Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Encryption Security Government Privacy News Your Rights Online

New State Laws Could Make Encryption Widespread 155

New laws that took effect in Nevada on Oct. 1 and will kick in on Jan. 1 in Massachusetts may effectively mandate encryption for companies' hard drives, portable devices, and data transmissions. The laws will be binding on any organization that maintains personal information about residents of the two states. (Washington and Michigan are considering similar legislation.) Nevada's law deals mostly with transmitted information and Massachusetts's emphasizes stored information. Between them the two laws should put more of a dent into lax security practices than widespread laws requiring customer notification of data breaches have done. (Such laws are on the books in 40 states and by one estimate have reduced identity theft by 2%.) Here are a couple of legal takes on the impact of the new laws.
This discussion has been archived. No new comments can be posted.

New State Laws Could Make Encryption Widespread

Comments Filter:
  • Okay whew (Score:4, Funny)

    by Anonymous Coward on Friday October 17, 2008 @10:48AM (#25413371)

    Only laptops. I was worried that we would have to encrypt our entire database.

    • Re: (Score:2, Funny)

      by JayAitch ( 1277640 )
      Thanks I almost forwarded this article to my boss. He would have had a heart attack.
      • Re:Okay whew (Score:4, Interesting)

        by ShieldW0lf ( 601553 ) on Friday October 17, 2008 @04:39PM (#25418745) Journal

        Identity theft causes a breakdown in the system that allows a few very rich to wield excessive and arbitrary power while the majority struggles to meet their needs while surrounded by plenty.

        I'm not rich. I don't expect to be rich, I don't desire to be rich. To be rich is to stand on the neck of your fellow man and steal his share, and to spend each day ensuring that the exploitation isn't disrupted.

        I hope we see more identity theft. This system shouldn't exist, and the sooner it shatters due to its own inherent nature, the happier I will be.

        I've got an idea for a much better law. All data must be placed on public servers, like Wikileaks, where anyone can examine it at any time. Anyone attempting to conceal information under any circumstances is guilty of conspiracy and treason. That would make it pretty hard to steal someones identity; you'd be caught for sure.

  • mofo.com? (Score:2, Funny)

    by Anonymous Coward

    What kind of n00b do you think I am? Like I'm really going to click through a link to mofo.com [mofo.com].

    Jesus.

    • Re:mofo.com? (Score:5, Informative)

      by hajihill ( 755023 ) <haji_hill@hotm[ ].com ['ail' in gap]> on Friday October 17, 2008 @11:47AM (#25414325) Journal
      Assuming here that the above poster is being funny, I'll clear this up for those this might actually cause some concern.

      Morrison & Foerster [wikipedia.org] is a internationally recognized and prestigious law firm established in 1883, that has been going by the nickname MoFo since 1973. More on the linked wikipedia article for those still interested or skeptical.
      • Morrison & Foerster [wikipedia.org] is a internationally recognized and prestigious law firm established in 1883, that has been going by the nickname MoFo since 1973. More on the linked wikipedia article for those still interested or skeptical.

        But, you have to admit, given how the current usage of "MoFo" has changed, it's an unfortunate domain name. That, or it's now the Samuel L. Jackson of domain names.

        If they're your attorneys, you can say that your lawyers are some bad-assed MoFo's and be entirely

  • by OeLeWaPpErKe ( 412765 ) on Friday October 17, 2008 @10:53AM (#25413453) Homepage

    Forcing idiots to encrypt sensitive files will ...

    force idiots to encrypt files (not the ones they should encrypt, obviously) using the password "password" ...

    and

    lose half the data, believing they encrypted it

    and

    send the data to half their family, especially anyone claiming to be a hacker, with the subject line "can you tell me the password for this file", who'll put it online on wikileaks (who'll happily -and proudly- publish extremely private information on anyone they don't like [wikileaks.org], laws and privacy be damned)

    Well at least, when the honeymoon's over and it's time for Barack O. to publish his email correspondance he can claim to have "encrypted it" and then send a random string, telling the judge the password has something to do with a very dark hole where apparently many claim the sun does not shine.

