Business travelers will soon need to carry the name of their corporate lawyer in addition to their passport when returning home to the US, and may also need to bring with them a different business laptop as well. This is because the U.S. Customs can search and potentially confiscate your laptop without any prior cause, according to policies that have been posted online since a Ninth U.S. Circuit court ruling in April.
Alice Stitelman, a New Haven, Conn.-based consultant and author who writes about email usage and legal matters, says this is just one example of “what you don’t know about legal computer issues [that] can hurt you. Many business users mistakenly believe that their data is private — whether it is on their laptop, cell phone, or mobile device. In fact, they should have no expectation of privacy. Users have much less control over who reads their data than they may realize.”
There are other examples of new regulations and policies that will have profound impact on business technology policy in the coming years. As legal battles over content filtering, net neutrality, tracking Web history and laptop searches ensue; corporate IT managers will need to rethink their strategies on how they implement cloud computing, e-discovery and records retention policies, and how they safeguard business data carried by traveling executives using various mobile devices. Let’s examine the wider implications of each of these key legal and policy issues in more detail and what they mean for the IT manager.
The Department of Homeland Security has reaffirmed its policy that lets it search, copy or even impound your employees’ laptops when they return to the U.S. This is completely at the security screeners’ discretion, and applies to anyone entering the country, citizens and non-citizens alike. Security consultant Jeff Bardin, writing on the CSO Online blog, calls it a “virtual strip search” and cautions somewhat facetiously, “I’d best not forget to take the microdot off the woolly boogers that collect in my pockets.”
But all kidding aside, this policy is very much reality and isn’t just for the tin-hit paranoids. “It definitely has been happening more and more recently, and we have gotten lots of complaints,” says Danny O’Brien, the International Outreach Coordinator for the Electronic Frontier Foundation in San Francisco. “A CEO I know was detained and his computer’s hard drive was copied and returned,” says David Burg, a Washington, DC-based principal at Pricewaterhouse Coopers in the advisory and forensics practice. As a result, his client’s company has changed its practice and now “employees aren’t allowed to travel outside their home countries with their standard issue laptops,” he said. Instead, they are issued bare-bones laptops that have very little corporate data and use Virtual Private Networks (VPNs) to communicate securely back to their offices.
Other countries are also randomly inspecting laptops: “Canada has been looking for child pornography on laptops entering their country,” says John Pescatore, a Gartner security analyst based in Washington, DC and a former security engineer for the U.S. Secret Service. “It is hard for anyone to argue against that.” And as more countries claim the right to copy or confiscate laptops, or worse to install monitoring software, soon this idea of having a “travel laptop” will become more common practice so that sensitive corporate data is left behind. “And given that the majority of corporate PCs are laptops now, your data is now more vulnerable,” says O’Brien. “You might want to consider limiting the data on your laptop to what you are willing to share with the government,” says Kevin Clark, the network operations manager of Clearpointe, a managed services provider in Little Rock, Ark.
“I would never travel with any data that I cared about anyway,” says John Kindervag, a senior analyst for Forrester Research in Dallas. “I would put it on my iPod or encrypt it.” Certainly “you should have been encrypting the hard drives of your laptops, these are just more reasons to do so,” says Pescatore. But using encryption is no guarantee that the government won’t obtain your employee’s data, according to legal authorities, especially if a security screener demands your password to decrypt your files. “We would say that you have some strong protections against giving out your password, and believe that falls under self-incrimination,” says O’Brien and points to this blog post by Jennifer Granick of the EFF. Other lawyers argue that it could fall under unreasonable searches, but overall case law is still evolving.
“A lot of this is just security theater,” says Kindervag, meaning just for show. He was detained – although not at an airport – and “I stood my ground and refused to give up my data, and eventually the screener backed down.” Clearly, one prudent course of action is to have ready access to legal counsel when returning to the U.S.
If your execs’ laptops are impounded, you have several critical issues to address. First, do you have the executives’ data backed up so you can get him up and running quickly on a new computer? Second, is sensitive data protected from prying eyes — whether bored screeners or investigating authorities? This is where having the cleaned “travel laptop” begins to become compelling. Finally, does this change your corporate policies on other mobile devices besides laptops, such as smartphones and PDAs that often have all sorts of personal and customer confidential information on them?
But confiscating a laptop isn’t the only evolving computing legal worry. The topic of Net neutrality is also one that has unintended consequence for IT managers. This concept means that all Internet traffic should be treated the same, and not prioritized (in terms of service or price) by the carriers. The carriers have justified metering, blocking, and other traffic-control actions as necessary because a few people who continually access large video files or play bandwidth-intensive games all the time get in the way of everyone’s else’s access to the Internet.
