Big Risks Come in Small Packages

By Bruce Schneier
Wired News
January 26, 2006

Some years ago, I left my laptop computer on a train from Washington to New York. Replacing the computer was expensive, but at the time I was more worried about the data.

Of course I had good backups, but now a copy of all my e-mail, client files, personal writings and book manuscripts were ... well, somewhere. Probably the drive would be erased by the computer's new owner, but maybe my personal and professional life would end up in places I didn't want them to be.

If anything, this problem has gotten worse. Our digital devices have all gotten smaller, while at the same time they're carrying more and more sensitive information.

My laptop is my primary computer. It could easily contain every e-mail I've sent and received over the past 12 years, an enormous amount of work-related documents, and my personal everything.

I have several USB thumb drives, including a 2-gig drive that serves as my primary backup. The one I carry with me contains a complete dump of the past 12 months of my life, in a device so easy to lose some people I know buy them in bulk.

My cell phone is a Treo. It holds not only my frequently called phone numbers, but my entire address book -- including any personal notes I've made -- my calendar for the past six years, hundreds of e-mails, all my SMS messages, and a log of every phone call I've made and received. At least, it would if I didn't take specific pains to clean that information out once in a while.

A friend of mine has a habit of leaving his iPod on airplanes; he's been through three so far. The most recent one he lost contained not only his full music library, but his address book and calendar as well. And the press regularly reports stories about lost and stolen laptops with sensitive corporate documents or personal information of hundreds of thousands of individuals.

I could go on forever.

The point is that it's now amazingly easy to lose an enormous amount of information. Twenty years ago, someone could break into my office and copy every customer file, every piece of correspondence, everything about my professional life. Today, all he has to do is steal my computer. Or my portable backup drive. Or my small stack of DVD backups. Furthermore, he could sneak into my office and copy all this data, and I'd never know it.

This problem isn't going away anytime soon.

There are two solutions that make sense. The first is to protect the data. Hard-disk encryption programs like PGP Disk allow you to encrypt individual files, folders or entire disk partitions. Several manufacturers market USB thumb drives with built-in encryption. Some PDA manufacturers are starting to add password protection -- not as good as encryption, but at least it's something -- to their devices, and there are some aftermarket PDA encryption programs.

The second solution is to remotely delete the data if the device is lost. This is still a new idea, but I believe it will gain traction in the corporate market. If you give an employee a BlackBerry for business use, you want to be able to wipe the device's memory if he loses it. And since the device is online all the time, it's a pretty easy feature to add.

But until these two solutions become ubiquitous, the best option is to pay attention and erase data. Delete old e-mails from your BlackBerry, SMSs from your cell phone and old data from your address books -- regularly. Find that call log and purge it once in a while. Don't store everything on your laptop, only the files you might actually need.

I don't think we can make these devices harder to lose; that's a human problem and not a technological one. But we can make the loss just cost money, not privacy.

earlier essay: Anonymity Won't Kill the Internet
later essay: Fighting Fat-Wallet Syndrome
categories: Computer and Information Security
back to Essays and Op Eds

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..