New State Laws Could Make Encryption Widespread
New laws that took effect in Nevada on Oct. 1 and will kick in on Jan. 1 in Massachusetts may effectively mandate encryption for companies' hard drives, portable devices, and data transmissions. The laws will be binding on any organization that maintains personal information about residents of the two states. (Washington and Michigan are considering similar legislation.) Nevada's law deals mostly with transmitted information and Massachusetts's emphasizes stored information. Between them the two laws should put more of a dent into lax security practices than widespread laws requiring customer notification of data breaches have done. (Such laws are on the books in 40 states and by one estimate have reduced identity theft by 2%.) Here are a couple of legal takes on the impact of the new laws.
Only laptops. I was worried that we would have to encrypt our entire database.
What kind of n00b do you think I am? Like I'm really going to click through a link to mofo.com.
Jesus.
Information wants to be free. This is information prison at the hands of the State.
Forcing idiots to encrypt sensitive files will ...
force idiots to encrypt files (not the ones they should encrypt, obviously) using the password "password" ...
and
lose half the data, believing they encrypted it
and
send the data to half their family, especially anyone claiming to be a hacker, with the subject line "can you tell me the password for this file", who'll put it online on wikileaks (who'll happily -and proudly- publish extremely private information on anyone they don't like, laws and privacy be damned)
Well, at least when the honeymoon's over and it's time for Barack O. to publish his email correspondence, he can claim to have "encrypted it" and then send a random string, telling the judge the password has something to do with a very dark hole where apparently many claim the sun does not shine.
How interesting and ironic that not that long ago (1991) possessing encryption tools was considered munitions!
It used to be that Philip Zimmermann was getting hassled for his creation of PGP.
Boy we've come a long way. Check out the Wikipedia entry on PGP if you can
but clueless users will write the password on a post it note, and probably burn a plaintext CD copy to leave lying around.
Government agencies will be worse.
There are still people running legacy systems that do not support encryption. Nor is it fast, easy, or cheap to get them to do so.
Also, I could see huge problems later on when the only IT guy who knows the key is fired, hit by the obligatory train, or quits. Forcing encryption isn't the answer, but penalties and legal repercussions if your data is stolen are more appropriate.
While it is not the right time to say this politically, it is a case where they don't really need government intervention, as most companies will regulate themselves on this front, especially if they don't have immunity from legal problems if something goes wrong.
It seems like the Democrats are doing the same thing the Republicans did after 9/11. Just as after 9/11 the Republicans pushed security to an extremist state, the Democrats are using the financial crisis to push all those heavy regulations down our mouths. Just as 7 years ago they went, "Those damn Democrats were too soft on security, and look what happened," now the Democrats are going, "Those damn Republicans were so soft on regulating companies, and look what happened."
Same old Same old... Sigh....
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Given that this does not affect personal computers, only corporate data stored about private individuals, how does this warrant a nannystate tag?
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
Or if they are in the UK.
Let's say that this (good) idea is properly implemented (rather than just pretend implemented), and all the laptops have full disk encryption in place.
Now someone with one of these laptops travels outside the US, and then flies back in and is asked to boot up the laptop. They will do so of course, and then, suddenly, there is no point to having the encryption, at that point. Sure it's still useful for cases where the laptop gets left on a train or something (assuming that they also require a password when opening a closed laptop, something that should be the case anyway), but it doesn't stop over-zealous and possibly corrupt government agents from looking over the info anyway.
It is even worse if such a laptop goes with someone who knows the password to the UK...
-----
Over all though? Great idea, and anything that opens more people up to the idea of encryption and the need for it is probably good as well. The more people who can prevent the govt. from looking at their data, the better. (And see a previous comment in a different story about hiding data to prevent the govt. from forcing you to hand over your keys.)
I wank in the shower.
Here comes the flood of complaints that their systems are slow, not responsive or too busy.
We have gunfights with our encryption client almost on a daily basis, being a resource hog and all that.
First rule of holes; When in one, stop digging.
Okay, why is this already tagged "nanny state"? Is it somehow a fascist imposition on the free market to make companies protect the personal data of their customers? Aren't slashdot articles run all the time criticizing how lax many corporations (including financial companies that should know better) are with their customers' data?
I am the man with no sig!
This should have been done a long time ago! The fact that credit cards and SSNs are just floating around is stupid. But will this really solve the whole identity theft issue? I don't really believe it will change the situation too much. Generally when there is a security breach the company notifies everyone, putting them on alert. It's the morons who see a popup that says "your pc is infected get winantivirus2008 to fix it" and actually pay for malware that are the most at risk. And what about when you go to a restaurant and pay with a credit card and the server writes down the numbers before handing it back to you? That is where the real danger lies.
I'm not surprised it has made so little difference.
As we know, technical solutions are rarely enough to protect data. Human processes and policies can be much more important.
Personally I prefer the UK approach, the Data Protection Act. No doubt it is flawed, and sadly not enforced as rigorously as it should be, but the concept is better. Rather than mandate specific technological approaches, it imposes a set of general requirements on any organisation that holds personal data:
The DPA is one of the few generally excellent pieces of legislation in the UK. It's just a shame that the Information Commissioner's Office that enforces it isn't as active as it could be. But it gives you quite a bit of power to take on companies yourself.
Paul Leader
It sounds to me like all you need to do is encrypt the hard drive and require a password, but if so, why so much? It seems $300 per person is probably on the expensive end for the software, but I'll let that one slide. However, $50 per person per month just to maintain the system? What is this cost for? What is there to maintain? The only thing I can think of is dealing with forgotten passwords, which will require restoring the system and losing whatever was on the laptop and not backed up. $600 per employee per year seems high for this.
Why do I have a sneaking suspicion that specific software will be endorsed and/or required to meet this new requirement? Probably whichever one spends the most money to "demonstrate" its capabilities to the lawmakers by treating them all to free vacations in the Bahamas. How much do you want to bet that a free solution like Truecrypt just won't meet the "standards" set by this new law?
End of lesson. You may press the button.
openssl des3 -d -salt -in file.des3 -out file.txt -k horsefeathers
That's why. That's why your mother doesn't use it, and it's also why CEOs don't do it. It's too cryptic, if you'll pardon the expression.
I wonder if Massachusetts' concern about encrypting stored data has anything to do with EMC being headquartered in the state. Considering that EMC owns RSA (the company), a law like this would probably benefit EMC. Also, Massachusetts is home to TJX, famous for having had a major data breach.
[Note: I work for EMC, but have no inside knowledge related to this topic.]
"If it don't encrypt, you must acquit" (c) Johnny Cochran
Seriously, it's about damn time that states required companies with our personal data to do something smart with it. Yes, I don't like business being forced to act at the whim of a government, but in this case, with so much of our data out there and being transmitted to third parties, controls are important.
It amuses me to see how government always wants to have its cake and eat it too. I agree that widespread use of strong encryption and good security practices is of great benefit to society, but some Senator or law enforcement agency is bound to complain that their ability to wiretap or access encrypted data is being compromised by these better private security measures. Strong encryption and good security are two-edged swords; they help us and they help our enemies as well, and there is no way around that. Personally, I don't have a problem with that. I would rather live in a society where encryption is used, privacy is paramount, and some criminals and evil-doers are a bit harder to catch; not a bad trade-off IMHO. However, there will doubtless be howls of indignation from the law enforcement community, which contains more than its fair share of self-righteous authoritarian pricks, about how criminals are getting away with crimes and going unpunished. I suppose that my response to them would be to make better use of the tools and laws that we already have instead of depending upon ever more egregious invasions of our collective personal privacy and abridgements of our Constitutional rights merely to prevent some drug addict from getting his fix or some high school students from posting pictures of themselves on MySpace or Facebook.
Just because a state mandates something, does not mean it automatically happens. Look at speeding, look at drug laws, look at overtime rules for P/T and F/T employees, look at many other unenforced business regulations.
This stuff is like when a judge ordered a server's RAM chips removed and stored as evidence, as they were a 'data storage device'. Government typically sucks at anything like this.
I want to delete my account but Slashdot doesn't allow it.
...who thought that the link to MOFO.com would be some kind of Samuel L. Jackson fan site and not a law office?
LETS DECOMPOSE & ENJOY ASSEMBLING
As was discussed yesterday, this could be pointless, as a good part of the breaches could go through social engineering and trojans that could defeat several kinds of encryption schemes.
If you want to force users to be safe, educate them and give them tools to be safe, whether the information on their HDs is encrypted or not.
I wonder how this combines with the tendency of the US government to monitor ISPs to detect terrorism, IP violation or whatever excuse is hot at that moment. Is the encryption needed a backdoored one, or could we have a conflict in the future here?
Any lawyers reading want to comment on Massachusetts's attempt to impose this regulation on any business (even one without a presence in Massachusetts) storing information about Massachusetts residents? My take on this is that they are WAY overstepping the boundaries of what state laws can do, but IANAL.
Nevada's legal definition of encryption sucks, and covers just about any technology that obstructs a bad guy's access to data. That includes such cryptographic wonders as, say, passwords or 2-factor auth.
The weaknesses of this law have been pointed out repeatedly -- for example by Schneier in a crypto-gram from probably 2004 (this is from memory), and by various bloggers interested in data breach legislation.
I am sure MA could not do a worse job, but Nevada did an absolutely terrible one.
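Two worries raised in this thread have a standard engineering answer: the post above says Nevada's definition counts a password in front of the data as "encryption", and earlier posts fear that the one admin who knows the key leaving, or a forgotten password, means the laptop's data is simply gone. Full-disk encryption products do not encrypt the data under the user's passphrase directly; they encrypt it under a random data-encryption key (DEK) and wrap that DEK separately under each passphrase or recovery key ("key slots" in LUKS, "protectors" in BitLocker), so an escrowed recovery slot survives a departed admin and the bytes on disk carry no plaintext. The Go program below is an added example written for this page, not code from the article, from any commenter, or from any product named in the thread; the names (`Volume`, `KEKFromPassphrase`, the slot names) and the sample record are invented for illustration, and the SHA-256 passphrase derivation is a stand-in for a real slow, salted KDF, as the comments note.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is a constructed sample of the customer data the statutes cover.
var Record = []byte("name=Jane Doe;ssn=123-45-6789;card=4111111111111111")

// seal encrypts and authenticates with AES-256-GCM; the random nonce is prepended.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or any tampering yields an error, not garbage.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// KEKFromPassphrase derives a key-encryption key from a passphrase. Real systems
// use a slow, salted KDF (PBKDF2, scrypt, Argon2); SHA-256 keeps this stdlib-only.
func KEKFromPassphrase(pw string) []byte {
	h := sha256.Sum256([]byte("kek:" + pw))
	return h[:]
}

// Volume keeps one random data-encryption key (DEK) wrapped separately under each
// slot's KEK, as LUKS key slots and BitLocker protectors do.
type Volume struct {
	Slots map[string][]byte // slot name -> DEK sealed under that slot's KEK
	Data  []byte            // record sealed under the DEK; no plaintext on disk
}
// NewVolume encrypts data under a fresh DEK and wraps the DEK once per slot.
func NewVolume(data []byte, slots map[string][]byte) (*Volume, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	v := &Volume{Slots: make(map[string][]byte)}
	var err error
	if v.Data, err = seal(dek, data); err != nil {
		return nil, err
	}
	for name, kek := range slots {
		if v.Slots[name], err = seal(kek, dek); err != nil {
			return nil, err
		}
	}
	return v, nil
}
// Open unwraps the DEK through one slot, then decrypts the data.
func (v *Volume) Open(slot string, kek []byte) ([]byte, error) {
	dek, err := open(kek, v.Slots[slot]) // a missing or revoked slot fails here too
	if err != nil {
		return nil, fmt.Errorf("slot %q: %w", slot, err)
	}
	return open(dek, v.Data)
}
// RevokeSlot drops a slot (a departed administrator's, say); the rest keep working.
func (v *Volume) RevokeSlot(slot string) { delete(v.Slots, slot) }

func main() {
	recovery := KEKFromPassphrase("escrowed-recovery-key") // held off the laptop
	v, err := NewVolume(Record, map[string][]byte{"admin": KEKFromPassphrase("correct horse battery staple"), "recovery": recovery})
	if err != nil {
		panic(err)
	}
	v.RevokeSlot("admin") // the only admin who knew the passphrase has left
	got, err := v.Open("recovery", recovery)
	fmt.Println(string(got), err)
}
```

Running it prints the original record: the admin slot is gone, yet the escrowed recovery slot still unwraps the same DEK. Searching `v.Data` or any slot for the SSN finds nothing, which is the difference between encryption at rest and a password check in front of plaintext. Rotating a passphrase means re-wrapping the 32-byte DEK, not re-encrypting the disk.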
Millennium Development Goals:
Yes, you're right, that is un-American.
Encrypting drives and portable devices is certainly doable, as there are generally a finite number of devices. Data transmissions are a little more difficult because of the sheer number of possible endpoints.
If someone were to create a standards compliant Opportunistic Encryption scheme for IPV6, this could be a boon for adoption. FreeSWAN was certainly ahead of its time.
Why use full-disk, then? I imagine that having a bootable computer with reasonable apps would be enough to pacify most security personnel. For most cursory inspections, what ain't mounted ain't there.
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.
Encryption is good for protecting trade secrets, but useless for protecting social security numbers. Thieves who want to steal credit card or social security numbers can choose from tens of thousands of possible targets, at least one of which will be insecure. We need to stop pretending that social security numbers are useful as identification or authentication, because using an SSN to identify yourself requires disclosing it. We need to switch to a system of public-key cryptography, and put the blame for identity theft where it belongs: on the banks, who somehow decided that a few readily-discoverable numbers and a few easily-forged documents were all that's needed to take a loan in your name.
could happen. you can 'play' along if you're so inclined.
greed, fear & ego are unprecedented evile's primary weapons. those, along with deception & coercion, helps most of us remain (unwittingly?) dependent on its' life0cidal hired goons' agenda. most of yOUR dwindling resources are being squandered on the 'wars', & continuation of the billionerrors stock markup FraUD/pyramid schemes. nobody ever mentions the real long term costs of those debacles in both life & any notion of prosperity for us, or our children, not to mention the abuse of the consciences of those of us who still have one. see you on the other side of it. the lights are coming up all over now. conspiracy theorists are being vindicated. some might choose a tin umbrella to go with their hats. the fairytail is winding down now. let your conscience be yOUR guide. you can be more helpful than you might have imagined. there are still some choices. if they do not suit you, consider the likely results of continuing to follow the corepirate nazi hypenosys story LIEn, whereas anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.
http://news.google.com/?ncl=1216734813&hl=en&topic=n
http://www.nytimes.com/2007/12/31/opinion/31mon1.html?em&ex=1199336400&en=c4b5414371631707&ei=5087%0A
http://news.yahoo.com/s/ap/20080918/ap_on_re_us/tent_cities;_ylt=A0wNcyS6yNJIZBoBSxKs0NUE
http://www.nytimes.com/2008/05/29/world/29amnesty.html?hp
http://www.cnn.com/2008/US/06/02/nasa.global.warming.ap/index.html
http://www.cnn.com/2008/US/weather/06/05/severe.weather.ap/index.html
http://www.cnn.com/2008/US/weather/06/02/honore.preparedness/index.html
http://www.cnn.com/2008/TECH/science/09/28/what.matters.meltdown/index.html#cnnSTCText
http://www.cnn.com/2008/SHOWBIZ/books/10/07/atwood.debt/index.html
http://www.nytimes.com/2008/06/01/opinion/01dowd.html?em&ex=1212638400&en=744b7cebc86723e5&ei=5087%0A
http://www.cnn.com/2008/POLITICS/06/05/senate.iraq/index.html
http://www.nytimes.com/2008/06/17/washington/17contractor.html?hp
http://www.nytimes.com/2008/07/03/world/middleeast/03kurdistan.html?_r=1&hp&oref=slogin
http://biz.yahoo.com/ap/080708/cheney_climate.html
http://news.yahoo.com/s/politico/20080805/pl_politico/12308;_ylt=A0wNcxTPdJhILAYAVQms0NUE
http://www.cnn.com/2008/POLITICS/09/18/voting.problems/index.html
http://news.yahoo.com/s/nm/20080903/ts_nm/environment_arctic_dc;_ylt=A0wNcwhhcb5It3EBoy2s0NUE
(talk about cowardlly race fixing/bad theater/fiction?) http://money.cnn.com/2008/09/19/news/economy/sec_short_selling/index.htm?cnn=yes
http://us.lrd.yahoo.com/_ylt=ApTbxRfLnscxaGGuCocWlwq7YWsA/SIG=11qicue6l/**http%3A//biz.yahoo.com/ap/081006/meltdown_kashkari.html
http://www.nytimes.com/2008/10/04/opinion/04sat1.html?_r=1&oref=slogin
(the teaching of hate as a way of 'life' synonymous with failed dictatorships) http://news.yahoo.com/s/ap/20081004/ap_on_re_us/newspapers_islam_dvd;_ylt=A0wNcwWdfudITHkACAus0NUE
(some yoga & yogurt makes killing/getting killed less stressful) http://news.yahoo.com/s/ap/20081007/ap_on_re_us/warrior_mind;_ylt=A0wNcw9iXutIPkMBwzGs0NUE
(the old bait & switch...you're share of the resulting 'product' is a fairytail nightmare?)
http://news.yahoo.com/s/ap/20081011/ap_on_bi_ge/where_s_the_money;_ylt=A0wNcwJGwvFIZAQAE6ms0NUE
is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insi
How does Massachusetts have jurisdiction over business entities that neither reside nor provide services within its borders?
Yes mister DHS, I'd love to decrypt this file for you! However, it is in the "Customer Records" folder, so I'm not allowed to know the key. Yes, it is probably full of goat-porn and cocaine receipts, but that's the law...
I wonder if people will simply ROT13 their data for cheap token compliance.
Looks like a lot of state agencies are finally going to have to upgrade from Win98.
A legislature is unwise to require a specific technology like "encryption." Legislatures are prone to make technical mistakes. --Benjamin Wright
Benjamin Wright, Dallas, Texas, benjaminwright.us
A requirement for on-disk encryption could actually be a real problem for many medical practices, because an astonishing number are still using slightly-updated versions of practice management software from the early- to mid-90's on systems like SCO's OpenServer 5.0.x. I support a fair number of those practices.
We also have one practice running a dedicated system for ophthalmologists that is so old it doesn't understand networks. Users are connected via serial port expansion units. Makes it a pain when they have multiple sites and the telco says "We're dropping support for those 56k dedicated lines you've been using for 15 years."
fencepost
just a little off
I know that's a scary topic for lots of Americans, but good gov't regulations are largely responsible for Canadian banks not needing $700 billion + $250 billion bailout packages...
Just imagine if business was ENTIRELY unregulated. What would that be like? I know, monopolies would emerge! Microsoft, Amazon and Richard Branson would probably own everything, and would be in constant bidding wars to buy each other out. Steve Jobs would likely be begging outside the new flagship Windows Store (formerly known as the Apple Store) in San Francisco, and pleading with people not to buy Microsoft Windows X and brand new WindowsBook Pros.
Some food for thought...
Now, I agree that THIS particular proposition could be worded better to remove ties to specific technological methods (encryption) and focus more on general methods like the UK Data Protection Act, which was mentioned earlier. This would make the law able to last longer without requiring rewrites every so often to keep up to date. The UK law is very well written in this regard. See this post for more details about the UK law.
Last I checked, no information that is transmitted or stored electronically is in an "unencrypted" format. One could easily argue that storing information in little/big endian form is very much encrypted as defined by these statutes.
This could provide all sorts of amusement.
Once companies have to encrypt the user data, I'm waiting for some poor schmuck to come back into the US with data on his laptop. The border guys will insist you decrypt, and then you're screwed either way.
If you don't decrypt it, immigration and DHS will arrest you. If you do, the states will arrest you. :-P
I kid, hopefully this wouldn't be a real scenario. But, dueling laws is always fun to ponder.
Cheers
Lost at C:>. Found at C.
What's the password to the UK? Marmalade?
For the love of Mike, somebody secure that laptop!
Thank you! I'm here through the weekend!
Why, without your clothes, you're naked, Miss Dudley!
Yup, because if a solution doesn't fix every fucking problem in the world, it's not worth doing.
I'll be sure to tell my plumber not to try using the plunger because a plunger won't cure cancer.
No dumbass, a lost laptop with tens of thousands of users information on it is not directly equivalent to what a semi-hostile government body in a foreign country might do.
And how much authority does Massachusetts have over a company in Wilmington, DE (for example)? None.
Best case, this law will be ignored for a few months, then struck down by Federal court on the grounds that a state lacks authority over businesses that operate across state lines.
Worst case, businesses will just move their data warehouses out of Massachusetts and claim the law doesn't apply to them any more.
I'm not saying encryption is stupid or unnecessary. I'm just saying this law has very minimal chance of making any real difference. You can't change the nature of e-commerce one state at a time.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
e.g. Gender equality - in the Middle East?
Child Health - how about not putting melamine in baby formula, China?
Combat HIV/AIDS - South Africa's (the biggest economy in Africa) president *just* admitted that AIDS is in fact caused by a virus. Sounds like they have a ways to go.
Environmental Sustainability - in China? Yeah, right.
More expensive I'm sure, but Digiboard has some nice stuff. Generally very solid drivers (from what I've experienced), real documentation in English, etc.
A PortServer TS/16 runs approximately $1000 new and provides 16 serial ports that can be configured in any of a variety of ways.
fencepost
just a little off