[Cryptography] FTC sues for crappy crypto

Jerry Leichter leichter at lrw.com
Fri Jan 8 15:05:33 EST 2016


>> The FTC can't make up rules for what goes into software.  No vendor is
>> under any obligation to include cryptography, strong or otherwise, and
>> I'd say that's as it should be:  Not every application *needs*
>> cryptography; not every buyer *wants* it.  But no seller is, or should
>> be, free to outright lie about what it's selling.
> 
> From the original post:
> "security protections in compliance with HIPAA rules"
> which would (indirectly?) mandate effective data protection...
There's no such thing as an indirect mandate.  You're either covered by HIPAA, or you aren't.  And HIPAA is surprisingly narrow.  (For example, college students have been unpleasantly surprised to learn that their records at campus health centers are *not* covered.)

Even if HIPAA were broader, the maker of an app is not itself receiving any health data, and it would be a stretch to cover them - any more than the manufacturer of the PC used to maintain the data is under any obligation to ensure that the PC has FDE turned on, is physically secured, what have you.

*Claiming that your app provides protection in compliance with HIPAA rules* doesn't bring you under HIPAA - but if it's a lie, the FTC can come after you for your false claim.  As, indeed, happened here.  The same would apply to a finance application claiming to provide "industry-standard encryption support" - assuming, as is surely by now the case, that everyone in the relevant industry understands what "industry-standard encryption support" is, and the application only implements ROT-13.

If the supplier removed all claims of HIPAA compliance, but marketed to dentists treating human beings within the US, the FDA would likely still go after them, claiming that their marketing, whether using the words or not, was clearly predicated on the assumption that those dentists would believe that they could use the system and stay within the legal limits.  (It might be a harder argument if the company fought back, but my guess is the FTC would win.)

If the supplier only marketed the software outside of the US, and some dentist bought it overseas and brought it home - as far as I can see, the dentist would be in trouble, but the company should be in the clear.
                                                        -- Jerry