On its way: A Google-free, NSA-free IT infrastructure for Europe
Take open source. Enlist Euro carriers. How hard was that?
Analysis This really wasn’t in the script. All conquering, “disruptive” Silicon Valley companies were more powerful than any nation state, we were told, and governments and nations would submit to their norms. But now the dam that Max Schrems cracked last week has burst open as European companies seek to nail down local alternatives to Google, Dropbox and other Californian over-the-top players.
They don’t have much choice, says Rafael Laguna, the open source veteran at Open Xchange.
What the Schrems vs Facebook decision in the European Court means, Laguna argues, is that any data protection guarantee that a US company makes in Europe is worthless, and so any business processing a European individual’s data on US servers exposes itself to lawsuits it can’t win.
“Suppose I’m a German business, and I get an agreement from Google, which says everything is good, and I put that into my file. When a customer sues me, I go to court and find that agreement isn’t worth a dime. Google cannot guarantee what they’re guaranteeing.
“This takedown of Safe Harbor will be remembered as a historical event. It’ll be patched, but it’ll be a bad patch. The real patch is you do business with a trusted supplier operating in a country whose laws you trust. And that doesn’t mean the over-the-top big boys from California,” says Laguna.
Data from consumers and businesses routinely touches dozens of US internet services – and replacing them all with European-hosted alternatives is obviously going to take time. But piece by piece, they’re getting there. What’s interesting, and perhaps surprising to US readers, is that European telcos are playing a vital role in European data independence.
Open Xchange provides the office suite, secure email and secure storage, and is gradually building a trusted infrastructure with European telcos. Its partners will cheerfully provide IM and video conferencing over the top. That leaves huge gaps in the picture - consumer social networks like Facebook, and CRM services like Salesforce, still dominate their respective markets. But with the customer base for OX climbing towards 200 million seats, it’s not to be sniffed at.
It’s particularly surprising that telco companies are trusted - given that telco-bashing is a US sport. (Look out for the “Complaining about Comcast” events in the 2020 Olympics). Laguna understands why.
“It’s historical. Once, you were either at BT, or at BT, or at BT. Coming from that world is difficult for them. And then there were limited licences for mobile, with only a few operators, and these grew from nought to 80 million in 10 years, so they didn’t have to hunt for customers, or provide great customer services to retain customers, because they were having money thrown at them. And so they didn’t provide customer service.”
“There used to be a sign on German phone booths that said ‘Be Brief’ - and that was their marketing.”
But internet comments don’t show the full picture, he thinks. In surveys, OX found that only retailers are more trusted than telcos.
“Now telcos can regain some trust they lost to the OTTs.”
Unprotected email? You must be joking
The industry-wide Trusted Email (TES) Working Group that Open Xchange helped establish is part of the vision of an independent, European open source infrastructure. Mikko Linnamäki, co-founder of Dovecot explains:
“There are 2.9 million IMAP servers on the surface of this planet. The transfer of email between them is unprotected. The storage is unprotected. It’s a total disaster. And that’s for the whole world, for 20 years. Google and Apple and Microsoft don’t care - they want everyone to come to them. There is nobody who is solving this problem, and it’s a very delicate problem. If an IMAP server’s emails are searchable, like the Sony emails were searchable, then that’s a disaster.”
OX acquired Dovecot, a tiny outfit that maintains the IMAP software used by 60 per cent of the world’s email servers, and Dutch DNS outfit PowerDNS, which provides the software for 90 per cent of the world’s secure DNS.
The intention is to encrypt email on your behalf, with the minimum of technical end-user intervention.
The TES working group will thrash out standards, sample code and best practices allowing anyone participating to lock down email in transit and in storage. Carrier-grade intermediaries will host the user’s private key, and the end user only needs to enter a passphrase, or use whatever authentication they already use, such as 2FA or USB keys. And lo, a global key directory emerges.
Laguna acknowledges that it isn’t foolproof - but it’s far more secure than totally open plaintext email flooding across the pipes.
“The public-private keypair is generated on the server when the passphrase is entered. In theory that key cannot be trusted. Security experts will say you should never leave your key on the server. But the likelihood that the NSA sits and waits and in that nanosecond grabs it from memory is almost zero.
“That’s good enough for 99.99 per cent of people. Currently, people are driving without a seatbelt. We’re not making it perfect, but what we want people to do is buckle up, and we’ll deliver the airbags later.”
So fairly soon we’ll have key servers locking down email for hundreds of millions of users, and OX says it can all be turned on by default.
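The server-held-key model Laguna describes above (keypair generated on the server when the passphrase is entered, private key hosted by the provider, unlocked only by the user’s passphrase) is easy to get subtly wrong, so here is a worked example of the sound way to build it. It is an added illustration written for this page, not OX, Dovecot or TES working group code, and the concrete choices (PBKDF2-HMAC-SHA256 with an illustrative 100,000 iterations, AES-256-GCM for the wrap, RSA-2048 with OAEP for the mail itself, the record layout, and the function names) are this example’s assumptions, not anything the group has published. The point it makes that the article only gestures at: the provider stores the private key sealed under a key derived from the passphrase, so the plaintext private key exists on the server only inside the Unlock call, and the stored public key is bound into the seal so it cannot be silently swapped for an attacker’s.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// WrappedKey is the per-mailbox record the provider persists: public key in the
// clear (for the key directory), private key sealed under a passphrase-derived key.
type WrappedKey struct{ PublicDER, Salt, Nonce, Sealed []byte }

const kdfIters = 100_000 // illustrative work factor, an assumption of this example

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, written
// out here so the example needs only the standard library.
func pbkdf2SHA256(pass, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// gcmFor returns an AES-256-GCM wrapper keyed from the passphrase and salt; the derived key is never stored.
func gcmFor(passphrase string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfIters)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)                                              // AES block size: cannot fail
	return gcm
}

// Enroll is the server-side step the article describes: the keypair is generated
// when the passphrase is entered, sealed at once, and only the record is kept.
func Enroll(passphrase string) (*WrappedKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	privDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for an RSA key
	pubDER, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	rnd := make([]byte, 16+12) // 16-byte salt followed by the standard 12-byte GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err // never proceed with a weak salt or a predictable nonce
	}
	salt, nonce := rnd[:16], rnd[16:]
	// The public key is bound as associated data, so swapping the stored public
	// key for an attacker's is detected the next time the record is unlocked.
	sealed := gcmFor(passphrase, salt).Seal(nil, nonce, privDER, pubDER)
	return &WrappedKey{PublicDER: pubDER, Salt: salt, Nonce: nonce, Sealed: sealed}, nil
}

// Unlock is the only point at which the plaintext private key exists on the
// provider's side; use it for one operation and let it go out of scope.
func Unlock(w *WrappedKey, passphrase string) (*rsa.PrivateKey, error) {
	privDER, err := gcmFor(passphrase, w.Salt).Open(nil, w.Nonce, w.Sealed, w.PublicDER)
	if err != nil {
		return nil, fmt.Errorf("wrong passphrase or tampered key record: %w", err)
	}
	key, _ := x509.ParsePKCS8PrivateKey(privDER) // authenticated above: it is what Enroll sealed
	return key.(*rsa.PrivateKey), nil
}

// EncryptTo needs only the public half: any sender can do it without the passphrase.
func EncryptTo(w *WrappedKey, msg []byte) ([]byte, error) {
	pub, err := x509.ParsePKIXPublicKey(w.PublicDER)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub.(*rsa.PublicKey), msg, nil)
}

// Decrypt unlocks the key for this one message only.
func Decrypt(w *WrappedKey, passphrase string, ct []byte) ([]byte, error) {
	priv, err := Unlock(w, passphrase)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	w, _ := Enroll("correct horse battery staple")
	ct, _ := EncryptTo(w, []byte("constructed sample message")) // constructed input
	pt, err := Decrypt(w, "correct horse battery staple", ct)
	fmt.Printf("right passphrase: %q err=%v\n", pt, err)
	_, err = Decrypt(w, "wrong passphrase", ct)
	fmt.Println("wrong passphrase:", err)
}
```

Two caveats a practitioner would attach to Laguna’s “seatbelt” argument follow directly from the code. First, the “nanosecond” he refers to is the body of Unlock: a provider that caches the unlocked key, logs the passphrase, or derives the wrapping key from something it already holds has quietly turned the design back into plaintext storage. Second, whoever obtains a copy of the sealed record can attack it offline, so the passphrase and the KDF work factor, not the carrier’s jurisdiction, are what actually stand between a copied database and the private keys.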
In the OX mail client a traffic light indicates the relative security of the sender. Green for trusted. Gmail remains permanently lit red.
Kids today, eh?
Laguna optimistically thinks that only open source and locally hosted European software can resolve the uncertainty created by slack US terror laws and an NSA that can slurp data at will. And he hopes younger users will smarten up.
I told him about a conversation with a young phone blogger I met recently who declared that, “I don’t mind sharing anything with Google, and in any case, it’s only machines that read my email.” (This was before Google announced it was sharing the “anonymised” profiles with third party marketeers.) I asked the lad if he’d be quite so confident if he had been diagnosed HIV+. He had no answer. The thought didn’t seem to have occurred to him.
“It’s not something young people have ever run into,” says Laguna. “As a young child in the GDR I was exposed to surveillance, and I could feel it. At least in East Germany, you saw the Stasi guys, and you knew who they were, and when you went to school you [adopted] a persona. And when you got back home you closed the door, and you were the real person again. Here you can’t see them. But everyone will get to the point where they feel it.”
But as in Dave Eggers' novel The Circle, people willingly trade their privacy for civic order and security.
“Everyone has the personal right to be naive,” he says. “That’s why I like the Hotel California metaphor. It’s a state of mind these Californians are in: it was drugs; now it’s data. Maybe young people will realise in 10 years, when they try and sign up for health insurance and find they can’t get it - maybe because they’ve been flying too much.” ®
For a concise backgrounder on Schrems, this piece by Robert Levine in the New York Times is a must-read.