PDA Security and Church Data

[russellhltn]

by populating its database from MLS exports, make sure the CSV files are deleted from the SD card after they are imported by the app. That way you will be in compliance with church policy by keeping the MLS data password-protected (assuming you have activated the general login security on the phone).

How would you not be in compliance if you just left the CSV on the phone?

[RossEvans]

How would you not be in compliance if you just left the CSV on the phone?

Because the policy letter from the Presiding Bishopric says the data should be password-protected:

Church information downloaded to personal digital assistants (PDAs) for authorized use by priesthood leaders should also be password protected.

(I am interpreting "PDA" to include smartphones.)

The removable SD card storage on an Android is wide open, just like any basic flash drive. A lost or stolen phone, or the SD card itself, could be plugged into any computer and read. But if apps use internal storage for their persistent data store, as I believe Ward Roster does after importing the data, it is behind the barrier of the login to the phone itself.

[russellhltn]

The removable SD card storage on an Android is wide open, just like any basic flash drive. A lost or stolen phone, or the SD card itself, could be plugged into any computer and read. But if apps use internal storage for their persistent data store, as I believe Ward Roster does after importing the data, it is behind the barrier of the login to the phone itself.

Is it a PDA or is it a thumb drive? Since your consern is based on the thumb drive function, can you show any such policy for thumb drives?

It's a good precaution, but I'm not so sure as it's policy.

[aebrown]

Is it a PDA or is it a thumb drive? Since your consern is based on the thumb drive function, can you show any such policy for thumb drives?

It's a good precaution, but I'm not so sure as it's policy.

How about point #13 of the STS responsibilities from Policies and Guidelines for Computers Used by Clerks for Church Record Keeping:

Ensure that priesthood leaders who are authorized to export membership data to PDAs use passwords to protect that data in case the PDA is lost or stolen.

Surely a smart phone is in the same category as a PDA. If unsecured data is sitting on an SD card in a smart phone that is stolen, then that data can be accessed easily by simply removing the SD card and examining it on a computer with an SD card reader. The way I read it, it most certainly is policy to protect that data.

Of course, we don't want to get into policy debates, but I think it's helpful to read the relevant policy statements so that we can make informed decisions about the security precautions we need to take.

[russellhltn]

Hmmm. The policy doesn't seem to cover thumb drives at all. Since not everyone exports the data for PDAs, that raises some questions. Mostly the part about transporting the data on a flash drive.

[RossEvans]

Hmmm. The policy doesn't seem to cover thumb drives at all. Since not everyone exports the data for PDAs, that raises some questions. Mostly the part about transporting the data on a flash drive.

The policy also does not enumerate coverage of exported data on floppies, CDs or other removable media, or on personal computers for that matter. So a pharisee could argue either that users have been violating the policy for years, or that there is no policy at all covering these devices so anything goes. Neither view makes sense, in my view.

One can split hairs by overly literal interpretation of policy and say that a smartphone is not a PDA, but I think that creates an unreasonable loophole in the policy. I think the intent of the policy pretty clearly would treat all such handheld devices the same. Fewer and fewer people carry devices called "PDAs", which are rapidly being supplanted by a newer category of "smartphone" devices and other small computers.

You are right that there seems to be a glaring omission in MLS policy and practice with respect to flash drives, and other removable media. We discussed that in this thread.

My own opinion is that the policy should be interpreted to extend to smartphones, and to their attached memory. And policy or no policy, it is bad practice to carry this data around without some form of authenticated protection.

If one is looking to split hairs, one could also argue that the default authentication method for apps on an Android is not "password protected" at all, because the method relies on visual/graphical input rather than character input. (The policy doesn't cover retinal scans or other biometric authentication, for that matter.) But I think it also is not a reasonable interpretation of the policymakers' intent to say these methods violate policy.

[aebrown]

Hmmm. The policy doesn't seem to cover thumb drives at all. Since not everyone exports the data for PDAs, that raises some questions. Mostly the part about transporting the data on a flash drive.

Flash drives are not the subject of this thread. But using an SD card to transfer data to a smart phone is relevant.

But whether you are transporting data on an SD card to a smart phone, or on a flash drive to a personal computer, the policy does indeed cover keeping that data secure. See point #6 of the STS responsibilities from Policies and Guidelines for Computers Used by Clerks for Church Record Keeping:

Ensure that computers, software, and confidential Church information are kept secure.

Walking around with a flash drive or SD card that contains confidential Church information that is not password protected doesn't seem to meet that part of the policy. It's far too easy to lose those tiny items that can be packed with sensitive data.

