Interesting times

I usually don’t write political blog posts, especially about a country of which I’m neither a citizen nor a resident. While I definitely have very clear opinions and views, I want to stay neutral in this blog and only talk about the technology side of things.

It seems that the new US administration is in the process of shaking up a lot of traditions and regulations, while also redefining the relations between the USA and the rest of the world. Even though a lot of these changes are very relevant to a lot of people on this planet, I want to focus on three topics that directly affect IT, the free software world and especially my work at Nextcloud.

Crypto Wars and Backdoors

Some of you might remember the early days of the web in the 1990s, when we had the ‘crypto wars’. This was a period in which the US government tried to limit access to strong cryptography, especially outside the US. The idea was that the US intelligence services should be able to crack and decrypt every encrypted communication that happens outside the US. For example, software like PGP was not allowed to be exported from the US, and the export versions of browsers like Netscape were only allowed to use weak 40-bit SSL keys, while the US version supported 128-bit keys. Those export-grade cipher suites survived in SSL/TLS implementations for almost two decades after the restrictions were lifted and were still exploitable in 2015 (the FREAK and Logjam attacks), which shows how hard deliberately weakened crypto is to get rid of once it is in a protocol.

After a while the US realized that this was a very bad idea and, around the turn of the century, relaxed the export controls so that other countries could also use strong encryption. Now it seems that the new Attorney General likes the idea of crypto backdoors, so the topic is back on the table. This would obviously be very bad for internet security: there is no way to build an access mechanism that only the ‘right’ government can use, so any backdoor in a protocol or product becomes a target for every other attacker and for anyone who can steal the key material behind it. The EFF has a good summary.

Legal battle over overseas Microsoft data

A lot of organisations and companies are concerned about storing sensitive data on servers and cloud services hosted in the USA. The reason is that US government agencies can compel access to the information and data stored there, and this is something a lot of people and companies don’t agree with. Microsoft and Deutsche Telekom have implemented a workaround that makes it possible to get a Microsoft Office 365 subscription where the data is hosted in a data center in Germany. The current judicial interpretation is that this service is covered by local German law and not by US law.

However, news reports now suggest that the US might soon take a different view. In the near future, US agencies might have full access to services wherever a US company is involved, as in this case with Microsoft. More information can be found in this article on Politico.

Privacy Shield and Safe Harbor

Two days ago Trump signed an executive order which might kill the Privacy Shield agreement with the EU. Privacy Shield is the successor of Safe Harbor, which the Court of Justice of the EU invalidated in 2015; both agreements basically allowed European-based companies to use US-based cloud services and still be compliant with EU law. If this agreement is annulled, then every data flow from the EU to US-based cloud services that relies on it loses its legal basis. More information from TechCrunch.

All this happened in only the last few days. It is not completely clear yet what the long-term impact will be or what else might happen next, but it is safe to say that the security of computer systems, the internet and our privacy is under heavier attack than ever before.

Free software developers, organisations, companies and everyone else who cares about security and privacy should act now. We need to develop and support technology that implements strong cryptography and is distributed and federated. It is becoming very clear that the heavy dependency on US-based IT, cloud and web services is not good for the rest of the world. One of the main benefits of free software like Linux, KDE, GNOME, ownCloud and Nextcloud is that everyone can host and install it wherever they want and can audit the code to make sure that there are no backdoors (an audit that only protects you if someone actually does it, and if the binaries you run can be reproduced from the audited source), while also being able to adapt it and enhance it however they want.

These are interesting times, and we, as software developers, are in a key position to make sure that all people will have access to data privacy tools and secure communication in the future.

10 Comments

  1. Alex L
    28/01/2017

    > I usually don’t write political blog posts

    I think that everything about privacy is a political post and it’s OK.
    In fact KDE *is* a political movement. Those that complained about this kind of post on KDE Planet are victims of the so called “containerization of knowledge’s fields”, one of the worst things that happened to humanity.

    So for me posts like this are welcome and they should be very common.

    Reply
  2. Paulo Marques
    28/01/2017

    Well, next year any company that does not respect EU citizens data is liable to pay 4% of revenue and the person responsible for the data is also financially liable. As the liberals say, the market will sort it out pretty quickly.

    Reply
  3. Kruppy
    28/01/2017

    I work as an external data protection officer for many companies and have to deal with the data protection authorities regularly. I wish what you said was true but the provisions you refer to read very differently than you think:

    Companies may be fined either UP TO (!!!) € 10 Million (Billion for our US friends) or 2% of last years world wide revenue or UP TO € 20 Million or 4% of last years world wide revenue.

