Sunday, July 30, 2006

'Access controlled by a password'

Emergent Chaos is debating Indiana's Breach Law, in particular the 'lost laptop' clause:


(2) Unauthorized acquisition of a portable electronic device on
which personal information is stored if access to the device is protected
by a password that has not been disclosed.


It probably makes sense to have an exception of this type in the first instance when the law is enacted. Otherwise we may well drown in privacy disclosure notices.

In the longer term the problem with such exceptions is that lost laptops are a major cause of data loss and there is at least anecdotal evidence to suggest that stolen laptops do trade for the information on them.

I suspect that at some point someone will point out that in practice a laptop disk is only password protected in a meaningful sense if and only if the data is actually encrypted. Otherwise it is a trivial matter to mount the disk on a different machine and read the data. Since file encryption is now available on Windows as part of the base build and Linux as several well supported packages there is no real excuse for not using it.

Ultimately there will be a requirement to apply content management to privacy sensistive data as a matter of course.

2 comments:

xchatty said...

I wasn't expecting that my private comments to you over lunch would end up in your blog.

PHB said...

Sorry, I thought you had published that.