- 2017, September 14, NZ Herald, “Expert thoughts on the future of artificial intelligence and machine learning”
- 2017, September 13, Open Data Institute, “Why we need the Data Ethics Canvas”
- 2017, September 13, IMF, “Big Data: Potential, Challenges and Statistical Implications”
- 2017, September 13, American Banker, “Blockchain key to rethinking identity, avoiding next Equifax” — it’s great to see more people talking about the place for blockchain in improving identity (and by extension, data security), but (and I have done this too) there isn’t enough about how to make this work. The concept is appealing, but that is a very different thing to actual implementation and integration with existing systems.
- 2017, September 13, SSRN, “Cracks in the Armor: Legal Approaches to Encryption” — considering the high-profile debate on this subject, why don’t governments just focus on exploiting zero-day vulnerabilities that make encryption redundant? Software these days is full of them and government has access to source code. So, get your NSA/GCHQ/ASD/etc (indeed they are!) teams to work on the software. You will probably not win the argument to get back-doors. And indeed, I think the FBI worked around Apple by using an Israeli forensics firm. But this is the technical aspect. From a legal standpoint I guess an agency can access personal information if it has relevance for a case.
- 2017, September 13, SSRN, “Elite Political Ignorance” — elites are ignorant? Who would have guessed …
- 2017, September 13, European Parliament, “Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on ENISA, the ‘EU Cybersecurity Agency’” — interesting idea for centralising cyber security certification in the EU.
A Broader Encryption Issue
There is plenty of debate about whether government should have a back door to get access to encrypted data. My opinion at the moment leans on the ‘yes’ side. But I am not fully committed to the idea.
However, that aside … what about a bigger issue of society growing more dependent on encryption – the loss of access? If we move toward an infrastructure that maintains encryption for data at rest, in use and in transit, then we just move the vulnerability to a different place – the keys. We may have some assurance that data is secure and confidential, but we then rely on securing and backing up the decryption keys. Then you need another infrastructure to assure key security and integrity. Although, I think MFA helps here. Store the key on (multiple) hardware device(s) (like those by Yubico) and protect that with a PIN or passphrase.
Not long ago I faced the challenge of recovering data from a Western Digital external hard drive. Some (many?) of their models integrate hardware encryption so that the data is encrypted. Access is granted on the fly through a decryption module on the SATA-USB bridge. But what if the bridge is corrupted, you forget your password, or for whatever reason that part of the system fails? (That is what happened in my case.) I could pay at least $1000 to potentially have a data recovery company retrieve the data. But honestly, I found dealing with these companies akin to what it must feel like dealing with snake-oil boiler-room Ponzi schemes; i.e. it is shady, light on transparency and oversight, and it is difficult to get good information online.
Hardware encryption – or, encryption in general – seems like a good idea. Until it isn’t.