Provider Information Update Form Current: Fill & Download for Free

When people exploit weaknesses in cryptosystems, this virtually never has anything to do with finding flaws in mathematical reasoning—indeed, the closest thing to this that I can recall occurring was the discovery that the SHA-1 hash function was proved to be insecure, and there was never a proof that it was secure to begin with. Implemented correctly, modern cryptographic protocols are about as fool-proof as they could be. I suppose, in theory, someone could come along and prove that one of the problems that we believe is hard actually isn’t, but to date no one has.The problem is that when you are implementing a cryptosystem on a physical device, you have at least two significant weaknesses that mathematics cannot shield you from: 1) physical limitations and 2) human error. Let’s discuss both in turn, and see how they can screw you over.All mathematical proofs that cryptosystems are secure are based on assumptions about what is and is not known to any would-be attacker. However, when you are actually building a physical system that is meant to implement this, there might be all sorts of ways that you might leak information without meaning to. For example, an attacker might measure how long it takes for a server to respond to different queries—if it takes significantly longer on certain inputs, this might provide information about the cryptosystem (see timing attacks). Similar attacks can be carried out by measuring power consumption, or even listening to how loudly the cooling fans are working.Perhaps much more damning is human involvement in cryptosecuity, because humans manage to mess up pretty much everything at every level. There is no guarantee that the programmer that is implementing the cryptosystem actually does it correctly. There is no guarantee that the companies in charge of properly storing private keys securely actually do so. There is no guarantee that users will manage their passwords in anything resembling a sensible manner. Social engineering is a tried and true method of attacking information systems because it turns out that humans are often much easier to fool than computers.Let me give you an example where a cryptosystem was rendered completely insecure, despite the fact that the underlying mathematics was perfectly sound. The full story is presented here, but it concerns the mystery of how the NSA is, purportedly, able to break the encryption of many websites. The suggested answer is that the NSA found a weakness in how the Diffie-Hellman key exchange is often implemented. The way that it is supposed to work is that on start-up, the two parties that are communicating have to agree on a single large prime of a particular form, and then use that to produce keys that they share between each other so that they can send encrypted information back and forth without other people being able to read it. Here’s the problem, though: the way the exchange is supposed to work, you choose this large prime at random on start-up. But this requires additional computational time, and programmers are lazy. So instead, most users of this cryptosystem wound up just using the same primes over and over and over. So, what the NSA probably did is they just devoted a lot of CPU time to crack some of these primes that were getting constantly reused, and all of a sudden they had access to everyone’s private data. You can’t fault either Diffie or Hellman for this, but I guess that’s not a big consolation.If you could remove all problems of implementation and human error, then something like RSA should be perfectly safe, provided that you are using a long enough key to be able to avoid brute force attacks (and assuming that integer factorization is actually hard). In fact, if you keep increasing the size of your keys, such systems become more secure with increased processing power, not less. The reason for this is that key generation runs in polynomial time, but cracking keys does not. So, as processing power increases, so does the gulf between the longest keys we can reasonably generate and the time it takes to crack such keys. Of course, that is assuming that we do increase key size as more and more powerful machines are available, which sadly isn’t quite true—cryptographic protocols are updated from time to time, but you can’t guarantee that every company that you have given your private information to will actually keep up with best practice.Addendum:I perhaps should have mentioned quantum cryptography, because it seems like it is going to be the next wave. We know that there are certain problems that quantum computers can solve much faster than our current machines—this is an issue for any cryptosystems based on the assumption that such problems are difficult. In particular, it is commonly suggested that quantum computers will make RSA insecure, because it is known that Shor's algorithm can quickly factor large integers, which is one of the cornerstones of RSA security. The funny thing is that it isn’t actually clear that RSA cannot be adjusted somewhat to accommodate this—for more on this, I suggest looking here. In any case, quantum computing is still in the future, and the big work being done at the moment is trying to figure out what cryptosystems are and aren’t going to be resistant to it.

