The rush towards encryption, authentication and Personal Identity Verification (PIV) is reaching fever pitch at present as data breaches hit the national and international news headlines and General Data Protection Regulation (GDPR) punishments up the financial ante, writes Jason Hunter. Certainly, data protection has never been higher on the political and business agendas.
Government bodies on both sides of the Atlantic have recently summoned Facebook founder Mark Zuckerberg for a grilling on how his company protects and uses people’s information since a data scandal exploded last month. The social media tech giant’s share price has dropped by almost 20% [at the time of writing] – in turn wiping more than £60 billion (ie $86 billion) off the company’s value – since the middle of March when The Observer broke the startling news of how the data of 87 million Facebook users was allegedly used to try to influence hugely important political outcomes.
The news stories were based on ‘whistleblower’ accounts from Christopher Wylie, the co-founder and former director of research at previously little-known firm Cambridge Analytica (CA), which is alleged to have obtained the user data unlawfully. This data was reported to have been ‘harvested’ by a Facebook ‘Personality App’ entitled thisisyourdigitallife created by Aleksandr Kogan, a Russian-American based at Cambridge University.
A Moldovan-born researcher, Kogan has admitted to harvesting the personal details of 30 million Facebook users via the App that he developed and has stated that he then passed the data to CA who assured him this was legal. Wylie told The Observer that the data Kogan obtained was used to influence the outcome of the US Presidential Election contested by Donald Trump and Hillary Clinton. It’s an allegation the firm vehemently denies.
Indeed, Wylie has claimed that the data were used not only to sway the opinions of voters in Trump’s successful Presidential bid, but also for elections in Kenya and Nigeria and even pro-Brexit campaigners here in the UK.
These claims gained some degree of credence when Channel 4 News broadcast undercover footage of CA executives – including CEO Alexander Nix – boasting that they could entrap politicians with bribes and other ploys. CA subsequently suspended Nix pending a full and thorough independent investigation process.
General Data Protection Regulation
All of this has been taking place at the same time as new data protection laws are set to come into force. The EU’s GDPR will take over from the Data Protection Directive 95/46/EC. It’s designed to harmonise data privacy laws across Europe, protect and empower all EU citizens’ data privacy and re-shape the way in which organisations across the region approach the subject of data privacy.
The GDPR was finally approved by the EU Parliament on 14 April 2016 after four years of preparation and debate, with an enforcement date set for 25 May 2018, after which time any non-compliant organisations face heavy fines. For the most serious infringements these fines can be as high as 4% of annual global turnover or €20 million, whichever is the greater.
To illustrate the ‘teeth’ of this new regulation, consider the fact that when the TalkTalk cyber breach occurred in October 2015, affecting nearly 157,000 customers in the process, the company was fined a record £400,000 by the Information Commissioner’s Office (just shy of the £500,000 maximum then available under the Data Protection Act 1998).
Under the GDPR, if that attack happened again, the business would face a potential penalty of up to £71 million.
Cyber security in the spotlight
Not a day goes by without another e-mail or letter from a bank, social media platform or publishing house informing me that I’m now ‘in control of my data’ and asking me to opt-in to continue to receive information from them via different communications channels. No wonder, then, that everyone I encounter in my day job is talking about cyber security, how they might protect their organisation from data breaches and hacks and how they can integrate cyber with their other protection systems and regular business processes.
At the very least, specifiers are demanding end-to-end encryption of data systems and bank or Government-level security and accreditation.
The FIDO (Fast IDentity Online) Alliance is an industry body that publishes open authentication standards – with Microsoft, Google, PayPal, Samsung, Intel, Visa and the UK Cabinet Office, among others, as its constituent members – and is recognised globally as the future of logical and physical access authentication. Access credentials are issued to mobile phones using the FIDO Universal Authentication Framework (UAF) protocol, which allows each user to select their preferred method of local user verification (PIN, fingerprint or iris) to unlock the credential. Unlike password or server-side biometric schemes, the FIDO UAF protocol doesn’t require the authenticating system to store user biometric or PIN information: the server holds only a public key, while the PIN or biometric is checked on the user’s personal device and never leaves it, either during enrolment or ongoing authentication.
As a business, we reinvest 15% to 20% of revenue generated on R&D, which represents almost one tenth of our workforce globally. We’re committed to two major software releases per annum.
We’ve partnered with Nok Nok Labs, a founding member of the FIDO Alliance, to ensure that our access products support PIN, fingerprint or iris biometric authentication when this is offered by users’ phones. The solution uses P-256 elliptic curve signatures (ECDSA), which provide roughly the 128-bit security level of AES-128: at enrolment the phone generates a key pair and registers only the public key with the system, and at each authentication the client device proves possession of the private key by signing a fresh challenge, which the system verifies against the stored public key. When an administrator configures two-factor authentication, the client’s private keys must be unlocked locally on the device by the user with the preferred method of authentication they’ve selected. This is consistent with the highest global standards, such as those exhibited by the Centre for the Protection of National Infrastructure, FIPS and Type 1A, and is suitable for meeting US Government-level PIV credentials for security requirements.
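The following Go program is an added illustration of the exchange the two preceding paragraphs describe; it is not Gallagher’s or Nok Nok Labs’ code and it is not the FIDO UAF wire protocol, whose message formats are more involved. It models a phone that generates a P-256 key pair, registers only the public key with the access-control server, and signs a server-issued challenge only after local user verification; the server verifies with the stored public key, binds each challenge to its own identifier and consumes it, so a captured signature cannot be replayed or redirected to another system. The user name, the relying-party identifier and the boolean standing in for the on-device PIN/biometric check are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's phone. The P-256 private key is generated
// here and never leaves the device; it will only sign once local user
// verification (PIN, fingerprint or iris) has succeeded.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	unlocked bool
}

// RelyingParty models the access-control server. It stores public keys and
// outstanding challenges only; it never sees a PIN or a biometric template.
type RelyingParty struct {
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Register generates the device key pair and returns the public half for enrolment.
func (a *Authenticator) Register() (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.priv = priv
	return &priv.PublicKey, nil
}

// Enrol binds a user identifier to the public key presented at registration.
func (rp *RelyingParty) Enrol(user string, pub *ecdsa.PublicKey) {
	rp.pubKeys[user] = pub
}

// Challenge issues 32 fresh random bytes and records them for one-time use.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Unlock records the outcome of local user verification. The PIN/biometric
// comparison itself happens on the device and is out of scope here (assumption).
func (a *Authenticator) Unlock(verified bool) {
	a.unlocked = verified
}

// message binds the challenge to the relying party's identifier so a signature
// obtained for one system cannot be presented to another.
func message(rpID string, challenge []byte) []byte {
	digest := sha256.Sum256(append([]byte(rpID+"\x00"), challenge...))
	return digest[:]
}

// Sign proves possession of the private key over the challenge, and refuses
// until the user has verified locally.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("user verification required before signing")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, message(rpID, challenge))
}

// Verify checks the signature against the enrolled public key and consumes the
// challenge, so the same signature cannot be accepted twice.
func (rp *RelyingParty) Verify(rpID, user string, sig []byte) error {
	challenge, ok := rp.pending[user]
	if !ok {
		return errors.New("no outstanding challenge (replay or out of order)")
	}
	delete(rp.pending, user)
	if !ecdsa.VerifyASN1(rp.pubKeys[user], message(rpID, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	phone, server := &Authenticator{}, NewRelyingParty()
	pub, _ := phone.Register()
	server.Enrol("alice", pub) // constructed user name
	c, _ := server.Challenge("alice")
	if _, err := phone.Sign("door.example", c); err != nil {
		fmt.Println("locked device:", err)
	}
	phone.Unlock(true) // constructed: the on-device PIN/biometric check succeeded
	sig, _ := phone.Sign("door.example", c)
	fmt.Println("first use:", server.Verify("door.example", "alice", sig))
	fmt.Println("replay:", server.Verify("door.example", "alice", sig))
}
```

Two points the code makes that the prose leaves implicit: the server must generate the challenge itself and forget it after one use, otherwise an attacker who captures a signature can reuse it; and the signed message must include the relying party's identity, otherwise a signature coaxed out of the phone by one system is valid at every other system that trusts the same public key.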
It now seems that the culture of many organisations has drifted a long way from respect for their customers (or data subjects, to make use of the jargon). The truth is the data they hold isn’t theirs. They are merely custodians for the data subject, whose property it remains.
Here’s another truth… Many of the technologies organisations rely on to protect data, such as encryption, are entirely bypassed by legitimate user access: encryption protects data at rest and in transit, but a user who is authorised to decrypt it can still copy, leak or misuse it. People usually cause data breaches, not technology.
It’s vital, then, that technology is supported by adequate awareness and training to enable legitimate users and custodians to both value data and protect it. Our message is clear: do everything you can to look after people’s data. Ignore the costs of not doing so at your reputational and financial peril.
Jason Hunter is Business Development Manager for Gallagher Security (Europe)