IT Laymen Misconstrue Security Procedures

Opinion: Data protection and retention policies should be formalized and to reduce the chance that those policies could be labeled a reactive cover-up in future litigation.

When technology laymen look at enterprise information systems, they can easily misperceive a necessary tool as an instrument of criminal conduct.

Two incidents in the past month illustrate the potential for misunderstanding. An appellate court in Minnesota ruled May 3 that "the presence of an encryption program" (the widely used Pretty Good Privacy, or PGP) on a defendants PC "was relevant to the states case" in prosecuting that accused child pornographer. The record shows no finding of encrypted files, pornographic or otherwise, on that machine. Even so, the court found the mere presence of PGP to be admissible as evidence consistent with criminal acts.

This unfortunate ruling comes at a time when enterprise use of encryption is quickly growing: when e-mail and tape backups, for example, are getting increased attention as candidates for encrypted storage. Weve endorsed such protection in response to mandates such as HIPAA and as protection against mishandling of tapes.

We support the position of PGP creator Phil Zimmermann, who rhetorically asks in the PGP Users Guide: "If you really are a law-abiding citizen with nothing to hide, then why dont you always send your paper mail on postcards?" Zimmermann continued with this call to action: "It would be nice if everyone routinely used encryption for all their e-mail, innocent or not, so that no one drew suspicion by asserting their e-mail privacy." As much as wed prefer not to associate ourselves with terrorists and pornographers, its essential that both enterprises and individuals have the freedom to protect their information, with neither law nor precedent putting that action in the false light of implied guilt.

We likewise note the unanimous decision of the U.S. Supreme Court, whose May 31 ruling overturned the witness-tampering conviction of the accounting firm Arthur Andersen. That ruling found fault with trial-court jury instructions downplaying the need to prove criminal intent in what the defendant claimed to be routine acts of document destruction.

We commend this decision. Document retention rules are already complex enough, as a result of numerous overlapping statutes bearing on such diverse areas as corporate finance and employee safety. Enterprises are staggering under the resulting load of storage management. They should not be further burdened by needing to prove the innocence of their intentions.

Going forward, though, its clear CIOs face continuing risk that their IT maintenance and security procedures will be misconstrued. Data protection and retention policies should be formalized and the application of those policies should be automated to reduce the chance that those policies could be labeled a reactive cover-up in future litigation.

IT vendors should offer tools that carry out such policies reliably without complex administration. Legislators and regulators must educate themselves on the difference between criminal obstruction and responsible data management.

What do you think? Tell us at


Check out eWEEK.coms for the latest news, reviews and analysis on IT management.