Nevada Businesses Must Start Encrypting E-Mail By Oct. 1st 178
dtothes writes "Baseline is reporting the state of Nevada has a statute about to go in effect on October 1, 2008 that will force businesses to encrypt all personally identifiable information transmitted over the Internet. They speak with a Nevada legal expert who says the problem is that the statute is written so broadly that the law could potentially open up a ton of unintentional liability and allow for the interpretation of things like password-protected documents to be considered sufficiently encrypted. Quoting: 'Beyond the infrastructure impact, the statute itself looks like Swiss cheese. Bryce K. Earl, a Las Vegas-based attorney, ... has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil.'"
I wonder . . . (Score:4, Interesting)
Re: (Score:2, Insightful)
Forget selling software. The real money comes from selective prosecution of offenders.
This law is absurd, an only goes to demonstrate how insane everyone on this planet is. An email address is potentially personally identifiable information. So is an IP address. So is a password.
So based on this legislation, resetting a users password and sending them the new password via email is illegal?
Re:I wonder . . . (Score:5, Funny)
You could always put the password into a text file, zip it, and password-protect the zip with their old password before you e-mailed it to them.
Re:I wonder . . . (Score:4, Funny)
You could always put the password into a text file, zip it, and password-protect the zip with their old password before you e-mailed it to them.
Duh. Obviously that wouldn't work, since they don't know their old password. You'd have to password protect the password with their new password!
Re:I wonder . . . (Score:5, Informative)
RTFL. There is "personal information"
NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
1. Social security number.
2. Driver's license number or identification card number.
3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.
Ê The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.
(Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)
Re: (Score:2, Informative)
Thats just "Personal Information". "Personal identifying information" is defined as follows:
NRS 205.4617 "Personal identifying information" defined.
1. Except as otherwise provided in subsection 2, "personal identifying information" means any information designed, commonly used or capable of being used, alone or in conjunction with any other information, to identify a living or deceased person or to identify the actions taken, communications made or received by, o
Re: (Score:2)
Gee, sounds pretty close to HIPAA, which has only been mandated at the federal level for years now! Egads, no wonder NV has problems...
Re: (Score:2)
That driver's license number is a critical chunk of data. This week someone tried to get instant credit at Home Depot using my data. One thing they got wrong was my driver's license number. Home Depot was smart enough to call me. The way it works is that they don't care where the card is mailed. They simply want instant credit so that they can walk out of the store with an expensive item that they can quickly sell.
I went to the local sheriff's
Re: (Score:2)
...an unnatural person, congealed into existence in the dark quagmires of the legal landscape...
As amusing as this may sound, it is technically quite close to the truth. The choice of phrase is due to the fact that corporations are legal entities, technically "corporate persons", unto themselves. Such an entity legally is, in fact, an "unnatural person".
Insecure anyway... (Score:5, Informative)
So based on this legislation, resetting a users password and sending them the new password via email is illegal?
This is an extremely insecure procedure, unless you make sure that, upon receiving the e-mail, the user will quickly log-in and change the pass to another one (the mailed password only used as a temporary pass). Or if the mail actually is a special reset-URL which could let the user choose his own.
An email is just as secure as a postcard. Everyone (for example the postman could read it). Same for the e-mail : it transits un-encrypted and could be intercepted at any point on the way to the receiver.
Re: (Score:2, Interesting)
This is an extremely insecure procedure, unless you make sure that, upon receiving the e-mail, the user will quickly log-in and change the pass to another one (the mailed password only used as a temporary pass). Or if the mail actually is a special reset-URL which could let the user choose his own.
An email is just as secure as a postcard. Everyone (for example the postman could read it). Same for the e-mail : it transits un-encrypted and could be intercepted at any point on the way to the receiver.
What method of password recovery do you suggest ?
three ways (Score:2)
What method of password recovery do you suggest ?
1. Either, as I said, the password (or reset URL) should be considered as compromisable and thus only temporary and should be replaced as soon as possible.
2. Or, a secure channel should be used (crypted, as suggested by the - although badly worded - law)
3. A last possibility would be simply to try using a completely separate channel. As in, the user asks for a password reset by classical ways, but the replacement is sent by SMS. Not as secure as nÂ2, but requires a little bit more effort to compromise.
Re: (Score:2)
Recovery questions. SSL. Send the password over an HTTPS connection, if you must – even safer would be to require a password reset. Once the user has proven their identity via recovery questions, they get to type a new password and has no way of knowing what the old password was.