  • by i_want_you_to_throw_ ( 559379 ) on Friday October 17, 2008 @10:54AM (#25413459) Journal
    How interesting and ironic that not that long ago (1991) possessing encryption tools was considered as munitions!

    It used to be that Philip Zimmermann was getting hassled for his creation of PGP.

    Boy we've come a long way. Check out the Wikipedia entry on PGP if you can [wikipedia.org]
    • Re: (Score:2, Informative)

      by IchNiSan ( 526249 )
      s/possessing/exporting/g
  • by sakdoctor ( 1087155 ) on Friday October 17, 2008 @10:55AM (#25413485) Homepage

    but clueless users will write the password on a post it note, and probably burn a plaintext CD copy to leave lying around.
    Government agencies will be worse.

    • What you can't solve with technology, solve with policy. Burn unencrypted data to CD because your convenience is more important than security? That's a firin'.

      • But the boss requested the cd for his home computer.

        Refuse to burn the CD? That's a firin'.

        The only solution is to get the boss' beard stuck in a pencil sharpener.

    • by hansraj ( 458504 )

      1. Make use of encryption common
      2. Once people are familiar with it, hopefully all softwares dealing with data support encryption by default.
      3. ???
      4. Profit (for people like me who can't use encryption in for example pidgin because the other person can't be bothered to install the plugin).

    • This also won't stop people working for government agencies to simply sell the information.

      It is very doubtful that so many people happen to lose laptops or other materials. How easy is it to sell a laptop and claim you lost it or that it was stolen? When do you ever hear about these "lost" laptops with a lot of personal data being returned? Never.

      The best solution would be to encrypt the files and don't trust the low level employee's with the key.

      • Re: (Score:3, Insightful)

        by Gonarat ( 177568 ) *

        Encrypting laptops won't stop an employee from selling the laptop and data if that is what they want to do. All they have to do is give the purchaser the password when they sell the machine. All the purchaser needs to do is fire up the laptop and enter the password to get the data. Our work laptops are encrypted, and all i have to do at home to use the machine is enter my logon password twice -- once for access to the encrypted partition of the hard drive, and once to log on to Windows XP. I don't even

      • Re: (Score:3, Informative)

        by valkraider ( 611225 )

        The best solution would be to encrypt the files and don't trust the low level employee's with the key

        You do realize that it is the "low level employees" who do most of the work, right?

    • by plover ( 150551 ) * on Friday October 17, 2008 @04:52PM (#25418911) Homepage Journal

      but clueless users will write the password on a post it note, and probably burn a plaintext CD copy to leave lying around. Government agencies will be worse.

      And you know what? That's better than nothing. It's another layer.

      Sure, we all think about "stolen laptops" when we think about these data losses, but that's not always true. Think about a remote hacking attack. Let's say a bad guy connects to the machine and starts sucking up a ZIP files labeled "Customer_Credit_Cards_2007-2008.ZIP". And the password is written down and stuck to the screen. The bad guy is on a network, can't see that password, and the file is just as unencryptable to him as it would be without the sticky note to you.

      I'm just saying that you can still get some protection even from bad practices. If that stops 50% of the attackers, well, that's 50% more than we're stopping today. Is it watertight? No. Is it enough? No. Is it better? Yes.

  • Given that this does not affect personal computers, only corporate data stored about private individuals, how does this warrant a nannystate tag?
    • Re:nannystate tag? (Score:4, Insightful)

      by jellomizer ( 103300 ) on Friday October 17, 2008 @11:03AM (#25413635)

      As many people in the election on both sides has stated There are a lot of small business out there, more that do not focus on IT in general. Excessive restrictions and regulations are just as bad as none. You can't hold the hands of every company. You need to let them mess up from time to time. Encrytion is a good thing however forcing it isn't even for companies. As many of the small business are an employee of one and it is their own personal PC.

