Tuesday, April 25 2017

ePrivacy debate is missing the basics - ends up helping criminals and anti-trust operations

ePrivacy is part of GDPR

ePrivacy addresses the low-level aspect of GDPR - can citizens and devices be identified, are they identified, and are they thereby trackable in the first place?

Where GDPR addresses data as such, ePrivacy is focused on the technology and telecommunications involved when parties other than the citizens access or collect data from basic devices and entities. People are also devices, as they communicate and have sensitive "identifiers" (biometrics are sensitive data which cannot be collected according to GDPR Article 9).

The ePrivacy debate is missing the core issue

Much of the debate on ePrivacy is somehow mistaken for a repeat of the discussion on GDPR (which is fixed), as commercial providers focus on access to track and collect sensitive data without consent or with merely the illusion of consent.

On one hand, this is understandable as consent is hard and in some instances almost impossible.

Informed Consent is increasingly meaningless in a digital world, where data are (ab)used for a myriad of purposes that grow almost exponentially. In addition, expressing consent PRIOR to collection is literally meaningless when data collection has already happened by the time the question is asked. The Internet of Things represents scenarios where this problem scales to the extreme, with constant tracking of devices based on their leakage of identifiers (MAC or other device identifiers or addresses).

On the other hand, this is the EXACT reason and justification for ePrivacy, as it addresses the question of HOW basic telecommunication occurs.

The KEY question and raison d'être of ePrivacy is to require sustainable telco standards.

The existing ePrivacy regulation has been effectively sabotaged by commercial interests reducing the issue to a statement, "Here we track you and you consent simply by using our site", which is essentially a tracking wall mocking informed consent.

But we also saw the existing ePrivacy beginning to work as standards are changing - Bluetooth, RFID and WiFi have all seen modifications in the direction of eliminating persistent identifiers, whereby basic communication does not involve collecting device and personal data if neither can be recognized from session to session. In such a technical setup, Informed Consent can PRECEDE collection, i.e. the citizen can CHOOSE to release a Customer # or other identifier known to the site without releasing persistent identifiers linking the citizen/device across purposes.

If the citizen - for some strange or peculiar reason - actually wants surveillance, she can always release a persistent identifier such as a Device MAC or reused communication address (equivalent to or easily linkable to a social security number etc.). But, at least in principle, with the proper technologies applying Privacy by Design, she can also avoid doing so and maintain the integrity of purpose-specification and control of data.

5G represents the test of ePrivacy reform

The ePrivacy reform faces an easy upfront test. 5G is entering the final stage of standardization.

Presently the standard works with the principle of enforced Data Retention in the sense of "Mandatory Endpoint Identification", meaning that all communication according to 5G will involve the network spying on devices and thus citizens.

If this happens, the EU faces a cartel-enforced data-retention regime until the next major change of standards, which is assumed to be a VERY long time away (at least decades). In that case, not only will the collapse of both ePrivacy and GDPR be almost ensured, but there will also be a MASSIVE negative impact on the value creation of otherwise impressive technologies able to provide huge improvements in wireless communication.

The win-win alternative which ePrivacy MUST enforce

The sustainable alternative would be security and identity established as contextual-only, i.e. mechanisms where basic infrastructure maintains unlinkability unless explicitly desired otherwise BY the citizen.
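The contextual-only identity described here, together with the session-to-session unlinkability discussed above for Bluetooth, RFID and WiFi, can be shown in a short sketch. This is an added example, not part of the original article or of any standard; the `Device` class, the `pseudonym` and `linkable` helpers, the HMAC-based derivation and the site names `shop.example` and `clinic.example` are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Device:
    """Hypothetical device model; persistent=True mimics a fixed, leaked MAC."""

    def __init__(self, persistent=False):
        self._root = secrets.token_bytes(32)  # long-term secret, never transmitted
        self._fixed = self._random_address() if persistent else None

    @staticmethod
    def _random_address():
        addr = bytearray(secrets.token_bytes(6))
        addr[0] = (addr[0] | 0x02) & 0xFE  # locally administered, unicast
        return addr.hex(":")

    def session_address(self):
        """Address visible to the infrastructure for one session."""
        return self._fixed or self._random_address()

    def pseudonym(self, context):
        """Identifier stable within one context, released only by choice."""
        mac = hmac.new(self._root, context.encode(), hashlib.sha256)
        return mac.hexdigest()[:16]


def linkable(a, b):
    """Two sightings are linkable if they share any identifier value."""
    return bool(set(a.values()) & set(b.values()))


def scenario(persistent):
    dev = Device(persistent)
    # Constructed sightings: what each party observes during one session.
    shop1 = {"addr": dev.session_address(), "id": dev.pseudonym("shop.example")}
    shop2 = {"addr": dev.session_address(), "id": dev.pseudonym("shop.example")}
    clinic = {"addr": dev.session_address(), "id": dev.pseudonym("clinic.example")}
    passive = {"addr": dev.session_address()}  # nothing released by the citizen
    return {
        "same_site": linkable(shop1, shop2),
        "cross_site": linkable(shop1, clinic),
        "passive": linkable(shop1, passive),
    }


if __name__ == "__main__":
    print("persistent identifier:", scenario(True))
    print("contextual-only:      ", scenario(False))
```

With a persistent address every sighting links to every other; with per-session addresses and per-context pseudonyms only the two visits to the same site link, and only because the holder released that site's identifier.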

It is clear that the telecommunications industry is still controlled by gatekeeper thinking, even long after this has proven a massive failure. Bad wireless standards are feeding control to the horizontal OTT infrastructure, where profit streams originate from systemic profiling of citizens and companies across non-related sessions. This is a Data Retention problem that has been judged clearly illegal and incompatible with the EU Charter by courts. As such, the 5G standardization process (e.g. @5GPPP and the 5G cartel) has both ignored and not invested in security beyond systemic surveillance. In other words, taxpayers' money has essentially - through the EU - been feeding illegal data retention activities.

But even though the actual security alternatives have clearly been suppressed in investments, this does NOT mean that standards should not assume these solutions can, will and must emerge. By deliberately preventing alternatives ("mandatory"), the 5G standard functions as an illegal antitrust cartel that prevents innovation in a direction that would prevent systemic tracking of citizens and devices, which would call for large fines as obvious violations of both EU anti-competition regulation and GDPR/ePrivacy.

You could now say that we should just wait and let Margrethe Vestager issue the predictable fines. But this misses the point, as we will still be caught in decades of MASSIVE BAD INVESTMENTS in insecure surveillance-by-design 5G technologies, which in the best case will cause massive damage to the European economy and to trust in an already precarious situation.

My point - and the sole reason for this article - is that the ePrivacy discussion and reform need to get back to focusing on the core point and raison d'être: to require telco standards to ensure basic communication can be established WITHOUT transfer of control from citizens to surrounding infrastructure or passive wiretapping.

5G standards as-is are ENABLING terrorism

Where I would claim 5G should be considered critical infrastructure, and thus particular attention to security should be emphasized, we instead see standards DELIBERATELY undermining security, even though we already know that e.g. US drones use the lack of security to direct missiles. The use of e.g. leaking wireless identifiers is rapidly becoming normal in commercial tracking and targeting.

Point is - it is only a matter of time until even terrorists do the same, as this represents a certain, cheap and effective targeting system to attack particular targets including VIPs.

I informed the EU about this and demonstrated it more than 10 years ago, but they continued to make the same basic security mistakes. I even published it as a commercial business case, "Bombs for Hire" (slide 8), as part of the EU's 50-year anniversary. Bombs for hire (no security without privacy)