[Hidden-tech] New Massachusetts Encryption Law

Andy Klapper andytk at charter.net
Mon Mar 2 10:11:04 EST 2009


There is no perfectly secure system except a computer with no network
connections, in a locked room, with a guard standing outside.

If you look at the law in more detail it is far more than just encrypting
the data.  There are sections about limiting the number of users that can
gain access to this information.  Requirements for periodic audits.  User
ids attached to all access events.  I only scanned it enough to know that I
don't want this kind of information in anything I work with; it's just too
much work to deal with.  If it makes sure that this information is stored
and used in fewer places, that would be a good thing.  There may be parts
that talk about Anti-virus/anti-spyware software and wireless networks; if
it isn't, write your state legislator and get it put in the law.  I agree
they would be good additions.

It may not be perfect, but if it prevents a laptop full of unencrypted
information from being stolen, if it prevents minimum wage temporary
employees from being able to see this information, if it detects somebody
that has access using that access significantly more than their job needs
to, if it just makes it significantly harder, I'll be happy.

I'd be even happier if I could freeze and unfreeze my credit at will,
without cost, say four times a year.  (Frozen credit means I cannot get a
loan or open up a new credit card account or buy something on in-store
credit).  Then you could print my social security number in the phone book
and it wouldn't matter.


Andy.

-----Original Message-----
From: hidden-discuss-bounces at lists.hidden-tech.net
[mailto:hidden-discuss-bounces at lists.hidden-tech.net] On Behalf Of
ussailis at shaysnet.com
Sent: Sunday, March 01, 2009 1:10 PM
To: hidden-discuss at lists.hidden-tech.net
Subject: Re: [Hidden-tech] New Massachusetts Encryption Law

   ** Be sure to fill out the survey/skills inventory in the member's area.
   ** If you did, we all thank you.


Unfortunately your (and my) driver's license number IS often copied down
when we cash a check. What is copied can be a Social Sec Number (not Mass
issued) or a Mass issued number used to prevent ID theft. Any thinking
person has changed to a Mass issued number by now.

Now these folks say that can't be stored, but it is still copied down at
the point-of-sale, entered into the banking system, and then stored in
digital form by the banking system. Oops.

And I can think of at least one method where the tracks of magnetic media
(think hard drive disks) can be mechanically read with the info stored as
an image of the magnetic domains, on paper.

Then this law does not address the real issue of keystroke loggers
infecting computers as has been done on a couple of high profile cases in
this state.

I believe the case where data was lost by unencrypted computers was the
fault of workers for the Commonwealth. They took their laptops home.
Wouldn't a simple procedure be to require that all State stored data be
locked up, in the manner as money is not left lying around?

Finally, any data that is wirelessly transmitted can easily be captured,
stored, and later decrypted. Here time is on the side of the electronic
capture. The data does not have to be decrypted in real time at all. In
fact, this data could be sent to thousands of unsuspecting computers for
decryption during their idle time, just as the SETI project is doing to
find life elsewhere. There goes the argument that a gazillion years are
required for decryption.

There has been a lack of thinking on Beacon Hill here. But that's nothing
new.


Jim Ussailis
jim at natrionalwireless.com

Original Message:
-----------------
From: Roger Williams roger at qux.com
Date: Fri, 27 Feb 2009 10:50:30 -0500
To: sreed at avacoda.com, hidden-discuss at lists.hidden-tech.net
Subject: Re: [Hidden-tech] New Massachusetts Encryption Law




>>>>> Scott Reed <sreed at avacoda.com> writes:

  > What is the definition of "personal data"?

201 CMR 17.00 defines it as:

  a Massachusetts resident's first name and last name or first initial and
  last name in combination with any one or more of the following data elements
  that relate to such resident: (a) Social Security number; (b) driver's
  license number or state-issued identification card number; or (c) financial
  account number, or credit or debit card number, with or without any required
  security code, access code, personal identification number or password, that
  would permit access to a resident's financial account; provided, however,
  that "Personal information" shall not include information that is lawfully
  obtained from publicly available information, or from federal, state or
  local government records lawfully made available to the general public.

-- 
Roger Williams <roger at qux.com>
Chief Technical Officer, Qux Corporation
433 West Street, Suite 8, Amherst, MA 01002, USA
Tel +1 413 253-6400 * Fax +1 508 302-0230 * GSM +1 508 287-1420
_______________________________________________
Hidden-discuss mailing list - home page: http://www.hidden-tech.net
Hidden-discuss at lists.hidden-tech.net

You are receiving this because you are on the Hidden-Tech Discussion list.
If you would like to change your list preferences, Go to the Members   
page on the Hidden Tech Web site.
http://www.hidden-tech.net/members

