Privacy assurances mustn’t result in data value losses

 In my book Privacy 3.0, I had suggested that we were entering the third age of privacy—a period in which increasingly stringent privacy regulations could, if we are not careful, deprive us of some benefits that data has to offer. Since the time of its publication, a number of countries seem to have come to similar conclusions, recognizing that unless they can come up with a better solution for protecting personal privacy, they will never be able to unlock the value inherent in personal data

The EU, whose General Data Protection Regulation (GDPR) is widely recognized as today’s gold standard for privacy regulation, has tacitly acknowledged the need for extra-legal solutions that data subjects can use to better control their data. The European Data Strategy, adopted in February 2020, states that individuals should be given tools so they can take control of their data and decide, at a granular level, what is to be done with it. This strategy is going to be implemented through the enactment of the EU Data Governance Act, which will establish “common data spaces" that will, through a combination of technical infrastructure and governance rules, make data more widely available for use in society while ensuring that entities which generate it remain in effective control of it.

Australia, for its part, has launched its Consumer Data Rights (CDR) initiative, aimed at ensuring that citizens have greater access to their own data, allowing them to obtain this data in a usable form so that they can direct it to be securely transferred to trusted third parties. The first implementation of the CDR has been in the country’s banking sector, where granular data transfers between participant banks has been made possible through a centrally-defined protocol. Similarly, India’s implementation of the Data Empowerment and Protection Architecture (DEPA) in the financial sector (with the launch of the Account Aggregator framework), offers tools through which users can more effectively manage the flow of their personal financial data.

While there are clearly a number of different normative technologies being developed to augment existing data protection regulations, they all fall into two broad categories. The first provides data subjects with tools they can use to manage personal data, right from the moment it is created, thus allowing them to determine how it is subsequently shared to the point of even controlling how insights generated from this data are used. Examples of this approach include the Solid project (promoted by Sir Tim Berners-Lee) and the MyData model of human-centric design. Both these sets of tools operate on data from before it is collected, granting individuals full control over the data’s entire life-cycle and giving them tools with which to manage its creation, storage and use as well as to control its flow between different data controllers. However, in order for these tools to proliferate, they need to be widely adopted by a large enough number of users that would convince data controllers of the necessity of implementing these protocols in their offerings.

Tools in the second category are designed to unlock personal data already under the control of data controllers operating in different sectors of the economy, so that the data they control can be securely transferred to others with the consent of users. Australia’s CDR and India’s DEPA frameworks are examples of this, offering users technology frameworks through which data sharing has been implemented in the financial services sector to start with. While there are several differences between the Indian and Australian frameworks, broadly speaking, tools in this category operate on data silos, unlocking data that has already been collected by making it easy to transfer it to other entities with the required consent. For this approach to have a substantial impact, these frameworks need to be adopted by institutions that control data. This might seem daunting, except that when that happens, the benefits of safe and convenient data sharing would be unlocked for all customers of participant entities.

On the face of it, these two approaches may seem contradictory, given how they focus on opposite ends of the spectrum. However, a closer examination suggests that they are not mutually incompatible. With so much data already stored in silos that are effectively beyond the ability of individuals to control, we need to implement a DEPA-like approach to unlock that data for the benefit of the consumer. Absent such an intervention, users will be unable to utilize their data that has already been aggregated in sectors such as finance and health. At the same time, tools like Solid are necessary to implement personal data stores in which newly created data can be managed so that the information contained within them can be more effectively used without detrimentally affecting personal privacy.

No technology can, of itself, deliver the data-driven future I had written about in my book. As promising as these tools are, they need to derive their legitimacy from privacy principles embedded in the law. At the same time, laws alone are incapable of delivering the level of data governance required in a world increasingly dependent on data. They need to be augmented by technology solutions that are compatible with the statutory framework.

We need models that combine normative technologies with smart regulations. Thankfully, we have more than just a few options to choose from.

Rahul Matthan is a partner at Trilegal and also has a podcast by the name Ex Machina

Source: Mintepaper, 15/12/21

Bridge the gender gap

 

The under-representation of women in cybersecurity must be addressed at the earliest

In an era when everyone is online, the likelihood of cyber-attacks has increased significantly, as has the need for professionals in the domain. While the demand for trained people rises, there is also the need to bridge the gender gap in cybersecurity. Estimates show that women account for just 24% of the workforce. Apart from the notion that men are better at handling technical subjects, there is also the risk of discrimination and, most important, the lack of support for women who want to study in these technical fields.

Enterprises dealing with cybersecurity must understand the need for gender diversity and how women can contribute to this field. The first step would be to shed the image of “male hacker only” industry. This is a deep-rooted notion emphasised by web series such as Mr. Robot, Silicon Valley, Who Am I, among others. What’s more, job advertisements for cybersecurity positions are mostly focused on recruiting and showcasing the role as being more suitable for men.

