[MyData & Open Data] This man thinks big data and privacy can co-exist, and here's his plan

stef s at ctrlc.hu
Thu Aug 29 08:59:28 UTC 2013


ohi,

On Wed, Aug 28, 2013 at 11:39:28PM +0100, William Heath wrote:
> Thanks Sam; thanks for the ref Andy. Stef: re your concerns: in broad
> design terms when an individual uses Mydex to create a personal data store

thanks William for your response, i have some more doubts, sorry for dumping
them, but i think they're important concerns.

> they create their own key, and they alone hold it. So initially the
> individual encrypts the data with a passphrase only they know.
> Since Mydex itself does not hold the key this protects against the insider
> threat or superinjunction. It does mean the user is stuck if they lose
> their key and has to start again. The architecture will support an
> escalation of access control (eg adding a voice biometric).

i guess that does imply you do javascript crypto? reopening the whole
cryptocat debate, how you cannot provide confidentiality, integrity in the
browser.
see for more details on cryptocat:
http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html
more general why this doesn't work:
http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/all/
and why javascript does not work with crypto in most general:
http://www.matasano.com/articles/javascript-cryptography/
and
http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/

i understand there's a lot of webdevs running around armed with technologies
to build services to exploit ipad wielding customers. but these technologies
have been built for exploitation, not for protection of these customers. first
we need completely new browsers. i mean mozilla doesn't even sign their
releases, how can you trust your browser at all? we are very far from this:
https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
where there's even but some effort into doing trusted builds of binaries.

> In terms of jurisdiction Mydex is a Community Interest Company registered
> in Scotland. Data is currently hosted in the UK.

sorry, i don't understand the nuances of Community Interest Companies, but
post snowden and post miranda, the uk cannot be trusted i believe for any data
passing through it.

sorry for all these depressing views, but it is much worse than we still
believe.

-- 
pgp: https://www.ctrlc.hu/~stef/stef.gpg
pgp fp: FD52 DABD 5224 7F9C 63C6  3C12 FC97 D29F CA05 57EF
otr fp: https://www.ctrlc.hu/~stef/otr.txt



