Security and Web 2.0
I’ll admit, I hadn’t read Getting Things Done until now. Sorry. I guess I never got around to doing it.
Luckily, I seem to be half a GTD’er to start with – which means the topic of security in this context has been on my mind for quite some time. While it’s not something swept under the rug completely (one example being the steps taken by Evernote), it’s seemingly not seen as the big problem it really is.
Recently in Sweden we’ve had a few well-publicized break-ins into web services, where password files (either in clear text or as unsalted hashes) have been released into the wild. This in turn led to the public discovery that government officials, security experts and police personnel have used third-party web systems – like GMail – to store official or company data.
That is unacceptable – unless we change the current mindset of everyone involved in the ongoing transition to “data in the cloud”. It’s not enough that a service uses well-protected servers. It’s not enough if only a few admins have access to the data center. It’s not enough if my password is stored as a salted hash and you promise me you won’t sell my info to third-party companies.
It’s not enough, as long as a single person besides myself can access the data I’ve stored on your servers, in clear text.
I’d like to implement GTD, or some derivative, fully in my life. I cannot do it though, since as with many others in the “2.0 crowd” the border between what would be called my personal life and what I do at work is increasingly diffuse. I’ve worked far too long with security to allow myself to put up a single work-related note, mail or photo on a server not controlled by my company. I’d go so far as to bluntly state that if you do, you’re naïve as to the risks involved and the amount of corporate spying (company and government sponsored) being performed.
Now, this is probably solvable. Data portability, open APIs and open authentication schemes could and should be followed by personal privacy. A private key system, where every one of my access devices holds the key, encrypts data before it is sent to the servers and decrypts it when fetching, would satisfy the privacy fears, since the service never sees the key or the clear text. It does cause trouble for cloud computing, though.
(The trouble is, of course, that encrypted data cannot be modified by the service. If we were to let the cloud computer modify the data it would need the key to decrypt it, and while the data sits decrypted on the provider’s machines it is indeed readable by spyware or by anyone else with access to them.)
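As an added illustration of the encrypt-on-device scheme described above (example code written for this page, not code from the original post or from any of the services mentioned): every device derives the same keys from a passphrase the service never learns, the service stores only opaque blobs, and the caveat in the parenthesis shows up in the tamper check, since any change the provider makes without the key is detected and rejected. The `CloudStore` class, the salt, the note text and the passphrases are all constructed for the demo. The HMAC-SHA256 keystream with an encrypt-then-MAC tag is a stand-in chosen so that the example runs on Python’s standard library alone; a real client would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a library like `cryptography`.

```python
import hashlib
import hmac
import secrets

# Added example: client-side (end-to-end) encryption of notes kept at a hosted
# service. Keys are derived on the device and never leave it; the service only
# stores blobs it can neither read nor alter without the client noticing.
# The HMAC-based stream cipher is a stdlib-only stand-in, not a recommendation.

KDF_ITERATIONS = 100_000  # assumed value for the demo; tune for real hardware


def derive_keys(passphrase: str, salt: bytes):
    """Derive independent encryption and MAC keys from the user's passphrase.
    The salt is public and may be stored by the service; the passphrase is not."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 KDF_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based stream: HMAC(key, nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh random nonce per message is essential."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject on any mismatch."""
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob was modified, or the key is wrong")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class CloudStore:
    """Constructed stand-in for the hosted service: stores and returns opaque blobs."""

    def __init__(self):
        self.blobs = {}

    def put(self, note_id: str, blob: bytes) -> None:
        self.blobs[note_id] = blob

    def get(self, note_id: str) -> bytes:
        return self.blobs[note_id]

    def tamper(self, note_id: str) -> None:
        """What a curious or compromised provider could try: flip one ciphertext bit."""
        b = bytearray(self.blobs[note_id])
        b[16] ^= 0x01  # first ciphertext byte, right after the 16-byte nonce
        self.blobs[note_id] = bytes(b)


SALT = b"per-account-salt"                   # constructed; public, kept by the service
NOTE = b"Call the bank about invoice 4711"   # constructed note content


def sync_between_devices(passphrase: str, note: bytes = NOTE) -> bytes:
    """Laptop encrypts and uploads; a phone with the same passphrase downloads and decrypts."""
    store = CloudStore()
    laptop_enc, laptop_mac = derive_keys(passphrase, SALT)
    store.put("gtd-inbox", encrypt(laptop_enc, laptop_mac, note))
    phone_enc, phone_mac = derive_keys(passphrase, SALT)
    return decrypt(phone_enc, phone_mac, store.get("gtd-inbox"))


def server_sees_plaintext(passphrase: str, note: bytes = NOTE) -> bool:
    """Does the stored blob contain the note, or even a 6-byte fragment of it?"""
    enc, mac = derive_keys(passphrase, SALT)
    blob = encrypt(enc, mac, note)
    return note in blob or note[:6] in blob


def tampering_is_detected(passphrase: str, note: bytes = NOTE) -> bool:
    """The provider flips a bit in storage; the client must refuse the result."""
    store = CloudStore()
    enc, mac = derive_keys(passphrase, SALT)
    store.put("gtd-inbox", encrypt(enc, mac, note))
    store.tamper("gtd-inbox")
    try:
        decrypt(enc, mac, store.get("gtd-inbox"))
    except ValueError:
        return True
    return False


def wrong_passphrase_is_rejected(passphrase: str, note: bytes = NOTE) -> bool:
    """A different passphrase yields different keys, so the tag check fails."""
    enc, mac = derive_keys(passphrase, SALT)
    blob = encrypt(enc, mac, note)
    other_enc, other_mac = derive_keys(passphrase + "x", SALT)
    try:
        decrypt(other_enc, other_mac, blob)
    except ValueError:
        return True
    return False
```

The point to take from the tamper check is the one made in the parenthesis above: the service can store and return the blob, and it can overwrite it, but it cannot edit the contents in any useful way without the key, and a bit-flip without the key is caught by the tag before the client decrypts anything.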
-“But I trust Google/Yahoo/Microsoft!”
You shouldn’t. What every cloud computing company should offer is a way for their service to use computing and storage resources at an external site, where private keys can be used in a secure environment. The access APIs would be the same, but the flow of information would be routed differently depending on the user’s credentials. A single user could then entrust personal data to a single company like one of the above, but when acting in a professional capacity have the data routed instead through other servers with more inherent trust and capabilities, such as ones controlled by the employer.
This would allow cutting-edge Web 2.0 services to become trusted tools usable by companies other than small startups (which, sorry to say, seldom care about security), and would reverse the worrying trend that only large suppliers with an existing business relationship are allowed to deliver (substandard, at that) collaboration utilities.
Come to think of it, what I just described is a B2B service directed at Web 2.0 companies. There should be someone already trying to implement it.
I can has invite plz?