Slashdot Mirror


Nevada Businesses Must Start Encrypting E-Mail By Oct. 1st

dtothes writes "Baseline is reporting the state of Nevada has a statute about to go in effect on October 1, 2008 that will force businesses to encrypt all personally identifiable information transmitted over the Internet. They speak with a Nevada legal expert who says the problem is that the statute is written so broadly that the law could potentially open up a ton of unintentional liability and allow for the interpretation of things like password-protected documents to be considered sufficiently encrypted. Quoting: 'Beyond the infrastructure impact, the statute itself looks like Swiss cheese. Bryce K. Earl, a Las Vegas-based attorney, ... has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil.'"


  1. I wonder . . . by base3 · · Score: 4, Interesting

    . . . which Nevada legislator's friend or relative just happens to sell some kind of compliant encryption solution.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    1. Re:I wonder . . . by neuromancer23 · · Score: 2, Insightful

      Forget selling software. The real money comes from selective prosecution of offenders.

      This law is absurd, and only goes to demonstrate how insane everyone on this planet is. An email address is potentially personally identifiable information. So is an IP address. So is a password.

      So based on this legislation, resetting a user's password and sending them the new password via email is illegal?

    2. Re:I wonder . . . by clone53421 · · Score: 4, Funny

      You could always put the password into a text file, zip it, and password-protect the zip with their old password before you e-mailed it to them.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    3. Re:I wonder . . . by Ferzerp · · Score: 4, Informative

      RTFL. There is "personal information"

            NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

                  1. Social security number.

                  2. Driver's license number or identification card number.

                  3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.

            The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.

                  (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)

    4. Re:I wonder . . . by Cajun+Hell · · Score: 4, Interesting

      But the best encryption is free and the text of the law doesn't even exclude it. If someone wanted this bill to make money for their friend, they sure screwed up.

      --
      "Believe me!" -- Donald Trump
    5. Re:I wonder . . . by morgan_greywolf · · Score: 4, Funny

      You could always put the password into a text file, zip it, and password-protect the zip with their old password before you e-mailed it to them.

      Duh. Obviously that wouldn't work, since they don't know their old password. You'd have to password protect the password with their new password!

    6. Re:I wonder . . . by Anonymous Coward · · Score: 2, Informative

      That's just "Personal Information". "Personal identifying information" is defined as follows:

      NRS 205.4617 "Personal identifying information" defined.

                  1. Except as otherwise provided in subsection 2, "personal identifying information" means any information designed, commonly used or capable of being used, alone or in conjunction with any other information, to identify a living or deceased person or to identify the actions taken, communications made or received by, or other activities or transactions of a living or deceased person, including, without limitation:

                  (a) The current or former name, driver's license number, identification card number, social security number, checking account number, savings account number, credit card number, debit card number, financial services account number, date of birth, place of employment and maiden name of the mother of a person.

                  (b) The unique biometric data of a person, including, without limitation, the fingerprints, facial scan identifiers, voiceprint, retina image and iris image of a person.

                  (c) The electronic signature, unique electronic identification number, address or routing code, telecommunication identifying information or access device of a person.

                  (d) The personal identification number or password of a person.

                  (e) The alien registration number, government passport number, employer identification number, taxpayer identification number, Medicaid account number, food stamp account number, medical identification number or health insurance identification number of a person.

                  (f) The number of any professional, occupational, recreational or governmental license, certificate, permit or membership of a person.

                  (g) The number, code or other identifying information of a person who receives medical treatment as part of a confidential clinical trial or study, who participates in a confidential clinical trial or study involving the use of prescription drugs or who participates in any other confidential medical, psychological or behavioral experiment, study or trial.

                  (h) The utility account number of a person.

                  2. To the extent that any information listed in subsection 1 is designed, commonly used or capable of being used, alone or in conjunction with any other information, to identify an artificial person, "personal identifying information" includes information pertaining to an artificial person.

                  (Added to NRS by 2003, 1355; A 2005, 2498; 2007, 2169)

  2. Just ROT-13 twice by Anonymous Coward · · Score: 5, Funny

    If they are not clear on the definition of encryption, just ROT-13 your messages twice and specify that's the type of encryption you use. You then have to ROT-13 it twice again to decrypt.

    1. Re:Just ROT-13 twice by Anonymous+Psychopath · · Score: 4, Informative

      For the humor-impaired, performing ROT-13 twice results in the same text as the original unencrypted message. Performing ROT-13 twice again to "decrypt" would once again result in the same text as the original, unencrypted message. It's just a joke, relax.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    2. Re:Just ROT-13 twice by gparent · · Score: 3, Funny

      Your username is very fitting.

    3. Re:Just ROT-13 twice by Beryllium+Sphere(tm) · · Score: 4, Funny

      This is irresponsible advice. There are known-plaintext attacks on reduced-round variants of ROT13. Always use the full 16 rounds to be sure you're actually getting the security that double ROT-13 promises.

  3. How about http web traffic? by cryfreedomlove · · Score: 3, Interesting

    If I am an ecommerce website, am I now expected to encrypt all http traffic destined for customers I know to be in Nevada?

    1. Re:How about http web traffic? by fm6 · · Score: 3, Insightful

      If you're an ecommerce website, and you don't already use https for sensitive data (like credit card info), you are just begging to be ripped off. Or hadn't you noticed that little padlock icon that appears whenever you buy something online?

    2. Re:How about http web traffic? by SoCalChris · · Score: 3, Interesting

      But from the sounds of this law, simply having a small "Hello fm6" message at the top of the page would require the entire page to be encrypted, not just the login/out and payment screens.

    3. Re:How about http web traffic? by rtfa-troll · · Score: 4, Informative

      Yes and no. The law says that you have to encrypt when you send personal data. The definition of encryption is pretty broad but the definition of personal data is very narrow so you could have a web site which is unencrypted except for the part where the customers identified themselves.

      Overall, I don't see the problem with this. That they allow weak encryption is a red herring. Strong encryption will also comply with the ruling and so most people will use that. Weak encryption is often better than nothing. There are loopholes, but those can be closed later. This looks like a good start.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    4. Re:How about http web traffic? by Anonymous Coward · · Score: 3, Informative

      No. As others here have noted:

      NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: 1. Social security number. 2. Driver's license number or identification card number. 3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account. The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public. (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)

      Thus, simply having the username or first + last name on a page is insufficient to require encryption - if however, you are presenting the user with a credit card number or any of the above, then that page must be encrypted, which makes sense. This actually is a good piece of legislation if they defined what constitutes encryption - I don't know, and I don't feel like looking through the legalese.

    5. Re:How about http web traffic? by SleptThroughClass · · Score: 2, Funny

      That they allow weak encryption is a red herring.

      Actually it's a red herring with a bicycle.

  4. I approve... by elzbal · · Score: 4, Funny

    ... the encryption of my customer records at Nevada's brothels.

    I just hope they do more than password protecting the word docs...

  5. Say it ain't so! by Phizzle · · Score: 2, Insightful

    The technically illiterate are passing legislation on technology!

    --
    I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
    1. Re:Say it ain't so! by darguskelen · · Score: 2, Insightful

      Sarcasm noted.
      Are they aware just how much money this is going to cost businesses in training?
      Not to mention they will have to have every company (and possibly every employee of every company) submit and maintain a proper public key in a public database, no matter how technically savvy they are. I can't get my own company to do that internally...

  6. Re:Force Encryption eh by Mhtsos · · Score: 2, Funny

    It's too weak. You can use it, but you must encrypt everything twice just to be safe.

  7. And if you don't have an IT department? by Morris+Thorpe · · Score: 3, Insightful

    Let's say you're a guy with a lawn mowing business and you have your web site (which you crudely built yourself) printed on the side of your truck.
    Now, someone emails you with their name and address asking for a quote.

    Good luck trying to figure out what this law (http://www.leg.state.nv.us/Nrs/NRS-597.html) means!

    p.s. seems to me that the lawyer who wrote this article ought to know the difference between "affect" and "effect"...
    "Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect."

    1. Re:And if you don't have an IT department? by clone53421 · · Score: 3, Funny

      p.s. seems to me that the lawyer who wrote this article ought to know the difference between "affect" and "effect"...
      "Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect."

      Obviously they're being very optimistic about the economic impact...

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    2. Re:And if you don't have an IT department? by Cajun+Hell · · Score: 3, Funny

      It looks like you're going to have to stop including people's Social Security Numbers in your lawnmowing quotes.

      --
      "Believe me!" -- Donald Trump
    3. Re:And if you don't have an IT department? by Rob+the+Bold · · Score: 2, Informative

      Good luck trying to figure out what this law (http://www.leg.state.nv.us/Nrs/NRS-597.html) means!

      For that matter -- if you're in a business like lawnmowing that only uses its "web presence" as a virtual billboard or PO Box -- good luck knowing this law even exists!

      --
      I am not a crackpot.
    4. Re:And if you don't have an IT department? by carambola5 · · Score: 2, Funny

      Obviously, you either have never been to Nevada or have very poor business sense.

      A lawn mowing business would never succeed in Nevada.

      --
      IWARS.
      People, in general, disappoint me. Politicians even more so.
  8. Re:Force Encryption eh by Angostura · · Score: 4, Funny

    I have developed a system by which each character is taken and broken up into a pattern of ones and zeros. The exact pattern is determined by looking up the character in a table. The receiver has to unscramble this pattern of ones and zeros by looking the pattern up in a similar table and then regenerating the character.

    I call this system ASCII and I believe that it is a simple type of encryption, albeit with a very public public key, and no private key.

  9. How about this? by JustCallMeRich · · Score: 2, Funny

    Can I start a lawsuit to sue some company that does NOT do this, go to a jury by trial, but then do a terribly bad job of defending my position and set precedent that the defendant does not need to encrypt this stuff before a 'real' lawsuit comes about and sets precedent the other way?

    --
    http://Communityville.com - A free place for new and old neighborhood webmasters to hang out.
  10. Encryption Conniption by digitaldc · · Score: 3, Funny

    As of posting time, representatives of the state had not gotten back to me with comment.

    It was later found that the reason for this delay was a system-wide shutdown & widespread panic as they couldn't figure out how to encrypt or decrypt any of their correspondence properly.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  11. GOOD! by Anonymous Coward · · Score: 2, Insightful

    ISTM we should phase out any unencrypted protocols going over the internet.

    This particular law may have technical shortcomings - but if it takes close-but-not-quite right laws to raise awareness to the common person and politician that much internet traffic is unencrypted, I'm all for this law as a stalking horse to-be-improved-upon.

    And just think if we eventually migrated to most internet traffic being encrypted. Much of the bittorrent-throttling / AT&T-spying / NSA snooping paranoia could be avoided.

  12. Re:Force Encryption eh by clone53421 · · Score: 2, Funny

    0101011101101000011000010111010000111111

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  13. Bad summary by russotto · · Score: 4, Informative

    The statute forces businesses to encrypt "Personal Information", which by law consists ONLY of the following:

    NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: 1. Social security number. 2. Driver's license number or identification card number. 3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account. The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public. (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)

    So businesses merely need to refrain from putting social security numbers, drivers license numbers, and passwords in email and other insecure communication channels and they're good. They can even send the password, provided they don't send the account number along with it. This makes forgotten password recovery a bit harder, but it's not impossible to comply with.

    1. Re:Bad summary by ptbarnett · · Score: 2, Insightful

      So businesses merely need to refrain from putting social security numbers, drivers license numbers, and passwords in email and other insecure communication channels and they're good.

      If any business is currently sending SS and driver's license numbers via email, they are being irresponsible.

  14. Re:Knowing the law... by moderatorrater · · Score: 2, Informative

    Even if it is, setting up certificates is a hell of a lot easier than what you proposed. The very best security systems are where good security is easier than bad security. Unfortunately, this doesn't happen very often.

  15. What can go wrong? by oDDmON+oUT · · Score: 2, Insightful

    It's not like we've had any keys lost lately.

    --
    Some days it's just not worth
    chewing through my restraints.
  16. Re:Force Encryption eh by LordEd · · Score: 4, Funny

    I use ROT26. It must be twice as secure as ROT13.

  17. Insecure anyway... by DrYak · · Score: 4, Informative

    So based on this legislation, resetting a user's password and sending them the new password via email is illegal?

    This is an extremely insecure procedure, unless you make sure that, upon receiving the e-mail, the user will quickly log in and change the pass to another one (the mailed password only used as a temporary pass). Or if the mail actually is a special reset-URL which could let the user choose his own.

    An email is just as secure as a postcard. Everyone (for example the postman) could read it. Same for the e-mail: it transits un-encrypted and could be intercepted at any point on the way to the receiver.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Insecure anyway... by ropiku · · Score: 2, Interesting

      This is an extremely insecure procedure, unless you make sure that, upon receiving the e-mail, the user will quickly log in and change the pass to another one (the mailed password only used as a temporary pass). Or if the mail actually is a special reset-URL which could let the user choose his own.

      An email is just as secure as a postcard. Everyone (for example the postman) could read it. Same for the e-mail: it transits un-encrypted and could be intercepted at any point on the way to the receiver.

      What method of password recovery do you suggest ?
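The reset-URL approach DrYak describes (and ropiku asks about) is the standard answer: the e-mail carries a random, single-use, short-lived token rather than a password, so a postcard-style interception of the message is worth little once the link has been used or has expired. The following is an added example, not code from any poster or from the Baseline article; the in-memory dictionaries, the 15-minute lifetime, the `example.invalid` base URL and the `set_password` placeholder are all assumptions made for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links die after 15 minutes

# Constructed stand-ins for database tables. Only the SHA-256 of each token is
# stored, so a leaked table does not hand out working reset links.
_pending_resets = {}
_password_hashes = {}


def _hash_token(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_reset_link(user_id, base_url="https://example.invalid/reset", now=None):
    """Issue a single-use, time-limited reset link for user_id.

    The plaintext token appears only in the returned URL (i.e. in the e-mail);
    the server keeps its hash, an expiry timestamp and a used flag.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    _pending_resets[_hash_token(token)] = {
        "user_id": user_id,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return f"{base_url}?token={token}"


def token_from_link(link):
    """Pull the token parameter back out of a reset URL (what the browser sends)."""
    return parse_qs(urlparse(link).query)["token"][0]


def set_password(user_id, new_password):
    """Hypothetical credential store: salted PBKDF2, never the plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode("utf-8"), salt, 200_000)
    _password_hashes[user_id] = (salt, digest)


def redeem_reset_token(token, new_password, now=None):
    """Consume a token from a reset link.

    Returns the user_id whose password was changed, or None if the token is
    unknown, already used, or expired. Lookup is by hash, so no plaintext
    token is ever compared or stored server-side.
    """
    now = time.time() if now is None else now
    record = _pending_resets.get(_hash_token(token))
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True  # single use: a replayed link from a captured e-mail fails
    set_password(record["user_id"], new_password)
    return record["user_id"]


if __name__ == "__main__":
    link = create_reset_link("alice")
    print("mail this:", link)
    print("first redeem:", redeem_reset_token(token_from_link(link), "correct horse"))
    print("replay:", redeem_reset_token(token_from_link(link), "battery staple"))
```

The user never receives a credential at all, which sidesteps the question of whether a mailed password counts as "personal information" under NRS 603A.040; what is mailed is useless after one click or a quarter of an hour, and the server can revoke it earlier by deleting the hash.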

  18. This is a good idea by JeanBaptiste · · Score: 3, Funny

    Personally identifiable information should be encrypted.

    Sincerely,
    xz'Kxv!y{Ycut="xgq'^e;

  19. The Real Problem... by lax-goalie · · Score: 4, Informative

    ...isn't primarily with the law, it's with the Nevada definition of "encryption". Writing definitions of such things for legislation is a more difficult problem than you might think. (I helped draft Virginia's definition of encryption, and what we ended up with ain't perfect.) But in this case, Nevada's definition just plain sucks.

    One of the challenges of writing legislation is that you really can't refer to specific technologies, otherwise you end up having to update the law every time the technology is broken.

    Also, if you rely on a punch list of approved technologies, you effectively block out alternatives. ("But your honor, I used Blowfish because it's more secure than Triple-DES." "Sorry, son, Blowfish isn't on the list I see here. Guilty!")

    Unfortunately, this is a case of "Not a Bad Idea, Piss-poor Implementation". There's a lot for Nevada to fix here.

  20. The technical solution isn't the point . . . by mmell · · Score: 2, Insightful

    Hellfire, the government could issue an RSA code to every citizen and publish the public keys in a phone book. The government could even provide the necessary software to make it work. It'd be secure - that's the beauty of public key encryption systems such as RSA or knapsack. But it'll never happen. Nobody wants it. Nobody wants to pay for it.

    This legislation will force industry to develop and pay for it, regardless of whether the customers want it or not. Yes, we all want encryption on everything; but an overwhelming majority of computer users don't care enough to actually do anything, even though it would only take a bit of time and effort. Now, what happens when your bank sends you your private encryption key and instructions? Most recipients will either delete or (at best) ignore the key. Later that month imagine their anger when their bank statement is encrypted and they have no idea how to decrypt it. Or do you really get the impression that the average American (Nevadan?) consumer is intelligent enough to implement, say, GPG? If so, do you think the average consumer is energetic enough to do so?

    Leave this job up to market forces - the free-enterprise economy is infinitely more responsive to the needs and wants of the average consumer than is the Federal or even any of the State governments.

  21. Obligatory (with slight variation) by dkleinsc · · Score: 2, Funny

    Your government advocates a

    (X) technical (X) legislative ( ) market-based ( ) vigilante

    approach to fighting identity theft. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop identity theft for two weeks and then we'll be stuck with it
    (X) Users of email will not put up with it
    (X) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from identity thieves
    (X) Requires immediate total cooperation from everybody at once
    (X) Many email users cannot afford to lose business or alienate potential employers
    ( ) identity thieves don't care about invalid addresses in their lists
    (X) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    (X) Lack of centrally controlling authority for email
    (X) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    (X) Asshats
    (X) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of identity theft
    ( ) Joe jobs and/or identity theft
    (X) Technically illiterate politicians
    ( ) Dishonesty on the part of identity thieves themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    (X) Outlook

    and the following philosophical objections may also apply:

    ( ) Ideas similar to yours are easy to come up with, yet none have ever
    been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    (X) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    (X) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    (X) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about your legislature:

    ( ) Sorry dude, but I don't think it would work.
    (X) This is a stupid idea, and you're stupid people for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your
    house down!

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
    1. Re:Obligatory (with slight variation) by MostAwesomeDude · · Score: 2, Funny

      Asshats are an eternal problem, second only to the Dutch.

      --
      ~ C.
  22. Delay access? Not good enough. by isBandGeek() · · Score: 2, Insightful

    Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

    Under this definition of "encryption", I could argue that by compressing the file it would "delay access" by making them wait for the time 7zip takes to unzip. So now zipped files are encrypted?

  23. The Hard Part of This by rawg · · Score: 2, Informative

    The hard part of this problem is getting MS Windows users to use email encryption. You're pretty much screwed if you use MS LookOut. Sometimes it works, sometimes it doesn't.

    I would encrypt all my email if people that I'm sending to could read it. I would refuse any email that is not encrypted if I could get people to encrypt their email.

    --
    The above is not worth reading.
  24. Estbay encryptionyay orfay ureaucratsbay isyay... by stewbacca · · Score: 2, Funny

    ...Igpay Atinlay!

    Seriously...show me one governmental agency that does ANYTHING with technology well and I'll accept governmental agencies telling me what the rules are regarding said technology.