[MyData & Open Data] OKF Finland My data workshop

Phil Booth phil at einsteinsattic.com
Mon Apr 7 21:27:38 UTC 2014


Hi Stef,

Might I suggest you get in touch with William Heath, chair of Mydex's Board, or David Alexander, Mydex CEO, who I'm sure would be happy to answer (and learn from) your questions. William is william at mydex.org and David is david at mydex.org  

Cheers,

Phil (independent adviser to Mydex, amongst other things!)

-----Original Message-----
From: mydata-open-data [mailto:mydata-open-data-bounces at lists.okfn.org] On Behalf Of stef
Sent: 07 April 2014 22:04
To: mydata-open-data at lists.okfn.org
Subject: Re: [MyData & Open Data] OKF Finland My data workshop

howdy,

On Mon, Apr 07, 2014 at 11:57:20AM +0100, Sally Deffor wrote:
> The OKF Finland workshop exploring the concept of MyData, privacy and  
> Data Protection Regulations begins in about 30 mins. The Keynote is by 
> Mydex's William Heath (delivered in English). For those interested, 
> you can get the live stream 
> here<http://new.livestream.com/ITstriimIT/MyData-2014-04-07/archives>

sadly i missed this. is there a recording that can be directly downloaded?

i was ignorant regarding mydex, but remembered that it was mentioned earlier, i started to click[1] around and came up with a few questions regarding: 1.
technical, 2.  legal and 3rd business related ones, here they go:

1. technical

on https://mydex.org/for-individuals/ Security it states:

> All the data on your Personal Data Store is encrypted to the highest 
> industry standards.

which are these? under https://mydex.org/about/our-credentials/ i only found a reference to iso27001, which is not so much a guarantee for security, but rather a fig leaf in case of lawsuits. 

are there specs detailing the exact protocols being deployed? is there any scientific research papers proving and attacking the system? what is the adversary and threat model of this system (e.g.  "lil' sis", "big bro" style adversaries).

has there been any research into attribute based certificates by mydex? is it on the roadmap? if not, why?
relevant links: http://primelife.ercim.eu/results/opensource/55-identity-mixer
https://github.com/p2abcengine/p2abcengine
http://www.futureid.eu/
lots more relevant links: https://abc4trust.eu/index.php/home/related-projects

is there any insurance if the stored data leaks somehow anyway? would mydex pay the victims? how much? would this come from public funds or does mydex have other assets as guarantees? How much does a new identity cost if an old one gets compromised?

2. legal

according to
http://openidentityexchange.org/trust-frameworks/mydex-trust-framework
> The Mydex Trust Framework is a set of legal and technical rules by 
> which members of a network agree to operate in order to achieve trust online.

how can these legal rules be enforced in different jurisdictions? how are the legal rules protecting the data in a regime where anti-terrorist laws allow for exceptions under gag orders and sanctions for not revealing encryption keys? http://www.sapientproject.eu/ might be relevant.

further it states on the same page:
> As part of the Mydex Trust Framework is an open API ...

is this an open standard? how open would it rank according to heading 4 in http://www.csrstds.com/openstds.html ? does a free software reference implementation exist?

3. business

on: https://mydex.org/the-role-of-personal-data-stores/
> Personal information
>
> Individuals must be able to volunteer and input information about 
> their specific needs, circumstances, preferences and priorities. This 
> personal information is the grain of sand around which pearls of value are assembled.
> It’s how the right information, products and services can be supplied 
> to the right individuals, in the right ways at the right time.
> What Mydex offers the individual & organisations
>
> Mydex provides a platform for the safe, secure storage, access and 
> permission-driven sharing of this information. This doesn’t only 
> benefit the individual, it benefits every organisation supplying that 
> individual with products and services too, whether in the public or private sectors.

what exactly is the business model? how much is the business model dependent on privacy regulation? (e.g. if you only handle end-to-end encrypted attribute based credentials and the user can use whatever client he chooses, you have a quite sound mathematical argument that this data itself is not personal data)

looking at the various partners of mydex by following their credentials at https://mydex.org/about/our-credentials/
  - OIX http://openidentityexchange.org/about
  - and the partners in http://pde.cc/directory/

makes me feel, that mydex is a perfect case-study to be very diligently scrutinized before any trust and access to personal data should be granted.

https://netzpolitik.org/wp-upload/passwordcat.jpg :)

i hope to see the recording of the event today, to understand whether and how mydex considers privacy and Data Protection Regulations assets or liabilities.

cheers,s

[1] while clicking around i did some cursory checks: the site immediately leaks visitor information to at least 6 3rd party providers, some outside EU data protection jurisdiction. even the cookie permission widget is hosted at a 3rd party. and despite me disagreeing it stores a phpsession id on my browser.
looking at the ssl cert i have a feeling this is some default setting https://www.ssllabs.com/ssltest/analyze.html?d=mydex.org that could be improved as well.

--
otr fp: https://www.ctrlc.hu/~stef/otr.txt
_______________________________________________
mydata-open-data mailing list
mydata-open-data at lists.okfn.org
https://lists.okfn.org/mailman/listinfo/mydata-open-data


-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2014.0.4355 / Virus Database: 3722/7312 - Release Date: 04/07/14




More information about the mydata-open-data mailing list