A veritable who’s who of tech giants from Google, Facebook, Microsoft and Twitter, went public last week with a partnership on a standards initiative called the Data Transfer Project (DTP), built to enable data portability between cloud platforms. But security researchers believe the project’s privacy implications need to be better vetted.
Towards a Universal Data Portability Framework
This framework will include tools that can convert any service’s proprietary APIs to and from a small set of standardized data formats to ones that can be used by anyone. Using as a starting point publicly available APIs from Google, Microsoft, Twitter, Flickr, Instagram, Remember the Milk and SmugMug, the framework would allow seamless data transfer (only with user consent) for a range of information, including photos, mail, contacts, calendars and tasks. The idea is to create one, open-source approach that will enable consumers to “transfer their data directly from one service to another, without needing to download and re-upload it,” according to a Google blog post on Friday.
“This makes it possible to transfer data between any two providers using existing industry-standard infrastructure and authorization mechanisms, such as OAuth,” Google explained.
The benefits are varied; for one, the interoperability will make it easier for users to move their cherished digital data from one service to another without worrying that something will be lost in translation, and without having to jump through a lot of hoops. That should make trying out or moving to a new service easier. It also can pave the way for better data backups. Microsoft, in a blog post on Friday, struck a more general note, saying that “portability and interoperability are central to cloud innovation and competition.”
Pravin Kothari, CEO of cloud security vendor CipherCloud, listed out for Threatpost some positives for consumers: “The DTP may enable users to back up important information, organize their data across different accounts, recover more rapidly from cyber-events like account hijacking, and retrieve data from old or to be discontinued services.”
Chris Olson, CEO of The Media Trust, also pointed out that there’s a data-control upside. “The Data Transfer Project could be a game changer – you have the biggest tech companies facilitating consent-based sharing of consumer data, and you have consumers more able to manage the data that companies collect on them,” he told Threatpost in an email.
Google echoed this in the posting: “As it is an open-source product, anyone can inspect the code to verify that data isn’t being collected or used for profiling purposes.”
Google in its posting also laid out the security aspects of the DTP.
“Services must first agree to allow data transfer between them, and then they will require that individuals authenticate each account independently,” it explained. “All credentials and user data will be encrypted both in transit and at rest. The protocol uses a form of perfect forward secrecy where a new unique key is generated for each transfer. Additionally, the framework allows partners to support any authorization mechanism they choose. This enables partners to leverage their existing security infrastructure when authorizing accounts.”
There are some potential privacy pitfalls to the DTP idea, James Lerud, head of the behavioral research team at Verodin, told Threatpost.
“The project does not make it easy to remove service A’s existing access to data,” he explained via email. “Taken by itself, the project does little to improve the security of consumer data; it provides new options for consumers to safely share data between services. The distinction is that consumers may gain control over transferring data, while the security of the data is unchanged or potentially diminished by having copies of data stored in multiple services.”
Brian Vecci, technical evangelist at Varonis, had similar thoughts.
“On its face, this sounds like a great way to give users more control over their own data, making it easier to get your information from one source to another,” he told Threatpost via email. “There are significant privacy concerns with this, though. Transferring data like this almost certainly doesn’t mean that data will be deleted on the source service, so while you get the convenience of having information in multiple places, there are also now multiple places where your data can be lost, stolen or misused in some way.”
The concern is especially piquant given that regulations like the recently enacted GDPR in the European Union lays out strict privacy for protections for user data.
“GDPR is forcing companies to be very careful with what data they collect, who potentially has access to it, how it’s used and when it’s supposed to be deleted,” said Vecci. “This is generally easier for data that’s collected organically as part of a specific process, like when you enter your contact information into a website.”
On the other hand, “when you grant a company an entire dump of past data from another source, the potential for that information to end up in places where it’s not properly tracked or kept private is potentially higher,” he said. “Consumers should be careful about what kind of data they provide to which companies.”