    Cybereye | A crypto can of worms

    New Nevada law designed to protect privacy is likely to create as many problems as it's trying to solve

    William Jackson

    GCN

    ON OCT. 1, NEVADA became the first state to require the use of
    encryption to protect consumer information being transmitted by
    businesses. Privacy is a good thing, and encryption can be a
    powerful tool in preserving it. But the Nevada law is likely to
    create as many problems as it's trying to solve.


    The 2007 law is admirably brief. It states only that 'a
    business in this state shall not transfer any personal information
    of a customer through an electronic transmission other than a
    facsimile to a person outside of the secure system of the business
    unless the business uses encryption to ensure the security of
    electronic transmission.' It then appends definitions for
    encryption and personal information.


    But those 45 words raise a lot of questions: Exactly which
    businesses and customers does it apply to? What kinds of
    transmissions? E-mail, of course, and presumably file transfers,
    but what about a telephone call? How far does the encryption have
    to go? To the recipient's desktop? To a server? To a router
    somewhere that has to decrypt the packets before routing them? How
    strong does encryption have to be to ensure the security of the
    transmission? What are the enforcement mechanisms and penalties for
    not complying? There are none listed in the statute.


    And then there is the constitutional issue: Can Nevada
    effectively impose a requirement on those outside the state that
    they be able to decrypt data sent from inside the state? That could
    be construed as interfering with interstate commerce, which is a
    no-no.


    The problem is that the law is at once too specific and too
    vague. It specifies a solution, cryptography, but it does not spell
    out how it is to be used or what problem it is to solve. Even the
    people you would expect to be advocates of such a law have mixed
    feelings about it.


    'I'm leery of government imposing technology
    requirements,' said Phillip Dunkelberger, chief executive
    officer of PGP, which sells encryption products. 'I've
    always been an advocate of working with best practices, not a
    specific remedy to a specific problem.'


    However, he said the law is a step in the right direction.
    'The best thing this law does is draw some attention to the
    problem,' he said.


    But in focusing too closely on a specific technology to address
    one aspect of a problem, it misses the larger issues of privacy and
    data protection. Even if all the pipes in and out of Nevada are
    secured, what about all those other places where personal
    information spends most of its time: the hard drives and
    chips of servers, PCs and other devices?


    Dunkelberger has a suggestion. 'I'd like to see a
    law that says if you collect personally identifiable information,
    then in all methods of using that data, whether stored, in
    applications or in transmissions of any kind, you have to use best
    practices to protect it.'


    It would take a while for industry and the courts to work out
    the definitions of best practices, but history has shown it can be
    done. And in the end, this would be a more flexible and robust
    standard than technical specifications imposed by legislators.

