As of our last all hands meeting we have moved our company to using NextCloud on a server in a German data center. This is the second major step in improving on our information hygiene in the company, after adopting RocketChat and leaving Slack.
I had created the cloud already last May, but we had not transitioned everyone in the company and all our work. That transition has now been made.

It allows us to avoid having to work with clients in cloud environments like Google Docs, it has OnlyOffice for online collaboration in documents, it allows to avoid file transfer services in favor of being able to provide (time limited, password protected) download links from our own server, and it has integrated STUN/TURN support so we can do (video)conference calls from within our own environment. It’s a managed server/service for a few hundred Euros per year. A key benefit is being able to nudge our clients to routines less exposed to the data hungry silos, and also to show compliance with (regularly inconsistent and differing) rules regarding which online services they do and don’t allow. Setting an example is in itself a benefit given our work on transparent data governance, data ethics and accountability.

In the coming weeks we’ll aim to get fully accustomed to our new working environment, but so far it has been pretty self-evident.

Screenshot from working with a colleague in OnlyOffice (content blurred obviously)

We are working our way through a list of things to improve our overall information hygiene, a discussion I started last spring. It involves changes at the company level (like Nextcloud and Rocketchat) and changes at the individual level (helping colleagues e.g. with password management. We moved all of us onto the same password manager, that also includes the option to share passwords from a company account). It focuses on tools and technological measures, as well as on behaviour and work routines. And it looks at both laptop and mobile devices. I’ve created a ‘information hygiene ladder’ on those three dimensions, with a different level of information security at each rung, that we can strive for. The upper end, the “I’m being targeted by a three letter agency”, we’ll never address I’m sure. But there is a wealth of opportunities to improve our information security level before that extreme stage.

With my company we now have fully moved out of Slack and into Rocket.Chat. We’re hosting our own Rocket.Chat instance on a server in an Amsterdam data center.

We had been using Slack since 2016, and used it both for ourselves, and with some network partners we work with. Inviting in (government) clients we never did, because we couldn’t guarantee the location of the data shared. At some point we passed the free tier’s limits, meaning we’d have to upgrade to a paid plan to have access to our full history of messages.

Rocket.chat is an open source alternative that is offered as a service, but also can be self-hosted. We opted for a Rocket.chat specific package with OwnCube. It’s an Austrian company, but our Rocket.chat instance is hosted in the Netherlands.

Slack offers a very well working export function for all your data. Rocket.chat can easily import Slack archives, including user accounts, channels and everything else.

With the move complete, we now have full control over our own data and access to our entire history. The cost of hosting (11.50 / month) is less than Slack would already charge for 2 users when paid annually (12.50 / month). The difference being we have 14 users. That works out as over 85% costs saving. Adding users, such as clients during a project, doesn’t mean higher costs now either, while it will always be a better deal than Slack as long as there’s more than 1 person in the company.

We did keep the name ‘slack’ as the subdomain on which our self-hosted instance resides, to ease the transition somewhat. All of us switched to the Rocket.chat desktop and mobile apps (Elmine from Storymines helping with navigating the installs and activating the accounts for those who wanted some assistance).

Visually, and in terms of user experience human experience, it’s much the same as Slack. The only exception being the creation of bots, which requires some server side wrangling I haven’t looked into yet.

The move to Rocket.chat is part of a path to more company-wide information hygiene (e.g. we now make sure all of us use decent password managers with the data hosted on EU servers, and the next step is running our own cloud e.g. for collaborative editing with clients and partners), and more information security.

Just a month ago I wrote here about my reservations concerning the use of mobile phones as hotel room key. A hotel I will be staying at in the near future yesterday started sending me multiple (unasked) SMS’s to download their hotel app to ‘make my stay smarter’. Sure, I will trust download links in unrequested SMS! Today as I’ve ignored their messages I received an e-mail imploring me to do the same.

The app they ask me to use is called Aeroguest, and their pitch to me is about easier check-in/out, using chat to contact staff, and using my phone as door key. The first two I’d rather do in person, and the last one is not a good idea as explained in the above link.

