Is It Really Encrypted When the Key Is Public and Automatic?

Obsolesce

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce imagine if you were a lock smith, and you sold someone a lock and key. And you told them about the strength of the key and promoted the lock as being so tough to break into. And then secretly made a kept a copy of that key, and then sold those copies to other people!

If you were a locksmith, everyone would demand you go to jail, of course. Exactly the same here.

Sure, that sounds illegal to me... but again, I don't know exactly what they are claiming to do, actually doing, selling, tos/eula/etc.

scottalanmiller

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce imagine if you were a lock smith, and you sold someone a lock and key. And you told them about the strength of the key and promoted the lock as being so tough to break into. And then secretly made a kept a copy of that key, and then sold those copies to other people!

If you were a locksmith, everyone would demand you go to jail, of course. Exactly the same here.

Sure, that sounds illegal to me... but again, I don't know exactly what they are claiming to do, actually doing, selling, tos/eula/etc.

They are selling their system as described: they are promoting the customer's data as being encrypted. Then selling that same encryption key to their competitors.

JasGot

My thoughts.

Legally, the data is encrypted and can be advertised as such. No laws broken.

Now, here is where you can go after the vendor, with a single word: "Negligence."

The vendor will be found profoundly negligent in the way they designed their software.

DustinB3403

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce imagine if you were a lock smith, and you sold someone a lock and key. And you told them about the strength of the key and promoted the lock as being so tough to break into. And then secretly made a kept a copy of that key, and then sold those copies to other people!

If you were a locksmith, everyone would demand you go to jail, of course. Exactly the same here.

Sure, that sounds illegal to me... but again, I don't know exactly what they are claiming to do, actually doing, selling, tos/eula/etc.

They are selling their system as described: they are promoting the customer's data as being encrypted. Then selling that same encryption key to their competitors.

It's all still encrypted, just with a horribly thought out process for encryption.

scottalanmiller

@DustinB3403 said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce imagine if you were a lock smith, and you sold someone a lock and key. And you told them about the strength of the key and promoted the lock as being so tough to break into. And then secretly made a kept a copy of that key, and then sold those copies to other people!

If you were a locksmith, everyone would demand you go to jail, of course. Exactly the same here.

Sure, that sounds illegal to me... but again, I don't know exactly what they are claiming to do, actually doing, selling, tos/eula/etc.

They are selling their system as described: they are promoting the customer's data as being encrypted. Then selling that same encryption key to their competitors.

It's all still encrypted, just with a horribly thought out process for encryption.

It is, but the key is stored with it. If you weld a key in a lock, it becomes a door knob. That's the scenario here, there is never a time that the data is encrypted without the ability to read it.

scottalanmiller

@JasGot said in Is It Really Encrypted When the Key Is Public and Automatic?:

Legally, the data is encrypted and can be advertised as such. No laws broken.

Is this true? In no other context would this be legal. Using "encryption" to refer to something that requires nothing secret to read has never been legal. If it was, you could use it to refer to all data, because everything has to be encoded to be on a computer. Whether it is stored in ASCII or in a file system or XML, that's all encryption by that definition. That's all that it is here, just a weird format but one that involves zero security.

If you pulled that with HIPAA it would be black and white lying about the encryption. Why would this case be different than all other legal cases? What makes this special?

scottalanmiller

@JasGot said in Is It Really Encrypted When the Key Is Public and Automatic?:

Legally, the data is encrypted and can be advertised as such. No laws broken.

If a system uses a password, but enters the password automatically and never asks for it, is it still a password? In this case, uses never need the key to use the data... not even other users. The key is always presented automatically even if you separate the key from the data. The encoding is like ASCII, not like what the IT industry calls encryption.

Dashrender

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@JasGot said in Is It Really Encrypted When the Key Is Public and Automatic?:

Legally, the data is encrypted and can be advertised as such. No laws broken.

Is this true? In no other context would this be legal. Using "encryption" to refer to something that requires nothing secret to read has never been legal.

flip that on its ear - has it been specifically illegal? I'm guessing not.

Dashrender

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@DustinB3403 said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce imagine if you were a lock smith, and you sold someone a lock and key. And you told them about the strength of the key and promoted the lock as being so tough to break into. And then secretly made a kept a copy of that key, and then sold those copies to other people!

If you were a locksmith, everyone would demand you go to jail, of course. Exactly the same here.

Sure, that sounds illegal to me... but again, I don't know exactly what they are claiming to do, actually doing, selling, tos/eula/etc.

They are selling their system as described: they are promoting the customer's data as being encrypted. Then selling that same encryption key to their competitors.

