oss in the quest for gdpr compliance
play

OSS in the quest for GDPR compliance Pass the Salt 2019 Errata - PowerPoint PPT Presentation

Aug 24, 2023 •304 likes •612 views

OSS in the quest for GDPR compliance Pass the Salt 2019 Errata this talk was proposed by Cristina DeLisle I'm filling in due to a scheduling conflict I Am Not A Lawyer Agenda 1. XWiki & CryptPad, who we are, what we do 2. what we talk

  1. OSS in the quest for GDPR compliance Pass the Salt 2019

  2. Errata this talk was proposed by Cristina DeLisle I'm filling in due to a scheduling conflict I Am Not A Lawyer

  3. Agenda 1. XWiki & CryptPad, who we are, what we do 2. what we talk about when we talk about privacy 3. about CryptPad 4. GDPR: our experience, implications for open-source

  4. $ whoami Aaron MacSween � Privacy engineer & researcher, applied cryptographer CryptPad project lead XWiki SAS � (Paris, France)

  5. What is XWiki? ~40 person organization France, Romania, Spain*, Germany*, Belgium* enterprise knowledge management software the open-source XWiki platform in business for 15 years ...but how does this fit into Pass the Salt ?

  6. Privacy and security are often "added at the end" ...and it doesn't work and it has terrible consequences and we'd like to change that but...

  7. There's no single fix privacy and security are complicated they're context dependent

  8. XWiki knows a lot about knowledge management it's one small piece of the puzzle (privacy) we research how to advance the state of the art

  9. Privacy & Security from whom? the NSA? your little brother? for how long? until you're out of the country? what are you protecting or hiding? what's your threat model? In short, the two don't always go together.

  10. Security with less privacy anti-fraud policies protection via surveillance 2FA something you know, something you have

  11. Privacy with less security "zero knowledge" web services pastebins, file upload, X but with encryption no 2FA, but no third parties

  12. CryptPad: c'est quoi? real-time like Etherpad or Google docs, but with encryption e2ee collaboration suite fully open-source (AGPL), 250+ instances in the wild

  13. Our architecture browser-based "thick client" p2p conflict resolution with pluggable encryption multiple editors with compatible APIs and UIs mostly dumb websocket store-and-forward server like IRC channels but with history append-only logs on the server filesystem cryptographic keys and document ids shared as URLs

  14. Extensions "CryptDrive" (just another document) cryptographic login (via Scrypt) read/write/delete capabilities public-key authenticated RPCs encrypted files embedded in documents shared folders "Friends" and write-only "Mailboxes" private messaging and embedded group chat

  15. Our users The pirate party of Germany (self-hosted) C3W (CCC Vienna, self-hosted) various other activist groups, hackerspaces 12K registered on our instance about 10K unique IPs each week

  16. Funded by... French R&D grants (merci BPI France) NLnet Foundation (NGI PET) donations: opencollective.com/cryptpad subscriptions on CryptPad.fr

  17. But that makes us responsible for other people's data...

  18. Handling data General Data Protection Regulation (GDPR) in effect since May 2018 unified set of data protection laws formal recognition of encryption as best practices

  19. Our strategy Privacy by Design read the docs: "Seven foundational principles" data minimization "who needs to know?" challenge conventional wisdom, find alternatives to PII (Personally Identifying Information)

  20. Roles and definitions Data Protection Officers Data controllers Data processors Lawful processing

  21. DPOs Data Protection Officer one of Cristina's roles at XWiki can be adversarial in nature audits policies, keeps inventories of PII formalize access control strategies 30 days to respond to queries

  22. Data controllers the organization which employs the DPO and holds the data set privacy policies and strategies for the data's lifecycle proactively demonstrate compliance process PII lawfully, with informed consent

  23. Data processors third parties involved in handling your data defined in a Data Processor Agreement For us: OVH (hosting) Stripe (payments) Quaderno (invoicing and regional tax rates)

  24. Lawful processing compliance with the law contractual reasons involving consent of the data subject legitimate* interest

  25. Fines for violations coerced or forced "consent" not reporting confidentiality or availability breaches up to 4% of annual global turnover or €20 million whichever is greater.

  26. GDPR and OSS forces cloud infrastructure to be more accountable protects and empowers data subjects raises awareness of privacy and the risks of proprietary platforms

  27. Uncertainty at what point does a self-hoster become a controller? what schemes are best? what's the right way to handle data? how do we challenge "legitimate interest"? what can be considered a reasonable effort?