[russellhltn]

But whether you are transporting data on an SD card to a smart phone, or on a flash drive to a personal computer, the policy does indeed cover keeping that data secure. See point #6 of the STS responsibilities from Policies and Guidelines for Computers Used by Clerks for Church Record Keeping:

Yes, but it seems to be wide open to local/personal interpretation of what is secure. Someone may interpret constant physical possession as being adequately secure. I don't find your interpretation with respect to removable media to be unreasonable, but OTOH, I don't think we can say that it is church policy.

The reason I jumped into this line was not because it was a bad idea, but because it was claimed be required "to conform with policy."

I will make an observation about the difference between a PDA and a Flash/Thumb/SD card: With a unsecured PDA, ti's possible to see the data with just casual handling. With a flash/thumb/SD card it would typically requires a more permanent loss or even theft. And then it would have to be connected to a computer before any sensitive data is viewed.

But, no matter where we draw the line, someone will want to draw it higher. Because of that, I'm not sure as it's a subject I'd want to continue other then to allow everyone to come to their own informed conclusion.

[RossEvans]

Yes, but it seems to be wide open to local/personal interpretation of what is secure. Someone may interpret constant physical possession as being adequately secure. I don't find your interpretation with respect to removable media to be unreasonable, but OTOH, I don't think we can say that it is church policy.

The reason I jumped into this line was not because it was a bad idea, but because it was claimed be required "to conform with policy."

I will make an observation about the difference between a PDA and a Flash/Thumb/SD card: With a unsecured PDA, ti's possible to see the data with just casual handling. With a flash/thumb/SD card it would typically requires a more permanent loss or even theft. And then it would have to be connected to a computer before any sensitive data is viewed.

The problem with that reasoning is that it utterly fails to grapple with the other policy requirement quoted above (to which you never responded):

How about point #13 of the STS responsibilities from Policies and Guidelines for Computers Used by Clerks for Church Record Keeping:

[quote]Ensure that priesthood leaders who are authorized to export membership data to PDAs use passwords to protect that data in case the PDA is lost or stolen.

[/quote]

So the policy does cover the case of protecting data stored on the device when it is permanently out of the authorized user's possession, not just against "casual handling" by an unauthorized person. And it is not sufficient for anyone to assume "constant physical possession," because the policy expressly covers the hypothetical case when such possession does not obtain.

As for your argument that the SD card is merely functioning as a flash drive and policy does not cover flash drives, that simply does not fit the facts of the Android case.

When an Android user is carrying around the phone, the SD card is not functioning as a USB flash drive. It is functioning as memory attached to the smartphone. The only way to make it function as a USB flash drive while inserted in the phone is to plug in the USB cable and manually configure the memory card for that mode through the user interface, but that cannot occur if the phone is locked by its password pattern.

But if the locked device is lost or stolen (again, see the policy quoted above) it is trivially easy to remove the SD card -- which by design is removable -- plug it into a $5 adapter and read it with a computer.

Of course, the immediate onus of that particular policy provision is not on the end user but on the STS, who somehow is supposed to "ensure" that the data on all end-users' devices is password-protected. I'm not an STS, which is a good thing because I've never understood how that responsibility can be feasibly carried out without proactive, good-faith compliance by the end users. I suppose a pharasitical priesthood leader with an Android could simply ignore the policy unless the STS brings it to his attention. But if I were an STS, I think it would be clear to me as a matter of fact that the Android's SD card is not protected if it is lost or stolen.

[russellhltn]

After giving this some thought and doing some research, I have to concede the issue. While I don't think the authors had considered removable media when requiring password protection in 2005, it does seem a reasonable extension given the expressed concern.

It justs irks me that the same file, on the same media, stored in the same pants pocket is somehow has a policy just because it's inserted into a PDA/Smart phone. The removable media oversight seems to be large since it had to be involved from the first use of PDAs. (Unless you want to go into the "personally licensed software" on a church computer zone.)

However, in conceding that, I'd have to point out that this now extends to any data files used internally by the applications. Since it's not possible to password protect the file itself, the data would have to be stored in the phone's internal memory (assuming that it's not easy to get to) or encrypted/obscured in some fashion. Fortunately it appears that Ward Roster does save the data in internal memory, for I can't find it on the card.

Of course, the immediate onus of that particular policy provision is not on the end user but on the STS, who somehow is supposed to "ensure" that the data on all end-users' devices is password-protected.

And that's a sizable issue as well. While I'm glad the church put the policy in a place that the STS would know about it, the STS doesn't really have the authority to "insure" something is done on each data import. Had it said something along the lines of "Teach" or "Remind the unit leader to instruct", I think it would have been a better match for the STS's actual authority.

Even then, I would still prefer for the policy to be stated in a more authoritative area (like the CHI) with the reference given to the STS. That way the STS is simply reminding the leaders of their responsibly rather then pulling out policy from a publication that some might consider "not applicable" to them.