A veritable who’s who of tech giants from Google, Facebook, Microsoft and Twitter, went public last week with a partnership on a standards initiative called the Data Transfer Project (DTP), built to enable data portability between cloud platforms. But security researchers believe the project’s privacy implications need to be better vetted.

Towards a Universal Data Portability Framework

This framework will include tools that can convert any service’s proprietary APIs to and from a small set of standardized data formats to ones that can be used by anyone. Using as a starting point publicly available APIs from Google, Microsoft, Twitter, Flickr, Instagram, Remember the Milk and SmugMug, the framework would allow seamless data transfer (only with user consent) for a range of information, including photos, mail, contacts, calendars and tasks. The idea is to create one, open-source approach that will enable consumers to “transfer their data directly from one service to another, without needing to download and re-upload it,” according to a Google blog post on Friday.

“This makes it possible to transfer data between any two providers using existing industry-standard infrastructure and authorization mechanisms, such as OAuth,” Google explained.

The benefits are varied; for one, the interoperability will make it easier for users to move their cherished digital data from one service to another without worrying that something will be lost in translation, and without having to jump through a lot of hoops. That should make trying out or moving to a new service easier. It also can pave the way for better data backups. Microsoft, in a blog post on Friday, struck a more general note, saying that “portability and interoperability are central to cloud innovation and competition.”

Pravin Kothari, CEO of cloud security vendor CipherCloud, listed out for Threatpost some positives for consumers: “The DTP may enable users to back up important information, organize their data across different accounts, recover more rapidly from cyber-events like account hijacking, and retrieve data from old or to be discontinued services.”

Chris Olson, CEO of The Media Trust, also pointed out that there’s a data-control upside. “The Data Transfer Project could be a game changer – you have the biggest tech companies facilitating consent-based sharing of consumer data, and you have consumers more able to manage the data that companies collect on them,” he told Threatpost in an email.

Google echoed this in the posting: “As it is an open-source product, anyone can inspect the code to verify that data isn’t being collected or used for profiling purposes.”

Google in its posting also laid out the security aspects of the DTP.

“Services must first agree to allow data transfer between them, and then they will require that individuals authenticate each account independently,” it explained. “All credentials and user data will be encrypted both in transit and at rest. The protocol uses a form of perfect forward secrecy where a new unique key is generated for each transfer. Additionally, the framework allows partners to support any authorization mechanism they choose. This enables partners to leverage their existing security infrastructure when authorizing accounts.”

Concerns Remain

There are some potential privacy pitfalls to the DTP idea, James Lerud, head of the behavioral research team at Verodin, told Threatpost.

“The project does not make it easy to remove service A’s existing access to data,” he explained via email. “Taken by itself, the project does little to improve the security of consumer data; it provides new options for consumers to safely share data between services. The distinction is that consumers may gain control over transferring data, while the security of the data is unchanged or potentially diminished by having copies of data stored in multiple services.”

Brian Vecci, technical evangelist at Varonis, had similar thoughts.

“On its face, this sounds like a great way to give users more control over their own data, making it easier to get your information from one source to another,” he told Threatpost via email. “There are significant privacy concerns with this, though. Transferring data like this almost certainly doesn’t mean that data will be deleted on the source service, so while you get the convenience of having information in multiple places, there are also now multiple places where your data can be lost, stolen or misused in some way.”

The concern is especially piquant given that regulations like the recently enacted GDPR in the European Union lays out strict privacy for protections for user data.

“GDPR is forcing companies to be very careful with what data they collect, who potentially has access to it, how it’s used and when it’s supposed to be deleted,” said Vecci. “This is generally easier for data that’s collected organically as part of a specific process, like when you enter your contact information into a website.”

On the other hand, “when you grant a company an entire dump of past data from another source, the potential for that information to end up in places where it’s not properly tracked or kept private is potentially higher,” he said. “Consumers should be careful about what kind of data they provide to which companies.”

He advises there should be a good reason for performing a transfer, “because every company that has your data is another company that could misuse it or see that data leaked as part of a breach.”

And, in the event of a breach, who would be held responsible?

“For example, in the centralized deployment model, a third party takes on the role of the ‘Hosting Entity,’ and sets up a ‘Host Platform’ to process requests between providers,” CipherCloud’s Kothari said. “This concentrates potentially more data flow than ever before through one central point. According to the July 20, 2018 Data Transfer Project Overview and Fundamentals document, the Hosting Entity must acquire API keys for all the providers it wants to be able to transfer data to or from. In the event of a data breach who, exactly, will be responsible for the breach of the data? Given key ownership, how many vendors will fall into GDPR compliance due diligence due to a centralized breach?”

He added that it may be too soon to trust tech behemoths with that kind of responsibility.

“It was only a short moment ago that Facebook was reeling from the implications of Cambridge Analytica,” he said. “Until major technology companies like Facebook and others can demonstrate the correct policies, a maturity of judgment, as well as time-tested strong data security and operational GDPR compliance, the Data Transfer Project may offer more risks than rewards for consumers.”

Better Compliance in the Offing

As for the tech giants themselves, there are other implications for compliance with a growing number of regulations – not just the GDPR, but also measures like the recently passed California Consumer Privacy Act and Canada’s upcoming PIPEDA.

“For one thing, companies of all sizes will need to do more to know and manage the third parties that leverage their platforms in order to access consumers and their data,” The Media Trust’s Olson told Threatpost. “They will need to have stronger policies in place, as well as better processes and tools to enforce those policies, to ensure that data portability does not lead to any data leakage. If companies have the same information on consumers, cybercriminals might focus their campaigns on smaller, less secure companies, not to mention their even more vulnerable third parties, to access the data they want.”

Simon Langton, vice president of professional services at Avecto, added that the DTP may be a spur to tech giants to be more vigilant than before on that front.

“Companies are creating a culture of accountability, and it will force greater review policies, procedures and best practices to strengthen defense and improve data integrity,” he told us.

For its part, Google framed the DTP as a GDPR-led effort.

“GDPR encourages companies to enable direct service-to-service data transfers where feasible, for example from Google Photos to another photo service,” it said in a post about its GDPR preparations. “To support that aim, we’ve recently initiated the Data Transfer Project on GitHub, providing early-stage open source code that will, in time, be of use to any developer wanting to offer seamless transfer of data from one service directly into an alternative (or vice versa).”