ITPRO

Printed from www.itpro.co.uk


    Q&A: Jon Callas of PGP

In the wake of the HM Revenue and Customs data loss debacle, IT PRO sat down with security expert Jon Callas, chief technology officer of security vendor PGP, to discuss some of the issues, along with potential solutions to stop this happening again.

By Mary Branscombe, 3 Dec 2007 at 10:38

PGP is synonymous with encryption and secure file transfer, and as chief technology officer, Jon Callas is at the forefront of the company's technology development. Late last week we sat down with Jon Callas and asked him for his opinions on the severity of the security breach at HM Revenue and Customs (HMRC) and whether the underlying problem is technical or political.

Is the HMRC data loss a symptom of a cavalier attitude to data security in government?

Yes, but. Among those buts: there is a cavalier attitude towards data security in industry, too. Government isn't alone. This loss occurred because someone was trying to be helpful, as opposed to a stereotypical bureaucrat, and frugal. Lastly, they were upfront and told everyone. I'm sure someone could have come up with a justification for why they didn't have to disclose it. As awful as this is, let us not forget that this was an accident, and the government owned up to it.

And excuse me - why are we blaming the bureaucrat and not the courier company? They're the ones who lost it. Why are we not being outraged about the courier system being so incompetent? On our list of who we can "blame" there's whoever negotiated the contract to save a bit of money without tracking. Everything I buy from Amazon gets shipped with tracking; large-scale mass consumer goods shipping all comes with tracking on it, because the customers want to know.

Should people worry more about the data that might have been exposed this time, about the system that might have exposed them whether it did or not, or about other systems that routinely expose data?

I would worry more about the exposures we don't know about. Around the world there are documented cases of government workers selling driver's license data, as well as rogue employees in credit card companies and merchants selling personal information. It is most likely that those discs are in the wheel well of a truck, or the plastic shards are in a landfill. They could be in the hands of bad people, and I hope they are not.

However, there are many known data thefts, and this is not one. Last year, one of my previous employers lost a CD with financial records of all current and past employees. The consultant who had it left it in the seat jacket pocket of an airline. The week after that, another previous employer lost all pension records of all employees. I empathize with everyone this happened to.

What about the issue of transferring that much data in the first place?

It sounds like we have some real structural issues that include a completely incompetent courier service. It is very likely that there was a real business need to move this data around - they were not doing it just because. Nevertheless, why this much data? There is the whole issue with outsourced IT where it would be horribly expensive to sanitize this data and that's a huge problem - if the data had been sanitized, what was lost would not have been an issue. If they only needed demographic data they got too much - so why was it difficult to get what was needed? Why was it easier to give them the entire database than the extract?

And does it matter that it was going by CD rather than over a network?
