Slashdot Log In
Nevada Businesses Must Start Encrypting E-Mail By Oct. 1st
Posted by
Soulskill
on Mon Sep 22, 2008 02:53 PM
from the wouldn't-bet-on-it dept.
from the wouldn't-bet-on-it dept.
dtothes writes "Baseline is reporting the state of Nevada has a statute about to go in effect on October 1, 2008 that will force businesses to encrypt all personally identifiable information transmitted over the Internet. They speak with a Nevada legal expert who says the problem is that the statute is written so broadly that the law could potentially open up a ton of unintentional liability and allow for the interpretation of things like password-protected documents to be considered sufficiently encrypted. Quoting: 'Beyond the infrastructure impact, the statute itself looks like Swiss cheese. Bryce K. Earl, a Las Vegas-based attorney, ... has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil.'"
Related Stories
Submission: Nevada Businesses Must Encrypt E-Mail on 10-1-08 by Anonymous Coward
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
I wonder . . . (Score:4, Interesting)
Re: (Score:2, Insightful)
Forget selling software. The real money comes from selective prosecution of offenders.
This law is absurd, an only goes to demonstrate how insane everyone on this planet is. An email address is potentially personally identifiable information. So is an IP address. So is a password.
So based on this legislation, resetting a users password and sending them the new password via email is illegal?
Re:I wonder . . . (Score:5, Funny)
You could always put the password into a text file, zip it, and password-protect the zip with their old password before you e-mailed it to them.
Parent
Re:I wonder . . . (Score:4, Funny)
You could always put the password into a text file, zip it, and password-protect the zip with their old password before you e-mailed it to them.
Duh. Obviously that wouldn't work, since they don't know their old password. You'd have to password protect the password with their new password!
Parent
Re:I wonder . . . (Score:5, Informative)
RTFL. There is "personal information"
NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
1. Social security number.
2. Driver's license number or identification card number.
3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.
Ê The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.
(Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)
Parent
Insecure anyway... (Score:5, Informative)
So based on this legislation, resetting a users password and sending them the new password via email is illegal?
This is an extremely insecure procedure, unless you make sure that, upon receiving the e-mail, the user will quickly log-in and change the pass to another one (the mailed password only used as a temporary pass). Or if the mail actually is a special reset-URL which could let the user choose his own.
An email is just as secure as a postcard. Everyone (for example the postman could read it). Same for the e-mail : it transits un-encrypted and could be intercepted at any point on the way to the receiver.
Parent
Re:I wonder . . . (Score:5, Interesting)
Parent
Just ROT-13 twice (Score:5, Funny)
Re:Just ROT-13 twice (Score:5, Funny)
This is irresponsible advice. There are known-plaintext attacks on reduced-round variants of ROT13. Always use the full 16 rounds to be sure you're actually getting the security that double ROT-13 promises.
Parent
Re:Just ROT-13 twice (Score:5, Informative)
For the humor-impaired, performing ROT-13 twice results in the same text as the original unencrypted message. Performing ROT-13 twice again to "decrypt" would once again result in the same text as the original, unencrypted message. It's just a joke, relax.
Parent
Re:Just ROT-13 twice (Score:4, Funny)
Parent
Knowing the law... (Score:2, Interesting)
Am I just being too cynical, or will putting everything in a password-protected ZIP file and then sending that, together with the password, will satisfy the rules?
Re: (Score:2)
Odds are, yes. Unless it says you have to send the key/password separately.
Re: (Score:3, Informative)
How about http web traffic? (Score:4, Interesting)
Re:How about http web traffic? (Score:4, Insightful)
If you're an ecommerce website, and you don't already use https for sensitive data (like credit card info), you are just begging to be ripped off. Or hadn't you noticed that little padlock icon that appears whenever you buy something online?
Parent
Re:How about http web traffic? (Score:4, Interesting)
Parent
Re: (Score:3, Informative)
No. As others here have noted:
Re: (Score:2)
If you're an ecommerce website, you should be doing everything involving private data over HTTPS to begin with.
Re: (Score:2)
Shouldn't you be doing that already for your login/checkout/payment processes?
Re:How about http web traffic? (Score:5, Informative)
Yes and no. The law says that you have to encrypt when you send personal data. The definition of encryption is pretty broad [state.nv.us] but the definition of personal data is very narrow [state.nv.us] so you could have a web site which is unencrypted except for the part where the customers identified themselves.
Overall, I don't see the problem with this. That they allow weak encryption is a red herring. Strong encryption will also comply with the ruling and so most people will use that. Weak encryption is often better than nothing. There are loopholes, but those can be closed later. This looks like a good start.
Parent
Re: (Score:3, Funny)
Actually it's a red herring with a bicycle.
I approve... (Score:4, Funny)
I just hope they do more than password protecting the word docs...
Say it ain't so! (Score:2, Insightful)
Re: (Score:2, Insightful)
Are they aware just how much money this is going to cost businesses in training?
Not to mention they will have to have every company (and possibly every employee of every company) submit and maintain a proper public key in a public database, no matter how technically savvy they are. I can't get my own company to do that internally...
And if you don't have an IT department? (Score:4, Insightful)
Let's say you're a guy with a lawn mowing business and you have your web site (which you crudely built yourself) printed on the side of your truck.
Now, someone emails you with their name and address asking for a quote.
Good luck trying to figure out what this law (http://www.leg.state.nv.us/Nrs/NRS-597.html) means!
p.s. seems to me that the lawyer who wrote this article ought to know the difference between "affect" and "effect"...
"Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect."