Plus, any system which permits password recovery must, by nature, store the password as plain text in a database somewhere, which is bad practice from the get-go.
Re: (Score:2)
A simpler method for email is to simply encrypt the message using the delivery address. Not that it really secures it but it does however force a action with criminal intent. For the message to be deciphered the recipient must fraudulently misrepresent themselves as the legitimate receiver of that message in order to read it and as a result can be subject to criminal prosecution ie. no more postcards and the feature can simply be built into all email readers.
As for required security, which is obvious in
Doesn't work (Score:2)
I know some systems record the IP of the user who wanted to reset the password and only allows that IP to do so, and ensures the same session (cookies) is used also.
Technically it's akin to using several factors, so if one is compromised, the others will still remain (akin to sending part of the information in an SMS).
The problem : these additional data all transit exactly on the same medium as the e-mail. They aren't separate channels and thus don't really offer any additional protect : someone who has snooped on the mail will very likely know the target IP and be able to spoof it.
Nonetheless, in your situation this won't be a problem, because it's a reset email, done
Re:I wonder . . . (Score:5, Interesting)
Re: (Score:2)
Too bad even a PW-prompting Zip file is too complicated for most non-IT folk.
And here we are encrypting email.
TAG: good luck with that
we know that... (Score:2)
I already deal with having to encrypt everything in my current job (electronic medical claims). Believe me, there is still a ton of money to be made, even if you don't sell the software to them.
Re: (Score:2)
Depends on your definition of "best."
If best means "in theory, the technology is extremely difficult to break when human beings know how to use it correctly and do so" then yeah.
If best means "in practice, it is likely to work effectively when used by ordinary actual human beings in the real world" then um, no.
Human beings are part of the security equation [schneier.com]. Gnupg is a great piece of technology, but unless it is wrapped in an interface and set of procedures in such a way that Nina from accounting is able
Just ROT-13 twice (Score:5, Funny)
Re:Just ROT-13 twice (Score:5, Funny)
This is irresponsible advice. There are known-plaintext attacks on reduced-round variants of ROT13. Always use the full 16 rounds to be sure you're actually getting the security that double ROT-13 promises.
Re:Just ROT-13 twice (Score:5, Informative)
For the humor-impaired, performing ROT-13 twice results in the same text as the original unencrypted message. Performing ROT-13 twice again to "decrypt" would once again result in the same text as the original, unencrypted message. It's just a joke, relax.
Re:Just ROT-13 twice (Score:4, Funny)
Knowing the law... (Score:2, Interesting)
Am I just being too cynical, or will putting everything in a password-protected ZIP file and then sending that, together with the password, will satisfy the rules?
Re: (Score:2)
Odds are, yes. Unless it says you have to send the key/password separately.
Re: (Score:3, Informative)
How about http web traffic? (Score:4, Interesting)
Re:How about http web traffic? (Score:4, Insightful)
If you're an ecommerce website, and you don't already use https for sensitive data (like credit card info), you are just begging to be ripped off. Or hadn't you noticed that little padlock icon that appears whenever you buy something online?
Re:How about http web traffic? (Score:4, Interesting)
Re: (Score:2)
Don't judge a law by how it sounds. The actual text [slashdot.org] tends to be more useful.
Re: (Score:3, Informative)
No. As others here have noted:
Re: (Score:2)
a natural person's first name or first initial and last name in combination with any one or more of the following data elements
The username and first + last name, yes. Either or, no.
Re: (Score:2)
funny how people fall for that padlock every time.
Re: (Score:2)
If you're an ecommerce website, you should be doing everything involving private data over HTTPS to begin with.
Re: (Score:2)
Shouldn't you be doing that already for your login/checkout/payment processes?
Re:How about http web traffic? (Score:5, Informative)
Yes and no. The law says that you have to encrypt when you send personal data. The definition of encryption is pretty broad [state.nv.us] but the definition of personal data is very narrow [state.nv.us] so you could have a web site which is unencrypted except for the part where the customers identified themselves.
Overall, I don't see the problem with this. That they allow weak encryption is a red herring. Strong encryption will also comply with the ruling and so most people will use that. Weak encryption is often better than nothing. There are loopholes, but those can be closed later. This looks like a good start.
Re: (Score:3, Funny)
Actually it's a red herring with a bicycle.
Re: (Score:2)
You were expected to do that before they even passed this law, and not just for customers in Nevada.
1976 called, they want their RSA-hasn't-been-invented-yet excuse back.
