New State Laws Could Make Encryption Widespread

New laws that took effect in Nevada on Oct. 1 and will kick in on Jan. 1 in Massachusetts may effectively mandate encryption for companies' hard drives, portable devices, and data transmissions. The laws will be binding on any organization that maintains personal information about residents of the two states. (Washington and Michigan are considering similar legislation.) Nevada's law deals mostly with transmitted information and Massachusetts's emphasizes stored information. Between them the two laws should put more of a dent into lax security practices than widespread laws requiring customer notification of data breaches have done. (Such laws are on the books in 40 states and by one estimate have reduced identity theft by 2%.) Here are a couple of legal takes on the impact of the new laws.

Okay whew

Only laptops. I was worried that we would have to encrypt our entire database.

Re:Okay whew

[ShieldW0lf]

Identity theft causes a breakdown in the system that allows a few very rich to wield excessive and arbitrary power while the majority struggles to meet their needs while surrounded by plenty.

I'm not rich. I don't expect to be rich, I don't desire to be rich. To be rich is to stand on the neck of your fellow man and steal his share, and to spend each day ensuring that the exploitation isn't disrupted.

I hope we see more identity theft. This system shouldn't exist, and the sooner it shatters due to its own inherent nature, the happier I will be.

I've got an idea for a much better law. All data must be placed on public servers, like Wikileaks, where anyone can examine it at any time. Anyone attempting to conceal information under any circumstances is guilty of conspiracy and treason. That would make it pretty hard to steal someones identity; you'd be caught for sure.

How exactly will this work ?

[OeLeWaPpErKe]

Forcing idiots to encrypt sensitive files will ...

force idiots to encrypt files (not the ones they should encrypt, obviously) using the password "password" ...

and

lose half the data, believing they encrypted it

and

send the data to half their family, especially anyone claiming to be a hacker, with the subject line "can you tell me the password for this file", who'll put it online on wikileaks (who'll happily -and proudly- publish extremely private information on anyone they don't like, laws and privacy be damned)

Well at least, when the honeymoon's over and it's time for Barack O. to publish his email correspondance he can claim to have "encrypted it" and then send a random string, telling the judge the password has something to do with a very dark hole where apparently many claim the sun does not shine.

Re:How exactly will this work ?

[OeLeWaPpErKe]

There's only one real question to ask. If someone publishes Obama's email. And there are some private "let's barbecue some white guy" jokes in there, along with an email of some secretary asking to pay a certain bill or not. You know "state business".

And it would have been published whole ... I have to cover my ears just thinking about it.

So : it's NOT acceptable behavior. Sending the emails anonymously to the the police and keeping them 100% out of public view would be the very last line I would find tolerable on govt. official's private email addresses. But even that still involves a crime.

Ironic... or just interesting

[i_want_you_to_throw_]

How interesting and ironic that not that long ago (1991) possessing encryption tools was considered as munitions!

It used to be that Philip Zimmermann was getting hassled for his creation of PGP.

Boy we've come a long way. Check out the Wikipedia entry on PGP if you can

Re:Ironic... or just interesting

[paco+verde]

Apologies for replying to my own post, but I found the list in this PDF document:

Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, and Talisman-controlled (sic) (Taliban-controlled?) areas of Afghanistan as of January 2000.

(Although there are nine -- counting "Talisman-controlled areas of Afghanistan" -- listed, not 7.)

-- Glenn

Company laptops will be enctypted...

[sakdoctor]

but clueless users will write the password on a post it note, and probably burn a plaintext CD copy to leave lying around.
Government agencies will be worse.

Re:Company laptops will be enctypted...

[plover]

but clueless users will write the password on a post it note, and probably burn a plaintext CD copy to leave lying around. Government agencies will be worse.

And you know what? That's better than nothing. It's another layer.

Sure, we all think about "stolen laptops" when we think about these data losses, but that's not always true. Think about a remote hacking attack. Let's say a bad guy connects to the machine and starts sucking up a ZIP files labeled "Customer_Credit_Cards_2007-2008.ZIP". And the password is written down and stuck to the screen. The bad guy is on a network, can't see that password, and the file is just as unencryptable to him as it would be without the sticky note to you.

I'm just saying that you can still get some protection even from bad practices. If that stops 50% of the attackers, well, that's 50% more than we're stopping today. Is it watertight? No. Is it enough? No. Is it better? Yes.

Only 2% reduction?

[NoNeeeed]

I'm not surprised it has made so little difference.

As we know, technical solutions are rarely enough to protect data. Human processes and policies can be much more important.

Personally I prefer the UK approach, the Data Protection Act. No doubt it is flawed, and sadly not enforced as rigorously as it should be, but the concept is better. Rather than mandate specific technological approaches, it imposes a set of general requirements on any organisation that holds personal data:

• Data may only be used for the specific purposes for which it was collected.
• Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.
• Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
• Personal information may be kept for no longer than is necessary.
• Personal information may not be transmitted outside the EEA unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
• Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner.
• Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).

