Tag: data sovereignty

European Union to establish own DNS infrastructure

Article

Map of Europe By User:mjchael by using preliminary work of maix¿? [CC-BY-SA-2.5 (http://creativecommons.org/licenses/by-sa/2.5)], via Wikimedia Commons

EU wants to build its own DNS infrastructure with built-in filtering capabilities – The Record by Recorded Future

My Comments

Europe is working on another Internet-focused effort to maintain some sovereignty over its online affairs.

The DNS is the Internet’s equivalent of the traditional White Pages telephone book, where you would look up someone’s name to find their phone number. Here, it is about looking up the domain name part of a Web address like “homenetworking01.info” and identifying the IP address of the Webserver that hosts the Website. The process is very similar when looking up the IP address of the email server for the domain listed after the “@” part of an email address.

Here, the European DNS4EU effort is about creating a network of DNS servers that are based in Europe. It is essentially about European data sovereignty where this Internet-essential function is in European hands and fully subject to European laws and norms rather than in the hands of a few non-European companies.

For example, this DNS effort is run in compliance with the European Union GDPR user-privacy directive and avoids issues to do with the USA’s CLOUD Act, which can subject online data to US authorities’ investigative requirements even if it is used overseas, as long as the servers are owned by a company based in the USA.

The DNS4EU DNS service will also have powerful filtering abilities to work against cyber attacks. This can include blocking DNS name resolution for domains associated with malware or phishing sites. But there are questions about which kinds of Internet user this would be mandatory for, such as the public sector, financial services or essential services, and whether EU-based ISPs or all European-based ISPs will be required to take advantage of this new DNS4EU infrastructure.
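As an added illustration (not DNS4EU code or anything from the cited article), the Python sketch below shows the decision a filtering resolver makes for each query: parse the question name, check it and its parent domains against a blocklist, and answer NXDOMAIN instead of resolving. The blocklist entries and function names are constructed for the example.

```python
import struct

# Constructed sample blocklist; a production resolver would load a threat feed.
BLOCKLIST = {"malware-download.example", "login-verify.example.net"}


def build_query(name, txid=0x1234, qtype=1):
    """Build a sample DNS query packet (QTYPE 1 = A record, RD flag set)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (qname, end_offset) for the first question in a query packet."""
    offset, labels = 12, []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length > 63:  # compression pointers are not expected in a question
            raise ValueError("invalid label length in question")
        labels.append(packet[offset:offset + length].decode("latin-1").lower())
        offset += length
    return ".".join(labels), offset + 4  # +4 skips QTYPE and QCLASS


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname or any parent domain is listed (label-boundary match)."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def filter_query(packet, blocklist=BLOCKLIST):
    """Return an NXDOMAIN reply for blocked names, or None to resolve normally."""
    if len(packet) < 17:
        raise ValueError("packet too short to hold a DNS question")
    txid, flags = struct.unpack("!HH", packet[:4])
    qname, end = parse_question(packet)
    if not is_blocked(qname, blocklist):
        return None
    # QR=1 (response), keep opcode and RD from the query, RA=1, RCODE=3.
    rflags = 0x8000 | (flags & 0x7900) | 0x0080 | 0x0003
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return header + packet[12:end]


if __name__ == "__main__":
    for name in ("www.example.org", "cdn.malware-download.example",
                 "notmalware-download.example"):
        reply = filter_query(build_query(name))
        print(name, "->", "NXDOMAIN" if reply else "resolve upstream")
```

Matching on whole labels means a subdomain of a listed name is blocked while an unrelated name that merely ends with the same characters is not.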

This same project also assures compliance with court orders against access to prohibited content like child-sexual-abuse imagery or pirated content. But this kind of protection may be limited to the European Union or a wider area like the European Single Market or even the countries under the Council of Europe’s scope.

Another benefit often seen with this is increased speed for European DNS queries due to the proximity of the DNS4EU servers to European citizens and businesses. It is also a way that Europe can carve out its own online identity amongst their own citizens rather than relying on other areas for its IT needs.

As I have said before, there could be questions raised about the kind of geopolitical reach that the European Union’s new DNS infrastructure would have. But it could be seen as one of many attempts for Europe to have its own IT infrastructure and work in a manner independent of countries like the USA.

Germany to instigate the creation of a European public cloud service

Article

Europe to have one or more public cloud services that respect European sovereignty and values

Germany to Unveil European Cloud to Rival Amazon, Alibaba | ITPro Today

France, Germany want more homegrown clouds to pick from | ITNews (Premium)

My Comments

Germany is instigating a European-wide project to create a public cloud-computing service. As well, France is registering its intent to pursue the same idea by creating another of these services.

Both countries’ intention is to rival what USA and Asia are offering regarding public-cloud data-processing solutions. But, as I have said before, it is about having public data infrastructure that is sovereign to European laws and values. This also includes the management and dissemination of such data in a broad and secure manner.

Freebox Delta press photo courtesy of Iliad (Free.fr)

… which could also facilitate European software and data services like what is offered through the Freebox Delta

The issue of data sovereignty has become of concern in Europe due to the USA and China pushing legislation to enable their governments to gain access to data held by data service providers that are based in those countries. This is even if the data is held on behalf of a third-party company or hosted on servers that are installed in other countries. The situation has been underscored by a variety of geopolitical tensions involving especially those countries such as the recent USA-China trade spat.

It is also driven by some European countries being dissatisfied with Silicon Valley’s dominance in the world of “as-a-service” computing. This is more so with France where there are goals to detach from and tax “GAFA” (Google, Apple, Facebook and Amazon) due to their inordinate influence in consumer and business computing worlds.

or BMW’s voice-driven assistant for in-car infotainment

Let’s not forget that Qarnot in France has designed computers that put their waste heat to use for heating rooms or creating hot water in buildings. This will appeal to a widely-distributed data-processing setup that could be part of public cloud-computing efforts.

Questions that will crop up with the Brexit agenda when Europe establishes this public cloud service will include British data sovereignty if data is held on the European public cloud or whether Britain will have any access or input into this public cloud.

Airbus A380 superjumbo jet wet-leased by HiFly at Paris Air Show press picture courtesy of Airbus

… just like this Airbus A380 superjumbo jet shows European prowess in aerospace

Personally I could see this as facilitating the wider creation of online services by European companies especially with the view to respecting European personal and business values. It could encompass ideas like voice-driven assistant services, search engines, mapping and similar services for consumers or to encourage European IT development.

Could this effort that Germany and France put forward be the Airbus or Arianespace of public-cloud data services?

Amnesty International reports on recent email phishing attacks

Article

How Hackers Bypass Gmail 2FA at Scale | Motherboard

Hacker spoofing bypasses 2FA security in Gmail, targets secure email services | ZDNet

My Comments

Recently, it has been revealed that hackers were attacking users of secure email sites by compromising the two-factor authentication that these sites implement.

This has been found to be an attack perpetrated by nation-states against journalists, human-rights defenders, non-government organisations and their allies in the Middle East and North Africa over 2017 and 2018. Here, this user base were using GMail and Yahoo Mail Webmail services and Protonmail and Tutanota secure Webmail services that were compromised. This is because the Webmail setup typically allowed for a client-independent portable email front.

What was going on was that a phishing page was asking for the users’ email and password but this would trigger the software’s two-factor authentication routine. But the user interface was “steered” via a fake page asking for the one-time password that the user would transcribe from their mobile phone which would receive this value via text messaging. It then led to the creation of an app password, typically used for third-party apps to use the service, but was used by the hacker to sustain control of the user’s email account.

Oh yeah, there was the SSL authentication which would show a “green padlock” icon on the user’s Web browser, making the user think that they were safe. But the phishing that took place was facilitated using fake domain names that sounded and looked like the real domain names.

This loophole exploited the use of the “intact key” or “green padlock” symbol in a Web browser’s user-interface to indicate that the SSL certificate was intact and that the interaction with the Website is safe thanks to HTTPS. But users may not know they are with the wrong Website, which is the breeding ground for phishing attempts.

The other weakness that was called out was the requirement for end-users to transcribe the one-time password from an SMS message, software token app or hardware token, which is what made it possible to phish the account. This was aggravated through the use of an app password to allow third-party app access to the service. What is being preferred as a secure 2FA solution was a security key kept in the possession of the end-user that connects to the user’s host device via USB, Bluetooth or NFC.

Most of us can easily relate this process to using an ATM to take cash out of our account or a payment terminal to pay for goods or services using our plastic cards. Here, to facilitate the transaction, you have to present your card by inserting it in or touching it on an identified spot on the ATM or payment terminal then enter your PIN number in to the same machine.

Extended Validation SSL site as identified on Microsoft Edge – notice the organisation’s legal name appearing in green text

The Websites that high-risk end-users rely on can use Extended Validation SSL or Organisation-based SSL certificates and other authentication measures to verify the Website they are visiting is the correct one. Extended Validation SSL has a stronger certificate that verifies the organisation it is associated with and implements the strongest encryption available for HTTPS. The user experience here will have a green bar in the browser’s address bar along with the typical padlock icon while the organisation’s legal name is written in the address bar before the URL. The Organisation-based SSL certificate doesn’t have the green bar or text on the user interface but lists the organisation’s legal name in the address bar. But some browsers like recent Chrome versions don’t implement the green highlighting of the legal name for EV SSL certificates.

This also includes the organisations keeping tabs on their Internet “real estate” of domain names to identify typosquatting risks and, perhaps, make further “land grabs” of domain names if they can afford it. This is in conjunction with efforts like what Amnesty International were doing with Protonmail and Tutanota where they are made aware of fake sites and are given legal assistance to take them down.
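One way an organisation could keep tabs on lookalike registrations, as an added example rather than anything Amnesty International or the mail providers published: compare domains seen in mail or proxy logs against the domains it owns. The watch list, the observed names and the two-label registrable-domain shortcut are assumptions made for the example.

```python
# Constructed watch list: registrable domains the organisation really owns.
PROTECTED = {"securemail.example"}
# Character sequences often used to imitate another letter.
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def skeleton(label):
    """Fold a label for comparison: lower-case, no hyphens, confusables mapped."""
    folded = label.lower().replace("-", "")
    for src, dst in CONFUSABLE:
        folded = folded.replace(src, dst)
    return folded


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(observed, protected=PROTECTED, max_edits=2):
    """Return (verdict, protected_domain_or_None) for one observed domain."""
    labels = observed.lower().rstrip(".").split(".")
    # Assumption: registrable domain = last two labels (no co.uk-style suffixes).
    registrable, sld, sub = ".".join(labels[-2:]), labels[-2:][0], labels[:-2]
    if registrable in protected:
        return "owned", registrable
    for good in sorted(protected):
        brand = skeleton(good.split(".")[0])
        if skeleton(sld) == brand:
            return "confusable", good          # homoglyph, hyphen or TLD variant
        if osa_distance(skeleton(sld), brand) <= max_edits:
            return "typo", good                # dropped, added or swapped letters
        if any(skeleton(label) == brand for label in sub):
            return "brand-in-subdomain", good  # brand used as a left-hand label
    return "unrelated", None


# Constructed observations, e.g. from mail-gateway or proxy logs.
OBSERVED = ["mail.securemail.example", "securemai1.example", "securernail.example",
            "securemial.example", "securemail.example.account-check.test",
            "weather.example"]

if __name__ == "__main__":
    for name in OBSERVED:
        print(f"{name:40} {classify(name)}")
```

A fixed `max_edits` of 2 is noisy for short brand names, so a real deployment would scale the threshold with label length and use the Public Suffix List to find the registrable domain.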

Then browsers and similar user agents could highlight domain names in a more distinct manner so users can know where they are at. This would be more important with email clients or browsers implemented on “reduced-user-interface” platforms like mobile operating systems. As well, end-users in high-security-risk user groups could be trained to be aware of the domains associated with Websites they are visiting. Mobile browsers pitched to smartphones can also implement a way to show the organisation’s legal name on the user interface such as a caret-identified drop-down interface that comes alive with Organisational Validated or Extended Validated SSL certificates.

Webmail-based user interfaces and similar high-risk online services could move towards use of “transcription-free” two-factor authentication like FIDO-U2F-compliant security keys including software keys run on mobile platforms to provide a secure login user experience.
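The difference between a transcribed code and a security key can be shown from the service's side, as an added example that is not part of the cited reports. HMAC stands in for the key's real public-key signature, and the origins and class names are constructed; the point is that the browser, not the user, supplies the origin that gets signed.

```python
import hashlib
import hmac
import json
import os

REAL_ORIGIN = "https://mail.example"        # constructed legitimate site
FAKE_ORIGIN = "https://mail-example.test"   # constructed lookalike site


class SecurityKey:
    """Toy authenticator; HMAC stands in for a real key's ECDSA signature."""

    def __init__(self):
        self._master = os.urandom(32)

    def _site_key(self, origin):
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin):
        # A real key returns a public key; this toy shares the per-site key.
        return self._site_key(origin)

    def sign(self, origin, challenge):
        """`origin` is reported by the browser, never typed by the user."""
        body = {"origin": origin, "challenge": challenge.hex()}
        client_data = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self._site_key(origin), client_data, hashlib.sha256)
        return client_data, sig.digest()


def verify_assertion(site_key, challenge, client_data, signature):
    """Service-side check: signature, then origin and challenge binding."""
    expected = hmac.new(site_key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False
    data = json.loads(client_data)
    return data["origin"] == REAL_ORIGIN and data["challenge"] == challenge.hex()


def verify_otp(issued_code, submitted_code):
    """A one-time code carries no record of which page it was typed into."""
    return hmac.compare_digest(issued_code, submitted_code)


def demo():
    key = SecurityKey()
    site_key = key.register(REAL_ORIGIN)
    challenge = os.urandom(16)
    at_real = key.sign(REAL_ORIGIN, challenge)
    at_fake = key.sign(FAKE_ORIGIN, challenge)  # user was on the wrong site
    return {
        "otp_typed_on_lookalike": verify_otp("492817", "492817"),
        "key_used_on_real_site": verify_assertion(site_key, challenge, *at_real),
        "key_used_on_lookalike": verify_assertion(site_key, challenge, *at_fake),
    }


if __name__ == "__main__":
    print(demo())
```

The service accepts the code wherever it was typed, but rejects the key's response from the lookalike origin because both the per-site key and the signed origin differ.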

Similarly, token-based authentication could be the way to go for app-to-service authentication especially as we use native-client software to interact with online services. This avoids the creation of persistent “app passwords” to facilitate native client access to online services. Here I would see this as being important as something to be investigated as part of working towards secure client-based email setups, especially as the client-based email provides a platform-native user interface for your email.

Each of these approaches has to be looked at in a manner to work with small and medium organisations who don’t have their own IT staff. This is more so as this class of organisation sees itself as “grown up” when it uses cloud-based line-of-business software. The issue here is to assure that authorised users have secure access to the proper service they are authorised to use.

This situation that Amnesty International raised could also bring forward the idea of non-profit entities that underscore data security for independent media and civil society. Here, it could be about extending and bolstering the Electronic Frontier Foundation’s efforts or building up legal-action funds and lawyer teams to provide legal remedies against cyber-attacks.

What is now being realised is data security has now become a human-rights issue rather than an economic necessity.

Controlled folder access to come to Windows 10 soon

Articles 

Windows 10 preview build protects your files from ransomware | Engadget

Windows 10 will hide your important files from ransomware soon | The Verge

Microsoft previews new ransomware protection feature | Bit-Tech

From the horse’s mouth

Microsoft

Windows Experience blog post

My Comments

If you have heard the news over the last few months, you will have heard about ransomware activity in the form of the WannaCry and Petya ransomware variants getting at major installations including the NHS and the Victorian traffic-camera infrastructure.

But Microsoft has attacked this problem in a different way by providing application-level control for the next major update for Windows 10 – the Fall Creators Update. It is part of refining the Windows Defender security software that is part of the operating system for improved business-tier data security.

It is a very similar process to what Android and iOS do in relation to allowing the user to control what apps have access to what resources and features on their smartphone or tablet. It is also in contrast to how regular-computer operating systems work when it comes to controlling the level of access granted to a computer’s file system, where users or groups of users are typically granted particular levels of access to folders or files.

Here, once you enable the Controlled Folder Access function, applications can’t add, modify or delete files in folders where this control exists unless the app is part of a user-defined whitelist.  The routine for adding an app to the whitelist will be very similar to what you do on your iPhone or Android phone when it comes to allowing that app you newly downloaded to have access to a particular resource on your smartphone and could occur during installation or when you first use that app after enabling Controlled Folders.

By default, this feature would be enabled for the Documents, Desktop, Pictures and Videos folder trees but you can enable this feature for other folders such as “ad-hoc” work folders created on the system disk or other fixed storage on your system. I am not sure if this is also to apply to removable storage like USB hard disks, USB memory keys or SD cards, or whether this can also apply to network and online storage like your NAS shares or your Dropbox folder.

A question that can also be raised is whether the Controlled Folder feature will also provide a way to limit access to other system resources by apps. Here, it could range from access to network and Internet resources to prevent spyware from “phoning home” or to limit access to your computer’s Webcam and microphone to limit use of these resources as a surveillance tool.

Could you end up determining which country your data is held in?

Article

Microsoft will host data in Germany to hide it from US spies | The Verge

My Comments

Edward Snowden has raised a very significant issue concerning the confidentiality and sovereignty of your data when he leaked what went on with the NSA. This has affected how individuals and organisations do business with American-chartered IT organisations like all of Silicon Valley.

The data sovereignty question is even being extended towards data held within nations that implement a federation or similar geopolitical structure like the USA, Canada, Germany, Switzerland or Australia. This situation could even apply to the United Kingdom thanks to the devolved countries like Scotland and Wales acquiring independent powers similar to a state in a federation. Here the question that comes into play is which state’s rules govern the data that is being created. It has come into play since the US Supreme Court overturned Roe vs Wade and placed women at risk of trouble if they seek abortions within the USA’s “Red” states, because of the increased computerisation of our business and personal lives.

But what has happened was that Microsoft took up a new model for setting up data storage which is in the form of a “data trustee”. This model is similar to how a trust fund operates where a third party who is known as a trustee, is tasked to control funds and assets that come in to that fund for the benefit of the recipients.

In this case, Microsoft is setting up data centers in Germany and delegating Deutsche Telekom, a telco entirely chartered in Germany, to control these data-storage facilities as a “data trustee” for them. But the data stored on these facilities will be Microsoft’s and their customers’ data.

Why Germany? Warum Deutschland? This is because Germany, a country which has passed through some horrible periods of history where big government abused citizens’ privacy in the form of the Third Reich and East Germany, has enacted some of the world’s tightest privacy laws.

What I see of this is that a person who signs up to a Webmail service, online storage service, Webhost or similar online service could be given the option to have the data held on servers in a nominated country, most likely rated according to the country’s standard of privacy and data sovereignty. Similarly, companies chartered in countries with rigorous data privacy and confidentiality standards could end up doing valuable business in renting data center space or providing online services to local and foreign individuals and companies wanting stronger privacy.

On the other hand, these countries could end up with the same reputation that Switzerland had with its banks. This was where Switzerland’s financial-secrecy laws were abused by people and companies who were laundering or concealing ill-gotten gains in Swiss banks to avoid official scrutiny. In relationship to data, this could allow for data associated with criminal activity such as child-abuse imagery or pirated software to be concealed in countries with high data-privacy standards.

But the authorities in those countries can act as a legal filter to make sure that any official data requests are for legitimate crime-fighting and personal-safety reasons rather than to suppress internationally-recognised core freedoms and liberties.

Created 13 November 2015. Updated 8 July 2022 to encompass the reversal of Roe vs Wade and the ramifications associated with countries that implement a federation or similar geopolitical structure.