Application Security

7/23/2018
05:27 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Microsoft, Google, Facebook, Twitter Launch Data Transfer Project

The open-source Data Transfer Project, intended to simplify and protect data transfer across apps, comes at a sensitive time for many of the participating organizations.

Microsoft, Google, Facebook, and Twitter have teamed up to launch a new initiative dubbed the Data Transfer Project (DTP), which is intended to simplify data sharing across services.

The open-source effort is dedicated to building tools that will enable users to directly transfer information from one service to another so they don't have to download and re-upload it, explains Google, which first mentioned the project in a post about its preparations for GDPR (General Data Protection Regulation). Instead, people can port data from one company to another from within an application.

It's an interesting and somewhat sensitive time for these companies to be embarking on a data sharing project, given both Facebook and Google have recently been at the center of news involving their use of consumer information. Facebook is still dealing with the aftermath of the Cambridge Analytica scandal, which was centered around its API. Google recently responded to a report stating developers can sift through users' inboxes using third-party apps.

The participating organizations outlined their plans to secure and protect users' data in a white paper on the initiative, and described the responsibilities of users and businesses to protect information.

How the DTP works: all organizations involved with DTP are creating tools to convert any service's proprietary APIs to and from a set of standardized data formats, which can be used by anyone. This will let people move data between any two services using a standard infrastructure and authorization. So far, Google says, they have created adapters for seven providers and five types of user data.

DTP is made up of three main components, as explained on the project's website. The first are data models, or frameworks to create a common understanding of how to transfer information. Data models are grouped in verticals; for example, photos, emails, contacts, and music.

Each vertical has its own set of data models to facilitate transfer of related file types. The music vertical, for example, would have models for playlists, songs, or music videos. One goal of the DTP for organizations to use common data models, which would lessen the need for individual businesses to maintain and update proprietary APIs.

The second component is company-specific adapters for data and authentication. Data adapters consist of code that translates a provider's APIs into data models, and they come in two pairs: one is an exporter to translate from a provider's API into the data model; the other is an importer to translate from the data model into the API. Authentication adapters let consumers log into their accounts before moving data from service to service.

Task management libraries process background tasks: calls between adapters, secure data storage, retry logic, failure handling, individual notifications. DTP has task management libraries as a reference implementation for how to use the adapters for transferring data between apps.

Weighing in on Data Security

Services involved with the project must first agree to data transfer between platforms and require users must independently authenticate to each account. Authorization mechanisms are up to partners, so they can choose any form currently in their existing security infrastructure.

Users' data and credentials will be encrypted in transit and at rest, Google explains in a blog post on the news. Further, the DTP will rely on a platform of what Google describes as "perfect forward secrecy," which generates a new unique key for each transfer. Because DTP is open source, anyone is free to check the code and verify data isn't collected or used maliciously.

Microsoft's Craig Shank, vice president for corporate standards, points out how DTP enables data portability that will be especially important for people with poor Internet access.

"For people on slow or low bandwidth connections, service-to-service portability will be especially important where infrastructure constraints and expense make importing and exporting data to or from the user’s system impractical if not nearly impossible," he writes in a blog post.

While it may seem weird to see four tech giants working together on a project like this, breaking down the barriers for data transfer would make things easier for users and companies in the wake of GDPR, which requires platforms to provide all available information on a person.

Existing code for DTP can be accessed on GitHub.

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jenshadus
50%
50%
jenshadus,
User Rank: Strategist
7/24/2018 | 2:11:10 PM
Trust
These companies have broken their trust with the public in so many levels it's a wonder they are even still in business.  I for one, and except for linkedin, refuse to use them under my own name, post no pictures, and comments under a nom de plume, and stay out of the picture as much as I can.  I have no idea how anyone feels.  These companies start with good intentions, and turn the data over for bad uses.  
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.