Re: Database Encryption (now required by law in Italy)

From: Silvana Di Martino <silvanadimartino(at)tin(dot)it>
To: "Peter Galbavy" <peter(dot)galbavy(at)knowtion(dot)net>, <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Database Encryption (now required by law in Italy)
Date: 2004-03-08 20:16:20
Message-ID: 200403081831.19978.silvanadimartino@tin.it
Lists: pgsql-admin

At 12:30, Monday 8 March 2004, Peter Galbavy wrote:
> Silvana Di Martino wrote:
> > Oracle has a system similar to pgcrypto but more sophisticated. I do
> > not know if it can use encrypted indexes, encrypted dates and
> > encrypted times (it is likely but I did not try, yet). It stores
> > its "global encryption password" into a system table in encrypted
> > form. Only authenticated users can decrypt data.
>
> This can then be broken. Anything that does without some sort of human
> intervention is waiting to be hacked one way or another.

You are right, of course. To have a reasonably robust system, (at least) we
should keep the "password's password" on a separate (and well-protected)
server and access it via SSH or SSL when needed.

> I cannot speak or read Italian, so any reference to an English version of
> the legislation or analysis of it would be greatly appreciated.

Being Italian law, addressed to Italian speakers, no English translation is
available. I cannot translate it because of lack of time. Sorry...

> 1. Some countries within the EU still have national laws, unless I blinked
> and they disappeared, that mandate some control over cryptography.
> Historically, France was certainly one - anyone with current specifics ?
> This leads to a potential conflict if the EU mandates in any way that
> countries must require _encryption_ (as opposed to strong protection) of
> personal data by data controllers (i.e. every incorporated business and many
> sole traders that I know of).

Our government has been discussing this topic for a long time, and it seems
possible that cryptography will be prohibited. How they hope to reconcile
this prohibition with the requirement to use cryptography to protect personal
data is beyond my ability to understand the human logic.

> 2. I have been unable to find, as an amateur with interests in the subject,
> a *single* instance of a prosecution under Data Protection laws in the UK.
> Lots of "enforcement by discussion and threat" and stuff, but no court time
> to test the laws directly. Probably don't know the right places to look.
> Again, anyone with real data for the UK and the EU in general for how
> existing Data Protection laws have been enforced ?

I can tell you for sure that we never had any actual prosecutions in Italy,
neither under the "old" law (675/96) nor under the "new" one (196/03). This
does not mean that we will not see any prosecution in the future, as well. A
company that violates the new law can receive a 35.000 euro fine, and this
money can be a strong motivation for our government.

See you
-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
alessandrobottoni(at)interfree(dot)it
silvanadimartino(at)tin(dot)it
