Nextleap: Next Generation generation data security
After working on the WebCrypto Working Group at W3C/MIT , Harry Halpin joined the Prosecco team at INRIA Paris in January 2016. He coordinates the European NEXTLEAP project and its multi-disciplinary team.Its goal is to develop the securitymessagingprotocols of tomorrow for messaging and identity applications.
Can you tell us how the NEXTLEAP project came about?
Nextleap is a three-year project funded under Horizon 2020, the European programme that grants funding to essential research projects for the years to come. We have recently seen major security problems in Europe and at the same time, online services are increasingly centralised in a few American firms. We are looking to establish both decentralization while offering greater security and privacy. New services such as Whatsapp, Messenger, Twitter, etc. are on top of open standards such as TCP/IP and HTML from standards bodies like the Internet Engineering Task Force and World Wide Web Consortium. But these standards do not exist on the level of sending messages themselves so messages on these services are not secure or private. Research on data security is significantly lacking. The aim of NEXTLEAP is therefore to create next-generation protocols to make chat and other new Internet applications more secure. A lot of research on cryptography for messaging was done in the 90s but it came too early. Today, for instance, we see that TLS protocols are susceptible to attacks, as shown by Prosecco's research. We need a new generation of protocols. There are currently no security standards for messaging or privacy-enhanced identity applications.
What exactly are the consequences of this lack of security standards?
We have examples of human rights activists who used insecure messaging applications. In Iran, for example, they used Telegram, which advertises itself as a secure service, but in reality, the software they use can be attacked. These activists can be targeted and even risk losing their lives. For European businesses and even governments, communications security is just as essential. Just look at the Hillary Clinton email scandal in the United States. Can European governments trust Gmail? There was backlash at the European level after the revelations of Edward Snowden and governments wondered how they could ensure that their communications remain secure although their data was stored in the USA. The Safe Harbour Privacy Principles ensuring European Data Protection were overturned by the European Court of Justice in October 2015. We therefore now need to find new protocols that reinforce citizen rights.
But, data-mining is a source of income for many businesses, helping them better target their marketing…
Yes, that’s why we’re looking to design systems that analyse data while keeping the data private and secure. People should be sure that no one is spying on their data. Compliance with the General Data Protection Regulation relies on the good faith of businesses in France and Europe, yet we need to come up with technical standards to guaranteethat it is respected. Today businesses make money by understanding what their online service users do. That’s great! But I think this can be done in a way that respects people’s privacy. For example, if I'm trying to sell you shoes, I’m not interested in you specifically but rather the data of a group of people who I could sell my shoes to. That way I don’t need the actual individual data, but the results from machine learning. People want answers, not your data. You can create algorithms to do that.
These new protocols should apply to applications and online services used by the general public.Is that something your team is looking into?
Yes. It's why our team is made up of people from various disciplines, because these issues raise numerous social, political, and ethical concerns. The European Commission recommended that we work with sociologists and philosophers. We’re thrilled to have Bernard Stiegler from l’Institut de recherche et d’innovation working with us. He is a philosopher who specialises on the larger impact of technological change on society. We also work with a team of sociologists from CNRS at the Sorbonne who are carrying out research on user expectations around security. Our outputs will be published as open-source software so that anyone can use it, and we hope to see various companies and the general public take up the protocols.