| 2.7 Security
23. Safe Harbour Note | |
|---|
| 27.23 ISM - Safe Harbour Note: | | In Oct 2015, the Safe Harbour agreement for data protection between Europe and USA was declared invalid by the European Court of Justice - without any possibility of appeal. | | In addition, the European Court of Justice in a case against WELTIMMO stated that any company trading in any European country must comply with the Data Protection regulations of each specific country. | | It can be assumed that the Snowden effect may significantly impact on European businesses now that the European Court of Justice has accepted that illegal mass surveillance has been undertaken by the USA on all European people. European companies may be able to become established as competition to USA companies. Each European person must provide positive agreement that their data may be transferred to the USA or held by a USA owned company that is subject to USA legal surveillance. |
| Compliance: | | TIES does business in several European countries, including support for local European languages, local time zones and local currencies. | | It is a business requirement to comply with the unique Data protection regulations of each country where trading takes place. | | It is likely that TIES does comply with all such regulations, but it is a requirement to gain first hand access to local data protection regulations in:- | | UK, Ireland, Norway, Sweden, Finland, Denmark, Netherlands, Belgium, France, Austria, Italy, Spain, Greece and Germany. | | TIES does business in many other countries using excessively encrypted data so the data stored in other countries remain safe and secure. | | Encryption means that a database in a distant data center is just a string of numbers with no meaning - nobody can guess what data is stored. |
| USA Corporations: | | USA corporations that aid mass surveillance of European people such as Microsoft, Apple, Google, Yahoo and Facebook face significant legal consequences in each of 28 European countries. European companies using Microsoft 365 or Google Docs will need to put special data protection provisions in-place to ensure that business data is not made available for USA mass surveillance. | | Where a European company has its IT support activities outsourced to people in the USA who may be part of a mass surveillance program, then special provisions are needed to comply with European Data Protection regulations. The impact of handling Data Protection in each and every European country in a unique way may be costly. Major software houses such as Oracle, SAP and Salesforce where technical support is provided from the USA may find that such a method of working becomes illegal because the data may be accessed by USA legal processes. |
| Security Keys: | | It is possible that an agency could force a person to disclose any encryption key. Precautions have been taken to counter this possibility so a criminal cannot threaten a person or their family. First, a very large number of encryption keys are involved - thousands and each is fragmented in to many parts of a key. Second, a set of keys have been reserved to purposefully destroy all data so in the event they are disclosed to a criminal who uses them - the destruction is by further encryption using a non-reversable divisor method. | | Advice to every person who is threatened is to disclose any encryption keys they have been issued with - the destructive keys. Any part of the application service that needs to be fully protected is encrypted by keys where no one person hold the complete key - they only have a fragement. A number of people must consipire together at the same time so their fragments of the key come together to unlock a secret folder that contains hundreds of keys. | | Everybody uses a public key and a private key so we choose to employ many other keys and encryption methods at the same time. The effect is that having a private key will not unlock secure data - data remains further encrypted using very different mathematical methods. All 2048 bit keys look like 256 characters, but such a key is fragmented into four 64 character strings and hidden in a folder containg many millions of 64 character strings. |
| Tokenization: | | Business data is tokenized to prevent criminals being able to sell the data. For example "Newcastle-upon-Tyne" is substituted by "3WATFOR" and "Stratford-upon-Avon" is substituted by "4LONDO". The effect is the business data may look like data, but in fact is list of tokens that must be decoded and substituted. No encryption keys are involved, so agencies cannot force a person to disclose the keys. The amount of transformation that takes place is so great that no person is capable of knowing all the tokens. | | The majority of names are tokenized so "Tom Jones" may be substituted by "5Dave 6Alan" - the kind of token that may appear to be original data. An email such as "fred@live.co.uk" may be stored as "8john7@gmail.com" - a simple pair of substitutions. A telephone number is split into its area code and number - the area code is tokenized to look like a different area code so the data becomes valueless to a criminal. |
|
|