When the gods dance...

Wednesday, September 12, 2012

FBI's Password Stance Has Enterprise Implications

Written by Kim Davis

One thing that's been overlooked in coverage of the FBI's increasingly hawkish attempts to obtain smartphone passwords is that it's not just the smartphone owners' personal data that is at stake.

As Julia Angwin reported in the Wall Street Journal last week, law enforcement and tech companies are increasingly at loggerheads over whether the former can obtain users' passwords from the latter.

Law enforcement agents often use forensic equipment to simply download the contents of a phone's memory, without attempting to unlock the phone. But sometimes officers fail to break into a phone or the data they find is encrypted. In that case, they can send a grand jury subpoena to the cellphone owner asking them to turn over their password. Those requests are legally tricky because the Constitution's Fifth Amendment protects people from self-incrimination.

Instead, agencies like the FBI have been pressing smartphone software vendors for assistance in bypassing passwords. Reports suggest that Google, at least, has been pushing back, although both Google and Apple are refusing to discuss the details or frequency of such requests.

There's a deeper issue here, though. It's analogous to the problem with Facebook scraping contact details from the cellphones of anyone using its "sync" feature: Facebook was collecting information about people who might not even be Facebook users -- and certainly without their knowledge.

Once a law enforcement agency is armed with a password, and acting outside strict supervision by a court, there's nothing to stop it browsing freely through any data to which the smartphone provides access. There's nothing to stop the downloading of data, and no control over its storage or disposal. That's potentially a problem, as I said, not just for the smartphone's owner, but for his or her contacts.

In many cases, of course, that includes his or her employer.

In this BYOD age, enterprises are wrestling with the challenge of allowing employees convenient remote access to networks, and to the files and data they need to do their jobs, while limiting exposure to security risks. If the FBI prevails in its efforts to retrieve passwords from vendors, the enterprise has something new to worry about.

I don't mean malevolent exploits or espionage, of course. I just mean the negligence with which law officers, searching for evidence, might treat commercial information they don't even recognize as sensitive. As for whether it would be legal to remotely wipe enterprise data from a smartphone being examined by the FBI -- well, I'm willing to bet that's something the courts haven't even started to think about.

The message, as always, is that we're all connected. When an individual's data is exposed, whatever the circumstances, it's never just their data that's at risk. 
