Not always encrypted, but IRS PCs do phone home

The U.S. IRS may not be doing a very good job of encrypting data on its laptops, but it does have a way to recover its lost equipment.

In fact, thieves looking to steal from the U.S. Department of the Treasury may find themselves behind bars, thanks to tracking software used by the IRS to contact investigators whenever a laptop is stolen.

Nearly 500 IRS laptops went missing in a three year period between 2003 and 2006, according to the agency that oversees the IRS, called TIGTA (Treasury Inspector General for Tax Administration).

TIGTA recently published a memo illustrating how the agency could do a better job at protecting taxpayers’ data. For example, TIGTA found that nearly half of the 100 IRS laptop computers that it tested had unencrypted sensitive data relating to both IRS employees and taxpayers.

The report’s conclusion? Well, TIGTA left little room for guesswork there, entitling its memo: “The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers.”

However, in an earlier TIGTA report presented to Congress late last year, the oversight agency listed a few of the high-tech tricks the IRS uses for security.

The agency has combined video technology with specialized software to keep track of some PCs, the report says.

The IRS uses video-over-Internet technology to remotely operate surveillance cameras on its premises, and it also has special software that lets IRS PCs notify government agencies if the computer goes missing. The software can also provide investigators with the machine’s IP address once it pops back up on the Internet. With the IP address in hand, Treasury Department investigators have been able to identify criminal suspects and recover stolen equipment, the report states.

Although PC thefts have been making front page news for more than a year now, observers say these type of laptop recovery systems are just starting to get the government’s attention. “I think this is below a lot of people’s radar,” said Richard Smith, an Internet security consultant with Boston Software Forensics.

One company that sells this type of PC recovery service, Vancouver’s Absolute Software, says that it has been stepping up dialogue with the U.S federal government over the past year and a half.

To date, the company counts NASA and the U.S. General Services Administration among its customers.

Absolute’s software, which is installed in the firmware and the PC’s hard drive, is extremely difficult to remove. It can not only report the location of a stolen computer, but it can also be used to wipe data from a machine after it’s been stolen, said John Livingston, the company’s chairman and CEO.

Absolute is one of about a half-dozen companies, including CyberAngel Security Solutions and Brigadoon Software, that sell this type of PC recovery product. And while Livingston admits that the market for these services is “still in the early part of the adoption curve,” he says that Absolute has now signed up about 1 million subscribers. “We’ve gotten thousands of stolen computers back. We do it every day,” he said.