Re:And if you don't have an IT department? (Score:4, Funny)
p.s. seems to me that the lawyer who wrote this article ought to know the difference between "affect" and "effect"...
"Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect."
Obviously they're being very optimistic about the economic impact...
Parent
Re: (Score:2)
You beat me to it and did a better job than I would have. I doubt that my effecting a similar jab would have had nearly as humorous an effect.
Well done.
Re:And if you don't have an IT department? (Score:4, Funny)
Parent
Re: (Score:3, Informative)
Good luck trying to figure out what this law (http://www.leg.state.nv.us/Nrs/NRS-597.html) means!
For that matter -- if you're in a business like lawnmowing that only uses its "web presence" as a virtual billboard or PO Box -- good luck knowing this law even exists!
Re: (Score:3, Funny)
Obviously, you either have never been to Nevada or have very poor business sense.
A lawn mowing business would never succeed in Nevada.
How about this? (Score:2, Funny)
Can I start a lawsuit to sue some company that does NOT do this, go to a jury by trial, but then do a terribly bad job of defending my position and set precedent that the defendant does not need to encrypt this stuff before a 'real' lawsuit comes about and sets precedent the other way?
Re: (Score:2)
then do a terribly bad job of defending my position and set precedent
Judges hate it when you do that, and will likely throw out your case and force you to pay for all of it.
Encryption Conniption (Score:4, Funny)
It was later found that the reason for this delay was a system-wide shutdown & widespread panic as they couldn't figure out how to encrypt or decrypt any of their correspondence properly.
GOOD! (Score:2, Insightful)
ISTM we should phase out any unencrypted protocols going over the internet.
This particular law may have technical shortcomings - but if it takes close-but-not-quite right laws to raise awareness to the common person and politician that much internet traffic is unencrypted, I'm all for this law as a stalking horse to-be-improved-upon.
And just think if we eventually migrated to most internet traffic being encrypted. Much of the bittorrent-throttling / AT&T-spying / NSA snooping paranoia could be avoided.
Bad summary (Score:5, Informative)
So businesses merely need to refrain from putting social security numbers, drivers license numbers, and passwords in email and other insecure communication channels and they're good. They can even send the password, provided they don't send the account number along with it. This makes forgotten password recovery a bit harder, but it's not impossible to comply with.
Re: (Score:3, Insightful)
So businesses merely need to refrain from putting social security numbers, drivers license numbers, and passwords in email and other insecure communication channels and they're good.
If any business is currently sending SS and driver's license numbers via email, they are being irresponsible.
What can go wrong? (Score:3, Insightful)
It's not like we've had any keys lost [bigblog.com] lately.
The End of the Internet as We Know It! (Score:2)
If they can require people to encrypt their email, the next evil plan will be to force everybody to supply crytographic certificates with each email. This will make it impossible to send anonymous email! No poison pen messages, no mailbox bombing, no sp...
Oh. Never mind.
This is a good idea (Score:3, Funny)
Personally identifiable information should be encrypted.
Sincerely,
xz'Kxv!y{Ycut="xgq'^e;
The Real Problem... (Score:5, Informative)
...isn't primarily with the law, it's with the Nevada definition of "encryption". Writing definitions of such things for legislation is a more difficult problem than you might think. (I helped draft Virginia's definition of encryption, and what we ended up with ain't perfect.) But in this case, Nevada's definition just plain sucks.
One of the challenges of writing legislation is that you really can't refer to specific technologies, otherwise you end up having to update the law every time the technology is broken.
Also, if you rely on a punch list of approved technologies, you effectively block out alternatives. ("But your honor, I used Blowfish because it's more secure than Triple-DES." "Sorry, son, Blowfish isn't on the list I see here. Guilty!")
Unfortunately, this is a case of "Not a Bad Idea, Piss-poor Implementation". There's a lot for Nevada to fix here.
Obligatory (with slight variation) (Score:3, Funny)
Your government advocates a
(X) technical (X) legislative ( ) market-based ( ) vigilante
approach to fighting identity theft. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop identity theft for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from identity thieves
(X) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) identity thieves don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of identity theft
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
( ) Dishonesty on the part of identity thieves themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
(X) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about your legislature:
( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're stupid people for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
Re: (Score:3, Funny)
Asshats are an eternal problem, second only to the Dutch.
The Hard Part of This (Score:3, Informative)
The hard part of this problem is getting MS Windows users to use email encryption. Your pretty much screwed if you use MS LookOut. Sometimes it works, sometimes it doesn't.
I would encrypted all my email if people that I'm sending to could read it. I would refuse any email that is not encrypted if I could get people to encrypt their email.
Estbay encryptionyay orfay ureaucratsbay isyay... (Score:3, Funny)
...Igpay Atinlay!
Seriously...show me one governmental agency that does ANYTHING with technology well and I'll accept governmental agencies telling me what the rules are regarding said technology.
Re: (Score:2, Funny)
Re: (Score:2)
Nah. Real geeks convert to hexadecimal before ROT-13 encrypting anything.
Re:Force Encryption eh (Score:5, Funny)
I have developed a system by which each character is taken and broken up into a pattern of ones and zeros. The exact pattern is determined by looking up the character in a table. The receiver has to unscramble this pattern of ones and zeros by looking the pattern up in a similar table and then regenerating the character.
I call this system ASCII and I believe that it is a simple type of encryption, albeit with a very public public key, and no private key.
Parent
Re: (Score:3, Funny)
0101011101101000011000010111010000111111
Re:Force Encryption eh (Score:5, Funny)
I use ROT26. It must be twice as secure at ROT13.
Parent