      • Re: (Score:3, Interesting)

        by peragrin ( 659227 )

        a laptop is stolen weekly with 10000 credit card numbers on it. Yet the companies only respond to it when it affects their bottom line. This has to be law as it will take another decade before most companies even think about it.

      • Re: (Score:3, Insightful)

        by jandrese ( 485 )
        As long as the restrictions are reasonably commonsense, I don't think small businesses should be exempt. In the end it doesn't matter if my personal information ends up on the black market via a small business or a large business with lax security, either way I'm screwed.

        Simple solutions that would solve 95% of the data leaks (especially the big ones):
        1. Never store customer data on machines that must travel outside of the company. 2. Regardless of #1, all laptops have full disk encryption where poss
        • Re:nannystate tag? (Score:4, Informative)

          by DavidTC ( 10147 ) <slas45dxsvadiv.vadiv@NoSpAm.neverbox.com> on Friday October 17, 2008 @12:39PM (#25415065) Homepage

          It's not just personal data on the laptop.

          I work for a fairly small company, and while we don't have any person data off our server, and in fact don't really have any personal data beyond names, addresses and email accounts...

          ...we have logins to our CC processor and whatnot that could trivially be used to steal quite a lot of CC numbers. In addition to probably breaking into our bank account and draining. In addition to getting into our servers and installing backdoors.

          Which is why, of course, we have Truecrypt with boot-time encryption on all laptops, so that if they get stolen we don't have to run around like chickens with our heads cut off trying to figure out every single login that needs to be changed.

          For those people worried about forgetting password: Burn three or four TrueCrypt 'recovery CD' and write the password on them. In fact, write the password everywhere...just don't carry it around in the laptop bag.

          Seriously, half these 'data thefts' are random laptop thieves stealing random laptop that just happen to include absurdly dangerous amounts of data on them. They aren't targeted attacks, and the thief is probably wiping them before boot. But companies have to act like they have all your data because said companies are morons who can't spend a tiny amount of time setting up free software that would stop that from happening.

          People often worry about computer security in entirely the wrong direction, worrying about changing internal company-only passwords every month, and then completely ignoring actual outside risks like someone snatching a laptop bag off someone's arm.

      • Re: (Score:3, Insightful)

        by Just Some Guy ( 3352 )

        You can't hold the hands of every company. You need to let them mess up from time to time. Encrytion is a good thing however forcing it isn't even for companies.

        Lead reduction is a good thing however forcing it isn't even for companies.

        Proper document shredding is a good thing however forcing it isn't even for companies.

        Proper hazardous waste disposal is a good thing however forcing it isn't even for companies.

        There are a lot of things that are inconvenient that we, as a society, have decided that our citizens must do. In each of the above cases, including yours, the regulations exist to enforce real, tangible protections. These aren't hypothetical problems that

        • Proper hazardous waste disposal is a good thing however forcing it isn't even for companies.

          Are you saying it should be legal to dump hazardous waste?

          • by pjt33 ( 739471 )
            No. He's demonstrating that "measure X has more of an impact on some companies than others" isn't a sufficient reason not to implement measure X.
      • Did you not even RTFS? They mention that this is applicable to companies who deal with peoples' personal information. If you run a one-man company that handles personal information and can't afford to implement even basic encryption and security systems, I would classify you in the same department and one-man machining companies that don't implement basic safety procedures!

        If your company can't handle the requirements for handling personal information, then you shouldn't be handling personal information. Pe

  • Or if they are in the UK.

    Let's say that this (good) idea is properly implemented (rather then just pretend implemented), and all the laptops have full disk encryption in place.

