More thoughts on the IBTS data breach

One of the joys of having occasional bouts of insomnia is that you can spend hours in the dead of night pondering what might have happened in a particular scenario based on your experience and the experience of others.

For example, the IBTS has rushed to assure us that the data sent to New York was encrypted to the 256-bit AES standard. To a non-technical person that sounds impressive. To a technical person it sounds only slightly impressive: the cipher is rarely the weak point. What matters is how the key (in practice, a password) was chosen and handled, and what was done with the data once it had been decrypted so that somebody could work on it.

However, a file containing 171,000+ records could be fairly large, depending on how many fields each record held and whether any of them were long ‘free text’ fields. When data is extracted from a database it is usually dumped to a text file in which the fields are marked off by delimiters such as commas or tab characters, or laid out in fixed-width columns.

When a file is particularly large, it is often compressed before being put on a disc for transfer – a bit like how we all try to compress our clothes in our suitcase when trying to get away with just one bag on Aer Lingus or Ryanair flights. One of the most common tools used (in the Microsoft Windows environment) is WinZip. It compresses files but can also encrypt the archive so that a password is required to open it. WinZip offers two kinds of encryption: the legacy ‘Zip 2.0’ encryption, which is cryptographically weak and known to be breakable with a known-plaintext attack, and AES, which is what a ‘256-bit AES’ claim would have to refer to. When the file needs to be used it can be extracted from the archive, so long as you have the password.
So it would not be entirely untrue for the IBTS to say that they had encrypted the data before sending it and that it was in an encrypted state on the laptop, if all they had done was compress the file using WinZip and tick the box to apply encryption. And as long as the password wasn’t something obvious or easily guessed (like “secret” or “passw0rd” or “bloodbank”), and wasn’t written down or stored with the disc, the data in the compressed file would be relatively secure behind the encryption. The point to hold on to is that an attacker guesses the password, not the 256-bit key, so the effective strength of a password-protected archive is the strength of the password, whatever the cipher on the label.
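To put a number on ‘relatively secure’, here is an added example (my own, not code from the original post and not anything the IBTS or NYBC used) that estimates the effective key strength of a password-protected archive: the cipher may be AES-256, but the archive only resists min(256, password entropy) bits of guessing. The word list, its assumed size of one million entries and the guess rate in the demo are assumptions for illustration, not measured figures, and the entropy model is deliberately crude (it flatters patterned passwords).

```python
import math
import string

# Constructed stand-in for an attacker's wordlist (assumption): a real cracking
# dictionary runs to millions of entries, so a word found here is scored as
# log2(ASSUMED_WORDLIST_SIZE), not log2(len(COMMON_WORDS)).
COMMON_WORDS = {"secret", "password", "bloodbank", "donor", "ibts", "letmein", "welcome"}
ASSUMED_WORDLIST_SIZE = 1_000_000

# Undo the usual digit-for-letter substitutions ("passw0rd", "bl00dbank") before
# the dictionary lookup; cracking tools apply such rules automatically.
LEET = str.maketrans("0134@$", "oleaas")


def charset_size(pw: str) -> int:
    """Size of the smallest standard character-class mix that contains pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable symbols
    if " " in pw:
        size += 1
    return size


def password_entropy_bits(pw: str) -> float:
    """Crude upper bound on the guessing work for pw, in bits.

    A dictionary word (after leet normalisation) costs an attacker at most a
    wordlist scan; anything else is scored as if it were uniformly random over
    its character classes, which flatters patterned passwords like "Aaaa1111".
    """
    if not pw:
        return 0.0
    if pw.lower().translate(LEET) in COMMON_WORDS:
        return math.log2(ASSUMED_WORDLIST_SIZE)
    return len(pw) * math.log2(charset_size(pw))


def effective_key_bits(pw: str, cipher_key_bits: int = 256) -> float:
    """What the archive actually resists: the weaker of cipher key and password."""
    return min(cipher_key_bits, password_entropy_bits(pw))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker to try every possibility."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    # Assumed offline guess rate for illustration only; the real figure depends
    # on the archive format's key derivation and on the attacker's hardware.
    RATE = 1e6
    for candidate in ["secret", "passw0rd", "bloodbank", "kX9mQ2vLp7Rz",
                      "g7R#pL2q!Xv9mN4z$Wt8bK1h@Yc3dF6j%Qs5eU0a"]:
        bits = effective_key_bits(candidate)
        print(f"{candidate:42} {bits:6.1f} bits  "
              f"{seconds_to_exhaust(bits, RATE) / 86400:.3g} days at {RATE:.0e}/s")
```

Run it and the three passwords from the paragraph above come out at about 20 bits each, i.e. a second or so of offline guessing at a million guesses a second, while the 256-bit figure is only reached by a long random password that nobody types from memory. Whatever the real password was, it is that number, not ‘256-bit AES’, that the IBTS is relying on.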

However, for the data to be used for anything it would need to be uncompressed and would sit, naked and unsecured, on the laptop to be prodded and poked by the application developers as they went about their business. Were this to be the case then, much like the fabled emperor, the IBTS’s story has no clothes. Unencrypted data would have been on the laptop when it was stolen. Your unencrypted, non-anonymised data could have been on the laptop when it was stolen.

The other scenario is that the file itself was encrypted using purpose-built software. There are many tools on the market to do this, some free, some not so free. In this scenario the file is encrypted and is not necessarily compressed. To access it one would need the appropriate ‘key’: either a password or a key file saved to a memory stick or similar that lets the encryption software know you are the right person to open the file.

However, once you have the key you can decrypt the file and save a plaintext copy. If the file was being worked on for development purposes it is quite possible that such a copy was made. This may have happened contrary to policies and agreements because, sometimes, people take shortcuts to get to a goal and do silly things. In that scenario, personal data relating to Irish blood donors could have wound up in an unencrypted state on a laptop that was stolen in New York.

[Update] Having discussed this over the course of the morning with a knowledgeable academic who used to run his own software development company, it seems pretty much inevitable that the data was actually in an unencrypted state on the laptop, unless there was an unusual level of diligence on the part of the New York Blood Clinic regarding the handling of data by developers when not in the office.

The programmer takes data home of an evening or weekend to work on some code without distractions or to beat a deadline. To use the file he or she would need to have decrypted it (unless the software being tested could read encrypted files directly… in which case, does the development version have ‘hardened’ security itself?). If the file was decrypted to be worked on at home, it is not beyond possibility that it was left unencrypted on the laptop at the time it was stolen. And even if the working copy had been deleted afterwards, an ordinary delete or a trip to the Recycle Bin does not remove the data from the disk, and fragments of it can also linger in temporary files and the page file.
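As an added example (not part of the original post, and not any tool the IBTS or NYBC used), here is the sort of check I would run on a developer’s laptop to find the plaintext working copies described above: walk the disk, pick out delimited text files, and flag any whose header row names personal-record fields. The field names, the folder layout and the sample records are constructed for the example. Note what it does not find: data in the page file, in slack space or in a deleted file is beyond a file scan and needs forensic tooling.

```python
import csv
import os
import tempfile

# Header field names that mark a file as a dump of personal records. Assumption:
# a real export would use names like these; adjust to the actual schema.
IDENTITY_FIELDS = {"name", "surname", "forename", "dob", "date_of_birth",
                   "address", "donor_id", "pps", "phone"}
DELIMITERS = (",", "\t", "|", ";")


def looks_binary(chunk: bytes) -> bool:
    """A NUL byte in the first few KB is a reliable sign of a non-text file."""
    return b"\x00" in chunk


def header_fields(path: str):
    """Lower-cased header fields of a delimited text file, or None if it is not one."""
    with open(path, "rb") as fh:
        chunk = fh.read(4096)
    if not chunk or looks_binary(chunk):
        return None
    try:
        text = chunk.decode("utf-8")  # strict: undecodable bytes mean "not a text dump"
    except UnicodeDecodeError:
        return None
    first = text.splitlines()[0]
    delim = max(DELIMITERS, key=first.count)  # the delimiter that occurs most often
    if first.count(delim) == 0:
        return None
    return [f.strip().strip('"').lower() for f in next(csv.reader([first], delimiter=delim))]


def find_plaintext_exports(root: str) -> list:
    """Relative paths of every delimited text file whose header names identity fields."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            fields = header_fields(path)
            if fields and IDENTITY_FIELDS.intersection(fields):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree(root: str) -> str:
    """Constructed sample of a developer's working folder (fictitious records)."""
    os.makedirs(os.path.join(root, "work", "temp"), exist_ok=True)
    files = {
        "donors_export.csv":
            'donor_id,surname,forename,dob,address\n1001,Doe,Jane,1970-01-01,"1 Main St, Dublin"\n',
        # the kind of stray temp copy an editor or a quick script leaves behind
        os.path.join("work", "~donors_export.tmp"):
            "donor_id\tsurname\tforename\tdob\n1002\tRoe\tRichard\t1965-05-05\n",
        os.path.join("work", "notes.txt"):
            "remember to re-encrypt the file before going home\n",
        os.path.join("work", "temp", "stats.csv"):
            "month,donations\n2007-07,1234\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8", newline="") as fh:
            fh.write(content)
    # a compressed archive stands in for the "encrypted" copy: binary, so skipped
    with open(os.path.join(root, "donors_export.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04\x00\x00" + b"\x00" * 32)
    return root


def demo() -> list:
    """Build the constructed sample tree in a fresh temp dir and scan it."""
    return find_plaintext_exports(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for hit in demo():
        print("plaintext personal-data export:", hit)
```

On the constructed tree the scan reports the CSV export and the tab-delimited temp copy, and ignores the archive, the notes file and the aggregate statistics. The temp copy is the interesting one: it is exactly the kind of file that exists because a developer decrypted the data to work on it and never went back to tidy up.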

All of which brings me back to a point I made yesterday….

Why was un-anonymised production data being used for a development/testing activity in contravention to the IBTS’s stated Data Protection policy, Privacy statement and Donor Charter and in breach of section 2 of the Data Protection Act?

If the data had been fake, the question of encryption or non-encryption would be moot. Fake is fake, and while the theft would be embarrassing it would not have constituted a breach of the Data Protection Act. I notice from Tuppenceworth.ie that the IBTSB were not quick to respond to Simon’s innocent enquiry about why dummy data wasn’t used.

9 thoughts on “More thoughts on the IBTS data breach”

  1. Daragh,
    Bernard Tyers of DRI raised the same question on last night’s Drivetime on RTE Radio.

    The IBTS came back later in the programme with an incomprehensible explanation in a follow-up statement. They weren’t questioned on it.

    I now can’t find that explanation to reproduce it on the Drivetime website.

  2. I received a letter from the IBTS today stating that my details were on the laptop.

    Right now I’m extremely angry. I cannot believe the crass stupidity and complete disregard for my privacy.

  3. Fitz

    I got a letter myself. Which confused me greatly because I didn’t give blood at all in the latter half of 2007 (no real excuse – just couldn’t prioritise it) and I don’t recall having had any blood tests in the latter half of 2007… I tend to be a fairly healthy bunny.

    So, assuming that I’m right and my donation records shouldn’t have been updated during the period that the IBTSB says they took the data from…

    … WHAT THE F**K WAS DATA ABOUT ME DOING IN NYC?

    I share your anger. I suggest that you annoy the hell out of them by formally requesting a copy of all data they hold about you. Will only cost about €6.00 and they must respond within 40 days with data in an intelligible format.

    That’s what I’ll be doing.

  4. So, I’ve written a letter. The more I think about this the more pissed off I am. I’ve written it and I fully expect a half-assed response:
    —————————-

    Mr. Andrew Kelly
    Chief Executive
    Irish Blood Transfusion Service
    National Blood Centre
    James’s Street
    Dublin 8

    Dear Mr. Kelly:
    I am writing in response to your letter of February 22nd regarding the theft of a computer on which my personal records were stored.
    I have a number of questions to which I require answers. Unfortunately the staff member on the IBTS information line was unable to answer any of the questions.
    When I submitted my personal records to the IBTS to facilitate donation of blood products I was not informed that these records could be used for software development and/or testing. Have my records been used for any other purpose other than to facilitate donation of blood products at IBTS clinics?
    Why was un-anonymised production data being used for a development/testing activity in contravention to the IBTS’s stated Data Protection policy, Privacy statement and Donor Charter and in breach of section 2 of the Data Protection Act?
    Was the use of real data (as opposed to dummy or pseudo data) a requirement of the software development project being undertaken by the NYBC? If not why was real data used? Could this software development project have been completed using anonymous medical data? If not, why not?
    Why was the data being transported on a computer laptop? Why was the data not secured onsite at IBTS or NYBC offices?
    Who authorized the transfer of the personal records outside of the EU?
    Was the transfer of the personal records strictly in compliance with all data protection laws in the Republic of Ireland and the European Economic Area? If yes, was this transfer confirmed to be in compliance before or after the transfer took place?
    What file format was used to store the data on the CD-ROM? What file format was used to store the data on the laptop?
    What software application was used to encrypt the data?
    When the laptop was stolen was the CD-ROM containing the data stolen also?
    At the time of the theft was the data stored on both the CD-ROM disc and the laptop?
    During the course of the software development work was it necessary to unencrypt the data? If yes was unencrypted data stored in any place (including cache files or memory page files) on the laptop hard-disc?
    At the time the laptop was stolen were there any unencrypted records stored on the laptop in any format?
    If the laptop at any time contained unencrypted data containing personal records was this data deleted? How was it deleted? Was the data wiped from the hard disk of the laptop or was it moved to a ‘recycle bin’ (assuming the Microsoft Windows Operating System was installed on the laptop)?
    Paragraph 3 of your letter is unclear. I would like a full explanation of why data was first encrypted on the CD-ROM, transferred to a laptop and then re-encrypted. Are you suggesting that the data was encrypted twice? Are you stating that at no time was the data unencrypted on the laptop?
    Regarding the password used for the encrypted data:
    Can the IBTS confirm that the password was not stored in any location on the laptop or in any case/packaging that was stolen with the laptop?
    Is the IBTS satisfied that the password used can withstand a ‘brute force’ or ‘dictionary’ based attack?
    How many people know the password?
    Can the IBTS and/or NYBC confirm that the password was what is commonly known as a ‘strong’ (high-entropy) password that used non-sequential and random ASCII characters not limited to letters and numbers?
    Did the password meet the IBTS and NYBC security policies for passwords?
    Was the password a system-created random password or was it created by a person in the IBTS or NYBC?
    Is the password unique to the data on the CD-ROM and laptop or is it in use for other data/applications/purposes?
    What is the IBTS plan to indemnify people whose personal records were stored on the stolen laptop? I am concerned, despite your assurances to the contrary, that in the future this private data could be made publicly available and cause me to suffer financial loss or loss of reputation.
    I wish to make an access request under the Data Protection Acts 1988 and 2003 for a copy of any information you keep about me, on computer or in manual form. I am making this request under section 4 of the Data Protection Acts.
    Thank you for your assistance. I look forward to hearing from you.

  5. Fitz,

    remind me not to contradict you in a pub quiz. You strike me as a person who doesn’t get mad but gets even… I feel somewhat out-pedanted.

    Would it be OK for me to reformat and publish the text of your letter as a standard form document that any visitor to this site might choose to send to the IBTSB?

    Just to save people the hassle and all.

    Not for any divilment. I swear. Honest.

    (I particularly like the fact that you request manual data as well… it may not have registered with the IBTS that since the 27th of October last, that stuff in the filing cabinets they have also falls under the remit of the DPA…)

  6. I feel almost flattered 🙂 as per my email I’m going to re-read it and edit if necessary. I’ll post a copy here for you to use and will put it on my own blog (which is more of a love-in for my music and family than a blog)

    I can be a pedantic git if I want. If the Chief Executive wants to write to me the least I can do is respond. It’s only good manners after all . . .

    Now, don’t lose the run of yourself. You just beat me to the rabble-rousing. 😉

    I do agree that the only polite response to the letter from the CEO is a letter to the CEO. If you copy it to his new best friend the Data Protection Commissioner it would be even more polite. Sending it registered post to make sure it gets to him would cap the politeness off in a manner that would satisfy the most pernickety of social etiquette gurus.

    That would be:

    Mr Billy Hawkes,
    Data Protection Commissioner
    Canal House
    Station Road
    Portarlington
    Co. Laois.

    So. I didn’t edit it much. Here is what I am sending to the IBTS Chief Executive and Data Protection Commissioner. Feel free to re-use any or part of this. I’m not an expert in data encryption, law or software development. I do work for a software multinational and have limited knowledge of the software development process. I do have Project Management experience and qualifications. I am not a journalist and have no connection to any media organization.
    ======================================
    Mr. Andrew Kelly
    Chief Executive
    Irish Blood Transfusion Service
    National Blood Centre
    James’s Street
    Dublin 8

    Cc: Mr Billy Hawkes,
    Data Protection Commissioner
    Canal House
    Station Road
    Portarlington
    Co. Laois.

    Dear Mr. Kelly:
    I am writing in response to your letter of February 22nd regarding the theft of a computer on which my personal records were stored.

    I have a number of questions to which I require answers. Unfortunately the staff member on the IBTS information line was unable to answer any of the questions. I respectfully request that my questions are not answered by multiple agents of the IBTS including press agents and functional managers and prefer a written response from you directly.

    Regarding the use of personal records:
    When I submitted my personal records to the IBTS to facilitate donation of blood products I was not informed that these records could be used for software development and/or testing. Have my records been used for any other purpose other than to facilitate donation of blood products at IBTS clinics?
    Why was un-anonymised production data being used for a development/testing activity in contravention to the IBTS’s stated Data Protection policy, Privacy statement and Donor Charter and in breach of section 2 of the Data Protection Act?
    Was the use of real data (as opposed to dummy or pseudo data) a requirement of the software development project being undertaken by the NYBC? If not why was real data used? Could this software development project have been completed using anonymous medical data? If not why not?

    Regarding the transfer and transport of personal records:
    Why was the data being transported on a computer laptop? Why was the data not secured onsite at IBTS or NYBC offices?
    Who authorized the transfer of the personal records outside of the EU?
    Was the transfer of the personal records strictly in compliance with all data protection laws in the Republic of Ireland and the European Economic Area? If yes, was this transfer confirmed to be in compliance before or after the transfer took place?

    Regarding the data files (personal records) and encryption of same:
    What file format was used to store the data on the CD-ROM? What file format was used to store the data on the laptop?
    What software application was used to encrypt the data?
    When the laptop was stolen was the CD-ROM containing the data stolen also?
    At the time of the theft was the data stored on both the CD-ROM disc and the laptop?
    During the course of the software development work was it necessary to un-encrypt the data? If yes was unencrypted data stored in any place (including cache files or memory page files) on the laptop hard-disc?
    At the time the laptop was stolen were there any unencrypted records stored on the laptop in any format?
    If the laptop at any time contained unencrypted data containing personal records was this data deleted? How was it deleted? Was the data wiped from the hard disk of the laptop or was it moved to a ‘recycle bin’ (assuming the Microsoft Windows Operating System was installed on the laptop)?

    Paragraph 3 of your letter is unclear. I would like a full explanation of why data was first encrypted on the CD-ROM, transferred to a laptop and then re-encrypted. Are you suggesting that the data was encrypted twice? Are you stating that at no time was the data unencrypted on the laptop?

    Regarding the password used for the encrypted data:
    Can the IBTS confirm that the password was not stored in any location on the laptop or in any case/packaging that was stolen with the laptop?
    Is the IBTS satisfied that the password used can withstand a ‘brute force’ or ‘dictionary’ based attack? If yes on what basis does the IBTS form this opinion?
    How many people know the password?
    Can the IBTS and/or NYBC confirm that the password was what is commonly known as a ‘strong’ (high-entropy) password that used non-sequential and random ASCII characters not limited to letters and numbers?
    Did the password meet the IBTS and NYBC security policies for passwords?
    Was the password a system-created random password or was it created by a person in the IBTS or NYBC?
    Is the password unique to the data on the CD-ROM and laptop or is it in use for other data/applications/purposes?

    I remain extremely concerned, despite your assurances to the contrary, that in the future this private data could be made publicly available and cause me to suffer financial loss or loss of reputation. What is the IBTS plan to indemnify people whose personal records were stored on the stolen laptop?

    I wish to make an access request under the Data Protection Acts 1988 and 2003 for a copy of any information you keep about me, on computer or in manual form. I am making this request under section 4 of the Data Protection Acts.

    Thank you for your assistance. I look forward to hearing from you.
    Yours sincerely, etc

  9. Pingback: You Know My Name « pushing and pulling, it's a tug of war
