



AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security

January 2012 - Posts

  • Data Encryption: Midlothian Council First Scottish ICO Fine, Largest To Date

    In a clear sign that it frowns on all data breaches, not just electronic ones, the UK's Information Commissioner's Office (ICO) has handed out its largest penalty to date to the Midlothian Council in Scotland.  It's the first ever ICO fine for any Scottish local government, and it underscores that, while laptop encryption software like AlertBoot goes a long way towards placating any concerns, it's not the only thing UK data controllers should be focusing on.

    Five Breaches in Four Months

    While it's true that the Midlothian Council has received the largest penalty to date (£140,000; the next largest one is £130,000, handed to the Powys County Council in December 2011; I keep a list of ICO monetary penalties), one could also argue that it's not a single fine, but a total fine for 5 data breaches:

    • The wrong child's name was entered into an agreement
    • A GP was sent a request for a child's report.  The child wasn't registered with the GP
    • A file was unintentionally included with other documents and sent to unintended recipients
    • Minutes of a child's protection conference were sent to an old address
    • A letter on the foster care status of a child was sent to the wrong people

    The above occurred in a period of 4 months.  It could be argued that each breach cost the council £28,000, putting it at the bottom of the pile.

    Incidentally, the £140,000 was the reduced figure from £150,000 after the council appealed the fine.

    Human Error?  They Usually Are


    Midlothian Council said it referred itself to the commissioner and insisted its procedures were sound, despite the breaches.

    Colin Anderson, chief social work officer, said: "While the council accepts there were mistakes, they were caused by human error. Clear procedures were in place but were not followed."

    That the breach was a result of human error is a moot point: that's usually the case when it comes to the ICO handing monetary penalties.  With respect to the UK data breaches I've covered on this site, especially those that have involved a penalty from the ICO, almost all of them involved human error.  That is, I can't really recall a breach where someone caused the breach on purpose.

    That "clear procedures were in place but not followed" appears to exacerbate the situation, in my opinion.  In fact, if the procedures were so clear but ignored, couldn't one argue that this was not a case of human error?

  • Ruling on Fricosu: Much Ado About Nothing?

    The ruling by US District Court Judge Robert in US v. Fricosu has attracted a lot of attention.  It was covered by various media outlets who, in my opinion, largely got it wrong (at least, if you're only reading the headlines).  I'm not a lawyer, but plenty of people who are have opined on the case in their blogs and elsewhere.  Opinions are divided, as they should be.  The case was a controversial one.

    Based on what I've read, it looks like there may be less here than meets the eye.  That is, this case is not a precedent-setting case where the US government can get a copy of your encrypted data whenever it wishes to.  Nor is it correct to state that "decrypting a laptop doesn't count as self-incrimination."

    Rather, as others have noted, it's a similar case to Boucher, where a court found that Fifth Amendment rights were not violated because of "foregone conclusion." 

    Clearing Up Past Posts, Laying Down the Facts

    I've covered the Fricosu case twice in the past, here and more recently here.  I had to go with what I could find on the internet, so some of the information on which I drew my opinions was factually incorrect.

    On reading the actual Judge's ruling, we get a clearer picture of what transpired.  Just laying out the facts:

    • Fricosu lived with her mother and her children (earlier stories alluded to roommates)
    • Six computers were seized when the search warrant was effected
    • Three computers were desktops, the other three were laptops.  Only one of them was encrypted with "PGP Desktop"
    • The encrypted computer was found in Fricosu's room
    • When booted, the computer displays the whole disk encryption screen, in which the machine is identified as RS.WORKGROUP.Ramona (earlier stories noted that there was no way to identify who the owner of the computer was)
    • A conversation was recorded between Fricosu and Scott Whatcott, her previous husband and partner in crime (and incarcerated at Four Mile Correctional Center at the time of the conversation)

    The conversation runs as follows (my emphasis.  It's slightly long; my apologies):

    Ramona: Oh so anyway, earlier we were talking about that lawyer thing
    Scott:  Yes
    Ramona:  So um, in a way I want them to find it
    Scott:  OK
    Ramona:  in a way I don’t just for the hell of it
    Scott:  OK
    . . . .
    Ramona:  Ookay (pause) uhm in a way I want them to find it
    Scott:  Mm-hmm
    Ramona:  and uhm because they will have to ask for my help uhm and in another way I don’t want them to find it let them let them work for it
    Scott:  Right
    Ramona: you know what I mean
    Scott: right (pause) yeah, if it’s there, they, they will find it
    Ramona: uhm, can they get past what they need to get past to get to it
    Scott: they will listen first
    Ramona: it will shut off
    Scott: (pause) what
    Ramona: it was on my laptop
    Scott: oh yeah
    Ramona:  yeah
    Scott: OK
    Ramona:  I don’t know if they can get to it
    Scott: it was on your laptop
    Ramona: yes
    Scott:  OK (pause) and did you have any something like anything on your computer to protect it or something
    Ramona: yeah
    Scott:  OK then I don’t know.
    Ramona:  I mean, I think I did
    Scott:  OK
    Ramona: Ya know I haven’t
    Scott: (SC [simultaneous conversation]) oh yeah that’s right it was on your laptop wasn’t it
    Ramona:  I think so but I’m not sure
    Scott: OK
    Ramona: yeah cause they kept asking me for passwords and I said, ya know no I just didn’t answer them
    Scott: right (SC).  Because when you went there you took your laptop
    Ramona: yeah I think so I think I did
    Scott: and so (SC) it would been on there
    Ramona: yeah
    Scott:  OK
    Ramona: and my lawyer said I’m not obligated by law to give them any passwords or anything they need to figure things out for themselves

    While there is nothing conclusive in the conversation, it's quite obvious that there is something of an incriminating nature in one of the laptops, based on the facts that I've listed above.  Not just any laptop, though; one that requires a password for access.  Which has also been identified as Ramona's, per the name on the computer.

    Is It a Foregone Conclusion?

    Earlier this month, I noted that a defendant had to cough up his encrypted hard disk's data in another case involving a cryptographically protected laptop.  To summarize the case, a man, Mr. Boucher, had given a US Border guard access to his computer, on which child pornography was present.  The man was detained for this.  When the government booted up the computer again, after the arrest, full disk encryption stopped them from accessing the evidence.

    The court ruled that an unencrypted copy of the disk's contents had to be made available by the defendant because the government already knew that the evidence was in the laptop.  Producing this evidence was not in violation of the Fifth Amendment because of the foregone conclusion doctrine.  That is, producing the evidence is not self-incrimination because the government already knows about it: where it is, what it looks like, etc.

    The question is, does the foregone conclusion doctrine apply in the Fricosu case?  According to the judge, yes it does.  Based on the evidence and the taped conversation, it's not far-fetched to say that the government knows of the existence of evidence; that it's on Ramona's computer; and that a password is required to access it.

    Of course, the situation is not as clear-cut as the Boucher case because no government official has actually seen it on the computer, nor do they know, based on the conversation, what type of evidence it is (images, spreadsheets, a word processing document, etc).

    There is also the question whether Ramona's computer is, in fact, Ramona's.  Sure, it's labeled as such, but this wouldn't be the first time a computer is set up one way and passes its ownership unchanged.  On the other hand, I'm led to believe that there was only one computer that was protected with a password, meaning that Ramona's computer could be easily identified: just look for the one that demands a password.

    So, to summarize, there's a computer in Ramona's room, named Ramona, which is the only one that requires a password to access, and, according to a taped conversation, there's certainly a computer that belongs to Ramona which requires a password.

    I don't know.  I'm inclined to think that the encrypted laptop is Ramona's.

    What I Didn't Know About the Fifth Amendment

    Amidst all the articles, comments, and opinions, some have been especially helpful in understanding the situation.

    One of the commentators at the site gives this helpful explanation:

    The 5th amendment is a protection against compelled testimony incriminating oneself. However, you don't have a right to refuse to turn over incriminating evidence — such as documents, video or records of any type.

    The issue in the instant case is the defendant was arguing that divulging the password would show that the defendant had ownership/control over the computer — that, not the information that was already contained on the hard drive, is the testimonial aspect. The court simply found that the Feds already knew and could prove that the defendant had ownership/control over the computer and therefore there was no 5th amendment privilege that attached. The contents of the drive may incriminate the defendant more but those contents are not testimonial in nature — only the act of divulging the password is testimonial and the defendant's ownership of the computer has already been established so she is not going to be further incriminated by giving up the password. [, disintelligentsia]

    The definition of testimony, under the law, according to Wikipedia:

    In the law, testimony is a form of evidence that is obtained from a witness who makes a solemn statement or declaration of fact. Testimony may be oral or written, and it is usually made by oath or affirmation under penalty of perjury. Unless a witness is testifying as an expert witness, testimony in the form of opinions or inferences is generally limited to those opinions or inferences that are rationally based on the perceptions of the witness and are helpful to a clear understanding of the witness' testimony.

    What the government is seeking is not testimony.

    Also from

    I think some folks are hung up on the "foregone conclusion" notion.

    If the police have a warrant to search the defendant's office for documentary evidence of a criminal fraud and find a locked file cabinet, the warrant reaches the contents of that cabinet. Issues about: (1) "expectation of privacy" in a locked cabinet; or (2) "proof" of what the government believes is in the cabinet are now irrelevant issues. Whatever may be inside is reachable by the police because they already satisfied the Fourth Amendment and got a warrant. This is true even if the cabinet contains evidence of a wholly separate crime, like possession of child pornography.

    It has long been the rule that a defendant does not "testify" against him/herself by handing over the key to the cabinet, nor by telling the police where the key is. This is true UNLESS the identity of the owner of the cabinet is in doubt. That's why police questioning resulting in, "here's the key to my cellar door" does not raise Fifth Amendment concerns, while "give us the key to the door behind which the loot is stashed" does. [, FmrADA]

    Based on what I've covered so far, I'd say that the judge's decision was, strangely enough, pretty straight-forward.  I say strangely enough because, if it's so straight-forward, why all the controversy?  Especially among those who don't appear to be flame-baiting trolls?

    Fricosu - Questions Remain

    If you go to the site (link below), you'll see a very spirited discussion of why.  Some pertinent questions:

    • Can you say that plain text data "exists" when it's encrypted?
    • What if you actually don't remember the password?
    • What if the information is doubly encrypted?
    • Is encryption like a digital safe or something else completely?
    • And others

    As far as I can tell, the controversy can be summarized like this: let's say that you have a paper document, encrypted by hand, inside a locked safe.  The court orders you to produce the contents of the safe.  Do you only produce the key to the safe?  Or do you also have to decrypt the document?

    If disintelligentsia and FmrADA's comments are correct, the document has to be produced in its decrypted form, if the government knows (or can prove that it knows) that the document is incriminating evidence -- even if the government doesn't know what the document's contents are, exactly.  The fact that the document is encrypted is immaterial, since the government knows that its contents are incriminating evidence.  And, producing it is legal because it's not testimony.

    On the other hand, if the encryption key exists in the defendant's mind (it's not written down somewhere), then that is testimony.  Does forcing a person to provide not the encryption key but only the decrypted contents offer a way to legally gain access to the document's contents?  It looks like we'll have to wait for a decision from the higher courts.

    There are, of course, other approaches listed to explain why the Fricosu decision is wrong...and why it's right.

    If I've learned one thing that's unequivocally certain from this case, it's that this case definitely does not claim that decrypting a laptop or giving your password out is not a violation of the Fifth Amendment.  If anything, it appears that every care and effort has been made to ensure that such a claim cannot be made.  The correct headlines should have been "decrypting a laptop or giving your password out is not a violation of the Fifth Amendment...under certain conditions that have applied for decades."

  • Disk Encryption Software: Follow Up On Edmonton Public School Board Data Breach

    The Canadian Office of the Information and Privacy Commissioner has finalized its investigation into the Edmonton Public School Board breach, nine months after the incident took place.  If you'll recall, a USB disk was lost.  A number of the school's IT policies had been broken, including the non-use of data encryption software.

    More Information Revealed, Not Much Changed

    I had covered the incident back in April 2011.  It looks like there isn't much more to report, although a number of details have been cleared up.

    More than 7,600 employees of Edmonton Public School District were affected by the data breach.  Of these, 2,826 had "considerable personal information, including social insurance numbers, banking information or both" in the lost USB disk.  The remaining 4,836 had minimal information stored in the unsecured device.

    The data included but was not limited to:

    employment applications, resumes, transcripts, completed direct deposit forms (including cheques), copies of identity verification (i.e. driver’s licenses, first page of passports, birth certificates, etc.), injury forms, payroll correspondence, pension correspondence, benefits forms and correspondence, education credentials (i.e. certificate, degree, diploma etc.), job information history, pay-benefits history, performance evaluations, police criminal records check reports

    In my previous post, I had also noted that no one knew how the information had been breached.  In other words, a USB flashdisk was lost, but nobody knew when or how.  That still remains the case.  According to the findings, "an IT staff member pocketed it while at work but could not find it two hours later."

    The breach cost $46,000 to resolve, including "staff time, overtime, supplies, postage, and other miscellaneous expenses."

    USB Encryption

    It's often said that USB devices that contain sensitive information should be encrypted.  There's something wrong with that wording.  You see, it's not that USB devices that contain sensitive data should be encrypted -- that's putting the cart before the horse.  Instead, sensitive data ought to be saved to encrypted devices.  You might think it's mere verbal judo, but it's more than that.

    You see, disk encryption takes some time to implement.  What are the chances that someone will grab a USB disk, save sensitive data to it, and then go through the routine of deploying disk encryption on it?  The answer is "nearly zero."  It won't happen.  The person will save the files to the flashdrive and call it a day, promising he won't take the USB device out of the office, etc.  Sooner or later: data breach.

    Instead, data ought to be saved to USB disks that are already protected with encryption software.  This, however, poses its own problems.  If an encrypted USB disk cannot be found, what are the chances that a person will go looking around for one instead of just grabbing the unsecured USB disk lying two inches to the right of the mouse?

    This leads to the only sane conclusion and best practice: assume that all USB disks used at an organization that deals with sensitive data will be used to store sensitive data at some point, meaning that all USB disks should be encrypted.  It's not that crazy.  One company came to a similar conclusion regarding laptops the hard way.

  • Backup Disk Encryption: Univ. Of Victoria Data Breach

    The University of Victoria had a data breach that left thousands exposed.  While the details are not being given, it looks like an external drive was stolen during a break-in.  The device was not properly secured with disk encryption software like AlertBoot, increasing the risk of identity theft for over 11,000 current and former UVic employees.

    Existing Technology in Place

    The site quotes Stephen Neville, the director of the Centre for Advanced Security, Privacy, and Information Systems Research at UVic, who notes that the university "had the existing technology in place that should've stopped last weekend’s breach from happening."

    He went on to say:

    "The degree to which people may be aware of these (available) options is the issue,"  Neville said. "It comes down to an employee saying, 'I need to back up (this information),' as opposed to saying, 'Are there better ways of backing up the information that protects the privacy of the data?'"

    You'll notice that Mr. Neville concentrates on the data, never bringing up "hardware" as an issue.  That's because, regardless of where the data ends up, it can be easily protected using encryption software.  I'm pretty sure the "existing technology" he refers to is a passing reference to encryption.

    And, my, should encryption have been used.  According to the details that were released, the banking information and Social Insurance Numbers for over 11,000 past and present UVic employees (beginning from January 20120) were lost in the data breach. speculates the information was stored in an optical disk or hard drive that was locked in an office cabinet.

    Encrypting Backup External Drives

    Data backups are important, in more ways than one.  Certainly, backups allow one to recover data in the event something happens to the original: theft, data corruption, disasters like flooding and fires, etc.  But, backups are trickier than they appear because they need to be secured as well.

    For example, scores of backup devices have made their way to the consumer market, in many cases external hard drives with a single, prominent button, to be pressed when you're ready to perform a backup -- literally "one-button backup solutions."

    You press the button and problem solved.  Right?  Not quite.

    Backing up the data is only the first in a chain of multiple decisions.  You still have to consider other aspects, such as, where will I keep this backed up data?  You don't want to keep it right next to the computer, since whatever befalls the computer could extend to the backup as well.  Think of fire, water, coffee spills, a prank gone awry, etc.

    Keeping it in the same office but away from the computer also poses its own problems.  As in the UVic situation, a thief could make off with the backup.  And the original.  And your petty cash.  All at once.  Or, the backup could be stolen while the original remains in place.

    But, the biggest problem may come from the fact that many people will secure their originals while not extending the same security to their backup.  Sometimes, this is due to a lack of education.

    Take AlertBoot, for example.  It's a hard disk encryption solution.  Most people already have an understanding of what it does: it encrypts all the data on your hard drive.  This is not wrong, but it's also not right.  Yes, all the data in your hard drive ends up encrypted.

    But, "encrypts all the data on your hard drive" allows certain miscues to arise.  For example, most users think this means that copies of the encrypted data will also be encrypted.  Like when data is backed up.  But it's not; that's not how hard disk encryption works (well, not always anyhow).  Under hard disk encryption, it's accurate to say that the entire hard disk is encrypted.  And because the hard disk is encrypted, the data you place in it is also encrypted.

    In other words, the data is encrypted as long as it's on the hard disk.  Copy it to some other device that is not encrypted, and the data won't be secure anymore.

    This is why AlertBoot has the option to encrypt any external media devices that are connected to an encrypted computer.  It's not just meant for backups but for any instances where data is copied off of a protected device.  We realize that it's the data that you're securing, so that it makes no sense to encrypt the contents of your entire computer while allowing your USB port to become a security fail point.
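    The point above, that data is only protected while it sits on an encrypted device, can be checked before a backup is written. The following is an added example, not AlertBoot's code and not from the original post: it assumes a Linux host, where `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT,RM,TRAN` describes the block-device tree and dm-crypt/LUKS volumes appear as nodes of type `crypt`. The sample device tree and all function names are constructed for illustration.

```python
import json

# Constructed sample, shaped like the output of
#   lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT,RM,TRAN
# An encrypted internal disk, a plain USB stick and a LUKS-encrypted USB stick.
# Device and mount names are made up. Older lsblk prints "rm" as "0"/"1",
# newer versions as true/false, so the sample contains both.
SAMPLE_LSBLK = """
{"blockdevices": [
 {"name":"sda","type":"disk","fstype":null,"mountpoint":null,"rm":false,"tran":"sata","children":[
   {"name":"sda1","type":"part","fstype":"vfat","mountpoint":"/boot/efi","rm":false,"tran":null},
   {"name":"sda2","type":"part","fstype":"crypto_LUKS","mountpoint":null,"rm":false,"tran":null,"children":[
     {"name":"root_crypt","type":"crypt","fstype":"ext4","mountpoint":"/","rm":false,"tran":null}]}]},
 {"name":"sdb","type":"disk","fstype":null,"mountpoint":null,"rm":true,"tran":"usb","children":[
   {"name":"sdb1","type":"part","fstype":"vfat","mountpoint":"/media/backup","rm":true,"tran":null}]},
 {"name":"sdc","type":"disk","fstype":null,"mountpoint":null,"rm":"1","tran":"usb","children":[
   {"name":"sdc1","type":"part","fstype":"crypto_LUKS","mountpoint":null,"rm":"1","tran":null,"children":[
     {"name":"usb_crypt","type":"crypt","fstype":"ext4","mountpoint":"/media/secure","rm":"0","tran":null}]}]}
]}
"""


def _flag(value):
    """Normalise lsblk's removable flag across util-linux versions."""
    return value in (True, 1, "1", "true")


def _walk(node, encrypted=False, portable=False):
    """Yield mounted volumes, inheriting properties from parent devices.

    A filesystem counts as encrypted only if a dm-crypt layer ("crypt")
    sits between it and the physical disk. Self-encrypting drives and
    file-level encryption are not visible here and are reported as plain.
    """
    encrypted = encrypted or node.get("type") == "crypt"
    portable = portable or _flag(node.get("rm")) or node.get("tran") == "usb"
    if node.get("mountpoint"):
        yield {"mountpoint": node["mountpoint"], "device": node["name"],
               "encrypted": encrypted, "portable": portable}
    for child in node.get("children", []):
        yield from _walk(child, encrypted, portable)


def mounted_volumes(lsblk_json):
    tree = json.loads(lsblk_json)
    return [vol for disk in tree["blockdevices"] for vol in _walk(disk)]


def unencrypted_portable(lsblk_json):
    """Mount points of USB/removable volumes with no encryption layer."""
    return sorted(v["mountpoint"] for v in mounted_volumes(lsblk_json)
                  if v["portable"] and not v["encrypted"])


def volume_for_path(lsblk_json, path):
    """Return the volume a path lives on (longest matching mount point)."""
    best = None
    for vol in mounted_volumes(lsblk_json):
        prefix = vol["mountpoint"].rstrip("/") + "/"
        if path == vol["mountpoint"] or path.startswith(prefix):
            if best is None or len(vol["mountpoint"]) > len(best["mountpoint"]):
                best = vol
    return best


def is_encrypted_target(lsblk_json, path):
    """True only if the destination path sits on an encrypted volume."""
    vol = volume_for_path(lsblk_json, path)
    return bool(vol and vol["encrypted"])


if __name__ == "__main__":
    print("Unencrypted portable volumes:", unencrypted_portable(SAMPLE_LSBLK))
    for dest in ("/home/alice/payroll.csv", "/media/backup/payroll.csv",
                 "/media/secure/payroll.csv"):
        verdict = "ok" if is_encrypted_target(SAMPLE_LSBLK, dest) else "REFUSE"
        print(f"{dest}: {verdict}")
```

    A backup script can call `is_encrypted_target` on its destination and refuse to copy when it returns False, which is the case for the plain USB stick in the sample even though the source disk is fully encrypted.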

    With something akin to AlertBoot, perhaps UVic wouldn't have had to deal with this particular data breach.

  • Full Disk Encryption: Assume All Portable Devices Contain Sensitive Information

    The CEO of the Massachusetts eHealth Collaborative, Micky Tripathi, recounts the eight lessons he learned when his company was involved in a data breach when a laptop computer was stolen.  It all stemmed from the fact that a laptop, which was not protected with the likes of AlertBoot hard drive encryption, was stolen.

    First Hand Account - An Excellent and Insightful Read

    Tripathi submitted a first-hand account of his thoughts and actions to  He starts off by noting that most might find the "details fascinating... because you realize through hard experience that protecting privacy and security is about incredible attention to the small stuff."

    In keeping with that statement, he has penned a very, very long (but extremely worthwhile) article with lots of details.  If you're into Cliffnotes, I'd suggest's summary (and I'd suggest reading the original article over that).

    My own concise summary (just the facts, ma'am): a laptop computer was stolen from an employee's car while the employee was having lunch.  The breach affected approximately 14,314 patients (out of which approximately 1,000 had to be notified under the "significant risk of harm" clause, which is still in effect under the HITECH Interim Final Rule), and required nearly $300,000 to resolve.  Security software was implemented; however, encryption software was not one of them.

    As an "implementation services company" they normally wouldn't have patient data on their machines, except that they also have to deal with what Tripathi termed "kick-outs," patient information that was rejected by a system.  The company, as a consultancy, helps clients figure out why the data is getting kicked out.  This means patient data is transferred to their machines.  The rest, as they say, is history.

    Unsurprisingly, his #2 lesson learned is "assume that your portable devices contain sensitive information."  This assumption is often more correct than it is wrong.

    One Observation

    As Tripathi has himself noted, the company wouldn't have had to deal with the situation had the computer been encrypted.  Certainly, the odds of some random thief accessing his data were marginal at best, with the security software that was already used.  Regardless:

    And yet … the files were no longer in our control and, without encryption, were indisputably vulnerable. I’d heard the term “my knees weakened” before, but had never experienced it myself … up until that moment, that is.

    Without encryption, data is indisputably vulnerable.  That's why most state, federal, and international law will grant safe harbor if encryption is used -- if they do grant them.  Exceptions are rarely made for other data security solutions, and when they are, they tend to be dropped later in favor of encryption.

    You know what's really frustrating to me?  This:

    The bad news kept on coming. In April 2010, we had instituted a company-wide policy requiring encryption of any files containing patient information. If the laptop or the files had been appropriately encrypted, this theft would not have been a breach issue. Turns out that we had been shopping around for whole disk encryption options to reinforce our security policy, but regrettably we hadn’t yet implemented a solution at the time of this incident.

    Cases like these, where a data breach occurs while you're considering options, are not unusual.  But still reviewing options 21 months later? (The breach occurred in December 2011).  Well, that's a bit unusual.

    Tripathi sounds like a very smart, conscientious guy, so what gives?  My guess is that he failed the way most people fail when it comes to such issues: out of sight, out of mind.  He himself notes that he doesn't deal with "practice-level data" (read: protected health information), so, my guess is that he just assumed there must have been encryption in place for any employees who did deal with practice-level data on a day-to-day basis.  After all, they began looking into it around April 2010.  Why would someone assume encryption was not being used nearly two years after you started looking for something?

  • Drive Encryption Software: Kansas Department Of Aging Loses Laptop, Flash Disk

    The Kansas Department of Aging is cautioning clients that there was a data breach of members' information.  A laptop computer, flash disk, and paper files were stolen from a state employee on January 12.  It's quite apparent from what's floating in the media that the appropriate laptop encryption software and flash disk encryption software were not used.

    100 SSNs Lost, 7000 At-Risk

    According to, a laptop computer and other media were stolen last week from a Kansas Department of Aging employee's car.  The incident impacts 100 people who were part of the Senior Care Act program, who had their Social Security numbers compromised.

    An additional 7,000 seniors, including participants in the Older American Act program, were also affected.  While their SSNs were not involved, other personal information was stolen, such as names, addresses, dates of birth, gender, service information, Medicaid identification numbers, and case management information.  Financial information was not included.

    As I noted at the top, there is no mention of how the information was secured.  In this day and age, not mentioning how data was protected generally tends to mean that data security protection was not used, especially when combined with pleas to keep an eye out for "unusual activities."

    Lots of Similar Breaches

    This is not the first time I've come across a story where some department, agency, or division involving the elderly has been caught in a data breach.  There was this one involving 21,000 Pennsylvania senior citizens, this other one in Ohio, and this one in North Carolina.

    In each of the above cases, the affected numbered in the tens of thousands.  The stolen devices generally were designed for portability.  It doesn't take a genius to figure out that

    Tens of thousands of sensitive data points + unsecured data device = bad idea

    And yet, here we are, a little over four years after I blogged my first "Aging" data breach post, rehashing the same story involving different people in a different place but under similar circumstances.  How long does the insanity have to go on before something is done about it?
