Practice and Procedure

Encryption and data protection for lawyers

PUBLISHED February 2, 2012

This note is intended to provide criminal defence lawyers working in the CJS with guidance in relation to the selection of encryption products to protect information. Note that the Treasury Solicitors Department has produced its own guidance (which differs to this) aimed at barristers on their panel list. Advocates who prosecute on behalf of any government agency should make sure that they comply with that guidance.

What do I mean by the term "encryption"

Encryption is used to protect data such as files on computers and storage devices (e.g. USB drives). Encryption software uses a complex series of embedded mathematical algorithms to protect and encrypt information, "hiding" (or more accurately "disguising") the data and preventing any inadvertent access or unauthorised disclosure of information. Encrypting files helps protect them should physical security measures fail and is also used to protect data in transit, (e.g. via email and over the Internet).

Government organisations often insist that data is encrypted to a "FIPS140-2" standard. This is a US government computer security standard used to accredit cryptographic modules and applies to specific products that have been validated. Whilst MOJ and the CPS will often quote this is a required standard for systems that receive or store data received via the Criminal Justice Secure eMail Service ("CJSM"), such a provision is not included in CJSM's terms and conditions. In fact, what a defence lawyer needs to ensure is that "portable computers and devices, e.g. USB flash drives, that will be used for sending/receiving CJSM email or for storing ?Restricted? data are appropriately protected against unauthorised use and that data is encrypted to safeguard against unauthorised disclosure". This is no more onerous than the data protection requirements lawyers are already subject to.

Data Protection - Information Commissioner's Office (ICO) Guidance

Personal information, which is stored, transmitted or processed in information, communication and technical infrastructures, should also be managed and protected in accordance with your organisation?s security policy and using best practice methodologies such as using the International Standard 27001. Further information on that standard is available here. There is no "one size fits all" solution to information security, and your approach needs to be "risk based". This means that you need to assess the risks posed by the unuathorised access to personal data and / or the accidental loss or destruction of or damage to that personal data and then put in place "appropriate" measures to control those risks that cannot be eliminated. You need to assess the likelihood of such an event occurring and how serious the harm might be, and then consider what steps could be taken to reduce the risk. The likelihood and harm must be then be weighed against one another ? so, if it would involve an enormous effort and/or cost in time and/or money to take a given step, such that it would be wholly out of proportion to the harm, then the taking of that step will not be appropriate.

The ICO recommends that portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information. The ICO provides further information on practical security measures that will help protect the personal data lawyers hold.


Encryption standards are always evolving, but the ICO's current recommendation is that data controllers ensure that any solution which is implemented meets "the current standard such as the recommended FIPS 140-2 (cryptographic modules, software and hardware) and FIPS?197". "FIPS-197" is a reference to the FIPS Advanced Encryption Standard ("AES")


Software encryption products available

There are a number of different commercial options available to protect stored information on mobile and static devices and in transmission, such as across the internet.

TrueCrypt is free, open source, cross-platform software that purports to be FIPS-197 compliant (see here) but has not been validated as such by the NVLAP. However, to my knowledge it has been used by agencies such as the UK's Counter-Terrorism Unit, and I am aware that a file encrypted using this software and recovered from the laptop of a convicted terrorist was not able to be compromised by the security services. In my opinion, therefore, and provided a user follows the "golden rules" of computer safety, relying on TrueCrypt to protect the personal data contained in witness statements and other evidential material served as part of the prosecution's case is an appropriate step. Note that TrueCrypt is not suitable for use by advocates on the TSol panel simply because it has not been formally accredited.

A list of vendors offering encryption modules that have been validated to conform to FIPS140-2 can be found here.

A list of encryption products validated as conforming tonFIPS-197, as tested by NVLAP accredited Cryptographic And Security Testing (CST) Laboratories can be found here.

The "Golden Rules" of computer safety

  1. Always use a strong password, and do not share it with anyone! If you must write it down, do not store it in an easily accessible location, and NEVER store it with your computer. The best password is a string that you can easily remember but that no one can easily guess (maybe a line from your favourie song or a quote from a film), ideally a long succession of uppercase letters, lowercase letters, numbers and valid punctuation marks. Passwords should never contain any information about yourself, like name, address or date of birth.
  2. Never store your password in a web browser or application.
  3. Install a current antivirus program and scan your computer regularly.
  4. Always install the latest updates to each operating system on your computer.
  5. Scan your computer regularly for spyware and adware.
  6. Always logout of applications when you are finished. When using a computer at a public site, always restart the machine after you are finished.
  7. Don't use any CDs, DVDs, floppy disks, memory keys or files given to you by others without scanning them first for viruses.
  8. Never open unexpected email attachments or accept unexpected file transfers.
  9. Backup your computer and/or important files regularly. Make sure that the back-up itself is encrypted, or stored on an encrypted device!
  10. Limit the amount of information you post on the Internet about yourself, your friends and your family. Remember that your personal information is accessible to everyone in the public domain when you post it on websites like Facebook.
  11. Be informed about hoaxes, scams and phishing attacks. Attacks frequently come in the form of a message from a supposedly trusted source asking for confidential information.
  12. < li>Don't leave your laptop alone. When you are in a public place, it should be within sight at all times.

  13. Whenever possible, secure your laptop to a fixed object with a laptop security cable.
  14. If you are leaving your laptop unattended you should shut it doen or lock it electronically (Windows Key + L in Windows XP and Vista) to prevent access by any unauthorized user.
  15. Always use a screensaver with password protection.