Dangerous Security Policies Return To Haunt.
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
This is a very interesting story that holds important clues about the future of security as it relates to privacy and Fifth Amendment protections.
A recent ruling by a judge of the federal district court for the Eastern District of Pennsylvania may have set an important marker on how access rights to company-issued smartphones in the workplace are defined.
The case involved two data analysts charged with insider trading: their positions at Capital One Bank gave them privileged information about consumer retail companies, which they used to place stock market bets on more than 150 companies, turning a small investment into almost $3 million in illegal profits.
When they were caught and dismissed, they had to return their company-issued smartphones to the bank.
A key fact: when the bank issued smartphones to its employees, it asked them to set their own passcodes and deliberately kept no record of those passcodes, so that nobody could find a written list of them. In other words, this was a security measure designed to keep company information away from unauthorized eyes.
The SEC, the plaintiff in this case, requested access to the smartphones so it could search for evidence of the crime.
To sidestep the personal-privacy argument, the SEC argued that the smartphones were owned by the company and had been provided to the employees for work-related activities only.
Here’s a fact you may or may not know:
Under US law, a defendant can be compelled to hand over evidence, even self-incriminating evidence, when the government already knows that it exists and that the defendant has it (the so-called "foregone conclusion" doctrine); in that situation the act of producing it adds nothing testimonial.
What is more interesting is that the government cannot force someone to grant access to potentially self-incriminating evidence when it has no specific knowledge that the evidence it seeks exists, because the act of producing it would then itself be testimony.
The SEC argued that because it knew the defendants had used the smartphones, asking them to unlock the devices merely provided access and was not itself incriminating testimony.
The federal district court judge disagreed. In his opinion, the existence of bank records on the devices had not been established: the SEC did not KNOW whether any such records were actually on the smartphones, and compelling the passcodes meant the SEC was reaching into the defendants' "thought processes" rather than asking for specific, known documents.
So one takeaway from this ruling is that, under the Fifth Amendment, you cannot be forced to disclose a passcode that you created and that nobody recorded, for a device that may contain self-incriminating evidence, at least where the government cannot show it already knows what is on the device.
This adds a large and thorny layer of complexity to the litigation landscape. Until a higher court rules definitively on passcodes applied to corporate devices, you and your company would be well advised to adopt a strict policy of fingerprint-only authentication for the devices you hand out to employees. One practical caveat: mainstream mobile platforms layer biometric unlock on top of a passcode and fall back to that passcode after a reboot or a run of failed attempts, so "fingerprint-only" is a policy you will have to enforce through how the device is provisioned and managed, not something the device enforces on its own.
Why biometrics? Courts have held that a fingerprint, unlike a passcode, neither contains nor reveals anything the defendant knows; it is physical evidence rather than testimony. When it is used for device access, therefore, compelling it does not produce self-incriminating testimony.
The other takeaway, particularly for IT managers, is to make sure your legal and/or HR departments are involved in every security policy decision. You don't want to be that guy on the 10 o'clock news.
Result-oriented Cyber Risk & Information Security professional with expertise in assessing risk & creating effective information security strategy in alignment with business objectives
9 years ago: Underlines a gap in organization policy management. Thanks for sharing.