  28. Conclusions Privacy advocates still need lots of help: from dedicated security experts from domain expert POC implementations for different problems

  29. Questions? Come say hi after: if you want stickers or... if you're interested and eligible for EU R&D projects

  30. Aaron | ansuz https://social.privacytools.io/@ansuz https://twitter.com/fc00ansuz Cristina cristina.rosu@xwiki.com https://mastodon.social/@redchrision CryptPad https://twitter.com/cryptpad https://social.weho.st/@cryptpad

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IDD & GDPR Masterclass Branko Bjelobaba FCII Regulation & Compliance Consultant Branko

IDD & GDPR Masterclass Branko Bjelobaba FCII Regulation & Compliance Consultant Branko

IDD & GDPR Masterclass Branko Bjelobaba FCII Regulation & Compliance Consultant Branko Ltd FCA compliance consultants * BIBA Compliance Manual * Engaging Events * Tailored Solutions Format 1. GDPR (the important bits!) 2. ICOBS

716 views • 67 slides
GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU General Data Protection 1995 Regulation 2016 Data Protection Act 1998 Data Protection Bill 2017-19 Fines DPA GDPR Maximum Fine 500k Two

622 views • 17 slides
Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The

Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The

Almost one year after the GDPR, where are we now? Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The first year of the GDPR can best be described as "quiet test run. What are the most striking

405 views • 8 slides
Live Webcast: How Cognitive Search Accelerates GDPR Compliance GDPR Legal Overview By Erin

Live Webcast: How Cognitive Search Accelerates GDPR Compliance GDPR Legal Overview By Erin

Live Webcast: How Cognitive Search Accelerates GDPR Compliance GDPR Legal Overview By Erin Aslan Legal Counsel - Sinequa Live Webcast: How Cognitive Search Accelerates GDPR Compliance GDPR takes effect on May 25, 2018 with no further

285 views • 26 slides
On Purpose and by Necessity: Compliance under the GDPR Sren Debois, IT University of

On Purpose and by Necessity: Compliance under the GDPR Sren Debois, IT University of

On Purpose and by Necessity: Compliance under the GDPR Sren Debois, IT University of Copenhagen Joint work with David Basin (ETH) and Thomas Hildebrandt (KU) FC 18, Feb 26, 2018 General Data Protection Regulation May 25, 2018 GDPR

223 views • 20 slides
*Funded by the European Commission GDPR Compliance and The International Patient Summary An IPS

*Funded by the European Commission GDPR Compliance and The International Patient Summary An IPS

*Funded by the European Commission GDPR Compliance and The International Patient Summary An IPS Workshop Brussels, 13 th September 2018 GDPR Compliance and The International Patient Summary Introduction and Welcome Stephen Kay Vice Chair of

520 views • 33 slides
Overview What is the GDPR? What are the main changes? Risks? What do you need to do

Overview What is the GDPR? What are the main changes? Risks? What do you need to do

Overview What is the GDPR? What are the main changes? Risks? What do you need to do to be compliant? Data Breaches How does the GDPR affect you? Steps to Compliance Summary What is the GDPR? q The EU's General Data

355 views • 17 slides
General Data Protec-on Regula-on Based on the Pinsent Mason Paper New Features of the GDPR

General Data Protec-on Regula-on Based on the Pinsent Mason Paper New Features of the GDPR

General Data Protec-on Regula-on Based on the Pinsent Mason Paper New Features of the GDPR Accountability measures: GDPR requires compliance and evidence of compliance: documented policies and procedures, records of consents etc.

355 views • 9 slides
Accelerate GDPR compliance with the Microsoft Cloud Henrik Mnsted Cloud Solutions Architect

Accelerate GDPR compliance with the Microsoft Cloud Henrik Mnsted Cloud Solutions Architect

Accelerate GDPR compliance with the Microsoft Cloud Henrik Mnsted Cloud Solutions Architect Microsoft Denmark This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law. 1. Data Privacy and

900 views • 21 slides
Analyzing GDPR Compliance Through the Lens of Privacy Policy Jayashree Mohan , Melissa Wasserman,

Analyzing GDPR Compliance Through the Lens of Privacy Policy Jayashree Mohan , Melissa Wasserman,

Analyzing GDPR Compliance Through the Lens of Privacy Policy Jayashree Mohan , Melissa Wasserman, Vijay Chidambaram General Data Protection Regulation (GDPR) Respect the rights of data owner Personal Gathered legally, Protect it from Data

500 views • 37 slides
Upcoming events Apr. 10 - GDPR: Are your marketing efforts in compliance? Apr. 30 - Local SEO:

Upcoming events Apr. 10 - GDPR: Are your marketing efforts in compliance? Apr. 30 - Local SEO:

Upcoming events Apr. 10 - GDPR: Are your marketing efforts in compliance? Apr. 30 - Local SEO: Proven tactics to help you rank Sept. 12 - 2018 Moving Marketing Forward Conference GUERILLA RESEARCH Create a Better User Experience with Just

707 views • 38 slides
EU GDPR PRACTICAL IMPLEMENTATION GUIDE - OPPORTUNITIES AND THREATS bd@gemserv.com Agenda

EU GDPR PRACTICAL IMPLEMENTATION GUIDE - OPPORTUNITIES AND THREATS bd@gemserv.com Agenda

Reaz Khedarun and Ian Davis EU GDPR PRACTICAL IMPLEMENTATION GUIDE - OPPORTUNITIES AND THREATS bd@gemserv.com Agenda Implications and opportunities of GDPR New obligations and liabilities for suppliers How GDPR compliance can

