Portable IT privacy

19 September 2013

The 'tablet' computer has, within just a few years, become an established feature of everyday life.

What explains the exponential growth in the popularity of these devices? Several factors have played an important role, including portability, and the increasing acceptance of touchscreen displays.

Perhaps the major selling point, however, has been the high quality of the displays. Older people, usually the last to adapt to new technology, have found that the exceptional screen clarity aids reading.

And the technology is getting even better. In-Plane Switching (IPS) screen technology, for example, offers rated viewing angles of over 170 degrees, horizontally and vertically.
However, the risk of all this innovation is often overlooked. Workers need to be aware of who is capable of reading their screens, and consider that if used out of the office or in a 'third space' working environment, those third parties  could include business rivals.
 
A simple and readily available solution exists to instantly minimise these risks - the privacy filter. These filters provide the user with a clear view, but almost totally obscure the view from either side. The modern versions of these can easily be removed, even those on tablet devices, in the event that the user wants to collaborate and share a screen in certain situations.

It makes sense, therefore, that organisations consider giving every user of a laptop or tablet a filter where appropriate. Generally portable IT users underestimate the risk, overestimate their own ability to avoid the issue and ignore their legal obligation to protect sensitive data, and therefore resist this low-cost remedy.


What's the risk?
Improvements in technology are increasing the risk, in particular the growth of 'capturing' devices, such as smartphones. Reductions in weight, size, and an increase in memory capacity and image clarity make it easier for third parties to capture a permanent record. The latest generation of smartphones have between 8-12 megapixels, for example, and photo-making functions will only improve in future models.

All of the modern smartphone platforms have apps that  make it simple to perform post processing on camera images, such as de-skewing and optical character recognition. Wider viewing angles and improved resolutions on mobile device displays allow the image to be captured from further away and at more oblique angles.

People are increasingly getting used to using smartphones to store information as images. They are very likely to capture interesting material overseen on a nearby computer screen - duplicating the information without the user being any the wiser. This information can be sent to a rival, the media or posted on social media, bringing significant embarrassment
to an organisation.


Beyond vigilance
Although educating portable IT users about the risks is important, this should not be considered a replacement to a privacy filter. The ubiquity of wi-fi in every airport lounge, hotel foyer and restaurant, as well as many trains, means that workers who connect to the office network wirelessly should get used to switching that wireless connection off when they leave the premises.

Once documents are open on an unprotected screen, any confidential or sensitive documents cannot be regarded as private. The temptation to work on such material mounts in the face of work pressures: tight deadlines, sales opportunities, or emergencies. Often it is precisely those pieces of work that are the most confidential.

Although it is possible to position a laptop to make it hard or next to impossible to be overlooked, it is still very difficult to really cover all angles. Make no mistake, 'shoulder surfing' is very commonplace behaviour. Polling conducted by Comres showed that 71 per cent of UK professionals admitted to having read what another person was working on over their shoulder. Similarly, in France, 46 per cent of people polled indicated that they had previously been concerned that confidential information they had worked on might have been overseen - too late, of course, if that information had already been stolen.


Legal framework
The use of a privacy screen is not specifically mandated by the EU Data Protection Directive,, but the onus is on the company and the user to protect data against 'known and foreseeable threats.'

According to the text of the directive, "such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected." (Article 17(1)).

The UK implementation of the directive, the Data Protection Act, includes eight principles, one of which is: "[7] Appropriate technical and organisational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."


Conclusion
Today, shoulder surfers pose a significant threat, to workers both within an open office environment or accessing work data in a public place. The pace of technological change and users' awareness of what their devices are capable of means any work data brough up on screens is vulnerable. Personal vigilance alone is never enough; images can be captured silently, quickly and from quite some distance. Back in the 1990s,  inexpensive privacy filters were a staple on PC screens. For today's new technology they remain an effective tool to ensure that on-screen data doesn't fall into into someone else's hands.

Wendy Goucher, senior information security consultant, Idrach Limited