[LINK] Microsoft slams local data centre edict
kim at holburn.net
Sun Nov 27 13:44:50 AEDT 2011
As Wikileaks discovered, once the file is out there you only need the key to be made public and all your encryption is gone.
That being said, I don't know how Cocoon Data's system works. They hold the keys for you? Adding more people you have to trust to a transaction usually makes things less secure.
On 2011/Nov/27, at 12:08 PM, Philip Argy wrote:
> With Cocoon Data's Secure Objects technology, the access control list
> for a file/directory/server etc can be kept in Australia and the
> encrypted file stored anywhere on the planet. Because the
> encryption/decryption keys and the access rights are totally
> controlled from here, and have to be referenced each time a file is
> sought to be opened, the paranoia about the location of the server on
> which the information is stored becomes irrelevant. The encryption
> mechanism can be as strong as you wish - 5,000+ bit keys if you're so
> inclined! What's important is where access control is - not where the
> data is.
> But of course this is just innovative Aussie technology that no-one
> here is interested in ...
> -----Original Message-----
> From: link-bounces at mailman.anu.edu.au
> [mailto:link-bounces at mailman.anu.edu.au] On Behalf Of Jan Whitaker
> Sent: Friday, November 25, 2011 9:36 AM
> To: link
> Subject: Re: [LINK] Microsoft slams local data centre edict
> Re Karen Dearne's article about the submissions on the PCEHR
> MS says in their submission:
> "Healthcare information stored in a PCEHR will not necessarily be
> better secured and protected simply by virtue of data being held
> within Australia's territorial boundaries, as compared to (offshore)
> storage repositories and portals operated under world's best practice
> security and privacy systems," it says in a just revealed submission
> on the draft bill.
> "By regulating the geography where the data is held rather than the
> level of security under which it is held implicitly establishes
> criteria for data protection that are not related to principles of
> technology security."
> Exactly right! There are more important things than the specific
> technology, like accountability, right of action, law, little things
> like that.
> I went to a briefing on ehealth info with an APF colleauge about 3 or
> 4 years ago. We met the person from Microsoft at the time running
> Healthvault or whatever it was called, the MS offering for storing
> personal health information at the pleasure of the individual rather
> than the government.
> The key question I asked him was: Will MS guarantee the information is
> stored in Australia to be under our legal jurisdiction? The answer was
> an unequivocal, yes, it will be stored in Australia. It was that
> The position MS takes about not focusing on the security misses the
> governance problem: whose law will cover the screw ups? It's not just
> about technical security or even privacy. It is about jurisdictional
> accountability. IANAL, but the issue of server location has seemed to
> be powerful enough for other actions where jurisdiction comes into
> play. Why does Microsoft say in their submission (as quoted in the
> article) that the government could contract them to meet the local
> jurisdictional requirements? Is that accurate?
> Link mailing list
> Link at mailman.anu.edu.au
IT Network & Security Consultant
T: +61 2 61402408 M: +61 404072753
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
More information about the Link