Data | Ethics | Governance

The Principled Data News Review

  • 2017, August 26, SSRN, “Regulating Online Content Moderation” — a very interesting paper.  It comes at a good time considering the debate about the fate of The Daily Stormer.
  • 2017, August 25, SSRN, “Sovereignty in Cyberspace: Lex Lata Vel Non?” — hmm, sovereignty in something so ephemeral as cyberspace?  Certainly there are physical objects that exist within a country, but the essence that these physical objects give rise to is decidedly not subject to any single country.  Perhaps the greatest control a State has when it comes to cyberspace is access.  I remember when I briefly lived in Shanghai back in 2005 – the Internet was unbelievably slow and VPNs rarely worked properly.  So basically, poor access.  I am sure the service is better now, but the restrictions still exist.  China retains is ‘sovereignty’ through a vast infrastructure of monitoring.  This seems insane to Western eyes, but I wonder how effective it is in preventing offensive cyber operations from outside China?
  • 2017, August 25, SSRN, “Beware the Slender Man: Intellectual Property and Internet Folklore” — wow, academic space for Internet memes!

So, Trump loses cyber security advisers.

Not much news today.

Encryption Everywhere?

I wonder if we should approach the issue of data security from the starting point that the internal network is a hostile environment?  Yes, we put up plenty of security measures to avoid a breach, but we also know that a breach is inevitable.  A user will click on a dodgy link, or an administrator will leave something un-patched or render a system in some other way, insecure.  Or, an insider does all the damage anyway.

An option is to use encryption in as many places as is feasible.  Encrypt databases as well as sensitive data.  Then just expect that everything else is in the public domain – not literally, but has the potential for it.

I’m not sure about the mechanics of this at the moment, but why not implement a software (or hardware) solution where users have a token (like a Yubikey) that ties them to their network permissions.  A user with access to aforementioned sensitive data or databases (which should be encrypted) obtain access with a hard-coded key that forms part of the hardware token.  Keys are backed up in a central location that is off the network.  Replacements and key management is done from an offline computer with an attached peripheral that ‘cuts’ new tokens.

This would also be an ideal solution to cloud access.  Maybe the hardware token could simply store the private key of the user?  The key would be stored and then the device would be set to read-only.