Why such an app might be seen as attractive to the hotel, becomes clear if you look at the specifications of the app. A clear benefit is direct repeat bookings, saving the expensive middle men that booking sites are. In my case I almost always book through the hotel’s website directly. And if I enjoyed my stay I usually book the same hotel in a city for my next visit. I do use booking sites to find hotels. In this case I’ve stayed in this hotel several times before.

The stated benefits for the guest (key, chat, check-in/out, choosing your room) are a small part of the listed benefits for hotels in using the app, such as up-selling you packages before and during your stay. An ominous one, when seen from the guest’s perspective, is ‘third party services’ access presumably meaning potential access to your booking / stay history and maybe even payment / settlement information, requested preferences etc. Another, more alarming one, is “advanced indoor mapping” which I take means tracking of guests through the hotel which can yield information on time spent in hotel facilities, time spent in the room, how often / when the key was used, and by matching it with other guests, whom you might be meeting with that is also staying in the hotel. In Newspeak on the apps website in the data and analytics section this is described as “With transparency, you can proactively accommodate your guests’ needs.” Note that the guest is the one who is being made transparant. That is quite a price in exchange for being able to choose your specific room when checking in with the app.

I’ve replied to the hotel my reasons for not wishing to use the app (linking to my previous blogpost), and told them I look forward to checking in at reception in person when I arrive. When I arrive I am curious to hear more about their usage of the app. For now “making my stay smart” reads like the “smart cities” visions of old, it may be smart, but not for the individuals involved, merely for the service provider.

Hotel keys
Hotel keys, photo by Susanne Nilsson, license CC BY-SA

Everybody hates the keycard, says the NYT, and talks about using your phone instead. There are a few reasons why using your phone as a hotel key is not something I do, or would do.

One reason is provided by the hotels promoting this themselves:

And, since the keys are downloaded electronically through a hotel app, the host has a presence on the guests’ phones, and can offer other exclusive services, like promotions and a chat feature.

Presence on my phone, that sounds rather ominous. Let me count the hotel apps I currently allow on my phone…. 0.

Unless there’s an opt-in for each single additional ‘service’ as part of a hotel’s ‘presence’ on my phone, it is in breach of the GDPR wherever I travel. Do hotel chains really want to expose up to 4% of their annual turnover to liability risks?

The ones I’ve encountered worked through bluetooth. That opens up a wide range of potential vulnerabilities. I never have bluetooth switched on (nor wifi when not in active use, for that matter), and there are very good reasons for that. There might be other bluetooth devices nearby pretending to be my hotel door to get access to my phone, or piggyback on my room door’s communication. A plastic card and a room door never have that issue. NFC based ones have less of these issues, but still bring their own issues.

A vulnerability in a hotel’s mobile app now also becomes a vulnerability for your hotel key as well as for your phone. It also means a phone will contain data traces of any hotel you may have used it as a key. That is a privacy risk in itself, not only to yourself, but potentially as well to people you have encountered. (E.g. investigative journalists would be risking the anonymity and privacy of their sources that way.)

Another reason is, also when I travel alone I have 2 plastic key cards. I keep them in different places, so I have a back-up if one of them gets out of my hands. Having just my phone is a single point of failure risk. Phones get left in hotel bars. Phones slip out of pockets in taxi back seats. Phone batteries die.

That is the third reason, that phone batteries die, especially on intensive work days abroad. Already that is sometimes problematic for mobile boarding passes for e.g. a second leg of a trip after a long haul flight (such as last month on a trip to Canada), or an evening flight home.
When staying in a hotel, after a long day, I sometimes need to leave a phone to charge in my room (sometimes the room safe has a convenient power outlet), while I go have a coffee in the lobby. This month during holidays I left my phone charging during dinner in a hotel in Rouen, as well as in an apartment on the Normandy coast, while we headed out for a walk on the beach.
So when I read in the article “What is also great is that I don’t find myself forgetting my key in the room as I always have my phone with me“, I take that to mean “you can’t leave your room when your phone needs charging” and “you can’t return to your room if your phone battery died”.

Phones and hotel keys all have their vulnerabilities. Putting a key card on your phone doesn’t remove the existing vulnerabilities of existing key card systems, but transfers and adds them to the vulnerabilities of your phone, while also combining and increasing the potential negative consequences of one of those vulnerabilities becoming actualised.

