ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Is It Really Encrypted When the Key Is Public and Automatic?

    IT Discussion
    encryption software legal
    9
    59
    4.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DashrenderD
      Dashrender @scottalanmiller
      last edited by

      @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

      @flaxking said in Is It Really Encrypted When the Key Is Public and Automatic?:

      It's a bad sign when questions about security from your clients have to go through your lawyer every time.

      Sadly, if their customers try to access their own data the vendor sues them. They claim that the customers don't have the right to use the public keys that they give away.

      You client is running into that issue now?

      and how did the vendor find out?

      scottalanmillerS 1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @Dashrender
        last edited by

        @Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

        @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

        @flaxking said in Is It Really Encrypted When the Key Is Public and Automatic?:

        It's a bad sign when questions about security from your clients have to go through your lawyer every time.

        Sadly, if their customers try to access their own data the vendor sues them. They claim that the customers don't have the right to use the public keys that they give away.

        You client is running into that issue now?

        and how did the vendor find out?

        We know a client that is having this issue. He posts about it. They found out because he let others know how to access their own data and exposed that the encryption wasn't unique: that they all shared a single key.

        The knowledge can be used, obviously, to sue the vendor out of existence (and it ties back to EMR stuff, so while this one key isn't HIPAA related, the company is) and can be used to migrate customer data off of their platforms (the real reason that they are trying to encrypt the data - to extort the customers for migration fees.)

        1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller
          last edited by

          So in this case, while not nearly as bad as most, it's actually ransonware, right?

          DashrenderD 1 Reply Last reply Reply Quote 0
          • G I JonesG
            G I Jones
            last edited by

            In this case would the definition of "encryption" be relevant? It's pretty vague as is. This is super fucked at any rate. I hope all the bad things in life happen to that company and only that company.

            scottalanmillerS 1 Reply Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller @G I Jones
              last edited by

              @G-I-Jones said in Is It Really Encrypted When the Key Is Public and Automatic?:

              In this case would the definition of "encryption" be relevant? It's pretty vague as is. This is super fucked at any rate. I hope all the bad things in life happen to that company and only that company.

              I think it does because the Fed defines encryption in all kinds of things like HIPAA.

              1 Reply Last reply Reply Quote 0
              • DashrenderD
                Dashrender @scottalanmiller
                last edited by

                @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

                So in this case, while not nearly as bad as most, it's actually ransonware, right?

                Wouldn't that apply to any system that prevents you from extracting your data, unless you pay a fee?

                scottalanmillerS 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @Dashrender
                  last edited by

                  @Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

                  @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

                  So in this case, while not nearly as bad as most, it's actually ransonware, right?

                  Wouldn't that apply to any system that prevents you from extracting your data, unless you pay a fee?

                  If it does so by maliciously encrypting your data to their benefit, not yours, yes. Generally that's considered illegal. Hence the term "ransomware". It refers to using encryption to make you unable to access your own data so that you have to pay a ransom to get it back.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller
                    last edited by

                    And, like a lot of ransomware, it also means that someone else has access to your data that you do not.

                    1 Reply Last reply Reply Quote 0
                    • KellyK
                      Kelly
                      last edited by

                      In the state of Colorado the law is written such that if an encryption key is obtained the data is considered compromised.

                      DustinB3403D scottalanmillerS 2 Replies Last reply Reply Quote 1
                      • DustinB3403D
                        DustinB3403 @Kelly
                        last edited by

                        @Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

                        In the state of Colorado the law is written such that if an encryption key is obtained the data is considered compromised.

                        Obtained by whom? The customers, the vendors, someone else?

                        Does that mean if the rightful customer has the key, that they must consider their system compromised even though they should have the key?

                        KellyK 1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @Kelly
                          last edited by

                          @Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

                          In the state of Colorado the law is written such that if an encryption key is obtained the data is considered compromised.

                          That's the case in most places, I think, but good to know as we have loads of people in CO with this.

                          1 Reply Last reply Reply Quote 0
                          • KellyK
                            Kelly @DustinB3403
                            last edited by

                            @DustinB3403 said in Is It Really Encrypted When the Key Is Public and Automatic?:

                            @Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

                            In the state of Colorado the law is written such that if an encryption key is obtained the data is considered compromised.

                            Obtained by whom? The customers, the vendors, someone else?

