Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

7/23/2018
05:27 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Microsoft, Google, Facebook, Twitter Launch Data Transfer Project

The open-source Data Transfer Project, intended to simplify and protect data transfer across apps, comes at a sensitive time for many of the participating organizations.

Microsoft, Google, Facebook, and Twitter have teamed up to launch a new initiative dubbed the Data Transfer Project (DTP), which is intended to simplify data sharing across services.

The open-source effort is dedicated to building tools that will enable users to directly transfer information from one service to another so they don't have to download and re-upload it, explains Google, which first mentioned the project in a post about its preparations for GDPR (General Data Protection Regulation). Instead, people can port data from one company to another from within an application.

It's an interesting and somewhat sensitive time for these companies to be embarking on a data sharing project, given both Facebook and Google have recently been at the center of news involving their use of consumer information. Facebook is still dealing with the aftermath of the Cambridge Analytica scandal, which was centered around its API. Google recently responded to a report stating developers can sift through users' inboxes using third-party apps.

The participating organizations outlined their plans to secure and protect users' data in a white paper on the initiative, and described the responsibilities of users and businesses to protect information.

How the DTP works: all organizations involved with DTP are creating tools to convert any service's proprietary APIs to and from a set of standardized data formats, which can be used by anyone. This will let people move data between any two services using a standard infrastructure and authorization. So far, Google says, they have created adapters for seven providers and five types of user data.

DTP is made up of three main components, as explained on the project's website. The first are data models, or frameworks to create a common understanding of how to transfer information. Data models are grouped in verticals; for example, photos, emails, contacts, and music.

Each vertical has its own set of data models to facilitate transfer of related file types. The music vertical, for example, would have models for playlists, songs, or music videos. One goal of the DTP for organizations to use common data models, which would lessen the need for individual businesses to maintain and update proprietary APIs.

The second component is company-specific adapters for data and authentication. Data adapters consist of code that translates a provider's APIs into data models, and they come in two pairs: one is an exporter to translate from a provider's API into the data model; the other is an importer to translate from the data model into the API. Authentication adapters let consumers log into their accounts before moving data from service to service.

Task management libraries process background tasks: calls between adapters, secure data storage, retry logic, failure handling, individual notifications. DTP has task management libraries as a reference implementation for how to use the adapters for transferring data between apps.

Weighing in on Data Security

Services involved with the project must first agree to data transfer between platforms and require users must independently authenticate to each account. Authorization mechanisms are up to partners, so they can choose any form currently in their existing security infrastructure.

Users' data and credentials will be encrypted in transit and at rest, Google explains in a blog post on the news. Further, the DTP will rely on a platform of what Google describes as "perfect forward secrecy," which generates a new unique key for each transfer. Because DTP is open source, anyone is free to check the code and verify data isn't collected or used maliciously.

Microsoft's Craig Shank, vice president for corporate standards, points out how DTP enables data portability that will be especially important for people with poor Internet access.

"For people on slow or low bandwidth connections, service-to-service portability will be especially important where infrastructure constraints and expense make importing and exporting data to or from the user’s system impractical if not nearly impossible," he writes in a blog post.

While it may seem weird to see four tech giants working together on a project like this, breaking down the barriers for data transfer would make things easier for users and companies in the wake of GDPR, which requires platforms to provide all available information on a person.

Existing code for DTP can be accessed on GitHub.

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jenshadus
50%
50%
jenshadus,
User Rank: Strategist
7/24/2018 | 2:11:10 PM
Trust
These companies have broken their trust with the public in so many levels it's a wonder they are even still in business.  I for one, and except for linkedin, refuse to use them under my own name, post no pictures, and comments under a nom de plume, and stay out of the picture as much as I can.  I have no idea how anyone feels.  These companies start with good intentions, and turn the data over for bad uses.  
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27852
PUBLISHED: 2021-01-20
A stored Cross-Site Scripting (XSS) vulnerability in the survey feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via a textarea field. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).
CVE-2021-3137
PUBLISHED: 2021-01-20
XWiki 12.10.2 allows XSS via an SVG document to the upload feature of the comment section.
CVE-2020-27850
PUBLISHED: 2021-01-20
A stored Cross-Site Scripting (XSS) vulnerability in forms import feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via the import of a GF form. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).
CVE-2020-27851
PUBLISHED: 2021-01-20
Multiple stored HTML injection vulnerabilities in the "poll" and "quiz" features in an additional paid add-on of Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary HTML code via poll or quiz answers. This code is interpreted by users in a privile...
CVE-2020-13134
PUBLISHED: 2021-01-20
Tufin SecureChange prior to R19.3 HF3 and R20-1 HF1 are vulnerable to stored XSS. The successful exploitation requires admin privileges (for storing the XSS payload itself), and can exploit (be triggered by) admin users. All TOS versions with SecureChange deployments prior to R19.3 HF3 and R20-1 HF1...