    Now someone with one of these laptops travels outside the US, and then flies back in and is asked to boot up the laptop. They will do so of course, and then, suddenly, there is no point to having the encryption, at that point. Sure it's still useful for cases where the laptop gets left on a train or something (assuming that they also

    • by FLEB ( 312391 )

      Why use full-disk, then? I imagine that having a bootable computer with reasonable apps would be enough to pacify most security personnel. For most cursory inspections, what ain't mounted ain't there.

    • Yes mister DHS, I'd love to decrypt this file for you! However, it is in the "Customer Records" folder, so I'm not allowed to know the key. Yes, it is probably full of goat-porn and cocaine receipts, but that's the law...

    • Yup, because if a solution doesn't fix every fucking problem in the world, it's not worth doing.

      I'll be sure to tell my plumber not to try using the plunger because a plunger won't cure cancer.

      No dumbass, a lost laptop with tens of thousands of users information on it is not directly equivalent to what a semi-hostile government body in a foreign country might do.

  • Oh Lord (Score:3, Interesting)

    by TheHawke ( 237817 ) <rchapin&stx,rr,com> on Friday October 17, 2008 @10:57AM (#25413533)

    Here comes the flood of complaints that their systems are slow, not responsive or too busy.

    We have gunfights with our encryption client almost on a daily basis, being a resource hog and all that.

  • "nanny state"? (Score:3, Interesting)

    by Garse Janacek ( 554329 ) on Friday October 17, 2008 @10:58AM (#25413555)
    Okay, why is this already tagged "nanny state"? Is it somehow a fascist imposition on the free market to make companies protect the personal data of their customers? Aren't slashdot articles run all the time criticizing how lax many corporations (including financial companies that should know better) are with their customers' data?
    • Re: (Score:2, Insightful)

      by dlcarrol ( 712729 )
      Yes, it is. The answer is to create penalties for losing personal data just like there could be penalties for losing my car at a mechanic's shop. The answer is not to force every mechanic to build a bank vault around his parking lot, and it is stupid to think that this will do anything except a) make nearly every business a "criminal" with spotty, whimsical enforcement or b) shut things down and so be repealed el fasto
      • Re: (Score:3, Insightful)

        by CSMatt ( 1175471 )

        No amount of fines in the world will get my personal data back. Once it's out there, it cannot be retracted. At least if the mechanic loses my car I can sue and use the money to invest in a new car. No one can use the car to impersonate me or make copies of the car to allow others to do the same. The car is just an object. It way have sentimental value, but I can ultimately live without that particular car. Personal data breaches, however, can adversely affect people for life. Data can be copied and

    • Re:"nanny state"? (Score:4, Insightful)

      by Aladrin ( 926209 ) on Friday October 17, 2008 @11:09AM (#25413751)

      In a word: Yes.

      Making laws to tell them exactly what to do is stupid. What if there's a better way, and encryption isn't needed? They still have to do the encryption now.

      Other posts have been more reasonable: Harsher penalties for failing to protect the data.

      It might even be different if this was a 100% fix. It's not. Now the thief just needs 1 more step, instead. The password/key. Even without it, it's not impossible to crack encryption. It's just very hard, if done right. (And next to useless if done wrong.)

      So yes, the 'nannystate' tag is accurate.

      • What if a company thinks or claims there's a better way, and encryption isn't needed?

        There, fixed that for you.

      • But the same objections could be raised to physical safety laws, or due diligence laws of any kind. With safety regulations, you don't just increase the penalties for accidents, and you don't avoid making explicit requirements because "what if there's a better way?" -- if the technology improves, so can the regulations, but it shouldn't just be a matter of whatever the company thinks is good enough.

        Now the thief just needs 1 more step, instead.

        Anything any company might conceivably do, with or without le

      • by smoker2 ( 750216 )
        In a word: No
        You seem to be in favour of the data getting out and punishing those responsible. How does that protect my data ? Answer - it doesn't, in any way shape or form.
        As for the thief only needing one more step, that's wrong too. I have a key for my ssh connections which requires a passphrase. I could use the same for files. So I would need:
        a)the files
        b)the key
        c)the passphrase.

