[Cryptography] Gilmore response to NSA mathematician's "make rules for NSA" appeal

[Anne & Lynn Wheeler]

We had been asked to come in and help wordsmith the cal. state digital signature act. Several of the parties were involved in privacy issues and also working on Cal. data breach notification act and Cal. opt-in personal information sharing act. The parties had done extensive public surveys on privacy and the #1 issue was identity theft, namely the form of "account fraud" as result of data breaches. There was little or nothing being done about this so there was some hope that the publicity from the breach notifications would motivate corrective action. The issue is that normally an entity takes security and countermeasures in self-protection ... the entities suffering the data breaches weren't at risk ... it is the account holders. Since then several Federal breach notification bills have been introduced about evenly divided between having similar notification requirements and Federal "preemption" legislation eliminating requirement for notifications. The federal bills elimina
 ting noti
fications cite industry specifications call for account encryption (that were formulated after the cal. legislation). We've periodically commented in the current paradigm, even if the planet was buried under miles of information hiding encryption it still wouldn't stop information leakage. One problem, is account information is basically used for authentication and as such needs to be kept completely confidential and never divulged. However, at the same time, account information is also required in dozens of business processes at millions of location around the world.

The cal.personal information "opt-in" sharing legislation would require institution have record from the individual authorizing sharing of information. However, before the cal legislation passed, an "opt-out" (federal preemption) provision was added to GLBA. GLBA is now better known for the repeal of Glass-Steagall. At the time, the rhetoric in congress was the primary purpose of GLBA was if you already had bank charter you got to keep it, however, if you didn't have a charter, you wouldn't be able to get one (i.e. eliminate new parties from coming in and competing with banks). However, GLBA was loaded up with other features like repeal of Glass-Steagall and the "opt-out" personal information sharing (i.e. the financial institution needed record of person declining sharing of personal information ... rather than "opt-in" which required institution to have record authorizing sharing).

A few years ago, I was at a national annual privacy conference in Wash DC. (hotel just up the street from spy museum). There was a panel discussion with the FTC commissioners. Somebody in the audience asked the FTC commissioners if they were going to do anything about GLBA "opt-out" privacy sharing. He said he worked on callcenter technology used by all the major financial institutions ... and that none of the 1-800 "opt-out" desks had provisions for recording information from the call (aka an institution would *NEVER* have a record of a person objecting to sharing their personal information). The FTC commissioners just ignored him.

-- 
virtualization experience starting Jan1968, online at home since Mar1970