    So both are “up to” provisions, which means that fines can be way lower than that. Looking at the past, our data protection authorities never even used the current € 50k and € 300k fines we have in Germany. Why would they suddenly fine companies way higher?

    The person responsible being fined will be very difficult in practice because you have to prove that a certain individual objectively fucked up. That’s near impossible, especially for company owners, who usually have several layers of plausible deniability in place to protect them. Normal workers are mostly exempt from this provision and are unattractive targets for suing for damages anyway.

    Reply
    • Frank Karlitschek
      28/01/2017

      I totally believe that a lot of companies don’t care enough and that the fines are low. But this doesn’t change the fact that a lot of people and companies are acting in a grey area. What do you think?

      Reply
  4. Kruppy
    28/01/2017

    Just to be clear: I was responding to Paulo Marques. 😉

    But still you are right. There are very few companies who “really” care for data protection compliance. Those are often forced to comply by big companies or because they provide services to government owned entities.

    Most companies couldn’t care less about data protection but try to achieve a superficial level of compliance for a couple of reasons: mainly marketing, but also to have some kind of foundation to argue in front of the data protection authorities if they get caught in some way. The authorities are very cooperative in such cases and in 95% of cases won’t fine the company if it does “something” about the found issue.

    And then there are the companies whose business model is simply incompatible with data protection laws but they still operate mostly untroubled by the authorities. Typical examples are call centers, companies who sell lead generation (and similar services), employee analyses services and many of the so called “web analytics services”.

    About Safe Harbor and now EU/US-Privacy Shield: This is a sham! End of discussion. It’s a simple tool that allows US companies to receive personal data from Europe by writing a simple privacy policy, signing up on a website (10 minutes work) and paying 100 bucks service fee.

    Same goes with “EU Model Clauses” which allows the same by simply signing a standardized contract that in practice has absolutely no effect.

    I hope my post is not too cynical, but after working many years in this business as someone who truly values data protection rights by heart, you either get depression or suck it up and try to reduce the damage as much as possible. Either by nagging your own customers into compliance with the little power you have or by helping works council members to fight for their employees’ rights. But in the end you will always be little Don Quichotte fighting those invincible windmills of different sizes. May it be Google or Salesforce or the shady call center down the street…

    Reply
  5. Björn Schießle said - GNU Social
    28/01/2017

    […] sure that all people will have access to data privacy tools and secure communication in the future" http://karlitschek.de/2017/01/interesting-times/ !privacy !selfhost #FreeSoftware a few seconds ago from web […]

    Reply
  6. Kruppy
    28/01/2017

    Oh but lets end on a brighter note shall we?

    Projects like ownCloud/Nextcloud as well as Let’s Encrypt, and the big open source community in general, offer many tools that effectively help you win a big chunk of your privacy back or at least reduce the footprint (fingerprint) you leave behind while using the web.

    In many cases it’s still pretty complicated to use for non techy folks or they simply don’t care for whatever reasons.

    Still I cherish each and every one of this community and I hope you guys know how incredibly important your work is: you empower people to emancipate themselves from corporations like Google, Microsoft and Amazon and take (at least parts of) their own lives back into their own hands.

    Thank you! 🙂

    Reply
  7. Kruppy
    28/01/2017

    And I still have to add something:

    We actually have pretty good data protection laws and they will get even better in 2018 with the DSGVO. Yes there are issues and obvious lobby enforced “workarounds” here and there but it’s a pretty solid law (+ related provisions).

    The real problem is (as in so many cases) lack of enforcement by the authorities. Since I know a couple of folks in those administrative bodies I claim to know the reasons for this:

    1. Lack of qualified staff. Public service is paid too little especially for IT and law experts.

    2. Lack of staff in general. They simply don’t get enough staff approved. You have 10-20 people checking on thousands of companies in each federal state (Germany).

    3. Pressure from higher levels and politicians: People tend to get angry if you fine the most important employer of the area. Also especially IT companies tend to settle for Munich because the BayLDA is very lenient compared to Hamburg for example.

    Reply
  8. rob
    15/05/2017

    the Privacy Shield agreement is (was) a hypocritical assurance imho.
    better it gets killed and EU companies have to aspire to real, honest and preferably transparent privacy. Nextcloud is a pretty good example here 🙂

    Reply
