Re: Database Encryption (now required by law in Italy) - Mailing list pgsql-admin

From Peter Galbavy
Subject Re: Database Encryption (now required by law in Italy)
Date
Msg-id 006f01c40509$3807b410$152ca8c0@petersdesktopho
In response to Re: Database Encryption (now required by law in Italy)  (<lnd@hnit.is>)
Responses Re: Database Encryption (now required by law in Italy)
List pgsql-admin
Silvana Di Martino wrote:
> Oracle has a system similar to pgcrypto but more sophisticated. I do
> not know if it can use encrypted indexes, encrypted dates and
> encrypted times (it is likely but I did not try it, yet). It stores
> its "global encryption password" into a system table in encrypted
> form. Only authenticated users can decrypt data.

This can then be broken. Anything that does so without some sort of human
intervention is waiting to be hacked one way or another.

> BTW: It looks like I'm the only one here facing this problem. That's
> surprising, given the number of countries that have a law like the
> italian one and the wide diffusion of PostgreSQL.

I cannot speak or read Italian, so any reference to an English version of
the legislation or analysis of it would be greatly appreciated.

As some background to my next comments, for those not in the EU, there is a
lot of inconsistency in the way that member countries implement EU
directives. These glaring differences sometimes, no scratch that: ALWAYS,
cost taxpayers dear, while the legislators and the civil and criminal
justice systems sort issues out after the fact, and at great cost.

Two observations in this light:

1. Some countries within the EU still have national laws, unless I blinked
and they disappeared, that mandate some control over cryptography.
Historically, France was certainly one - anyone with current specifics?
This leads to a potential conflict if the EU mandates in any way that
countries must require _encryption_ (as opposed to strong protection) of
personal data by data controllers (i.e. every incorporated business and many
sole traders that I know of).

2. I have been unable to find, as an amateur with interests in the subject,
a *single* instance of a prosecution under Data Protection laws in the UK.
Lots of "enforcement by discussion and threat" and stuff, but no court time
to test the laws directly. Probably don't know the right places to look.
Again, anyone with real data for the UK and the EU in general for how
existing Data Protection laws have been enforced?

rgds,
--
Peter
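The point made above about the "global encryption password" being stored in a system table is that whatever the database can decrypt on its own, an attacker with the database (or a backup of it) can decrypt too. The following is an added example, not code from this thread or from the pgcrypto project, showing the alternative with PostgreSQL's pgcrypto: the passphrase is supplied by the client for the session and never written to any table. The table, column, sample row and passphrase are all made up for illustration; the functions `pgp_sym_encrypt`, `pgp_sym_decrypt` and `hmac` are real pgcrypto functions.

```sql
-- Added example (not from the original thread). Requires the pgcrypto
-- extension; table, column names and sample data are assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE patient (
    id        serial PRIMARY KEY,
    name      text  NOT NULL,
    diagnosis bytea NOT NULL   -- ciphertext (OpenPGP symmetric message)
);

-- The passphrase is a psql variable here; in an application it would be a
-- bind parameter entered by a human or fetched from a key store outside
-- the database. It is never stored in any table.
\set key 'correct horse battery staple'

INSERT INTO patient (name, diagnosis)
VALUES ('Mario Rossi',
        pgp_sym_encrypt('hypertension', :'key', 'cipher-algo=aes256'));

-- A DBA, or anyone holding a dump of the table, sees only ciphertext:
SELECT id, name, encode(diagnosis, 'hex') AS ciphertext FROM patient;

-- Decryption needs the passphrase again; nothing in the database
-- (system tables included) can recover it.
SELECT id, name, pgp_sym_decrypt(diagnosis, :'key') AS diagnosis
FROM patient;

-- A wrong passphrase is rejected rather than returning garbage:
SELECT pgp_sym_decrypt(diagnosis, 'wrong') FROM patient;
-- ERROR:  Wrong key or corrupt data

-- Caveat: an encrypted column cannot be indexed for ordering or range
-- queries, and every encryption of the same plaintext differs. For
-- equality lookups keep a separate keyed hash of the plaintext, using a
-- key that is likewise supplied by the client and not stored:
ALTER TABLE patient ADD COLUMN diagnosis_tag bytea;
UPDATE patient
SET diagnosis_tag = hmac(pgp_sym_decrypt(diagnosis, :'key'), :'key', 'sha256');
CREATE INDEX patient_diagnosis_tag_idx ON patient (diagnosis_tag);

SELECT id, name FROM patient
WHERE diagnosis_tag = hmac('hypertension', :'key', 'sha256');
```

The keyed hash column is the trade-off the quoted question about "encrypted indexes" runs into: it allows exact-match lookups without decrypting every row, but it also reveals which rows share a value, and it still cannot support range or prefix searches.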
