[MyData & Open Data] OKF Finland My data workshop

Erik Josefsson erik.hjalmar.josefsson at gmail.com
Mon Apr 7 22:50:55 UTC 2014


On 04/07/2014 11:04 PM, stef wrote:
> howdy,
> 
> On Mon, Apr 07, 2014 at 11:57:20AM +0100, Sally Deffor wrote:
>> The OKF Finland workshop exploring the concept of MyData, privacy and Data
>> Protection Regulations begins in about 30 mins. The Keynote is by Mydex's
>> William Heath (delivered in English). For those interested, you can get the
>> live stream here<http://new.livestream.com/ITstriimIT/MyData-2014-04-07/archives>
> 
> sadly i missed this. is there a recording that can be directly downloaded?

I saw some of it. Most was in Finnish!

Was good to see EPFSUG Patron Nils Torvalds speak :-)

//Erik

> i was ignorant regarding mydex, but remembered that it was mentioned earlier,
> i started to click[1] around and came up with a few questions regarding: 1.
> technical, 2. legal and 3. business related ones, here they go:
> 
> 1. technical
> 
> on https://mydex.org/for-individuals/ Security it states:
> 
>> All the data on your Personal Data Store is encrypted to the highest
>> industry standards. 
> 
> which are these? under https://mydex.org/about/our-credentials/ i only found a
> reference to iso27001, which is not so much a guarantee for security, but
> rather a fig leaf in case of lawsuits. 
> 
> are there specs detailing the exact protocols being deployed? are there any
> scientific research papers proving and attacking the system? what is the
> adversary and threat model of this system (e.g. "lil' sis", "big bro" style
> adversaries).
> 
> has there been any research into attribute based certificates by mydex? is it
> on the roadmap? if not, why?
> relevant links: http://primelife.ercim.eu/results/opensource/55-identity-mixer
> https://github.com/p2abcengine/p2abcengine
> http://www.futureid.eu/
> lots more relevant links: https://abc4trust.eu/index.php/home/related-projects
> 
> is there any insurance if the stored data leaks somehow anyway? would mydex
> pay the victims? how much? would this come from public funds or does mydex
> have other assets as guarantees? How much does a new identity cost if an old
> one gets compromised?
> 
> 2. legal
> 
> according to
> http://openidentityexchange.org/trust-frameworks/mydex-trust-framework
>> The Mydex Trust Framework is a set of legal and technical rules by which
>> members of a network agree to operate in order to achieve trust online. 
> 
> how can these legal rules be enforced in different jurisdictions? how are the
> legal rules protecting the data in a regime where anti-terrorist laws allow
> for exceptions under gag orders and sanctions for not revealing encryption
> keys? http://www.sapientproject.eu/ might be relevant.
> 
> further it states on the same page:
>> As part of the Mydex Trust Framework is an open API ...
> 
> is this an open standard? how open would it rank according to heading 4 in
> http://www.csrstds.com/openstds.html ? does a free software reference
> implementation exist?
> 
> 3. business
> 
> on: https://mydex.org/the-role-of-personal-data-stores/
>> Personal information
>>
>> Individuals must be able to volunteer and input information about their
>> specific needs, circumstances, preferences and priorities. This personal
>> information is the grain of sand around which pearls of value are assembled.
>> It’s how the right information, products and services can be supplied to the
>> right individuals, in the right ways at the right time.
>>
>> What Mydex offers the individual & organisations
>>
>> Mydex provides a platform for the safe, secure storage, access and
>> permission-driven sharing of this information. This doesn’t only benefit the
>> individual, it benefits every organisation supplying that individual with
>> products and services too, whether in the public or private sectors.
> 
> what exactly is the business model? how much is the business model dependent
> on privacy regulation? (e.g. if you only handle end-to-end encrypted attribute
> based credentials and the user can use whatever client he chooses, you have a
> quite sound mathematical argument that this data itself is not personal data)
> 
> looking at the various partners of mydex by following their credentials at
> https://mydex.org/about/our-credentials/
>   - OIX http://openidentityexchange.org/about
>   - and the partners in http://pde.cc/directory/
> 
> makes me feel, that mydex is a perfect case-study to be very diligently
> scrutinized before any trust and access to personal data should be granted.
> 
> https://netzpolitik.org/wp-upload/passwordcat.jpg :)
> 
> i hope to see the recording of the event today, to understand whether and how
> mydex considers privacy and Data Protection Regulations assets or liabilities.
> 
> cheers,s
> 
> [1] while clicking around i did some cursory checks: the site immediately
> leaks visitor information to at least 6 3rd party providers, some outside EU
> data protection jurisdiction. even the cookie permission widget is hosted at a
> 3rd party. and despite me disagreeing it stores a phpsession id on my browser.
> looking at the ssl cert i have a feeling this is some default setting
> https://www.ssllabs.com/ssltest/analyze.html?d=mydex.org that could be
> improved as well.
> 
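
Added example, not part of the original message and not code from Mydex or the poster: a small Python version of the cursory checks described in footnote [1], listing the third-party hosts a page pulls resources from and the cookies a response sets although consent was declined. The page URL, HTML, hostnames and cookie value are constructed sample data, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Constructed sample data (hypothetical hosts), not taken from any real site.
SAMPLE_URL = "https://pds.example.org/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://other.example.com/">
<script src="//widgets.example.net/cookie-consent.js"></script>
<script src="https://stats.example.com/track.js"></script>
</head><body>
<img src="https://static.pds.example.org/logo.png">
<iframe src="https://social.example.net/button"></iframe>
</body></html>"""
SAMPLE_SET_COOKIE = ["PHPSESSID=abc123; path=/; HttpOnly"]

# Tags whose URL attribute makes the browser fetch a resource on page load.
AUTOLOAD = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # <link> only triggers a fetch for stylesheets, not e.g. rel=canonical.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        value = a.get(AUTOLOAD.get(tag, ""))
        if value:
            self.urls.append(urljoin(self.page_url, value))

def third_party_hosts(page_url, html):
    """Hosts the browser contacts that are not the page's host or a subdomain."""
    first = urlsplit(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    hosts = {urlsplit(u).hostname for u in collector.urls}
    return sorted(h for h in hosts
                  if h and h != first and not h.endswith("." + first))

def cookies_without_consent(set_cookie_headers, consent_given):
    """Names of cookies the server set even though the visitor declined."""
    if consent_given:
        return []
    return [n for h in set_cookie_headers for n in SimpleCookie(h).keys()]
```

This only sees resources referenced in the static HTML; hosts contacted by scripts at run time need a browser network capture instead.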




More information about the mydata-open-data mailing list