It's all still encrypted, just with a horribly thought out process for encryption.

It is, but the key is stored with it. If you weld a key in a lock, it becomes a door knob. That's the scenario here, there is never a time that the data is encrypted without the ability to read it.

I think this is the closest analogy you've put forth so far - but welding is a bit to far, I simply think saying "leave the key in the lock" Because in that case, the key can be removed - just like the key can be removed from the local computer - doesn't matter than others have copies, or can get copies...

so run it from there - what are the legal liabilities?

scottalanmiller

@Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@DustinB3403 said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce imagine if you were a lock smith, and you sold someone a lock and key. And you told them about the strength of the key and promoted the lock as being so tough to break into. And then secretly made a kept a copy of that key, and then sold those copies to other people!

If you were a locksmith, everyone would demand you go to jail, of course. Exactly the same here.

Sure, that sounds illegal to me... but again, I don't know exactly what they are claiming to do, actually doing, selling, tos/eula/etc.

They are selling their system as described: they are promoting the customer's data as being encrypted. Then selling that same encryption key to their competitors.

It's all still encrypted, just with a horribly thought out process for encryption.

It is, but the key is stored with it. If you weld a key in a lock, it becomes a door knob. That's the scenario here, there is never a time that the data is encrypted without the ability to read it.

I think this is the closest analogy you've put forth so far - but welding is a bit to far, I simply think saying "leave the key in the lock" Because in that case, the key can be removed - just like the key can be removed from the local computer - doesn't matter than others have copies, or can get copies...

so run it from there - what are the legal liabilities?

You can't remove the key from the app, though. It's literally welded in. You'd have to remove the door, to remove the key.

scottalanmiller

@Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

so run it from there - what are the legal liabilities?

Can't. Key is required to be with the data for the app to run. It's inside the app, can't he separated.

scottalanmiller

@Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@JasGot said in Is It Really Encrypted When the Key Is Public and Automatic?:

Legally, the data is encrypted and can be advertised as such. No laws broken.

Is this true? In no other context would this be legal. Using "encryption" to refer to something that requires nothing secret to read has never been legal.

flip that on its ear - has it been specifically illegal? I'm guessing not.

Using a standard term to mean the complete opposite? Yes, that's generally illegal.

Dashrender

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

so run it from there - what are the legal liabilities?

Can't. Key is required to be with the data for the app to run. It's inside the app, can't he separated.

OK I misunderstood then.. gotcha..

scottalanmiller

@Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

so run it from there - what are the legal liabilities?

Can't. Key is required to be with the data for the app to run. It's inside the app, can't he separated.

OK I misunderstood then.. gotcha..

You CAN remove the key and make the data unreachable, even by yourself. but only by deleting the app entirely.

scottalanmiller

But anyone else with the app will have your key, so you can stop yourself from reading it, but you can't stop anyone else.

Obsolesce

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

so run it from there - what are the legal liabilities?

Can't. Key is required to be with the data for the app to run. It's inside the app, can't he separated.

Have you successfully been able to use it to decrypt other people's data?

DustinB3403

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

so run it from there - what are the legal liabilities?

Can't. Key is required to be with the data for the app to run. It's inside the app, can't he separated.

Have you successfully been able to use it to decrypt other people's data?

I don't know if that would be ethical to do specifically. But since there is apparently a demo environment if you could use your key to decrypt the demo data the proof is already sufficient while not exposing someone else's environment and data.

Obsolesce

@DustinB3403 said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

so run it from there - what are the legal liabilities?

Can't. Key is required to be with the data for the app to run. It's inside the app, can't he separated.

Have you successfully been able to use it to decrypt other people's data?

I don't know if that would be ethical to do specifically. But since there is apparently a demo environment if you could use your key to decrypt the demo data the proof is already sufficient while not exposing someone else's environment and data.

Is that what he did?

DustinB3403

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@DustinB3403 said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

so run it from there - what are the legal liabilities?

Can't. Key is required to be with the data for the app to run. It's inside the app, can't he separated.

Have you successfully been able to use it to decrypt other people's data?

I don't know if that would be ethical to do specifically. But since there is apparently a demo environment if you could use your key to decrypt the demo data the proof is already sufficient while not exposing someone else's environment and data.

Is that what he did?

I think he mentioned it in or near the OP, yes.

scottalanmiller

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

so run it from there - what are the legal liabilities?

Can't. Key is required to be with the data for the app to run. It's inside the app, can't he separated.

Have you successfully been able to use it to decrypt other people's data?

Yes, that's how we found it. Someone sent us their data asking us to decrypt it. Which we did so, without getting a key from them.