This note is intended to provide criminal defence lawyers working in the CJS with guidance in relation to the selection of encryption products to protect information. Note that the Treasury Solicitor's Department has produced its own guidance (which differs from this) aimed at barristers on their panel list. Advocates who prosecute on behalf of any government agency should make sure that they comply with that guidance.
Encryption is used to protect data such as files on computers and storage devices (e.g. USB drives). Encryption software uses a complex series of embedded mathematical algorithms to protect and encrypt information, "hiding" (or more accurately "disguising") the data and preventing any inadvertent access or unauthorised disclosure of information. Encrypting files helps protect them should physical security measures fail and is also used to protect data in transit (e.g. via email and over the Internet).
Government organisations often insist that data is encrypted to a "FIPS140-2" standard. This is a US government computer security standard used to accredit cryptographic modules and applies to specific products that have been validated. Whilst MOJ and the CPS will often quote this as a required standard for systems that receive or store data received via the Criminal Justice Secure eMail Service ("CJSM"), such a provision is not included in CJSM's terms and conditions. In fact, what a defence lawyer needs to ensure is that "portable computers and devices, e.g. USB flash drives, that will be used for sending/receiving CJSM email or for storing 'Restricted' data are appropriately protected against unauthorised use and that data is encrypted to safeguard against unauthorised disclosure". This is no more onerous than the data protection requirements lawyers are already subject to.
Personal information, which is stored, transmitted or processed in information, communication and technical infrastructures, should also be managed and protected in accordance with your organisation's security policy and using best practice methodologies such as the International Standard 27001. Further information on that standard is available here. There is no "one size fits all" solution to information security, and your approach needs to be "risk based". This means that you need to assess the risks posed by the unauthorised access to personal data and/or the accidental loss or destruction of or damage to that personal data and then put in place "appropriate" measures to control those risks that cannot be eliminated. You need to assess the likelihood of such an event occurring and how serious the harm might be, and then consider what steps could be taken to reduce the risk. The likelihood and harm must then be weighed against one another; so, if it would involve an enormous effort and/or cost in time and/or money to take a given step, such that it would be wholly out of proportion to the harm, then the taking of that step will not be appropriate.
The ICO recommends that portable and mobile devices, including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information. The ICO provides further information on practical security measures that will help protect the personal data lawyers hold.
Encryption standards are always evolving, but the ICO's current recommendation is that data controllers ensure that any solution which is implemented meets "the current standard such as the recommended FIPS 140-2 (cryptographic modules, software and hardware) and FIPS-197". "FIPS-197" is a reference to the FIPS Advanced Encryption Standard ("AES").
There are a number of different commercial options available to protect stored information on mobile and static devices and in transmission, such as across the internet.
TrueCrypt is free, open source, cross-platform software that purports to be FIPS-197 compliant (see here) but has not been validated as such by the NVLAP. However, to my knowledge it has been used by agencies such as the UK's Counter-Terrorism Unit, and I am aware that a file encrypted using this software and recovered from the laptop of a convicted terrorist was not able to be compromised by the security services. In my opinion, therefore, and provided a user follows the "golden rules" of computer safety, relying on TrueCrypt to protect the personal data contained in witness statements and other evidential material served as part of the prosecution's case is an appropriate step. Note that TrueCrypt is not suitable for use by advocates on the TSol panel simply because it has not been formally accredited.
A list of vendors offering encryption modules that have been validated to conform to FIPS140-2 can be found here.
A list of encryption products validated as conforming to FIPS-197, as tested by NVLAP accredited Cryptographic and Security Testing (CST) Laboratories, can be found here.
Don't leave your laptop alone. When you are in a public place, it should be within sight at all times.