                            Does that mean if the rightful customer has the key, that they must consider their system compromised even though they should have the key?

                            It is a privacy law. If someone who is not authorized has both the data and the key the data is considered to have been exposed and the company is liable under HB11-1828. If the key is public then any access to the data would be considered a breach and exposure.

                            DustinB3403D scottalanmillerS 2 Replies Last reply Reply Quote 0
                            • DustinB3403D
                              DustinB3403 @Kelly
                              last edited by

                              @Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

                              not authorized

                              Gotcha, so it's not a poorly written law but only applies in the case of not authorized cases.

                              KellyK 1 Reply Last reply Reply Quote 0
                              • KellyK
                                Kelly @DustinB3403
                                last edited by

                                @DustinB3403 said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                @Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                not authorized

                                Gotcha, so it's not a poorly written law but only applies in the case of not authorized cases.

                                Well, it will need to fleshed out via case law to determine what unauthorized really means and how you can verify the access or prove non access. The control is ahead of technology implementation in most organizations. We will see how it plays out. It is written in sufficiently broad terms that the access could be from an external access or an internal one.

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @Kelly
                                  last edited by

                                  @Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                  @DustinB3403 said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                  @Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                  In the state of Colorado the law is written such that if an encryption key is obtained the data is considered compromised.

                                  Obtained by whom? The customers, the vendors, someone else?

                                  Does that mean if the rightful customer has the key, that they must consider their system compromised even though they should have the key?

                                  It is a privacy law. If someone who is not authorized has both the data and the key the data is considered to have been exposed and the company is liable under HB11-1828. If the key is public then any access to the data would be considered a breach and exposure.

                                  What if it was non-encrypted data, so that there was no key? Wouldn't that be the normal boat, and that's not an exposure.

                                  1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller
                                    last edited by

                                    The issue in this case is that the data is not required to be encrypted. But it's sold as a benefit. But it isn't like a HIPAA violation.

                                    KellyK 1 Reply Last reply Reply Quote 0
                                    • ObsolesceO
                                      Obsolesce @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                      @Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                      False advertisement maybe at best IMO.

                                      At best? Isn't giving YOUR keys away to other people fall under hacking laws? It's definitely not legal for them to keep, let alone distribute, your key.

                                      Dunno. I'm not a lawyer specializing in privacy and data protection laws. I can only speculate based on general logic. I have no idea about their eula/tos/etc either.

                                      DustinB3403D scottalanmillerS 3 Replies Last reply Reply Quote 0
                                      • KellyK
                                        Kelly @scottalanmiller
                                        last edited by

                                        @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                        The issue in this case is that the data is not required to be encrypted. But it's sold as a benefit. But it isn't like a HIPAA violation.

                                        So, the Colorado law and some other state laws (may include CCPA) are mandating that certain PII data be encrypted. HB11-1824 has very few teeth to it at this point until someone gets breached, but I don't want to be the test case for the DA to try it out on.

                                        1 Reply Last reply Reply Quote 0
                                        • DustinB3403D
                                          DustinB3403 @Obsolesce
                                          last edited by

                                          @Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                          @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                          @Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                          False advertisement maybe at best IMO.

                                          At best? Isn't giving YOUR keys away to other people fall under hacking laws? It's definitely not legal for them to keep, let alone distribute, your key.

                                          Dunno. I'm not a lawyer specializing in privacy and data protection laws. I can only speculate based on general logic. I have no idea about their eula/tos/etc either.

                                          Most lawyers shouldn't be the expert either. .

                                          1 Reply Last reply Reply Quote -1
                                          • scottalanmillerS
                                            scottalanmiller @Obsolesce
                                            last edited by

                                            @Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                            @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                            @Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                            False advertisement maybe at best IMO.

                                            At best? Isn't giving YOUR keys away to other people fall under hacking laws? It's definitely not legal for them to keep, let alone distribute, your key.

                                            Dunno. I'm not a lawyer specializing in privacy and data protection laws. I can only speculate based on general logic. I have no idea about their eula/tos/etc either.

                                            General logic would say that selling someone a key based on a promise to protect them, then selling that same key to someone else to undermine the security that they just sold to you, is not just a civil problem, but a criminal one. Selling access to other peoples' data is highly illegal.

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 2 / 3
                                            • First post
                                              Last post