<p>On the Quest for a Digital Renaissance - Security</p>
<h1>ePrivacy debate is missing the basics - ends up helping criminals and anti-trust operations</h1>
<p>Stephan Engberg, 2017-04-25 (updated 2017-04-26). Tags: Security, Data Security, ePrivacy, EUs 50 years anniversary, GDPR, Identification</p>
<h2>ePrivacy is part of GDPR</h2>
<p>ePrivacy addresses the low-level aspect of GDPR: can citizens and devices be
identified, are they in fact identified, and are they thereby trackable in the
first place?</p>
<p>Where GDPR addresses data as such, ePrivacy focuses on the technology and
telecommunications: what happens when someone other than the citizen accesses
or collects data from basic devices and entities. People are also devices in
this sense, as they communicate and have sensitive "identifiers" (biometrics
are sensitive data which cannot be collected according to GDPR article 9).</p>
<h2>The ePrivacy debate is missing the core issue</h2>
<p>Much of the debate on ePrivacy is mistakenly conducted as a repeat of the
GDPR discussion (which is fixed), as commercial providers focus on access to
track and collect sensitive data without consent or with merely the illusion
of consent.</p>
<p>On one hand, this is understandable as consent is hard and in some instances
almost impossible.</p>
<p>Informed Consent is increasingly meaningless in a digital world, where data
are (ab)used for a myriad of purposes that grow almost exponentially. In
addition, expressing consent PRIOR to collection is literally meaningless when
data collection has already happened by the time the question is asked. The
Internet of Things represents scenarios where this problem scales to the
extreme, with constant tracking of devices based on their leakage of
identifiers (MAC or other device identifiers or addresses).</p>
<p>On the other hand, this is the EXACT reason and justification for ePrivacy,
as it addresses the question of HOW basic telecommunication occurs.</p>
<h2>The KEY question and raison d'être of ePrivacy is to require sustainable
telco standards.</h2>
<p>The existing ePrivacy regulation has been effectively sabotaged by
commercial interests reducing the issue to a statement, "Here we track you and
you consent simply by using our site", which is essentially a tracking wall
mocking informed consent.</p>
<p>But we also saw the existing ePrivacy beginning to work as standards are
changing. Bluetooth, RFID and Wi-Fi have all seen modifications in the
direction of eliminating persistent identifiers, whereby basic communication
does not involve collecting device and personal data, since neither can be
recognized from session to session. In such a technical setup, Informed Consent
can PRECEDE collection, i.e. the citizen can CHOOSE to release a Customer # or
other identifier known to the site without releasing persistent identifiers
linking the citizen/device across purposes.</p>
<p>If the citizen, for some strange or peculiar reason, actually wants
surveillance, she can always release a persistent identifier such as a Device
MAC or reused communication address (equivalent to or easily linkable to a
social security number etc.). But, at least in principle, with the proper
technologies applying Privacy by Design, she can also avoid doing so and
maintain the integrity of purpose-specification and control of data.</p>
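<p>The difference between the two setups described above, as an added example that is not part of the original article. It assumes a per-session random link-layer address and a per-site Customer # derived with HMAC from a secret that stays on the device; the class, function and site names are hypothetical and the addresses are constructed.</p>

```python
import hashlib
import hmac
import secrets

def session_link_id() -> str:
    """Fresh random link-layer address: locally administered, unicast."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in raw)

class Device:
    def __init__(self, factory_mac: str):
        self.factory_mac = factory_mac          # persistent identifier
        self._secret = secrets.token_bytes(32)  # never leaves the device

    def customer_id(self, site: str) -> str:
        """Stable for one site, unlinkable to the id shown to any other site."""
        # Assumption of this example: HMAC(secret, site) as the derivation.
        tag = hmac.new(self._secret, site.encode(), hashlib.sha256)
        return tag.hexdigest()[:16]

    def hello(self, site: str, persistent: bool = False,
              consent: bool = False) -> dict:
        """Identifiers an observer sees when a session to `site` is set up."""
        link = self.factory_mac if persistent else session_link_id()
        seen = {"site": site, "link_id": link}
        if consent:  # the citizen chooses to be recognised by this site only
            seen["customer_id"] = self.customer_id(site)
        return seen

def linked_pairs(sessions: list) -> int:
    """Count session pairs that share an identifier and so can be linked."""
    count = 0
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            same_link = a["link_id"] == b["link_id"]
            same_cust = ("customer_id" in a
                         and a["customer_id"] == b.get("customer_id"))
            if same_link or same_cust:
                count += 1
    return count

def demo() -> tuple:
    dev = Device("00:11:22:33:44:55")  # constructed sample address
    visits = ["shop.example", "shop.example",
              "clinic.example", "clinic.example"]
    tracked = [dev.hello(s, persistent=True) for s in visits]
    unlinkable = [dev.hello(s) for s in visits]
    consented = [dev.hello(s, consent=(s == "shop.example")) for s in visits]
    return linked_pairs(tracked), linked_pairs(unlinkable), linked_pairs(consented)
```

<p>With the persistent address every pair of sessions links, across both sites; with per-session addresses nothing links unless the citizen releases the Customer #, and then only the sessions at that one site.</p>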
<h2>5G represents the test of ePrivacy reform</h2>
<p>The ePrivacy reform faces an easy upfront test. 5G is entering the final
stage of standardization.</p>
<p>Presently the standard works with the principle of enforced Data Retention
in the sense of "Mandatory Endpoint Identification", meaning that all
communication according to 5G will involve the network spying on devices and
thus citizens.</p>
<p>If this happens, the EU faces a cartel-enforced data-retention regime until
the next major change of standards, which is assumed to be VERY far off (at
least decades). In that case, not only will the collapse of both ePrivacy and
GDPR be almost ensured, but there will also be a MASSIVE negative impact on the
value-creation of otherwise impressive technologies able to provide huge
improvements in wireless communication.</p>
<h2>The win-win alternative which ePrivacy MUST enforce</h2>
<p>The sustainable alternative would be security and identity established as
contextual-only, i.e. mechanisms where basic infrastructure maintains
unlinkability unless explicitly desired otherwise BY the citizen.</p>
<p>It is clear that the telecommunications industry is still controlled by
gatekeeper thinking, even long after this has proven a massive failure. Bad
wireless standards are feeding control to the horizontal OTT infrastructure,
where profit-streams originate from systemic profiling of citizens and
companies across non-related sessions. This is a Data Retention problem that
has been judged clearly illegal and non-compatible with the EU Charter by
courts. As such, the 5G standardization process (such as e.g. @5GPPP and the
5G cartel) has both ignored and not invested in security beyond systemic
surveillance. In other words, taxpayers' money has essentially, through the
EU, been feeding illegal data retention activities.</p>
<p>But even though investment in the actual security alternatives has clearly
been suppressed, this does NOT mean that standards should not assume that
these solutions can, will and must emerge. By deliberately preventing
alternatives ("mandatory"), the 5G standard functions as an illegal antitrust
cartel that prevents innovation in a direction that would prevent systemic
tracking of citizens and devices. This would call for large fines as obvious
violations of both EU anti-competition regulation and GDPR/ePrivacy.</p>
<p>You can now say that we should just wait and let Margrethe Vestager issue
the predictable fines. But this misses the point, as we will still be caught in
decades of MASSIVE BAD INVESTMENTS in insecure surveillance-by-design 5G
technologies, which in the best case will cause massive damage to the European
economy and to trust in an already precarious situation.</p>
<p>My point, and the sole reason for this article, is that the ePrivacy
discussion and reform need to get back to focusing on the core point and
raison d'être: to require telco standards to ensure basic communication can be
established WITHOUT transfer of control from citizens to surrounding
infrastructure or passive wiretapping.</p>
<h2>5G standards as-is are ENABLING terrorism</h2>
<p>Where I would claim 5G should be considered critical infrastructure, and
thus particular attention to security should be emphasized, we instead see
standards DELIBERATELY undermining security, even though we already know that
e.g. US drones use the lack of security to direct missiles. The use of e.g.
leaking wireless identifiers is rapidly becoming normal in commercial tracking
and targeting.</p>
<p>Point is, it is only a matter of time until even terrorists do the same, as
this represents a certain, cheap and effective targeting system to attack
particular targets including VIPs.</p>
<p>I informed the EU about and demonstrated this more than 10 years ago, but
they continued to make the same basic security mistakes. I even published it as a
commercial business case "Bombs for Hire" (slide 8) as part of <a href="https://blog.privacytrust.eu/public/EU_SRC07_Engberg_20070326.pdf" hreflang="en">EUs 50 years
anniversary</a>. <img src="https://blog.privacytrust.eu/public/Graphics/.Bombs_for_hire_m.jpg" alt="Bombs for hire (no security without privacy)" title="Bombs for hire (no security without privacy), Apr 2017" /></p>