Are there any "private" messages anymore?
Regulatory compliance has become such a burden on the financial and health industries (think Sarbanes-Oxley and HIPAA) that any form of "off the record" messaging is welcomed by insiders. Sure it's not in compliance, but it is out of earshot of the compliance manager, right?
Not so fast, especially if you've been direct messaging your buddies using BlackBerry's PIN messaging (direct messaging between BlackBerry devices, without a server in the middle).
A recent lawsuit presented PIN message records between executives working with CIBC in Toronto. CIBC filed the lawsuit against Genuity Capital Management, and the messages were sent between Genuity execs when they were still CIBC execs. Apparently, CIBC had deployed software which allowed CIBC to capture PIN messages as they traversed the cell towers. Security experts have also shown that the BlackBerry devices themselves can retain PIN message data on board unless the user purposefully clears the memory.
Logging of PIN messages was not thought to be possible, according to the reporter at ComputerWorld (print) who wrote the article "Lawsuit Reveals Open BlackBerry" (January 17, 2004 print edition). I find that odd but not surprising. Technologists understand that data can be logged, but there are still technology users who think they can operate devices anonymously without anonymizing proxy servers and other security safeguards.
If you think education is expensive, just try ignorance.