Today I opened my Facebook which I use actively since yesterday. When g0ing to my settings, the system informed me about changed privacy settings. What it then recommended was ridiculous: All my very tight settings should be opened up. Instead of sharing information only with my friends, the system suggested that I should share a lot of information with everyone and other, sometimes sensitive information (religion, political opinions) with friends of my friends. I had to manually change back everything to “old settings” which at least was an option I could use. However, from my perspective it is fully inacceptable from a privacy perspective to suggest such changes. If someone has opted for tight settings, this approach just shows that Facebook still hasn’t understood anything.

Besides this, the options for managing “authorizations” or privacy settings, e.g. controlling who is allowed to see what are primitive. I can share everything with my friends. But in many cases I want to share some informati0n only with some of my friends. I can use lists, but I for example can’t use these lists as sort of “groups for ACLs (Access Control Lists)”. At list I didn’t manage to find out how until now. But given that I have friends from business and from my private life, it is very obvious that I won’t share everything with everyone, isn’t it?

Again, like pointed out here and here, there is no reason not to construct social networks secure and with strong privacy settings. For sure it is hard to do it afterwards, once you have a bad security architecture in place. But technically seen, it is feasible – and it is relatively easy. But it requires understanding the needs for privacy (which become an inhibitor to the market for Facebook at least in some countries these days) – and you have to do that.

Why am I using Facebook anyway? Too many people are using it and many said that it is a better way to stay in touch with contacts than the other social networks like Xing or LinkedIn. And, by the way: These other networks are as well not the godfathers or inventors of privacy… I don’t expect Facebook to ever understand privacy and act accordingly. Thus I’ll keep an eye on what I publish there and what I don’t publish and I’ll keep my privacy settings very rigid. For sure I could use more than one Facebook account. But that would be harder to manage and a pain for the ones which are “friends” in private and business life.

Just a side note: Interestingly many startups have significant lacks in their overall software architecture and struggle with things like scalability and adding new features. And even more struggle with increasing security requirements. One reason is the missing understanding for security (see link above). The other is that many startups have CTOs which are pretty inexperienced – interestingly the ones where the founders (and amongst them the CTO) is doing a startup the second or third time perform much better because they have learned many lessons before. There are – like always – exceptions from that rule, e.g. startups with young CTOs doing a very good job. But these are the exceptions. You could bet on what my rating for Facebook is from that perspective…

By the way: If anyone knows how to control all access to the content in Facebook based on my lists of friends, let me know…

Yesterday, the German Federal Constitutional Court declared the German law on “Vorratsdatenspeicherung” for illegal. That wasn’t a real surprise, given that this is overall well aligned to other decisions of the Federal Constitutional Court. Two interesting annotations: There where some 35.000 suitors against this law. And the German Minister of Justice, Sabine Leutheusser-Schnarrenberger, was amongst them. She started the law suit when being in opposition – right now she had the interesting situation that there was a lawsuit by her against Germany, represented by her – so she would have been a winner in that case anyway.

The law on “Vorratsdatenspeicherung” (a nice term, isn’t it, as long as the name of the Minister of Justice) is about the collection of data at ISPs and other types of service providers – about connection logs  in internet and telephony services. They had to be kept for six months to allow investigations. The law has been formulated based on an EU guideline, but exceeded the minimum requirements of that guideline. The fact that this law has been declared illegal might affect as well the EU guidelines because they are critizised not only in Germany but in other countries as well, it probably will affect other instances of massive and undifferentiated data collection of the German state.

The Federal Constitutional Court doesn’t forbid the collection of information. However, the current law didn’t fulfill the requirements of data security, didn’t comply with some other laws (like the protection of preachers, doctors,… and their confidentiality requirements), and didn’t restrict the use of the information sufficiently. Interestingly, the Federal Constitutional Court also decided that the information has to be deleted immediately (or at least as fast as possible), thus the decision goes beyond other decisions which allowed the government to first improve the law, without changing the status quo.