The DPA is one of the few generally excellent pieces of legislation in the UK. It's just a shame that the Information Commisioner's Office that enforces it isn't as active as it could be. But it gives you quite a bit of power to take on companies yourself.

Why so expensive

[LordKronos]

The Massachusetts government estimates that a business with 10 employees will need to spend $3,000 up front, plus an additional $500 a month in order to comply. Security executives at larger firms said they expect to spend a similar amount per employee.

It sounds to me like all you need to do is encrypt the hard drive and require a password, but if so, why so much? It seems $300 per person is probably on the expensive end for the software, but I'll let that one slide. However, $50 per person per month just to maintain the system? What is this cost for? What is there to maintain? The only thing I can think of is dealing with forgotten passwords, which will require restoring the system and losing whatever was on the laptop and not backed up. $600 per employee per year seems high for this.

Re:Why so expensive

[Aladrin]

Encrypting something isn't instantaneous, especially if new software has to be researched, bought, and installed. In addition, you're paying 2 employees for the time the system is getting the software installed. This goes for laptops, pc, servers, etc. The downtime for servers is also going to cost money in its own ways.

If you think dealing with encryption won't waste $50/mo of each employees productivity, you're mistaken. Plus the passwords thing you mentioned... That could do it on average, too.

No, I think the estimates are low, if anything.

Re:Why so expensive

[DavidTC]

Right. Especially for laptops, which tend to have slower hard drives in the first place.

I installed TrueCrypt on my moderately old laptop, an Intel 1.6Ghz, and the only speed different I notice is that, for some reason, hibernation and unhibernation is twice as slow. I suspect this is some sort of bug. Other than that, I forget it's there except when I boot up.

TrueCrypt, by default, uses AES, which was designed for speed on modern processors. (Or, rather, was designed to use exactly the mathematical operations that CPU manufacturers optimize for in order to make games run faster, so as CPUs keep speeding those operations up AES gets faster.)

Ha, I just checked to see if that hibernation thing is a bug, and it turns out that not only is it, but it's been fixed in 6.0 and I should just upgrade instead of whining about it.

Corruption opportunity

[Verteiron]

Why do I have a sneaking suspicion that specific software will be endorsed and/or required to meet this new requirement? Probably whichever one spends the most money to "demonstrate" its capabilities to the lawmakers by treating them all to free vacations in the Bahamas. How much do you want to bet that a free solution like Truecrypt just won't meet the "standards" set by this new law?

Re:nannystate tag?

[jellomizer]

As many people in the election on both sides has stated There are a lot of small business out there, more that do not focus on IT in general. Excessive restrictions and regulations are just as bad as none. You can't hold the hands of every company. You need to let them mess up from time to time. Encrytion is a good thing however forcing it isn't even for companies. As many of the small business are an employee of one and it is their own personal PC.

Corporate interest

[crow]

I wonder if Massachusetts concern about encrypting stored data has anything to do with EMC being headquartered in the state. Considering that EMC owns RSA (the company), a law like this would probably benefit EMC. Also, Massachusetts is home to TJX, famous for having had a major data breach.

[Note: I work for EMC, but have no inside knowledge related to this topic.]

Law Enforcement will Complain

[CodeBuster]

It amuses me to see how government always wants to have its cake and eat it too. I agree that widespread use of strong encryption and good security practices is of great benefit to society, but some Senator or law enforcement agency is bound to complain that their ability to wiretap or access encrypted data is being compromised by these better private security measures. Strong encryption and good security are two edged swords, they help us and they help our enemies as well, there is no way around that. Personally, I don't have a problem with that. I would rather live in a society were encryption is used, privacy is paramount, and some criminals and evil doers are a bit harder to catch, not a bad trade-off IMHO. However, there will doubtless be howls of indignation from the law enforcement community, which contains more than its fair share of self-righteous authoritarian pricks, about how criminals are getting away with crimes and going unpunished. I suppose that my response to them would be to make better use of the tools and laws that we already have instead of depending upon ever more egregious invasions of our collective personal privacy and abridgements of our Constitutional rights merely to prevent some drug addict from getting his fix or some high school students from posting pictures of themselves on MySpace or Facebook.

Mandate != Reality

[Gothmolly]

Just because a state mandates something, does not mean it automatically happens. Look at speeding, look at drug laws, look at overtime rules for P/T and F/T employees, look at many other unenforced business regulations.

This stuff is like when a judge ordered a server's RAM chips removed and stored as evidence, as they were a 'data storage device'. Government typically sucks at anything like this.

Re:"nanny state"?

[Aladrin]

In a word: Yes.

