The world looks to Denmark for strong leadership in encryption

The world looks to Denmark for strong leadership in encryption

The four core pillars of GDPR are: citizen rights to their data; incident response; pseudo-anonymity; and encryption. Most countries of the world, though, are still struggling with these things, and especially when it comes to encrytion. But one country in the world … Denmark … has decided that enough is enough and had mandated for encryption.

For them they have taken Article 9 of the GDPR (‘processing of special categories of personal data’) and made it mandatory to encrypt senstive data. For me, this type of approach MUST be applied into every country which complies with GDPR, and it should scale across both the public and the private sector. In Denmark this will apply to any organisation which does business in Denmark, or will relate to any Danish citizen. While it only relates to the data in transit — such as using TLS sessions — it shows a move towards encryption-by-default.

Encrypting email

From 1 January 2019, companies in Denmark also have to make sure that all sensitive emails are encrypted with end-to-end encryption (complying fully with Article 9 of GDPR). In this way, not even system administrators will be able to read user’s emails.

And so for an email system which has existed for over 40 years, it is quite shocking that we are only now starting to take the security of emails seriously. Ask Sony about how embarrassing the leak of corporate emails can be.

The move is likely to start a wave of change across the EU, as companies adopt the leadership of Denmark. With the increase in data breaches, it seems that it is one of the best ways to prevent serious leakages of sensitive information. One must wonder why areas such as health care haven’t already moved to end-to-end encryption, as the article covers:

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Presently email is only secured while it is tunnelled over a network connection, and which provides little security on the emails on the server. End-to-end encryption means that the sender can sign an email for its content, and where only the recipient will have the encryption key to read the email.

One way for Bob to send an email to Alice, is for Bob to generate a unique encryption key, and then encrypt the message for Alice. Bob then encrypts the encryption key with Alice’s public key. Alice can then decrypt the key with her private key, and reveal the message. Bob also takes a hash of the message, and encrypts this with his private key, and gives to Alice, she decrypts it with Bob’s public key, and if she gets the same hash, she knows it was Bob who signed the email, and that the email has not been changed:

Conclusions

While the focus in Denmark is on personally sensitive information, it is likely that it will scale out to cover every email sent within a corporate environment. In five years time, cybersecurity will look back on our time as one which cared little about proper security, and basically applied sticking plasters. The future is towards full encryption of data, and every part of its journey. While countries like Finland, Estonia and Denmark seem to value the rights of privacy of citizens, other countries around the world still want to be able to read emails. The strict compliance of GDPR will see the citizen winning out. For those who mine our emails, or who try to hack them, there will be a change coming soon.

While protecting citizen-rights, the move in Denmark may also bring benefits to companies operating there, and where the country is increasingly seen as a place which has high standards of protecting citizen data. While some countries of the world move towards breaking encryption, the Danes move in the other direction.

As an academic I stand by the rights to privacy for our citizens and strive to build systems which integrate with rights, while applying strong governance and consent. Our existing data world is flawed, and still based on the methods and protocols we created in the 1980s. The need to switch this world off soon, and move over to a world which has cryptography as its lowest layer.

I’ve borrowed this from a model from the finance industry, but I think it, at least, illustrates the layers of the new world that we are creating: