The Paradox named Security & Private Investigators
Hands up anyone who encrypts emails? Hard drives? Attachments?
What? No one?
Seems it's time I get onto my hobby horse again. Security and privacy. Or lack of it when it comes to people and organisations who should know better. I am speaking of private investigators. And their company clients.
What is encryption? Encoding data in such a way that no one, no one at all, can decode it to read it. Unless the correct passcode is used.
Imagine you have done an investigation and your client, some big insurance show, asks you to email the report urgently. Being a true pro, you package up the report nicely and click SEND. And a week later the confidential report starts appearing on forums all over the place. Or on the desk of the plaintiff's solicitor.
Or, you have a very cool website with a special client interface. You make a big deal telling everyone about your latest technology and how clients access their reports, invoices, video etc through a special web-based interface.
But you forgot that many people use generic passwords.
"Hacking" often means nothing more than guessing a username and a password. And suddenly some stranger on the other side of the world logs into your important client's special section on your site and grabs a whole pile of DOC files. Nice reports. Guess what he's going to do with them?
Get the message?
How can your client decrypt your encrypted reports? You create a self-decrypting archive which is basically the encrypted data which includes a decryption mechanism. You email the file to the client and then the passcode in a separate email. Or personally hand him the passcode for future use.
Let's say you're updating your PC so the old one is going out. You've done the right thing and formatted the hard drive before flogging off the computer on eBay. And the buyer uses some readily available little program and restores the majority of your hard drive content. Some incriminating accounts? Juicy client reports? Can't be done? You bet! I can recover files from a hard drive that's been formatted three times. And so can most other people.
And what about your USB memory stick? Ever lost one?
How to wipe data? Most encryption programs, certainly PGP, includes a wiping component which overwrites data in such a way that it is not possible to recover it.
How come that the very people who should know better don't bother to secure data on their computer or when using the internet?
I've been running this site for many years. And been in the investigation business for many more, yet I am yet to come across a single person, a single agency, a single company, that asked me to encrypt before sending a report by email. No, not right. Actually about 10 years ago or so an agency in Israel insisted on encrypted email attachments. That was the only time.
Installing and using something like PGP doesn't take a degree in IT. Exchanging attachments with clients is quite simple even if the client does not have PGP installed.
I accept that emailing reports and invoices is not a daily event for most private investigators. But using the PC is. And most are online most of the time, therefore exposed to serious risk of attack. The attack does not necessarily have to come from the outside. It can easily come from within by way of some Trojan or keylogger which is often slipped into your computer by infected software downloaded from who knows where. Or through visiting some sites which, well…. You don't want to admit to.
At a minimum you should get PGP and install it. Then encrypt all your sensitive data. And wipe deleted files so they can never be recovered. By anyone.
Find out more about encryption from privacy advocates Electronic Frontiers Australia and download PGP from PGPI.ORG. It's free.
Michael Hessenthaler