After the decision of the Federal Constitutional Court had been unveiled the discussions about the next steps started immediately – and that’s where IPv6 comes into play. Within its decision, the Federal Constitutional Court declared that connection data of churches, some governmental organizations, and other specified parties must not be stored. That led to the argument of the lobbyists of the “internet economy” (e.g. ISPs and so on) that this can’t be implemented. Given that IP addresses are usually assigned dynamically it wouldn’t be feasible to exclude some groups. But, honestly, that isn’t true. It is true as long as you rely on IPv4 and dynamic IP addresses (and given that they are limited, we have to). But it isn’t true with IPv6. With other words: When relying on IPv6, you can comply with the decision of the German High Court. Given that the technology supporting IPv6 is out in most areas – client operating systems, servers,… – at least in most cases, the answer is simple: Finally switch to IPv6 as the standard protocol and you’re done. Overall, we’ve been waiting way to long for IPv6 becoming the primary protocol and IPv4 being used only for backwards compatibility. This decision, with its impact on the entire European legislations in that field, thus might become a push towards IPv6.

Last week, the German health insurance company BKK had to unveil a severe information leak. The company has become blackmailed because someone had stolen masses of sensitive patient records. Besides the fact, that the way that this happened shows an astonishing carelessness when dealing with IT security and privacy at the BKK and raises many questions (see below), there are some interesting new options for the German government to work with this data.

You could for example take such patient records and combine them with the recently acquired stolen data from Switzerland about potential tax fraud. If you take for example people who recently showed insomnia or started bed-wetting, that should be fully sufficient for an initial suspicion by the attorneys. And that is just the tip of the iceberg. There are so many other interesting opportunities of combining patient records with other types of information… Thus the thief probably should have approached the German government instead of the BKK. They are always willing to buy stolen things and to make use of that, like they have proven recently.

Some words about the BKK case itself: The BKK had outsourced some tasks to a call center. There hasn’t been an auditing about the privacy, IT security, or data protection approaches of that outsourcer. In fact, it appears that there have been other outsourcers and freelancers involved. Besides this, there was an IT company involved which did the support for the outsourced call center. The employees of that IT company had some privileged accounts with access to massive amounts of sensitive patient records.

Overall, there has obviously been a lack of understanding of IT security and privacy issues I seldomly have seen before, at least not in the healthcare and finance industry. No valid concept for differentiated access controls, no privileged access management, no data leakage prevention, nothing. Incredible – but true.

The Deutsche Bahn has been sentenced to a penalty of 1,1 Mio Euro for breaches of the German data protection law, e.g. the privacy regulations in Germany. That is the record penalty based on the BDSG (Bundesdatenschutzgesetz), how the law formally is called. The reason for that penalty were abusive analysis of employee data, to identify potential cases of corruption and fraud. Data of bank accounts of suppliers and employees were compared. That became public, there was a lot of public discussion about – the topic was top in the news for several days. And the CEO, Hartmut Mehdorn, was (factually) fired.

However, dealing with corruption and fraud is a must for the management of any corporation. Heinrich von Pierer, the former CEO of Siemens, had to leave the company because he didn’t address corruption and fraud. Hartmut Mehdorn did it – and lost as well. Obviously, there are regulations in conflict. The problem of both was that they had no valid concept of which regulations are relevant, which are in conflict and how to deal with these conflicts. The Bahn analyzed far too much data and didn’t put that approach into a bigger concept, openly discussing it with the works council and so on.

So one lesson which should be learned by everyone with responsibility for compliance regulations (and the BDSG is one of them) is: Analyze the relevant regulations, clearly define the valid approach to deal with, discuss it with the works council as far as employee data is affected, talk with your auditors – in fact have a strategic approach on how to operationalize the regulations.

The second interesting aspect around the “Bahn” case is that the penalty is a record penalty – and only 1.1 million Euro, which is sort of paid out of the petty cash. Thus it hurt some people at the Bahn, loosing their jobs. But it is only a small penalty from the perspective of the large corporation. It seems that the BDSG is sort of a “law that has no teeth” (in German the saying is “toothless tiger”…). But there is good news (from the perspective of enforcing privacy and data protection): The new amendments of the BDSG will change things fundamentally – the tiger will get teeth.

