washingtonpost.com
Thieves' Indifference May Mean VA Laptop's Data Is Secure

By Rob Pegoraro
Saturday, July 1, 2006

If your Social Security Number was on that wayward, now-recovered Department of Veterans Affairs laptop -- or any of the other computers recently lost with sensitive data onboard -- it's probably still safe. But not certainly so.

And you're just going to have to live with whatever uncertainty that realization stirs in you.

That's not the message that the government wanted to convey Thursday, when the Federal Bureau of Investigation's Baltimore field office issued a press release saying, "A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen."

But can you take that statement to the bank? No (well, unless the feds have some new forensic technology we don't know about.)

"The FBI can't really make the claim it's making," said Tim Leehealey, executive vice president of business and corporate development at Guidance Software, a Pasadena, Calif., developer of data-forensics software. "Nobody can make that claim for sure."

(A press representative reached yesterday afternoon at the FBI's Baltimore office could not locate officials to comment on this story.)

Just turning on the computer and opening or copying files will leave numerous traces behind. But there are too many other ways to extract data without detection. You can run specialized tools to clone the computer's entire hard drive to a different machine; you can use a CD of Linux to boot up the computer and copy files; you can physically remove the hard drive and plug it into another computer.

When the VA or other offices try to ensure that lost records haven't landed on identity thieves' hard drives, they run into the same problem that's undermined the entertainment industry's efforts to stop people from circulating music and movies on the Internet.

Namely, computer data, by its nature, wants to go places. You can duplicate it infinitely and perfectly, then distribute those copies at near-zero cost. That's neither bad nor good; it just is.

So in a worst-case scenario, every personal record on that VA laptop could now be online. And you'd never know until the symptoms of identity theft showed up in your bank account.

That said, Leehealey was careful to add that the odds of that scenario are exceedingly low -- for one thing, what kind of idiot would let a stolen laptop be found? "The people smart enough to do this are smart enough not to do it this way," he said.

This is likely true of most stolen corporate computers. They're only good for a quick profit through fraudulent resale -- in the same way most muggers won't bother creating a new ID from the Social Security card in a wallet when they can just spend the victim's cash and credit cards instead.

But that doesn't mean it's smart to carry around your Social Security card, or that a government or company should keep critical data on portable, easy-to-steal devices.

These offices need to keep that data out of circulation as much as possible to limit the damage from mistakes and accidents. Those things will inevitably happen, even to companies that deal with security for a living -- Guidance, for example, lost a few thousand of its customers' credit card numbers to an online break-in last year.

Living with technology, or trying to? E-mail Rob Pegoraro atrob@twp.com.

View all comments that have been posted about this article.

© 2006 The Washington Post Company