Microsoft Private Folder and your local IT person


Recently, Microsoft released a utility called Microsoft Private Folder 1.0, which allows (actually, allowed) Windows users to encrypt and password-protect a folder to keep its contents away from prying eyes, much the same way Mac users have been able to store data via encrypted disk images for some time now. According to this article from CNET News, Microsoft has withdrawn this utility because of the complaints of IT managers and staff. Those persons responsible for the smooth operation of the network and the integrity of data contained on machines connected to it were worried about the possibility of lost data in a private folder for which the user has forgotten the password, or the storage of malicious or otherwise inappropriate data in a format where the IT people responsible cannot access it and therefore cannot prevent it from harming the network and connected devices. I would also imagine that, in many circumstances, such encryption of company or personal data on a company machine violates the network and computer usage policies that employees agree to when they are hired.

Some users have accused IT personnel of asking Microsoft to retract Private Folder because, in so many words, it reduces the IT person’s ability to “spy” on users. As an IT person, I can assure you this is not the case. When important data disappears into a private folder, and the password is forgotten by the user, that user will expect the IT person to know how to recover it, which the IT person cannot do. Then management will ask why important data was lost in such a way, and why that application was allowed to be used to begin with, and, because of the manager’s lack of understanding about how encryption works, why the IT person can’t recover it. The user may, in some circumstances, take some of the blame, but experience tells me that IT people will take the brunt of it because it’s considered their responsibility to control the network and the devices connected to it. The buck stops at your IT person’s desk.

That being said, there seem to be a couple of options for making Private Folder acceptable to users, IT personnel, and management:

  1. Add the ability for IT personnel to set a flag in Active Directory that disallows the use of Private Folder. This ensures that everyone is treated equally, and that Private Folder cannot be the cause of data loss.
  2. If Private Folder is allowed by AD, enable the admin to set a master password for all Private Folders created by AD clients, as Mac OS X does for encrypted home folders. That way, when a user forgets the password, data can be recovered using the admin password, and re-encrypted in another folder, should the user choose to do so.
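
The master-password idea in option 2 comes down to wrapping one random folder key under two passwords, so either one can unlock the data. The sketch below is an added example, not Private Folder's or Mac OS X's actual design; the function names, the two-slot header layout and the PBKDF2/HMAC key wrapping are assumptions chosen so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed work factor for this sketch

def _derive(password, salt):
    """Stretch a password into a 32-byte masking pad and a 32-byte MAC key."""
    out = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return out[:32], out[32:]

def wrap_key(folder_key, password):
    """Build one key slot: the folder key masked by the pad, plus an integrity tag.
    A fresh salt per slot means the pad is never reused. (Assumed construction;
    a real product would use a standard key-wrap or AEAD mode.)"""
    salt = secrets.token_bytes(16)
    pad, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(folder_key, pad))
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_key(slot, password):
    """Recover the folder key from a slot, rejecting a wrong password."""
    pad, mac_key = _derive(password, slot["salt"])
    expected = hmac.new(mac_key, slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        raise ValueError("wrong password for this key slot")
    return bytes(a ^ b for a, b in zip(slot["wrapped"], pad))

def create_folder(user_password, admin_password):
    """Generate the folder key and store it in a user slot and an admin slot.
    The folder key is what would encrypt the files themselves."""
    folder_key = secrets.token_bytes(32)
    header = {
        "user": wrap_key(folder_key, user_password),
        "admin": wrap_key(folder_key, admin_password),
    }
    return header, folder_key

def admin_reset(header, admin_password, new_user_password):
    """Forgotten-password recovery: open the admin slot, then rewrite the
    user slot under a new password. The encrypted files are untouched."""
    folder_key = unwrap_key(header["admin"], admin_password)
    header["user"] = wrap_key(folder_key, new_user_password)
    return header
```

In this layout a password reset only rewrites the user slot; the flip side is that the one master password opens every folder, so it has to be stored and audited like any other domain-wide secret.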

These two ideas would work for Private Folder, but the fact is that other freeware applications with similar functionality exist, and have existed for some time, so there is no true safeguard against encrypted data loss. The issue was brought to the forefront in the past several days, however, because Microsoft released such a utility, and that means users are more likely to try it.