I approve... (Score:4, Funny)
I just hope they do more than password protecting the word docs...
Re: (Score:2)
Say it ain't so! (Score:2, Insightful)
Re: (Score:2, Insightful)
Are they aware just how much money this is going to cost businesses in training?
Not to mention they will have to have every company (and possibly every employee of every company) submit and maintain a proper public key in a public database, no matter how technically savvy they are. I can't get my own company to do that internally...
And if you don't have an IT department? (Score:4, Insightful)
Let's say you're a guy with a lawn mowing business and you have your web site (which you crudely built yourself) printed on the side of your truck.
Now, someone emails you with their name and address asking for a quote.
Good luck trying to figure out what this law (http://www.leg.state.nv.us/Nrs/NRS-597.html) means!
p.s. seems to me that the lawyer who wrote this article ought to know the difference between "affect" and "effect"...
"Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect."
Re:And if you don't have an IT department? (Score:4, Funny)
p.s. seems to me that the lawyer who wrote this article ought to know the difference between "affect" and "effect"...
"Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect."
Obviously they're being very optimistic about the economic impact...
Re: (Score:2)
You beat me to it and did a better job than I would have. I doubt that my effecting a similar jab would have had nearly as humorous an effect.
Well done.
Re:And if you don't have an IT department? (Score:4, Funny)
Re: (Score:3, Informative)
Good luck trying to figure out what this law (http://www.leg.state.nv.us/Nrs/NRS-597.html) means!
For that matter -- if you're in a business like lawnmowing that only uses its "web presence" as a virtual billboard or PO Box -- good luck knowing this law even exists!
Re: (Score:3, Funny)
Obviously, you either have never been to Nevada or have very poor business sense.
A lawn mowing business would never succeed in Nevada.
Re: (Score:2)
I dunno, in the brothels, there's plenty of bush trimming that gets done.
Re: (Score:2)
Tell that to the dozen landscape companies (mainly lawn mowing) that handle the houses on my block. The ones that handle foreclosed houses seem to be doing particularly well.
How about this? (Score:2, Funny)
Can I start a lawsuit to sue some company that does NOT do this, go to a jury by trial, but then do a terribly bad job of defending my position and set precedent that the defendant does not need to encrypt this stuff before a 'real' lawsuit comes about and sets precedent the other way?
Re: (Score:2)
then do a terribly bad job of defending my position and set precedent
Judges hate it when you do that, and will likely throw out your case and force you to pay for all of it.
Encryption Conniption (Score:4, Funny)
It was later found that the reason for this delay was a system-wide shutdown & widespread panic as they couldn't figure out how to encrypt or decrypt any of their correspondence properly.
GOOD! (Score:2, Insightful)
ISTM we should phase out any unencrypted protocols going over the internet.
This particular law may have technical shortcomings - but if it takes close-but-not-quite right laws to raise awareness to the common person and politician that much internet traffic is unencrypted, I'm all for this law as a stalking horse to-be-improved-upon.
And just think if we eventually migrated to most internet traffic being encrypted. Much of the bittorrent-throttling / AT&T-spying / NSA snooping paranoia could be avoided.
Re: (Score:2)
Re: (Score:2)
And just think if we eventually migrated to most internet traffic being encrypted. Much of the bittorrent-throttling / AT&T-spying / NSA snooping paranoia could be avoided.
In the case of things like bittorrent throttling, connections can be identified by the characteristics of the connection, such as burstiness, throughput, port numbers, etc. Beyond encryption, you have to obfuscate it. Truly disguising it would likely require throttling anyway.
Bad summary (Score:5, Informative)
So businesses merely need to refrain from putting social security numbers, drivers license numbers, and passwords in email and other insecure communication channels and they're good. They can even send the password, provided they don't send the account number along with it. This makes forgotten password recovery a bit harder, but it's not impossible to comply with.
Re: (Score:3, Insightful)
So businesses merely need to refrain from putting social security numbers, drivers license numbers, and passwords in email and other insecure communication channels and they're good.
If any business is currently sending SS and driver's license numbers via email, they are being irresponsible.
Re: (Score:2)
I always send that kind of info in a word doc, then have my email client UUEncrypt it.
Re: (Score:2)
I wonder if this couldn't be pried open to include SSNs that are publicly available from court or property documents. It certainly looks like it. It also looks like if you remove the last name, you can send their SSN, credit card number and password all together.
I don't know what's worse, a legal system where "loopholes" are enough for you to be excluded, or a society that needs a legal system that attempts (and inevitably
What can go wrong? (Score:3, Insightful)
It's not like we've had any keys lost [bigblog.com] lately.