437 views • 24 slides
something to keep quiet about GDPR Compliance Concerns and Its Impacts on Investigations

something to keep quiet about GDPR Compliance Concerns and Its Impacts on Investigations

Privacy is no longer something to keep quiet about GDPR Compliance Concerns and Its Impacts on Investigations Statistics from EY Surveys Page 2 When is privacy not something to keep quiet about? Data protection and data privacy compliance

884 views • 24 slides
How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security

How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security

WEBINAR How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security for API-based Services Welcome and Introductions Elias Terman Chandan Golla Shan Zhou VP of Global Marketing Head of Product Management

506 views • 34 slides
GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data Protection Regulation Came into force on May 25 th Replaces the current 1995 Data Protection Directive and Data Protection Act (1998). What is GDPR?

570 views • 18 slides
Brokers Ireland Compliance Update September 2020 Linda Doyle Items Covered GDPR and

Brokers Ireland Compliance Update September 2020 Linda Doyle Items Covered GDPR and

Brokers Ireland Compliance Update September 2020 Linda Doyle Items Covered GDPR and outsourcing Brexit Central Bank and Cyber Fraud Consumer Insurance Contracts Act 2019 Covering PCF roles during COVID19 Assessing

666 views • 34 slides
Interoperability in Geospatial Web Services Jeff de La Beaujardire, PhD NASA Geospatial

Interoperability in Geospatial Web Services Jeff de La Beaujardire, PhD NASA Geospatial

Geospatial Interoperability Office Interoperability in Geospatial Web Services Jeff de La Beaujardire, PhD NASA Geospatial Interoperability Office Editor, WMS 1.1 Specification jeff2002@sunrise.gsfc.nasa.gov +1 301-286-1569 Geospatial

580 views • 23 slides
Banking software architecture 2 Architectural Styles 1 WebLogic Network Gatekeeper's software

Banking software architecture 2 Architectural Styles 1 WebLogic Network Gatekeeper's software

Architectural Styles Ana Moreira Fernando Brito e Abreu 1 Architectural Styles Banking software architecture 2 Architectural Styles 1 WebLogic Network Gatekeeper's software architecture 3 Architectural Styles GNOME Desktop Accessibility

519 views • 50 slides
Developments of the S tate Authority for Geodetic Works from IT perspective Todorovski Dimo

Developments of the S tate Authority for Geodetic Works from IT perspective Todorovski Dimo

Developments of the S tate Authority for Geodetic Works from IT perspective Todorovski Dimo Republic of Macedonia INTERNATIONAL INSTITUTE FOR GEO-INFORMATION SCIENCE AND EARTH OBSERVATION S tate Authority for Geodetic Works registering

496 views • 22 slides
CIS 330: Applied Database Systems Lecture 1: Introduction Johannes Gehrke

CIS 330: Applied Database Systems Lecture 1: Introduction Johannes Gehrke

CIS 330: Applied Database Systems Lecture 1: Introduction Johannes Gehrke johannes@cs.cornell.edu http://www.cs.cornell.edu/johannes Course Goals Understand the functionality of modern database systems Understand where database

385 views • 21 slides
Using an ADL to describe a large information system Eoin Woods eoin.woods@artechra.com 1

Using an ADL to describe a large information system Eoin Woods eoin.woods@artechra.com 1

Using an ADL to describe a large information system Eoin Woods eoin.woods@artechra.com 1 Wednesday, 22 August 12 Introducing the Project Very established system (15 years) widely used, actively developed multiple languages (Perl, Java, C++,

373 views • 8 slides
CompSci 356: Computer Network Architectures Lecture 3: Hardware and physical links References:

CompSci 356: Computer Network Architectures Lecture 3: Hardware and physical links References:

CompSci 356: Computer Network Architectures Lecture 3: Hardware and physical links References: Chap 1.4, 1.5 of [PD] Xiaowei Yang xwy@cs.duke.edu Overview Lab overview Application Programming Interface Hardware and physical layer

852 views • 53 slides
Dynamic Web Applications Authoring, Deploying And Consuming Mixed-Namespace XML T. V. Raman IBM

Dynamic Web Applications Authoring, Deploying And Consuming Mixed-Namespace XML T. V. Raman IBM

Dynamic Web Applications Authoring, Deploying And Consuming Mixed-Namespace XML T. V. Raman IBM Research Dynamic Web Applications p. 1 Outline Characteristics of a Web application. Building on what we have. Whats left to solve.

487 views • 22 slides
Microservice Integration Software Engineering II Sharif University of Technology MohammadAmin

Microservice Integration Software Engineering II Sharif University of Technology MohammadAmin

Microservice Integration Software Engineering II Sharif University of Technology MohammadAmin Fazli Topics Ideal Integration Technology Interfacing with Customers Shared Database Synchronous vs Asynchronous

886 views • 71 slides

More recommend