1

As part of a new eDiscovery effort, we send large amounts of data on encrypted hardware to third parties (outside counsel) that are not very technically proficient (so no key exchange via PGP desktop). Our compliance policy states no passwords in emails but IT Sec team has no great workaround other than voice communication. What other ways can we communicate this password? Is the fact that the email is completely separated from the hardware good enough?

Edited with more info

A little more information after doing some additional digging. There are some third-party tools that appear to be made for this kind of issue: self-destructing password notes, pay utilities, etc... Joel Spolsky mentions using file-sharing sites. That seems like a good compromise, put the password in a file and share the file with the specific email of the person you are sending the drive to. Any further thoughts on these approaches?

Deer Hunter
  • 5,347
  • 6
  • 35
  • 50
SDH
  • 111
  • 2
  • I'm still not sure what's wrong with a phone call to transfer the password. Some form of self destructing note is probably OK, but I personally prefer simplicity to solutions. It doesn't provide as much authentication as a phone call does. Anyone that routinely has access to the email address would have access to the password until it's viewed and destroyed. It's hard to know really how secure this should be without knowing the value of the data, and who and how someone might benefit from decrypting it. – Steve Sether Dec 29 '14 at 01:13

2 Answers2

4

As a matter of policy, I wouldn't use any form of communication that's by default recorded because you never have control over what happens to it and who might have access to it in the future. That rules out email. As you mentioned, the public key methods are out too, since the lawyer isn't technically savy enough.

Data normally is unlikely to be stolen in transit, but far more likely to be stolen at rest. So while email, and a voice call are both unencrypyed, the voice call is far more secure since they normally aren't recorded. Though these days it's possible that even a voice call to a lawyer might be recorded.

You'll have to set your own level of paranoia, but it sound like you're not the NSA, so I'd say if you and the lawyer both know each other and can recognize each others voice, that's going to be "secure enough" to thwart evil doers. You'd still be vulnerable to government snooping of course. Check with your lawyer if exchanging a password is protected by attorney/client privilege.

Steve Sether
  • 21,620
  • 8
  • 51
  • 78
2

My experience is that the least horrible solution is to arrange a phone call at a specified time, and authenticate them via knowledge that you both share, but which would be unlikely for an adversary to know.

For example, in the invitation to the call, let them know that you will ask them a case-related question to authenticate themselves.

me: Hi, Bob. How're the kids?   
Bob: Hi. They're alright. You said you had a question for me   
me: Yes. What was the name again of that witness who alleged they were out of town when the plaintiff hurt his ankle?    
Bob: Oh, Mary? Yeah, not sure her story stands up   
me: I know. So anyway, the password is: SIERRA SIERRA FOXTROT NINER SIX FOXTROT SEVEN PAPA ONE ZERO   
Bob: Thanks. I got SSF96F7P10   
me: Yep. See you in the next phase of discovery
DTK
  • 1,190
  • 7
  • 8