Companies no longer need to worry about spies with miniature cameras. These days, anyone with an iPod can make off with valuable data.
As every good James Bond fan knows, the essential tool of the trade used to be a subminiature Minox camera. The spy’s daily drudge would involve sneaking into an office in the dead of night, drawing the blinds, turning on the mandatory desk light, dipping into a pocket to retrieve the Minox and making copious copies of secret documents.
By the Thatcher era, the ubiquity of photocopiers had not entirely replaced the Minox, but had made spying and leaking very different trades. Key documents could now be duplicated near-perfectly in the course of a few minutes seized during a lunch hour. Predictably, the Iron Lady was incensed at the series of damaging leaks, to the point where the administrative processes required to make a copy consumed more time and effort than the copying itself – a desperate but ever-futile bid to stem the outflow of secrets.
Now the spy or leaker has only to bring in a blank DVD or their usual iPod in order to make off with gigabytes of governmental embarrassment. As Wikileaks has shown for both corporations and governments alike, those rich pickings don’t even have to be passed to an enemy, merely placed in the public domain. Whether it’s a modest collection of emails between climatologists or a massive database of US military intelligence from Afghanistan, it can be internationally influential.
The problem isn’t one of security but of traceability: many secrets that end up in the hands of spies, or on Wikileaks, have been stolen by those working inside their organisations, who would have had legitimate access to them in the first place. While many printers and copiers, particularly those that support colour, leave hidden signatures on their output, hardly any digital documents contain any information as to their provenance, except in easily stripped or forged metadata.
Most of us have documents or data that we would rather were not seen by others, such as commercial competitors. Even if you use a high-end document management system, there’ll probably be no indelible fingerprint applied to each copy of a document, or export from a database, that establishes by whom and when that material was checked out of the system’s control. Outside specific sectors such as healthcare, uncontrolled content is easily passed around authorised users. When sensitive documents appear in the hands of competitors or on a publicly accessible website, it’s beyond the abilities of even the sharpest Miss Marple to prove who released them.
The answer may lie with steganography, the ability to hide data inside a file without the concealment being apparent. All it needs is a document management system that fingerprints each released copy of sensitive content so that the transaction can be identified against its access logs. When a sensitive PDF or Word document surfaces on Wikileaks, with it would then come the stigmata that could trace the leak back to those responsible. There are some specialist developers who appear to offer such features, but few of us use document management systems, and even fewer of them offer traceability as standard.
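A minimal sketch of the fingerprinting idea described above, added here as an illustration and not taken from any document management product: each checkout is written to an access log, and the released text carries that checkout's ID plus a keyed tag as invisible zero-width characters. The function names, log layout, key and sample text are all assumptions constructed for the example.

```python
import hashlib
import hmac

ZW = {"0": "\u200b", "1": "\u200c"}   # zero-width space / zero-width non-joiner
BITS = {v: k for k, v in ZW.items()}

def _tag(key: bytes, checkout_id: int) -> bytes:
    # Truncated MAC, so a mark cannot be forged to implicate another user.
    msg = checkout_id.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]

def issue_copy(text: str, user: str, when: str, log: list, key: bytes) -> str:
    """Record the checkout in the log and return a copy carrying its hidden ID."""
    checkout_id = len(log) + 1
    log.append({"id": checkout_id, "user": user, "when": when})
    payload = checkout_id.to_bytes(4, "big") + _tag(key, checkout_id)
    mark = "".join(ZW[bit] for byte in payload for bit in f"{byte:08b}")
    head, sep, tail = text.partition(" ")   # hide the mark after the first word
    return head + mark + sep + tail

def trace_leak(leaked: str, log: list, key: bytes):
    """Return the access-log entry behind a leaked copy, or None if no valid mark."""
    bits = "".join(BITS[c] for c in leaked if c in BITS)
    if len(bits) != 64:
        return None                          # mark stripped or damaged
    payload = int(bits, 2).to_bytes(8, "big")
    checkout_id = int.from_bytes(payload[:4], "big")
    if not hmac.compare_digest(payload[4:], _tag(key, checkout_id)):
        return None                          # mark present but not issued by us
    return next((e for e in log if e["id"] == checkout_id), None)

def visible(text: str) -> str:
    """What a reader sees: the text without the zero-width carrier."""
    return "".join(c for c in text if c not in BITS)

if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed sample values
    log = []
    doc = "Quarterly forecast: revenue is expected to fall short of guidance."
    issue_copy(doc, "alice", "2010-08-02T09:14", log, key)
    leaked = issue_copy(doc, "bob", "2010-08-02T12:40", log, key)
    print(visible(leaked) == doc, trace_leak(leaked, log, key))
```

Zero-width characters do not survive retyping, printing or aggressive text normalisation, so this carrier only illustrates the logging-and-lookup pattern; the keyed tag is what separates a fingerprint from the easily forged metadata mentioned earlier.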
You might, of course, think Wikileaks a good thing, as long as it doesn’t damage you. Given the furore that resulted from its release of US military intelligence reports, it’s surprising that little effort seems to have gone into making sensitive documents more traceable. Meanwhile, the largely anonymous, unrepresentative and unaccountable group behind Wikileaks can continue to ride roughshod through world politics.