Locking up agency information

If the CIA had owned PageVault software, the John Deutch scandal never would have happened, contends PageVault developer Authentica Inc. And if its WebVault product were available for the Energy Department to use, Wen Ho Lee might be just another scientist.

The Deutch and Lee cases are the most recent high-profile examples of government employees violating information security policies. Deutch, the former CIA director, kept classified information on a nonsecure computer at home, and Lee, the DOE scientist, transferred secrets to storage tapes.

Both lapses could have been blocked, or at least minimized, if information owners, including the CIA and DOE, had a way to control information even after users had transferred it off agency-owned computers.

That may sound impossible, but Waltham, Mass.-based Authentica says it has developed three software packages that do just that. The capability is called "dynamic post-delivery control," said Stevan Vigneaux, Authentica vice president of marketing.

"That means I can control whether you can print [information], copy and paste it, save on your disk drive or forward it," he said.

No matter who obtains a copy of information or where it goes — even out on the Internet — the owner retains control, Vigneaux said.

PageVault, WebVault and their sister application, MailVault, work by encrypting information and requiring the user to get the decryption key from the owner each time he wants to use it. In addition to holding the access key, the information owner can control varying degrees of use, from read-only to permitting copying, forwarding or altering information.

Vigneaux called it "persistent control. I will know every time you look at each page for as long as I choose to," he said.

A House of Representatives committee — Vigneaux wouldn't say which one — uses PageVault to let members see sensitive material while ensuring that it cannot be distributed to anyone not authorized to see it. Committee members can read information protected by PageVault but cannot copy, print or forward it. And the software packages keep a comprehensive audit trail of who reads which documents and when, Vigneaux said.
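Stripped to its mechanics, the scheme described in the two paragraphs above (key fetched from the owner on every use, rights checked, every access logged) is a key-escrow model: the recipient holds only ciphertext, and each open is a key request that the owner's server grants or refuses against a rights policy and records. The following Python is an added illustration written for this page, not Authentica code. The class and function names, the toy HMAC-SHA256 counter-mode keystream standing in for the product's undisclosed cipher, and the sample memo and user are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-based keystream (HMAC-SHA256 in counter mode). Stands in for the
    product's undisclosed cipher; a real deployment would use AES-GCM or similar."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Protected:
    """What the recipient actually receives and may copy anywhere: ciphertext only."""
    doc_id: str
    nonce: bytes
    ciphertext: bytes


class KeyServer:
    """Owner-side service (hypothetical). The key leaves it only per approved request."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._policy: dict[str, dict[str, set[str]]] = {}
        self.audit: list[tuple[str, str, str, str]] = []  # (doc, user, right, outcome)

    def protect(self, doc_id: str, plaintext: bytes, policy: dict[str, set[str]]) -> Protected:
        key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        self._keys[doc_id] = key
        self._policy[doc_id] = {user: set(rights) for user, rights in policy.items()}
        return Protected(doc_id, nonce, _xor(plaintext, _keystream(key, nonce, len(plaintext))))

    def request_key(self, doc_id: str, user: str, right: str) -> bytes:
        """Called by the viewer on every open; every call is audited, granted or not."""
        allowed = right in self._policy.get(doc_id, {}).get(user, set())
        self.audit.append((doc_id, user, right, "granted" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{user} may not {right} {doc_id}")
        return self._keys[doc_id]

    def revoke(self, doc_id: str, user: str) -> None:
        """Post-delivery revocation: copies already in the user's hands stop opening."""
        self._policy.get(doc_id, {}).pop(user, None)
        self.audit.append((doc_id, user, "*", "revoked"))


def open_document(server: KeyServer, blob: Protected, user: str, right: str = "read") -> bytes:
    """Viewer side: fetch the key for this one use, then decrypt. No key, no document."""
    key = server.request_key(blob.doc_id, user, right)
    return _xor(blob.ciphertext, _keystream(key, blob.nonce, len(blob.ciphertext)))


def demo() -> dict:
    """Walk through an allowed read, a denied print, revocation, and the audit trail."""
    server = KeyServer()
    # Constructed sample memo and user; the member is granted read only.
    blob = server.protect("memo-1", b"Committee eyes only", {"member": {"read"}})
    results = {"read": open_document(server, blob, "member", "read")}
    try:
        open_document(server, blob, "member", "print")
        results["print"] = "allowed"
    except PermissionError:
        results["print"] = "denied"
    server.revoke("memo-1", "member")
    try:
        open_document(server, blob, "member", "read")  # same ciphertext, now useless
        results["read_after_revoke"] = "allowed"
    except PermissionError:
        results["read_after_revoke"] = "denied"
    results["audit"] = list(server.audit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The four audit entries show why revocation works on a copy the user already holds: the ciphertext on the home machine is worthless once the server stops answering. The limit a practitioner should keep in mind is that the server can only refuse keys it has not yet released; anything already decrypted and displayed is at the mercy of the viewer software and the user (screen capture, memory dumps, photographs of the screen), and the per-open key request makes the document unreadable offline by design.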

The three Vault products go beyond the simple encryption and public-key infrastructure that many federal agencies are considering to help solve privacy problems that stand in the way of electronic government.

While encryption and PKI may keep information from being accessed by unauthorized users, once the information has been accessed, the provider loses all control over it. Under those methods, an authorized user such as Lee can obtain information and then use it for unauthorized purposes.

With the Authentica software, DOE could have let Lee view the information but not allowed him to copy it to a tape or forward it. And once Deutch stepped down as head spy, the CIA could have revoked his access to his decryption key, thus denying him access to the secret information in his home computer.

More mundane uses are legion. With assured privacy, government agencies and companies can use World Wide Web sites to distribute important but sensitive information to their employees.

And for the first time, information can be made available on a rental basis, Vigneaux said. It is possible for information owners to make it available over the Internet on a pay-per-view basis.

PageVault has been available since last year. WebVault will begin shipping this week, while MailVault is expected to begin shipping in May. Prices range from $40 to $200 per user, depending on the number of licenses. More information is available on the Authentica Web site.