Lack of awareness

The image of cybersecurity positions being focused on hacking and handling data breaches can be attributed to pop culture and media. However, cybersecurity involves a lot more with roles like security analyst, security engineer, security architect, security administrator, security developer, security consultant, cryptanalyst, security officer, virus technician, detection specialist being some that are important.

The under-representation of women gives rise to an uneven, and at times unfair, playing field. This consequently results in women getting isolated, requiring to overdo, compromising their physical security and so on. It would not be wrong to say that bridging gender gap will being enhanced creativity and innovative defences or solutions to field of cybersecurity.

Alka Kapur

Source: The Hindu, 10/11/21

The new avatar of the encryption wars

 The specific implementation of encryption technology that has worried governments the world over is the Signal protocol (E2EE), which guarantees that even intermediaries who provide these services will not be able to decrypt these messages in transit

The government has proposed a new bill to regulate mathematics. The bill envisages that certain mathematical operations such as multiplication, division, LCM and GCD would be banned, if they are prime numbers and have more than 309 digits and a licensing regime, which would only allow licensed entities to perform these operations.If the above reads like a parody, it may soon cease to be and become reality.

An Australian Prime Minister, Malcolm Turnbull declared in 2017 that, “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia”.

In a joint communique issued on October 11, 2020, the Five Eye nations (United States, United Kingdom, Australia, New Zealand, Canada), along with Japan and India, stated, “Particular implementations of encryption technology... pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children” and called upon technology companies to enable “law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight”.

The specific implementation of encryption technology that has worried governments the world over is the Signal protocol (E2EE), which guarantees that even intermediaries who provide these services will not be able to decrypt these messages in transit. It also guarantees plausible deniability, where if someone receives an encrypted message from you, they can be absolutely sure you sent it (rather than having been forged by some third party), but can’t prove to anyone else that it was a message you wrote.

A variation of their anxieties played out in India, in the “WhatsApp traceability debate”, where the government pushed for traceability (Tell me who the sender is), but also said that it does not want to break end-to-end encryption, an impossible request, as sender deniability is at the heart of the end-to-end encryption. When repeatedly rebuffed by WhatsApp, an attempt was made to resolve the matter through the judicial system to compel the intermediaries (WhatsApp) to stop deploying messaging systems that use E2EE.

Given this background, the use of children in the statement to build a case for banning E2EE is interesting because it uses a propaganda technique called Pedophrasty, where children are invoked to prop up an argument, and make the opponents against the argument look like unprincipled savages and make everyone else suspend all rational and critical thinking, and agree to the argument.

But we must not agree to this dangerous set of proposals, as they are a continuum to the encryption wars, which started in the 1970s, where Western governments tried to limit use of encryption technologies by using export controls and ultimately failed.

In the 1990s, the National Security Agency in the US proposed the use of “Clipper Chip” in every phone, which implemented encryption but gave backdoor access to the US government. After Matt Blaze showed how rogue applications can use the chip to access data without the government backdoor, this attempt was abandoned.

In 2010, Google published a blog post, detailing how Chinese state backed hackers, attacked Gmail to spy on Chinese human rights advocates via a backdoor, installed by Google at the behest of the US government in Gmail to comply with search warrants on users. When Ericsson put backdoors into Vodafone products and deployed these in Greece for aiding law enforcement, these backdoors were used to spy on the Greek prime minister, by unknown perpetrators, who were never found.

All these incidents point out two fundamental realities. The first one is that backdoors are always dual-use and can be used by anyone and, hence, they don’t keep anyone safe. The second is that E2EE is safe and easy enough for anyone to use and hence has achieved mainstream adoption. This has made the usual approach preferred by law enforcement agencies of coercing intermediaries to put backdoors irrelevant and obsolete.

Outlawing E2EE deployment and forcing intermediaries to comply with these proposed rules or leave the country by threatening to shut down their business operations, hence, may become the preferred policy response. But these rules, even if they become the law everywhere, are doomed to fail, in the same way, the discovery of irrational numbers (square root of 2) could not be suppressed by drowning its inventor Hippasus, in the sea, as it takes only a rented computer at ₹700 a month to run a back-end service implementing E2EE.

If existing intermediaries are forced to abandon it, others like EncroChat (popular among drug cartels) will step in and fill the void. The busting of EncroChat, when law enforcement agencies successfully penetrated the drug cartels by putting a “tool” in its servers, also indicates that it is possible to work around E2EE in some cases, using offensive technical measures by compromising endpoints. It would also be a far more proportionate measure than attempting to ban mathematical equations.Anand Venkatanarayanan researches disinformation, cyber weapons and data security and is a privacy advocate

By Anand Venkatanarayanan

Source: Hindustan Times, 4/02/21