
There's no way to say this gently, so I'll just come out and say it: the federal Michigan legislature has, in effect, banned certain firewalls and other means of encrypting private information.
Similar legislation has reportedly been enacted in Delaware, Illinois, Maryland and Virginia, and measures are pending in several other states, including Massachusetts and Texas.
Carel Alberts, technology editor, ITWeb
Say "what" three times, and you're in the picture. It's the kind of announcement that a seasoned industry watcher has trouble taking seriously.
Is it for real? Should one let sleeping dogs lie? Or is it better to lift the lid, hoping that good sense will prevail if it is exposed for the joke that it is?
The law in question is a Michigan state law called Act 328. It might have been an April Fools' joke, government-style and therefore duly late. But alas, it is real, and it states, in one example of a host of provisions, that users may not conceal the origin or destination of their communications.
What does this mean for e-mail users and corporate networks? "If you send or receive your e-mail via an encrypted connection (in Michigan), you're in violation, because the 'To' and 'From' lines of the e-mails are concealed from your ISP by encryption," says Princeton computer scientist Ed Felten, who broke the news and tracks developments on his Web site.
Far worse is the fact that network address translation (NAT), a widely used enterprise security technology, operates by translating the "From" and "To" fields of Internet packets, thereby concealing the source or destination of each packet and violating these bills. Most security firewalls use NAT, so if you use a firewall, you're in violation.
Think before you ink
Lawmakers sometimes don't know their own power. They have the power to up-end whole industries, causing years of damage. Every lawmaker should have a Post-it on his or her desk as a reminder of Plato's admonition that the king should be a philosopher, or the philosopher king.
Jurists know that legislation is only one source of the law. Coming as it does from the top down, it had better be informed about its subject, which quite often reaches beyond just the law, into other areas such as technology.
Laws should of necessity be narrow in application. If the lawmaker intends to ban one thing, it should not unintentionally ban a slew of other things at the same time. Usually, a lawmaker takes more than passing cognisance of the necessary exceptions. It doesn't blithely ban, say, abortion, without bearing in mind things like the mental health of the mother, non-consensual intercourse or other considerations, humane or ethical or otherwise.
Perhaps the intention here was to ensure that the identity of senders and receivers of communication can be known, for the greater good. But, with respect, banning security technology without suggesting alternative methods of allowing communications to stay secure, such as key escrow, where a trusted third party holds the key to a sender's encrypted communications, is just clueless.
But, the law has spoken and now it is up to a napping US ICT industry to protest and pick up the pieces.
Perhaps the SA communications ministry will, when its turn comes, try to make sure it has all the bases covered before it expounds on similar issues.
Note that I'm not asking it to get it right the first time either. As with the domain name authority botch-up, I suppose it's all right if the process runs and re-runs a few times so long as the eventual pronouncement is more or less in this realm.