Tuesday, 20 May 2014

Data Protection - Unsafe Harbours

By Jason Scott

With increasing reliance on cloud-based services and the ability for data to be resident anywhere in the world, the EU's approach to personal data protection is under threat. This post considers the history to that approach and some of the issues raised by recent revelations.

A European Perspective

With the rapid increase in electronic processing of data during the 1970s, concerns started being raised within Europe about the proliferation and potential misuse of personal information. Data on individuals was being aggregated, communicated and used for a rapidly expanding number of purposes – such as credit worthiness checks, employment and insurance background checks and a booming industry in direct marketing. For cultural reasons financial and medical information was considered to be highly personal but at the same time was among the most valuable for marketing purposes.

Consequently countries within Europe began enacting protective legislation. The details varied but there was consensus on many of the underlying principles. Individuals should be able to know what personal information was being held about them and why, be able to challenge and correct it and to prevent it from being passed on or used for other purposes without their consent.  

Concerns were not just limited to commercial organisations. Many countries in Europe have an uneasy history with the use of personal information by governments for surveillance and there were worries about the misuse of data regarding political affiliations or activities. In the United Kingdom these concerns led to the Data Protection Act of 1984 – ironically the same year as the title of George Orwell’s dystopian novel in which Big Brother exercises almost total surveillance (and thus control) of the population.  

The EU Data Protection Directive

As the practice of companies out-sourcing their data processing to third-parties became more prevalent, there was also concern about the transfer of personal data to other jurisdictions. Increasingly data was being processed in countries other than the one in which it had been collected and where it might not be subject to the same legal protection.  

In 1995 the European Union ratified the Data Protection Directive which required all member states of the European Economic Area (EEA) to incorporate a number of rules (agreed by consensus) into their own data protection laws – thus establishing a European-wide minimum level of protection. In the UK this took the form of the Data Protection Act of 1998, which came into force in 2000.

There are eight principles which underlie EU data protection. Personal data is defined as any data that can be used to identify a living individual and broadly speaking must be:
  1. fairly and lawfully processed
  2. processed for limited and well defined purposes
  3. adequate, relevant and not excessive
  4. accurate and up to date
  5. not kept for longer than is necessary
  6. processed in line with the rights of individuals
  7. stored securely
  8. not transferred to a country that has inadequate data protection controls

Number 8 in this list led to a big problem. There were many countries in the world that did not meet the EU standard for adequate data protection and one of them was the USA.

EU/US Safe Harbour agreement

The USA was and is a major trading partner for the EU and also provided many of the data processing services that EU companies wanted to use. There was no way that the USA was going to change its legislation to meet European standards, so in the grand tradition of politics a compromise was reached.

The EU and the U.S. Department of Commerce negotiated a Safe Harbour agreement (or “safe harbor” if you are on the other side of the Atlantic). This was a framework by which companies within the USA could be certified as providing sufficient data protection measures to meet EU standards, but without such measures being required by US law. It would then be legal for EU companies to pass personal data to companies in the USA that were on the Safe Harbour List.

The Safe Harbour agreement was not without its detractors. In particular there were concerns that it was a self-regulated system – albeit managed by the Federal Trade Commission (FTC) under the oversight of the U.S. Department of Commerce. There was no system of mandated compliance checks (companies could self-certify) and enforcement would be largely complaint driven. However, after much debate it was finally agreed to by the EU in 2000.

The Patriot Act

A year later the dreadful attack of 9/11 happened and just over a month after that the PATRIOT act was rushed through Congress. This anti-terrorism legislation covered many areas but one of the things it allowed was for the US government to inspect the data held by any US company or wholly owned subsidiary – regardless of the Safe Harbour agreement.

This raised a potential issue. While all European countries have laws that provide for access to personal data for state security purposes, the powers afforded by the PATRIOT act appeared to be broader and to have a lower threshold of “probable cause” than would be permitted in Europe. This meant that personal data held in a Safe Harbour company could potentially be accessed in a way that would be illegal in the EU – effectively subverting the Safe Harbour agreement.

However, despite this and its self-certification weakness, the Safe Harbour agreement seemed to work reasonably well. The FTC did indeed take enforcement action against companies or organisations that were found to break the rules, and the rapid growth in cloud-based services meant that large volumes of EU personal data were held in the US or by US based companies.

Edward Snowden & the NSA

Then in 2013 a disaffected former employee of the USA’s CIA and contractor for the National Security Agency set the cat among the pigeons. Edward Snowden’s revelations demonstrated that the NSA was carrying out systematic and wide-reaching surveillance activities on a huge scale.  While many of the NSA’s activities were clearly legal in the USA, others were questionable and in one case has since been ruled unconstitutional by a US judge.

In addition to the significant damage done to the USA’s relationship with its allies and partners, the revelations re-focused attention on the Safe Harbour agreement with concerns about the US’s regard (or lack thereof) for EU citizens’ data.

For example, among the many revelations was the fact that the NSA was secretly accessing Yahoo and Google data centres by tapping into undersea cables in order to collect information on hundreds of millions of accounts. Leaked NSA documents mention “bulk access”, “full take” and “high volume” with regard to such interceptions. This kind of dragnet approach to surveillance is highly problematic for the EU – particularly with regard to data protection.

The revelations prompted the European Commission to carry out a review of the Safe Harbour agreement and earlier this year the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) committee backed a call for its “immediate suspension”.  The EU’s Justice Commissioner, Viviane Reding, threatened to do just that if the US fails to take action to address concerns by the summer of 2014.

“The Commission has made 13 concrete recommendations... Safe Harbour has to be strengthened or it will be suspended.”

Such a suspension would have a big impact on US based cloud service providers, who have already seen a significant decline in business associated with a loss of trust following Snowden’s revelations. However, it would also have serious consequences for the many EU based companies who currently hold personal data in US companies.

Access to Data held in the EU

To make matters worse for EU companies holding data in the cloud, it has become clear that data being held by US companies physically outside of the US is not safe from the PATRIOT act (as had often been assumed). Because the act applies to all US companies or wholly owned subsidiaries it can be used to force an EU based company, such as Microsoft UK or Amazon Ireland, to hand over its data to the US authorities. 

In such cases there may be legal conflicts between US and local legislation, but statements from companies such as Microsoft and Google as well as from the Information Commissioner's Office for the UK, make it clear that EU based US wholly-owned subsidiary companies are vulnerable to the PATRIOT act.

The Safe Harbour agreement in its current form actually increases this vulnerability, since an EU based subsidiary can legally transfer data to its parent company - if that company is registered under Safe Harbour. Once the data is in the US it is entirely within the scope of the PATRIOT act.

Data held outside of the US may also be vulnerable via other means. A US judge recently ruled that Microsoft must provide emails that are held on a server in Ireland. Details of the emails were requested via a US search warrant. Ordinarily such a warrant would not be enforceable outside of the US, but the judge ruled that it should be treated in the same way as a subpoena for documents. Under US law that means it applies regardless of where the documents are held. Microsoft is challenging the ruling.


At the moment there is a lot of uncertainty about data protection and the status of personal information held in the cloud. Because the USA is home to the largest cloud storage and service providers it has been the focus of much of the debate - but many of the legal issues and concerns apply equally elsewhere. This includes countries and organisations within the EU itself, such as GCHQ in the UK and the role it has played in the NSA's surveillance activities.

What is almost certain is that there will be changes to EU legislation on data protection at some point and probably changes to the Safe Harbour agreement.  There have been calls to reduce EU dependence on non-EU cloud service providers by developing its own infrastructure and this is likely to continue. It is conceivable that some US companies could partner with companies based in the EU to avoid the "wholly owned subsidiary" aspect of the PATRIOT act. However, doing so might be viewed very negatively by their home markets in the US, so may not be tenable for many of the well-known names.

What is your view?

At MobiCloud we would be very interested to hear whether these issues are currently a concern for companies considering enterprise mobility applications. They may even be seen as an opportunity for European cloud infrastructure providers. For some companies using cloud-based solutions the issues may be almost academic. If you are already in the cloud to stay then do you have other more prosaic or pressing security concerns? Please let us know.

Thursday, 8 May 2014

Jailbreaking and BYOD

By Marcin Lukow of Appear Networks

With an increasing acceptance of BYOD (bring your own device) there is growing scope for conflict between personal freedom and corporate responsibility.

According to recent statistics, 23 million mobile devices currently in use are jailbroken and the number of users deciding to use an alternative to Apple’s App Store is constantly growing. Every release of a new Apple device brings up the topic of jailbreaking in the context of security. It is next to impossible not to at least hear about the process, but what exactly is a jailbreak?

In 2007 a group of engineers called the iPhone Dev Team, as a reaction to Apple’s hermetic software ecosystem, released a tool which made it possible to install third-party applications on the first iPhone – i.e. applications not approved by Apple and not bought via the Apple App Store.

The tool took advantage of a security flaw in the iPhone’s operating system (iPhoneOS, renamed iOS with the launch of the iPad) which allowed it to run with far greater rights than it should have been able to (a privilege escalation attack). It then used these rights to break out of a BSD jail – the system the iPhone used to stop applications gaining full control of the device. It was this that gave the name to the process. Other ecosystems use different names for doing the same thing - on Android it is called “rooting”.

Since then Apple has made a constant effort to improve the security of their operating system in order to make jailbreaking impossible. However, hackers have kept pace and new releases of iOS are quickly followed by new versions of jailbreaking tools. It took just 3 months for iOS 7 to get cracked.

For most people Apple’s App Store is a sufficient source of applications. However, some users do not like being limited by Apple’s strict policies of what software can be installed or what preferences can be changed on their mobile phones. There are unofficial applications that mimic the Android home screen, blacklist unwanted phone calls, enable tethering without carrier consent or give access to hidden settings that allow users to customize their iPhone experience far beyond Apple’s intentions.

In 2010, as part of their review of the Digital Millennium Copyright Act the U.S. Copyright Office introduced an exemption for the jailbreaking of smart phones – essentially making it legal (a corresponding EU directive was published in 1991). This provided users with an additional incentive for unlocking their devices but does legal and fun mean safe?

The probability of a user installing a malicious program from an unverified supplier is much higher than when using the official Apple App Store. A good illustration of the risk is an example of data protection. One of the file security modes on the iPhone is to protect the data until the device is unlocked using a PIN code. It would be infeasible to brute force PINs using the standard login screen because the device gets wiped after a certain number of failed attempts. However, it is possible to programmatically check all 9999 combinations by bypassing the login screen and using a private API (application programming interface). Use of this is prohibited by the Apple App Store rules.

Although there are cases where such applications have been accidentally accepted on the Apple App Store, they are quickly pulled when the concealed functionality is discovered. Users installing apps from outside of the App Store have no such protection.

Another more sophisticated, yet equally viable example is a hidden process running in the background of the device and sending sensitive data to unauthorized third parties. Preventing this might be essential in a BYOD situation where sensitive business data has to be distributed to employees. One possible solution would be to encrypt the data independently of the operating system, but with a jailbroken device it cannot be assumed that the encryption functions have not been replaced with malicious counterfeits or that the encrypted files will not be transferred to a much more powerful computer and decrypted anyway. 

The risk persists even if a jailbroken device itself does not store the data but has access to a corporate network. Using commonly available tools it is possible to turn such devices into "sniffers" to provide hackers with confidential and potentially useful information about the network infrastructure.

Unsurprisingly security is the first and most important point cited by Apple with regard to unauthorized modifications – although one might assume they are also concerned about losing App Store revenue. Jailbreaking tools have been made extremely easy to use and even casual users are just a few clicks away from breaking open their devices. After cracking it is not possible to install official updates without removing the jailbreak, which means that vulnerabilities used to break into the system remain unpatched. Some tools used to crack into the iOS also close the security holes but this is not always the case, leaving the device open to further attacks.

The question arises of whether there is something that can be done to mitigate the risk of jailbreaking in a BYOD scenario. The most obvious defence is to prevent jailbroken devices from accessing sensitive data. There are mobile device management systems (MDMs) that try to detect whether the devices they are managing have been jailbroken or rooted, but they are not 100% accurate. There are even countermeasures that can be applied to a jailbroken device to make it appear legitimate to an MDM (jailbreak jammers).
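To show why such detection is only ever heuristic, here is an added example (not code from the post or from Appear Networks) of the kind of in-app jailbreak checks an MDM or a corporate app typically runs on iOS: it looks for files a jailbreak installs, tries to write outside the app sandbox, and asks whether the Cydia URL scheme is registered. The file list and the `cydia://` URL are assumptions chosen for illustration, the `canOpenURL` check assumes `cydia` is listed under `LSApplicationQueriesSchemes` in Info.plist, and every one of these signals can be hidden by a jailbreak jammer, so the result should drive policy (deny access, alert) rather than be treated as proof.

```swift
import Foundation
import UIKit

/// Heuristic jailbreak indicators for a BYOD policy check (added example).
/// A positive result is a signal, not proof: jammers hide each of these.
struct JailbreakCheck {
    // Files and directories that typically appear only after a jailbreak has
    // installed its tooling. Constructed list for illustration; keep it current
    // in real deployments. Note: /bin/bash exists on macOS, so this check will
    // fire in the iOS Simulator and must only be relied on on a real device.
    static let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/bin/bash",
        "/usr/sbin/sshd",
        "/etc/apt",
        "/private/var/lib/apt/",
    ]

    static func hasSuspiciousFiles() -> Bool {
        let fm = FileManager.default
        return suspiciousPaths.contains { fm.fileExists(atPath: $0) }
    }

    /// A sandboxed app must not be able to write outside its own container;
    /// succeeding here means the sandbox (the "jail") is no longer enforced.
    static func canEscapeSandbox() -> Bool {
        let probe = "/private/jb_probe_\(UUID().uuidString)"
        do {
            try "probe".write(toFile: probe, atomically: true, encoding: .utf8)
            try? FileManager.default.removeItem(atPath: probe)
            return true
        } catch {
            return false
        }
    }

    /// Cydia registers the cydia:// URL scheme; the package id is a placeholder.
    static func canOpenCydia() -> Bool {
        guard let url = URL(string: "cydia://package/com.example.placeholder") else { return false }
        return UIApplication.shared.canOpenURL(url)
    }

    /// Returns the list of indicators that fired, so the caller can log them
    /// and decide (per policy) whether to withhold corporate data.
    static func indicators() -> [String] {
        var hits: [String] = []
        if hasSuspiciousFiles() { hits.append("jailbreak files present") }
        if canEscapeSandbox() { hits.append("write outside sandbox succeeded") }
        if canOpenCydia() { hits.append("cydia:// scheme available") }
        return hits
    }
}
```

A caller would run `JailbreakCheck.indicators()` before releasing sensitive data and treat a non-empty result as grounds to deny access and report the device to the MDM.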

A more effective approach, as with many security issues, is to address user behaviour directly. Jailbreaking can be discouraged by raising security awareness among users and pointing out that the risks significantly outweigh the benefits – especially since many of the desired Apps or changes find their way into an official version sooner or later.  It is also important, if possible, to keep up to date with the new versions of the operating systems and install them as soon as they get released. It does not render the devices jailbreak-proof and it can sometimes introduce minor problems, but it definitely makes it more difficult for hackers.