April 19, 2005

Spitzer - securing your data to become a crime?

Elliot Spitzer's office of the Attorney General has introduced a
package of legislation intended to "rein in identity theft." Well, good luck! But here's one thing that won't help:

  • Facilitating prosecutions against computer hackers by creating specific criminal penalties for the use of encryption to conceal a crime, to conceal the identity of another person who commits a crime, or to disrupt the normal operation of a computer;
  • What the AG probably doesn't realise is that efforts to suppress crypto are one of the core underlying factors that got us into this mess in the first place.

    The 'unintended consequences' of the US Government's war on crypto has over the years stifled the use of protection technologies in the Internet. Instead of being a basic technique that is used at every place and juncture, like a PIN, it is an arcane, difficult subject, only permitted to the elect few who dare to challenge the twin demons of the Crypto Guild and the USG's export restrictions. (Yes, that's right. The underlying weaknesses that create cyberterrorism and cyberwarfare and cracking are the President's executive orders. Nice one guys.)

    Since Unix sparked the open source revolution, the effect of the insecurity of the successive Executive Orders has been felt; the simple one was passwords which were originally encrypted by DES could not be encrypted in many Unix systems because DES couldn't be shipped. It took decades for that to sort itself out, and the message was clear: don't add strong security to your system because you won't be able to share it.

    The good uses of encryption far outweigh the bad uses. I'm not talking like 10%, I'm talking like 3 orders or more of magnitude. Crypto isn't like guns, where the only use of them is to shoot things. Crypto can be used for all sorts of governance, protection, and self-protection ideas. But stick a law on it, and the stuff slows to sludge. Another data point is the digital signature laws, which because they got passed in advance of any experience or understanding, basically killed the arisal of the technology in ordinary commerce.

    Not only is criminalising encryption a bad idea, and one guaranteed to reduce security as history shows, it's also completely opposed by the existing data protection law from California: if you encrypt the data, says California, then you do not have to notify. But if you encrypt the data, says New York, then you get an extra crime added on if you ever get in trouble yourself, and as every new yorker knows, Elliot Spitzer's got a reputation for wanting the data pursuant to some criminal investigation or other.

    Creating "extra super coverall" crimes like wire fraud, mail fraud and money laundering doesn't ever address the true problems. Only hard police work and luck addresses real crimes. But it certainly makes the life of the citizen and the task of the programmer much more difficult if they are too scared to use encryption.



    Spitzer Calls for Regulation of Information Brokers and
    Increased Penalties for Computer Hacking

    Attorney General Eliot Spitzer and representatives of consumer advocacy and crime victims organizations today urged the State Legislature to pass legislation to protect consumers' from identity theft and the unauthorized use of personal data.

    Spitzer has submitted a package of bills aimed at providing consumers better control over the dissemination of their personal information, strengthening government's ability to prosecute crimes leading to identity theft and increasing penalties for such crimes.

    "It has been said that the theft of one's identity and personal information is not a matter of 'if' but a matter of 'when'," Spitzer said. "New York State must enact reforms to strengthen consumers' ability to control personal information and to facilitate the prosecution of identity theft crimes."

    In February, the Federal Identity Theft Data Clearinghouse reported that 38 percent of all fraud claims in 2004 related to identity theft, and New York State ranked seventh in the nation in per-capita identity theft reports. Moreover, a national survey conducted by the Federal Trade Commission estimated that the number of victims in 2002 approached 10 million, including 663,300 New Yorkers.

    Spitzer noted that in the last nine weeks alone, numerous incidents have highlighted the issue including:

    * Two major information brokerage companies, ChoicePoint, Inc. and LexisNexis have admitted that data files of over 455,000 consumers were breached;
    * One of the world's largest financial institutions, Bank of America, confirmed that backup tapes containing personal data on 1.2 million accounts were missing;
    * Federal authorities confirmed an investigation into the electronic hacking theft of eight million credit card accounts from the processor of credit transactions for MasterCard, Visa, Discover and American Express;
    * A popular shoe store chain, DSW Shoe Warehouse admitted that customer credit information was stolen from over 100 of its stores; and
    * Approximately 180,000 GM Mastercard holders will soon receive notification that someone might have stolen their personal information in a data breach at Polo Ralph Lauren Inc.

