precedence: bulk
Subject: Risks Digest 29.13

RISKS-LIST: Risks-Forum Digest  Thursday 26 November 2015  Volume 29 : Issue 13

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.13.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

Contents:
HIPAA Settlement Reinforces Lessons for Users of Medical Devices (HHS)
China Cuts Mobile Service of Xinjiang Residents Evading Internet Filters (*NYTimes*)
Who's right on crypto? An American prosecutor or a Lebanese coder? (Kieren McCarthy)
Sneaky Microsoft renamed its data slurper before sticking it back in Windows 10 (*The Register*)
Black Friday Falters as Consumer Behaviors Change (*NYTimes*)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 25 Nov 2015 22:33:38 -0500
From: Monty Solomon <monty@roscom.com>
Subject: HIPAA Settlement Reinforces Lessons for Users of Medical Devices (HHS)

Lahey Hospital and Medical Center (Lahey) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Lahey will pay $850,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/LAHEY/index.html
http://www.hhs.gov/about/news/2015/11/25/hipaa-settlement-reinforces-lessons-users-medical-devices.html
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/LAHEY/lahey.pdf

------------------------------

Date: Thu, 26 Nov 2015 01:10:51 -0500
From: Monty Solomon <monty@roscom.com>
Subject: China Cuts Mobile Service of Xinjiang Residents Evading Internet Filters (NYTimes)

http://www.nytimes.com/2015/11/24/business/international/china-cuts-mobile-service-of-xinjiang-residents-evading-internet-filters.html

People who had downloaded foreign messaging services and other software were said to be targeted, as part of a new measure in the country's fractious western territory.

------------------------------

Date: Wed, 25 Nov 2015 07:53:38 -0800
From: Henry Baker <hbaker1@pipeline.com>
Subject: Who's right on crypto? An American prosecutor or a Lebanese coder? (Kieren McCarthy)

"Encryption is about mathematics, not policy."

"When you make a credit card payment or log into Facebook, you're using the same fundamental encryption that, in another continent, an activist could be using to organize a protest against a failed regime."

"It's not something that we're not smart enough to do; it's something that's mathematically impossible to do. I cannot backdoor software specifically to spy on jihadists without this backdoor applying to every single member of society relying on my software."

"politicians are now furiously trying to move the needle back to where they were most comfortable: secret access to huge amounts of information."

Kieren McCarthy, *The Register*, 24 Nov 2015
Who's right on crypto: An American prosecutor or a Lebanese coder?
District attorney and encrypted chat app dev sound off on privacy
http://www.theregister.co.uk/2015/11/24/perspectives_on_encryption/

Special report

The debate over encryption has become particularly intense following the deadly attacks in Paris.
Politicians, police, and government agents insist the encryption in our software and gadgets be limited. Tech companies and programmers insist the encryption be implemented fully securely.
http://www.theregister.co.uk/2015/11/20/tech_companies_against_weaker_encryption/

This past week, there have been two posts from opposite ends of this debate, both argued passionately and eloquently, that highlight the complexities around the issue.

One comes from Manhattan's District Attorney and is a 42-page report [PDF] making the case for law enforcement access to smartphones; the second is a blog post from a 25-year-old Lebanese security researcher living in Paris whose secure chat app has become the focus of media interest after the recent attacks.
http://manhattanda.org/sites/default/files/11.18.15%20Report%20on%20Smartphone%20Encryption%20and%20Public%20Safety.pdf
https://nadim.computer/2015/11/23/on-encryption-and-terrorists.html

The question is: who's right? The American prosecutor or the Lebanese coder?

The two questions

The debate boils down to two basic questions. One: should investigators be able to get hold of communication data if they strongly feel it will solve a crime? And two: how would that system actually work?

With few exceptions, almost everyone agrees that, yes, the police and Feds should be able to access information that will assist in sending down criminals, so long as there are adequate measures to prevent the system from being abused.

The problem comes with the second question: how is it actually done? And here lies the problem, because the answer to that question in many respects overrides the first.

Encryption is about mathematics, not policy. If you create a system that makes data accessible only to Alice and Bob, and inaccessible to Eve, and you then try to ensure the data is somehow accessible to people indistinguishable from Eve, you have to purposefully break the system. And that break, no matter how eloquently implemented, is still a break.
Once it is there, it cannot go away.

Technologists and coders have become increasingly outspoken about the fundamentally flawed logic of creating an encryption system with a hole in it, in significant part because Edward Snowden revealed the lengths to which the US government was prepared to go to access all data. Previously, tech companies had reached an uneasy agreement that they would include carefully designed holes in their systems so information could be