The Federal Trade Commission, however, ruled that Comcast can’t entirely block peer file sharing traffic, at least not without prior notification of its customers. Its concerns were based on the potential impact on the overall access marketplace, and possible monopolist behaviors on the part of the carriers.
But the ruling has major implications for distributed corporate workforces and a greater reliance on cloud computing and Web-based services and applications. “Many global companies that have grown by acquisition have not integrated or optimized their technical environment, and the complexity and control of this is especially compounded when any of it is outsourced and administered in various countries around the world,” says Burg.
As more businesses make use of Internet-based services and store more of their data in the cloud, the assumption is that this data is universally accessible no matter where a user is located, and no matter what provider is used to get online. But not all providers in all countries’ cloud-based resources are equally available everywhere, as the OpenNet Initiative project found out in 2006, with countries such as China and Saudi Arabia filtering or blocking particular Web sites, ports, and applications.
Peer file-sharing services
Certainly, some corporations block or inhibit peer traffic, at least during work hours. But last month, FCC Commissioner Robert McDowell asked AT&T Wireless to provide the information on its peer-to-peer policy during a recent FCC hearing tied to broadband issues. While AT&T currently doesn’t block peer-to-peer traffic across its wireless network, there is concern that it and other major carriers may do so in the future. And then there is Comcast announcing last month that they will restrict their residential users to a monthly overall bandwidth limit of 250 GB.
lthough illegal music and video swapping is usually the context you hear by those who justify carriers blocking. metering or monitoring peer-to-peer traffic, the implications extend to other traffic that may be blocked and how corporations manage their Internet connections, and if they need to switch to a different Internet provider that doesn’t block their traffic. “Comcast in trying to block BitTorrent inadvertently was also blocking some Lotus Notes traffic,” says O’Brien. And at least one Canadian ISP has had a peer traffic block that also was affecting business-related traffic, too.
The EFF has developed a test tool called Switzerland that can be used to determine what ports a provider is blocking. “Anyone who signs up a new provider should consider adding a clause to their contracts about service level agreements that should hold the provider to any transparency about what network management and blocks that they are doing,” says O’Brien.
Privacy and Web history
Earlier this summer, senior members of the House Energy and Commerce Committee wrote to broadband Internet providers and other online companies, asking whether they have “tailored, or facilitated the tailoring of, Internet advertising based on consumers Internet search, surfing, or other use.” This brings up issues surrounding what is being monitored by corporate users outside of the corporate infrastructure, and whether this will become a legal liability later on if this information is subpoenaed by a court.
Certainly many companies use endpoint scanning technology, Web security gateways and other tools to view what is stored on their employee’s PCs when they are on the corporate network. But remote offices and traveling users may not be required to access the Internet through these devices. Gartner’s Pescatore asks: “Are you checking up on what your employees are doing with their laptops, even when they are outside of the corporate network? You need to know what your employees are doing when they are online. If I have an employee looking at kiddie porn sites with his corporate laptop, that is something that I should know before I get a call from some law enforcement agency.”
But these scans also have implications for potential data leaks of customer information. Who has access to the results of the scans, and what would happen if this were shared outside the corporate inadvertently, such as an employee mailing this data to their personal email account? And data leaks can also occur with users of social networks, who may inadvertently upload business contacts to their accounts.
There are other implications, such as for users of smartphones with integrated global positioning software. “Given that Google Maps can triangulate your location at any given point in time, imagine if I, as a forensic investigator, can use that data to track your movements as part of an investigation or in connection with discovery related to a legal proceeding,” says Burg.
One possibility is to insist on a service level agreement from your Internet providers that cover privacy issues. ”I want SLAs from my Internet providers that guarantee me that my e-mail isn’t going to be compromised. These agreements aren’t about uptime but for the purposes of privacy and security. I want secure and assured services, including the ability to browse and search the Web without having this information recorded on a server somewhere. I don’t think a lot of people are doing this right now,” says David O’Berry, Director of Information Technology Systems and Services for the South Carolina Department of Probation, Parole and Pardon services. He currently blocks access to peer file sharing sites and others that could compromise his network security.
Another solution is to segregate Internet users from those who have access to customer data. “We have taken the stance that if an employee doesn’t need the Internet to do his or her job, that computer won’t have access of any kind. Those with Web access don’t store medical data,” says Tony Maro, Chief Information Officer for HCR Imaging, Inc. in White Sulphur Springs, WVa.
Clearly, the legal landscape is shifting with respect to individual computing. But corporate IT managers need to consider these and other regulations and adjust their computing policies to ensure that they can deliver IT services yet remain compliant in the future.