        So no, nanny state is not accurate. Explain to me why the state is mandating encryption - oh yes, it's because companies are
  • Only 2% reduction? (Score:5, Insightful)

    by NoNeeeed ( 157503 ) <slash@@@paulleader...co...uk> on Friday October 17, 2008 @10:58AM (#25413565)

    I'm not surprised it has made so little difference.

    As we know, technical solutions are rarely enough to protect data. Human processes and policies can be much more important.

    Personally I prefer the UK approach, the Data Protection Act [wikipedia.org]. No doubt it is flawed, and sadly not enforced as rigorously as it should be, but the concept is better. Rather than mandate specific technological approaches, it imposes a set of general requirements on any organisation that holds personal data:

    • Data may only be used for the specific purposes for which it was collected.
    • Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.
    • Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
    • Personal information may be kept for no longer than is necessary.
    • Personal information may not be transmitted outside the EEA unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
    • Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner.
    • Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).

    The DPA is one of the few generally excellent pieces of legislation in the UK. It's just a shame that the Information Commisioner's Office that enforces it isn't as active as it could be. But it gives you quite a bit of power to take on companies yourself.

    • Re: (Score:3, Informative)

      by MrMr ( 219533 )
      The DPA is one of the few generally excellent pieces of legislation in the UK
      Ironic that it is just the local implementation of the 1995 EC data protection directive...
    • by homer_s ( 799572 )
      Personally I prefer the UK approach, the Data Protection Act. No doubt it is flawed, and sadly not enforced as rigorously as it should be, but the concept is better. Rather than mandate specific technological approaches, it imposes a set of general requirements on any organisation that holds personal data:

      A better approach would be to stop pretending that a 10 digit number that is stored in a million different places is 'personal information'.
    • by jimicus ( 737525 )

      The DPA is one of the few generally excellent pieces of legislation in the UK. It's just a shame that the Information Commisioner's Office that enforces it isn't as active as it could be. But it gives you quite a bit of power to take on companies yourself.

      It's an excellent piece of legislation - but it's also one of the most widely misunderstood and poorly enforced.

      It's been used by utility companies to avoid doing things - even though doing such things wouldn't be a breach of it anyway.

      It's been ignored wholesale by British Telecom (who got away with it because police "don't think they intended to break the law" [theregister.co.uk] - really? Can I use that as a defence?).

      On those rare occasions it has been enforced, companies fined have openly admitted that it won't affect th

    • Personally I prefer the UK approach, the Data Protection Act.
      ...
      The DPA is one of the few generally excellent pieces of legislation in the UK.


      And yet we still hear, quite a lot, of the MOD, NHS, or other UK entity losing yet another laptop, full of raw user data.
      Just last week [slashdot.org], in fact.

      But it gives you quite a bit of power to take on companies yourself.

      Only after they give your life away. It is too late then.
      This is at least trying to be proactive. Knowing there will be a loss, minimize the effects.
  • Why so expensive (Score:4, Interesting)

    by LordKronos ( 470910 ) on Friday October 17, 2008 @10:59AM (#25413581)

    The Massachusetts government estimates that a business with 10 employees will need to spend $3,000 up front, plus an additional $500 a month in order to comply. Security executives at larger firms said they expect to spend a similar amount per employee.

    It sounds to me like all you need to do is encrypt the hard drive and require a password, but if so, why so much? It seems $300 per person is probably on the expensive end for the software, but I'll let that one slide. However, $50 per person per month just to maintain the system? What is this cost for? What is there to maintain? The only thing I can think of is dealing with forgotten passwords, which will require restoring the system and losing whatever was on the laptop and not backed up. $600 per employee per year seems high for this.

    • by Aladrin ( 926209 ) on Friday October 17, 2008 @11:13AM (#25413807)

      Encrypting something isn't instantaneous, especially if new software has to be researched, bought, and installed. In addition, you're paying 2 employees for the time the system is getting the software installed. This goes for laptops, pc, servers, etc. The downtime for servers is also going to cost money in its own ways.

