[MyData & Open Data] OKF Finland My data workshop

Sam Smith s at msmith.net
Mon Apr 7 22:53:22 UTC 2014


William is on the list, and I expect he'll reply, but he'll currently be travelling back from Finland.


Sam

On 7 Apr 02014, at 22:27, Phil Booth <phil at einsteinsattic.com> wrote:

> Hi Stef,
> 
> Might I suggest you get in touch with William Heath, chair of Mydex's Board, or David Alexander, Mydex CEO, who I'm sure would be happy to answer (and learn from) your questions. William is william at mydex.org and David is david at mydex.org  
> 
> Cheers,
> 
> Phil (independent adviser to Mydex, amongst other things!)
> 
> -----Original Message-----
> From: mydata-open-data [mailto:mydata-open-data-bounces at lists.okfn.org] On Behalf Of stef
> Sent: 07 April 2014 22:04
> To: mydata-open-data at lists.okfn.org
> Subject: Re: [MyData & Open Data] OKF Finland My data workshop
> 
> howdy,
> 
> On Mon, Apr 07, 2014 at 11:57:20AM +0100, Sally Deffor wrote:
>> The OKF Finland workshop exploring the concept of MyData, privacy and  
>> Data Protection Regulations begins in about 30 mins. The Keynote is by 
>> Mydex's William Heath (delivered in English). For those interested, 
>> you can get the live stream 
>> here<http://new.livestream.com/ITstriimIT/MyData-2014-04-07/archives>
> 
> sadly i missed this. is there a recording that can be directly downloaded?
> 
> i was ignorant regarding mydex, but remembered that it was mentioned earlier, i started to click[1] around and came up with a few questions regarding: 1. technical, 2. legal and 3rd business related ones, here they go:
> 
> 1. technical
> 
> on https://mydex.org/for-individuals/ Security it states:
> 
>> All the data on your Personal Data Store is encrypted to the highest 
>> industry standards.
> 
> which are these? under https://mydex.org/about/our-credentials/ i only found a reference to iso27001, which is not so much a guarantee for security, but rather a fig leaf in case of lawsuits. 
> 
> are there specs detailing the exact protocols being deployed? are there any scientific research papers proving and attacking the system? what is the adversary and threat model of this system (e.g. "lil' sis", "big bro" style adversaries).
> 
> has there been any research into attribute based certificates by mydex? is it on the roadmap? if not, why?
> relevant links: http://primelife.ercim.eu/results/opensource/55-identity-mixer
> https://github.com/p2abcengine/p2abcengine
> http://www.futureid.eu/
> lots more relevant links: https://abc4trust.eu/index.php/home/related-projects
> 
> is there any insurance if the stored data leaks somehow anyway? would mydex pay the victims? how much? would this come from public funds or does mydex have other assets as guarantees? How much does a new identity cost if an old one gets compromised?
> 
> 2. legal
> 
> according to
> http://openidentityexchange.org/trust-frameworks/mydex-trust-framework
>> The Mydex Trust Framework is a set of legal and technical rules by 
>> which members of a network agree to operate in order to achieve trust online.
> 
> how can these legal rules be enforced in different jurisdictions? how are the legal rules protecting the data in a regime where anti-terrorist laws allow for exceptions under gag orders and sanctions for not revealing encryption keys? http://www.sapientproject.eu/ might be relevant.
> 
> further it states on the same page:
>> As part of the Mydex Trust Framework is an open API ...
> 
> is this an open standard? how open would it rank according to heading 4 in http://www.csrstds.com/openstds.html ? does a free software reference implementation exist?
> 
> 3. business
> 
> on: https://mydex.org/the-role-of-personal-data-stores/
>> Personal information
>> 
>> Individuals must be able to volunteer and input information about 
>> their specific needs, circumstances, preferences and priorities. This 
>> personal information is the grain of sand around which pearls of value are assembled.
>> It’s how the right information, products and services can be supplied 
>> to the right individuals, in the right ways at the right time.
>> What Mydex offers the individual & organisations
>> 
>> Mydex provides a platform for the safe, secure storage, access and 
>> permission-driven sharing of this information. This doesn’t only 
>> benefit the individual, it benefits every organisation supplying that 
>> individual with products and services too, whether in the public or private sectors.
> 
> what exactly is the business model? how much is the business model dependent on privacy regulation? (e.g. if you only handle end-to-end encrypted attribute based credentials and the user can use whatever client he chooses, you have a quite sound mathematical argument that this data itself is not personal data)
> 
> looking at the various partners of mydex by following their credentials at https://mydex.org/about/our-credentials/
>  - OIX http://openidentityexchange.org/about
>  - and the partners in http://pde.cc/directory/
> 
> makes me feel, that mydex is a perfect case-study to be very diligently scrutinized before any trust and access to personal data should be granted.
> 
> https://netzpolitik.org/wp-upload/passwordcat.jpg :)
> 
> i hope to see the recording of the event today, to understand whether and how mydex considers privacy and Data Protection Regulations assets or liabilities.
> 
> cheers,s
> 
> [1] while clicking around i did some cursory checks: the site immediately leaks visitor information to at least 6 3rd party providers, some outside EU data protection jurisdiction. even the cookie permission widget is hosted at a 3rd party. and despite me disagreeing it stores a phpsession id on my browser.
> looking at the ssl cert i have a feeling this is some default setting https://www.ssllabs.com/ssltest/analyze.html?d=mydex.org that could be improved as well.
> 
> --
> otr fp: https://www.ctrlc.hu/~stef/otr.txt
> _______________________________________________
> mydata-open-data mailing list
> mydata-open-data at lists.okfn.org
> https://lists.okfn.org/mailman/listinfo/mydata-open-data
> 
> 



