[Cryptography] FTC sues for crappy crypto

Sean Lynch seanl at literati.org
Fri Jan 8 13:54:51 EST 2016


On Fri, Jan 8, 2016 at 3:44 AM Jerry Leichter <leichter at lrw.com> wrote:

>
> It's interesting to me that the complaint here isn't that they were
> providing crappy crypto or that dentists were exposing their patients'
> private data, but that they *lied* about their crypto. That's fraud, to
> be sure. But it seems unlikely to me that, had they marketed it as "data
> camouflage" and not encryption, it would have made any difference to the
> dentists, particularly since there seems to be no actual law saying that
> the data need to be encrypted. So the FTC isn't actually protecting anyone
> here, just making sure their own people stay employed.
>
> The FTC can't make up rules for what goes into software.  No vendor is
> under any obligation to include cryptography, strong or otherwise, and I'd
> say that's as it should be:  Not every application *needs* cryptography;
> not every buyer *wants* it.  But no seller is, or should be, free to
> outright lie about what it's selling.
>

Indeed, but if there is actual harm to a customer, don't we already have a
mechanism to deal with that in the form of class action lawsuits?

> Now, you may say that software that maintains medical records "clearly
> needs" cryptography.  That may be, in some broad sense, but there's no law
> mandating that - and if there were, it would make more sense for the
> mandate to apply *to the medical provider* and not to the seller of the
> software.  The same software might be used, say, by a veterinarian - where
> mandating encryption seems rather an over-reach.
>

Personally, I don't think laws like this are a great way to protect
people's privacy, because they give the consumer a false sense of security.
On the other hand, there should be some liability when a company fails to
protect information it was reasonably expected to protect, which means some
kind of guidelines, perhaps in the form of liability limits if the vendor
meets certain standards and isn't negligent.


> I'm not anti-regulation myself - I think there are many things that *need*
> to be regulated.  But regulation should be targeted where it's appropriate
> - and it should be the minimum regulation needed to accomplish some
> important policy goal.  Demanding that the FTC define "strong cryptography"
> and then mandate, on its own, which applications require it, strikes me as
> a good way to generate tons of new regulations that will do more harm than
> good.
>

I'm not anti-regulation, especially in the presence of government-granted
privilege, but regulation is about as blunt an instrument as one can
imagine. And then you get the problems of regulatory capture and
regulators/bureaucrats over-regulating or only going after easy targets in
order to justify their existence. I'd classify this as one of those easy
targets.


> Keep in mind, too, that any regulation has to be quite explicit - to cite
> the kind of thing that drives people nuts, you can't write a regulation
> that says "fire extinguishers must be at a height that most people can get
> at" because no one will be able to objectively test if someone is in
> violation; so instead you end up with a mandate that says "fire
> extinguishers must be hung 60 inches above the ground" and you end up
> fining people who hang them at 61 inches.  Also, once a regulation is in
> place, it becomes almost impossible to change it because of the costs.
> That's a disaster in a field moving as rapidly as cryptography has been.
>

Agreed.

I think a better solution to the more general problem of companies failing
to protect the data people entrust to them is some sort of certification
scheme along the lines of Underwriters' Laboratories. You could have
competing private certification organizations funded not by applications
but by, say, insurance companies, an endowment, or some other mechanism
that is aligned with the interests of consumers and not vendors. In order
to be insured against liability for data leakage, companies would need to
be certified by some organization recognized by the insurance company. It's
not altogether different from PCI, though I'd prefer it not be associated
with a cartel like the payments industry has.

Of course, an organization would always be free to self-insure. I don't
have any idea how any certification organization could certify Google or
even AWS that is operating on the frontiers of computer security, but when
you're talking about something like a dentist, I don't see how anything BUT
certification could work.