A time of visitation for Europe
In December 2015 the EU institutions agreed on a new regulation on the protection of personal data (GDPR), which was formally adopted in spring 2016 and will apply from May 2018. European companies have roughly two years to change their operating practices if Europe is to become a safe haven of data protection. Europe needs services that ensure that personal data and privacy are not exposed to snooping by third parties. This requires good legislation and certified data security services.
Illustration by: Simo Koivunen
Presently, Internet users are constantly under threat from criminals, governments and businesses. Information security crimes are encountered daily. Criminals use targeted attacks against organizations, and traditional data security solutions are insufficient to protect against them. Individuals are constantly targeted by scams, and recognizing those scams becomes more and more difficult.
Besides criminals, governments and businesses also collect personal data. Isolated, seemingly random events can get a person flagged and even sent to be tortured for things they did not do. This happened to the Canadian Maher Arar, who also holds Syrian citizenship. In 2002, he was returning to Canada from Tunisia and changing planes in New York. American officials suspected Arar of being a member of al-Qaeda, detained him and sent him to Syria, where he was imprisoned for about a year and tortured.
According to a 2015 Eurobarometer survey, a third of consumers believe that they have no control over the data they submit on the web, and only half believe they have at least partial control. Regaining consumers’ trust requires European IT service providers to make pledges about privacy, safety and data security. Consumers and businesses must demand it and be ready to bear their own share of the responsibility. One must be able to take care of one’s data security the same way one takes care of an apartment: residents choose their own locks, windows are kept closed when the house is empty, and when choosing an apartment, buyers check that the latches on the windows are adequate.
The new Privacy Shield framework will not prevent mass snooping
On October 6, 2015 the Court of Justice of the EU declared the Safe Harbor agreement between the EU and the United States invalid. Safe Harbor was supposed to guarantee the privacy of personal data transferred to the US. The ruling grew out of a complaint filed by a single individual. In 2011, the Austrian Max Schrems, upset about Facebook’s data collection, asked Facebook to list all the data it had collected about him. Facebook sent him a PDF document more than 1,200 pages long that included data Schrems believed he had already deleted.
Schrems asked the Irish data protection authority to review how the data had been transferred from Facebook’s servers in Ireland to the United States. From Ireland, the matter was referred to the Court of Justice of the EU. According to the Court, the agreement did not sufficiently protect the privacy of EU citizens: United States authorities have broad access to Europeans’ data, and EU citizens lack adequate means to access their own personal data or to demand its correction or deletion. On February 2, 2016, the European Commission announced that it had “reached an understanding about a new framework for trans-Atlantic data transfers” with the United States. The new so-called Privacy Shield framework sets stricter obligations on companies operating in the US to protect Europeans’ personal data. The United States also pledges that clear conditions and restrictions will be imposed on the ability of authorities to access personal data, and that this access will be monitored. Privacy Shield is dividing opinion: some say it still does not guarantee privacy, others think the mechanisms for improvement are there.
The problem is not that authorities want to investigate an individual crime, which they have the right to do. In building the means to do so, however, they also create opportunities for themselves and everyone else to snoop on anybody at any time. There is no guarantee that the security loopholes created by the NSA are not already being used by other governments. By building itself capabilities for mass snooping, the NSA is also paving the road for criminals and other governments.
The problem is mass snooping. Data is collected everywhere and about everyone. Mass snooping also causes false alarms: the more data is collected, the higher the demands on the quality of the processing system, or else authorities will spend their time analyzing thousands of innocent people instead of real criminals. US constitutional privacy protections do not extend to Europeans, which is why Privacy Shield as the successor to Safe Harbor, together with new European legislation, is extremely important for Europeans.
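The false-alarm problem follows from the base rate, which can be illustrated with a short calculation added here (the figures are assumptions for illustration, not numbers from the article). Suppose 100 genuine suspects among 100 million people, so the prior is $10^{-6}$, and suppose the screening system flags a genuine suspect 99% of the time and an innocent person only 0.1% of the time. By Bayes’ rule the share of flagged people who are genuine suspects is

$$
P(\text{suspect} \mid \text{flagged}) = \frac{0.99 \cdot 10^{-6}}{0.99 \cdot 10^{-6} + 0.001 \cdot (1 - 10^{-6})} \approx 10^{-3}.
$$

That is, roughly 99 real suspects are flagged alongside about 100,000 innocent people, a thousand false alarms for every true one. Only a system with a false-positive rate far below the prevalence of what it is looking for avoids this, which is why collecting more data raises rather than lowers the quality bar on the processing.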
GDPR: the new data protection regulation
The General Data Protection Regulation (GDPR), agreed at EU level in December 2015 and applying from May 2018, aims to return control over personal data to the persons themselves and to impose significant sanctions on controllers and processors who fail to protect it: fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is higher. For the purposes of the regulation, personal data includes not only name, address and credit card number, but also online identifiers such as IP addresses, location data and cookie identifiers.
When the regulation applies, consumers have a right to know whether data about them is being processed and a right to access that data. They also have rights to have their data corrected and transferred to another provider (data portability), to object to processing, and to have processing restricted or their data erased. Probably the biggest practical problem with the GDPR is that it requires every company processing personal data to build up this expertise within two years. Time will tell how well the data protection officers of different companies, where they exist, understand the risks and threats related to data management. Companies will need strong support in applying and adopting the law.
The Internet of Things brings new threats
Monitoring enforcement of the regulation is difficult as technology constantly develops. The Internet of Things is creating a world where nearly all home appliances and systems are connected to the Internet. At its simplest, the Internet of Things is a digital view of the real world, where data from devices and objects is transmitted over wireless networks to software that processes it. The data is usually processed on a cloud platform outside the home or office, from which it may even be used to control the home. The research company Gartner estimates that by 2020 there will be as many as 25 billion devices connected to the Internet. New technologies create new ways of making people’s lives easier, but they also change the nature of threats: system developers, for example, must now look after the physical safety of people and property better than before.
The Internet of Things brings an entirely new kind of threat to the security of cloud services. Criminals and spies can affect the lives of ordinary people: they can take control of home automation from the outside and turn off heating systems or refrigerators. In Britain, it was discovered that a gas company’s remotely accessible meters could be manipulated. Car brakes have been disabled remotely, and there is a web site showing live feeds from hacked home surveillance cameras, exposing people’s homes and lives. Besides their privacy and data security, people now have to look after their personal safety in ways they may not have thought about before.
Security must be built into everything – the Internet of Things, cloud services and all smart devices we carry with us. The use of encryption, malware protection and monitoring of cloud services will hopefully become more common as people’s awareness increases. There must be new secure, European services for storing personal data that can be managed by the users.
Better trust through European collaboration
Data security in cloud services has developed strongly over the last few years. Major players have invested in service and product development, which has improved reliability, and there are diverse certification mechanisms for verifying that cloud technology is implemented correctly. In 2015, the Trusted Cloud program of EIT Digital, the European Institute of Innovation and Technology’s community focusing on future information and communication technologies, conducted a survey with 3,000 respondents from six countries. The results show that decision-makers, companies and researchers must invest in trust in cloud services. IT services must also be developed in Europe, instead of Europeans merely consuming them passively and making themselves vulnerable to ever expanding threats.
One of EIT Digital’s top projects is to restore European consumers’ trust in secure cloud services. The aim is to create a Trusted Cloud ecosystem whose member companies and organizations guarantee that the data of people using their services remains under the users’ control. Ecosystems like Trusted Cloud can offer secure European cloud service solutions. In an uncertain world, they form a basis for operating practices and technologies that help guarantee an information-secure operating environment, and they may help companies that find it challenging to win their customers’ trust. The new General Data Protection Regulation (GDPR) poses a significant challenge of this kind for European companies, but may also open up opportunities for more trusted services and solutions.
Janne Järvinen is the director of EIT Digital’s Future Cloud Action Line and the director responsible for F-Secure’s external research collaboration.
Markku Kutvonen is the leader of EIT Digital’s Trusted Cloud program and the director responsible for F-Secure’s external collaboration.
Security attacks in the world at a specific moment.
Password quality does make a difference, and each important account must have its own password. Special attention must be paid to the e-mail account that is used to reset the passwords of other accounts. Two-factor authentication is an effective way of preventing the takeover of e-mail or social media accounts. The privacy settings of services should be checked carefully, as it is not necessarily in the service provider’s interest to default to the strictest settings. Most mobile devices support encryption and even remote wiping of data if the device falls into the wrong hands.
The original article was published by Le Monde Diplomatique, Finnish edition.