Nevada Businesses Must Start Encrypting E-Mail By Oct. 1st
dtothes writes "Baseline is reporting the state of Nevada has a statute about to go in effect on October 1, 2008 that will force businesses to encrypt all personally identifiable information transmitted over the Internet. They speak with a Nevada legal expert who says the problem is that the statute is written so broadly that the law could potentially open up a ton of unintentional liability and allow for the interpretation of things like password-protected documents to be considered sufficiently encrypted. Quoting: 'Beyond the infrastructure impact, the statute itself looks like Swiss cheese. Bryce K. Earl, a Las Vegas-based attorney, ... has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil.'"
. . . which Nevada legislator's friend or relative just happens to sell some kind of compliant encryption solution.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
... a start!
If they are not clear on the definition of encryption, just ROT-13 your messages twice and specify that's the type of encryption you use. You then have to ROT-13 it twice again to decrypt.
Does Rot 13 count?
God spoke to me.
Am I just being too cynical, or will putting everything in a password-protected ZIP file and then sending that, together with the password, satisfy the rules?
"Little does he know, but there is no 'I' in 'Idiot'!"
If I am an ecommerce website, am I now expected to encrypt all http traffic destined for customers I know to be in Nevada?
So, start telling government agencies to start supporting SSL/TLS on their mail servers.
Also, SMIME or PGP? SMIME would be easier since mail clients do not tend to have built in support for PGP, especially Outlook.
... the encryption of my customer records at Nevada's brothels.
I just hope they do more than password protecting the word docs...
The technically illiterate are passing legislation on technology!
I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
Let's say you're a guy with a lawn mowing business and you have your web site (which you crudely built yourself) printed on the side of your truck.
Now, someone emails you with their name and address asking for a quote.
Good luck trying to figure out what this law (http://www.leg.state.nv.us/Nrs/NRS-597.html) means!
p.s. seems to me that the lawyer who wrote this article ought to know the difference between "affect" and "effect"...
"Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect."
Can I start a lawsuit to sue some company that does NOT do this, go to a jury by trial, but then do a terribly bad job of defending my position and set precedent that the defendant does not need to encrypt this stuff before a 'real' lawsuit comes about and sets precedent the other way?
http://Communityville.com - A free place for new and old neighborhood webmasters to hang out.
As of posting time, representatives of the state had not gotten back to me with comment.
It was later found that the reason for this delay was a system-wide shutdown & widespread panic as they couldn't figure out how to encrypt or decrypt any of their correspondence properly.
He who knows best knows how little he knows. - Thomas Jefferson
ISTM we should phase out any unencrypted protocols going over the internet.
This particular law may have technical shortcomings - but if it takes close-but-not-quite right laws to raise awareness to the common person and politician that much internet traffic is unencrypted, I'm all for this law as a stalking horse to-be-improved-upon.
And just think if we eventually migrated to most internet traffic being encrypted. Much of the bittorrent-throttling / AT&T-spying / NSA snooping paranoia could be avoided.
So businesses merely need to refrain from putting social security numbers, drivers license numbers, and passwords in email and other insecure communication channels and they're good. They can even send the password, provided they don't send the account number along with it. This makes forgotten password recovery a bit harder, but it's not impossible to comply with.
It's not like we've had any keys lost lately.
Some days it's just not worth chewing through my restraints.
This comment is encrypted using Rot-13 twice!
If they can require people to encrypt their email, the next evil plan will be to force everybody to supply cryptographic certificates with each email. This will make it impossible to send anonymous email! No poison pen messages, no mailbox bombing, no sp...
Oh. Never mind.
From now on all emails sent by the company will include the XMAIL header To:
This header will mark the email as encrypted using ASCII character encoding encryption.
The authorized recipient specified in the To: header is permitted to decode the email.
Note that this email is covered under the DMCA and any unauthorized decryption is liable for criminal prosecution and civil damages.
This is about as complicated as the "don't record" flag being used in digital television.
An exchange of public keys has to take place first before data is encrypted? I don't know this is going to be enforced. The receiving party has to have your public key first. I bet all that happens out of this is a bunch of signed e-mails.
So based on this legislation, resetting a users password and sending them the new password via email is illegal?
This is an extremely insecure procedure, unless you make sure that, upon receiving the e-mail, the user will quickly log-in and change the pass to another one (the mailed password only used as a temporary pass). Or if the mail actually is a special reset-URL which could let the user choose his own.
An email is just as secure as a postcard. Everyone (for example the postman) could read it. Same for the e-mail: it transits unencrypted and could be intercepted at any point on the way to the receiver.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Aught to be enough for anybody.
Personally identifiable information should be encrypted.
Sincerely,
xz'Kxv!y{Ycut="xgq'^e;
...isn't primarily with the law, it's with the Nevada definition of "encryption". Writing definitions of such things for legislation is a more difficult problem than you might think. (I helped draft Virginia's definition of encryption, and what we ended up with ain't perfect.) But in this case, Nevada's definition just plain sucks.
One of the challenges of writing legislation is that you really can't refer to specific technologies, otherwise you end up having to update the law every time the technology is broken.
Also, if you rely on a punch list of approved technologies, you effectively block out alternatives. ("But your honor, I used Blowfish because it's more secure than Triple-DES." "Sorry, son, Blowfish isn't on the list I see here. Guilty!")
Unfortunately, this is a case of "Not a Bad Idea, Piss-poor Implementation". There's a lot for Nevada to fix here.
Consider - if a bank sent new ATM cards with the pin in the same envelope as the card, most consumers would go immediately berserk. The institution in question would rapidly see an erosion of their customer base, as well as being found liable for any losses incurred by people who had their mail intercepted by thieves.
That same bank can blithely send out e-mails with user account names, numbers and passwords all in one convenient, easy-to-sniff package and nobody gets upset. How often has anybody here clicked on "forgot my username/password" only to get a nice, convenient clickable link which allows unfettered access to private, smooth, creamy soft personal information? The solution isn't for the government to legislate the use of encryption; rather, it's a matter for market pressure. Let enough people become unhappy over the cavalier treatment their personal information garners from a corporation - they'll vote with their wallets, if they are once educated regarding the situation.
That last phrase is the hard part though, isn't it?
Use_Fred1234_For_Passwd_to_unzip.zip
Shop smart, Shop S-Mart.
I use rot26 because it's twice as powerful as rot13!
Although I am one of those who is appalled by the fact that Congress can get away with writing laws about nearly anything by waving their hands and yelling "commerce clause", it really seems that a law like this is just asking to get smacked down at the federal level.
Maybe the answer is some type of smart card authentication. SIM cards have this built into the protocol, and most smartphones have secure memory for RSA public/private keypairs to prevent all but a chip fab from getting access.
Why not have some type of challenge/response system against the keypair. If someone forgets their website password, they punch a random into their phone, and type the result for a reset.
Bad thing, this will move theft from anonymous hacking to either forcing people to give access by cellphone, or theft of cellphones.
A lesson from the history of technology law: A legislature is unwise to require a specific technology like "encryption." --Benjamin Wright http://hack-igations.blogspot.com/2008/02/encryption-legislation-goes-overboard.html
Benjamin Wright, Dallas, Texas, benjaminwright.us
I didn't know any state was even talking about this.
This legislation will force industry to develop and pay for it, regardless of whether the customers want it or not. Yes, we all want encryption on everything; but an overwhelming majority of computer users don't care enough to actually do anything, even though it would only take a bit of time and effort. Now, what happens when your bank send you your private encryption key and instructions? Most recipients will either delete or (at best) ignore the key. Later that month imagine their anger when their bank statement is encrypted and they have no idea how to decrypt it? Or do you really get the impression that the average American (Nevadan?) consumer is intelligent enough to implement, say, GPG? If so, do you think the average consumer is energetic enough to do so?
Leave this job up to market forces - the free-enterprise economy is infinitely more responsive to the needs and wants of the average consumer than is the Federal or even any of the State governments.
What makes a fax so secure? If eFax delivers a fax to my email box, what's to keep it from being intercepted and OCR'd?
When faxes were more or less point-to-point transmissions, they may have been more secure. But now...
Businesses that are registered through the state due to their sales tax breaks but are not physically located within the state? (Of course I didn't RTFA....)
The way the government's going, I wouldn't be surprised if the businesses have to use a particular package that gives the government backdoor access.
Hail Eris, full of mischief...
E pluribus sanguinem
but if you run a business and aren't tech savvy you don't.
I already deal with having to encrypt everything in my current job (electronic medical claims). Believe me, there is still a ton of money to be made, even if you don't sell the software to them.
Your government advocates a
(X) technical (X) legislative ( ) market-based ( ) vigilante
approach to fighting identity theft. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop identity theft for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from identity thieves
(X) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) identity thieves don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of identity theft
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
( ) Dishonesty on the part of identity thieves themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
(X) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about your legislature:
( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're stupid people for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
I am officially gone from
What they could do, is define lack of encryption as negligent, for liability purposes. Lawmakers do weird things like this all the time: for example if you possess more than x weight of drugs, then you have intent to distribute (regardless of whether or not there's actually any reason to believe you had such intent).
They could pass a law that if you lose info and didn't encrypt it, and then someone comes after you for damages resulting from such negligence, then your position is far weaker than it would be if you had encrypted. (I generally disapprove of those types of laws, but as long as we're keeping them around, then something like this might be a good idea.)
"Believe me!" -- Donald Trump
If this is the first step to encrypting EVERYTHING, then I think it's worth a few of the speed-bumps this will cause in the beginning.
---- Booth was a patriot ----
Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
Under this definition of "encryption", I could argue that by compressing the file it would "delay access" by making them wait for the time 7zip takes to unzip. So now zipped files are encrypted?
As usual, some lawmakers, who know next to nothing about technology, create a half-assed law to govern something they know nothing about. You would think that they would at least bring on an expert adviser to tell them what is realistic and what is not. Don't they understand that such a law will create millions upon millions of costs on their own local businesses, which will gain them next to nothing in security, and only hurt their competitiveness?
Encryption takes too much time and energy. It would be much easier for Nevada to just distribute an email template that has a picture of Kathy Lee Gifford at the top of the message. That would deter anyone one trying to read anyone's super-important-business-critical emails. Keep It Simple Stupid!
What method of password recovery do you suggest ?
1. Either, as I said, the password (or reset URL) should be considered as compromisable and thus only temporary and should be replaced as soon as possible.
2. Or, a secure channel should be used (crypted, as suggested by the - although badly worded - law)
3. A last possibility would be simply to try using a completely separate channel. As in, the user asks for a password reset by classical ways, but the replacement is sent by SMS. Not as secure as no. 2, but requires a little bit more effort to compromise.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
The hard part of this problem is getting MS Windows users to use email encryption. You're pretty much screwed if you use MS LookOut. Sometimes it works, sometimes it doesn't.
I would encrypt all my email if people that I'm sending to could read it. I would refuse any email that is not encrypted if I could get people to encrypt their email.
The above is not worth reading.
If you read the statute, it says that you ONLY need to encrypt the data if you have either 1) Their name AND either SSN or drivers license number or identification card number, or 2) Their name AND account number, credit card number or debit card number AND any required security code, access code or password that would permit access to the person's financial account. Seriously, how many single communications ever have all that in a single email?
...Igpay Atinlay!
Seriously...show me one governmental agency that does ANYTHING with technology well and I'll accept governmental agencies telling me what the rules are regarding said technology.
Seems there is no easy way to win this.
Like you said, if they defined encryption to the tee, then they'd have a problem next year when that definition is out of date or broken.
Seems to me that leaving it vague is better, since it lets people choose how they comply. We're always saying on here that government should keep their hands off things. Maybe this is a good thing?
Either way, this decision sounds like a step forward. It might be a very small step, and even slightly off the desired path, but at least we're moving forward.
-David
That's right. Punish innocent people for not understanding technology that *OTHER PEOPLE* are using.
With people like you, it's no wonder the US is in its current state.
In the UK, most large companies have long accepted that this is an implicit requirement of our Data Protection Act. In my area of work, you'd certainly be subject to disciplinary action if you failed to encrypt an email that contained personal data.
Perhaps it's time for the USA to catch up with the rest of the world.
It would be interesting to see whether the encryption used on DVDs, or similarly poor encryption, passes muster in Nevada. Might make for an amusing precedent.
linquendum tondere
It's okay - go back to your bananas and your blocks, leave everything up to those of us who can read. It's okay.
Don't for one minute believe that this idea is enforceable on a widespread basis.
Here in the UK we've got the Data Protection Act (which doesn't specify "encryption" but does specify "reasonable care" and the watchdog tasked with monitoring compliance describes using encryption as an example of "reasonable care") and yet there have been loads of instances where personal data has been compromised.
The purpose of a law like this is to give the judiciary something definite to charge someone with when the inevitable data losses take place. It might be difficult to prove carelessness if a laptop with just a Windows password is stolen because a lot of people aren't aware of how easily compromised that is. However, if suddenly your IT department can legitimately be asked to stand up and testify as to whether or not they provide any means for end-users to encrypt customer data then suddenly it's a lot easier to determine guilt.
If all our emails are encrypted how is the government going to snoop on everything we do?
if you are an ecommerce company or website you already have to comply with extremely strict PCI compliance rules, one of which specifically requires email encryption whenever any financial or personally identifiable information is sent in the email. Not hard to do, nor hard to enforce regardless of the system it's done on. Once again, we have news media scaring the shit out of people who then look to government to do something about an issue that government has no damn reason sticking their incompetent noses into when technology and plain common sense will eventually figure out the solution.....
I know some systems record the IP of the user who wanted to reset the password and only allows that IP to do so, and ensures the same session (cookies) is used also.
Technically it's akin to using several factors, so if one is compromised, the others will still remain (akin to sending part of the information in an SMS).
The problem: these additional data all transit exactly on the same medium as the e-mail. They aren't separate channels and thus don't really offer any additional protection: someone who has snooped on the mail will very likely know the target IP and be able to spoof it.
Nonetheless, in your situation this won't be a problem, because it's a reset email, done in order to let a user change the password. It's a temporary situation and although it could be snooped, the user is expected to create a new password anyway. The compromised information has little value for the hacker.
We were complaining - the parent post and I - about systems where the "Help, I lost my password !" sends the new password that the user is supposed to use from now on (or worse, send the previous password in plain text).
In that situation the compromised info isn't a temporary token that the user will use to reset the password, but it is an *actual* password. And I'm complaining that e-mail isn't a channel secure enough for this kind of transmission.
So not only would some hacker have to break into their email account or run a packet sniffer along the line of communication between the email servers but they would need to grab the cookie information and/or send the request from the user IP address.
The attack as I envision it doesn't require anyone compromising an e-mail account Palin-style.
But simply intercept the traffic. Wifi is pervasive. Few use sufficiently crypted transmission, and free access points use plain transmission. Apart from /.ers and other technically literate people, almost nobody uses a secure VPN when surfing from some free wifi, nor even knows where in Outlook Express to configure a secured connection to the mail server.
Outside the
Snooping emails is as simple as recording the unencrypted packet broadcast over the air.
Thankfully, with web2.0 clients working entirely over https, this trend is going to diminish.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
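Two threads above argue the same point from different angles: the numbered list of password-recovery options (option 1, a temporary reset URL that is treated as compromisable) and the later exchange about why a snooped reset mail matters less than a snooped permanent password. The following is an added example, not code from anyone in this discussion, showing what "temporary and compromisable" should mean in practice: the mail carries only a random single-use token with a short lifetime, the server stores only a hash of it, and the token is bound to one account. The site name, the 15-minute lifetime and the in-memory table standing in for a database are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy for this example: a reset link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60

# Constructed stand-in for a database table.
# Key: sha256 hex digest of the token; value: owner, expiry time, used flag.
_reset_tokens = {}


def _hash_token(token):
    # Only the hash is stored, so a copy of the table cannot be turned into live links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_reset_token(user_id, now=None):
    """Create a one-time, short-lived reset token for user_id and return it.

    The caller mails reset_link(token) to the user; no password ever goes in the mail.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe
    _reset_tokens[_hash_token(token)] = {
        "user_id": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def reset_link(token):
    # Hypothetical site; the link carries only the token, never a password or account number.
    return "https://example.invalid/reset?token=" + token


def redeem_reset_token(token, user_id, now=None):
    """Return True and burn the token if it is known, unexpired, unused and bound to user_id.

    A token that was sniffed in transit therefore works at most once, only for a
    short window, and only for the account it was issued for; after a successful
    redeem the user chooses a new password over HTTPS and the token is dead.
    """
    now = time.time() if now is None else now
    record = _reset_tokens.get(_hash_token(token))
    if record is None:
        return False
    if record["used"] or now > record["expires_at"]:
        return False
    # Constant-time comparison of the account binding.
    if not hmac.compare_digest(record["user_id"].encode(), user_id.encode()):
        return False
    record["used"] = True
    return True


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print("mail this link:", reset_link(t))
    print("first redeem :", redeem_reset_token(t, "alice"))   # True
    print("second redeem:", redeem_reset_token(t, "alice"))   # False, single use
```

The hashing step is what separates this from the "send the new password by mail" pattern the thread complains about: even if the token is intercepted, it is not a credential, it expires on its own, and the server can revoke it by deleting one row. The `now` parameter exists so that expiry can be exercised without waiting.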
I can't get my own company to do that internally
Which means FINALLY we will get people educated on encryption. See the problem is that people are too lazy to do it. The slashdot crowd's position has been that encryption should be used. What do we see but all kinds of excuses from them about how hard it will be or how much money it will cost.
I'm glad this law was passed. Maybe now we will have easy to use encryption programs. The problem we've had is that the software was available, but was mostly used by enthusiasts. Now that all the communications need to be encrypted we should finally start seeing stuff like the lock icon on email icons, an "encryption bit" in the IP header and people maintaining a digital signature.
They ARE out to get you simply because They are in it for themselves and they don't care about you.
But the best encryption is free
Do the popular gratis webmail services and the preinstalled e-mail clients on name-brand PCs support GnuPG or compatible crypto?
... key management is hard.
No point encrypting using AES256 using a password written on a post-it note stuck to the CD.
No point using "pa55word" either.
Not for the first time in the last 13 months I wonder why I decided to incorporate my business in Nevada.
Talk about the epitome of a law designed to make it harder for small businesses to survive. Do the idiots that passed this law realize that 99 percent of businesses in the United States are small business with 20 employees or less? Small businesses who live on the knife edge of financial survival and who don't have the financial luxury of IT departments with nothing better to do with their time than network with $250/hour legal counselors to help them wade through the technical and legal questions of ensuring this kind of security.
And how many of that 99 percent are too damn busy doing 1001 other things that they aren't going to know how to set up an RSS feed to get the latest from Slashdot and similar places.
Much less keep up with the 100,000 or so pages of federal, state, regulations put into play every frigging year.
I incorporated in Nevada in part because I thought Nevada was slightly less insane than other states in this regard.
Silly me. The only thing I was right about was the "slightly."
Listen. Think. Repeat.
Rants of this author can also be ignored at www.listenthinkrepeat.com/wordpress.