Yesterday, I read an article at a German news web-site about the recent security leaks found in the social network SchülerVZ. The article claims that social networks like SchülerVZ and Facebook (both are mentioned) don’t have any chance to avoid crawlers accesing personal data which should be presented only to friends. Ridiculous!!!

Sorry, that is definitely nonsense!

It is very simple. You have some data which is visible only to some specific persons. You have an authorization policy, which might be expressed in the form of ACLs or XACML or whatever. Some application (the regular frontend, a crawler, an administrative application,…) tries to access data. You have done an authentication. You do the authorization by comparing the authentication information to the authorization information. You decide on whether access is allowed or not. That is done in millions of applications day-by-day. And that shouldn’t work with social network sites? I don’t see any real reason why!

For sure there are two reasons why at least some social networks don’t do that in this way:

• Bad software architecture: Security has to be done by design, from the very beginning. Otherwise it is hard to implement it. Unfortunately, many developers don’t design security in their products but add it at the end, as something painful they have to do at the minimum level.
• Performance considerations: For sure security will affect performance. For any access, you will have to do security checks. You will even have to provide stronger authentication features. But it can be done. Providers will probably require some more hardware to keep the performance level of their social networks. But security has its price.

But to be honest: These aren’t valid reasons. Either you are able to deploy a social network in a secure way and fulfill the data protection laws. Or you should shut the entire thing down. Given that it is possible to secure social networks, the operators should be fully responsible for any security breach.

By the way: Even the databases themselves can be fully secured. That depends a little on the database chosen and the additional technologies in place, like Oracle’s Database Security products (to mention one of the more advanced solutions). OK, that will again cost you some performance and some money. But again it is about “security first”. If the providers of social networks can’t afford the cost of security, their business model just doesn’t work.

Some time ago I blogged about the “rise and fall of social networks“. My main point was that today’s social networks lock-in the information of their customers – but if I participate in Xing, LinkedIn, Facebook or other platforms, I enter my data there. With some networks, it’s virtually impossible to export my own network. And if I want to use more than one of these networks, there is no way to just move my existing network to the new platform. The interfaces (in most cases) as well as the standards (in any case) are missing.

Yesterday, the discussion gained further momentum because Facebook has changed its policies. Facebook now claims an unlimited right to use the information which someone has entered – even when the user cancels his Facebook account. Interestingly, the general terms and conditions aren’t (or at least haven’t been) fully translated into German. Some German lawyers claim that they are thus invalid, because German law requires them to be in German.

Overall, the recent discussion an the overall situation is pretty interesting from two perspectives:

• Legal: Which of the general terms and conditions of providers are valid? Given that Facebook doesn’t act in Germany (and most other countries), but from the US, the contract is between an US company and a German (or other) user, that is a very interesting question. It is, by the way, a general issue in the Internet. Most companies will face the same problem once they start using the cloud (and some have experienced these issues in outsourcing). Another question is about copyright and intellectual property rights – are rules like the ones of Facebook or Xing really valid? I have to grant them unlimited rights without any restrictions. I can’t cancel the contract. Once I have agreed, I’ve lost my rights. Besides this, it is as well an interesting question whether the change of general term and conditions affects information which has been in the network before that change and whether or not someone has to agree explicitly to that change. I’m no lawyer but I think that these are interesting questions.
• Data ownership: Again, it is my network. I really don’t like to have this lock-in.

In another area, the customer relationships, we have a somewhat comparable situation. Vendors have a lot of information about me – and I don’t really know what they know about me. In German law, I can request that they provide me with the information they have stored about me (which might provide reasonable workload if many customers ask for that information). But there are other approaches. The concept of VRM (Vendor Relationship Management) which has been intensively discussed at last year’s European Identity Conference tries to change the play. The customer manages his vendor relations and controls which information he provides to whom. Like I have stated in my older post on social networks, these concepts might be applied to new type of social networks. I’m not quite sure about the business model. But as long as I have to act with vendors which have business models that – like they claim – only work if I give away any control and rights about my information I think it is really worth to consider a switch in that area.

I think that companies like Facebook and Xing with their general terms and conditions are digging their own grave. That won’t happen very fast, but once the users have an option which provides them more rights and more privacy, that might happen.