>you have to trust the supplier with your security and to maintain
>continuity of service. Fine if you are consumer, less attractive if you
>are a bank.

Don't use consumer-grade solutions for industrial-strength requirements.

Many of the well known consumer platforms also have versions with extra
certifications/QoS for the business user.
--
Roland Perry

[Mark Goodge]

On Sun, 26 Mar 2017 19:49:34 +0100, Roland Perry <rol...@perry.co.uk>
wrote:

But that still has problems when it comes to communicating with random
strangers (or even random customers and clients, if you have enough of
them). The advantage of email is that it's ubiquitous; if you are on
the Internet, you have it. Nothing else reaches anywhere near that
level of market penetration.

Mark

[Roland Perry]

In message <vg8ddchls07qt4r8b...@4ax.com>, at 17:10:44 on

Sat, 25 Mar 2017, Mark Goodge <use...@listmail.good-stuff.co.uk>
remarked:

>>>the best way to ensure that such data is protected in
>>>transit is to routinely use encrypted communication methods for
>>>everything that isn't public,
>>
>>like https://mail.google.com, you mean?
>
>It's only guaranteed to be end to end encrypted if it's Google all the
>way. Once you add in any other recipient,

"Don't do that then".

>you have no further control.

Sure, although it always pays to quantify the risk. At what point
between the Gmail server exploding it, and it arriving in a non-Gmail
mailbox, do you think the main risk is?
--
Roland Perry

[Roland Perry]

In message <tk8gdc5lojm8pmqfs...@4ax.com>, at 21:22:54 on
Sun, 26 Mar 2017, Mark Goodge <use...@listmail.good-stuff.co.uk>

remarked:
>>>you have to trust the supplier with your security and to maintain
>>>continuity of service. Fine if you are consumer, less attractive if you
>>>are a bank.
>>
>>Don't use consumer-grade solutions for industrial-strength requirements.
>>
>>Many of the well known consumer platforms also have versions with extra
>>certifications/QoS for the business user.
>
>But that still has problems when it comes to communicating with random
>strangers (or even random customers and clients, if you have enough of
>them).

Yes, I realise that's a problem (and I'm composing a longer reply direct
to ChrisR), but so is being fined for not being Principle 7 compliant.

>The advantage of email is that it's ubiquitous;

Motor cars are ubiquitous, doesn't mean you are supposed to drive one
without passing your test (or its test).

>if you are on the Internet, you have it. Nothing else reaches anywhere
>near that level of market penetration.

That's not an excuse, it's an apologia.
--
Roland Perry

[Mark Goodge]

On Sun, 26 Mar 2017 21:43:49 +0100, Roland Perry <rol...@perry.co.uk>
wrote:

>In message <vg8ddchls07qt4r8b...@4ax.com>, at 17:10:44 on
>Sat, 25 Mar 2017, Mark Goodge <use...@listmail.good-stuff.co.uk>
>remarked:
>>>>the best way to ensure that such data is protected in
>>>>transit is to routinely use encrypted communication methods for
>>>>everything that isn't public,
>>>
>>>like https://mail.google.com, you mean?
>>
>>It's only guaranteed to be end to end encrypted if it's Google all the
>>way. Once you add in any other recipient,
>
>"Don't do that then".

Which you can't avoid, if one of the people you need to communicate
with doesn't use Gmail. Of even if any of those who do use it, also
have it set to forward to a different address.

>>you have no further control.
>
>Sure, although it always pays to quantify the risk. At what point
>between the Gmail server exploding it, and it arriving in a non-Gmail
>mailbox, do you think the main risk is?

If it's transmitted in the clear at any point, then it's vulnerable to
even trivial interception. For the most part, that may not be an issue
if the only people with easy access to the message in transit are ISP
employees. But deliberate access isn't necessarily the main concern.
AS this thread itself illustrates, inadvertantly making data public is
no less a breach of the DPA or other privacy concerns.

It doesn't have to be what hackers are looking for, as such. It could
just be what they stumble across. A good example of that is the late,
unlamented ACS:Law - they accidentally made their entire email archive
public due to a hurried (and botched) attempt to deal with a fairly
minor DDoS attack. One of the more widely held fallacies is that
security can be a low priority because "I'm not the sort of person
that hackers/identity fraudsters/whatever are interested in". In
reality, many of the more serious breaches of security don't come from
a targetted attack, but from just shaking the tree and seeing what
falls out.

Mark

[Roland Perry]

In message <ob6168$7c3$1...@dont-email.me>, at 15:11:50 on Sat, 25 Mar

It's one of those irregular verbs:

"I am talking past you; you missing the point; they are at cross
purposes".

>There are no methods of protecting data that don't impose burdens on
>users that cause a tradeoff between usability, integrity and security.

Exactly, no gain without (some) pain.

> And I think you hugely overestimate the technical skills of the
>average user and small business.

