Mass. Data Security Law Says "Thou Shalt Encrypt"
emeraldd writes with this snippet from SQL Magazine summarizing what he calls a "rather scary" new data protection law from Massachusetts: "Here are the basics of the new law. If you have personally identifiable information (PII) about a Massachusetts resident, such as a first and last name, then you have to encrypt that data on the wire and as it's persisted. Sending PII over HTTP instead of HTTPS? That's a big no-no. Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose. You'll get a fine of $5,000 per breach or lost record. If you have a database that contains 1,000 names of Massachusetts residents and lose it without the data being encrypted, that's $5,000,000. Yikes."
That's pretty much already corporate policy at the last two major places I've worked for a few years now. It would be nice if the government starts treating that data the same way.
In fact, it would also be nice to mandate encryption and signatures for email so there will be no more unsolicited spam. And finally it would be great if no one was allowed to open up a line of credit without my cryptographic signature so I wouldn't have to protect my SSN, birthdate, and mother's maiden name like it was some sort of safety deposit box combination.
Now maybe if they actually enforce it businesses will get the idea that they should protect the data.
It would have been very difficult for us to figure out how much the fine would be if you lost the records of 1000 people.
It would have been nicer though if you gave us another example. How much would the fine have been for losing records of 2000 people?
What is so scary about this?
With a high cost of PII, there is now an economic incentive for companies to actually give a rat's ass. It's the same kind of incentive that is used to make sure companies don't just dump toxic chemicals in kindergarten sandboxes.
If you're a company that doesn't do business within the boundaries of the state, they'll have a damned hard time justifying why you're beholden to their laws.
I hope the phone company has deep pockets, because the phone book is full of first and last names and, last time I checked, it was totally unencrypted!
It's "rather scary" that this emeraldd guy is going to have to actually start doing the job he should have been doing all along?
...in fact, as far as I'm concerned it's about time that someone legislated how companies I have to deal with protect my personal information.
This "Written Information Security Plan"-Thing (yes, I read TFA) sounds like an unnecessary and useless PITA though...
This seems pretty sensible. Given how many people are hurt by these things, this seems like a reasonable standard for future industry practice, and the fines hammer home the idea to the companies that "oops, sorry!" isn't the level of seriousness these things should be given. I imagine most of the time these breaches are against the privacy promises the companies make anyhow.
The only downside is that the fine is kind of daunting for people who would like to enter a relevant market, although .. perhaps it's analogous to car manufacturers being liable for poor design of their products - when they fail, it can be a big deal.
For every problem, there is at least one solution that is simple, neat, and wrong.
Now I await the professionalization of the software field.
Who in the company is going to oversee such rules and regulations? Hmm, perhaps all software projects must be handled by a certified software engineer. They can make sure the software is up to standards... and will have to take out liability insurance like other professionals.
And of course, they must be US citizens to comply with US law.
I'm smelling job protection like doctors and lawyers.
Oh I can dream can't I?
"""
Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
"""
So this doesn't apply to places like slashdot and facebook. Only places that should be securing your data in the first place.
Sounds awesome to me. This should have been made law in every state/country a long time ago. Now if they would just make it law that all companies must provide an easy and thorough means for any individual to expunge their details from company records (I'm looking at you Facebook) then I might finally be able to stop that little bit of throwing up in my throat I get every time a company asks for my email address.
Time for ROT13! "It was encrypted..." /didn't RTFA
Storing the name of a customer in SQL Server without the data being encrypted? No way, Jose
Summary and article fail.
Sorry to disappoint all the SQL consultants out there, but the law (as passed) says NOTHING about requiring encryption of data at rest.
Earlier versions of the bill had the requirement for at-rest encryption, but that was lobbied out.
The only time it mentions encryption is for data in-flight over public networks, wireless access, and laptops/"other portable devices".
Everything else states "reasonable security precautions" (aka: access control/passwords).
But don't take my word for it, read it yourself. (It's only 4 pages.)
(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
[...]
(5) Encryption of all personal information stored on laptops or other portable devices;
- Mass CMR1700 (the only occurrences of the word "encrypt")
What constitutes a 'business'? And how does this affect companies that might be using any one of the myriad of forums or blogging software in addition to their core "enterprise" software? Pretty much every blog or forum software out there keeps PII in plaintext format, and they're in use by many large companies.
From the article:
"Covered businesses range from neighborhood dry cleaners to Fortune 100 companies, but the law stipulates that the program be appropriate to the size and resources of the business."
So, they really do mean pretty much all businesses - anyone conducting any business online, it seems. Should I start turning in every business that doesn't SSL encrypt their 'contact us' forms? After all, someone from MA might use that form.
Politicians should stay the fuck away from shit they don't understand!
Which I guess in practice means they should stay the fuck away from pretty much everything.
Putting the DB on an encrypted volume is doable. HTTPS is a minor PITA.
Or filter out all internet traffic from Massachusetts, which is what they deserve for passing stupid data protection laws.
The only data protection law should be: you cause distress to a user by losing or selling his data, or by changing EULAs, you pay all present damage, potential damage and a fee, or close your doors the day after a complaint was filed.
Then let businesses sort out if the data they process needs encryption and at what level. If one player plays an online game with his friggin' name, should I encrypt traffic... watch his ping soar.... BS
It's scarier to contemplate that such information is so often exposed as a matter of routine carelessness.
On the other hand, it's not clear what to do about the classic perimeter problem. Sooner or later, somewhere, the encrypted data has to be processed or presented in plaintext. The key and the data have to be brought together. Now we've converted the problem of securing the data to the problem of securing the key - probably many keys in practice - and the systems on which those keys reside - probably many systems.
I think the /. article sub-header "some-serious-micromanagement dept" is incorrect. "Micromanagement" would be to specify a particular technical approach. The law (220 kB PDF) doesn't even mention HTTPS. So, I think the legislation's level of detail is appropriate: "just do it." The author of the FA seems to think this'll sell a lot of SQL Server upgrades, and if SQL Server is what someone is running to persist data, I suppose so.
Wouldn't it be rather pointless to encrypt any of the data that's kept in a database when said data is meant to be available to the software that's accessing that data? The software has to get the decryption key from somewhere, and without the use of special hardware any key that's available to your software would also be available to any hackers who know where the key is kept. Worse yet, it would rule out any software that doesn't incorporate such security, most likely ruling out open source databases.
Good plan....except when the state or local governments fail to do it.....then what? Going to fine themselves?
It's a good idea in theory...except....enforcing it might be hard.
Look at California's hands-free cell phone law. I can count, daily, two-digit numbers of people who are not following it....and where is the enforcement???
It's either on the beat or off the beat, it's that easy.
So you can't even send them an email, huh? Harsh!
This will ultimately probably only end up affecting Mass businesses or people with presence in Mass directly. Otherwise this kind of requirement has the potential to impact interstate commerce, which states expressly do not have the authority to legislate.
I'm all for requirements to protect data, however it is usually not a good idea to legislate how to accomplish that. When that happens then the industry's ability to innovate is legislated away.
Does rot26 count as encryption?
Any specifics for encryption key storage? How bout another column in the DB? That seems a likely implementation, very convenient and all that. Or we could just hardcode it to something memorable "password".
Any specifics for encryption scheme? I've heard ROT-13 is fast, but XOR is faster.
So, if a Mass. resident sends me (or my business) an email, what does that mean?
The message will generally contain the sender's name and email address. It is sent in the clear over SMTP, and will generally be stored as plain text on the server as either flat files or perhaps some database until the message is picked up via IMAP, POP or some proprietary protocol. It is then likely to be stored, indefinitely, in plain text on the client machine.
It looks to me like someone did not think this through. (Unfortunately it is not news when a government regulates technology w/o understanding it.)
Even if you're using IPSec?
I am not wild about regs, but the problem is that companies really do not care. Worse, when they have real issues in which they lose your data, they do NOTHING about it. Take the example of Toyota. They would have had a recall that cost them 100 million had they done it correctly the first time. Did they recall? Nope. But what was the Fed's response? 16 million. Just like MS, Toyota, Chinese companies, and all the rest of these companies taking shortcuts PROVE that CRIME DOES PAY. Hopefully, Mass. hits one company hard in the next year and then all companies will change their tunes. Until then, we will see loads of horrible systems.
I've been able to read cleartext SSNs out of colleges for the past 30 years without ANY authorization, so all I can say is that this is better late than never.
The only refinement I can think of that would improve it is that any MIS/IT/CIO Director who authorizes any form of non-encrypted storage of this type of information should also have to pay a personal fine of $500 per record.
Funny how when its your own money that's on the line your perspective changes.
Where I last worked, we routinely dealt with issues like this as well (legal field - chain of evidence and all). It's high time that the computer industry took security concerns as a serious matter. And, no, they really don't. I have a friend who worked in the field doing security for major Fortune 500 companies, and the state of the security was a complete joke. And the threats are a dozen times worse than the public imagines. Yet they do nothing until there's a problem.
Well, hitting them in their pocketbook? That's effective 100% of the time in getting their attention.
Attached file: [1000_Mass-_Citizens_names.txt]
Bah, wasn't that easy. So let's just close Facebook, whose fine should be enough to pay the USA's debt.
Don't know if it's better or worse, or whether I like it or not, but in any case, it means more work for techies. Lots of databases, middleware, disk systems, etc. to upgrade to comply with the new laws. In fact there's likely to be a whole category of security and law compliance consulting...
As one of the law's requirements, computers must include:
"(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis."
Do Linux systems generally include antivirus and antimalware software?
I'm glad to hear that at least one state is starting to implement a reasonable law. Between corporations too cheap to pay for systems that implement even a hint of real security, and perhaps a few lazy developers, we have a mess on our hands. I don't really understand the "yikes" exclamations in TFA. At least now there are some consequences for being so sloppy with your and my data.
My approach to coding web apps is that we are playing theater in the round -- playing to at least three audiences at once. In any pool of users, you have Group-1) probably 98% of users in various states of computer illiteracy, for whom you need a very well thought-out UI that gets them through the app with no errors (and good recovery *when* they make errors); you have Group-2) 2% of users that have a clue and want things really streamlined; and you have Group-3) a half-dozen bunches of malicious crackers.
All three groups are always present, and you cannot ignore any of them. Ignore Group-1, and you'll pretty much have no audience. Ignore Group-2, and you drive off the 'experts' to whom much of Group-1 looks for advice, and you'll consequently lose not only Group-2 but also a lot of Group-1. Ignore Group-3 and you'll get cracked and mess up a lot of people's lives by losing their data, and/or you'll get embarrassed.
Unfortunately, too many buyers and devs of software ignore Group-3 because of costs, and the "it'll never happen to us" attitude. They need this kind of stick to nudge them towards doing the right thing.
I come from a very libertarian perspective, and I hate excess regulation, but I'm smart enough to know that the magic Market alone does not fix everything; it needs some smart regulation to prevent excesses or omissions, and this appears to be an example of such good regulation (presuming that they haven't screwed up the details).
I just read the text of the law (IANAL) and it doesn't seem that this law is restricted to network transmissions and data storage - in fact it explicitly mentions paper records. How would one even go about encrypting paper? I'd think it would even affect newspapers which listed a reporter's name, or the name of somebody in the news. What if that newspaper was just left on a bench somewhere? Data breach.
I guess this commercial would be illegal... http://tinyurl.com/2g45bn3
I wonder what the fine will be for losing a cellphone with 300 phone numbers of your friends and family in MA.
Incorrect. The author either did not do any research at all, or got the definition of PII horribly wrong as far as this law is concerned. The directive that sets the standard based on the law states:
It is abundantly clear that a person's first and last name alone does not constitute PII; an SSN, financial account number or some other not-so-public information is also required.
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
Well, even if the key is just coded into your application, it still means they have to decompile it (C#, C++, C), or just parse it (PHP, Python (non-frozen)). If you kept the key inside an innocuously named file inside your application's structure, with unclear variable names, that would still be a big jump in security.
Why would it rule out open source databases? As long as you do the encryption inside your application, even sqlite is plenty secure.
It's a little irritating to read all the comments about how this is really easy, standard industry practice, etc. Please give me a fucking break.
Suppose you're running a church newsletter. You're not computer-literate. You want to send a newsletter. You write out the names of church members and their mailing addresses on a sheet of paper, and accidentally leave it at the copy shop. This is legal.
Now, you do the same thing on a computer that you keep locked in your church. You use it to print out labels, you put the labels on envelopes, and you put the envelopes in the mail. Is it really reasonable that you've broken the law here? Most of this information is available in public databases anyway. You don't know "encryption" from your asshole. Your computer runs Windows 98, and there's no network.
To my mind, if "creating a list on paper" is legal, "creating a list in a computer" should be too. If you want to hit loss or misuse of personal information, write a law that does that. Penalize a lack of security, don't legislate what security is, because every situation is not the same.
Text of the law http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
FAQ: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf
Compliance checklist http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf
They also require you to run antivirus software
How about if you answer "I run BSD/VMS/linux, you ignorant clod"?
That's a mistake. The built-in Windows Encrypting File System (EFS) is safe only if you are connected with a domain. Anyone using a workstation not connected with a domain will lose ALL encrypted data if Windows is re-installed on the workstation. Having a backup of the keys is not enough.
EFS is just one example of deep flaws in software from Microsoft that don't get much publicity, in my opinion.
Well you would have the administrator manually mount the encrypted db after a reboot and type the passphrase at that time, not hardcode it in the app. It doesn't help when someone cracks the running system. It does help when they steal the server or the database files. You pretty much get the same benefits as full drive encryption.
Encryption in transit is great. Encryption of backup tapes is great. Encryption of end-user systems which store the data is great.
But encryption of live servers and databases is a farce. Encryption without key management is itself a farce, and servers that require keys to operate necessarily lack key management. Furthermore, server encryption is absurd because it can only protect against physical theft of the servers, not against hacking.
The only case in which server encryption would do a bit of good is if the datacenter has no physical security, and every time a system boots, someone has to walk over to it and type a 20+ character random password.
Yes, I work in IT security. Yes, I think encryption is great, but NOT ON SERVERS.
From the law, personal information is defined as:
Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
So just a first+last name isn't enough to incur the wrath of the law. It has to be that, plus SSN, Lic Number, or financial account number.
But from how I read that, it has to be the first name, last name, plus one of those. Does that mean I can store a list of Social Security numbers plus last names completely unencrypted and be off free? Odd.
See this comment from 2005: EFS & stand-alone computers? Can you make it work?
TrueCrypt is reliable, reputable, fast, free, open source, and works on Windows, Mac OS X, and Linux. The TrueCrypt documentation is very good, but not perfect. TrueCrypt can make an encrypted drive letter or encrypt an entire partition, even the boot partition.
Only open source encryption should be accepted, since the U.S. government has decided it can force executives of corporations to work in secret to help gather data from or about users. If software is not open source, there may be hidden methods of decryption.
This will ultimately probably only end up affect Mass businesses or people with presence in Mass directly. Otherwise this kind of requirement has the potential to impact interstate commerce which states expressly do not have the authority to legislate.
Nope, this is only affecting in-state commerce with Massachusetts residents. And the states are absolutely allowed to pass laws that affect out-of-state businesses when they do business in the state. The only constitutional prohibitions on that are when the law is protectionist - imposes additional cost on out-of-state businesses that in-state business don't have to pay. Here, because the law applies equally to in-staters and out-of-staters, it isn't protectionist and isn't unconstitutional.
The FAQ for the law: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf
Please note, this FAQ contains personally identifiable information - first and last names, job titles, address of employment, phone and fax number, of Governor Deval L. Patrick, Lieutenant Governor Timothy P. Murray, Secretary of Housing and Economic Development Gregory Bialecki, and Undersecretary Barbara Anthony. It was obtained by http - NOT https, as required by the law.
The only reason THEY can get away with it is because ... guess what ... government agencies are excluded. "Do as I say, not as I do."
Cripes, dude. You link to the full text of the law, but apparently never read past the URL.
First, that is NOT personally identifiable information. As has been said in many posts, and as is listed in your links:
[Definition of] Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
(a) Social Security number;
(b) driver's license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account;
See? You found names, job titles, addresses, and phone numbers, but no personal information listed in the law.
Second, what's the very next farking sentence in the definition?
provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
See that? Government agencies are not excluded from the law... rather, information lawfully obtained from government agencies are not personal information, which means that people who use it - like you - are not violating the law.
The shocking part is the amount of effort you went to to find the text, the FAQ, and the compliance checklist, plus creating two Slashdot posts about it, and yet you never actually read any of it.
Yes, this really *IS* Microsoft FUD. Note how they fail to mention that it's social security, credit card info, etc that has to be encrypted, not their NAME or address for example. Also note how at the end of TFA they suggest you follow a link for your indoctrination on the encryption features of SQL Server 2008.
Once you realize that it's just the usual credit card and banking related info that must be handled securely, you realize that the law is quite reasonable (though perhaps unenforceable outside of MA).
I'd like to see Mass. set up a website to assist small business owners to comply with this law. I'm not talking about tech support, but maybe a basic guide?
Does Mass. suppose that the entire nation or the entire world must comply with such a law? Or does this only apply to those who store data inside Mass.?
Further, do the rights of people within Mass. not equal the rights of people who live outside of Mass.? Or will this devolve into the old dry county types of laws in which a commercial airliner must be wary of whether a county underneath them allows serving of drinks even though they are flying at 600 mph.?
I work for a big company with a lot of retail locations in Massachusetts. We've been aware of this for months and months.
Our only concern is the employee data - we don't keep any sensitive data about our customers, including credit card number. Our customers are essentially anonymous (retail locations, right?)
Our corporate legal department was unable to provide information on the fine, so I'm curious where the $5,000 per figure came from.
On a legacy system, encrypting anything can be very hard and require quite a lot of development (and therefore cost.) Not everyone uses SQL Server (or SQL at all.) Some of us have the joy of C-ISAM or even dBase tables on quirky operating systems.
Are you sure a government came up with it?
You know, all of the use cases you describe can be supported by ticking the 'encrypt' checkbox that Windows NT has had since version 4, or by storing commercial data on an encrypted partition, which pretty much all modern(ish) operating systems support. It's really not hard, and is probably the minimum that a small business should be doing anyway.
Sorry. You don't want to do that, for the reasons others have mentioned on this thread.
And not all of us are using NT out here. Beside, I think it's silly to be using Windows anything for e-commerce, but that's just my hard-nosed opinion.
Encrypting the file system does not protect you if your system is cracked, as was already mentioned. But it will also kill performance. If you want your customers to have a s-l-o-w experience, or if you want to spend more money on hardware, go for it. It just doesn't buy you much of anything in the way of security.
Not that it is prudent to encrypt on the server at that level, anyway, for performance and false sense of security reasons.
The law is only re in-transit data. Encrypting other data might or might not make sense. Encryption is a form of access control and can be very expensive in performance. (Imagine what happens to a database keyed on name or some other field that you get told to encrypt. Now try to count the number of under-the-table decryptions needed to do normal things to the data.)
The main failing is the definition. What should be protected (via some method that works) is what is used for authentication, not what is used for identification. The two are different. If people stopped using SSN for authentication of anyone, but it functioned only as a name does, and was not believed to indicate anything along the lines of proving you are the person who has the number assigned, it would be pretty insensitive (like your phone number). The SSN might be published in a directory like phone numbers even, so people might use it to disambiguate themselves from others with the same name. The practice of using it to prove you are someone is what causes the trouble. (Ditto with financial account numbers and the like; they should not be used to authenticate anyone either.)
The definitions they have should have understood that distinction and acted to mandate protection of authenticating data, not identification data. But no, neither Mass nor other states appear to understand it, so we get a law that mandates things about the state of (mal)practice in authentication at the moment. Should the practice become sane, it will take separate action for such rules to catch up, regardless of the danger or lack thereof.
Aside from that, mandating encryption without discussing keying is hot air and delusion. If I encrypt with a Caesar cipher with a key value of 13, I have strictly speaking encrypted the data. Not much of a secret, is it? (This is the famous rot13 operation for those who don't know the history.) Yet it is a cipher, needs a key to decrypt (the value of the key is 13 in this case). If I turn letters into numbers in some way, that arguably is a code also. If so, how about a code where I use 65 for A, 66 for B, 67 for C and so on...? (This for the novice is the way ASCII does it.) Could be that only pictures of the words might fall afoul of the law unless there are further definitions that might specify it further.
Even such are likely to be technology specific and will become quickly obsolete.
It seems to me that we'll run out of IPv4 space VERY quickly if every website that collects PII is required to become encrypted with SSL. Option B: use an expensive multi-domain SSL. The CAs must be frothing at the mouth because of this new law. I think the lawmakers of MA just gave me a really good excuse to raise my hosting rates.
I just suppose that the article summarizes the law correctly, I am too lazy to actually read it, since it won't affect me anyways. But from a technical point of view, what is encryption? Would it be sufficient to XOR each byte with a constant?
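For the "is rot13 or XOR-with-a-constant encryption?" question and the keying point raised a few comments earlier (a key typed by an operator at startup rather than stored beside the data), here is an added example, not code from any poster, of what a minimal field-level scheme for a data element such as an SSN looks like: AES-256-GCM with a random nonce, the key held only in memory, and the row ID bound in as authenticated data so a ciphertext moved to another row fails to decrypt. The `Keyring` and `Record` names and the `cust-1001` sample ID are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Record is one row as the application sees it. The name is left readable
// (it is identification, and the table still has to be searchable); the
// SSN, the "data element" the regulation actually cares about, is stored
// only as ciphertext.
type Record struct {
	ID        string
	FirstName string
	LastName  string
	SSNCipher string // base64(nonce || AES-GCM ciphertext+tag)
}

// Keyring holds the data-encryption key in memory only. In a real
// deployment the key is supplied at service start (operator passphrase,
// KMS, HSM); it never lives in the database or the source tree.
type Keyring struct{ aead cipher.AEAD }

// NewKeyring wraps a 32-byte key in an AES-256-GCM AEAD.
func NewKeyring(key []byte) (*Keyring, error) {
	if len(key) != 32 {
		return nil, errors.New("need a 32-byte AES-256 key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Keyring{aead: aead}, nil
}

// Seal encrypts one field. The record ID goes in as additional
// authenticated data, so a ciphertext copied into another row is rejected
// on decrypt instead of silently yielding someone else's SSN. A fresh
// random nonce per call means equal SSNs do not produce equal ciphertexts
// (unlike rot13 or a constant XOR, where they always would).
func (k *Keyring) Seal(recordID, plaintext string) (string, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := k.aead.Seal(nil, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Open reverses Seal. Any error means wrong key, wrong row, or tampering;
// the caller must treat all three the same and not leak which.
func (k *Keyring) Open(recordID, sealed string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return "", err
	}
	ns := k.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := k.aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key; a real service receives it at startup.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	kr, _ := NewKeyring(key)
	rec := Record{ID: "cust-1001", FirstName: "Jane", LastName: "Doe"}
	rec.SSNCipher, _ = kr.Seal(rec.ID, "000-00-0000") // constructed SSN
	fmt.Println("stored:", rec.SSNCipher)
	pt, _ := kr.Open(rec.ID, rec.SSNCipher)
	fmt.Println("opened for", rec.ID+":", pt)
	_, err := kr.Open("cust-2002", rec.SSNCipher) // same blob, other row
	fmt.Println("row swap rejected:", err != nil)
}
```

This still leaves the point made elsewhere in the thread standing: once the process holds the key, a compromise of the running server reads the data anyway; the scheme defends stolen disks, backups and database dumps, not a live intrusion.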
So if you ask a Mass resident to fill out any web form that includes the first and last name then it needs to be encrypted.
What about email addresses? they are unique identifiers.
What about WHOIS entries?
Rosters of club members or lists of email list subscribers?
All Social Media sites?
Like this?
Your post advocates a
( ) technical (x) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
(x) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(x) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Please note, this FAQ contains personally identifiable information - first and last names, job titles, address of employment, phone and fax number, of Governor Deval L. Patrick, Lieutenant Governor Timothy P. Murray, Secretary of Housing and Economic Development Gregory Bialecki, and Undersecretary Barbara Anthony. It was obtained by http - NOT https, as required by the law.
Spoken like someone who didn't actually read the law or the countless posts on about the article.
What the law ACTUALLY covers:
Personal information, a Massachusetts resident's first name and last name or first initial and
last name in combination with any one or more of the following data elements that relate to
such resident. (a) Social Security number; (b) driver's license number or state-issued
identification card number; or (c) financial account number, or credit or debit card number,
with or without any required security code, access code, personal identification number or
password, that would permit access to a resident’s financial account; provided, however, that
“Personal information” shall not include information that is lawfully obtained from publicly
available information, or from federal, state or local government records lawfully made
available to the general public.
The law allows for displaying someone's name, address, address of employment, and job title. The only time you start to violate the law is when you slap one of those three OTHER things onto a name. Good. If you are dealing with my credit card number, you better damn well have it encrypted.
Example: "Have you stored your records and data containing PI in locked facilities, storage areas or containers?" - better not have a hardcopy of any records in an unlocked drawer, or take them home to work on.
Yes, that is true. You are an asshole if you walk home with a list of customer names and credit cards in plain text. If there is something you need to do that involves credit card and SS numbers, you are actually going to have to act responsible for them and secure them. Yes, that might mean you can't actually walk home with a brief case full of credit card numbers. Boo-fucking-ho.
"Have you identified the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices, that contain personal information?" - so much for using your smartphone for email and phone calls since you have an unencrypted phone book sitting in there (or even if it's encrypted, it can be accessed at will without having to enter a password each time - and a 4-digit "unlock" is not considered an effective password under the law ... so sux 2 b u.
Unless you are adding SS numbers and credit card numbers to your smart phone's phone book, you are not violating the law. Again, actually read the law. It is reasonable. If you are dealing with sensitive information (SS number, state/federal IDs, financial data), you actually need to make at least a half-assed attempt to be responsible for it.
I know some sites online will ask for the SSNO on a job application, but I never supply it. If they want it, they have to HIRE me first!!!!!
Read the rest of the law - they mandate up-to-date antivirus software on every such system. Good luck telling them you don't need Symantec on VMS, AIX, BSD, etc.
What constitutes a "Financial account number" is VERY broad. Do you have a paid subscription to slashdot? Then that account info is included. Did you make a donation to groklaw? Ditto. Also, names you commonly go by in public count - so that would include nyms. It's a dumb law. Better to legislate the desired outcome, not the method of achieving it. In other words - "data breaches will cost you $X per event." Not "if you take these half-assed steps, you won't be liable."
So tell us, how is replacing all those servers with Windows crap + antivirus going to make things more secure?
The word "reasonable" is used about 1000 times throughout the 4 page document. Your guess is as good as mine as to what that means. The PCI standard, for all its flaws (hashing a credit card number is always stupid regardless of the strength of the hashing algorithm used), is at least somewhat coherent.
I encrypted it by base 64 encrypting the first name, rot 13 encrypting of the last name and AES with a static key hidden in software encryption for credit card and SSN. Is this "reasonable"?
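The schemes this thread calls "encryption" (Caesar/rot13, ASCII ordinals, base64, XOR with one constant byte), implemented side by side as an added example that is not from any poster, with a check of what a reader of the stored table recovers without being told any secret. All record values are constructed; the AES-with-a-static-key variant is left out because it needs a third-party library.

```python
"""Added example (not from the thread): the schemes the posters call
"encryption" (rot13, ASCII ordinals, base64, XOR with one constant byte),
plus a check of what a reader of the stored table can recover without
being told any secret.  All record values below are constructed."""
import base64
import codecs
from typing import List, Optional


def rot13(text: str) -> str:
    # Caesar shift by 13. The "key" is fixed, so applying it twice decrypts.
    return codecs.encode(text, "rot_13")


def ascii_codes(text: str) -> str:
    # The "code" from the thread: A -> 65, B -> 66, ... (plain ASCII ordinals).
    return " ".join(str(ord(c)) for c in text)


def ascii_decode(codes: str) -> str:
    return "".join(chr(int(n)) for n in codes.split())


def b64(text: str) -> str:
    # base64 is an encoding: there is no key at all.
    return base64.b64encode(text.encode()).decode()


def xor_constant(data: bytes, key: int) -> bytes:
    # XOR every byte with the same constant; the same call decrypts.
    return bytes(b ^ key for b in data)


def keyless_recovery(scheme: str, stored: str) -> Optional[str]:
    """Recover the plaintext of a stored field knowing only which scheme
    was used. Returns None if the scheme cannot be undone without a key."""
    if scheme == "rot13":
        return rot13(stored)            # rot13 is its own inverse
    if scheme == "ascii":
        return ascii_decode(stored)
    if scheme == "base64":
        return base64.b64decode(stored).decode()
    return None                         # e.g. XOR: a constant is needed


def recover_xor_constant(known_plain: bytes, stored: bytes) -> int:
    """XOR with one constant leaks that constant from a single known byte:
    key = plaintext ^ ciphertext. The guess is verified on the whole field."""
    key = known_plain[0] ^ stored[0]
    if xor_constant(stored, key) != known_plain:
        raise ValueError("field is not a single-constant XOR")
    return key


def recover_table(stored_ssns: List[bytes], own_index: int,
                  own_ssn: bytes) -> List[str]:
    """A reader of the dump who knows one record (their own SSN, say)
    recovers every SSN, because the whole column shares the constant."""
    key = recover_xor_constant(own_ssn, stored_ssns[own_index])
    return [xor_constant(s, key).decode() for s in stored_ssns]


def demo() -> List[str]:
    # Constructed table "encrypted" the way the post above describes:
    # base64 first name, rot13 last name, XOR-with-constant SSN.
    ssns = [b"123-45-6789", b"987-65-4321"]
    first = b64("Jane")
    last = rot13("Doe")
    stored = [xor_constant(s, 0x5A) for s in ssns]
    assert keyless_recovery("base64", first) == "Jane"
    assert keyless_recovery("rot13", last) == "Doe"
    # The second customer knows only their own SSN, yet recovers the first's.
    return recover_table(stored, 1, ssns[1])


if __name__ == "__main__":
    print(demo())  # ['123-45-6789', '987-65-4321']
```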
Non-stop blabbering about encrypting data on the wire but no mention whatsoever about trust and key management. Would I be in compliance if I choose to use anonymous DH cipher or an SSH leap-of-faith style system? The data is encrypted for what good that does me when a determined attacker is using an Active-MITM.
"a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;"
Security is only as good as its weakest link. Finger print readers have piss poor entropy and offer much less security than a "reasonable" password, so which is it?
"For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information."
"Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis."
Malware, virus scanners, personal firewalls do what exactly to prevent something that should not have been possible in the first place from occurring? These systems are incapable of providing security guarantees and have a history of themselves being subject to attack and reduced systems availability, adding more branches to the threat tree of what should otherwise be secure systems.
Laws that go out of their way to define a requirement without prescription of a solution are usually the smart responsible avenue to take in these cases... From my read this law does not even vaguely define an adversary with respect to what constitutes reasonable.
When I want to send someone money... I write them a check containing my bank's routing number, my bank account number, my name and address. At the end of the day the world's transaction systems need to work more like paypal where funds are given rather than taken. CC and check transactions are fundamentally flawed. No amount of legislation is ever going to change that. This is not to imply we shouldn't try. We need industry standards (PCI) not ad hoc state based idiosyncrasies which have no teeth outside of that state or country.
If I were gay and married, living in Massachusetts, I would want that info encrypted too..
So, is it possible to reliably black list someone from a specific state from your server without knowing at least some "personally identifiable information" about a user prior to their initial connection attempt? If nothing else, you probably know enough about that connection attempt to identify where it was made from if you could reliably block it by location, just from the activity logs, right?
So are you screwed even if you specifically choose not to do business with the state over this?
I just read the law. It defines personal information as: ...a Massachusetts resident's first name and last name or first initial and last name IN COMBINATION WITH any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number...
[capitalization mine, for emphasis.]
IOW, a customer database is fine: it doesn't have to be encrypted, unless you also store the customers' Social Security numbers, driver's license numbers, or credit card data. Without any of that stuff, you're just storing data you could have obtained from scanning a phone book.
I'm sorry, but I strongly disagree with your position on almost every count.
Firstly, your point about different territories with different rules is fundamentally flawed. Many places — all of Europe, for example — already have stronger data protection laws than most of the US. This causes no earth-shattering problem with compliance. Large companies keep the data they can't legally export within their European offices. Smaller companies just outsource things like payment collection to services that guarantee any personal data will be processed securely and not transferred outside of EU borders. They were going to outsource it anyway, so the only people who lose out are services that want to handle sensitive information but can't make the same guarantees as others about security, whose flawed business model just became obsolete.
Secondly, I think you (and several other DB admins and such in this Slashdot discussion) are far, far too casual about this subject. In my country, we have had a string of mismanagement or outright leaks of sensitive personal data in recent months. The number of people who have wound up losing money or suffering long-term hassle just to set their records straight is absurd, and rising every day. A $5,000 fine per leak is nothing compared to the hassle and indirect costs of someone suffering identity theft, even if they get everything put right in the end and recover their direct losses. To one side, it's several months of hell to get your identity back. To the other, it's a mere business expense, a footnote on page 172 of the annual financial statement.
In my not so humble opinion, both business and governments need to learn this lesson, and I have absolutely nothing against sending a business to the wall if it collects personal information but fails to secure it properly. We have allowed more-or-less unrestricted collection of personal data for a few years, easily long enough for the industry to get its act together. The result has just been organisations hoarding personal information about people for reasons that are entirely self-serving, pretty much all of whom could just die and make the world a better place anyway, and the string of screw-ups I mentioned before from many organisations that do have a legitimate reason to hold that sort of data.
It is time for organisations that think this is OK to be taught otherwise, and frankly these fines are on the light side. I would have preferred an additional statutory duty of care with unlimited liability to cover the cost of putting right any damage done to an individual following a leak. Go ahead and reevaluate your security protocols and whether it is really impossible to do these things or just inconvenient/expensive, when the other side of the inequality you're testing looks like an 8 on its side instead of a $10 per person class action settlement.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Yes, I believe TrueCrypt is the best encryption software. TrueCrypt meets all the requirements, including avoiding vendor lock-in.
Possibly EFS was fixed in Windows 7. Before that, part of the encryption key was the Windows user password and a key generated specifically for that installation of Windows.
For a discussion of the issues, read page 5 of this PDF file from Elcomsoft, which I just found: Advantages and disadvantages of EFS.
Elcomsoft is a famous Russian company. Quote from Wikipedia: "On July 16, 2001, Dmitry Sklyarov, a Russian citizen employed by ElcomSoft who was at the time visiting the United States for DEF CON, was arrested and jailed for allegedly violating the United States DMCA law by writing ElcomSoft's Advanced eBook Processor software. A landmark court case ensued, setting precedents and attracting much public attention and protest. On December 17, 2002, ElcomSoft was found not guilty of all four charges under the DMCA."
The problems with EFS were acknowledged by Microsoft employees. People have discussed losing data on Microsoft professional discussion boards. Elcomsoft sells software designed to recover data lost because of the poor design of EFS.
Dude, you’re handling our personal information! You keep it safe, or I’m gonna rip your ass open at the next election! (Or sooner.)
The only stuff that should be open, should be anonymized data, and what the government is actually doing and information about what data they have.
"I do not remember precisely, but I think that password (user's, not generated) in particular is also used as part of the decryption key."
Yes, that's right. Parts of the encryption key were the keys made by the user, the user's Windows password, and another key associated with the user's particular installation of Windows.
If the computer was associated with a domain, then the key was recoverable if there was a hard drive failure, because the entire encryption key, containing all three parts, was stored on the server.
If the computer was not associated with a domain, and there was a hard drive failure, the data was lost. There was discussion on Microsoft support forums about the cruelty of the situation. None of the Microsoft documentation indicated the limitations, and users often lost their hard work.
Eventually companies like Elcomsoft began selling software that would break the encryption.
Funny, the last white pages that was dropped off on my Mass front stoop wasn't encrypted. That had, I don't know, millions?, at least hundreds of thousands of Mass First Name, Last Name, Address, and phone number records. Will someone fine them $5k a record so I can stop getting this useless use of paper!
This is how it should always work.
My personal information is worth much more to me personally than $5,000. It is an extremely reasonable penalty. Especially considering there are many open-source 100% free encryption methods available. In this day and age, we all have more computing power than we need. Our computing experience has gone from functional to flashy. There is no excuse not to be encrypting absolutely EVERYTHING.
The only case in which server encryption would do a bit of good is if the datacenter has no physical security, and every time a system boots, someone has to walk over to it and type a 20+ character random password.
So you're saying that no data is important enough to encrypt such that if a server fails and reboots, somebody has to spend time entering a password back into its console? Even at a 24 x 7 staffed facility? Even with on-call people no more than an hour away?
I know of servers with 1700+ day up times. I've run networking equipment that has 1200+ day up times. I expect, at a minimum, highly available systems carrying sensitive data should have up times of at least six months, meaning no more than one password entry every six months.
I hardly think the inconvenience of having to type in a password upon boot justifies not encrypting important and sensitive information.
Yes, I work in IT security.
It concerns me that you do. You seem too willing to give up security for convenience.
eihab seems to have it right.
IANAL, either, but I did read the whole law and there is no broad encryption mandate as the SQL Mag author claimed.
The encryption-related sections of the law that I can find (17.04 (3) & (5)) actually mandate:
In other words, if you send data over public networks, or wirelessly, or store it on laptops, you should encrypt it. Excuse me for not getting excited about this.
Law: 201 CMR 17.00 reg
FAQ: 201 CMR 17 faqs
The whole thing seems pretty sensible overall.
I'm pretty sure that "another key associated with installation" is precisely what gets backed up when you back up certificates. So all you need is to have a user account with identical name and password on another machine. You can't use those backed-up certificates with a different user account.
I don't get it.
Won't the spammers just adopt sigs?
and realise that to easily comply with this law, you encrypt the filesystem underneath the database, not the data in the database itself.
Then again, anybody who declares themselves to be a guru at something probably is suffering from the Dunning–Kruger effect.
Why is everyone talking about bitlocker and EFS as a solution? It seems that only protects you should your hardware find its way out of your control.. but if you're running an SQL on top of that and someone can get a plain-text dump of all your data you'd still be screwed in full accordance with the law right? There would have to be encryption in the database with a key pair on the web applications (.net, php etc) in order to execute searches etc. Question... what about call detail records generated by phone companies? Many of these are on aging DMS100's and 5ESS switches that are not encryption capable. Would they also be required to encrypt CDR data if the callerid name is also stored in their call records?
I have a question.
What is http://hackerkey.com/ and why can't I get to it?
Sorry, 'www.hackerkey.com' does not exist or is not available.
Yes, a completely reasonable law, that just outlawed facebook. :) sounds like progress to me!
Open source databases can encrypt data (or, alternatively, store their data on devices encrypted at a lower level.)
They've outlawed facebook. Great! Awesome! Wonderful! Where do I make campaign contributions?
If you let your users use an alias like any civil website, you're completely immune. Look, you have no business knowing your users real names, except for financial transactions, and that's definitely worth the encryption.
Facebook's real name policy is a massive threat to the delicate balance between connectivity and human dignity. I hope MA courts seize all facebook's assets and throw the executives in jail.
p.s. I'm aware you might have concerns about say the IRS processing tax returns, well actually the IRS isn't subject to MA laws, and trial would amuse us.
So I know California is famous for this, and with the internet reaching out as it does, even wee Massachusetts can get in on the act. If you're going to impose a law like this that will make requirements of entities not in your state, possibly not even "doing business" in your state, aren't you going to get struck down in the Supreme Court, with this sort of interstate commerce issue being one of those powers actually given to the federal government in the Constitution (as opposed to the many they just sort of usurp as a matter of course)?
I'm just asking, I might be missing something here.
Wouldn't this bleed over into email as well?
> Why would it rule out open source databases?
Postgresql and Mysql both support encryption. However, you can bet the Oracle and Microsoft salesmen are already spreading FUD to the effect that the state will view the use of Free Software as evidence that you don't take security seriously.
I can only say that harddrives are not tracked well enough that not relying on encryption for sensitive data is idiotic.
Clearly doesn't understand the REGULATION (vs. the law) and clearly doesn't understand the content nor requirements of the regulation. MGL is very different from CMR. Seems to be another blind M$ admin with a blog.
Er, it makes things harder.
You lock the door to your residence, right? Even though any fool can break a window.
Think of this as something similar. If a database is encrypted, the backup tapes and any old drives from the DB server that are routinely discarded will not be useful for stealing data from.
No need to melt or physically destroy it.
Why is this a "Yikes!" thing? Having your data around NOT encrypted is more something that would make me say "Yikes!". HTTPS is standard and easy to use. I would be most worried that vendors start shipping "encryption" options that aren't strong at all, and everyone simply uses them, which won't result in much more security. Even then it would be better than now I suppose.
MA is trying to protect its citizens and their rights. All States probably have requirements TO DO this exact thing (make laws that protect its citizens). If they are not required to act upon obvious 'wrongs' to its citizens (failure of PII gatherers to protect that information from being used\misused in ways not authorized by the owners [the citizens]), who is the citizen to turn to for protection? This subject should be a 'common sense' thing but just isn't, MOSTLY because of financial reasons (which happens a lot in business). This law is requiring thoughtful consideration of everything about 'information technology', including the consequences of not thinking about it all, and pulling organizations away from just thinking about ROI and 'ease of use'. Most gatherers of PII admit that the owners of that PII are entitled to protections against unauthorized\misuse of their PII, but for financial reasons the gatherers argue that requiring them to be the protectors is just not fair to them. This idea that MA is going towards cannot be considered a bad thing, so what is all this other argument about?
Interesting. I'm not disagreeing with you, though based on the definitions I'm familiar with it would seem to violate the interstate commerce rules. Definitely intrastate would apply, but interstate gets interesting.
However if I am in California and someone from Mass comes to my online service and buys from me, I do not have a presence in Mass. Likewise if I were a mail order business. I am not familiar with any precedents that define businesses in different states as having a presence in other states simply because they have a web site that *might* be visited by someone in another state. Of course, I've not been following it as close as I probably should, and IANA, so it's quite likely I missed that when (if) it happened.
Can you point to those? I'd like to get caught up.
Otherwise, it would seem problematic for a business on one side of the country having to follow business rules on the other side of the country. Take the internet out of the equation. A brick and mortar business in California (say a used book store) has a telephone. Someone in Mass. calls that book store and asks if they have a specific book. They do, a transaction is made over the telephone and the book sent to the purchaser. Based on the theory you put forth, this brick and mortar store in California would now have to jump through the special regulatory and financial hoops being passed in Mass. If other states do the same thing, then these businesses could find themselves having to comply with a myriad of laws, regulations, and other restrictions, potentially just because of the random, one-off transaction of a diligent customer looking for a special book.
I don't think that's likely to go very far, and were it challenged in court I seriously believe it would be thrown out as violating interstate commerce laws.
Obviously this would only be for businesses not maintaining a physical presence of some form in the state. If they have an office, a store, etc. then they would need to comply. Of course, that then begs the question of whether they have to make their nationwide operations comply or just those operations and transactions that originate within the state of Mass.
One thing's for sure, the lawyers will have fun.
"I'm pretty sure..."
That is mistaken. In Windows XP, workstations not connected with a domain have an additional key that is not backed up. I don't know if that was fixed in later versions of Windows. Read the links I gave below.
Hmmm... just a thought... NOT a recommendation...
Since "personal information" is the "first name and last name" IN COMBINATION WITH any of the other items, could you just denormalize the tables to get around this? Stick the SSN or CC info in a second or third table. Since that data is not stored WITH (same table) the name of the card holder or account owner, then... well... you see where this is going.
I guess it all comes down to what the meaning of "is" is. ;-)
I suspect that the broader effect will largely depend on the precise economics of how these systems are written/modified.
California's "OMG Carcinogens!" warnings are only required in that state; but you see them all over the place; because, for all the whining, it is often cheaper to make all your products compliant, rather than produce a California edition and a fuck-you-California edition.
MA is a much smaller market; but software has much smaller per-unit costs of production. If you have enough MA customers/operations in MA, you'll need to have an MA-compliant system. If you already have one, just using it for everybody might well be easier and cheaper than having a second, weaker, one for other people.
Well, if you really wanted to get hypothetical, the Supreme Court should just abolish State Governments altogether since they've held time and time again that anything anyone does "affects" interstate commerce and therefore falls under Federal Jurisdiction under the Commerce Clause.
"Anything a State Government does affects whether residents will move into or out of that State, and in moving, there is significant interstate commerce, therefore anything a State Government does falls under federal review." Or something like that..
Heh..
A state cannot just make laws that apply to random 3rd parties who aren't in/don't do business in that state; nor can they make laws that would specifically contradict something the feds have promulgated on the matter; but that doesn't mean they can't, de facto "export" the effects of (certain) laws.
California's labelling requirements, for instance, would probably be struck down hard if they applied to the entire country, or even said something like "You can only do business here if you follow our laws in all places you do business". However, they just say "you must do X when you do business here". Because California is a fairly large market, and stickers are fairly cheap, simple economics and economies of scale "export" that particular law for them.
I don't know whether the economics of this situation would cause a de facto exportation or not. I would assume that, in general, it is cheaper and easier to build and maintain one standard system, instead of two in parallel, and that there would be substantial exportation (especially since these measures aren't exactly something a responsible CIO wouldn't want to do anyway. There may be a number of cases of "Yeah, I know you don't like it; but look at this scary, scary new law, and approve my upgrade!" being used as an excuse to do things that people had wanted to do anyway.)
Because MA isn't exactly gigantic, or if the costs of doing it their way are noticeably higher on a per user basis (rather than just on the design/setup/initial costs basis), I assume that you'd just see certain CC processors and the like offering "MA compliant" handling options at a modest premium and making those easy to invoke based on customer address.
"System security agent software" doesn't seem like a synonym for AV software, though it would definitely include it.
Something like Tripwire (http://sourceforge.net/projects/tripwire/), or whatever the name of the chunk of code that actually manages AppArmor or SELinux (I forget what the BSD MAC system is called) restrictions, would (on a naive reading) seem to qualify, and any of those are useful and plausible parts of a BSD/Linux server.
They do forbid checking that checkbox by running a copy of Norton 7 with definitions from 2001, or some similar nonsense, which seems like a good thing.
If a case came to court, and the argument that a properly configured MAC setup with a small list of enumerated goodness with only the permissions it needed, all else denied execution, qualified as "System security agent software" with both "malware protection and virus definitions" (anything not specifically blessed by the admins, in this case) were to be rejected, my position on this part of the law would change. For the considerably worse.
Worst comes to worst, ClamAV has "AV" right in the name, and is quite inexpensive...
So tell us, how is replacing all those servers with Windows crap + antivirus going to make things more secure?
Why would you need to? I don't think the law has called out that you have to. All it is asking companies to do is perform the due diligence to protect PHI and PII for the citizens of Massachusetts.
The only reason THEY can get away with it is because ... guess what ... government agencies are excluded. "Do as I say, not as I do."
I think you may want to read Mass. Executive Order 5-04. They have to follow this so they are not exempt. http://www.mass.gov/?pageID=gov3terminal&L=3&L0=Home&L1=Legislation+%26+Executive+Orders&L2=Executive+Orders&sid=Agov3&b=terminalcontent&f=Executive+Orders_executive_order_504&csid=Agov3
This sounds like a good reason to do business with companies in Massachusetts, if you ask me.
Even better: "Anything a State Government might do might affect whether a person might consider thinking about moving into or out of that State and in the possibility of moving, they might consider engaging in a possibly commercial activity which might involve another state. Therefore, it is indisputably interstate commerce."
The incoherent idiocy which is the controlling decision for the Interstate Commerce clause actually reads like this.
Hey Obama, you should take a page out of this state's book, and make this a federal law. Accountability goes a long way to build trust with people, and this really brings it up a notch. Awesome to hear this news!...today is a good day, now if I could convince all other 51 states to follow suit.
However if I am in California and someone from Mass comes to my online service and buys from me, I do not have a presence in Mass. Likewise if I were a mail order business. I am not familiar with any precedents that define businesses in different states as having a presence in other states simply because they have a web site that *might* be visited by someone in another state. Of course, I've not been following it as close as I probably should, and IANA, so it's quite likely I missed that when (if) it happened.
Can you point to those? I'd like to get caught up.
Believe it or not, the wiki page is actually pretty good for this... but then, personal jurisdiction jurisprudence has been pretty well established for the past half century.
Otherwise, it would seem problematic for a business on one side of the country having to follow business rules on the other side of the country. Take the internet out of the equation. A brick and mortar business in California (say a used book store) has a telephone. Someone in Mass. calls that book store and asks if they have a specific book. They do, a transaction is made over the telephone and the book sent to the purchaser. Based on the theory you put forth, this brick and mortar store in California would now have to jump through the special regulatory and financial hoops being passed in Mass.
Nope - only if the Californian store "reaches out" to do business in Mass. (advertises in Mass., has an 800 phone number so people from Mass. don't have to pay long distance, etc.). In the context of internet sales, check out the Zippo case mentioned on the wiki... passive websites aren't enough, but interactive websites, like Amazon.com, are enough to establish a "presence" in the state.
> I'm all for requirements to protect data, however it is usually not a good idea to legislate how to accomplish that. When that happens then the industry's ability to innovate
> is legislated away.
I usually tend to agree. However, what do we do in cases where many of the mitigating steps are obvious, but, as years go by, few do much about it? I work in healthcare. Do you know when healthcare companies started investigating encryption? I'll tell you, it was AFTER they were mandated to by law.
The problem is, that the information is "other people's info". Companies are careful with "other people's info" in exactly the same way, and to the same extent as congress is frugal with "other people's money". It's not that they don't care, or that they don't "want to be good", it's just... not a risk to them. Risks need to be prioritized and as long as it's "other people's problem" it sits at the bottom of the "Wouldn't it be nice if we did this someday" pile.
All this law does is bring "fix that gaping hole" from the bottom of everyone's "wouldn't it be nice" pile and put it squarely on the "I am at risk" pile.
-Steve
Except that it's a lot easier to turn on SSL for all transactions than separate out the MA transactions from others.
Thus, I suspect, it will affect customers of firms that either do business with MA residents or do business with firms that do so.
Also, I would question the case of implementing it in such a way as to make the separation. Since it would, generally, be more work, and serve only to continue not protecting non-MA residents... isn't it a different case from the current situation? Currently it's just standard practice to do nothing and offer no protection. Going out of your way to not offer protection seems to me like a different action from simply not offering it by doing nothing.
-Steve
"I opened my eyes, and everything went dark again"
yeah. lemme go ahead and out-lawyer you. because the constitutional challenge isn't going to be about protectionism. it's going to be about preemption. the argument will go something like: this is an area of law, prudentially, better left to the feds. see: 50 different states with different regs. compliance nightmare, etc., etc. i'm not clear on the federal regs on the subject but i'm sure there's something to point to as intended to "occupy the field." chances are it's going down.
of course, in the meantime, you can't rely on the potentiality of unconstitutionality in your compliance auditing.
The "system security agent software" is not the same as the "antivirus" and "malware" software - the law sees them as two separate things. BTW - good luck getting clamav (or any av) to update itself in rom on an embedded system. The law is stooopid.
So, who's writing viruses that attack Tru64 systems? Again, this law was written by people who think "computer == desktop".
That's what the interstate commerce clause might've meant in the beginning, but nowadays it's more like "if enough people or businesses are potentially affected by it, then it would start to affect interstate commerce, which means congress can and should be the ones to regulate/handle it." Which is why we have numerous laws like "illegally chewing bubblegum while engaged in interstate commerce".
I am not a sig.
>> what he calls a "rather scary" new data protection law from Massachusetts:
Why is this scary? It seems like absolute common-sense to me.
I imagine the only people this is scary to are the sloppy and incompetent corporations, db admins & web programmers that haven't already been properly encrypting personal info.
Anyone still not encrypting personal info must have been living under a rock for the last 10 years.
Can you show vulnerabilities in TrueCrypt?
...
... TrueCrypt is a disk encryption system intended to solve the problem of people ....
Obviously, I don't have the time to look through Google's 313,000 results for truecrypt vulnerability.
I was unable to find any links to vulnerabilities in TrueCrypt in that list! Here is a typical item from the Google search:
UW Computer Security Research and Course Blog Security Review
Feb 10, 2008
alexmeng on Current events: Adobe Reader Vulnerability...
cubist.cs.washington.edu/Security/.../security-review-truecrypt/ - Cached - Similar
As you can see, that link is to a vulnerability in Adobe Reader, not TrueCrypt.
Just stop doing business with anyone in Massachusetts.
That's what I'm going to do at this point. They need to get control of their legislature.
I've fallen off your lawn, and I can't get up.
Folks, the InfoWorld article referenced by the SQL Server Magazine guy now states: "This story was updated on April 20. Massachusetts does not require that written information security programs be filed at this time, just that they exist." Not only that, but he's incorrect about the encryption being required on *servers*. Again, the InfoWorld article as originally referenced talks about in-place encryption on "laptops and other portable devices". Yes, "PORTABLE DEVICES". Servers should of course be in a *locked closet*. In-place encryption is not a requirement of the law. -- IANAL
The Dunning–Kruger effect is a cognitive bias in which "people reach erroneous conclusions and make unfortunate choices but their incompetence robs them of the metacognitive ability to realize it."[1] The unskilled therefore suffer from illusory superiority, rating their own ability as above average, much higher than in actuality; by contrast, the highly skilled underrate their abilities, suffering from illusory inferiority. This leads to a perverse result where less competent people will rate their own ability higher than more competent people. It also explains why actual competence may weaken self-confidence because competent individuals falsely assume that others have an equivalent understanding. "Thus, the miscalibration of the incompetent stems from an error about the self, whereas the miscalibration of the highly competent stems from an error about others."[1]
"In the modern world the stupid are cocksure while the intelligent are full of doubt." — Bertrand Russell[2][3]
Interesting reference. However, you hardly know anything about me, so perhaps you have fallen prey to the Dunning-Kruger effect yourself. :-)
But while we're on the subject, let me continue.
Slash me to pieces for tooting my own horn. Actually, I only mentioned the "guru" bit in passing, as a short-hand for stating that I kinda know something about databases in high-demand environments, without having to spend an entire paragraph doing the same. If you want to pick it to death, go straight ahead and do so. Sheesh.
However, despite all of that, I do find the Dunning-Kruger reference interesting. I have been back and forth many times with assuming everyone has my level of understanding, and thinking I'm a stupid idiot despite evidence to the contrary. These days, I simply call an ace an ace. I know what I can do, I know what I am capable of, so why be shy about it? Do I know everything? No. I would never claim such. However, if I do know something, what's wrong with just being honest about it? Why is it some get offended at this? I put in the Blood, Sweat, Tears, and Years getting to where I am. Should I not be proud of that? What does modesty buy me?
I've had bloody enough of beating myself into the ground for this or that, and I refuse to do it anymore. I am an empiricist; I go by observations. And I have observed many others referring to myself as "guru", "genius", "brilliant", and what not. Quite frankly, I don't think all of those monikers are deserved. But then, I should give myself credit for what I have accomplished.
So sorry you are peeved. Actually, I'm not sorry that you are. That's your problem. Not mine.
Ruby Neural Evolution of Augmenting Topologies