[MyData & Open Data] OKF Finland My data workshop

stef s at ctrlc.hu
Mon Apr 7 21:04:24 UTC 2014


howdy,

On Mon, Apr 07, 2014 at 11:57:20AM +0100, Sally Deffor wrote:
> The OKF Finland workshop exploring the concept of MyData, privacy and  Data
> Protection Regulations begins in about 30 mins. The Keynote is by Mydex's
> William Heath (delivered in English). For those interested, you can get the
> live stream here: <http://new.livestream.com/ITstriimIT/MyData-2014-04-07/archives>

sadly i missed this. is there a recording that can be directly downloaded?

i was ignorant regarding mydex, but remembered that it was mentioned earlier,
so i started to click[1] around and came up with a few questions: 1.
technical, 2. legal and 3. business-related ones. here they go:

1. technical

on https://mydex.org/for-individuals/ under "Security" it states:

> All the data on your Personal Data Store is encrypted to the highest
> industry standards. 

which are these? under https://mydex.org/about/our-credentials/ i only found a
reference to iso27001, which is not so much a guarantee for security, but
rather a fig leaf in case of lawsuits. 

are there specs detailing the exact protocols being deployed? are there any
scientific research papers proving and attacking the system? what is the
adversary and threat model of this system (e.g. "lil' sis", "big bro" style
adversaries)?

has there been any research into attribute based certificates by mydex? is it
on the roadmap? if not, why?
relevant links:
  - http://primelife.ercim.eu/results/opensource/55-identity-mixer
  - https://github.com/p2abcengine/p2abcengine
  - http://www.futureid.eu/
lots more relevant links: https://abc4trust.eu/index.php/home/related-projects

is there any insurance if the stored data leaks somehow anyway? would mydex
pay the victims? how much? would this come from public funds or does mydex
have other assets as guarantees? How much does a new identity cost if an old
one gets compromised?

2. legal

according to
http://openidentityexchange.org/trust-frameworks/mydex-trust-framework
> The Mydex Trust Framework is a set of legal and technical rules by which
> members of a network agree to operate in order to achieve trust online. 

how can these legal rules be enforced in different jurisdictions? how are the
legal rules protecting the data in a regime where anti-terrorist laws allow
for exceptions under gag orders and sanctions for not revealing encryption
keys? http://www.sapientproject.eu/ might be relevant.

further it states on the same page:
> As part of the Mydex Trust Framework is an open API ...

is this an open standard? how open would it rank according to heading 4 in
http://www.csrstds.com/openstds.html ? does a free software reference
implementation exist?

3. business

on: https://mydex.org/the-role-of-personal-data-stores/
> Personal information
>
> Individuals must be able to volunteer and input information about their
> specific needs, circumstances, preferences and priorities. This personal
> information is the grain of sand around which pearls of value are assembled.
> It’s how the right information, products and services can be supplied to the
> right individuals, in the right ways at the right time.
> What Mydex offers the individual & organisations
>
> Mydex provides a platform for the safe, secure storage, access and
> permission-driven sharing of this information. This doesn’t only benefit the
> individual, it benefits every organisation supplying that individual with
> products and services too, whether in the public or private sectors.

what exactly is the business model? how much is the business model dependent
on privacy regulation? (e.g. if you only handle end-to-end encrypted attribute
based credentials and the user can use whatever client he chooses, you have a
quite sound mathematical argument that this data itself is not personal data)

looking at the various partners of mydex by following their credentials at
https://mydex.org/about/our-credentials/
  - OIX http://openidentityexchange.org/about
  - and the partners in http://pde.cc/directory/

makes me feel that mydex is a perfect case study to be very diligently
scrutinized before any trust and access to personal data should be granted.

https://netzpolitik.org/wp-upload/passwordcat.jpg :)

i hope to see the recording of the event today, to understand whether and how
mydex considers privacy and Data Protection Regulations assets or liabilities.

cheers, s

[1] while clicking around i did some cursory checks: the site immediately
leaks visitor information to at least 6 3rd-party providers, some outside EU
data protection jurisdiction. even the cookie permission widget is hosted at a
3rd party, and despite my disagreeing it stores a php session id in my browser.
looking at the ssl cert i have a feeling this is some default setting
(https://www.ssllabs.com/ssltest/analyze.html?d=mydex.org) that could be
improved as well.

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt
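An added example (not part of stef's mail, nor code from Mydex) of the kind of cursory first-party vs. third-party audit footnote [1] describes: it lists the external hosts a page load would contact and the cookies set on a first visit, before any consent. The HTML, the response headers and all hostnames are constructed placeholders.

```python
# Added example: cursory privacy audit of a page load (constructed sample data).
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; every hostname is an illustrative placeholder.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://static.example.org/site.css">
<script src="https://cdn.analytics-provider.example/track.js"></script>
<script src="//cookie-consent.example/widget.js"></script>
</head><body>
<img src="/logo.png"><img src="https://pixel.ads.example/p.gif">
<iframe src="https://social.example.net/like"></iframe>
</body></html>"""

# Constructed response headers of the very first request, i.e. before consent.
SAMPLE_HEADERS = [
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
    ("Set-Cookie", "lang=en; path=/; Secure; HttpOnly"),
]


class ResourceCollector(HTMLParser):
    """Collect every URL the browser fetches automatically on page load."""
    ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def is_third_party(host, first_party):
    """First-party means the site itself or one of its subdomains."""
    return not (host == first_party or host.endswith("." + first_party))


def third_party_hosts(html, first_party):
    """Sorted list of external hosts contacted by loading the page."""
    parser = ResourceCollector()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        host = urlparse(url).hostname  # None for relative URLs such as /logo.png
        if host and is_third_party(host, first_party):
            hosts.add(host)
    return sorted(hosts)


def cookies_set_before_consent(headers):
    """Names of cookies the server sets on the first, consent-free response."""
    return [v.split("=", 1)[0].strip() for k, v in headers if k.lower() == "set-cookie"]
```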