Making laws to tell them exactly what to do is stupid. What if there's a better way, and encryption isn't needed? They still have to do the encryption now.

Other posts have been more reasonable: Harsher penalties for failing to protect the data.

It might even be different if this was a 100% fix. It's not. Now the thief just needs 1 more step, instead. The password/key. Even without it, it's not impossible to crack encryption. It's just very hard, if done right. (And next to useless if done wrong.)

So yes, the 'nannystate' tag is accurate.

Re:Legacy Systems?

[Sebilrazen]

It seems like the Democrats are doing the same thing the republicans did after 9/11. Just as after 9/11 the Republicans pushed Security to an extremist state, Democrats are using the financial crisis to push down all those heave regulations down our mouth...

BS, this is state level law, not Congress, way to troll. Besides these laws were passed way before the meltdown, these are their enactment dates.

Re:Bad news

[MindKata]

"Information wants to be free."

I don't know about free. Anything but free. This is government admiting they expect widespread monitoring of communications. For example, in the case of the UK, that means all business data will be scanned along with peoples emails, so it makes sense that governments and companies with international offices, are going to be worried their internal email documents are going to be intercepted.

Re:Legacy Systems?

[Beryllium+Sphere(tm)]

>Also I could see huge problems later on when the only IT guy who knows the key is fired, hit by the obligatory train, or quits.

If you're covered by the credit card industry's Data Security Standard, you're already required to use encryption and you're required to use it competently, with a key management infrastructure.

Corporate crypto deployments have been using some form of key escrow for many years. Availability is as much part of security as confidentiality is.

Re:mofo.com?

[hajihill]

Assuming here that the above poster is being funny, I'll clear this up for those this might actually cause some concern.

Morrison & Foerster is a internationally recognized and prestigious law firm established in 1883, that has been going by the nickname MoFo since 1973. More on the linked wikipedia article for those still interested or skeptical.

Re:You Un-American *tards!

[Dr_Barnowl]

Millenium Development Goals :

• End Poverty and Hunger
• Universal Education
• Gender Equality
• Child Health
• Maternal Health
• Combat HIV/AIDS
• Environmental Sustainability
• Global Partnership

Yes, you're right, that is un-American.

Re:Legacy Systems?

[Tony+Hoyle]

You'd probably have trouble on AS/400 unless they've done a version that copes with all the nasty EBCDIC issues porting to that platform (and the fact that it doesn't use directories in any meaningful sense, and what there is of its filesystem is completely alien to the average PC user).

There are lots of those in operational use that have been doing mundane work for years.. and nobody is going to change them in a hurry, because replacement is very expensive and you don't get a better system at the end of it.

Hell, I'd hesitate to compile OpenSSL on quite mainstream OSs like HPUX (although probably someone has already gone through the pain of doing it I'm sure).

Protecting SSNs won't stop identity theft

[Jimmy_B]

Encryption is good for protecting trade secrets, but useless for protecting social security numbers. Thieves who want to steal credit card or social security numbers can choose from tens of thousands of possible targets, at least one of which will be insecure. We need to stop pretending that social security numbers are useful as identification or authentication, because using an SSN to identify yourself requires disclosing it. We need to switch to a system of public-key cryptography, and put the blame for identity theft where it belongs: on the banks, who somehow decided that a few readily-discoverable numbers and a few easily-forged documents were all that's needed to take a loan in your name.

Re:nannystate tag?

[DavidTC]

It's not just personal data on the laptop.

I work for a fairly small company, and while we don't have any person data off our server, and in fact don't really have any personal data beyond names, addresses and email accounts...

...we have logins to our CC processor and whatnot that could trivially be used to steal quite a lot of CC numbers. In addition to probably breaking into our bank account and draining. In addition to getting into our servers and installing backdoors.

Which is why, of course, we have Truecrypt with boot-time encryption on all laptops, so that if they get stolen we don't have to run around like chickens with our heads cut off trying to figure out every single login that needs to be changed.

For those people worried about forgetting password: Burn three or four TrueCrypt 'recovery CD' and write the password on them. In fact, write the password everywhere...just don't carry it around in the laptop bag.

Seriously, half these 'data thefts' are random laptop thieves stealing random laptop that just happen to include absurdly dangerous amounts of data on them. They aren't targeted attacks, and the thief is probably wiping them before boot. But companies have to act like they have all your data because said companies are morons who can't spend a tiny amount of time setting up free software that would stop that from happening.

People often worry about computer security in entirely the wrong direction, worrying about changing internal company-only passwords every month, and then completely ignoring actual outside risks like someone snatching a laptop bag off someone's arm.

minimal effort

[Wyck]

I wonder if people will simply ROT13 their data for cheap token compliance.

win98

[zanybrainy941]

Looks like a lot of state agencies are finally going to have to upgrade from Win98.