The mobile application (app) ecosystem has emerged to become one of the biggest global industries. Multimedia apps continue to be the most used form of communication and have not just changed the way we interact in our private lives: they have become an important means for organizations to interact with their customers, integrating several of their services into these IM platforms.
While organizations increasingly rely on multimedia applications to offer services to their customer base, the processing of sensitive data through such technologies is becoming a growing concern. When a mobile app processes any data that is personal and private by nature, such as pictures, messages, emails and agenda items, as well as data that is related to the user’s behavior, all the key data protection requirements in the GDPR are triggered.
The GDPR provides that the data controller has an obligation to process personal data securely. The data subject also has the right to obtain confirmation as to whether personal data is being processed. Where that is the case, the data subject can request to access to the personal data, to receive information about the processing, as well as request different actions on such data.
The data controller shall however also ensure that means used to comply with such requests from a data subject do not adversely affect the rights and freedoms of other data subjects.
Data security faces some serious challenges in the area of mobile apps. This is due to the complexity of the mobile app ecosystem: it is not only dependent on app development methods, but on the hardware, software, operating systems, protocols, APIs, infrastructures, contracts, and so on.
Because of this complexity, the assessment of an app’s privacy and security characteristics is difficult. As a result, in order to achieve a comprehensive approach to protecting data processing for mobile app users, a multi-stakeholder approach to developing common technology standards is required.
Secure Chorus is a not-for-profit membership organization in the field of information security. We work with multimedia app developers to address key privacy and security issues through adoption and development of common technology standards. We have achieved this milestone through a strategy of government-industry collaboration, with industry members developing a number of multimedia apps based on common technology standards to ensure that the app architecture facilitates the exercise of data subject rights under the GDPR.
The GDPR considers encryption as one of the core techniques to protect personal data processing in enterprise. Secure Chorus addresses the GDPR requirement to implement appropriate security for personal data processing through the use of an open cryptography standard called MIKEY-SAKKE. Encryption is a cryptographic method that turns data into an encoded and unintelligible version, using encryption algorithms and an encryption key. A decryption key or code enables others to decode it.
The UK’s National Cyber Security Centre (NCSC) defined MIKEY-SAKKE, which was then then standardized by the Internet Engineering Task Force (IETF). Access to this type of globally accepted, strong and reliable cryptography has become vital to app developers that are becoming increasingly aware of the widespread risks associated with internet use.
The adoption of MIKEY-SAKKE by app developers also helps them to address the GDPR requirement on businesses: that of being able to decrypt personal data cases of data subjects exercising their right to request access to data via a subject access request, to receive information about such data, as well as request various actions to be undertaken on them.
MIKEY-SAKKE is configured so that each user is attached to a Key Management Server (KMS), where the keys are issued to users by an infrastructure managed by the business’ IT department. This ensures that the ability to decrypt content remains private to the individuals communicating.
However, in exceptional cases such as a subject access request, it also allows the business to derive a valid decryption key from the KMS. To audit an encrypted communication, the organization should export a user-specific and time-bound key from the KMS. This key enables an audit function to decrypt a specific user's communications for a specific time period (e.g. week or month). The KMS is able to log this action to ensure that it is accountable.
To conclude, there are two critical considerations for organizations that have adopted multimedia apps to interact with, and offer services to, their customers. First is to choose multimedia apps that provide end-to-end encryption of personal data. This will ensure that any data processing activity can be done without compromising data security.
Second, organizations should choose apps that give them full control of the system security. This is important, as regulators will increasingly require access to an enterprise’s data.