      If you think dealing with encryption won't waste $50/mo of each employees productivity, you're mistaken. Plus the passwords thing you mentioned... That could do it on average, too.

      No, I think the estimates are low, if anything.

      • What downtime for servers? This law is just about encrypting data on portable devices, as far as I can tell. And how does encryption reduce a user's productivity? Yeah, it takes time to decrypt files, but not that much time. Especially considering most users will be dealing with relatively small files (for the most part, a couple MB at worst). I really can't see the 50 per month cost

      • If you think dealing with encryption won't waste $50/mo of each employees productivity, you're mistaken

        Bullshit. Encryption can and should be transparent to the employee. He enters his password, as he always does, and doesn't even need to know that his data is encrypted. Yes, encryption puts a small burden on the admin. But usually only once or, at worst, once per workstation. So, where exactly are $50/month wasted per employee here?

        • by Aladrin ( 926209 )

          What magical encryption do you have that doesn't slow the system at all?

          • Re: (Score:3, Informative)

            What magical encryption do you have that doesn't slow the system at all?

            It's not the encryption, it's having a system with a processor made in the last 5 years. Spinning plates of rust are already insanely slow, adding symmetric encryption on top of that won't make a difference.

            • Re:Why so expensive (Score:4, Informative)

              by DavidTC ( 10147 ) <slas45dxsvadiv.vadiv@NoSpAm.neverbox.com> on Friday October 17, 2008 @12:54PM (#25415263) Homepage

              Right. Especially for laptops, which tend to have slower hard drives in the first place.

              I installed TrueCrypt on my moderately old laptop, an Intel 1.6Ghz, and the only speed different I notice is that, for some reason, hibernation and unhibernation is twice as slow. I suspect this is some sort of bug. Other than that, I forget it's there except when I boot up.

              TrueCrypt, by default, uses AES, which was designed for speed on modern processors. (Or, rather, was designed to use exactly the mathematical operations that CPU manufacturers optimize for in order to make games run faster, so as CPUs keep speeding those operations up AES gets faster.)

              Ha, I just checked to see if that hibernation thing is a bug, and it turns out that not only is it, but it's been fixed in 6.0 and I should just upgrade instead of whining about it.

          • There are some IDE controllers that can do encryption/decryption on the fly, using a password from the BIOS. I think some Lenovo systems sport such chips.

            I'm waiting for the first company to standardize AES and SHA1/SHA2 within their x86 processors. VIA already has this, but I'm not sure it is ready for standardization in their form.

            Then the time would be minimal for any protocol that uses the hardware encryption.

          • What kind of CPU are you using that you can even measure a slowdown?
            Anything above 1GHZ should be able to perform transparent encryption without breaking a sweat.

            For reference: My Athlon64 3500+, which is a few years old now, encrypts AES-256 at roughly 80MB/s.
            Most harddrives can't even burst at that rate, much less sustain it. Furthermore, for full-disk encryption you'll often use a less CPU intensive algorithm such as blowfish.

            Thus, unless your CPU is completely saturated by something else (very unlikely

      • Re: (Score:3, Insightful)

        If you think dealing with encryption won't waste $50/mo of each employees productivity, you're mistaken.

        My work laptop has full-disc encryption. The only time I notice is when it asks for a boot password or when I have to change the password every couple months. This is completely negligible compared to, say, the time to boot Windows and open all the horribly bloated (and network-aware, so they also take time to connect to the server) applications I have to use.

    • Re: (Score:3, Interesting)

      Someone here must have been through an enterprise-wide encryption rollout. What did yours cost?

    • by jimicus ( 737525 )

      The only thing I can think of is dealing with forgotten passwords, which will require restoring the system and losing whatever was on the laptop and not backed up.

