    Is It Really Encrypted When the Key Is Public and Automatic?

    IT Discussion
    encryption software legal
    • scottalanmiller

      So, here is a legal question. We know what encryption is, mostly, but there is also an implication to using the term. We've found some software that claims that they encrypt end user data in their software. And they do, sort of, but not in any meaningful way and I feel that from looking at what they have done that it's a legal issue that they are scamming their customers on security grounds. Let me explain the situation:

      Software vendor sells "encrypted data" as one of their features, they make it a big selling point on their web page. Their software does include an encryption key and does encrypt some data. However:

      1. It only encrypts a small portion of the data. Yes, the most critical parts, but not the majority of the data. Someone thinking that their data was protected could have nearly everything (95% or more) taken straight off of the disk without any encryption.
      2. The encryption key has no password and is just part of the software. So as long as you get the software (which has a free demo to download, so it is completely public) in any way the data automatically decrypts and someone looking to steal the data would never encounter it in its encrypted state. It is technically encrypted at rest, but the decryption key sits on the same resting location with the encrypted data. So even if you can't get the key from anywhere else, you always get it with the data anyway.
      3. The same key is used for every customer (and every demo). So not only is the data not effectively encrypted, but it is openly decrypted by the software vendor for any customer (or anyone that downloads the public demo) automatically. So automatic, that no one using the software would ever realize that they had decrypted something.
      4. The behaviour of the encryption is such that it acts like ASCII or SQLite: it's an on-disk format (which we used to call encryption), but not a security mechanism. Imagine if MS Notepad claimed to be "encrypting your data" and it turned out that it was just using ASCII. All data is encrypted if we use the term that way, clearly not what they are promoting in their marketing.

      Basically the analogy works like this: the software vendor is out there selling their special security. It's a key and lock system. But when they sell you the house, they weld the key into the door lock so that you cannot remove it. Anyone that walks up to your front door, even if it is locked, just turns the handle and it opens. The wind isn't going to blow it open, it's a dead bolt, but a dead bolt that opens automatically because the key cannot be removed. Is it truly a key if you can't remove it?

      But then, not only is the key welded into the lock, but every single neighbour in your entire city is forced to use the same lock and key, also welded in, in their doors. So even if you managed to get the key out, and they did too, absolutely everyone has a copy of your key. And, just in case that wasn't bad enough, they run a little shop where you can pop in anonymously and request your copy of the key even though you don't live there.

      This isn't HIPAA data, so there isn't a strict law about the data being encrypted or anything. But this sounds insanely illegal to me. Both in that they are falsifying the fact that the data is encrypted (in multiple ways falsifying this), and also that they then give away any protection to your data to random third parties without your permission. Even if they could argue that the data truly is encrypted, I think giving away your encryption key publicly is a pretty serious crime, because it is intentional.

      It's a bit like the story of the guy who insured his cigar collection against fire, then smoked them, and tried to collect. Yes, they were truly insured. Yes, it is legal to smoke them. But making an insurance claim against them was an arson charge.

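Added example (not part of the original post, and not the vendor's code): the first function pair models the design described in the post above, where one key ships inside every copy of the program, and the second derives a key from a customer passphrase for contrast. EMBEDDED_KEY, the function names and the toy HMAC keystream (a standard-library stand-in for a real AEAD such as AES-GCM) are assumptions made for illustration.

```python
import hashlib, hmac, os

# Constructed stand-in for the design in the post: one key compiled into
# every copy of the program, including the public demo (hypothetical value).
EMBEDDED_KEY = b"identical-in-every-install-and-demo"

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy HMAC-SHA256 counter-mode keystream, standing in for a real AEAD
    # such as AES-GCM so the example needs only the standard library.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

# Design from the post: the reader needs nothing the program does not already ship.
def embedded_store(record):
    return seal(EMBEDDED_KEY, record)

def embedded_load(blob):
    return unseal(EMBEDDED_KEY, blob)

# Contrast: the key exists only while the customer supplies a secret.
def passphrase_key(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 600_000)

def passphrase_store(passphrase, record):
    salt = os.urandom(16)  # per-file salt, stored beside the ciphertext
    return salt + seal(passphrase_key(passphrase, salt), record)

def passphrase_load(passphrase, blob):
    return unseal(passphrase_key(passphrase, blob[:16]), blob[16:])
```

With the embedded key, two different customers' files open through the same load call with no secret supplied; with the passphrase-derived key, a wrong passphrase fails the integrity check instead of returning data.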
      • scottalanmiller

        So you will ask "why would they bother to do any of this?" Good question, and the answer is actually pretty easy. There are two parts:

        Firstly, sales. They want to say that they have this "insert security buzzword here" that their customers don't actually understand so they do the simplest thing that allows them to reasonably claim that they attempted to do the thing. In a casual argument, they can demonstrate that one file on the disk is "encrypted" meeting the English language usage of the word, but not the intent of it.

        Secondly, obfuscation. By encrypting the core data that their customers use, they make it extremely cumbersome for the customers to back up and use their own data, making them effectively dependent on the vendor for expensive backup services and data migration services. The vendor can't legally stop the customer from owning their own data, but they can make it so hard to access it that they won't bother. It's a form of lock in. Anyone can casually extract data to hurt the customer, but the customer can't easily get their data en masse to leave the platform. So the encryption is actually an attack on the customers only, and in no way a form of protection of their data. It's purely malicious.

        • Dashrender

          @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

          es and data migration services. The vendor can't legally stop the customer from owning their own data, but they can make it so

          The lawyers be having a field day with this one - would rest solely on the judge or jury.

          • Obsolesce

            False advertisement maybe at best IMO.

            • scottalanmiller @Obsolesce

              @Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

              False advertisement maybe at best IMO.

              At best? Doesn't giving YOUR keys away to other people fall under hacking laws? It's definitely not legal for them to keep, let alone distribute, your key.

              • scottalanmiller @Obsolesce

                @Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

                False advertisement maybe at best IMO.

                Imagine if a company sold you a secure VPN solution. Then publicly gave away your key so that anyone could hack into your communications. That would be a crime.

                • flaxking

                  Another reason is ignorance. Thinking that's 'secure enough' without adding additional complexity to deployments.

                  • DustinB3403 @scottalanmiller

                    @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

                    @Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

                    False advertisement maybe at best IMO.

                    Imagine if a company sold you a secure VPN solution. Then publicly gave away your key so that anyone could hack into your communications. That would be a crime.

                    You mean like NordVPN losing their private keys?

                    • flaxking

                      It's a bad sign when questions about security from your clients have to go through your lawyer every time.

                      • scottalanmiller @DustinB3403

                        @DustinB3403 said in Is It Really Encrypted When the Key Is Public and Automatic?:

                        @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

                        @Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

                        False advertisement maybe at best IMO.

                        Imagine if a company sold you a secure VPN solution. Then publicly gave away your key so that anyone could hack into your communications. That would be a crime.

                        You mean like NordVPN losing their private keys?

                        Losing isn't the same as giving away knowingly.

                        • scottalanmiller @flaxking

                          @flaxking said in Is It Really Encrypted When the Key Is Public and Automatic?:

                          It's a bad sign when questions about security from your clients have to go through your lawyer every time.

                          Sadly, if their customers try to access their own data the vendor sues them. They claim that the customers don't have the right to use the public keys that they give away.

                          • Dashrender @scottalanmiller

                            @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

                            @flaxking said in Is It Really Encrypted When the Key Is Public and Automatic?:

                            It's a bad sign when questions about security from your clients have to go through your lawyer every time.

                            Sadly, if their customers try to access their own data the vendor sues them. They claim that the customers don't have the right to use the public keys that they give away.

                            Your client is running into that issue now?

                            And how did the vendor find out?

                            • scottalanmiller @Dashrender

                              @Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

                              @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

                              @flaxking said in Is It Really Encrypted When the Key Is Public and Automatic?:

                              It's a bad sign when questions about security from your clients have to go through your lawyer every time.

                              Sadly, if their customers try to access their own data the vendor sues them. They claim that the customers don't have the right to use the public keys that they give away.

                              Your client is running into that issue now?

                              And how did the vendor find out?

                              We know a client that is having this issue. He posts about it. They found out because he let others know how to access their own data and exposed that the encryption wasn't unique: that they all shared a single key.

                              The knowledge can be used, obviously, to sue the vendor out of existence (and it ties back to EMR stuff, so while this one key isn't HIPAA related, the company is) and can be used to migrate customer data off of their platforms (the real reason that they are trying to encrypt the data - to extort the customers for migration fees.)

                              • scottalanmiller

                                So in this case, while not nearly as bad as most, it's actually ransomware, right?

                                • G I Jones

                                  In this case would the definition of "encryption" be relevant? It's pretty vague as is. This is super fucked at any rate. I hope all the bad things in life happen to that company and only that company.

                                  • scottalanmiller @G I Jones

                                    @G-I-Jones said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                    In this case would the definition of "encryption" be relevant? It's pretty vague as is. This is super fucked at any rate. I hope all the bad things in life happen to that company and only that company.

                                    I think it does because the Fed defines encryption in all kinds of things like HIPAA.

                                    • Dashrender @scottalanmiller

                                      @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                      So in this case, while not nearly as bad as most, it's actually ransomware, right?

                                      Wouldn't that apply to any system that prevents you from extracting your data, unless you pay a fee?

                                      • scottalanmiller @Dashrender

                                        @Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                        @scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

                                        So in this case, while not nearly as bad as most, it's actually ransomware, right?

                                        Wouldn't that apply to any system that prevents you from extracting your data, unless you pay a fee?

                                        If it does so by maliciously encrypting your data to their benefit, not yours, yes. Generally that's considered illegal. Hence the term "ransomware". It refers to using encryption to make you unable to access your own data so that you have to pay a ransom to get it back.

                                        • scottalanmiller

                                          And, like a lot of ransomware, it also means that someone else has access to your data that you do not.

                                          • Kelly

                                            In the state of Colorado the law is written such that if an encryption key is obtained the data is considered compromised.