Add checkboxes to your signup forms (if you don’t have them yet). They must not be preselected (no implied consent, right?) and they should cover the information about how the collected data will be processed.Update your cookie information. It should provide information about the aim of collecting cookies and the way they are being processed.Check what tracking codes you have in your product. Make sure that they are really necessary for you to analyze the behavior of your app users and you have access to all the data that these codes collect.Update Privacy Policy. It should contain information about the sort of data that you collect (including cookies and data collected through all the tracking codes), the way that you intend to use it, the way you share the information with third-party companies (such as advertising or analytic service providers), security issues and procedures that the user should follow to change or delete his or her data.Update your Terms of service (also known as Terms of use or Terms and conditions) and make sure that your users read the updated document! It should contain the information about:> Disambiguation/definition of key words and phrases> User rights and responsibilities> Proper or expected usage; definition of misuse> Accountability for online actions, behavior, and conduct> Privacy policy, outlining the use of personal data> Payment details such as membership or subscription fees, etc.> Opt-out policy describing procedure for account termination, if available> Arbitration detailing the dispute resolution process and limited rights to take a claim to court> Disclaimer/Limitation of Liability clarifying the site’s legal liability for damages incurred by users> User notification upon modification of terms, if offeredRemember to make sure that your users read the updated document! A good practice is to send an email listing the changes and linking to the full document.Make your users accept the changes. How to do it? You can, for instance, create a pop-up with the new version of documents (Terms of Service, Privacy Policy). When the user logs in to your app, he or she will need to accept it in order to proceed and use the application. Remember to store the logs of the acceptance!Update your database. Your current users or subscribers have the right to be forgotten (if they want to).Store all the data in a safe place. The regulation requires you to evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption (GDPR, Recital 83). Focus particularly on the data from registration forms as they probably contain the most sensitive data such as name, email address or phone number.Make sure sessions and cookies expire and are destroyed after logout.Enforce secure communications through HTTPS. If you don’t have an SSL certificate, it’s high time you create it! It protects the integrity of your website, the privacy and security of your users and apart, it’s a requirement for many new browser features.In order to make sure that your business is GDPR compliant, you should get professional assistance of a lawyer.Disclaimer: The answer is based on my recent article. You can read it here: What are the steps to take as a SaaS product to be a GDPR compliant? Despite the changes that you need to implement in your app, it covers some theory about what aspects of GDPR apply to web applications (data processing agreement, etc.)

Technology startups will be affected just like any other companies.GDPR affects anyone who processes data of EU residents. Whether you’re an international company or a local business, if you are based in EU and/or you process data of EU residents, you must comply with the regulations regarding the collection, storage, and usage of personal information.If you need to learn more about what GDPR is and who should be concerned about it, take a look at this article: What is GDPR and how does it affect my business?In order to compy with GDPR, you need to:Add checkboxes to your signup forms (if you don’t have them yet). They must not be preselected (no implied consent, right?) and they should cover the information about how the collected data will be processed.Update your cookie information. It should provide information about the aim of collecting cookies and the way they are being processed.Check what tracking codes you have in your product. Make sure that they are really necessary for you to analyze the behavior of your app users and you have access to all the data that these codes collect.Update Privacy Policy. It should contain information about the sort of data that you collect (including cookies and data collected through all the tracking codes), the way that you intend to use it, the way you share the information with third-party companies (such as advertising or analytic service providers), security issues and procedures that the user should follow to change or delete his or her data.Update your Terms of service (also known as Terms of use or Terms and conditions) and make sure that your users read the updated document! It should contain the information about:> Disambiguation/definition of key words and phrases> User rights and responsibilities> Proper or expected usage; definition of misuse> Accountability for online actions, behavior, and conduct> Privacy policy, outlining the use of personal data> Payment details such as membership or subscription fees, etc.> Opt-out policy describing procedure for account termination, if available> Arbitration detailing the dispute resolution process and limited rights to take a claim to court> Disclaimer/Limitation of Liability clarifying the site’s legal liability for damages incurred by users> User notification upon modification of terms, if offeredRemember to make sure that your users read the updated document! A good practice is to send an email listing the changes and linking to the full document.Make your users accept the changes. How to do it? You can, for instance, create a pop-up with the new version of documents (Terms of Service, Privacy Policy). When the user logs in to your app, he or she will need to accept it in order to proceed and use the application. Remember to store the logs of the acceptance!Update your database. Your current users or subscribers have the right to be forgotten (if they want to). If they don’t accept the changes in your new Privacy Policy or ToS, you should also delete them from your database.Store all the data in a safe place. The regulation requires you to evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption (GDPR, Recital 83). Focus particularly on the data from registration forms as they probably contain the most sensitive data such as name, email address or phone number.Make sure sessions and cookies expire and are destroyed after logout.Enforce secure communications through HTTPS. If you don’t have an SSL certificate, it’s high time you create it! It protects the integrity of your website, the privacy and security of your users and apart, it’s a requirement for many new browser features.In order to make sure that your business is GDPR compliant, get professional assistance of a lawyer.Disclaimer: The answer contains some of the information from my recent article about GDPR-compliance for web applicaitions. You can read the whole article here: How to make sure your app is GDPR compliant?