Posts tagged " Encryption "

GDPR: how to email data securely to comply with the new regulations

April 5th, 2018 Posted by Industry Focus, IT Services No Comment yet

The European Union’s General Data Protection Regulation (GDPR), which comes into force on May 25, will govern the storage and processing of data rather than its collection. It also includes some very important consumer rights. The most important are the right to be informed, the right of access, the right to correct errors, the right to erase data, the right to restrict processing, and the right take it elsewhere (data portability). How useful these will be in practice remains to be seen.

Emails are like plain text postcards because they can, in theory, be read at any of the many servers through which they pass, or by someone tapping a line. Of course, “read by” is unlikely to mean “read by a human being.” However, software can look for things like passwords and credit card numbers.

A more likely problem is sending emails to the wrong address, either because users have got their own email addresses wrong (this happens surprisingly often), or through human error. Pick the wrong address from a list of auto-complete suggestions and you could send personal data to the wrong recipient. This would be a data breach that might have to be reported.

It would obviously be good thing if all emails were encrypted by default so that only the intended recipient could read them. Three decades of history says this isn’t going to happen soon even though it would help secure investments and asset protection information, if at all. Public key encryption is too hard for people who just want to send normal emails.

Some large organisations do have encrypted email services, such as the NHS, but that doesn’t help the rest of us.

Some people do choose secure email services, such as ProtonMail in Switzerland and Tutanota in Germany. However, you also have to send external recipients a password – for example, in an SMS text message – to decrypt the email.

Tutanota users get an email that says “you have an encrypted email” and you click a link to read it, and reply to it, in a browser. You have to export the email if you want to keep a copy.

There are also plug-ins for Gmail and the Microsoft Outlook email program that provide secure email services. If one of your employers is using a secure system, they might let you join in.

If there’s no other alternative, you should encrypt and password-protect your images and documents before sending them as email attachments. Again, you must send the password separately, either via a different messaging service or in the post.

Fotolia_40957727_XS1

Online storage locations

It’s a good idea to upload attachments and then send people a link. However, bear in mind that you are uploading documents to the company that probably runs the biggest surveillance operation on the planet. Encrypt your documents before you upload them.

Encryption protects data if an online storage service is compromised – it has happened – or if your email is hacked.

Unfortunately, using Google Drive brings up an extra complication. If you are using Gmail, then you can assume that your data is being held in, or passing through by arizona bus company, or accessible from the USA.

GDPR does not oblige users to store data on servers inside the EU. However, there are extra requirements if servers are outside the EU. First, you need to have a legitimate reason for transferring personal data outside the EU. Second, you must have the consent of the person whose data is being exported. Third, you must give that person the option to opt out.

In another post, the aforementioned Liz Henderson explains how to create a GDPR Privacy Notice, and you could adapt her sample to cover Gmail storage outside the EU.

You could switch to using an email service that operates wholly within the EU (see above), if only for any people who opt out, or you could upgrade to Google’s paid-for service.

Google claims that its G Suite and Google Cloud Platform (GCP) services are fully compliant with GDPR, because it offers to sign EU Model Contract Clauses and a Data Processing Amendment. The fine print notes that “the parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data” and that “Google will not process Customer Personal Data for Advertising purposes or serve Advertising in the Services”.

 

Privacy

How much do you value your privacy?

January 16th, 2017 Posted by Subjects, Voice No Comment yet

I’ve got nothing to hide, so why should I care?

This argument is commonly used in discussions regarding privacy. Colin J. Bennett, author of The Privacy Advocates, said that most people “go through their daily lives believing that surveillance processes are not directed at them, but at the miscreants and wrongdoers” and that “the dominant orientation is that mechanisms of surveillance are directed at others” despite “evidence that the monitoring of individual behaviour has become routine and everyday“.

 

Most of us do value our own personal security/privacy more than we think. “Imagine upon exiting your house one day you find a person searching through your wheelie bin painstakingly putting the shredded notes and documents back together. In response to your stunned silence they proclaim ‘you don’t have anything to worry about – there is no reason to hide, is there?”.

Of course, most likely you don’t have anything suspicious to hide, but do you really want them looking at your bank statement, seeing receipts for things you’ve bought, letters from your children’s school…even the number of wine bottles in your recycling might be embarrassing?!

Your technological life is no different – you might not be breaking state secrets online, but would you want someone reading your private texts or messages? The heartfelt message to a loved one, an angry text to a friend, something mean said on the spur of the moment? It is essentially the same as your offline life.

Have you considered encryption?

Unless you are very tech-savvy, the likelihood is you haven’t. Luckily, there are some very forward-thinking people and companies out there trying to make encryption the norm. The following apps are all downloadable free of charge.

  • Signal – is an encrypted instant messaging and voice calling application for Android and iOS. It uses the Internet to send one-to-one and group messages, which can include images and video messages, and make one-to-one voice calls.

 

  • ChatSecure – The app uses open-source, publicly auditable encryption libraries to keep your private business messages private. It’s really flexible, letting you choose between connecting via your existing Google account, or creating a new account on a public XMPP server. Users who want even stronger security can connect to ChatSecure from their own private server. And unlike with many rival apps, ChatSecure doesn’t require your phone number of any other personal data to get started.

 

  • Gliph is a secure messaging service that you can use on all of your computing devices. When you’re on the go, use the iOS or Android app on your smartphone. When you’re at the office, use the Gliph desktop app so you can send and receive messages using a mouse and keyboard. Another key feature is “Real Delete,” which lets you permanently delete a message from both the sending and receiving device, as well as the Gliph server, whenever you choose. You can also attach a pseudonym to your main account at any time, so you can use a screen name for personal chatting and switch back to your real name for professional communications.

 

  • Wickr is a secure messaging app that lets you set an “expiration date” for every message you send; just select a date and time for your media to expire, and it will automatically be deleted at that time. That way, you don’t have to worry about a third party inadvertently reading private communications that are left on a contact’s smartphone. Meanwhile, the app features end-to-end encryption for all messages, and it lets you remove metadata from individual messages, such as the time it was sent, as well as geo-location data. Another handy feature gives you the ability to completely clear away message files that have been manually deleted but still reside on your smartphone’s memory. Wickr also has standard messaging features, like the ability to chat with groups of up to 10 people at once.