With enterprise becoming increasingly reliant on mobile apps for many of its everyday business communications, processing sensitive data through these apps could pose a significant risk to data security. There is a requirement to provide app developers with standards that will achieve security by design.
By Elisabetta Zaccaria, Chairman Secure Chorus
With the amount of digital information being transmitted via mobile apps rising at a dramatic rate, protecting this information from falling into the hands of cybercriminals has become a significant challenge.
With mobile apps, the data exposure risk stems mainly from the variety of data and sensors held on mobile devices, the use of different types of identifiers and the extended possibility of users’ tracking the complex mobile app ecosystem and limitations of app developers, as well as the extended use of third-party software and services.
These risks mean that when it comes to the implementation of core data protection principles in mobile apps – as stipulated by the EU General Data Protection Regulation (GDPR) – there are serious challenges. The application ecosystem complexity, including app developers, app providers as well as other actors in the ecosystem (operating system providers, device manufacturers, market operators, ad libraries, and so on) is the main factor that hinders mobile app developers and providers compliance with the GDPR, e.g. the requirement to implement data protection by design and by default, during data processing
This Regulation applies to the processing of personal data by a controller or processor established in the EU, regardless of whether the processing takes place in the EU or not. It also applies to the processing of personal data of ‘data subjects’ based in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services, irrespective of whether a payment from the data subject is required, to such data subjects in the EU; or the monitoring of their behavior as far as their behavior takes place within the EU. The GDPR finally applies to the processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.
The compliance of mobile apps with the GDPR may therefore not be a concern limited to EU enterprises, but to a much wider pool of organizations falling in the above jurisdictional applicability. To resolve these challenges, there is now a need for greater industry-wide cooperation on the development of standards to make mobile apps secure by design.
Technology standards are published documents that establish specifications and procedures in the areas of product reliability, safety, security and interoperability (in order to achieve compatibility with other technology products). Because of their widespread availability and applicability, they have the further benefit of fostering innovation, often simplifying the product development process.
The reason mobile apps need to be secure by design is because the requirement to prevent (and in some cases provide) access to sensitive communication is deeply inscribed in modern legislation, which aims to protect a variety of interests, ranging from the basic civil liberties of an individual at one end of the spectrum, to the protection of the security of a nation against criminal activities at the other.
This is due to the fact that, while they have many legitimate purposes, secure communications may also be used in the commission of criminal activities. It follows that law enforcement services need tools to investigate cybercrimes as well as other cyber-facilitated forms of crime.
Rights of the individual need to be evaluated in relation to the rights of others to find a balance between the individual interests and the greater interest of all citizens of a nation. In the case of serious crimes, law enforcement may need to lawfully gain access to relevant communications.
The EU General Data Protection Regulation (GDPR) has made efforts to reconcile the individual’s right with other relevant rights. On the one hand, the regulation requires businesses to protect personal data during any of its data processing activities (introducing end-to-end encryption as a viable method to achieve such protection), while on the other, it requires businesses to be able to access personal data that may be encrypted, in order to comply with lawful interception as well as ‘Data Subject Access Requests’. Specifically, Article 15 of the EU GDPR provides that EU citizens (the ‘data subject’) have the right to receive confirmation that an organization is processing their personal data, as well as the right to receive a copy of that data. Individuals also have the right to obtain a variety of supplementary information.
Encryption is a cryptographic method in which data is turned into an encoded and unintelligible version, using encryption algorithms and an encryption key. A decryption key or code enables others to decode it again.
The technical challenge introduced by the GDPR is made clear when we examine the mobile applications (apps) we use in our day-to-day business communication. Many of these come with end-to-end encryption. But, most of these applications are built in such a way that businesses cannot decrypt the data being processed by such technologies. This data may include personal data and therefore in case of a ‘Data Subject Access Request’ places a requirement on the business to decrypt such data and provide it to the EU citizen in question.
Security gaps created by non-compatible technologies connecting to mobile apps create major information security challenges. These gaps present an increasing requirement for mobile apps to be interoperable and secure by design in order to ensure secure data processing between apps and other technologies they may exchange data with (or otherwise process data).
Secure Chorus is a not-for-profit membership organization in the field of information security, working with mobile app developers, as well as other secure communications technology providers, to address secure data processing. We have addressed this cybersecurity requirement through a strategy of government-industry collaboration, with industry members developing a number of mobile apps based on common technology standards to ensure that the app architecture facilitates the exercise of data subject rights under the GDPR.
Secure Chorus supports MIKEY-SAKKE an open identity-based public-key cryptography, which provides for end-to-end encryption and can be used in a variety of environments, both at rest (e.g. storage) and in transmission (e.g. network systems). Designed to be centrally managed, it gives enterprises full control of system security as well as the ability to comply with any auditing requirements, through a managed and logged process.
MIKEY-SAKKE has been standardized by the Internet Engineering Task Force (IETF). Access to this type of globally accepted, strong and reliable cryptography has become vital to app developers that are becoming increasingly aware of the widespread risks associated with internet use.
MIKEY-SAKKE is configured so that each user is attached to a Key Management Server (KMS), where the keys are issued to users by an infrastructure managed by the business’ IT department. This ensures that the ability to decrypt content remains private to the individuals communicating. However, in exceptional cases such as a ‘Subject Access Request’, it also allows the business to derive a valid decryption key from the Key Management Server. To audit an encrypted communication, the organization should export a user-specific and time-bound key from the KMS. This key enables an audit function to decrypt a specific user’s communications for a specific time period (e.g. week or month). The KMS is able to log this action to ensure that it is accountable.
All Secure Chorus member technologies use MIKEY-SAKKE. This has enabled Secure Chorus to define with its members a range of interoperability standards that ensure members’ products can work with one another and the systems implementing these technologies. The adoption of MIKEY-SAKKE and of Secure Chorus’ interoperability standards by app developers, help them to develop products which meet the GDPR compliance requirements of enterprise customers.
Mobile apps built with such standards would allow enterprise customers to maintain data encrypted during any data processing undertaken by the app, as well as by other technologies the app may be connected to. In addition, the enterprise costumer would be able to decrypt data in case of a lawful interception request or a ‘Data Subject Access Request’ under the GDPR, by exporting a user-specific and time-bound key from the KMS.
Following two years of collaborative work Secure Chorus, has recently announced the completion of its first set of interoperability standards for encrypted voice calls. The completion of this first set of interoperability standards for encrypted voice calls, specifically aimed at enterprise users has created a much-needed breakthrough, setting a strong step ahead to develop interoperability standards for developers of mobile communication apps.
About the Author
Elisabetta is co-founder and Chairman of Secure Chorus, prior to which she was Group Chief Strategy Officer & Chief Operating Officer of Global Strategies Group, where she set the strategy and co-led the cybersecurity company’s explosive growth, turning the start-up into a $600million revenue international information security business in six years.
About Secure Chorus
Secure Chorus is a not-for-profit membership organization serving as a platform for multi-stakeholder cooperation, for the development of forward-looking strategies, common technology standards and tangible capabilities in the field of information security.
For further information please contact:
Secure Chorus Ltd via PRPR
Elisabetta Zaccaria, Chairman
Stephen Brown, Director
Phone number: +44 (0) 7831 208109