    Spitzer's legislative proposals would address many of these incidents by:

    * Providing identity theft victims better control over their personal identifying information, including: allowing for "security freezes" on credit files; and providing significantly increased protections against a private company's disclosure of a customers' social security numbers;

    * Requiring companies to provide notice to individual consumers involved in instances in which a security breach has exposed personal information concerning 500 or more New Yorkers;

    * Facilitating the ability of victims to file criminal complaints with law enforcement agencies;

    * Requiring that information brokers notify consumers whenever a report containing personal information - such as telephone numbers, bank account information, income, medical information, driving record, and purchasing preferences - has been issued and mandating the disclosure include contact information of the entity that requested the report. The bill also would provide consumers access to their profiles compiled by information brokers;

    * Establishing statewide personal information "opt-out" lists, similar to the Telemarketing Do Not Call program, for consumers who want to ensure their confidential personal information is not disclosed;

    * Facilitating prosecutions against computer hackers by creating specific criminal penalties for the use of encryption to conceal a crime, to conceal the identity of another person who commits a crime, or to disrupt the normal operation of a computer;

    * Increasing criminal penalties for gaining unauthorized access through a computer to data about employment, salary, credit or other financial or personal information;

    * Facilitating prosecutions against hackers and others who surreptitiously gain access to computers, but do not steal or destroy computer material.

    For more information about identity theft or to file a complaint, consumers are encouraged to visit the Attorney General's website at www.oag.state.ny.us/consumer/consumer_issues.html or call his consumer help line at (800) 771-7755. Consumers also can go to Federal Trade Commission to file complaints by calling (877) IDTHEFT.

    Posted by iang at April 19, 2005 06:09 AM | TrackBack

    Who cares about Spitzer on this matter since he uses the law to bring cases against deep pockets namely financial institutions. The real authority is the Chinese government because the world belongs to them

    Posted by: James Nesfield at April 19, 2005 08:46 AM

    I'd want to see the draft legislation. It may be that what Spitzer is calling for is for encryption use to be an aggravating factor. If this is the case, I can (barely) see it being acceptable, at least for the purposes of discussion.

    After all, having a separate crime of aggravated battery, which a person commits if they intentionally strike somebody with a baseball bat rather than with their fist, puts no real restriction on the legitimate use of baseball bats.

    However, I fear that even the esteemed NY state legislature is incapable of understanding what the legitimate uses of encryption are, whereas they probably do know what the legitimate uses of a baseball bat are.

    Posted by: Chris Walsh at April 19, 2005 09:20 AM

    I understand some of the harms wrought by bad digital signature legislation, but what are some of the unintended consequences of the anti-crypto efforts? I know demonstrating a counter-factual is hard, but are there credible stories/research of what the internet and the financial infrastructure might look like now if the Powers That Were had dropped the fight early on?

    Chris: it would be interesting to apply some criminology econometrics work here about what possible deterrence stronger penalties would have against this sort of attack.

    Posted by: allan friedman at April 19, 2005 10:35 AM

    I'm looking for a quick comment on Spitzer's crackdown on encryption. I read your blog and thought you had smart stuff to say about it. Would you be willing to comment for a story I'm working on?


    Alex Haislip
    ahaislip at redherring dot com

    Posted by: A. Haislip at April 19, 2005 12:29 PM

    Interesting stuff, thanks for bringing it to my attention:


    Posted by: AHH at April 19, 2005 03:21 PM
    Post a comment

    Remember personal info?

    Hit preview to see your comment as it would be displayed.