20

I called customer service of a well known company and discovered that the operator had the ability to view my website password in clear text on her screen.

I asked her about this and she defended the policy saying it was for FCC (Federal Communications Commission in the USA) compliance.

I've never heard of this requirement, and would love to know if any industry is required to keep a clear text version of the password, or if the IT manager responsible for this is referenced in this popular SO question.

Is there any legitimacy to the representative's claim that a clear-text password is required by law?

Update 1:

I called the manager for more information. Their reasoning for knowing the cleartext password is related to "CPNI", or Customer Proprietary Network Information. I will need to research this topic more.

makerofthings7
  • 2
    What industry does the "well known company" do business in? The context could help a bit here, though I'm still not familiar with *any* FCC regulations requiring passwords to be *stored* in the clear. – Iszi Aug 02 '11 at 16:01

6 Answers

18

The only instance where I can think of the FCC requiring that a password be clear is related to amateur radio, and even that isn't truly the case.

In six years at an audit firm, and in everything I've ever read including a lot of court briefings, I've never heard anything that hints that such madness is actually justified anywhere.

It's not uncommon for CSRs to do a bit of social engineering. Their job is often much easier if they say it's required by something outside their company.

Jeff Ferland
  • I'd be interested to hear your explanation of "even that isn't truly the case". I thought all ham transmissions had to be in the clear? – Iszi Aug 02 '11 at 15:58
  • 4
    97.1 13(a)(4) prohibits "messages in codes or ciphers intended to obscure the meaning thereof." A password's meaning is not obscured by encrypting it. One can't operate a secured channel, but one can transmit coded information where the meaning is clear, such as a challenge and response password exchange. – Jeff Ferland Aug 02 '11 at 17:26
  • I think the legality of that is highly debatable, but it's probably unlikely that the case will ever actually come up or that it would be brought to the FCC's notice if it did. – Iszi Aug 03 '11 at 13:15
  • 3
    @Iszi - Jeff is correct here, it is the equivalent of a transmission in the form `A:` "Authenticate Bravo X-Ray 3 1 2" / `B:` "Bravo X-Ray 3 1 2 I Authenticate Juliet Whiskey 7 4 9". You have no idea what the challenge/response mean without the authentication cypher's key, but it's clear it's a challenge/response to authenticate the communicating party. You cannot however have the *remainder* of the conversation in code - that must be in-the-clear. – voretaq7 Aug 04 '11 at 19:04
7

BBC has an article on huge companies challenging the French government over a new law requiring them to hand over passwords to law enforcement on demand.

The government later claimed that it is sufficient to provide other credentials allowing access to the account in question. (Sorry, I cannot find an English source for this right now, without spending more time on it).

It is common for internet service providers to store passwords in clear text, as I explained in this answer, for the technical reason of supporting old protocols.

Hendrik Brummermann
7

I don't know. I confess my first guess would be baloney or misunderstanding of the law.

In my experience, it is not uncommon for companies with dumb policies to blame those policies on security or on the federal government. Sometimes folks are acting in good faith and are just confused about what the law or security actually requires. Sometimes it is a calculated excuse to make customers shut up and deflect complaints.

(You can even see this on airplanes, where airplane attendants will tell you to do all sorts of things in the name of security (e.g., "for security, only use the lavatory in your ticketed cabin"), when there is actually no government regulation or reasonable security justification requiring that.)

Of course, there could actually be some stupid regulation requiring this -- but I'm pretty skeptical.

I would try to get a citation to the specific law or regulation (not just "it has to do with CPNI"). You could also try asking for the name of the government agency that they claim issues those regulations, then call up that agency to ask them point-blank if that's something they require and ask them for a citation and a copy of the regulation. In my experience, if I'm able to look at the actual regulation, it's not unusual to find that it doesn't actually require what people think or say it does.

D.W.
  • Actually in the U.S. "Federal Aviation Regulations require passenger compliance with the lighted passenger information signs, posted placards, areas designated for safety purposes as no smoking areas, and crewmember instructions with regard to these items." [Sec. 121.571](http://rgl.faa.gov/Regulatory_and_Guidance_Library/rgFAR.nsf/0/71ab32e8a7261e2386256ecf004e3ab1!OpenDocument) If the crewmembers make the safety rules for your flight, it's difficult to object. – this.josh Aug 03 '11 at 01:37
  • 3
    @this.josh, no, that is not justification. That makes clear that crew members (or the carrier) *could* refrain from requiring passengers to abide by this restriction -- but they don't, because it suits their own interests better to impose this restriction. Their real reason has nothing to do with security (it has to do with protecting the revenue and quality of their first-class cabin), but they blame it on security to try to defuse criticism and deflect blame. That's cynical, but it's common. (To be clear, I support that particular rule, but I oppose lying about the justification.) – D.W. Aug 03 '11 at 06:39
6

I am not qualified to offer legal advice. If you need legal assistance please consult with an appropriate practitioner.

EPIC's interpretation of "222. Privacy of customer information" seems to indicate that a password is not part of Customer proprietary network information (CPNI).

(h)

(1) The term “customer proprietary network information” means—

(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and

(B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier;

My guess is that your password is not printed on your bill, so that rules out part B.

I can't figure out how a password relates to a telecommunications service except to provide security for the information describing that service, so that seems like it is not part A either.

this.josh
2

Company Explanation is Wrong

I used to work for a telco, and that is utterly wrong.

First of all, yes, they are required to authenticate you somehow. That much is true.

The telco can face severe penalties for disclosing CPNI without authenticating the caller or web site user properly. We're talking thousands of dollars per violation.

A Right Way and A Wrong Way

However, there is no reason to display your web password in clear text. There are many ways to authenticate callers without a password---and even if they choose to use a visible PIN/password, it should not be the same password used to access web portals, email, etc.

Possible Alternative Explanation

Either they have made a terrible security decision in their attempt to comply with the law, or else you mistakenly supplied the same password for both web portal access and account management.

To see where the error was made, simply change your web password. If the agent sees this new password the next time you call, then the company has made a huge mistake. This would only be a security lapse, however, not a violation of law.

DoubleD
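As an added illustration of the separation DoubleD describes (example code, not from the original answer or from any real telco system), the web password and a separate phone PIN are each stored only as salted one-way hashes, so the agent's screen can show whether a caller authenticated but can never display the password; it also models the "change your web password and call again" check. The account record, field names and PBKDF2 parameters are assumptions for this example.

```python
import hashlib
import hmac
import os

# Slow, salted, one-way hash (PBKDF2-HMAC-SHA256 from the standard library).
# Nothing stored in the record can be turned back into the original secret.
def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _verify(secret: str, salt: bytes, expected: bytes) -> bool:
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(_hash_secret(secret, salt), expected)

def create_account(name: str, web_password: str, phone_pin: str) -> dict:
    # Constructed account record: two independent secrets, two independent salts.
    web_salt, pin_salt = os.urandom(16), os.urandom(16)
    return {
        "name": name,
        "web_salt": web_salt,
        "web_hash": _hash_secret(web_password, web_salt),
        "pin_salt": pin_salt,
        "pin_hash": _hash_secret(phone_pin, pin_salt),
    }

def web_login(account: dict, password: str) -> bool:
    # Portal login checks only the web password hash.
    return _verify(password, account["web_salt"], account["web_hash"])

def csr_authenticate_caller(account: dict, spoken_pin: str) -> bool:
    # The agent verifies the caller against the phone PIN only; the web
    # password is never consulted, so reusing it here does not work.
    return _verify(spoken_pin, account["pin_salt"], account["pin_hash"])

def csr_screen(account: dict) -> dict:
    # Everything an agent's screen may show: identity fields and a boolean,
    # never a secret or anything a secret can be recovered from.
    return {"name": account["name"], "pin_on_file": account["pin_hash"] is not None}

def change_web_password(account: dict, new_password: str) -> None:
    # Rotating the web password changes nothing the agent can see.
    account["web_salt"] = os.urandom(16)
    account["web_hash"] = _hash_secret(new_password, account["web_salt"])
```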
0

To expand on D.W.'s answer in a slightly different direction, it could be that it is a faulty interpretation designed to "cover all the bases" and/or the interpretation of a vague/misleading requirement that they feel will cover themselves as completely as they can.

I work in Healthcare, specifically the Education department for a moderately large health system, and I've seen some really stupid education "requirements" come across my desk for either or both of the above. Usually there is a much more reasonable interpretation that meets all the stated requirements of the regulation or certification, but some people just aren't satisfied if it isn't the most convoluted and/or absurd interpretation.

AnonJr