Re: Database Encryption (now required by law in Italy)

From: "Peter Galbavy" <peter(dot)galbavy(at)knowtion(dot)net>
To: "Silvana Di Martino" <silvanadimartino(at)tin(dot)it>,<pgsql-admin(at)postgresql(dot)org>
Subject: Re: Database Encryption (now required by law in Italy)
Date: 2004-03-08 12:30:58
Message-ID: 006f01c40509$3807b410$152ca8c0@petersdesktopho
Lists: pgsql-admin
Silvana Di Martino wrote:
> Oracle has a system similar to pgcrypto but more sophisticated. I do
> not know if it can use encrypted indexes, encrypted dates and
> encrypted times (it is likely but I did not try, yet). It stores
> its "global encryption password" into a system table in encrypted
> form. Only authenticated users can decrypt data.

This can then be broken. Anything that does without some sort of human
intervention is waiting to be hacked one way or another.

> BTW: It looks like I'm the only one here facing this problem. That's
> surprising, given the number of countries that have a law like the
> Italian one and the wide diffusion of PostgreSQL.

I cannot speak or read Italian, so any reference to an English version of
the legislation or analysis of it would be greatly appreciated.

As some background to my next comments, for those not in the EU, there is a
lot of inconsistency in the way that member countries implement EU
directives. These glaring differences sometimes, no scratch that: ALWAYS,
cost taxpayers dear, while the legislators and the civil and criminal
justice systems sort issues out after the fact, and at great cost.

Two observations in this light:

1. Some countries within the EU still have national laws, unless I blinked
and they disappeared, that mandate some control over cryptography.
Historically, France was certainly one - anyone with current specifics?
This leads to a potential conflict if the EU mandates in any way that
countries must require _encryption_ (as opposed to strong protection) of
personal data by data controllers (i.e. every incorporated business and many
sole traders that I know of).

2. I have been unable to find, as an amateur with interests in the subject,
a *single* instance of a prosecution under Data Protection laws in the UK.
Lots of "enforcement by discussion and threat" and stuff, but no court time
to test the laws directly. Probably don't know the right places to look.
Again, anyone with real data for the UK and the EU in general for how
existing Data Protection laws have been enforced?

rgds,
--
Peter


Copyright © 1996-2014 The PostgreSQL Global Development Group