Mailfence at CPDP2018: A brief rundown!
In continuation to Mailfence at CPDP 2018, this blogpost will provide a brief run-down of our overall experience with regards to the event. Our team engaged with a number of privacy conscious users, academics, policy makers and digital rights activists at CPDP 2018. Mailfence is a secure and private email-suite that provides users full control over their data, and the CPDP2018 attendees found Mailfence a very useful and much-needed tool in this age of data surveillance.
Mailfence team not only engaged with the participants of CPDP2018, but also attended a number of conferences to better understand the issues relating to data privacy and security in general, and participate in the ongoing global policy discussion.
Following is a brief of some the conferences we attended:
Law Enforcement Access to E-Evidence: Challenges & Risks
The panel discussed the recent developments concerning police access to evidence stored in other jurisdictions, such as the Microsoft search warrant case. With the increase of cloud computing, data that can be valuable in resolving criminal cases may be stored in data centres abroad. Considering that territoriality and sovereignty used to stop at the border, how can law enforcement authorities now get (legal) access to data across the border, both between Member States and between the EU and third countries? What are the underlying challenges and risks for data protection? What is the role of tech companies? During the panel discussion this theme was explored from a policy, legal, and tech perspective.
Data Minimization by Design
In the age of data collection and harvesting, the notion of using minimalistic approach is highly needed. This includes minimizing data collection, disclosure, link-ability, centralization, replication and retention. It should be considered right from the beginning to build secure and private systems from ground-up.
Mailfence follows this approach by trying to keep only the most needed data, avoid possible disclosure and linkability. We do have a data redundant infrastructure to keep things decentralized while keeping data replication to the minimum. Last but not the least, we do have a data retention policy in place adhering to Belgian laws.
Anonymous Communications Infrastructures for the Protection of Meta-data
Since many legacy protocols were not designed with security and privacy in mind, Mailfence has long been an advocate of protecting meta-data along with end-to-end encrypted content. This is why we encourage users to use overlay networks (e.g., Tor) and other privacy enhancing solutions. However, existing privacy-oriented overlay networks do not satisfy the threat-models of all users, who often requires more privacy protection, which is where Panoramix comes into play.
Panoramix is an EU project, that uses the mix-net based approach to further enhance the security, privacy and anonymity of users in a given network. We look forward to more concrete developments, further public scrutiny, broader deployment and ways that will help us in integrating this to our application.
(Disruptive/enabling) Technologies, Ethics, and the GDPR
As artificial intelligence advances we see more and more autonomous systems working under highly capable neural networks. GPDR holds a great deal of space for regulating both data subjects and cloud entities. It also provides a foundation of data ethics and general practices that could assist in paving a path to better and ethically based designs in the future.
GDPR has many aspects, covering a wide range of subjects from controllers to processors. It also provides a framework that more or less will help organizations addressing data ethics. There is still a lot of work to be done, but existing technology can be used to smoothen up the GDPR adoption and compliance.
Privacy, Advertising and trust: can we have it all
Privacy and advertising are difficult to balance – and trust plays an important role. The business model of most of today’s gigantic IT companies rely on targeted advertising, resulting in a severe erosion of trust in the online ecosystem, while cementing the notion of ‘Free means you are the product’. Many efforts have been done by the community to combat this erosion, both in terms of creating privacy oriented solutions and advocating for likewise policies and regulation.
However, there is still a lot of work to be done in this area, e.g., making consent clear while taking it for the user. The challenge still lies in making a fair system, where both advertisers and businesses can attain a level-playing field without compromising the privacy of end-users. On the other hand, the toolbox of a novice to mid level user (e.g., browser, email client, add-ons/plugins, overlay networks, etc…) also has a major role to play. Based on Mailfence design philosophy, we not only support solutions that help users to regain privacy online, but advocate them as well.
Data protection challenges in humanitarian action
Algorithms and disruptive technologies that hold the potential of changing the landscape of present digital world come with a heap of data security and privacy challenges. Combine them with human right concerns, and the issue becomes severe. One such example is training Machine learning (ML) algorithms with multitude of data to make them efficient and productive. The data privacy element in such kind of practices generally takes the back-seat. In most cases, the data subjects are not even asked for consent that they are being used for training ML algorithms.
The first step is to implement data protection designs, and compliance (e.g., GDPR) with personal data protection standards. Like other areas, a lot of work needs to be done here too e.g., anonymizing data sets, and or taking clear and fair consents from the parties/data subjects whose data will be used in training ML algorithms etc.
National Security: A free license for government surveillance
This debate questioned whether government mass surveillance has more bad’s then perceived good’s. Since a universally accepted definition of national security does not exist, governments can go to any extent they want to sabotage user’s privacy. Not only is this true, but the fact the cyber tools that governments use for such blanket surveillance capabilities, can also fall into bad hands makes things worse. Another angle is the weakening of the existing encryption algorithms, so that governments can break them more easily. The underlying justification has always been to ensure the national security and safety of the citizens.
However, the community (academics, tech-specialists, human-rights activists, political dissidents, lawyers, etc…) have long been rejecting this proposal, as weakening encryption will weaken it for everybody and not only for pedophiles, terrorists, cyber-criminals, …etc Blanket surveillance limits citizen’s rights, particularly, data privacy and protection. While, the debate is still on-going. At Mailfence we believe the focus should also be on laying down a universally accepted definition of national security. A definition that does not restrict the citizen’s rights to data privacy and protection. A key element remains in the effective judicial laws and accountability frameworks to regulate covert-actions of governments.
Encryption of communications and e-evidence: Caspar Bowden political Panel
There are many types of e-evidence, that can be used in a court case. However, the weak element is the regulation regarding the collection of such evidence and usage within the boundaries of legal frameworks. Encryption has become a pivotal element of privacy and data protection since it contributes in preserving the confidentiality of communications. The GDPR does seem to set out a foundation for regulation of data privacy and protection both in EU and elsewhere, but how it will work in practice still needs to be seen.
The law enforcement agencies dealing with collecting and using e-evidence, will require transparent accountability procedures. Procedures that do not only guarantees that citizens rights are preserved, but also that surveillance tools will not fall into bad hands. It also calls for a level of trust to be established among various legal bodies, law-enforcement agencies and the privacy community. Mailfence has long been an advocate of online privacy and digital freedom, and pledges to donate 15% of its annual Pro plan revenues to EFF and EDRi to support their fight.
Parting thoughts regarding Mailfence at CPDP2018
CPDP Brussels 2018 proved to be a significant event that covered a range of data security, privacy and related subjects from various standpoints.
Some parting thoughts:
- We really want to thank the team behind CPDP2018 for their work and efforts that gave us the opportunity to showcase our solution to journalists, academics, policy makers, human rights organization members and entrepreneur(s).
- The need for privacy-oriented and secure solutions is undeniable, and the eco-system is very large.
- Data ethics and the future legal frameworks are of great value. A lot of work still needs to be done in this area.
We are humbled by the work of everybody present at the conference and view it as a privilege to work on our mission of making internet a more secure and open place.