Is It Really Encrypted When the Key Is Public and Automatic?

scottalanmiller

@Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

So in this case, while not nearly as bad as most, it's actually ransonware, right?

Wouldn't that apply to any system that prevents you from extracting your data, unless you pay a fee?

If it does so by maliciously encrypting your data to their benefit, not yours, yes. Generally that's considered illegal. Hence the term "ransomware". It refers to using encryption to make you unable to access your own data so that you have to pay a ransom to get it back.

scottalanmiller

And, like a lot of ransomware, it also means that someone else has access to your data that you do not.

Kelly

In the state of Colorado the law is written such that if an encryption key is obtained the data is considered compromised.

DustinB3403

@Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

In the state of Colorado the law is written such that if an encryption key is obtained the data is considered compromised.

Obtained by whom? The customers, the vendors, someone else?

Does that mean if the rightful customer has the key, that they must consider their system compromised even though they should have the key?

scottalanmiller

@Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

In the state of Colorado the law is written such that if an encryption key is obtained the data is considered compromised.

That's the case in most places, I think, but good to know as we have loads of people in CO with this.

Kelly

@DustinB3403 said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

In the state of Colorado the law is written such that if an encryption key is obtained the data is considered compromised.

Obtained by whom? The customers, the vendors, someone else?

Does that mean if the rightful customer has the key, that they must consider their system compromised even though they should have the key?

It is a privacy law. If someone who is not authorized has both the data and the key the data is considered to have been exposed and the company is liable under HB11-1828. If the key is public then any access to the data would be considered a breach and exposure.

DustinB3403

@Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

not authorized

Gotcha, so it's not a poorly written law but only applies in the case of not authorized cases.

Kelly

@DustinB3403 said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

not authorized

Gotcha, so it's not a poorly written law but only applies in the case of not authorized cases.

Well, it will need to fleshed out via case law to determine what unauthorized really means and how you can verify the access or prove non access. The control is ahead of technology implementation in most organizations. We will see how it plays out. It is written in sufficiently broad terms that the access could be from an external access or an internal one.

scottalanmiller

@Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

@DustinB3403 said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

In the state of Colorado the law is written such that if an encryption key is obtained the data is considered compromised.

Obtained by whom? The customers, the vendors, someone else?

Does that mean if the rightful customer has the key, that they must consider their system compromised even though they should have the key?

It is a privacy law. If someone who is not authorized has both the data and the key the data is considered to have been exposed and the company is liable under HB11-1828. If the key is public then any access to the data would be considered a breach and exposure.

What if it was non-encrypted data, so that there was no key? Wouldn't that be the normal boat, and that's not an exposure.

scottalanmiller

The issue in this case is that the data is not required to be encrypted. But it's sold as a benefit. But it isn't like a HIPAA violation.

Obsolesce

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

False advertisement maybe at best IMO.

At best? Isn't giving YOUR keys away to other people fall under hacking laws? It's definitely not legal for them to keep, let alone distribute, your key.

Dunno. I'm not a lawyer specializing in privacy and data protection laws. I can only speculate based on general logic. I have no idea about their eula/tos/etc either.

Kelly

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

The issue in this case is that the data is not required to be encrypted. But it's sold as a benefit. But it isn't like a HIPAA violation.

So, the Colorado law and some other state laws (may include CCPA) are mandating that certain PII data be encrypted. HB11-1824 has very few teeth to it at this point until someone gets breached, but I don't want to be the test case for the DA to try it out on.

DustinB3403

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

False advertisement maybe at best IMO.

At best? Isn't giving YOUR keys away to other people fall under hacking laws? It's definitely not legal for them to keep, let alone distribute, your key.

Dunno. I'm not a lawyer specializing in privacy and data protection laws. I can only speculate based on general logic. I have no idea about their eula/tos/etc either.

Most lawyers shouldn't be the expert either. .

scottalanmiller

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

False advertisement maybe at best IMO.

At best? Isn't giving YOUR keys away to other people fall under hacking laws? It's definitely not legal for them to keep, let alone distribute, your key.

Dunno. I'm not a lawyer specializing in privacy and data protection laws. I can only speculate based on general logic. I have no idea about their eula/tos/etc either.

General logic would say that selling someone a key based on a promise to protect them, then selling that same key to someone else to undermine the security that they just sold to you, is not just a civil problem, but a criminal one. Selling access to other peoples' data is highly illegal.

scottalanmiller

@Obsolesce imagine if you were a lock smith, and you sold someone a lock and key. And you told them about the strength of the key and promoted the lock as being so tough to break into. And then secretly made a kept a copy of that key, and then sold those copies to other people!

If you were a locksmith, everyone would demand you go to jail, of course. Exactly the same here.

Obsolesce

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce imagine if you were a lock smith, and you sold someone a lock and key. And you told them about the strength of the key and promoted the lock as being so tough to break into. And then secretly made a kept a copy of that key, and then sold those copies to other people!

If you were a locksmith, everyone would demand you go to jail, of course. Exactly the same here.

Sure, that sounds illegal to me... but again, I don't know exactly what they are claiming to do, actually doing, selling, tos/eula/etc.

scottalanmiller

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce imagine if you were a lock smith, and you sold someone a lock and key. And you told them about the strength of the key and promoted the lock as being so tough to break into. And then secretly made a kept a copy of that key, and then sold those copies to other people!

If you were a locksmith, everyone would demand you go to jail, of course. Exactly the same here.

Sure, that sounds illegal to me... but again, I don't know exactly what they are claiming to do, actually doing, selling, tos/eula/etc.

They are selling their system as described: they are promoting the customer's data as being encrypted. Then selling that same encryption key to their competitors.

JasGot

My thoughts.

Legally, the data is encrypted and can be advertised as such. No laws broken.

Now, here is where you can go after the vendor, with a single word: "Negligence."

The vendor will be found profoundly negligent in the way they designed their software.

DustinB3403

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce imagine if you were a lock smith, and you sold someone a lock and key. And you told them about the strength of the key and promoted the lock as being so tough to break into. And then secretly made a kept a copy of that key, and then sold those copies to other people!

If you were a locksmith, everyone would demand you go to jail, of course. Exactly the same here.

Sure, that sounds illegal to me... but again, I don't know exactly what they are claiming to do, actually doing, selling, tos/eula/etc.

They are selling their system as described: they are promoting the customer's data as being encrypted. Then selling that same encryption key to their competitors.

It's all still encrypted, just with a horribly thought out process for encryption.

scottalanmiller

@DustinB3403 said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce imagine if you were a lock smith, and you sold someone a lock and key. And you told them about the strength of the key and promoted the lock as being so tough to break into. And then secretly made a kept a copy of that key, and then sold those copies to other people!

If you were a locksmith, everyone would demand you go to jail, of course. Exactly the same here.

Sure, that sounds illegal to me... but again, I don't know exactly what they are claiming to do, actually doing, selling, tos/eula/etc.

They are selling their system as described: they are promoting the customer's data as being encrypted. Then selling that same encryption key to their competitors.

It's all still encrypted, just with a horribly thought out process for encryption.

It is, but the key is stored with it. If you weld a key in a lock, it becomes a door knob. That's the scenario here, there is never a time that the data is encrypted without the ability to read it.