Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

7/23/2018
05:27 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Microsoft, Google, Facebook, Twitter Launch Data Transfer Project

The open-source Data Transfer Project, intended to simplify and protect data transfer across apps, comes at a sensitive time for many of the participating organizations.

Microsoft, Google, Facebook, and Twitter have teamed up to launch a new initiative dubbed the Data Transfer Project (DTP), which is intended to simplify data sharing across services.

The open-source effort is dedicated to building tools that will enable users to directly transfer information from one service to another so they don't have to download and re-upload it, explains Google, which first mentioned the project in a post about its preparations for GDPR (General Data Protection Regulation). Instead, people can port data from one company to another from within an application.

It's an interesting and somewhat sensitive time for these companies to be embarking on a data sharing project, given both Facebook and Google have recently been at the center of news involving their use of consumer information. Facebook is still dealing with the aftermath of the Cambridge Analytica scandal, which was centered around its API. Google recently responded to a report stating developers can sift through users' inboxes using third-party apps.

The participating organizations outlined their plans to secure and protect users' data in a white paper on the initiative, and described the responsibilities of users and businesses to protect information.

How the DTP works: all organizations involved with DTP are creating tools to convert any service's proprietary APIs to and from a set of standardized data formats, which can be used by anyone. This will let people move data between any two services using a standard infrastructure and authorization. So far, Google says, they have created adapters for seven providers and five types of user data.

DTP is made up of three main components, as explained on the project's website. The first are data models, or frameworks to create a common understanding of how to transfer information. Data models are grouped in verticals; for example, photos, emails, contacts, and music.

Each vertical has its own set of data models to facilitate transfer of related file types. The music vertical, for example, would have models for playlists, songs, or music videos. One goal of the DTP for organizations to use common data models, which would lessen the need for individual businesses to maintain and update proprietary APIs.

The second component is company-specific adapters for data and authentication. Data adapters consist of code that translates a provider's APIs into data models, and they come in two pairs: one is an exporter to translate from a provider's API into the data model; the other is an importer to translate from the data model into the API. Authentication adapters let consumers log into their accounts before moving data from service to service.

Task management libraries process background tasks: calls between adapters, secure data storage, retry logic, failure handling, individual notifications. DTP has task management libraries as a reference implementation for how to use the adapters for transferring data between apps.

Weighing in on Data Security

Services involved with the project must first agree to data transfer between platforms and require users must independently authenticate to each account. Authorization mechanisms are up to partners, so they can choose any form currently in their existing security infrastructure.

Users' data and credentials will be encrypted in transit and at rest, Google explains in a blog post on the news. Further, the DTP will rely on a platform of what Google describes as "perfect forward secrecy," which generates a new unique key for each transfer. Because DTP is open source, anyone is free to check the code and verify data isn't collected or used maliciously.

Microsoft's Craig Shank, vice president for corporate standards, points out how DTP enables data portability that will be especially important for people with poor Internet access.

"For people on slow or low bandwidth connections, service-to-service portability will be especially important where infrastructure constraints and expense make importing and exporting data to or from the user’s system impractical if not nearly impossible," he writes in a blog post.

While it may seem weird to see four tech giants working together on a project like this, breaking down the barriers for data transfer would make things easier for users and companies in the wake of GDPR, which requires platforms to provide all available information on a person.

Existing code for DTP can be accessed on GitHub.

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jenshadus
50%
50%
jenshadus,
User Rank: Strategist
7/24/2018 | 2:11:10 PM
Trust
These companies have broken their trust with the public in so many levels it's a wonder they are even still in business.  I for one, and except for linkedin, refuse to use them under my own name, post no pictures, and comments under a nom de plume, and stay out of the picture as much as I can.  I have no idea how anyone feels.  These companies start with good intentions, and turn the data over for bad uses.  
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5790
PUBLISHED: 2020-10-20
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5791
PUBLISHED: 2020-10-20
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.
CVE-2020-5792
PUBLISHED: 2020-10-20
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.
CVE-2020-25157
PUBLISHED: 2020-10-20
The R-SeeNet webpage (1.5.1 through 2.4.10) suffers from SQL injection, which allows a remote attacker to invoke queries on the database and retrieve sensitive information.
CVE-2020-25648
PUBLISHED: 2020-10-20
A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw...