OSS in the quest for GDPR compliance - Pass the Salt 2019 - PowerPoint PPT Presentation


SLIDE 1

OSS in the quest for GDPR compliance

Pass the Salt 2019

SLIDE 2

Errata

  • this talk was proposed by Cristina DeLisle
  • I'm filling in due to a scheduling conflict
  • I Am Not A Lawyer

SLIDE 3

Agenda

1. XWiki & CryptPad, who we are, what we do
2. what we talk about when we talk about privacy
3. about CryptPad
4. GDPR: our experience, implications for open-source

SLIDE 4

$ whoami

  • Aaron MacSween
  • Privacy engineer & researcher, applied cryptographer
  • CryptPad project lead
  • XWiki SAS (Paris, France)

SLIDE 5

What is XWiki?

  • ~40 person organization
  • France, Romania, Spain*, Germany*, Belgium*
  • enterprise knowledge management software
  • the open-source XWiki platform
  • in business for 15 years
  • ...but how does this fit into Pass the Salt?

SLIDE 6

Privacy and security are often "added at the end"

  • ...and it doesn't work
  • and it has terrible consequences
  • and we'd like to change that
  • but...

SLIDE 7

There's no single fix

  • privacy and security are complicated
  • they're context dependent

SLIDE 8

XWiki knows a lot about knowledge management

  • it's one small piece of the puzzle (privacy)
  • we research how to advance the state of the art

SLIDE 9

Privacy & Security

  • from whom? the NSA? your little brother?
  • for how long? until you're out of the country?
  • what are you protecting or hiding?
  • what's your threat model?

In short, the two don't always go together.

SLIDE 10

Security with less privacy

  • anti-fraud policies
  • protection via surveillance
  • 2FA: something you know, something you have

SLIDE 11

Privacy with less security

  • "zero knowledge" web services
  • pastebins, file upload, X but with encryption
  • no 2FA, but no third parties

SLIDE 12

CryptPad: c'est quoi?

  • real-time, like Etherpad or Google Docs, but with encryption
  • e2ee collaboration suite
  • fully open-source (AGPL)
  • 250+ instances in the wild

SLIDE 13

Our architecture

  • browser-based "thick client"
  • p2p conflict resolution with pluggable encryption
  • multiple editors with compatible APIs and UIs
  • mostly dumb websocket store-and-forward server
  • like IRC channels but with history
  • append-only logs on the server filesystem
  • cryptographic keys and document ids shared as URLs

SLIDE 14

Extensions

  • "CryptDrive" (just another document)
  • cryptographic login (via Scrypt)
  • read/write/delete capabilities
  • public-key authenticated RPCs
  • encrypted files embedded in documents
  • shared folders
  • "Friends" and write-only "Mailboxes"
  • private messaging and embedded group chat

SLIDE 15

Our users

  • the Pirate Party of Germany (self-hosted)
  • C3W (CCC Vienna, self-hosted)
  • various other activist groups, hackerspaces
  • 12K registered on our instance
  • about 10K unique IPs each week

SLIDE 16

Funded by...

  • French R&D grants (merci BPI France)
  • NLnet Foundation (NGI PET)
  • donations: opencollective.com/cryptpad
  • subscriptions on CryptPad.fr

SLIDE 17

But that makes us responsible for

  • other people's data...

SLIDE 18

Handling data

  • General Data Protection Regulation (GDPR)
  • in effect since May 2018
  • unified set of data protection laws
  • formal recognition of encryption as best practice

SLIDE 19

Our strategy

  • Privacy by Design
  • read the docs: "Seven foundational principles"
  • data minimization: "who needs to know?"
  • challenge conventional wisdom, find alternatives to PII (Personally Identifying Information)

SLIDE 20

Roles and definitions

  • Data Protection Officers
  • Data controllers
  • Data processors
  • Lawful processing

SLIDE 21

DPOs

  • Data Protection Officer
  • one of Cristina's roles at XWiki
  • can be adversarial in nature
  • audits policies, keeps inventories of PII
  • formalizes access control strategies
  • 30 days to respond to queries

SLIDE 22

Data controllers

  • the organization which employs the DPO and holds the data
  • set privacy policies and strategies for the data's lifecycle
  • proactively demonstrate compliance
  • process PII lawfully, with informed consent

SLIDE 23

Data processors

  • third parties involved in handling your data
  • defined in a Data Processor Agreement
  • for us: OVH (hosting), Stripe (payments), Quaderno (invoicing and regional tax rates)

SLIDE 24

Lawful processing

  • compliance with the law
  • contractual reasons
  • involving consent of the data subject
  • legitimate* interest

SLIDE 25

Fines for violations

  • coerced or forced "consent"
  • not reporting confidentiality or availability breaches
  • up to 4% of annual global turnover or €20 million, whichever is greater

SLIDE 26

GDPR and OSS

  • forces cloud infrastructure to be more accountable
  • protects and empowers data subjects
  • raises awareness of privacy and the risks of proprietary platforms

SLIDE 27

Uncertainty

  • at what point does a self-hoster become a controller?
  • what schemes are best? what's the right way to handle data?
  • how do we challenge "legitimate interest"?
  • what can be considered a reasonable effort?

SLIDE 28

Conclusions

Privacy advocates still need lots of help:

  • from dedicated security experts
  • from domain expert POC implementations for different problems

SLIDE 29

Questions?

Come say hi after:

  • if you want stickers or...
  • if you're interested and eligible for EU R&D projects

SLIDE 30

Aaron | ansuz
  • https://social.privacytools.io/@ansuz
  • https://twitter.com/fc00ansuz

Cristina
  • cristina.rosu@xwiki.com
  • https://mastodon.social/@redchrision

CryptPad
  • https://twitter.com/cryptpad
  • https://social.weho.st/@cryptpad