Data doubts - people are the weakest link

How secure is your memory stick?

USB “key drives”, contrary to what their name suggests, can be a security nightmare. A new, patented European design of key drive improves security by keeping fallible humans out of the loop, using hardware techniques to lock up sensitive data.

To organisations concerned with computer security, the ubiquitous USB “key drive” or “memory stick” is a problem. Such drives are quick to use, easy to conceal, and are available in huge capacities. A USB drive containing private information can easily be stolen from a pocket or briefcase, or used to smuggle confidential files out of an office.

Some USB drives encrypt data so that it can only be written or copied by someone who knows the password or has the correct fingerprint. This is useful if the device itself is stolen, but cannot stop the theft of data by someone who is authorised to access it.



What is needed in such cases is a technology that eliminates human fallibility. Ensuring that a certain USB drive could only be read by a particular PC would remove the need for passwords or fingerprints, while a PC that rejects unauthorised USB drives would go a long way to preventing data theft within organisations.
Reliable hardware fingerprints

French company MobileGov has developed and patented just such a technology as a spin-off from an EU-supported project to transform Europe’s legal systems through technology. MobileGov’s Device Linker is a secure USB drive that can only be used on PCs for which it has been authorised. Another product, called Device Authenticator, performs a complementary function: it allows a PC to reject unauthorised USB keys or other hardware devices.

The ability to authorise any kind of computer hardware has all kinds of applications, points out Michel Frenkiel, president of MobileGov. For instance, he says, security based on biometric indicators such as fingerprints is becoming common — but what if someone unplugs a fingerprint reader and replaces it with a similar one that has been programmed to accept a data thief’s fingerprints? The MobileGov technology could prevent this by refusing to accept the unauthorised device.

Key to MobileGov’s patent is the use of a “hardware fingerprint” — a unique number calculated from the hardware and software components of a PC, PDA, mobile phone, USB drive or other device. Limited forms of hardware coding are sometimes used to prevent software theft, Frenkiel notes, but the MobileGov system is more powerful and flexible. Manufacturers could even use it to detect tampering in equipment that is under warranty, for instance.

MobileGov launched Device Authenticator in 2006 and Device Linker in 2007, to strong interest from the French media. The company is currently working with both the French defence ministry and Microsoft, whose future Vista Professional operating system will offer such features, Frenkiel says.
A wider view of legal processes

MobileGov’s technology is only the most visible of several useful results to emerge from a much broader R&D initiative. The two-year eJustice project, which finished in February 2006, aimed to make legal procedures more efficient by using information and communications technology to replace cumbersome paper-based workflows. The main focus was on biometric authentication via smart ID cards. The researchers developed ways of combining face recognition and fingerprinting that reduce the error rate by a factor of 30, to an average of 1 in 10,000, compared to using either technology on its own.

eJustice created a card-based combined biometric security solution that works with most of the systems currently used for electronic signatures and is technically ready for use. The result, say the project partners, will be legal systems that are highly secure, yet easy to use and which protect personal data strongly. With current biometric passports, for instance, a computer extracts personal data from the passport and compares it with information from a face or fingerprint scanner. The eJustice ID card is more secure because it stores personal data in a form that cannot be extracted; it is the card itself that compares the stored and scanned profiles.

Another part of eJustice concerned the translation of traditional legal workflows into processes that computers can understand. An example of the work done during the project is Lexecute, a software package produced by eJustice partners led by the Max Planck Institut für Informatik in Germany.

Lexecute shows the stages of a legal case from the viewpoint of both legal professionals and their clients. It has applications across e-government as a tool for case study management, documentation and education, and is already being used in Germany to train clerks. By improving people’s understanding of how legal processes are supposed to work, tools like Lexecute can increase transparency and highlight opportunities for improvement, Frenkiel says.

The work of eJustice was taken up in another project, egov.eu">R4eGov, also coordinated by Michel Frenkiel. R4eGov, which started in 2006 and runs until 2009, is helping to create the security and interoperability needed for the EU’s i2010 initiative, which aims to deliver a single European Information Area, improve public services and quality of life, and promote innovation.

Ten years from now, the eJustice partners believe, legal procedures will be based on integrated technologies that will make them simpler, quicker and more secure. Relieved of the need to handle so much paper, legal professionals will have more time to think and learn, so their performance will improve and trust in the law will increase. Cross-border legal processes of all kinds, including those that deal with crime, will become more effective.