[Cryptography] FTC sues for crappy crypto

Thierry Moreau thierry.moreau at connotech.com
Fri Jan 8 13:49:22 EST 2016


On 08/01/16 11:44 AM, Jerry Leichter wrote:
>>     The US Federal Trade Commission (FTC) has struck a $250,000
>>     settlement package in its case accusing a medical software
>>     developer of lying about its data encryption capabilities.
>>
>>
>> It's interesting to me that the complaint here isn't that they were
>> providing crappy crypto or that dentists were exposing their patients'
>> private data, but that they /lied/ about their crypto. That's fraud,
>> to be sure. But it seems unlikely to me that, had they marketed it as
>> "data camouflage" and not encryption, it would have made any
>> difference to the dentists, particularly since there seems to be no
>> actual law saying that the data need to be encrypted. So the FTC isn't
>> actually protecting anyone here, just making sure their own people
>> stay employed.
> The FTC can't make up rules for what goes into software.  No vendor is
> under any obligation to include cryptography, strong or otherwise, and
> I'd say that's as it should be:  Not every application *needs*
> cryptography; not every buyer *wants* it.  But no seller is, or should
> be, free to outright lie about what it's selling.

From the original post:
"security protections in compliance with HIPAA rules"
which would (indirectly?) mandate effective data protection (... whether 
this extends to proper key management procedures is another story ...).

The US health sector is governed by HIPAA for privacy of medical 
records. With the battle between lawyers and insurance companies (for 
clinicians' error liability coverage) in the private-organization-centric 
US health care system, I would suspect the HIPAA rules are implemented 
with some dedication.

>
> Now, you may say that software that maintains medical records "clearly
> needs" cryptography.  That may be, in some broad sense, but there's no
> law mandating that - and if there were, it would make more sense for the
> mandate to apply *to the medical provider* and not to the seller of the
> software.  The same software might be used, say, by a veterinarian -
> where mandating encryption seems rather an over-reach.
>
> I'm not anti-regulation myself - I think there are many things that
> *need* to be regulated.  But regulation should be targeted where it's
> appropriate - and it should be the minimum regulation needed to
> accomplish some important policy goal.  Demanding that the FTC define
> "strong cryptography" and then mandate, on its own, which applications
> require it, strikes me as a good way to generate tons of new regulations
> that will do more harm than good.

Again, HIPAA.

>
> Keep in mind, too, that any regulation has to be quite explicit - to
> cite the kind of thing that drives people nuts, you can't write a
> regulation that says "fire extinguishers must be at a height that most
> people can get at" because no one will be able to objectively test if
> someone is in violation; so instead you end up with a mandate that says
> "fire extinguishers must be hung 60 inches above the ground" and you end
> up fining people who hang them at 61 inches.  Also, once a regulation is
> in place, it becomes almost impossible to change it because of the
> costs.  That's a disaster in a field moving as rapidly as cryptography
> has been.
>
>                                                          -- Jerry

- Thierry
