The story is familiar—even though its details are new. A person entrusted with power and responsibility comes under suspicion of misconduct, and sensitive information controlled by that person suddenly goes missing.
These events could have taken place at any time since the invention of writing. As befits the current century, however, the affair at hand did not involve anything so quaint as “inadvertent” loss or shredding of paper documents. In 2004, the central figure is not a secretary but a piece of data-destruction software—supposedly downloaded free from a pop-up ad.
This “scrubbing” software was used earlier this month, it appears, to avoid the embarrassment of inconvenient records—whether of thoughts or actions—on the PC of the chairman of DPL (parent company of Dayton Power and Light).
Investigation of the DPL affair about the question of control of critical corporate information. The story should focus attention on the need to get our systems back in balance—to strengthen our disciplines for keeping our acts together but also to preserve the rights of individuals facing prosecution. That balance may prove elusive.
The question is not new. In the Watergate inquiry, it was framed as, “What did the president know, and when did he know it?” In the post-Enron and post-Martha Stewart era, the defining statement of enterprise IT is quickly becoming, “This is what X told Y, and this is when.” The systems we have now cannot answer such questions, but the mandates of law and the marketplace are intensifying the demand for believable answers.
We have too much data and too little.
With wireless e-mail, cell phone cameras and other connected devices, information overflows its intended paths. Unfortunately, the paths it then follows arent the ones that assign accountability for knowledge and action. When information outruns process, a person whos trying to do things correctly can wind up looking as if he or she is trying to hide something.
We have too little data because we dont capture our communications in a systematic and reliable way. At the first two companies where I worked, every memo got a serial number and was copied to a collection of loose-leaf binders for future reference. Todays e-mail archives should be better, with their rapid search facilities, but in practice theyre worse because of haphazard policies for enforcing storage quotas and for applying retention policies.
Even where good “corporate memory” systems are in place, we lose information to technology changes, technology failures and individual acts of carelessness or concealment. Historians can compare 19th-century purchasing power against todays by looking at old paper records; I doubt that payrolls and price lists from the 1980s stored on obsolete hardware in undocumented formats will be equally accessible in 2100. Digital media are useless artifacts without devices and drivers to read them.
For that matter, I once had to smack an old hard drive with a hammer to free stuck bearings and read old files. Its in the interest of every enterprise to revisit data-retention practices with a practical eye toward the realities of hardware.
What, then, of information thats been made inaccessible, not by hardware misadventures but by deliberate actions such as “scrubbing” or encryption? I cant be compelled to testify against myself. However, many laws treat a hard disk or an encryption key as ordinary evidence or business records that I can be compelled to hand over under power of subpoena—and under penalty of contempt if I refuse. Where do we draw the line of self-incrimination?
If an encrypted storage device were surgically implanted in my brain, would that make a difference? It wont be long before we need to make this and similar determinations. I hope that we will decide after informed debate and with appropriate judicial scrutiny—not just let it happen as a side effect of ill-considered laws and rulings, based on ignorance or misunderstanding of technologys powers and limitations.
Technology Editor Peter Coffee can be reached at [email protected]