Saving Puppies in Washington, D.C.
Last Wednesday I spent the day in D.C. visiting Senators and Representatives (or more often their staffers), to talk about data regulation broadly, and data privacy specifically -- how to protect credit card numbers and other personal information. There are at least half a dozen consumer data privacy bills in committee right now, so the timing was good. Afterwards, I had a chance to talk with some members of the media (see here and here).
I had two goals: first, to share the concerns that I heard from our large financial customers earlier in the week (see "Hacker hits up to 8M Credit Cards"); and second, to hear how Congress is thinking.
I was impressed with Congresswoman Zoe Lofgren's knowledge of encryption. When I worked at MIPS Computer in 1986 as the junior-most computer programmer, I was frustrated with US export law. It was illegal for us to ship standard Unix encryption out of the country, even though it was based on the "Enigma Code" that Germany used in World War II and that Alan Turing cracked during World War II. We had to do painful work-arounds to ship MIPS Unix out of the country. That made no sense to me, but I guess that's what happens when you put the Bureau of Alcohol, Tobacco and Firearms in charge of cryptography. (Cryptography was considered to be a "munition".) Lofgren was a part of a two-person Congressional team, one Republican and one Democrat, who fixed all that. (Nice to see bipartisanship actually solved a problem.)
That change related to our mission of promoting encryption for credit card protection. It used to be that export regulations made it tricky for US companies to develop and ship good encryption, and tricky for global companies to deploy encryption broadly. Now businesses—both inside the US and abroad—have access to high-powered military-grade encryption.
Our visits had two flavors: people representing locations where NetApp has offices, and people who are sponsoring privacy protection bills. The two types of visits had completely different feels. The first type was very friendly. "Hello Mr. Employer in my district or state. Wonderful to meet you. How can I help?"
The second type was much more interesting, at least from my technical/engineering perspective. The staffers responsible for the legislation weren't always the most technical people, but they were clearly quite familiar with the issues, including the use of encryption to protect data. Some bills specifically identified encryption as a practice that should be used, and others did not, but even for bills that weren't explicit, staffers indicated that "Of course banks should encrypt customer data." And they were interested in understanding the effect of their legislation on the corporations (our customers) that would need to implement it.
It seems unlikely that any of the bills will reach the floor this year, but I think there's a good chance that something will pass next year because both Republicans and Democrats want better protection for consumers. As Kevin Brown, the VP of Marketing at Decru (a NetApp company), likes to say, "Protecting consumer data is like saving puppies. Who is going to argue against saving puppies?"