The End of the Internet as We Know It! (Score:2)
If they can require people to encrypt their email, the next evil plan will be to force everybody to supply crytographic certificates with each email. This will make it impossible to send anonymous email! No poison pen messages, no mailbox bombing, no sp...
Oh. Never mind.
This is a good idea (Score:3, Funny)
Personally identifiable information should be encrypted.
Sincerely,
xz'Kxv!y{Ycut="xgq'^e;
The Real Problem... (Score:5, Informative)
...isn't primarily with the law, it's with the Nevada definition of "encryption". Writing definitions of such things for legislation is a more difficult problem than you might think. (I helped draft Virginia's definition of encryption, and what we ended up with ain't perfect.) But in this case, Nevada's definition just plain sucks.
One of the challenges of writing legislation is that you really can't refer to specific technologies, otherwise you end up having to update the law every time the technology is broken.
Also, if you rely on a punch list of approved technologies, you effectively block out alternatives. ("But your honor, I used Blowfish because it's more secure than Triple-DES." "Sorry, son, Blowfish isn't on the list I see here. Guilty!")
Unfortunately, this is a case of "Not a Bad Idea, Piss-poor Implementation". There's a lot for Nevada to fix here.
Re: (Score:2)
Unfortunately, this is a case of "Not a Bad Idea, Piss-poor Implementation".
I don't think it's all that bad. It'd be better if it required the use of good encryption, but I suspect that most people will find it cheaper to implement the widely-deployed encryption tech (i.e. SSL for web sites, S/MIME or PGP for e-mail) than to invent something themselves -- and those widely-deployed technologies are also quite good.
Of course, the implementations will often be half-baked, with stupid processes that make the decryption keys far too easy for the wrong person to get -- but it'll almos
Re: (Score:2)
Any encryption is better than no encryption. Besides, once people learn how to encrypt things, it is pretty easy to just forget to turn it off. Or to receive encrypted emails in case I want to send one to them.
Damned if You Do/Don't (Score:2)
Seems there is no easy way to win this.
Like you said, if they defined encryption to the tee, then they'd have a problem next year when that defininition is out of date or broken.
Seems to me that leaving it vague is better, since it lets people choose how they comply. We're always saying on here that government should keep their hands off things. Maybe this is a good thing?
Either way, this decision sounds like a step forward. It might be a very small step, and even slightly off the desired path, but at le
this is what makes Slashdot worth reading (Score:2)
Does it need a backdoor? (Score:2)
The way the government's going, I wouldn't be surprised if the businesses have to use a particular package that gives the government backdoor access.
Obligatory (with slight variation) (Score:3, Funny)
Your government advocates a
(X) technical (X) legislative ( ) market-based ( ) vigilante
approach to fighting identity theft. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop identity theft for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from identity thieves
(X) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) identity thieves don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of identity theft
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
( ) Dishonesty on the part of identity thieves themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
(X) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about your legislature:
( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're stupid people for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
Re: (Score:3, Funny)
Asshats are an eternal problem, second only to the Dutch.
Re: (Score:2)
That's because asshats tend to be at the root of technical problems like this one.
Re: (Score:2)
Could be the start of a good thing (Score:2)
If this is the first step to encrypting EVERYTHING, then i think its worth a few of the speed-bumps this will cause in the beginning.
Delay access? Not good enough. (Score:2, Insightful)
Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
Under this definition of "encryption", I could argue that by compressing the file it would "delay access" by making them wait for the time 7zip takes to unzip. So now zipped files are encrypted?
The Hard Part of This (Score:3, Informative)
The hard part of this problem is getting MS Windows users to use email encryption. Your pretty much screwed if you use MS LookOut. Sometimes it works, sometimes it doesn't.
I would encrypted all my email if people that I'm sending to could read it. I would refuse any email that is not encrypted if I could get people to encrypt their email.
Re: (Score:2)
How is this problem specific to Outlook? I've used Outlook as well as other email clients and I never felt uncertain about the effect of my actions.
Could you elaborate?
Estbay encryptionyay orfay ureaucratsbay isyay... (Score:3, Funny)
...Igpay Atinlay!
Seriously...show me one governmental agency that does ANYTHING with technology well and I'll accept governmental agencies telling me what the rules are regarding said technology.
We've been doing this for years in the UK (Score:2)
In the UK, most large companies have long accepted that this is an implicit requirement of our Data Protection Act. In my area of work, you'd certainly be subject to disciplinary action if you failed to encrypt an email that contained personal data.