      They're probably working on the basis of the commercial top-end version of PGP. This includes key recovery so forgotten passwords don't mean the laptop needs to be wiped - but it's not cheap. The price quoted sounds about right from the last time I looked into it.

  • by Verteiron ( 224042 ) on Friday October 17, 2008 @11:02AM (#25413619) Homepage

    Why do I have a sneaking suspicion that specific software will be endorsed and/or required to meet this new requirement? Probably whichever one spends the most money to "demonstrate" its capabilities to the lawmakers by treating them all to free vacations in the Bahamas. How much do you want to bet that a free solution like Truecrypt just won't meet the "standards" set by this new law?

  • Corporate interest (Score:4, Interesting)

    by crow ( 16139 ) on Friday October 17, 2008 @11:04AM (#25413665) Homepage Journal

    I wonder if Massachusetts concern about encrypting stored data has anything to do with EMC being headquartered in the state. Considering that EMC owns RSA (the company), a law like this would probably benefit EMC. Also, Massachusetts is home to TJX, famous for having had a major data breach.

    [Note: I work for EMC, but have no inside knowledge related to this topic.]

  • Seriously, its about damn time that states required companies with our personal data to do something smart with it. Yes I don't like business being forced to act at the whim of a government but in this case, with so much of our data out there and being transmitted to third parties controls are important.

  • by CodeBuster ( 516420 ) on Friday October 17, 2008 @11:06AM (#25413689)
    It amuses me to see how government always wants to have its cake and eat it too. I agree that widespread use of strong encryption and good security practices is of great benefit to society, but some Senator or law enforcement agency is bound to complain that their ability to wiretap or access encrypted data is being compromised by these better private security measures. Strong encryption and good security are two edged swords, they help us and they help our enemies as well, there is no way around that. Personally, I don't have a problem with that. I would rather live in a society were encryption is used, privacy is paramount, and some criminals and evil doers are a bit harder to catch, not a bad trade-off IMHO. However, there will doubtless be howls of indignation from the law enforcement community, which contains more than its fair share of self-righteous authoritarian pricks, about how criminals are getting away with crimes and going unpunished. I suppose that my response to them would be to make better use of the tools and laws that we already have instead of depending upon ever more egregious invasions of our collective personal privacy and abridgements of our Constitutional rights merely to prevent some drug addict from getting his fix or some high school students from posting pictures of themselves on MySpace or Facebook.
  • Mandate != Reality (Score:4, Insightful)

    by Gothmolly ( 148874 ) on Friday October 17, 2008 @11:07AM (#25413699)

    Just because a state mandates something, does not mean it automatically happens. Look at speeding, look at drug laws, look at overtime rules for P/T and F/T employees, look at many other unenforced business regulations.

    This stuff is like when a judge ordered a server's RAM chips removed and stored as evidence, as they were a 'data storage device'. Government typically sucks at anything like this.

  • by scrod98 ( 609124 ) on Friday October 17, 2008 @11:14AM (#25413829)
    ...who thought that the link to MOFO.com would be some kind of Samuel L. Jackson fan site and not a law office?
  • as was discussed yesterday, could be pointless [slashdot.org], as good part of the breach could go thru social engineering and trojans that could defeat several kinds of encryption schemes.

    If you want to force users to be safe, educate and give them tools to be safe, be the information in their HDs encrypted or not.

    Wonder how this combines with the tendency of US government to monitor ISPs to detect terrorism, IP violation or whatever excuse is hot in that moment. The encryption needed is a backdoored one or we could

  • by russotto ( 537200 ) on Friday October 17, 2008 @11:55AM (#25414451) Journal

    Any lawyers reading want to comment on Massachusetts's attempt to impose this regulation on any business (even one without a presence in Massachusetts) storing information about Massachusetts residents? My take on this is that they are WAY overstepping the boundaries of what state laws can do, but IANAL.

