Business travelers will soon need to carry the name of their corporate lawyer in addition to their passport when returning home to the United States, and they may need to bring with them a different business laptop as well. This is because U.S. Customs can search and confiscate your laptop without any prior cause, according to policies that have been posted online since a Ninth U.S. Circuit Court ruling in April.
Alice Stitelman, a consultant who writes about e-mail usage and legal matters, says this is just one example of "what you don't know about legal computer issues [that] can hurt you. Many business users mistakenly believe that their data is private -- whether it is on their laptop, cell phone, or mobile device. In fact, they should have no expectation of privacy. Users have much less control over who reads their data than they may realize."
There are other examples of new regulations and policies that will have a profound impact on business technology policy in the coming years. As legal battles over content filtering, Net neutrality, tracking Web history, and laptop searches ensue, corporate IT managers will need to rethink their strategies on how they implement cloud computing, formulate their e-discovery and records retention policies, and safeguard business data carried by traveling executives using various mobile devices.
Confiscated laptops: Time to revise data access strategies for execs
The Department of Homeland Security has reaffirmed its policy that lets it search, copy, or even impound your employees' laptops when they return to the United States. This is completely at the security screeners' discretion, and applies to anyone entering the country -- citizens and noncitizens alike. Security consultant Jeff Bardin, writing on the CSO Online blog, calls it a "virtual strip search" and cautions somewhat facetiously, "I'd best not forget to take the microdot off the woolly boogers that collect in my pockets."
But all kidding aside, this policy is very much a reality and not just for the tin-hat paranoids. "It definitely has been happening more and more recently, and we have gotten lots of complaints," says Danny O'Brien, the international outreach coordinator for the Electronic Frontier Foundation, an advocacy group.
"A CEO I know was detained and his computer's hard drive was copied and returned," says David Burg, a principal at PricewaterhouseCoopers' advisory and forensics practice. As a result, his client's company has changed its practice, so "employees aren't allowed to travel outside their home countries with their standard-issue laptops," he says. Instead, they are issued bare-bones laptops that have very little corporate data and use VPNs to communicate securely back to their offices.
Other countries are also randomly inspecting laptops: "Canada has been looking for child pornography on laptops entering their country," says John Pescatore, a Gartner security analyst and a former security engineer for the U.S. Secret Service. "It is hard for anyone to argue against that." And as more countries claim the right to copy or confiscate laptops -- or, worse, to install monitoring software -- soon this idea of having a "travel laptop" will become more common practice so that sensitive corporate data is left behind.
"Given that the majority of corporate PCs are laptops now, your data is now more vulnerable," says the EFF's O'Brien.
"You might want to consider limiting the data on your laptop to what you are willing to share with the government," says Kevin Clark, network operations manager of Clearpointe, a managed services provider.
"I would never travel with any data that I cared about anyway," says John Kindervag, a senior analyst for Forrester Research. "I would put it on my iPod or encrypt it." Certainly, "you should have been encrypting the hard drives of your laptops; these are just more reasons to do so," says Gartner's Pescatore.
But using encryption is no guarantee that the government won't obtain your employee's data, according to legal authorities, especially if a security screener demands your password to decrypt your files. "We would say that you have some strong protections against giving out your password, and believe that falls under self-incrimination," says the EFF's O'Brien. Other lawyers agree that requiring users to give up their passwords to the government could fall under the category of unreasonable searches that the courts have long ruled are impermissible, but they note that overall case law is still evolving, so there's no hard-and-fast rule to rely on.
"A lot of this is just security theater," says Forrester's Kindervag, meaning it's just for show. He was detained -- although not at an airport -- and "I stood my ground and refused to give up my data, and eventually the screener backed down." Clearly, one prudent course of action is to have ready access to legal counsel when returning to the United States.
If your execs' laptops are impounded, you have several critical issues to address. First, do you have the executives' data backed up so that you can get them up and running quickly on new computers? Second, is sensitive data protected from prying eyes -- whether bored screeners or investigating authorities? This is where having the cleaned "travel laptop" begins to sound compelling. Finally, does this change your corporate policies on other mobile devices besides laptops, such as smartphones and PDAs that often have all sorts of personal and customer confidential information on them?
Net neutrality: Carrier controls could limit remote work and cloud computing
The topic of Net neutrality also has unintended consequences for IT managers. The concept of Net neutrality is that all Internet traffic should be treated the same and not prioritized (in terms of service or price) by the carriers. The carriers have justified non-neutral traffic management, such as metering and blocking, as necessary because of a few people who continually access large video files or play bandwidth-intensive games. The carriers argue this traffic fills their networks and gets in the way of everyone else's access to the Internet. They also cite the rise of peer-to-peer sharing of music and video files, which the entertainment industry says is a form of theft.
But in a Net neutrality case involving Comcast, the Federal Trade Commission recently ruled that Comcast can't entirely block peer-to-peer file sharing traffic, at least not without prior notification to its customers. The FTC's concerns were based on how such controls might limit the overall Internet access marketplace and lead to possibly monopolistic practices by carriers as their policies favored certain types of usage or providers.
