Application Categories regarding Infosec and Privacy
August 12, 2021 by Michael [ Privacy Architecture ]
We distinct in three basic application categories regarding information security and data sovereignity. One these categories is problematic but broadly in use today.
Content Classification and Trust Models
In our thought process, when approaching a software project, we distinct in three basic app categories with different data management strategies. If the project must use public cloud infrastructure, which is the case for most modern web applications, one of these strategies is not recommended in our opinion. Let's look at the classification first:
- Open - the information should be accessable by anyone.
- Closed - the information is private or restricted to a group of participants.
While the Open model is not of a big concern to privacy, the Closed model brings challenges regarding trust. We can make a further distinction:
- Closed/Trusted - besides the author/authorized group, not transparent to those people, the infrastructure provider can screen the content.
- Closed/Private - it's guarenteed that only the author/authorized group can read the information.
So there are three prominent privacy models used for the most part in modern web applications.
The information should be Open. All data can be stored in readable form on the server and gets processed for broad distribution. The information is meant be public for everybody, e.g. as Homepages, for Marketing, News, Articles. Parts of the content can be of restricted access (e.g. for paying subscribers only), but the content itself must not be protected from things like provider-screening.
Here the goal is wide and effective distribution. The backend-technology is optimized for fast and error-free content delivery and implements approaches like caching and pre-compiling to achieve good performance and to minimize the computing footprint. Static site generators with assets hosted on Edge-services would be an example.
Using highly optimized server infrastructure, which offers benefits like DDos-protection and international server-locations, for public data is a viable approach we use for apps like this Blog.
As with the Open/Public approach, all data is processed on the server in the clear. The server is supposed to ensure the protection of the sensible/private information via authentication and authorization. Users have to trust their service providers and regulators to handle their data responsibly and with high ethical standards. Furthermore it is not sure who actually own the user data, this is a question buried deep in legal statements unread by users.
While the Closed/Trusted model can be a viable approach in some scenarios, e.g. between entities that already have a trusted relationship and share their information anyways, like enterprise apps in B2B operations, today it is broadly applied to many apps of daily use that create and manage lots of sensible/private data. For scenarios, where only the creator/autor or an authorized group of users/clients should have access to the information, we consider this approach unsafe.
This also applies for services marketed as safe because they use End-To-End Encryption (E2EE), but where besides the client also the server has the keys to decrypt the content. This is true for some prominent cloud services.
Other than in the Closed/Trusted approach, the server can not semantically analyze the data and therefore can make no additional use of it. All it does is the original intent of storing/delegating the data. The information is strongly encrypted on the client with E2EE using safe algorithms and the decryption keys are not available elsewhere (except when shared with other people of the "authorized group"). All logical information-processing can only be done on the client.
This is the best approach for confidential information, e.g. personal data like health/journals/intellectual property, photos, communication, location. Here the information must be protected from anyone who does not have the explicit permission to see it.
Technically the user-device does all data processing, view rendering and management to ensure proper data synchronization. The backend just stores encrypted data-packages along minimal metadata needed to make synchronization work and distributes them among permitted user devices efficiently. No trust in the infrastructure is needed. Data breaches are still bad and unfortunate, but not catastrophic (as long as proper encryption protocols are used).
Closed Data and the Trusted model
To be clear, we think the Closed/Trusted model should not be used if it can be avoided. Therefore alternative, equivalent applications which incorporate the Closed/Private model must be available. Here lies the challenge for the next decade. Is it possible that developers/providers can offer a similar or even better user experience while keeping the information safe?
Also, the first step for technologically versed people is to create awareness in the non-technical crowd, which is for the most part
- unaware that their data is constantly scanned and monetized without their knowledge,
- ignorant that broad screening and profiling of information, as demanded by shortsighted regulations, is harmful in the long run.
It must be clear to a big portion of society that privacy has its value, is a basic right that is undebatable and must be protected.
Designing applications that use a responsible mix of all models is an interesting approach. Seperating the public or uncritical parts from the private parts in different services, conflated in a homogenous user interface. The user would not notice any of those technical details and could have a similar experience as we know it today. All in all it is a step back from the cloud, because for this to work much more data must be stored locally or in trusted setups. The research for zero-knowledge proofs and homomorphic encryption, which allows for logical operations on encrypted ciphertext, is progressing and the resulting algorithms could improve pseudonymous communication and reduce the need to keep data local in the future.
We believe Encryption and Decentralization will play an important role in the future protecting our sovereignity as individuals, while we continue to use software products to enhance our lives.