Tuesday, 20 May 2014

Data Protection - Unsafe Harbours

By Jason Scott

With increasing reliance on cloud-based services and the ability for data to be resident anywhere in the world, the EU's approach to personal data protection is under threat. This post considers the history of that approach and some of the issues raised by recent revelations.



A European Perspective

With the rapid increase in electronic processing of data during the 1970s, concerns started being raised within Europe about the proliferation and potential misuse of personal information. Data on individuals was being aggregated, communicated and used for a rapidly expanding number of purposes – such as credit worthiness checks, employment and insurance background checks and a booming industry in direct marketing. For cultural reasons financial and medical information was considered to be highly personal but at the same time was among the most valuable for marketing purposes.

Consequently countries within Europe began enacting protective legislation. The details varied but there was consensus on many of the underlying principles. Individuals should be able to know what personal information was being held about them and why, be able to challenge and correct it and to prevent it from being passed on or used for other purposes without their consent.  

Concerns were not just limited to commercial organisations. Many countries in Europe have an uneasy history with the use of personal information by governments for surveillance and there were worries about the misuse of data regarding political affiliations or activities. In the United Kingdom these concerns led to the Data Protection Act of 1984 – ironically the same year as the title of George Orwell’s dystopian novel in which Big Brother exercises almost total surveillance (and thus control) of the population.  

The EU Data Protection Directive

As the practice of companies out-sourcing their data processing to third-parties became more prevalent, there was also concern about the transfer of personal data to other jurisdictions. Increasingly data was being processed in countries other than the one in which it had been collected and where it might not be subject to the same legal protection.  

In 1995 the European Union ratified the Data Protection Directive which required all member states of the European Economic Area (EEA) to incorporate a number of rules (agreed by consensus) into their own data protection laws – thus establishing a European-wide minimum level of protection. In the UK this took the form of the Data Protection Act of 1998, which came into force in 2000.

There are eight principles which underlie EU data protection. Personal data is defined as any data that can be used to identify a living individual and broadly speaking must be:
  1. fairly and lawfully processed
  2. processed for limited and well defined purposes
  3. adequate, relevant and not excessive
  4. accurate and up to date
  5. not kept for longer than is necessary
  6. processed in line with the rights of individuals
  7. stored securely
  8. not transferred to a country that has inadequate data protection controls
Number 8 in this list led to a big problem. There were many countries in the world that did not meet the EU standard for adequate data protection and one of them was the USA.

EU/US Safe Harbour agreement

The USA was and is a major trading partner for the EU and also provided many of the data processing services that EU companies wanted to use. There was no way that the USA was going to change its legislation to meet European standards, so in the grand tradition of politics a compromise was reached.

The EU and the U.S. Department of Commerce negotiated a Safe Harbour agreement (or “safe harbor” if you are on the other side of the Atlantic). This was a framework by which companies within the USA could be certified as providing sufficient data protection measures to meet EU standards, but without such measures being required by US law. It would then be legal for EU companies to pass personal data to companies in the USA that were on the Safe Harbour List.

The Safe Harbour agreement was not without its detractors. In particular there were concerns that it was a self-regulated system – albeit managed by the Federal Trade Commission (FTC) under the oversight of the U.S. Department of Commerce. There was no system of mandated compliance checks (companies could self-certify) and enforcement would be largely complaint driven. However, after much debate it was finally agreed to by the EU in 2000.

The Patriot Act

A year later the dreadful attack of 9/11 happened and just over a month after that the PATRIOT act was rushed through Congress. This anti-terrorism legislation covered many areas but one of the things it allowed was for the US government to inspect the data held by any US company or wholly owned subsidiary – regardless of the Safe Harbour agreement.


This raised a potential issue. While all European countries have laws that provide for access to personal data for state security purposes, the powers afforded by the PATRIOT act appeared to be broader and to have a lower threshold of “probable cause” than would be permitted in Europe. This meant that personal data held in a Safe Harbour company could potentially be accessed in a way that would be illegal in the EU – effectively subverting the Safe Harbour agreement.
   
However, despite this and its self-certification weakness, the Safe Harbour agreement seemed to work reasonably well. The FTC did indeed take enforcement action against companies or organisations that were found to break the rules and the rapid growth in cloud-based services meant that large volumes of EU personal data were held in the US or by US based companies.

Edward Snowden & the NSA

Then in 2013 a disaffected former employee of the USA’s CIA and contractor for the National Security Agency set the cat among the pigeons. Edward Snowden’s revelations demonstrated that the NSA was carrying out systematic and wide-reaching surveillance activities on a huge scale. While many of the NSA’s activities were clearly legal in the USA, others were questionable and one has since been ruled unconstitutional by a US judge.

In addition to the significant damage done to the USA’s relationship with its allies and partners, the revelations re-focused attention on the Safe Harbour agreement with concerns about the US’s regard (or lack thereof) for EU citizens’ data.


For example, among the many revelations was the fact that the NSA was secretly accessing Yahoo and Google data centres by tapping into undersea cables in order to collect information on hundreds of millions of accounts. Leaked NSA documents mention “bulk access”, “full take” and “high volume” with regard to such interceptions. This kind of dragnet approach to surveillance is highly problematic for the EU – particularly with regard to data protection.

The revelations prompted the European Commission to carry out a review of the Safe Harbour agreement and earlier this year the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) committee backed a call for its “immediate suspension”.  The EU’s Justice Commissioner, Viviane Reding, threatened to do just that if the US fails to take action to address concerns by the summer of 2014.
“The Commission has made 13 concrete recommendations... Safe Harbour has to be strengthened or it will be suspended.”
Such a suspension would have a big impact on US based cloud service providers, who have already seen a significant decline in business associated with a loss of trust following Snowden’s revelations. However, it would also have serious consequences for the many EU based companies who currently hold personal data in US companies.

Access to Data held in the EU

To make matters worse for EU companies holding data in the cloud, it has become clear that data being held by US companies physically outside of the US is not safe from the PATRIOT act (as had often been assumed). Because the act applies to all US companies or wholly owned subsidiaries it can be used to force an EU based company, such as Microsoft UK or Amazon Ireland, to hand over its data to the US authorities. 

In such cases there may be legal conflicts between US and local legislation, but statements from companies such as Microsoft and Google as well as from the Information Commissioner's Office for the UK, make it clear that EU based US wholly-owned subsidiary companies are vulnerable to the PATRIOT act.

The Safe Harbour agreement in its current form actually increases this vulnerability, since an EU based subsidiary can legally transfer data to its parent company - if that company is registered under Safe Harbour. Once the data is in the US it is entirely within the scope of the PATRIOT act.


Data held outside of the US may also be vulnerable via other means. A US judge recently ruled that Microsoft must provide emails that are held on a server in Ireland. Details of the emails were requested via a US search warrant. Ordinarily such a warrant would not be enforceable outside of the US, but the judge ruled that it should be treated in the same way as a subpoena for documents. Under US law that means it applies regardless of where the documents are held. Microsoft is challenging the ruling.

Consequences

At the moment there is a lot of uncertainty about data protection and the status of personal information held in the cloud. Because the USA is home to the largest cloud storage and service providers it has been the focus of much of the debate - but many of the legal issues and concerns apply equally elsewhere. This includes countries and organisations within the EU itself, such as GCHQ in the UK and the role it has played in the NSA's surveillance activities.

What is almost certain is that there will be changes to EU legislation on data protection at some point and probably changes to the Safe Harbour agreement.  There have been calls to reduce EU dependence on non-EU cloud service providers by developing its own infrastructure and this is likely to continue. It is conceivable that some US companies could partner with companies based in the EU to avoid the "wholly owned subsidiary" aspect of the PATRIOT act. However, doing so might be viewed very negatively by their home markets in the US, so may not be tenable for many of the well-known names.

What is your view?

At MobiCloud we would be very interested to hear whether these issues are currently a concern for companies considering enterprise mobility applications. They may even be seen as an opportunity for European cloud infrastructure providers. For some companies using cloud-based solutions the issues may be almost academic. If you are already in the cloud to stay then do you have other more prosaic or pressing security concerns? Please let us know.





Thursday, 8 May 2014

Jailbreaking and BYOD

By Marcin Lukow of Appear Networks


With an increasing acceptance of BYOD (bring your own device) there is growing scope for conflict between personal freedom and corporate responsibility.


According to recent statistics, 23 million mobile devices currently in use are jailbroken and the number of users deciding to use an alternative to Apple’s App Store is constantly growing. Every release of a new Apple device brings up the topic of jailbreaking in the context of security. It is next to impossible not to at least hear about the process, but what exactly is a jailbreak?

In 2007 a group of engineers called the iPhone Dev Team, as a reaction to Apple’s hermetic software ecosystem, released a tool which made it possible to install third-party applications on the first iPhone – i.e. applications not approved by Apple and not bought via the Apple App Store.

The tool took advantage of a security flaw in the iPhone’s operating system (iPhoneOS, renamed iOS with the launch of the iPad) which allowed it to run with far greater rights than it should have been able to (a privilege escalation attack). It then used these rights to break out of a BSD jail – the system the iPhone used to stop applications gaining full control of the device. It was this that gave the name to the process. Other ecosystems use different names for doing the same thing - on Android it is called “rooting”.

Since then Apple has made a constant effort to improve the security of their operating system in order to make jailbreaking impossible. However, hackers have kept pace and new releases of iOS are quickly followed by new versions of jailbreaking tools. It took just 3 months for iOS 7 to get cracked.


For most people Apple’s App Store is a sufficient source of applications. However, some users do not like being limited by Apple’s strict policies of what software can be installed or what preferences can be changed on their mobile phones. There are unofficial applications that mimic the Android home screen, blacklist unwanted phone calls, enable tethering without carrier consent or give access to hidden settings that allow users to customize their iPhone experience far beyond Apple’s intentions.

In 2010, as part of their review of the Digital Millennium Copyright Act the U.S. Copyright Office introduced an exemption for the jailbreaking of smart phones – essentially making it legal (a corresponding EU directive was published in 1991). This provided users with an additional incentive for unlocking their devices but does legal and fun mean safe?

The probability of a user installing a malicious program from an unverified supplier is much higher than when using the official Apple App Store. A good illustration of the risk is an example of data protection. One of the file security modes on the iPhone is to protect the data until the device is unlocked using a PIN code. It would be unfeasible to brute force PINs using the standard login screen because the device gets wiped after a certain number of failed attempts. However, it is possible to programmatically check all 9999 combinations by bypassing the login screen and using a private API (application programming interface). Use of this is prohibited by the Apple App Store rules. 

Although there are cases where such applications have been accidentally accepted on the Apple App Store, they are quickly pulled when the concealed functionality is discovered. Users installing apps from outside of the App Store have no such protection.

Another more sophisticated, yet equally viable example is a hidden process running in the background of the device and sending sensitive data to unauthorized third parties. Preventing this might be essential in a BYOD situation where sensitive business data has to be distributed to employees. One possible solution would be to encrypt the data independently of the operating system, but with a jailbroken device it cannot be assumed that the encryption functions have not been replaced with malicious counterfeits or that the encrypted files will not be transferred to a much more powerful computer and decrypted anyway. 

The risk persists even if a jailbroken device itself does not store the data but has access to a corporate network. Using commonly available tools it is possible to turn such devices into "sniffers" to provide hackers with confidential and potentially useful information about the network infrastructure.


Unsurprisingly security is the first and most important point cited by Apple with regard to unauthorized modifications – although one might assume they are also concerned about losing App Store revenue. Jailbreaking tools have been made extremely easy to use and even casual users are just a few clicks away from breaking open their devices. After cracking it is not possible to install official updates without removing the jailbreak, which means that vulnerabilities used to break into the system remain unpatched. Some tools used to crack into the iOS also close the security holes but this is not always the case, leaving the device open to further attacks.

The question arises of whether there is something that can be done to mitigate the risk of jailbreaking in a BYOD scenario. The most obvious defence is to prevent jailbroken devices from accessing sensitive data. There are mobile device management systems (MDMs) that try to detect whether the devices they are managing have been jailbroken or rooted, but they are not 100% accurate. There are even countermeasures that can be applied to a jailbroken device to make it appear legitimate to an MDM (jailbreak jammers).


A more effective approach, as with many security issues, is to address user behaviour directly. Jailbreaking can be discouraged by raising security awareness among users and pointing out that the risks significantly outweigh the benefits – especially since many of the desired Apps or changes find their way into an official version sooner or later.  It is also important, if possible, to keep up to date with the new versions of the operating systems and install them as soon as they get released. It does not render the devices jailbreak-proof and it can sometimes introduce minor problems, but it definitely makes it more difficult for hackers.
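
The access decision described above (keep jailbroken devices away from sensitive data, allow for imperfect MDM detection, require a current OS) sketched as an added example; it is not code from the original post or from any MDM product. The report fields, thresholds and device names are hypothetical, and the sample reports are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed policy values, chosen for illustration only.
MIN_OS_VERSION = (7, 1)        # oldest OS release still allowed
MAX_REPORT_AGE_HOURS = 24.0    # older posture reports are treated as stale


@dataclass
class PostureReport:
    """Hypothetical posture report sent by a device agent to the gateway."""
    device_id: str
    os_version: Optional[str]            # e.g. "7.1.1"; None if not reported
    jailbreak_detected: Optional[bool]   # agent's own verdict; None = unknown
    second_signal_clean: Optional[bool]  # independent check; None = unknown
    report_age_hours: Optional[float]    # time since the report was produced


def parse_version(text: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Turn '7.1.1' into (7, 1, 1); return None for missing or malformed input."""
    if not text:
        return None
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def evaluate(report: PostureReport) -> Tuple[bool, List[str]]:
    """Fail closed: every signal must be present, fresh and clean to allow access.

    A 'not jailbroken' verdict from the agent alone is not trusted, because the
    agent runs on the device it is judging and can be made to report clean.
    """
    reasons: List[str] = []

    age = report.report_age_hours
    if age is None or age > MAX_REPORT_AGE_HOURS:
        reasons.append("posture report missing or stale")

    if report.jailbreak_detected is True:
        reasons.append("jailbreak detected")
    elif report.jailbreak_detected is None:
        reasons.append("jailbreak status unknown")

    if report.second_signal_clean is not True:
        reasons.append("second integrity signal not confirmed")

    version = parse_version(report.os_version)
    if version is None:
        reasons.append("OS version missing or unparsable")
    elif version < MIN_OS_VERSION:
        reasons.append("OS version below minimum")

    return (not reasons, reasons)


# Constructed sample reports covering the cases the text raises.
SAMPLE_REPORTS = [
    PostureReport("dev-ok", "7.1.1", False, True, 2.0),
    PostureReport("dev-jb", "7.0.4", True, False, 1.0),
    PostureReport("dev-masked", "7.1", False, False, 3.0),   # agent says clean
    PostureReport("dev-silent", None, None, None, None),     # nothing reported
    PostureReport("dev-stale", "7.1.2", False, True, 72.0),
]


def run_samples():
    """Evaluate every constructed report and return {device_id: decision}."""
    return {r.device_id: evaluate(r) for r in SAMPLE_REPORTS}


if __name__ == "__main__":
    for device_id, (allowed, reasons) in run_samples().items():
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{device_id:11s} {verdict:5s} {'; '.join(reasons)}")
```
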




Tuesday, 29 April 2014

The Mobilization Hierarchy of Needs

By Martin Wilson of Appear Networks

Abraham Maslow first proposed his theory of human motivation  more than 70 years ago and it is still a popular meme used by colleges and business management today. The original theory proposes 5 levels of human fulfilment that start with basic physiological needs (eating, breathing), progress through social status (friends, respect) and end with self-actualisation (creativity, talent). It is usually depicted as a pyramid with the most basic need at the base. More broadly in business Maslow “re-mixes” are used in many different ways – for example to talk about how work environments can meet the needs of employees or how products can meet the needs of customers.


When faced with implementing a mobile project we can utilise the same approach and consider a Mobilization Hierarchy of Needs. This is a useful exercise whether you are an independent software vendor (ISV) or an organisation looking to develop (or have someone develop for you) a mobile application to add to your armoury. The Mobilization Hierarchy of Needs starts with cost and rises through timing, risk, quality and innovation.

1. COST – The need to limit costs

Most software companies or IT departments will have a budget that is already sized according to existing needs. Extending that budget to include development of a mobile application may be a challenge. Then there are the make or buy questions – whether to buy-in expertise or components of software or implement in-house. This is a delicate balance. Mobilization will take resources away from core business. Which mobile devices will be supported? Developing for multiple platforms can get expensive and then maintaining the resulting apps as those different mobile platforms evolve is even more expensive.

2. RAPID – The need to shorten time to market

A big new challenge to existing established ISVs comes from the “Mobile First” competitors. These companies have sprung seemingly from nowhere in the past 2-3 years with “mobile” as their focus. Everything they do is around ensuring the mobile experience for their customers is perfect. Users are being seduced by the simple experience of using mobile devices to meet their business needs and if you are an ISV you are probably already being asked when your “mobile app” will be ready. The quicker your mobile app can be delivered the shorter the time to profitability and the greater the chances are that the future of your business is secured.

3. RISK – The need to minimize the risk of failure

Taking on a mobile project involves some risks. Is your team equipped with the right skills? They can learn, but the experience of learning will have a cost which may not be forecast in your project. Will the mobile applications you deliver meet the expectations of your customers? What about the different mobile operating systems? Will your application be cross-platform and work on all the different operating systems? Which platform to choose first? How can you avoid some of the most common mistakes? Mitigating project risks is an important way of increasing the odds of a successful investment in mobile.

4. PRO – The need to deliver a professional solution

In order for your application not to disappoint it will need to meet professional standards – including your customer security requirements, users’ usability expectations, availability and reliability considerations. If this need is not met there is the risk that your established software business could be impacted by the poor reception given by your new mobile user base.

5. “I” – The need for innovation

Ensuring your existing products extend to the mobile realm is an effective way to keep your new “mobile first” competition at bay – they will be focused on building the “shiny” mobile part without their back-end being established. But having a mobile solution will push your proposition into new markets. Being able to use your new found mobile reach to create whole new propositions is an important source of differentiation and will help you stay ahead, and by carefully exploiting new device functionality, form factors and operating system capabilities there will be plenty of scope for meeting the need for innovation.

MobiCloud


The MobiCloud platform uses Appear Networks’ technology to make it easier to address all of these needs. Applications can be rapidly developed at reduced cost by intrinsic cross-platform support and cloud hosting. Risk is reduced by using proven platform capabilities and rapid deployment allows development to be done iteratively (an “innovation discovery process”). The cloud hosted Backend-as-a-Service (MBaaS) model enables the rapid testing and delivery cycles necessary to achieve this.

For more information about MobiCloud and how you can participate, please visit our website and consider joining our partner program.

Wednesday, 2 April 2014

MobiCloud at Speedy Integrated Services Show with COMIT

Last week MobiCloud partner COMIT were at the Speedy Integrated Services Show in Telford, UK. Speedy are a large supplier of hired products and services to the construction industry and their show is the largest of its kind in Europe.

Mark Collier of Costain demonstrating the Site Diary App
Mark Collier from Costain attended, along with members of COMIT and demonstrated the MobiCloud Site Diary App - complete with hi-visibility jacket and hard hat.

Mark was also invited by Speedy to sit on the expert panel of a leadership session on Mobilising the Workforce in Construction and Industry. Mark took the opportunity to describe the MobiCloud project and to explain how it was playing its part in doing just that.

Iain Miskimmin from COMIT speaking & Mark Collier on left of panel
The Speedy show was a two-day event and COMIT were there for the whole thing. Plenty of people dropped by and there was a definite interest in everything cloud and BIM (building information modelling). The latter seems to be leading to a greater interest in and development of the former, since BIM requires the sharing of huge quantities of data which can only really be facilitated cost effectively by using cloud technologies.



The UK government's BIM strategy, which was launched in 2011, mandates that all public sector centrally procured construction projects must be delivered using BIM by 2016. BIM is not just about modelling the construction process, but about seamlessly sharing information between stages and stakeholders within the process.

“BIM will integrate the construction process and, therefore, the construction industry”
Graham Watts, OBE, Chief Executive Officer, Construction Industry Council

There is real synergy between BIM and cloud-based technologies such as those being developed as part of MobiCloud, which bodes well for the future of the project.
For more information about the Speedy event please see the COMIT blog.

Friday, 28 March 2014

MobiCloud is a winner

MobiCloud is pleased to report that it has won the ITEuropa European IT & Software Excellence Awards for Communications/Mobility Solution of the Year - under both the Independent Software Vendor and Solution Provider categories.


The European IT & Software Excellence Awards are pan-European awards to recognize the role of Independent Software Vendors and Solution Providers in delivering real-world solutions. There were entries from 25 different countries and each had to be supported by a client's endorsement. 81 companies from 16 countries were in the finals. The winners were selected by an independent panel of consultants and editors.

“What impressed us this year was the quality and the measurable returns many of these projects delivered. Many have total paybacks many times the value of the IT investment, and we are seeing many of these projects delivered as part of a continuing expansion of productive investment. This shows what a great relationship these IT suppliers have with their customers, and how customers are keen to work with suppliers on a long term change to their organisations.” 
John Garratt, Editor of IT Europa
The awards were split into three categories: Independent Software Vendors, Solution Providers and Suppliers. MobiCloud entered under both ISV and Solution Provider and won in both categories.


Report on the Future Internet Assembly 2014

By Vladimir Bataev of EsperantoXL

The most reliable way to predict the future is to invent it, maintains the old saying, but since this activity can take time, one who shapes the future should not underestimate the importance of regularly informing a curious public about what is waiting for them ahead. That was the raison d'etre of the Future Internet Assembly 2014 that took place in Athens, Greece between March 17th and March 20th. It combined a series of workshops together with an exhibition of the most prominent technology projects that have been funded by the European Commission.


The workshops, panels and plenaries covered a traditional range of subjects: from next generation networks and hardware that will physically enable the future internet, regardless of the shape it will eventually take, to the applications and services that will be built on top of this infrastructure. Key trends of the past year - internet of things, ubiquitous computing and increased mobility - merged into one übertheme: "smart cities" and it was rare for a presentation not to mention it.


Smart cities remain a tricky subject. Lots of pilots and living lab projects have been implemented and some of them, like the CitySDK project in Amsterdam, have produced tangible results that citizens can make use of and in this case even featured in the Economist. However, as one of the panelists noted, very few, if any, of these pilot projects have been transformed into a larger scale implementation. 


There are several reasons for this and the most obvious one is the lack of a sustainable business model. Even CitySDK still has to get the commitment from participating municipalities to keep it alive beyond the project end date this year. The search for such business models was the focus of a half-day workshop. Its conclusion was that so far only large vendors of platforms to monitor city traffic and companies building actual hardware sensors were able to find such business models.

Commercialization of technology is one of the strong points of the MobiCloud project, which already has multiple trial cases running commercially. Two of these examples were demonstrated and explained at the MobiCloud booth by myself and Vincent Dollet of Appear.


The MobiCloud booth was on the VIP route and was very well attended - several delegations stopped by, as well as Zoran Stancic, Mario Campolargo, Ken Ducatel and Maria Tsakali from the European Commission. Neelie Kroes was expected, but only had time to visit FI-WARE, one of the largest and most heavily funded projects, which offers interesting collaboration opportunities for MobiCloud as well.


The MobiCloud team appeared on local television and you can see the interview with Vincent Dollet here. We were also invited to present the project during the EC-Mexico collaboration workshop. This brought together industry representatives and researchers to find the common problems to work on in 2014.

You can find out more about FIA Athens on the official website. You can also contact Vincent Dollet or Vladimir Bataev via the MobiCloud website for more about MobiCloud and their involvement.

Friday, 14 March 2014

Meet MobiCloud at the 2014 Future Internet Assembly in Athens, Greece on 18th to 20th March

The European Future Internet Assembly is a collaboration between projects that have recognized the need to strengthen European activities on the Future Internet to maintain European competitiveness in the global marketplace. Currently FIA brings together around 150 research projects that are part of Challenge 1 of the ICT programme of FP7 and are advancing the state of the art in their respective thematic areas. 



FIA supports open interactions and cross-fertilization across technical domains, hence it is open to all researchers engaged in Future Internet research (be they at EU or not) to contribute and participate towards FIA’s goals. The first FIA was held in Bled, Slovenia in May 2008, and reaches its 11th edition this year, in FIA Athens 2014.

The 11th FIA in Athens will focus on reshaping the Future Internet infrastructure for innovation, and more specifically on the formulation of the new Internet technological landscape based on network/cloud integration & virtualisation SDN/NFV and innovative software, services and cloud technologies that enable application innovation.

Vincent Dollet from Appear Networks and Vladimir Bataev from EsperantoXL will be supporting MobiCloud's presence at the event demonstrating the technology and participating in some of the workshops. Attendees will have the opportunity to discuss the technology behind the project and see some of the resulting enterprise mobility applications.

FIA Athens 2014 features several parallel events, such as working sessions, project demonstrations, FIF, FI-PPP, session/demo/project contests etc.


If you are planning to attend and would like to meet up then get in touch!