| Thursday May 26th 2016

Encryption Legislation Goes Overboard


Bills pending in the Michigan and Washington state legislatures would mandate that personal information stored in business computers be “encrypted.” Legislatures are unwise to engage in such micro-management.

Pending Michigan Senate Bill (SB) 1022 would forbid a business from storing personally identifiable information in a database unless the information is encrypted. Similarly, in Washington State, pending House Bill (HB) 2574 would mandate that a business employ encryption when storing personal information on an Internet-connected computer server.

When a legislature specifies a technology like “encryption,” it goes beyond stating a goal and requiring that the goal be met. The legislature selects the precise technical means for reaching the goal. In other words, when a legislature dictates technical measures like “encryption,” it assumes the role of a professional engineer. But state legislatures are not qualified to provide professional engineering services!

Encryption is a powerful data security tool. But it is not necessarily always the best way to achieve a data security goal. The successful implementation of encryption in a specific setting involves many issues and trade offs. For example, a panel of security experts recently pointed out that the encryption of data in storage (as opposed to data in transit) raises vexing questions about the key infrastructure that underpins the encryption. When an enterprise encrypts lots of its stored data, a hacker has incentive to attack the encryption scheme’s key infrastructure. If the hacker can defeat the key infrastructure, she can deny the enterprise access to its data. That means the hacker can put the enterprise out of business, or blackmail the enterprise. Thus, the indiscriminate use of encryption may increase the overall social risk associated with stored private data.

Data security is a complex field of engineering. State legislatures should steer clear of it.

In 1995 the Utah legislature adopted pioneering legislation to stimulate growth of public key infrastructure. The legislature received lots of detailed advice from experts. The legislature crafted legislation that was very technically specific. At the time, and for several years thereafter, some experts hailed the Utah legislation as a model and as a great catalyst for e-commerce. However, it is safe to say today that the Utah Digital Signature Act of 1995 was an absolute bust. It achieved none of its goals. It was far too technically specific to be of any value to industry.

The Michigan and Washington legislatures should remember the Utah experience as they draft legislation. A wise legislature might require, for example, that businesses use “reasonable security procedures” (a general goal) rather than that they use “encryption” (a specific technology).

Related Posts: On this day...

Leave a Reply

You must be logged in to post a comment.