Encryption not sufficient to protect personal data

I could hardly believe it when I read the latest developments on the negotiations of the EU Data Protection Regulation in an article on the German heise news site. Of course it is nice to hear that there is progress at all, but the suggestion to skip notifying the authorities in case of an incident if the data has been stored encrypted is nonsense. Encryption is an important piece of the puzzle, but it does not protect against many threats. It mainly helps when the device (server) is turned off or during data transfer. It does not help against the most common problems, like application vulnerabilities, unpatched servers, weak authentication or insecure passwords. A device might be easily hacked even though the data is encrypted. Trusting in encryption alone is like relying only on your car’s safety systems, such as the airbag, and not caring about traffic rules or speed limits: it won’t work.

Hopefully data protection experts do not let themselves be influenced too much by lobbyists and listen a bit more to people who understand how personal data is protected in real-life scenarios by a comprehensive approach supported by technology and processes.
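The point above, that encryption at rest does not help against an application vulnerability, shown as an added example (not code from the original post). The `RecordStore` class, the sample records and the toy keystream cipher are constructed for illustration; a real system would use a vetted AEAD such as AES-GCM.

```python
import hashlib
import os

# Constructed stand-in for encryption at rest (SHA-256 counter keystream XOR).
# Illustration only; a real system would use a vetted AEAD such as AES-GCM.
def keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))

def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

class RecordStore:
    """Records are encrypted on 'disk'; the running application holds the key."""
    def __init__(self):
        self.key = os.urandom(32)
        self.disk = {}  # record_id -> (owner, ciphertext)

    def put(self, record_id, owner, text):
        self.disk[record_id] = (owner, encrypt(self.key, text.encode()))

    def read_vulnerable(self, session_user, record_id):
        # Application flaw: no ownership check, so the app decrypts for anyone.
        _, blob = self.disk[record_id]
        return decrypt(self.key, blob).decode()

    def read_checked(self, session_user, record_id):
        # Hardened path: authorization is enforced before decryption.
        owner, blob = self.disk[record_id]
        if owner != session_user:
            raise PermissionError("not the record owner")
        return decrypt(self.key, blob).decode()

def build_store():
    # Constructed sample records.
    store = RecordStore()
    store.put(1, "alice", "alice: blood type A")
    store.put(2, "bob", "bob: salary 50000")
    return store

if __name__ == "__main__":
    s = build_store()
    print("on disk:", s.disk[2][1].hex())
    print("via flawed app, as alice:", s.read_vulnerable("alice", 2))
```

The bytes on disk are unreadable without the key, yet the flawed read path returns another user's record in plaintext, so "the data was stored encrypted" says nothing about whether an incident exposed it.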

IPEN workshop Berlin

On Friday the first workshop of the Internet Privacy Engineering Network (IPEN) took place in Berlin State Parliament with leading data protection experts like Peter Hustinx (European Data Protection Supervisor, EDPS), Peter Schaar (EAID), and several Data Protection Authority (DPA) representatives from all over Europe. IPEN was founded by Achim Klabunde (Head of IT Policy of the EDPS) and aims to build privacy into everyday tools and bring legal people and engineers closer together. George Danezis from University College London said he had never seen so many legal experts and engineers at one table and that this is promising for pushing privacy in software engineering. Carlo from Lynx stated that the internet is broken and surveillance cannot be prevented as long as we have insecure protocols.

Anyway, there are many more things to improve besides protocols, and quick wins are possible to reduce the misuse of personal data as practised by many companies nowadays. We from OWASP presented our initial version of the Top 10 Privacy Risks, which provides engineers and business architects with guidance and raises awareness of common privacy risks in web applications.

IPEN decided, among other things, to develop a privacy cookbook for engineers and one for business architects, and to start a project to boost secure communication for several channels like email and SMS. Further information about the event was published in a press release and on Twitter.

Top 10 Privacy Risks published

OWASP published Top 10 Privacy Risks for Web Applications:

  1. Web Application Vulnerabilities
  2. Operator-sided Data Leakage
  3. Insufficient Data Breach Response
  4. Insufficient Deletion of personal data
  5. Non-transparent Policies, Terms and Conditions
  6. Collection of data not required for the user-consented purpose
  7. Sharing of data with third party
  8. Outdated personal data
  9. Missing or Insufficient Session Expiration
  10. Insecure Data Transfer

Further details are provided on the project website.

Study on costs of NSA surveillance

New America’s Open Technology Institute published a paper on NSA’s Impact on Economy, Internet Freedom & Cybersecurity. NSA surveillance not only causes economic losses to US companies like cloud computing vendors or the defence industry because foreign companies and governments lose trust; it also undermines US foreign policy interests and causes additional costs to the Internet Freedom Agenda and to US credibility in Internet governance.

Furthermore, security standards on the internet are compromised and vulnerabilities are created. This might require costly initiatives to draw borders on the internet, like Deutsche Telekom's proposal for Schengen Routing or the European Cloud Partnership.

NSA surveillance major threat to fundamental rights

The alternative report on the protection of fundamental rights published by the German committee on fundamental rights and democracy considers mass surveillance by the NSA and other secret services to be one of the two major threats, besides the right-wing terror organization NSU (National Socialist Underground). The major threat to free democracies is moving away from outside attackers to an aggressive overreaction of the internal system, says one of the publishers, Rolf Gössner, in a German heise article. Furthermore, he states that the German government and justice refuse legal or political consequences for protection so far.

OWASP Top 10 Privacy Risks

I started the OWASP Top 10 Privacy Risks project together with a colleague. Its goal is to develop a top 10 list for privacy risks in web applications because currently there is no such catalog available. The list will cover technological and organizational aspects like missing data encryption or the lack of transparency. The project is open source and non-profit. Feel free to contribute!

Tips against governmental surveillance

Many people currently ask what to do against governmental surveillance (NSA spying) and some managers even think that standard security measures are useless because “the NSA has access to everything anyway”. But there are other attackers besides secret services and there are also things you can do against governmental surveillance. Here is my list of the most important things to consider:

  • Use encryption. The NSA is not able to read all encrypted data with reasonable effort and if you use the algorithms and key sizes recommended by ENISA you are quite secure. Furthermore there are tools for anonymized internet browsing like Tor and JonDo.
  • Choose European IT companies instead of US IT companies. It will not only help to lower the likelihood that your data leaks to the NSA, but also to put some economic pressure on US companies. US companies themselves will demand to restrict governmental spying if they lose a significant number of customers or users.
  • Blow the whistle if you are aware of governmental back-doors in products or systems, unlawful eavesdropping or even attempted blackmailing. Media companies like the German SPIEGEL have set up guidelines for informants and sometimes whistle-blowing is the only way to point out serious deficits. But prepare to run and leave your family 😉
  • Request independent audits and product certifications that prove the absence of data leaks for governmental bodies. Choose trusted auditors.
  • Continue securing your assets because as a security consultant or manager you are mainly defending the reputation of your company. The NSA would not publish that they hacked your company. But if your customer data gets published or sold by cyber criminals, you will get huge media attention and this will damage your reputation and possibly your shareholder value. Furthermore you also have to comply with laws and regulations.

Note: There are governments of other countries besides the USA that have powerful secret services and support spying on private and company data and internet traffic without providing transparency. Everyone has to decide for themselves whom they trust, and to what extent eavesdropping is acceptable and helpful to fight terrorism.

Swedish Transparency

I spent New Year’s Eve in Sweden and it is always interesting to see that Swedes are much less concerned about privacy than people in most other European countries. In particular, services like looking up the holder of a car, including type, registration date and location, by just sending an SMS with the license number to 72503, or getting detailed information about the salary history and financial standing of a person on ratsit.se for only a small fee, would not be possible or accepted in most other European countries.

This is not surprising if you have a look at a Eurobarometer report from 2011 stating that only 33% of Swedes are concerned about over-disclosure of personal information. The EU average is 72%. The revelations about the Swedish government spying on Russia to support the NSA and opposing the planned reform of the European Data Protection Regulation confirm that privacy is not a big concern in Sweden.