Businesses had more immediate concerns about Comcast's actions since it affected their home-based workers. "Comcast, in trying to block BitTorrent, inadvertently was also blocking some Lotus Notes traffic," says the EFF's O'Brien. And at least one Canadian ISP has had a peer traffic block that also affected business-related traffic.
The ruling has major implications for distributed corporate workforces and on the projected greater reliance on cloud computing and Web-based services and applications in the coming years. As more businesses make use of Internet-based services and store more of their data in the cloud, the assumption is that this data is universally accessible no matter where a user is located and no matter what provider is used to get online. That may not be an assumption businesses can count on.
The FTC ruling was not conclusive, and Comcast has appealed, so the door is still open to carriers controlling traffic that passes through them to the Internet. And other countries -- such as China and Saudi Arabia -- already block and regulate Internet traffic, so global companies may face this issue even if the United States ends up supporting Net neutrality.
And Comcast continues to find ways to regulate Internet access. After the FTC ruled against controlling peer-to-peer traffic specifically, Comcast decided to place a blanket cap of 250GB of data usage per month per residential account.
The FTC action was not the only place where federal policymakers have shown concern over carriers' actions or possible actions to regulate Internet traffic. Last month, FCC commissioner Robert McDowell asked AT&T Wireless to provide information on its peer-to-peer policy during a recent hearing tied to broadband issues. Although AT&T doesn't block peer-to-peer traffic today across its wireless network, there is concern that it and other major carriers may do so in the future.
In the meantime, businesses can see what their carriers are doing to Internet traffic to find out if it hinders business and employee access to the Internet. The EFF has developed a test tool called Switzerland that shows what ports a provider is blocking. And it recommends that IT use its purchasing power to make the carriers come clean on what they are controlling. O'Brien says: "Anyone who signs up a new provider should consider adding a clause to their contracts about service level agreements that should hold the provider to any transparency about what network management and blocks that they are doing."
Privacy and Web history: Is your corporate information actually confidential?
Earlier this summer, senior members of the U.S. House Energy and Commerce Committee wrote to broadband Internet providers and other online companies, asking whether they have "tailored, or facilitated the tailoring of, Internet advertising based on consumers' Internet search, surfing, or other use." Although seemingly a consumer issue, this inquiry also raises issues over what is being monitored when corporate users are outside of the corporate infrastructure, and whether this will become a legal liability later on if this information is subpoenaed by a court.
Within the enterprise, many companies use end-point scanning technology, Web security gateways, and other tools to view what is stored on and transmitted through their employees' PCs when they are on the corporate network. But remote offices and traveling users may not be required to access the Internet through that network. So company-confidential information may be accessible by outsiders.
Or consider the implications of smartphones with integrated GPS or other location-detection capabilities. "Given that Google Maps can triangulate your location at any given point in time, imagine if I, as a forensic investigator, can use that data to track your movements as part of an investigation or in connection with discovery related to a legal proceeding," says PricewaterhouseCoopers' Burg.
Other risks include the use of external threat-detection services, in which your e-mail and other traffic passes through their services to be scanned for data leaks. Who has access to the results of the scans?
More likely is the risk of naïve user actions, such as sending files to their personal e-mail accounts so that they can work on a project at home, or inadvertently posting confidential information and business contacts on social networks. For example, Google scans all e-mail sent through its Gmail system so that it can target ads, and while the first version of its Chrome browser's terms of service gave Google nonexclusive ownership of all content that passes through its browsers, this was later removed. Employees that use Gmail or Chrome could be putting corporate information into an outsider's hands. And LinkedIn, for example, now aggressively promotes a contact-import feature when you log in, making it easy for employees to upload business contacts outside the corporate system.
Gartner's Pescatore asks, "Are you checking up on what your employees are doing with their laptops, even when they are outside of the corporate network? You need to know what your employees are doing when they are online."
One possibility is to insist on a service level agreement from your Internet providers that covers privacy issues. "I want SLAs from my Internet providers that guarantee me that my e-mail isn't going to be compromised. These agreements aren't about uptime, but for the purposes of privacy and security. I want secure and assured services, including the ability to browse and search the Web without having this information recorded on a server somewhere. I don't think a lot of people are doing this right now," says David O'Berry, director of Information Technology Systems and Services for the South Carolina Department of Probation, Parole, and Pardon Services. He blocks access to peer-to-peer file-sharing sites and others that could compromise his network security.
Another solution is to segregate Internet users from those who have access to customer data. "We have taken the stance that if an employee doesn't need the Internet to do his or her job, that computer won't have access of any kind. Those with Web access don't store medical data," says Tony Maro, CIO at HCR Imaging, which processes medical scans and is subject to the strict HIPAA privacy regulations for health care.
Clearly, the legal landscape is shifting with respect to individual computing. But the implications reach far beyond the individual and into corporate IT. Technology managers need to consider these and other regulations and adjust their computing policies to ensure that they can deliver IT services in the shifting landscape.
A correction was made to this article on Sept. 17, 2008.