Read Everybody Hates the Key Card. Will Your Phone Replace It? (nytimes.com)

Technology that allows hotel guests to use their phones as room keys is expanding, taking aim at those environmentally unfriendly plastic cards.

Yesterday we had our monthly all hands meeting at my company. In these meetings we allocate some time to various things to increase our team’s knowledge and skills. This time we looked at information security, and I gave a little intro to start a more long term discussion and effort to raise information security in our company.

When people discuss information security it’s often along the lines of ‘if you want to do it right I’d have to go full paranoid, and that is completely over the top, so I won’t bother with it at all’. This is akin to saying that because it makes no sense to turn your home into an impenetrable fortress against invaders, you’ll just leave the door standing open. In practice you’ll do something in between those two extremes, and have locks on the door.

Impregnable Fortress The Magic Door
doorLock
Fortress or open door? That’s a false dilemma. (fortress by Ryan Lea, CC-BY, open door by Hartwig HKD, CC-BY-SA and locked door by Robert Montalvo CC-BY)

You know the locks on your door won’t keep out very determined burglars or say a swat team, but it will raise the time and effort needed for less determined invaders to a point they will be discouraged.
At the same time keeping the door closed and locked isn’t just useful to keep out burglars but also serves as a way to keep out the wind, rain and leaves and dust blowing in from the street.
Similarly in information security you won’t keep out determined government three letter agencies, but there too there are basic hygiene measures and a variety of measures to raise the cost of more casual or less determined attacks. Like with preventative measures at home, information security can be viewed in layers on a spectrum.

I tried to tease out those layers, from the most basic to the most intensive:

  1. hygiene
  2. keeping your files available
  3. basic steps against loss or theft, also on the road
  4. protect client information, and compliance
  5. secure communication and exchanges
  6. preventing danger to others
  7. traveling across borders outside of the Schengen area
  8. active defence against being targeted
  9. active defence against being targeted by state actors

For each of those levels there are multiple dimensions to consider. First of all in recent years a new group of actors interested in your data has clearly emerged. The tech companies for whom adtech is their business model started tracking you as much as they can get away with. This adds the need for measures to all but the most intensive levels, but especially means the basic levels intensify.
Then there’s the difference between individual measures, and what can be arranged at the level of our organisation, and how those two interplay.

Practically each level can be divided first along the lines of our two primary devices, laptop and phone. Second, there’s a distinction between technological measures, and behaviour (operational security).

the list of levels, and the distinction in dimensions as I showed them yesterday

I provided examples of how that plays out on the more basic levels, and on the most intensive level. E.g. on the level of hygiene, technological measures you can think of are firewalls, spam and virus filters, a privacy screen, ad blockers and tracker blockers, using safer browsers. Behavioural measures are not clicking links before checking what they lead to, recognising phishing attempts, not plugging in usb sticks from others, using unique user names and passwords, using different browsers for different tasks, and switching off wifi, bluetooth and gps (on mobile) when you’re not specifically using them.

Over the years working on open data I’ve increasingly become aware of and concerned about information security, and since early 2014 actively engaging with it. I’m more or less at level 7 of the list above, and with the company I think we need to be at level 5 at least, whereas some of us haven’t quite reached level 1 at the moment. From the examples I gave, and showing some of the (simple) things I do, we had a conversation about the most pressing questions and issues each of us has. This we’ll use to sequence steps. We’ll create short faq’s and/or how-to sheets, we’ll suggest tools and behavioral measures, suggest what needs a collective choice, and provide help with adoption / implementation. I feel with this we have a ‘gentle’ approach, that avoids overwhelm that leads to not taking measures at all.

The first things people mentioned because they were worried about it are: usernames/passwords, e-mail, trackers, vpn, and handling copies of ID’s.
So we’ll take those as starting points.

If you want to read up on information security and operational security around your devices, dearly missed Arjen Kamphuis’s book on information security for journalists is a very useful resource. My approach as described is more geared to the actual context of the people involved, and what I know about their habits and routines, and to the context of our work and typical projects.