I was working for a multinational organisation recently on a project of a sensitive nature concerning a new product launch. The customer asked us (and all other suppliers and subcontractors) to make sure that all e-mail was encrypted and signed. This is a good policy. I don’t think they were particularly worried that international hackers were monitoring the e-mail servers (although they might well have been) but they were concerned about information being sent to the wrong people. This happened to me only last week when I got an e-mail from a company that we work with. The e-mail contained minutes from a board meeting and an attachment concerning problems in meeting a service level agreement, and was meant for another Dave entirely. Naturally, I deleted the e-mail and informed the sender. This is just the sort of problem that would be solved if the mail had been encrypted to “the Board” (or whatever), and since I wouldn’t have the key for “the Board” I wouldn’t be able to read it. Anyway, we dutifully swapped the keys after a bit of messing around, and were soon up and running. The secure regime lasted a week: after a few days we were asked to stop encrypting because encrypted e-mails were causing problems with the e-mail firewall (because it couldn’t read them, obviously) and then after a few more days we were asked to stop signing as well because it was causing problems for BlackBerry users in some way. Back to square one.
So what are we to do? We live in a world where you can’t even send your personal data to Her Majesty’s Revenue and Customs in encrypted form, where your bank can’t send you a digitally-signed e-mail despite the fact that you can’t buy an e-mail package that doesn’t have S/MIME in it, and where confidential corporate data is left on laptops. I know it’s Monday morning, but sometimes I think we’re not making any progress at all. Are lawyers at the root of this problem?
I was at a discussion about privacy recently. The group were discussing a response to the Ministry of Justice Thomas/Walport data sharing review consultation. Pete Bramhall from HP sagely noted that the consultation document began with the statement that it assumed a familiarity with the Data Protection Act and other relevant legislation. How come, he pointed out, it did not assume a familiarity with rudimentary information technology, basic data security, elementary cryptography or, indeed, anything else that might help to develop a privacy-enhancing infrastructure for the modern world? Quite. Anything that comes out of this review will be by lawyers and for lawyers and, however much it may be subconscious, in the interests of lawyers.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.