Perhaps it's time for the USA to catch up with the rest of the world.
Re: (Score:2)
Balls. There is no consistent standard, and personal details still fly freely over the wire. Show me ANY, repeat, ANY recruitment agency that publishes a PGP key and that emails CVs encrypted.
Even that setup that has more ways to waste money than a teenager, the government, has failed to pull something consistent together. Mind you, last time I rescued them from embarrassment they had Microsoft consultants cook up some secure email solution. Given the rates that MS pays it's "consultants" it was no surp
Nice idea, totally unenforceable (Score:2)
Don't for one minute believe that this idea is enforceable on a widespread basis.
Here in the UK we've got the Data Protection Act (which doesn't specify "encryption" but does specify "reasonable care" and the watchdog tasked with monitoring compliance describes using encryption as an example of "reasonable care") and yet there have been loads of instances where personal data has been compromised.
The purpose of a law like this is to give the judiciary something definite to charge someone with when the inevit
Re: (Score:2, Funny)
Re: (Score:2)
Nah. Real geeks convert to hexadecimal before ROT-13 encrypting anything.
Re: (Score:2)
Nah. Real geeks convert to hexadecimal before ROT-13 encrypting anything.
Wouldn't that be ROT-D?
Re: (Score:2)
Retard Of The Day? No, that's the "Frost Piss" and "Nigger" troll.
Re: (Score:2)
I think it'd be ROT-Q.
Re:Force Encryption eh (Score:5, Funny)
I have developed a system by which each character is taken and broken up into a pattern of ones and zeros. The exact pattern is determined by looking up the character in a table. The receiver has to unscramble this pattern of ones and zeros by looking the pattern up in a similar table and then regenerating the character.
I call this system ASCII and I believe that it is a simple type of encryption, albeit with a very public public key, and no private key.
Re: (Score:3, Funny)
0101011101101000011000010111010000111111
Re:Force Encryption eh (Score:5, Funny)
I use ROT26. It must be twice as secure at ROT13.
Re: (Score:2)
I'm a very paranoid person, and I use ROT104 encryption on all my important data. Yeah, it may be overkill, but my computer does it so quickly I barely notice it happening.
SRSLY, I'm a big fan of ubiquitous encryption, and this may work to jumpstart it.
Re: (Score:2)
The problem with ubiquitous encryption is the same problem you always have when everything is "top security"...When everything is top security, nothing is top security.
I'm a big believer in encryption where it's appropriate, but if you force it everywhere people get sloppy with the data and their keys, and all kinds of crap.
Re: (Score:2)
I'm a very paranoid person, and I use ROT104 encryption on all my important data. Yeah, it may be overkill, but my computer does it so quickly I barely notice it happening.
I think you need to upgrade to triple-ROT104.
Re: (Score:2)
I copy-paste a spam e-mail into an HTML document that contains the following header... (it can even be typed in Notepad: all the characters are 0x20 or over with the exception of 0x09, which is tab).
Bonus points if you can figure out what it means.
rot26 (Score:2)
I use rot26 because it's twice as powerful as rot13!
Re: (Score:2)
Encryption does not have to be strong to meet requirements. I'm sure I didn't invent this, but I personally use a rotating ROT-? cipher. It isn't unbreakable, but without knowing the key that it is ciphered with, it is very difficult to crack.
Data to encipher: "University of Texas"
Key: "Bobb Sledd"
Enciphered, it becomes some representation of: "U+B, n+o, i+b, v+b, e+' ', r+S, s+l...." etc. but it is still printable with ascii chars.
So, I suppose you could brute force it, but I think it would take you
Re: (Score:2)
What they could do, is define lack of encryption as negligent, for liability purposes. Lawmakers do weird things like this all the time: for example if you possess more than x weight of drugs, then you have intent to distribute (regardless of whether or not there's actually any reason to believe you had such intent).
They could pass a law that if you lose info and didn't encrypt it, and then someone comes after you for damages resulting from such negligence, then your position is far weaker than it would b
Re: (Score:2, Insightful)
Re: (Score:2)
The "don't record" flag is the first (and only) commercially available implementation of the "evil" bit.
Ironic.
Re: (Score:2)
No, no, no... they'll distribute RAR files with the password in the RAR comment. TOC unencrypted, of course.
Re: (Score:2)
Actually, I think they just included that to avoid making hundreds of thousands of existing office fax machines illegal.