Encryption not sufficient to protect personal data

I could hardly believe it when I read the latest developments on the negotiations of the EU Data Protection Regulation in an article on the German heise news site. Of course it is nice to hear that there is progress at all, but the suggestion to skip noticing the authorities in case of an incident if the data has been stored encrypted is nonsense. Encryption is an important bit in the puzzle, but it does not protect against many threats. It mainly helps if the device (server) is turned off or during data transfer. It does not help against most common problems like application vulnerabilities, unpatched servers, weak authentication or insecure passwords. A device might be easily hacked even though the data is encrypted. Trusting in encryption alone is like trusting in your car’s security systems like the airbag only and not caring about traffic rules or speed limits: it won’t function.

Hopefully data protection experts do not let them influence too much by lobbyists and listen a bit more to people understanding how personal data is protected in real-life scenarios by a comprehensive approach supported by technology and processes.

IPEN workshop Berlin

berlin_state_parliament

On Friday the first workshop of the Internet Privacy Engineering Network (IPEN) took place in Berlin State Parliament with leading data protection experts like Peter Hustinx (European Data Protection Supvervisor, EDPS), Peter Schaar (EAID), and several Data Protection Authority (DPA) representatives from all over Europe. IPEN was founded by Achim Klabunde (Head of IT Policy of the EDPS) and aims to build privacy into everyday tools and bring legal people and engineers closer together. George Danezis from the University College London said he never saw so many legal experts and engineers at one table and that this is promising to push privacy in software engineering. Carlo from Lynx stated that the internet is broken and surveillance cannot be prevented as long as we have insecure protocols.

Anyway there are much more things to improve besides protocols and quick wins possible to reduce the misuse of personal data as performed by many companies nowadays. We from OWASP presented our initial version of the Top 10 Privacy Risks that provides engineers and business architects guidance and raises awareness for common privacy risks in web applications.

IPEN decided beside others to develop a privacy cookbook for engineers and one for business architects and to start a project to boost secure communication for several channels like email and sms. Further information about the event was published in a press release and on Twitter.

Top 10 Privacy Risks published

OWASP published Top 10 Privacy Risks for Web Applications:

  1. Web Application Vulnerabilities
  2. Operator-sided Data Leakage
  3. Insufficient Data Breach Response
  4. Insufficient Deletion of personal data
  5. Non-transparent Policies, Terms and Conditions
  6. Collection of data not required for the user-consented purpose
  7. Sharing of data with third party
  8. Outdated personal data
  9. Missing or Insufficient Session Expiration
  10. Insecure Data Transfer

Further details are provided on the project website.

Study on costs of NSA surveillance

New America’s Open Technology Institute published a paper on NSA’s Impact on Economy, Internet Freedom & Cybersecurity. NSA surveillance not only causes economic loss to US companies like cloud computing vendors or the defence industry because foreign companies and governments lose trust. Also US foreign policy interests are undermined and additional costs to the Internet Freedom Agenda and US Credibility in
Internet Governance are caused.

Furthermore security standards in the internet are compromised and vulnerabilities are created. This might require costly initiatives to border the internet like the proposal of the Deutsche Telekom for a Schengen Routing or the European Cloud Partnership.

Cybercrime affects Germany most

According to the study Net Losses – Estimating the Global Cost of Cybercrime published by the Center for Strategic and International Studies (CSIS) Germany loses 1.6 percent of its gross domestic product (GDP) because of cybercrime. This is more than in all other countries. Second are the Netherlands with 1.5 percent followed by Norway and USA with 0.64 percent each. One reason for Germany’s high loss numbers could be the recent efforts to collect and publish cybercrime incidents, but of course also a lack of security measures in German companies.

NSA surveillance major threat to fundamental rights

The alternative report on protection of fundamental rights published by the German committee on fundamental rights and democracy considers mass surveillance by NSA and other secret services as one of the two major threats besides the right-wing terror organization NSU (National Socialist Underground). The major threat to free democracies moves away from outside attackers to an aggressive overreaction of the internal system says one of the publishers Rolf Gössner in a German heise article. Furthermore he states that the German government and justice refuse legal or political consequences for protection so far.