    • IANAL, and that was my first thought too. However, after thinking a little, if a customer in MA does business with my company, and my company flubs his personal data, he can file on me in MA, even though my company has no corporate presence there.
  • Nevada's legal definition of encryption sucks, and covers just about any technology that obstructs a bad guy's access to data. That includes such cryptographic wonders as, say, passwords or 2-factor auth.

    The weaknesses of this law have been pointed out repeatedly -- for example by Schneier in a crypto-gram from probably 2004 (this is from memory), and by various bloggers interested in data breach legislation.

    I am sure MA could not do a worse job, but Nevada did an absolutely terrible one.

  • by Jimmy_B ( 129296 ) <jimNO@SPAMjimrandomh.org> on Friday October 17, 2008 @12:25PM (#25414879) Homepage

    Encryption is good for protecting trade secrets, but useless for protecting social security numbers. Thieves who want to steal credit card or social security numbers can choose from tens of thousands of possible targets, at least one of which will be insecure. We need to stop pretending that social security numbers are useful as identification or authentication, because using an SSN to identify yourself requires disclosing it. We need to switch to a system of public-key cryptography, and put the blame for identity theft where it belongs: on the banks, who somehow decided that a few readily-discoverable numbers and a few easily-forged documents were all that's needed to take a loan in your name.

    • Thieves who want to steal SSNs can just throw darts, and check the SSA for whether or not they exist (I remember some services advertised years ago that did -e lookups for free and info dumps for like $5).

      Even if they were well distributed the thieves would have something like a 1/3 chance, so it wouldn't take too much effort for "monte carlo" identity theft to be fairly profitable. AND go largely unnoticed: the thieves may have a high chance of guessing a number, but the number of actually stolen identiti

  • minimal effort (Score:3, Interesting)

    by Wyck ( 254936 ) on Friday October 17, 2008 @12:46PM (#25415159)

    I wonder if people will simply ROT13 [wikipedia.org] their data for cheap token compliance.

  • win98 (Score:3, Informative)

    by zanybrainy941 ( 972076 ) on Friday October 17, 2008 @12:52PM (#25415239)
    Looks like a lot of state agencies are finally going to have to upgrade from Win98.
  • by Fencepost ( 107992 ) on Friday October 17, 2008 @12:58PM (#25415335) Journal
    A requirement for on-disk encryption could actually be a real problem for many medical practices, because an astonishing number are still using slightly-updated versions of practice management software from the early- to mid-90's on systems like SCO's OpenServer 5.0.x. I support a fair number of those practices.

    We also have one practice running a dedicated system for ophthalmologists that is so old it doesn't understand networks. Users are connected via serial port expansion units. Makes it a pain when they have multiple sites and the telco says "We're dropping support for those 56k dedicated lines you've been using for 15 years."
    • Sounds like that's a market opportunity... I'll bet someone would be willing to deal with the HIPAA stuff to make a new system once the technology is completely outdated.

      Or do you still complain that you can't get leaded gasoline?

  • This could provide all sorts of amusement.

    Once companies have to encrypt the user data, I'm waiting for some poor schmuck to be coming back into the US with data on his laptop. The border guys will insist you decrypt -- and, then you're screwed either way.

    If you don't decrypt it, immigration and DHS will arrest you. If you do, the states will arrest you. :-P

    I kid, hopefully this wouldn't be a real scenario. But, dueling laws is always fun to ponder.

    Cheers

  • From TFA:

    Starting in January, Massachusetts will require businesses that collect information about that state's residents to encrypt sensitive data stored on laptop computers and other portable devices.

    And how much authority does Massachusetts have over a company in Wilimgton, DE (for example)? None.

    Best case, this law will be ignored for a few months, then struck down by Federal court on the grounds that a state lacks authority over businesses that operate across state lines.

    Worst case, businesses will ju

"...a most excellent barbarian ... Genghis Kahn!" -- _Bill And Ted's Excellent Adventure_

Working...