This article was first published at ITK SECURITY.
Last update 1 year ago by Patrick RuppeltReading time: 8 minutes
Even I, as a TÜV-certified data protection officer, don't really care what the supervisory authorities sometimes say, if I may say so profanely.
I don't even want to know what kind of whistleblowers are sitting there. Firstly, some of them should learn the basics of data protection law before they open their mouths, and secondly, there is still such a thing as common sense.
I have already gone into details in other articles. Therefore, I will leave it at this point with a few humorously sarcastic quotes that are taken out of context but stand for themselves. Just take it as a personal comment. I wish I could say I'm not that serious about all this, but to be honest it's a pretty serious thing.
Source references for all quotations all come from the Berlin Data Protection Commissioner Maja Smoltczyk:
- Berlin Commissioner for Data Protection and Freedom of Information, Checklist for Conducting Video Conferences During Restricted Contact Periods1)
- Berlin Commissioner for Data Protection and Freedom of Information, Berlin Data Protection Commissioner on the conduct of video conferences during contact restrictions2)
Thesis #1 Phone is safer than video
I wonder if they have ever heard that telephone and fax have always been unencrypted?
Even the encryption of modern IP phones only goes as far as the telephony provider. What happens afterwards in the network is another question.
The complexity and security of modern video conferencing solutions may be debatable, but the claim that telephones are generally more secure than video telephony is steep.
...and on:
Thesis #2 If video, then run it yourself
Also cool. Microsoft runs Teams on its own servers. These have been under load since Corona 720%. Microsoft is gradually limiting functions, reducing video bandwidth because even the Microsoft cloud servers are hopelessly overloaded worldwide.
The Berlin data protection commissioner is now of the opinion that a small company should simply operate itself what Microsoft has only just been able to provide in 30 years of development.
...or even:
...or even:
Thesis #3 The user looks into the source code of the software
Sure... Anyone is able to take software apart, to see if there are any indications in the source code that data is being tapped. Or to examine any data traffic in detail to find out what exactly is being transmitted. Quite apart from the fact that the network traffic is encrypted, so how am I supposed to look into it as a user?
Thesis #4 There are enough German / European providers of such solutions
What world are you actually living in up there? I'll cut a long story short: I don't know of a single European provider that has something like this in its portfolio. Not from Germany anyway.
...or even:
...and it's totally cool when the dear lady herself realises that what she recommends doesn't exist at all. DOH DOH DOH.
Thesis #5 Privacy Shield is secure
So Ms Smoltczyk, seriously. Do you have any idea what Privacy Shield is? Questionnaire tick "yes I am sure". That is only something on paper, but has nothing to do with real security, dear expert.
Thesis #6 You must not use anything from Microsoft in general.
Reason? Yes, uh... hm... no, none. Just thrown into the room like that. That shows real expertise. Wow...
I generally disagree with the Berlin data protection commissioner. I would even go so far as to say that the dear Ms Smoltczyk is quite off the mark here with her absurd statements.
or also:
Thesis #7 If video provider is located in the EU or EFTA, then no encryption is needed
Ahem. Yeah. It's a daring reversal, okay. Did I maybe misunderstand what she was writing? I don't know. Somehow... Whatever there is to smoke in Berlin, I want some of it, too.
Thesis #8 The more sensitive the subject matter, the more likely the conference will be hacked
Logical.
I already know what is meant. I guess it's aimed at the fact that if something at equal probability of occurrenceIf something happens, regardless of whether it is sensitive or not, then the subsequent risk is naturally higher in the case of sensitive conversations. But please, you can't give out a letter of recommendation like that...
Thesis #9 Gag little sausage the American global corporation by contract!
How can you be so unworldly? I was involved in negotiations for almost 5,000 Microsoft Office 365 / Teams licences. It took three months of negotiations, together with three specialist lawyers from a large international company. To be clear, we are talking about a customer who pays over 100,000 € per month to Microsoft. Microsoft did not change a single comma in the contract because Microsoft is not interested in special cases.
...and on:
My personal recommendation
Don't believe everything you read from official sources. Theory and practice are already miles apart, but something like this is just stupid. Many companies are really struggling with other problems right now.
Switch on your brain, think about it and, if in doubt, just ask your data protection commissioner. I'm sure he'll be more likely to agree with me than with the Berlin data protection commissioners...