You are addressing the wrong question which isn't:

"How can we train our staff to implement sufficient security" or even
"How are we supposed to find compliant solutions when non-compliant SMTP
mail is staring us in the face", but
"How do we make our operation Principle-7 compliant, which is a legal
requirement"

>I'm not going to engage in a technical debate,

Fair enough, although to be frank isn't EFS and Bitlocker [see below]
"technical"?

> but any security that encrypts whole drives or folders (such as EFS or
>Bitlocker) does nothing to protect copies of those files made by a
>logged-in user onto other media. It only protects against theft of the
>device without access to the operating system.

I've already answered all that in detail, so no need for me to get into
a technical debate today, either.

>Secure messaging systems to replace email that require installation
>both ends don't work because your clients don't use them and won't
>install them - you can't even get them to install a certificate to use
>encrypted email within Outlook. Lawyers communicate mainly with third
>parties, not within their own organisation.

I understand all that [hand-wringing] and have seen it in action (and
solved by me, three times now between 2001 and 2014) in scenarios
requiring "Caeser's wife" Principle-7 compliance.

To play fair, I won't mention any more technical solutions, but I have
an organisational solution for you [modulo the issue of picking a cloud
file system that's meets at least "safe harbour" certification].

I'm also going to put aside any "rubber hammering" of classic email
platforms as I can see that's becoming a dead end in this debate.

All your correspondents need is a web browser and a mobile phone.

You email them a link [and some warmly comforting trivial instructions]
to a password-protected area on a server (a compliant cloud will do) to
which you will both be able to read and write files via a browser (you
using a master password, the other person their unique password).

Then SMS them their password. SMS is secure enough for online banking to
use as part of two-factor authentication.

As an alert system for new uploads, emailing (in either direction) the
links will suffice. Yes, a small amount of pain, but worth it for the
gain.
--
Roland Perry

[Roland Perry]

In message <3hbgdctfeg00953pm...@4ax.com>, at 22:20:45 on
Sun, 26 Mar 2017, Mark Goodge <use...@listmail.good-stuff.co.uk>

remarked:
>On Sun, 26 Mar 2017 21:43:49 +0100, Roland Perry <rol...@perry.co.uk>
>wrote:
>
>>In message <vg8ddchls07qt4r8b...@4ax.com>, at 17:10:44 on
>>Sat, 25 Mar 2017, Mark Goodge <use...@listmail.good-stuff.co.uk>
>>remarked:
>>>>>the best way to ensure that such data is protected in
>>>>>transit is to routinely use encrypted communication methods for
>>>>>everything that isn't public,
>>>>
>>>>like https://mail.google.com, you mean?
>>>
>>>It's only guaranteed to be end to end encrypted if it's Google all the
>>>way. Once you add in any other recipient,
>>
>>"Don't do that then".
>
>Which you can't avoid, if one of the people you need to communicate
>with doesn't use Gmail.

Or can't set up a Gmail account for the purpose. If it's a Family Court
case with a barrister involved, the process will be a drop in the ocean
of the kerfuffle surrounding the hearing.

>Of even if any of those who do use it, also have it set to forward to a
>different address.

And finger trouble in setting up such forwards is a good reason to avoid
entirely if confidentiality is important. Or you could perhaps say "once
arrived at the forwarding server, it's 100% the recipient's leak, not
the sender. And we've already agreed that if using email then leaks from
a sender are hard to prevent.

>>>you have no further control.
>>
>>Sure, although it always pays to quantify the risk. At what point
>>between the Gmail server exploding it, and it arriving in a non-Gmail
>>mailbox, do you think the main risk is?
>
>If it's transmitted in the clear at any point, then it's vulnerable to
>even trivial interception.

Yes, Telehouse is teeming with crooks bearing croc-clips, or is that
ethernet cables and a PC with Wireshark installed?

>For the most part, that may not be an issue
>if the only people with easy access to the message in transit are ISP
>employees. But deliberate access isn't necessarily the main concern.
>AS this thread itself illustrates, inadvertantly making data public is
>no less a breach of the DPA or other privacy concerns.

Yes, and it reminds me that cc: lists are an absolutely classic way to
leak stuff to people you forgot (or in some cases where people just
didn't care) were on the list.

--
Roland Perry

[Mark Goodge]

On Tue, 28 Mar 2017 12:06:01 +0100, Roland Perry <rol...@perry.co.uk>
wrote:

>In message <3hbgdctfeg00953pm...@4ax.com>, at 22:20:45 on
>Sun, 26 Mar 2017, Mark Goodge <use...@listmail.good-stuff.co.uk>
>remarked:

>>If it's transmitted in the clear at any point, then it's vulnerable to
>>even trivial interception.
>
>Yes, Telehouse is teeming with crooks bearing croc-clips, or is that
>ethernet cables and a PC with Wireshark installed?

More plausibly, Wireshark on a PC in the same home or office as the
sender or recipient. A domestic abuser, say, who wants to monitor
their partner's emails. Or a disgruntled employee gathering data for
nefarious use.

Mark