Amexus is organising a conference on digitisation in the energy sector, and more specifically in the energy transition. Earlier this week I was interviewed at home about the role of open data in energy transition and my work with Dutch provinces on this topic.

The video, in German, has already been made available.

This from Wendy Grossman hits the nail quite precisely on its head.

“The problem isn’t privacy,” the cryptography pioneer Whitfield Diffie said recently. “It’s corporate malfeasance.”

This is obviously right. Viewed that way, when data profiteers claim that “privacy is no longer a social norm”, as Facebook CEO Mark Zuckerberg did in 2010, the correct response is not to argue about privacy settings or plead with users to think again, but to find out if they’ve broken the law.

I think I need to make this into a slide for my stock slide deck. It’s also, I think, why the GDPR focuses on data protection and the legal basis for data use, not on privacy as such.

(Do add Wendy Grossman’s blog net.wars to your feedreader.)

Read net.wars: Hypothetical risks

Yesterday we had our monthly all hands meeting at my company. In these meetings we allocate some time to various things that increase our team’s knowledge and skills. This time we looked at information security, and I gave a little intro to start a longer-term discussion and effort to raise the level of information security in our company.

When people discuss information security it’s often along the lines of ‘if you want to do it right I’d have to go full paranoid, and that is completely over the top, so I won’t bother with it at all’. This is akin to saying that because it makes no sense to turn your home into an impenetrable fortress against invaders, you’ll just leave the door standing open. In practice you’ll do something in between those two extremes, and have locks on the door.

Fortress or open door? That’s a false dilemma. (fortress by Ryan Lea, CC-BY, open door by Hartwig HKD, CC-BY-SA and locked door by Robert Montalvo CC-BY)

You know the locks on your door won’t keep out very determined burglars or, say, a SWAT team, but they will raise the time and effort needed for less determined invaders to the point where they’re discouraged.
At the same time, keeping the door closed and locked isn’t just useful for keeping out burglars; it also keeps out the wind, rain, leaves and dust blowing in from the street.
Similarly, in information security you won’t keep out determined three-letter government agencies, but there too there are basic hygiene measures and a variety of steps that raise the cost of more casual or less determined attacks. As with preventative measures at home, information security can be viewed as layers on a spectrum.

I tried to tease out those layers, from the most basic to the most intensive:

  1. hygiene
  2. keeping your files available
  3. basic steps against loss or theft, also on the road
  4. protect client information, and compliance
  5. secure communication and exchanges
  6. preventing danger to others
  7. travelling across borders outside of the Schengen area
  8. active defence against being targeted
  9. active defence against being targeted by state actors

For each of those levels there are multiple dimensions to consider. First of all, in recent years a new group of actors interested in your data has clearly emerged: the tech companies whose business model is adtech, which track you as much as they can get away with. This adds the need for measures at all but the most intensive levels, and especially intensifies the basic ones.
Then there’s the difference between individual measures and what can be arranged at the level of our organisation, and how those two interplay.

In practice, each level can be divided first along the lines of our two primary devices, laptop and phone. Second, there’s a distinction between technological measures and behaviour (operational security).

the list of levels, and the distinction in dimensions as I showed them yesterday

I provided examples of how that plays out at the more basic levels, and at the most intensive level. For example, on the level of hygiene, technological measures include firewalls, spam and virus filters, a privacy screen, ad blockers and tracker blockers, and using safer browsers. Behavioural measures include not clicking links before checking where they lead, recognising phishing attempts, not plugging in USB sticks from others, using unique user names and passwords, using different browsers for different tasks, and switching off wifi, bluetooth and GPS (on mobile) when you’re not specifically using them.

Over the years working on open data I’ve become increasingly aware of and concerned about information security, and since early 2014 I’ve been actively engaging with it. I’m more or less at level 7 of the list above, and with the company I think we need to be at level 5 at least, whereas some of us haven’t quite reached level 1 at the moment. From the examples I gave, and by showing some of the (simple) things I do, we had a conversation about the most pressing questions and issues each of us has. We’ll use this to sequence our steps. We’ll create short FAQs and/or how-to sheets, suggest tools and behavioural measures, suggest what needs a collective choice, and provide help with adoption and implementation. I feel this gives us a ‘gentle’ approach, one that avoids the sense of overwhelm that leads to not taking any measures at all.

The first things people mentioned as worries are usernames/passwords, e-mail, trackers, VPNs, and handling copies of IDs.
So we’ll take those as starting points.

If you want to read up on information security and operational security around your devices, the dearly missed Arjen Kamphuis’s book on information security for journalists is a very useful resource. My approach as described is geared more to the actual context of the people involved, what I know about their habits and routines, and the context of our work and typical projects.

A project I’m involved in has won funding from the SIDN Fund. SIDN is the Dutch domain name authority, and it runs a fund to promote, innovate, and stimulate internet use, to build a ‘stronger internet for all’.
With the Open Nederland association, the collective of makers behind the Dutch Creative Commons Chapter, of which I’m a board member, we received funding for our new project “Filter me niet!” (Don’t filter me.)

With the new EU Copyright Directive, the position of copyright holders will be in flux over the coming two years. Online platforms will become responsible for ensuring that uploaded content doesn’t infringe copyright. In practice this will mean that YouTube, Facebook, and all those other platforms will filter out content where they have doubts about its origin, license or metadata. For makers this is a direct threat, as they run the risk of seeing their uploads blocked even when they clearly hold the necessary rights. False positives are already a very common phenomenon, and this will likely get worse.

With Filtermeniet.nl (Don’t filter me) we want to aid makers who want to upload their work, by offering a bit of advice and assistance right at the moment they want to hit that upload button. We’ll create a tool, guide and information source for Dutch media makers, through which they can declare the license that fits them best, as well as improve their metadata, in order to lower the risk of being automatically filtered out for the wrong reasons.
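Purely to give a flavour of what ‘declaring a license in machine-readable metadata’ can look like, here’s a generic schema.org sketch. This is not the design of the tool (which is still to be built), and all names, titles and dates are made up:

```python
# Generic sketch: machine-readable license metadata as schema.org JSON-LD.
# Not the Filtermeniet.nl tool itself; title, maker and date are hypothetical.
import json

metadata = {
    "@context": "https://schema.org",
    "@type": "VideoObject",
    "name": "Voorbeeldvideo",  # hypothetical title
    "creator": {"@type": "Person", "name": "Jane Maker"},  # hypothetical maker
    "license": "https://creativecommons.org/licenses/by/4.0/",  # the license the maker chose
    "datePublished": "2019-06-01",
}

# Metadata like this can accompany an upload, so platforms (and their filters)
# can see who made the work and under which license it is shared.
print(json.dumps(metadata, indent=2, ensure_ascii=False))
```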

Two years ago a colleague let their dog swim in a lake without paying attention to the information signs. It turned out the water was infested with a type of algae that caused the dog irritation. Since then my colleague has thought it would be great if you could somehow subscribe to notifications for when the quality or status of some nearby surface water changes.

Recently this colleague took a look at the provincial external communications concerning swimming waters. A provincial government has specific public tasks in designating swimming waters and monitoring their quality. It turns out there are six (6) public information or data sources concerning swimming waters from the particular province my colleague lives in.

My colleague compared those 6 datasets on a number of criteria: factual correctness, comparability based on an administrative index or key, and comparability on spatial/geographic aspects. Factual correctness here means whether the right objects are represented in the data sets. Are the names, geographic locations and status (safe, caution, unsafe) correct? Are details such as available amenities represented correctly everywhere?
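As a rough sketch of how such a comparison can be approached (a hypothetical example using pandas; the file names, column names and matching rules are my assumptions, not my colleague’s actual workflow):

```python
# Rough sketch: correlating two of the datasets by ID and by (normalised) name.
# File and column names are hypothetical, for illustration only.
import pandas as pd

website = pd.read_csv("zwemwater_website.csv")    # e.g. columns: id, name, status, lat, lon
register = pd.read_csv("zwemwater_besluit.csv")   # e.g. columns: id, name, status


def normalise(name: str) -> str:
    """Lowercase and strip whitespace so small spelling differences don't block a match."""
    return str(name).strip().lower()


# 1) Try to join on a shared administrative key.
by_id = website.merge(register, on="id", how="inner", suffixes=("_web", "_reg"))
print(f"Matched on ID: {len(by_id)} of {len(website)}")

# 2) Fall back to matching on normalised name.
website["name_key"] = website["name"].map(normalise)
register["name_key"] = register["name"].map(normalise)
by_name = website.merge(register, on="name_key", how="inner", suffixes=("_web", "_reg"))
print(f"Matched on name: {len(by_name)} of {len(website)}")

# 3) Where a match exists, compare the reported status (safe / caution / unsafe).
mismatches = by_name[by_name["status_web"] != by_name["status_reg"]]
print(f"Status differs for {len(mismatches)} matched swimming waters")
```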

Als ze me missen, ben ik vissen (“if they miss me, I’ve gone fishing”)
A lake (photo by facemepls, license CC-BY)

As it turns out each of the 6 public data sets contains a different number of objects. The 6 data sets cannot be connected based on a unique key or ID. Slightly more than half of the swimming waters can be correlated across the 6 data sets by name, but a spatial/geographic connection isn’t always possible. 30% of swimming waters have the wrong status (safe/caution/unsafe) on the provincial website! And 13% of swimming waters are wrongly represented geometrically, meaning they end up in completely wrong locations and even municipalities on the map.

At the start of every year the provincial government takes a decision designating the public swimming waters. Yet this province’s decision cannot be found online (even though it was taken last February, and publication is mandatory). Only a draft decision can be found on the website of one of the municipalities concerned.

The differences in the 6 data sets are more or less reflective of the internal division of tasks within the province. Every department keeps its own files and its own dataset. One is responsible for designating public swimming waters, another for monitoring swimming water quality. Yet another for making sure those swimming waters are represented in overall public planning / environmental plans. Another for the placement and location of information signs about the water quality, and still another for placing that same information on the website of the province. Every unit has its own task and keeps its own data set for it.

Which ultimately means large inconsistencies internally, and a confusing mix of information being presented to the public.

The Mozilla Foundation has launched a new service that looks promising, which is why I am bookmarking it here. Firefox Send allows you to send files of up to 1GB (or 2.5GB if logged in) to someone else. This is similar to what services like the Dutch WeTransfer do, except it does so with end-to-end encryption.

Files are encrypted in your browser before being sent to Mozilla’s server, where they are stored until downloaded. The decryption key is contained in the download URL. That download URL is not sent to the receiver by Mozilla; you send it yourself. Files can also be locked with an additional password, which the sender needs to convey to the receiver through other means as well. Files are kept for 5 minutes, 1 hour, 24 hours or 7 days, depending on your choice, and for 1 up to 100 downloads. This makes it suitable for quick shares during conference calls, for instance. Apart from the encrypted file, Mozilla only knows the IP address of the uploader and the downloader(s). This is unlike services such as WeTransfer, where the service also has the e-mail addresses of both uploader and intended downloader, and you are dependent on them sending the receiver a message with the download link first.


Firefox Send doesn’t send the download link to the recipient, you do
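To make that mechanism a bit more concrete, here is a toy sketch of the general idea: encrypt locally, upload only the ciphertext, and keep the key in the URL fragment (the part after ‘#’), which browsers don’t send to the server. It uses the Python cryptography package and a made-up URL; it illustrates the principle, not Mozilla’s actual implementation:

```python
# Toy sketch of Firefox Send-style sharing: encrypt locally, upload only the
# ciphertext, and put the key in the URL fragment, which browsers never send
# to the server. Illustration only, not Mozilla's actual protocol.
import base64
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def encrypt_for_sharing(path: str):
    """Encrypt a file and return (ciphertext_to_upload, share_link_with_key)."""
    key = AESGCM.generate_key(bit_length=128)
    nonce = os.urandom(12)  # standard AES-GCM nonce size
    with open(path, "rb") as f:
        plaintext = f.read()
    ciphertext = nonce + AESGCM(key).encrypt(nonce, plaintext, None)

    # Only the ciphertext would be uploaded; the key lives solely in the link
    # that the sender passes to the receiver themselves.
    fragment = base64.urlsafe_b64encode(key).decode()
    share_link = f"https://send.example/download/abc123#{fragment}"  # hypothetical URL
    return ciphertext, share_link
```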

This is an improvement in terms of data protection, even if not fully watertight (nothing ever really is, especially not if you are singled out as a target by a state actor). It does satisfy the needs of some of my government clients who currently aren’t allowed to use services like WeTransfer.