
Nevada Businesses Must Start Encrypting E-Mail By Oct. 1st

Soulskill posted more than 6 years ago | from the wouldn't-bet-on-it dept.

Encryption 178

dtothes writes "Baseline is reporting the state of Nevada has a statute about to go in effect on October 1, 2008 that will force businesses to encrypt all personally identifiable information transmitted over the Internet. They speak with a Nevada legal expert who says the problem is that the statute is written so broadly that the law could potentially open up a ton of unintentional liability and allow for the interpretation of things like password-protected documents to be considered sufficiently encrypted. Quoting: 'Beyond the infrastructure impact, the statute itself looks like Swiss cheese. Bryce K. Earl, a Las Vegas-based attorney, ... has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil.'"


I wonder . . . (4, Interesting)

base3 (539820) | more than 6 years ago | (#25109679)

. . . which Nevada legislator's friend or relative just happens to sell some kind of compliant encryption solution.

Re:I wonder . . . (4, Insightful)

neuromancer23 (1122449) | more than 6 years ago | (#25109831)

Forget selling software. The real money comes from selective prosecution of offenders.

This law is absurd, and only goes to demonstrate how insane everyone on this planet is. An email address is potentially personally identifiable information. So is an IP address. So is a password.

So based on this legislation, resetting a user's password and sending them the new password via email is illegal?

Re:I wonder . . . (4, Funny)

clone53421 (1310749) | more than 6 years ago | (#25109893)

You could always put the password into a text file, zip it, and password-protect the zip with their old password before you e-mailed it to them.

Re:I wonder . . . (4, Funny)

morgan_greywolf (835522) | more than 6 years ago | (#25110463)

You could always put the password into a text file, zip it, and password-protect the zip with their old password before you e-mailed it to them.

Duh. Obviously that wouldn't work, since they don't know their old password. You'd have to password protect the password with their new password!

Re:I wonder . . . (4, Informative)

Ferzerp (83619) | more than 6 years ago | (#25110153)

RTFL. There is "personal information"

NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

1. Social security number.

2. Driver's license number or identification card number.

3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.

The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.

(Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)

Insecure anyway... (4, Informative)

DrYak (748999) | more than 6 years ago | (#25110167)

So based on this legislation, resetting a user's password and sending them the new password via email is illegal?

This is an extremely insecure procedure, unless you make sure that, upon receiving the e-mail, the user will quickly log in and change the pass to another one (the mailed password only used as a temporary pass). Or if the mail actually is a special reset-URL which could let the user choose his own.

An email is just as secure as a postcard. Everyone (for example, the postman) could read it. Same for the e-mail: it transits unencrypted and could be intercepted at any point on the way to the receiver.

Re:Insecure anyway... (2, Interesting)

ropiku (1071312) | more than 6 years ago | (#25110725)

This is an extremely insecure procedure, unless you make sure that, upon receiving the e-mail, the user will quickly log in and change the pass to another one (the mailed password only used as a temporary pass). Or if the mail actually is a special reset-URL which could let the user choose his own.

An email is just as secure as a postcard. Everyone (for example, the postman) could read it. Same for the e-mail: it transits unencrypted and could be intercepted at any point on the way to the receiver.

What method of password recovery do you suggest ?
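The reset-URL approach DrYak mentions, worked through as an added example (not code from any poster): the e-mail carries only a random, single-use, time-limited token; the server stores just the token's hash, so a sniffed message or a leaked database entry never yields a usable password. The store, URL and TTL below are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed in-memory store (assumption): username -> (sha256(token), expiry).
# A real deployment would keep this in a database alongside the user record.
RESET_STORE: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; short, because the link travels in clear


def _hash_token(token: str) -> str:
    # Only the hash is stored, so reading the store does not reveal a valid link.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_link(username: str,
                     base_url: str = "https://example.invalid/reset",
                     now: Optional[float] = None) -> str:
    """Build the URL that would go in the e-mail. No password is ever mailed."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_STORE[username] = (_hash_token(token), now + TOKEN_TTL_SECONDS)
    return f"{base_url}?user={username}&token={token}"


def parse_reset_link(url: str) -> Tuple[str, str]:
    """Recover (username, token) from a link, as the reset page would on click."""
    query = parse_qs(urlparse(url).query)
    return query["user"][0], query["token"][0]


def redeem_reset_token(username: str, token: str,
                       now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired token.

    On success the entry is consumed, so the link cannot be replayed; the user
    then chooses a new password on the page that receives the redeemed request.
    """
    now = time.time() if now is None else now
    entry = RESET_STORE.get(username)
    if entry is None:
        return False
    stored_hash, expiry = entry
    if now > expiry:
        RESET_STORE.pop(username, None)  # expired links are discarded
        return False
    # Constant-time comparison avoids leaking the stored hash byte by byte.
    if not hmac.compare_digest(stored_hash, _hash_token(token)):
        return False
    RESET_STORE.pop(username, None)  # single use
    return True


if __name__ == "__main__":
    link = issue_reset_link("alice")
    user, tok = parse_reset_link(link)
    print("first click:", redeem_reset_token(user, tok))   # True
    print("replay:", redeem_reset_token(user, tok))        # False
```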

I'm so disillusioned... (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#25109973)

And here I was believing that Big Government was this benevolent, omniscient, omnipotent entity. Oh merciful Lord Barry, heal me of my bitter, gun-clinging ways!

Re:I wonder . . . (4, Interesting)

Cajun Hell (725246) | more than 6 years ago | (#25110427)

But the best encryption is free [gnupg.org] and the text of the law doesn't even exclude it. If someone wanted this bill to make money for their friend, they sure screwed up.

Re:I wonder . . . (1)

denis-The-menace (471988) | more than 6 years ago | (#25110721)

Too bad even a PW-prompting Zip file is too complicated for most non-IT folk.
And here we are encrypting email.

TAG: good luck with that

we know that... (1)

filthpickle (1199927) | more than 6 years ago | (#25110729)

but if you run a business and aren't tech savvy you don't.

I already deal with having to encrypt everything in my current job (electronic medical claims). Believe me, there is still a ton of money to be made, even if you don't sell the software to them.

it's (0)

Anonymous Coward | more than 6 years ago | (#25109695)

... a start!

Just ROT-13 twice (5, Funny)

Anonymous Coward | more than 6 years ago | (#25109717)

If they are not clear on the definition of encryption, just ROT-13 your messages twice and specify that's the type of encryption you use. You then have to ROT-13 it twice again to decrypt.

Re:Just ROT-13 twice (-1)

SleptThroughClass (1127287) | more than 6 years ago | (#25110625)

Uh... you ROT-13 the garble once to decrypt. Unless you need the extra security of running it through ROT-13 an extra time.

Re:Just ROT-13 twice (4, Informative)

Anonymous Psychopath (18031) | more than 6 years ago | (#25110861)

For the humor-impaired, performing ROT-13 twice results in the same text as the original unencrypted message. Performing ROT-13 twice again to "decrypt" would once again result in the same text as the original, unencrypted message. It's just a joke, relax.

Re:Just ROT-13 twice (0)

Anonymous Coward | more than 6 years ago | (#25111013)

FAIL!

Re:Just ROT-13 twice (3, Funny)

gparent (1242548) | more than 6 years ago | (#25111257)

Your username is very fitting.

Force Encryption eh (0, Redundant)

CrazyJim1 (809850) | more than 6 years ago | (#25109729)

Does Rot 13 count?

Re:Force Encryption eh (2, Funny)

Mhtsos (586325) | more than 6 years ago | (#25109817)

It's too weak. You can use it, but you must encrypt everything twice just to be safe.

Re:Force Encryption eh (1)

clone53421 (1310749) | more than 6 years ago | (#25109913)

Nah. Real geeks convert to hexadecimal before ROT-13 encrypting anything.

Re:Force Encryption eh (1)

Cytotoxic (245301) | more than 6 years ago | (#25111177)

Nah. Real geeks convert to hexadecimal before ROT-13 encrypting anything.

Wouldn't that be ROT-D?

Re:Force Encryption eh (4, Funny)

Angostura (703910) | more than 6 years ago | (#25109887)

I have developed a system by which each character is taken and broken up into a pattern of ones and zeros. The exact pattern is determined by looking up the character in a table. The receiver has to unscramble this pattern of ones and zeros by looking the pattern up in a similar table and then regenerating the character.

I call this system ASCII and I believe that it is a simple type of encryption, albeit with a very public public key, and no private key.

Re:Force Encryption eh (2, Funny)

clone53421 (1310749) | more than 6 years ago | (#25109937)

0101011101101000011000010111010000111111

Re:Force Encryption eh (0)

Anonymous Coward | more than 6 years ago | (#25110143)

Encryption != Encoding

Re:Force Encryption eh (4, Funny)

LordEd (840443) | more than 6 years ago | (#25110031)

I use ROT26. It must be twice as secure as ROT13.

Re:Force Encryption eh (1)

TheSHAD0W (258774) | more than 6 years ago | (#25110379)

I'm a very paranoid person, and I use ROT104 encryption on all my important data. Yeah, it may be overkill, but my computer does it so quickly I barely notice it happening.

SRSLY, I'm a big fan of ubiquitous encryption, and this may work to jumpstart it.

Re:Force Encryption eh (1)

SatanicPuppy (611928) | more than 6 years ago | (#25110703)

The problem with ubiquitous encryption is the same problem you always have when everything is "top security"...When everything is top security, nothing is top security.

I'm a big believer in encryption where it's appropriate, but if you force it everywhere people get sloppy with the data and their keys, and all kinds of crap.

Re:Force Encryption eh (1)

Skapare (16644) | more than 6 years ago | (#25110867)

I'm a very paranoid person, and I use ROT104 encryption on all my important data. Yeah, it may be overkill, but my computer does it so quickly I barely notice it happening.

I think you need to upgrade to triple-ROT104.

Re:Force Encryption eh (0)

Anonymous Coward | more than 6 years ago | (#25110689)

I use ROT26. It must be twice as secure as ROT13.

It is, but only for non-alphabetic characters.

Knowing the law... (1, Interesting)

dkf (304284) | more than 6 years ago | (#25109745)

Am I just being too cynical, or will putting everything in a password-protected ZIP file and then sending that, together with the password, satisfy the rules?

Re:Knowing the law... (1)

tergvelo (926069) | more than 6 years ago | (#25109929)

1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

The law includes anything that would 'delay' access to the information. They don't say how long the delay must be, so simply putting it in a zip file that would take time to unzip would satisfy the law.

Ridiculous.

Re:Knowing the law... (1, Insightful)

Anonymous Coward | more than 6 years ago | (#25110109)

Not at all. By decrypting, you've made a prosecutable effort. However, the data is safe from passive sniffing.

Re:Knowing the law... (1)

davester666 (731373) | more than 6 years ago | (#25110585)

If it's just a delay that is needed, then just add 40 or 50 linefeeds, to force the recipient to scroll down.

Heck, if just having the info in an attachment amounts to delaying access to the information.

Re:Knowing the law... (1)

Constantine XVI (880691) | more than 6 years ago | (#25109953)

Odds are, yes. Unless it says you have to send the key/password separately.

Re:Knowing the law... (2, Informative)

moderatorrater (1095745) | more than 6 years ago | (#25109969)

Even if it is, setting up certificates is a hell of a lot easier than what you proposed. The very best security systems are where good security is easier than bad security. Unfortunately, this doesn't happen very often.

How about http web traffic? (3, Interesting)

cryfreedomlove (929828) | more than 6 years ago | (#25109753)

If I am an ecommerce website, am I now expected to encrypt all http traffic destined for customers I know to be in Nevada?

Re:How about http web traffic? (3, Insightful)

fm6 (162816) | more than 6 years ago | (#25109985)

If you're an ecommerce website, and you don't already use https for sensitive data (like credit card info), you are just begging to be ripped off. Or hadn't you noticed that little padlock icon that appears whenever you buy something online?

Re:How about http web traffic? (3, Interesting)

SoCalChris (573049) | more than 6 years ago | (#25110073)

But from the sounds of this law, simply having a small "Hello fm6" message at the top of the page would require the entire page to be encrypted, not just the login/out and payment screens.

Re:How about http web traffic? (1)

fm6 (162816) | more than 6 years ago | (#25110189)

Don't judge a law by how it sounds. The actual text [slashdot.org] tends to be more useful.

Re:How about http web traffic? (3, Informative)

Anonymous Coward | more than 6 years ago | (#25110507)

No. As others here have noted:

NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: 1. Social security number. 2. Driver's license number or identification card number. 3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account. The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public. (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)

Thus, simply having the username or first + last name on a page is insufficient to require encryption - if however, you are presenting the user with a credit card number or any of the above, then that page must be encrypted, which makes sense. This actually is a good piece of legislation if they defined what constitutes encryption - I don't know, and I don't feel like looking through the legalese.

Re:How about http web traffic? (1)

Constantine XVI (880691) | more than 6 years ago | (#25109991)

If you're an ecommerce website, you should be doing everything involving private data over HTTPS to begin with.

Re:How about http web traffic? (1)

barzok (26681) | more than 6 years ago | (#25109995)

Shouldn't you be doing that already for your login/checkout/payment processes?

Re:How about http web traffic? (4, Informative)

rtfa-troll (1340807) | more than 6 years ago | (#25110125)

Yes and no. The law says that you have to encrypt when you send personal data. The definition of encryption is pretty broad [state.nv.us] but the definition of personal data is very narrow [state.nv.us] so you could have a web site which is unencrypted except for the part where the customers identified themselves.

Overall, I don't see the problem with this. That they allow weak encryption is a red herring. Strong encryption will also comply with the ruling and so most people will use that. Weak encryption is often better than nothing. There are loopholes, but those can be closed later. This looks like a good start.

Re:How about http web traffic? (2, Funny)

SleptThroughClass (1127287) | more than 6 years ago | (#25110835)

That they allow weak encryption is a red herring.

Actually it's a red herring with a bicycle.

Re:How about http web traffic? (1)

Cajun Hell (725246) | more than 6 years ago | (#25110493)

You were expected to do that before they even passed this law, and not just for customers in Nevada.

1976 called, they want their RSA-hasn't-been-invented-yet excuse back.

encryption lacking all over. (0)

Anonymous Coward | more than 6 years ago | (#25109757)

So, start telling government agencies to start supporting SSL/TLS on their mail servers.

Also, SMIME or PGP? SMIME would be easier since mail clients do not tend to have built in support for PGP, especially Outlook.

I approve... (4, Funny)

elzbal (520537) | more than 6 years ago | (#25109771)

... the encryption of my customer records at Nevada's brothels.

I just hope they do more than password protecting the word docs...

Re:I approve... (1, Funny)

Anonymous Coward | more than 6 years ago | (#25110331)

Dear John,

Don't worry we won't let your secrets out, but you should be more careful where you email your requests to. We will not be able to accommodate you on your request to dress up for church with our hair in a bun and wearing glasses while engaging in an act with a donkey dressed as a moose. Perhaps you meant your email to go to a Hacienda of a different name in Boy's Town?

--This message encrypted for your protection. Please don't forget to use your protection.

Say it ain't so! (2, Insightful)

Phizzle (1109923) | more than 6 years ago | (#25109783)

The technically illiterate are passing legislation on technology!

Re:Say it ain't so! (2, Insightful)

darguskelen (1081705) | more than 6 years ago | (#25109881)

Sarcasm noted.
Are they aware just how much money this is going to cost businesses in training?
Not to mention they will have to have every company (and possibly every employee of every company) submit and maintain a proper public key in a public database, no matter how technically savvy they are. I can't get my own company to do that internally...

And if you don't have an IT department? (3, Insightful)

Morris Thorpe (762715) | more than 6 years ago | (#25109853)

Let's say you're a guy with a lawn mowing business and you have your web site (which you crudely built yourself) printed on the side of your truck.
Now, someone emails you with their name and address asking for a quote.

Good luck trying to figure out what this law (http://www.leg.state.nv.us/Nrs/NRS-597.html) means!

p.s. seems to me that the lawyer who wrote this article ought to know the difference between "affect" and "effect"...
"Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect."

Re:And if you don't have an IT department? (3, Funny)

clone53421 (1310749) | more than 6 years ago | (#25109965)

p.s. seems to me that the lawyer who wrote this article ought to know the difference between "affect" and "effect"...
"Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect."

Obviously they're being very optimistic about the economic impact...

Re:And if you don't have an IT department? (1)

gnick (1211984) | more than 6 years ago | (#25110163)

You beat me to it and did a better job than I would have. I doubt that my effecting a similar jab would have had nearly as humorous an effect.

Well done.

Re:And if you don't have an IT department? (0)

Anonymous Coward | more than 6 years ago | (#25111251)

To effect such a simple quip is obviously the work of the affected; in effect the affect effects nothing.

Re:And if you don't have an IT department? (1)

darguskelen (1081705) | more than 6 years ago | (#25109975)

Except that if your customer is employed, they will already know how to encrypt their emails before sending you one.

Re:And if you don't have an IT department? (0)

Anonymous Coward | more than 6 years ago | (#25110243)

Let's say you're a guy with a lawn mowing business and you have your web site (which you crudely built yourself) printed on the side of your truck.

I am a guy with a lawn mowing business and my own web site which I crudely built myself, you insensitive clod!

Re:And if you don't have an IT department? (3, Funny)

Cajun Hell (725246) | more than 6 years ago | (#25110515)

It looks like you're going to have to stop including people's Social Security Numbers in your lawnmowing quotes.

Re:And if you don't have an IT department? (2, Informative)

Rob the Bold (788862) | more than 6 years ago | (#25110691)

Good luck trying to figure out what this law (http://www.leg.state.nv.us/Nrs/NRS-597.html) means!

For that matter -- if you're in a business like lawnmowing that only uses its "web presence" as a virtual billboard or PO Box -- good luck knowing this law even exists!

Re:And if you don't have an IT department? (2, Funny)

carambola5 (456983) | more than 6 years ago | (#25110933)

Obviously, you either have never been to Nevada or have very poor business sense.

A lawn mowing business would never succeed in Nevada.

Re:And if you don't have an IT department? (1)

GenP (686381) | more than 6 years ago | (#25111005)

Perhaps some sort of rock grooming establishment?

Re:And if you don't have an IT department? (1)

MobyDisk (75490) | more than 6 years ago | (#25111175)

It means:
1) He is an idiot
2) He should have encrypted his email
3) But he isn't a business so it doesn't matter anyway.

Sounds like a non-issue to me.

How about this? (2, Funny)

JustCallMeRich (1185429) | more than 6 years ago | (#25109889)

Can I start a lawsuit to sue some company that does NOT do this, go to a jury by trial, but then do a terribly bad job of defending my position and set precedent that the defendant does not need to encrypt this stuff before a 'real' lawsuit comes about and sets precedent the other way?

Re:How about this? (1)

Qzukk (229616) | more than 6 years ago | (#25109935)

then do a terribly bad job of defending my position and set precedent

Judges hate it when you do that, and will likely throw out your case and force you to pay for all of it.

Re:How about this? (1)

JustCallMeRich (1185429) | more than 6 years ago | (#25110085)

So people DO try this?! HA! I was just off on a lark...

Encryption Conniption (3, Funny)

digitaldc (879047) | more than 6 years ago | (#25109897)

As of posting time, representatives of the state had not gotten back to me with comment.

It was later found that the reason for this delay was a system-wide shutdown & widespread panic as they couldn't figure out how to encrypt or decrypt any of their correspondence properly.

GOOD! (2, Insightful)

Anonymous Coward | more than 6 years ago | (#25109933)

ISTM we should phase out any unencrypted protocols going over the internet.

This particular law may have technical shortcomings - but if it takes close-but-not-quite right laws to raise awareness to the common person and politician that much internet traffic is unencrypted, I'm all for this law as a stalking horse to-be-improved-upon.

And just think if we eventually migrated to most internet traffic being encrypted. Much of the bittorrent-throttling / AT&T-spying / NSA snooping paranoia could be avoided.

Re:GOOD! (1)

Dewin (989206) | more than 6 years ago | (#25111103)

Unencrypted protocols still have perfectly valid uses. Should we really waste CPU overhead (encryption is time-consuming) and bandwidth (it usually adds some overhead, I believe) to download a 250MB hey_the_game_really_works_now___patch_1_02.exe which is freely downloadable for anyone?

Bad summary (4, Informative)

russotto (537200) | more than 6 years ago | (#25109963)

The statute forces businesses to encrypt "Personal Information", which by law consists ONLY of the following

NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: 1. Social security number. 2. Driver's license number or identification card number. 3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account. The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public. (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)

So businesses merely need to refrain from putting social security numbers, drivers license numbers, and passwords in email and other insecure communication channels and they're good. They can even send the password, provided they don't send the account number along with it. This makes forgotten password recovery a bit harder, but it's not impossible to comply with.
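The NRS 603A.040 definition quoted above, expressed as an outbound-mail check (an added example, not code from any poster or from the state): a message is "personal information" only when a name appears together with a full SSN, a driver's license number, or an account/card number plus the code that unlocks it. The text patterns are heuristic assumptions about how those elements usually look, since the statute defines the elements, not their formatting; the sample messages are constructed.

```python
import re
from typing import Dict, List

# Name label line (assumption): first name or initial, then last name.
NAME_RE = re.compile(
    r"(?im)^[ \t]*(?:name|customer|employee)[ \t]*:[ \t]*"
    r"([A-Za-z]\.?|[A-Za-z][a-z]+)[ \t]+([A-Za-z][a-z]+)"
)
# Element 1: a full nine-digit SSN. A masked form such as ***-**-6789 never
# matches, which implements the statute's "last four digits" exclusion.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Element 2: a labelled driver's license / ID number (format varies by state).
DL_RE = re.compile(
    r"\b(?:driver'?s?[ \t]+licen[cs]e|DL)\b[ \t]*(?:#|no\.?|number)?"
    r"[ \t]*[:#]?[ \t]*([A-Z0-9]{5,12})\b",
    re.I,
)
# Element 3, part one: a 13-16 digit card number or a labelled account number.
ACCOUNT_RE = re.compile(
    r"\b(?:\d[ -]?){12,15}\d\b"
    r"|\b(?:account|acct)\b[ \t]*(?:#|no\.?|number)?[ \t]*[:#]?[ \t]*\d{6,17}\b",
    re.I,
)
# Element 3, part two: a code that would permit access to that account.
SECRET_RE = re.compile(
    r"\b(?:password|passcode|pin|cvv|security code|access code)\b"
    r"(?:[ \t]+is\b|[ \t]*[:=])[ \t]*:?[ \t]*\S+",
    re.I,
)


def classify(message: str) -> Dict[str, object]:
    """Report which statutory data elements a message carries, and whether the
    name-plus-element combination that triggers the encryption duty is present."""
    elements: List[str] = []
    if SSN_RE.search(message):
        elements.append("ssn")
    if DL_RE.search(message):
        elements.append("drivers_license")
    # Element 3 needs BOTH the account/card number and its security code or
    # password; either one alone is outside the definition.
    if ACCOUNT_RE.search(message) and SECRET_RE.search(message):
        elements.append("account_with_code")
    has_name = NAME_RE.search(message) is not None
    return {
        "name": has_name,
        "elements": elements,
        "personal_information": has_name and bool(elements),
    }


def must_encrypt(message: str) -> bool:
    """True when the message may not leave in clear under the definition."""
    return bool(classify(message)["personal_information"])


# Constructed sample messages (not real data).
SAMPLES = {
    "ssn_full": "Name: Jane Doe\nSSN: 123-45-6789\n",
    "ssn_last4": "Name: J. Doe\nSSN on file ends in ***-**-6789\n",
    "card_no_code": "Name: John Smith\nCard: 4111 1111 1111 1111\nExpires 12/10\n",
    "card_with_cvv": "Name: John Smith\nCard: 4111 1111 1111 1111\nCVV: 123\n",
    "password_only": "Name: John Smith\nYour new password is: hunter2\n",
    "ssn_no_name": "SSN: 123-45-6789\n",
    "dl": "Employee: Ann Lee\nDriver's license: N1234567\n",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:14s} encrypt={must_encrypt(body)} {classify(body)['elements']}")
```

The "password_only" sample is the case russotto describes: a password by itself, with no account number beside it, falls outside the definition.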

Re:Bad summary (2, Insightful)

ptbarnett (159784) | more than 6 years ago | (#25110357)

So businesses merely need to refrain from putting social security numbers, drivers license numbers, and passwords in email and other insecure communication channels and they're good.

If any business is currently sending SS and driver's license numbers via email, they are being irresponsible.

Re:Bad summary (0)

Anonymous Coward | more than 6 years ago | (#25110657)

Don't forget customer stupidity.

I work for a company that doesn't collect driver's license or social security numbers, and I won't even get into how many times in a day I'm basically handed one by a customer thinking that is how to access their account with me on the phone.

If I wanted to steal identities, I'm basically given all I need to on a daily basis, just out of customer stupidity.

Re:Bad summary (1)

ArsonSmith (13997) | more than 6 years ago | (#25110881)

I always send that kind of info in a word doc, then have my email client UUEncrypt it.

What can go wrong? (2, Insightful)

oDDmON oUT (231200) | more than 6 years ago | (#25109997)

It's not like we've had any keys lost [bigblog.com] lately.

Rot-13 Encrypted - Twice (0, Redundant)

supernova_hq (1014429) | more than 6 years ago | (#25110017)

This comment is encrypted using Rot-13 twice!

The End of the Internet as We Know It! (1)

fm6 (162816) | more than 6 years ago | (#25110035)

If they can require people to encrypt their email, the next evil plan will be to force everybody to supply cryptographic certificates with each email. This will make it impossible to send anonymous email! No poison pen messages, no mailbox bombing, no sp...

Oh. Never mind.

Add an encryption flag (0)

RichMan (8097) | more than 6 years ago | (#25110091)

From now on all emails sent by the company will include the XMAIL header To:
This header will mark the email as encrypted using ASCII character encoding encryption.
The authorized recipient specified in the To: header is permitted to decode the email.

Note that this email is covered under the DMCA and any unauthorized decryption is liable for criminal prosecution and civil damages.

This is about as complicated as the "don't record" flag being used in digital television.

public keys (1)

misxn (901438) | more than 6 years ago | (#25110137)

An exchange of public keys has to take place first before data is encrypted? I don't know how this is going to be enforced. The receiving party has to have your public key first. I bet all that happens out of this is a bunch of signed e-mails.

rot13 (0)

Anonymous Coward | more than 6 years ago | (#25110183)

Ought to be enough for anybody.

rot26 (1)

argent (18001) | more than 6 years ago | (#25110385)

I use rot26 because it's twice as powerful as rot13!

This is a good idea (3, Funny)

JeanBaptiste (537955) | more than 6 years ago | (#25110233)

Personally identifiable information should be encrypted.

Sincerely,
xz'Kxv!y{Ycut="xgq'^e;

The Real Problem... (4, Informative)

lax-goalie (730970) | more than 6 years ago | (#25110237)

...isn't primarily with the law, it's with the Nevada definition of "encryption". Writing definitions of such things for legislation is a more difficult problem than you might think. (I helped draft Virginia's definition of encryption, and what we ended up with ain't perfect.) But in this case, Nevada's definition just plain sucks.

One of the challenges of writing legislation is that you really can't refer to specific technologies, otherwise you end up having to update the law every time the technology is broken.

Also, if you rely on a punch list of approved technologies, you effectively block out alternatives. ("But your honor, I used Blowfish because it's more secure than Triple-DES." "Sorry, son, Blowfish isn't on the list I see here. Guilty!")

Unfortunately, this is a case of "Not a Bad Idea, Piss-poor Implementation". There's a lot for Nevada to fix here.

Re:The Real Problem... (1, Informative)

Anonymous Coward | more than 6 years ago | (#25110769)

I disagree. The real problem is lack of standard business practices that take the need to protect PII seriously.

I personally know of people in businesses relating to insurance who regularly get emails from HR departments containing unencrypted PNI.

In many of these cases, password-protecting an Excel spreadsheet full of SSNs before mailing it would be a *huge* step up, and would provide enough protection for over 99% of realistic threat scenarios.

We're not talking about Swiss bank accounts, we're talking about the equivalent of where shredding a document before putting it curbside is enough to prevent most meth-addicted dumpster-divers from committing identity theft.

BTW, these insurance and HR employees aren't bad people, they're just non-techie clerk types and they aren't going to mess with encryption unless their boss demands it. And sadly, their bosses do not fear HIPAA.

This law could boost awareness of the need to encrypt PII, and businesses that exchange a lot of such data will have this value seep into their culture and business practices.

Re:The Real Problem... (1)

swillden (191260) | more than 6 years ago | (#25110771)

Unfortunately, this is a case of "Not a Bad Idea, Piss-poor Implementation".

I don't think it's all that bad. It'd be better if it required the use of good encryption, but I suspect that most people will find it cheaper to implement the widely-deployed encryption tech (i.e. SSL for web sites, S/MIME or PGP for e-mail) than to invent something themselves -- and those widely-deployed technologies are also quite good.

Of course, the implementations will often be half-baked, with stupid processes that make the decryption keys far too easy for the wrong person to get -- but it'll almost certainly be better than it is now!

Never mind the dual rot-13 jokes. Bad law! (1)

mmell (832646) | more than 6 years ago | (#25110313)

While I'll grant you that businesses should absolutely use encryption or some other mechanism to protect sensitive information, legislation isn't the solution.

Consider - if a bank sent new ATM cards with the pin in the same envelope as the card, most consumers would go immediately berserk. The institution in question would rapidly see an erosion of their customer base, as well as being found liable for any losses incurred by people who had their mail intercepted by thieves.

That same bank can blithely send out e-mails with user account names, numbers and passwords all in one convenient, easy-to-sniff package and nobody gets upset. How often has anybody here clicked on "forgot my username/password" only to get a nice, convenient clickable link which allows unfettered access to private, smooth, creamy soft personal information? The solution isn't for the government to legislate the use of encryption; rather, it's a matter for market pressure. Let enough people become unhappy over the cavalier treatment their personal information garners from a corporation - they'll vote with their wallets, if they are once educated regarding the situation.

That last phrase is the hard part though, isn't it?

Re:Never mind the dual rot-13 jokes. Bad law! (0)

Anonymous Coward | more than 6 years ago | (#25110411)

Maybe the answer is some type of smart card authentication. SIM cards have this built into the protocol, and most smartphones have secure memory for RSA public/private keypairs to prevent all but a chip fab from getting access.

Why not have some type of challenge/response system against the keypair. If someone forgets their website password, they punch a random into their phone, and type the result for a reset.

Bad thing, this will move theft from anonymous hacking to either forcing people to give access by cellphone, or theft of cellphones.

The technical solution isn't the point . . . (2, Insightful)

mmell (832646) | more than 6 years ago | (#25110559)

Hellfire, the government could issue an RSA code to every citizen and publish the public keys in a phone book. The government could even provide the necessary software to make it work. It'd be secure - that's the beauty of public key encryption systems such as RSA or knapsack. But it'll never happen. Nobody wants it. Nobody wants to pay for it.

This legislation will force industry to develop and pay for it, regardless of whether the customers want it or not. Yes, we all want encryption on everything; but an overwhelming majority of computer users don't care enough to actually do anything, even though it would only take a bit of time and effort. Now, what happens when your bank sends you your private encryption key and instructions? Most recipients will either delete or (at best) ignore the key. Later that month, imagine their anger when their bank statement is encrypted and they have no idea how to decrypt it. Or do you really get the impression that the average American (Nevadan?) consumer is intelligent enough to implement, say, GPG? If so, do you think the average consumer is energetic enough to do so?

Leave this job up to market forces - the free-enterprise economy is infinitely more responsive to the needs and wants of the average consumer than is the Federal or even any of the State governments.

Re:Never mind the dual rot-13 jokes. Bad law! (1)

Cajun Hell (725246) | more than 6 years ago | (#25110825)

What they could do is define lack of encryption as negligent, for liability purposes. Lawmakers do weird things like this all the time: for example, if you possess more than x weight of drugs, then you have intent to distribute (regardless of whether or not there's actually any reason to believe you had such intent).

They could pass a law that if you lose info and didn't encrypt it, and then someone comes after you for damages resulting from such negligence, then your position is far weaker than it would be if you had encrypted. (I generally disapprove of those types of laws, but as long as we're keeping them around, then something like this might be a good idea.)

I bet we'll see files like named like this (0, Redundant)

BigGar' (411008) | more than 6 years ago | (#25110341)

Use_Fred1234_For_Passwd_to_unzip.zip

Interstate commerce (1)

chrylis (262281) | more than 6 years ago | (#25110389)

Although I am one of those who is appalled by the fact that Congress can get away with writing laws about nearly anything by waving their hands and yelling "commerce clause", it really seems that a law like this is just asking to get smacked down at the federal level.

Is this a joke? (1)

ScubaS (600042) | more than 6 years ago | (#25110459)

See topic. I hope Nevada lawmakers know it's not April Fools. They never required phone conversations to be encrypted, so why e-mails?

this is what makes Slashdot worth reading (1)

Presto Vivace (882157) | more than 6 years ago | (#25110551)

I didn't know any state was even talking about this.

What about Internet faxes? (1)

CleverDan (728966) | more than 6 years ago | (#25110587)

From the statute:

...an electronic transmission other than a facsimile...

What makes a fax so secure? If eFax delivers a fax to my email box, what's to keep it from being intercepted and OCR'd?

When faxes were more or less point-to-point transmissions, they may have been more secure. But now...

What about.... (1)

WWGTom (1117667) | more than 6 years ago | (#25110645)

Businesses that are registered through the state due to their sales tax breaks but are not physically located within the state? (Of course I didn't RTFA....)

Does it need a backdoor? (1)

Nimey (114278) | more than 6 years ago | (#25110653)

The way the government's going, I wouldn't be surprised if the businesses have to use a particular package that gives the government backdoor access.

Obligatory (with slight variation) (2, Funny)

dkleinsc (563838) | more than 6 years ago | (#25110789)

Your government advocates a

(X) technical (X) legislative ( ) market-based ( ) vigilante

approach to fighting identity theft. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop identity theft for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from identity thieves
(X) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) identity thieves don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of identity theft
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
( ) Dishonesty on the part of identity thieves themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
(X) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about your legislature:

( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're stupid people for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:Obligatory (with slight variation) (1)

skis (920891) | more than 6 years ago | (#25110885)

Anyone else notice that the "Asshats" box is always checked whenever anyone posts one of these?

Could be the start of a good thing (1)

nurb432 (527695) | more than 6 years ago | (#25111053)

If this is the first step to encrypting EVERYTHING, then I think it's worth a few of the speed-bumps this will cause in the beginning.

Delay access? Not good enough. (2, Insightful)

isBandGeek() (1369017) | more than 6 years ago | (#25111129)

Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

Under this definition of "encryption", I could argue that by compressing the file it would "delay access" by making them wait for the time 7zip takes to unzip. So now zipped files are encrypted?

Lawmakers + Technology ??? (1)

EvilIntelligence (1339913) | more than 6 years ago | (#25111133)

As usual, some lawmakers, who know next to nothing about technology, create a half-assed law to govern something they know nothing about. You would think that they would at least bring on an expert adviser to tell them what is realistic and what is not. Don't they understand that such a law will create millions upon millions in costs for their own local businesses, which will gain them next to nothing in security, and only hurt their competitiveness?

KISS (1)

jaguth (1067484) | more than 6 years ago | (#25111189)

Encryption takes too much time and energy. It would be much easier for Nevada to just distribute an e-mail template that has a picture of Kathy Lee Gifford at the top of the message. That would deter anyone trying to read anyone's super-important-business-critical e-mails. Keep It Simple, Stupid!