[Cryptography] FTC sues for crappy crypto

Jerry Leichter leichter at lrw.com
Fri Jan 8 06:44:11 EST 2016


> The US Federal Trade Commission (FTC) has struck a $250,000 settlement package in its case accusing a medical software developer of lying about its data encryption capabilities.
> 
> It's interesting to me that the complaint here isn't that they were providing crappy crypto or that dentists were exposing their patients' private data, but that they lied about their crypto. That's fraud, to be sure. But it seems unlikely to me that, had they marketed it as "data camouflage" and not encryption, it would have made any difference to the dentists, particularly since there seems to be no actual law saying that the data need to be encrypted. So the FTC isn't actually protecting anyone here, just making sure their own people stay employed.

The FTC can't make up rules for what goes into software.  No vendor is under any obligation to include cryptography, strong or otherwise, and I'd say that's as it should be:  Not every application *needs* cryptography; not every buyer *wants* it.  But no seller is, or should be, free to outright lie about what it's selling.

Now, you may say that software that maintains medical records "clearly needs" cryptography.  That may be, in some broad sense, but there's no law mandating that - and if there were, it would make more sense for the mandate to apply *to the medical provider* and not to the seller of the software.  The same software might be used, say, by a veterinarian - where mandating encryption seems rather an over-reach.

I'm not anti-regulation myself - I think there are many things that *need* to be regulated.  But regulation should be targeted where it's appropriate - and it should be the minimum regulation needed to accomplish some important policy goal.  Demanding that the FTC define "strong cryptography" and then mandate, on its own, which applications require it, strikes me as a good way to generate tons of new regulations that will do more harm than good.

Keep in mind, too, that any regulation has to be quite explicit - to cite the kind of thing that drives people nuts, you can't write a regulation that says "fire extinguishers must be at a height that most people can get at" because no one will be able to objectively test if someone is in violation; so instead you end up with a mandate that says "fire extinguishers must be hung 60 inches above the ground" and you end up fining people who hang them at 61 inches.  Also, once a regulation is in place, it becomes almost impossible to change it because of the costs.  That's a disaster in a field moving as rapidly as cryptography has been.

                                                        -- Jerry
