Privacy Wednesday Archives - Nextcloud

500+ users at non-profit organization Sea-Watch use Nextcloud for confidentiality of data

Wed, 08 Mar 2023 10:01:25 +0000
https://staging.nextcloud.com/blog/500-users-at-non-profit-organization-sea-watch-use-nextcloud-for-confidentiality-of-data/

Can Nextcloud support a team at sea? 🌊 The answer is yes!

In this blog, we describe the use case of the non-profit organization Sea-Watch and why a data sovereign collaboration platform is indispensable to their work.

Photo credits: Moritz Küstner / Sea-Watch

About Sea-Watch NGO

Sea-Watch is a non-profit initiative dedicated to civil sea rescue in the Mediterranean Sea. In the face of an ongoing humanitarian disaster, Sea-Watch provides emergency aid. The NGO demands, and at the same time presses for, rescue missions by the responsible European institutions. Sea-Watch also stands publicly for legal escape routes as well as for freedom of movement and a Europe based on solidarity.

The work of Sea-Watch’s 130 employees and 500 volunteers involves rescue and humanitarian work. They document human rights and legal cases, work to inform the public on the humanitarian crisis in the Mediterranean and advocate extensively in political affairs.

Data sovereign with Nextcloud

For a humanitarian aid and activist organization, keeping data safe and confidential is vital for the safety of all parties involved. When Sea-Watch looked for a cloud solution, sovereignty over their data and data security were critical.

“We were looking for a solution where we have complete sovereignty over our data and that’s how we came to Nextcloud.”

Sea-Watch

Their employees work around the world, so remote working and collaborating is part of their everyday work life.

With Nextcloud, employees and volunteers have a central location to store, share and work on documents, all stored on the Sea-Watch server. They also utilize:

  • Nextcloud Polls for data discovery
  • Nextcloud Forms for surveys
  • Keepass (an open source password manager) for teams / departments

Technical implementation

The Ship IT team deployed Nextcloud on a dedicated server using a Nextcloud-provided Docker image, with Office on a second server. A custom tool used to sync files with Nextcloud on board the ships caused a flood of session cookies, sometimes over 30 million between two cron job runs. Some reconfiguration of the session management in Nextcloud was able to fix this.

Since then, the team has migrated Nextcloud to a 3-node Proxmox cluster on which identity management, Nextcloud and office as well as other services are operated. The infrastructure is backed up with Proxmox Backup Server to another location.

Looking forward ⚓

The team is constantly growing, and Nextcloud has become the common tool, offering a great deal of functionality that is enormously important to their daily work.

Nextcloud is pleased Sea-Watch can better operate as an entire organization with more secure and efficient features.

Photo credits: Jon Stone / Sea-Watch

If you’d like to learn more about Sea-Watch, their mission and work, please refer to their website.

All you need to know about facial recognition technology and the Nextcloud Recognize app!

Wed, 30 Nov 2022 09:00:00 +0000
https://staging.nextcloud.com/blog/all-you-need-to-know-about-facial-recognition-technology-and-the-nextcloud-recognize-app/

Face recognition often gets a bad rap, as it’s associated with privacy infringements. However, Nextcloud software engineer Marcel Klehr would argue that the issue isn’t the technology itself, but how it’s used. To understand his thoughts, let’s first dive into how computers recognize faces.

How do computers recognize faces?

Face recognition is a system and technology that matches a human face from a digital image or a video frame against a database of faces.

The idea came about over 60 years ago when researchers tried computing the distances between an individual’s nose, eyes and mouth to determine their identity, and it has since been fine-tuned to be quite accurate and useful today.

Just like how the brain has neurons which process actions, so do artificial neural networks on a computer. Computerized neurons process and compute data recognizing statistical patterns. An (over) simplified example would go like this: you have a ‘network’ with 5 ‘input’ neurons (where you feed in information) and 1 ‘output neuron’ which shows you the outcome. The network does only one thing: tell you if something is a banana or not!

Each ‘neuron’ has to be told a type of information. Say, you tell neuron 1 the color of the object you have, the second neuron the size, the third its shape, the fourth its smell and so on. Each neuron will, when given information on an object, tell the ‘output neuron’ on a scale of 1-10 if it thinks what it got is banana-like. For example, the color neuron would give a 10 on yellow, 8 on green and brown, 7 on black, but 0 on red. The ‘output neuron’ adds up all chances and, at a threshold (which it has to learn by itself, one of the great tricks of neurons), says ‘yes, this is a banana’. A neural network that recognizes faces functions in a similar way, yet is vastly more complicated.

So you can train neurons to recognize something, but in order to do that you need a large set of data and a large amount of computer resources. That is why it’s taken so long for this type of deep learning to be accurate.

Once the system has been trained, you can then use face recognition to find and tag your family members, friends and more. You can even do object recognition to identify animals, nature and landmarks.

Recognize: A Nextcloud app

Google created and trained several neural network models that are free to use under an Apache license and are used by many open source projects like Recognize, the Nextcloud app created by Marcel.

To see which models are being used as well as a detailed explanation about how the app works, check out Marcel’s post here.

Recognize goes through your media collection and adds fitting tags which automatically categorize your photos and music. It can recognize:

📷 👪 Faces from contact photos

📷 🏔 Animals, landscapes, food, vehicles, buildings and other objects

📷 🗼 Famous landmarks and monuments

👂 🎵 Music genres

The downsides and risks

Based on the way the face recognition model works, the model itself is not harmful towards privacy. Face recognition in Recognize happens on your local Nextcloud and your photos aren’t sent anywhere else.

But there are challenges. First, as explained, the models are trained on data. There are issues with where this data comes from and how it is put together. If one were to train a network on images from Instagram, and ask what the life of a human looks like, it’s not hard to imagine that the result would be hopelessly optimistic! Models thus bring the biases in their data with them. A computer is of course not racist or sexist, but models designed to help with hiring people have been shown to exemplify these biases because the data used to train them contained them.

Beyond biases, one can ask if it is ok to take data stored for one reason and use it for training AIs.

Stanford University researchers for example collected and used 10,000 photos from Flickr, which was legal under the Creative Commons license, to share with China’s National University of Defense Technology and an AI company that provided China with surveillance technology. That was likely not what the people who uploaded their photos had in mind.

All in all, when companies compile these large data sets, it’s not known what they will do with the data or if it will be exposed to vulnerabilities. It is important to trust the service you offer your data to and understand their policies on data privacy. And it is important to be aware of the limitations of AI and what it is being used for.

NYT reports: Google offers no recourse for mistakenly blocked accounts

Wed, 16 Nov 2022 10:00:41 +0000
https://staging.nextcloud.com/blog/nyt-reports-google-offers-no-recourse-for-mistakenly-blocked-accounts-even-in-egregious-cases/

The possibility of your Google account being blocked forever?

It’s more likely than it may seem.

And Google will do nothing about it.

The story of 2 mistakenly blocked Google accounts

As seen in the New York Times article, two individuals from California and Texas have been permanently blocked from their Google accounts due to a mishap with Google’s automated child abuse algorithms.

The mishap being nude children’s photos intended for a doctor’s diagnosis.

Mark, a San Francisco dad and avid user of Google products, discovered his infant son was in pain in the groin area and immediately scheduled an online emergency consultation due to the COVID-19 pandemic. Mark and his wife were advised by the doctor to take a photo of the affected area in advance and upload it to a medical portal. The photos were taken on his Android smartphone and were backed up to the Google cloud. Two days later, the Google algorithm mistook the sensitive photos of his son for child exploitation and his account was disabled.

As a former software engineer, he was familiar with similar algorithms and Mark thought that there would be someone who would intervene and he’d get his account back, no problem.

He was wrong. Even after explaining his situation in a follow-up form, Google responded that they would not return the account, with no further explanation.

In an almost identical incident, Cassio, a Houston, Texas dad who was in the middle of buying a house, was also requested to take a photo of his sick son in an intimate area. He too took the photos for the doctor’s diagnosis on his Android phone, which was synced to Google Photos, sent them to his wife via Google Hangouts and ended up in the same misconstrued situation.

The consequences

Mark quickly realized the true detriment of the situation, like a domino effect.

Without access to his Google accounts, he lost his:

📩 Gmail email

👥 Contact list

📷 Photos on Google Photos

🎶 Music

📱 Phone number and carrier with Google Fi

🔏 Security codes for other Internet sites

👨‍💻 Most of his digital life …

“The more eggs you have in one basket, the more likely the basket is to break.”

Mark, New York Times

This everyday family man got locked out of most of his digital life that he’d acquired for over a decade.

Think about how this affects his personal life, family, job, career and more. All the information is intertwined and traces back to each and every Google product.

Given that he was such a loyal Google customer, you’d think the company would have at least looked into his case and reinstated all his accounts. After all, he did nothing wrong and was merely at the mercy of an algorithm.

From account blockage to police investigation

In both cases, their “violation” against Google’s policies turned into a police investigation, at first without their knowledge. However, both investigations were dismissed after a simple explanation. It was clearly an instance where they were caught in a false trap.

However, even after the police got involved and both cases were proven innocent, Google was not willing to re-activate their accounts or return their data. Both individuals, who for years have relied heavily on Google’s applications, were punished by a big tech corporation for something they were not guilty of.

Story takeaways

Nextcloud has written about this in the past, and now that it’s hit mainstream news, it’s more relevant, and a more critical call to action, than ever before.

1) Don’t take privacy for granted

Using Google Photos for instance is very simple for the everyday user, but unfortunately you’ll pay the price in privacy. And this can have consequences, even if you think you have “nothing to hide.”

“I knew that these companies were watching and that privacy is not what we would hope it to be … I haven’t done anything wrong.”

Mark, New York Times

It’s important to come to the realization that we live in a world where even your most private parts of life could become public and be used against you, through no fault of your own, and have dire consequences.

2) Big tech does not care about you

As seen in this story, even after such a highly publicized event, Google to this day has not owned up to its faults and failings. Surveilling thousands of accounts with the intention of protecting children against exploitation is justified; however, when the system fails there should be alternative procedures in place. Google does not return accounts even after a person was proven innocent, even to a loyal customer, or for any other reason. Why? They are more concerned about following government regulations and making money. Truth is, the individual is not protected.

“Companies need a ‘robust process’ for clearing and reinstating innocent people who are mistakenly flagged.”

Ms. Klonick, law professor at St. John’s University; New York Times

3) Never put all your eggs in one basket

Both victims in this case used Google products and services for the better part of their daily lives. To do that with any company is never wise, as you can never predict the consequences of what could happen. Read more here.

Do you really want to worry about what you save on your not-so-private photo album? Is it worth the possibility of wrongly getting turned in to the authorities? How about losing all your data for good?

There’s a lot of wrongful and unfair play currently happening at Google and I’m sure you don’t want to get on the wrong end of the stick. Turns out, it really can happen to me and you.

Schools in Denmark look toward open-source solutions after DPA bans Google Chromebooks

Wed, 26 Oct 2022 09:00:00 +0000
https://staging.nextcloud.com/blog/schools-in-denmark-look-toward-open-source-solutions-after-dpa-bans-google-chromebooks/

In the school district or municipality of Helsingør in Denmark, a conflict has arisen over the continuous use of Google Chromebooks despite the ban by the Danish Data Protection Agency (DPA).

Danish Data Protection Agency (DPA) bans Google Chromebooks

The ban was finalized this summer based on the concerning results of a risk assessment the DPA ordered last year. It proved that children’s data was not kept safe by Google and that the processing of personal data on Chromebooks is an infringement of several articles of the GDPR.

“The Municipality has done great and skilled work to map how personal data is used in the primary school, but it also sheds some light on the potential data protection issues with the big tech companies’ ways of solving the task.”

– Mr. Allan Frank, IT security specialist and lawyer at the Danish DPA

After the DPA’s decision, the Mayor of Helsingør, Benedikte Kiaer, took immediate action by formulating a plan to replace 8,000 Google Chromebooks. However, IT experts estimate this could come at a significant expense to the municipality, costing near 30 million DKK.

IT Professor advises solution

Luckily, there is another option.

A Professor of IT and Pedagogy at Aarhus University, Jeppe Bundsgaard, has called on all municipalities to switch to open-source solutions instead. He believes the installation of free Linux systems on the school’s Chromebooks would be cost efficient, and relatively easy to set up.

Credits: Aarhus University

Not only that, but the benefits of replacing the current Google operating system would greatly outweigh its limitations and skepticisms.

Benefits of switching to open-source

  1. Significantly fewer security problems

No longer would the schools be at risk of Google’s data harvesting and transferring of data to unwanted sources like US authorities.

“… first and foremost, the transition solves the problem that is the basis of this whole discussion, namely that municipalities use programs that share data with the US intelligence service and probably also use them for product development and marketing.”

– Jeppe Bundsgaard

  2. Less expensive bills

Open-source solutions are free to use, and the implementation of the new system would be much less costly.

“Security problems and expensive bills will be a thing of the past at Helsingør Municipality’s IT office if the municipality replaces the digital innards on school Chromebooks.”

  3. Not overly complicated to replace

“It’s quite a simple operation to do if you have a little technical ingenuity. And if you have to do it with a thousand computers in a municipality, you could probably figure it out.”

– Jeppe Bundsgaard

  4. No conflict with the GDPR in the EU

The fact that Google Chromebooks and Workspace infringe upon several Articles of the GDPR will not disappear. In fact, if the municipality continues to use these products and ultimately breaks the DPA’s order, they could risk a multi-million fine of around DKK 16 million.

  5. Schools can still use all the same systems i.e. Aula, Meebook, Outlook, etc.

Because most programs are almost all in the cloud and browsers can go online, this shouldn’t be an issue.

“… Google Drive also has an excellent alternative called Nextcloud. And it is also open source.”

– Jeppe Bundsgaard

  6. No dependencies

Researcher in data protection law at the University of Southern Denmark and member of the Data Ethics Council, Ayo Næsborg-Andersen, criticizes the dependency issue and having no plan B.

“The case illustrates very convincingly how dependent you become on a particular technology once you have introduced it. (…) Products that at first glance seem to be practical, easy and cheap solutions may turn out to be useless because they do not comply with the rules. And then you have a problem if you have adapted your entire system to these products and have no plan B,” said Ayo Næsborg-Andersen.

Furthermore, big tech giants create a lock-in strategy that keeps customers “locked” with them under the false assumption that there are no alternatives.

  7. Empowerment

Having no dependencies when switching to open-source ultimately empowers the customer. The code is open to everyone and the customer has the freedom of options.

“It’s a bit difficult to switch over, but as soon as you’re there, you’re going to have a higher degree of power over the way you do things, and you’re not constantly pushing the boundaries of what’s legal in terms of sharing data.”

– Jeppe Bundsgaard

For independence and future of the economy

For both digital sovereignty and the future of the economy, Jeppe Bundsgaard strongly encourages the public of Denmark to follow the recommendations of the EU’s Open Source Software Strategy: avoid the products of big tech giants, and move to an open-source solution.

Google loves to keep customers in its ecosystem while on the other hand not caring for its customers’ individual needs, as seen in this case. Due to the pressing issue, the tech giant is in conversations with the municipality to overcome its problems, but until they change their data processing and transferring policies, their products and services will still unduly infringe upon the GDPR.

Nextcloud in Education

Yes, there are alternatives! Nextcloud offers an Enterprise solution for educational institutions so schools can take advantage of all the benefits of a secure, open-source solution.

Now, schools can regain control of their data, and keep it in their own hands.

5 More Things to Keep your Data Safe

Wed, 10 Aug 2022 09:06:12 +0000
https://staging.nextcloud.com/blog/5-more-things-to-keep-your-data-safe/

Nextcloud has important security features you should know about!

Today’s blog highlights five Nextcloud features that provide the utmost security. Nextcloud provides its users with dozens of data privacy features; however, we’re presenting them to you in chunks.

Monitoring

To keep your files safe, you should know what is happening to them. Nextcloud has a number of ways that help users keep an eye on their files.

How to monitor your files with Nextcloud:

  • Track file activity – Have a clear overview of changes like newly added or deleted files in shared folders, recent edits, downloads, new comments from other users or tags, and more!
  • Add more monitoring capabilities with Nextcloud apps: Activities for shared file downloads, which lets you track downloads of your shared files, and Quota Warning, which sends notifications to users when they have reached 85, 90 and 95% of their quota. See more in the Nextcloud App Store.
  • The Server Information app allows admins to monitor the state and performance of a Nextcloud server installation. It shows some basic statistics and gives access to data through an API endpoint, which enables it to connect to industry standard tools like Splunk, Nagios and openNMS. In fact, Splunk and openNMS have support for monitoring Nextcloud systems.
  • Auditing Logs allow you to log data in the nextcloud.log file to not only monitor file handling and user management, but protect against data loss too.

Read more about Nextcloud Monitoring.

Advanced Permissions

Advanced Permissions allow the user to configure permissions on the files they share.

There are several types of permission options that make your files more secure like:

  • Setting permissions on a shared file to: read, create, edit, and / or upload.
  • Watermarking confidential documents to make it harder to steal data
  • Enabling a password protection or expiration date on a public file or folder
  • File-Drop: option to hide the contents of a folder where people can upload files to
  • Blocking downloads so the user can view and even edit the shared file(s), but not download them

With all of these features available, users can ensure their files are only accessed the way they want.

Machine learning based suspicious login detection

Introduced back in Nextcloud 16 by one of our developers, Suspicious Login Detection lets you protect your account through machine learning, which increases security and productivity even beyond our brute-force protection and 2-factor authentication.

Suspicious Login Detection uses a locally trained neural network to detect attempts to login by malicious actors.

The way it works is that the app tracks a series of successful logins for a set period of time, and then uses the generated data to train a neural network. This network essentially learns the patterns of the user: at what time and from what location they usually log in. Once this trained model is formed, the system can detect any unusual or suspicious logins. For example, if a user typically logs into the office at 9AM, and suddenly there is a login from a different city at 11PM, something is off. When such a login is detected, the user gets a notification and can check the logs, potentially concluding in a password change by the user.

Note that Suspicious Login Detection trains and works with local data and does not send data anywhere else!

File Access Control

File Access Control is a feature that enables administrators to limit access to files in accordance with business and legal requirements.

Rather than working on individual files, it creates a definition of rules that block file access, even if an individual user would have shared a file against company policy. File Access Control is configured using Flow, which can also allow an admin or user to perform automatic actions like file conversion, getting notified based on certain conditions, and more.

For example, a company’s HR department normally works with documents only they and management can see. The administrator in this case could create a rule or “flow” implementing the following rule: “PDF files – from the HR department – should not be accessible outside company IP ranges or from outside the HR department or management.” This means specifically that PDF files, from the HR department, outside company IP ranges, will be blocked.

You can set each specific filter as simple or complicated as you wish, as seen below:

Figure 1: There are unlimited possibilities with flows!

If, for instance, an HR employee accidentally shares a resume with the entire company, all is fine. When that link is accessed from outside management, the HR teams, or the company IP range, the rule kicks in and blocks access to the file.

Another example deals with a more specific and complicated flow, seen below. You set up a flow that only blocks files whose MIME type is an image, when the user is a member of the admin group, the file size is less than 5 MB, and the request matches a specific IPv4 address. If a file access request matches these rules, Nextcloud will block access to the file.

Set flows as complex and detailed as you wish to block access to files

There are truly countless options to the flows you can configure which ultimately safeguard your day to day workflow and business.
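The two flows described above, as an added example that is not part of the original post and not Nextcloud's own code: a simplified Python model in which a rule blocks a request only when all of its conditions match, so the "or" in the HR policy becomes two rules. The `hr` tag, the group names, the IP ranges and every function name are constructed assumptions.

```python
# Added illustration: simplified model of deny rules, not Nextcloud's implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional, Sequence


@dataclass(frozen=True)
class FileRequest:
    """One attempt to read a file (all field names are hypothetical)."""
    mime: str
    size: int            # bytes
    tags: frozenset      # labels on the file, e.g. {"hr"}
    groups: frozenset    # groups of the requester; empty for a public link
    remote_ip: str


Condition = Callable[[FileRequest], bool]


def mime_is(value: str) -> Condition:
    # A trailing slash ("image/") matches the whole MIME family.
    if value.endswith("/"):
        return lambda r: r.mime.startswith(value)
    return lambda r: r.mime == value


def has_tag(tag: str) -> Condition:
    return lambda r: tag in r.tags


def in_group(group: str) -> Condition:
    return lambda r: group in r.groups


def in_none_of(*groups: str) -> Condition:
    return lambda r: r.groups.isdisjoint(groups)


def ip_in(*cidrs: str) -> Condition:
    nets = [ip_network(c) for c in cidrs]
    return lambda r: any(ip_address(r.remote_ip) in n for n in nets)


def ip_not_in(*cidrs: str) -> Condition:
    inside = ip_in(*cidrs)
    return lambda r: not inside(r)


def smaller_than(limit: int) -> Condition:
    return lambda r: r.size < limit


@dataclass(frozen=True)
class DenyRule:
    name: str
    conditions: Sequence[Condition]

    def matches(self, req: FileRequest) -> bool:
        # Every condition must hold for the rule to block the request.
        return all(cond(req) for cond in self.conditions)


def blocked_by(rules: Sequence[DenyRule], req: FileRequest) -> Optional[str]:
    """Return the name of the first rule that blocks req, or None if allowed."""
    for rule in rules:
        if rule.matches(req):
            return rule.name
    return None


COMPANY_NETS = ("198.51.100.0/24",)  # constructed documentation range
MB = 1024 * 1024
PDF = "application/pdf"

RULES = [
    # HR PDFs are blocked outside the company IP ranges ...
    DenyRule("hr-pdf-offsite", (mime_is(PDF), has_tag("hr"), ip_not_in(*COMPANY_NETS))),
    # ... and for anyone who is neither in HR nor in management.
    DenyRule("hr-pdf-other-staff", (mime_is(PDF), has_tag("hr"), in_none_of("hr", "management"))),
    # Second flow: image, admin group, under 5 MB, one specific IPv4 address.
    DenyRule("small-admin-image", (mime_is("image/"), in_group("admin"),
                                   smaller_than(5 * MB), ip_in("203.0.113.7/32"))),
]


def evaluate_samples() -> dict:
    """Run constructed sample requests through RULES and return the verdicts."""
    hr, sales, admin = frozenset({"hr"}), frozenset({"sales"}), frozenset({"admin"})
    docx = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
    samples = {
        "hr_in_office": FileRequest(PDF, 200_000, hr, hr, "198.51.100.20"),
        "hr_at_home": FileRequest(PDF, 200_000, hr, hr, "192.0.2.44"),
        "sales_in_office": FileRequest(PDF, 200_000, hr, sales, "198.51.100.31"),
        "public_link": FileRequest(PDF, 200_000, hr, frozenset(), "192.0.2.44"),
        "hr_docx_at_home": FileRequest(docx, 200_000, hr, hr, "192.0.2.44"),
        "admin_small_png": FileRequest("image/png", 1 * MB, frozenset(), admin, "203.0.113.7"),
        "admin_large_png": FileRequest("image/png", 6 * MB, frozenset(), admin, "203.0.113.7"),
    }
    return {name: blocked_by(RULES, req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:18} -> {verdict or 'allowed'}")
```

The `hr_docx_at_home` sample is allowed because the rule names PDF files only, which shows how narrowly a rule applies once a file type condition is part of it.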

Audits

Audits are important security and compliance measures that can be used by companies to identify problems, track and dissect the causes of security or data loss breaches, improve efficiency, and instill trust in their partners and customers. They are often legally required and thus it is important that a collaboration platform supports them.


“After testing the solution in a Proof of Concept, it clearly appeared that Nextcloud was professionally developed and maintained. It was very stable and the security audit was excellent. It was prompt, professional and very efficient.”

City of Geneva Case Study

Figure 2: Image by Pixabay

Nextcloud supports an audit log which stores the activities of all users of the system, suitable for review in case this is needed.

Of course, as a company, we also have our own processes and code audits. Beyond that, customers do their own audits or work with third parties on auditing the Nextcloud code base.

One prime example is the code audit conducted by Swiss IT security firm Kyos for the City of Geneva, Switzerland. The results came back with flying colors and added an extra layer of security that could be deeply trusted from the core of the code.

Today’s post highlighted just 5; however, we recently posted more security features that give our users reassurance regarding all things security.

5 Unique Security Features by Nextcloud

Wed, 27 Jul 2022 14:36:15 +0000
https://staging.nextcloud.com/blog/5-unique-security-features-by-nextcloud/

You love Nextcloud because it allows you to keep your data secure and under your control.

When it comes to protecting your data, we want to be your #1 trusted technology and provide you with state-of-the-art, industry leading tools that go beyond today’s technology standards.

Nextcloud offers more security features and benefits than most people realize, and today we want to zoom in on 5 of them.

Remote Wipe

Remote wipe is a Data Leak Prevention (DLP) method that allows a system administrator to remotely delete data from a device. It’s especially useful if your device is lost, has been stolen or when an employee no longer works for your organization.

Due to built-in Nextcloud support, Remote wipe will not only work on systems under the management of a company (MDM), but also on the private devices of employees in BYOD situations or for friends who have an account on your server. Therefore it is also helpful for home users, large universities, and non-profits who often don’t fully control the devices of their users.

2 examples when Remote wipe is essential:

  • In a scenario where guest accounts were handed to a third party who use private devices, say for planning an event: when the event is over, you can wipe the documents from the devices of guests you gave access.
  • In a situation where an employee leaves the company and keeps their device(s): If you want to make sure an ex-employee can’t access company data, you can use Remote wipe to remove the company data from their devices.

Stolen or lost devices usually catch you unprepared. Therefore, this feature is supported by all official Nextcloud clients, for Android, iOS and desktops. Note that the Nextcloud Remote Wipe feature can only remove data from online devices.

Video Verification

In situations where extreme security is warranted and the identity of a recipient must be verified with absolute certainty before they are granted access, Nextcloud includes the industry-first implementation of Video Verification in a file sync and share solution.

You might be familiar with this process from the opening of online bank accounts: you have to record yourself or have to have a live session with a human. In both cases, a human has to check your identity before you gain access.

Similarly, Video Verification enforces a Nextcloud Talk video call before access is given to a share, making sure the identity of the recipient is properly checked. The call can be picked up through the Nextcloud Talk Mobile apps as well as the web interface.

At Nextcloud, we want you to feel 100% certain that your data is protected and under your control and jurisdiction.


Private Cloud Security Scan

To help our system administrators assess the security of their private cloud server, we have developed the Private Cloud Security Scan.

Our scan is strictly based on publicly available information, that is, the list of known vulnerabilities relevant for Nextcloud releases as well as any applied hardenings or settings we can scan without having access to the server.

It’s available for free here, just add your server URL.

Security Bug Bounties

Nextcloud protects your security with up to $10,000 in our HackerOne Bug Bounty program.

We have partnered with HackerOne because of its extraordinary popularity among IT security professionals. The widely used platform has a global hacking community that uncovers high-risk vulnerabilities fast, which allows us to quickly leverage the collective knowledge of a huge number of security experts. Over 3,000 hackers have already reported countless bugs for Nextcloud and reaped the benefits.

“Nextcloud’s commitment to responsiveness and putting security first puts them in the best position to attract top hacker talent to continue to supplement the good work their internal security team is doing to protect customers.” – Michiel Prins, Co-founder HackerOne.

Anyone reporting a security vulnerability in Nextcloud can earn up to $10,000, making ours one of the highest security bug bounty programs in the open-source industry!

Learn more in our latest update about the program and read the HackerOne Case Study!

Virtual Data Room

In settings where a strong security firewall is needed between departments or organizations without impeding smooth and efficient collaboration within each team, a separate Virtual Data Room can be set up. Nextcloud offers a range of features for VDR use and its on-premises nature offers unparalleled confidentiality and control.

For Nextcloud, VDR is a set of features to implement the concept of a VDR, with flexibility in the exact implementation. In our next post, you will learn about some of these features!

EU cloud providers subject to lock-in with Microsoft due to new strategy https://staging.nextcloud.com/blog/eu-cloud-providers-subject-to-lock-in-with-microsoft-due-to-new-strategy/ Wed, 08 Jun 2022 00:00:00 +0000 https://nextcloud.com/?p=21637 Fair competition is essential to a healthy business ecosystem, yet tech giants seem to believe they can work around it using their market dominance and various anti-competitive activities. Microsoft tries to lock-in EU CSPs 3 weeks ago, Microsoft announced a new strategy shift with the aim to comply with its steady flow of legal complaints […]

The post EU cloud providers subject to lock-in with Microsoft due to new strategy appeared first on Nextcloud.

Fair competition is essential to a healthy business ecosystem, yet tech giants seem to believe they can work around it using their market dominance and various anti-competitive activities.

Microsoft tries to lock-in EU CSPs

3 weeks ago, Microsoft announced a new strategy shift with the aim to comply with its steady flow of legal complaints from the EU. The company has stated that it will revise its licensing deals to allow customers to use their licenses on any European cloud provider delivering services to their own data centers.

With this new strategy, EU CSPs (cloud service providers) like IONOS, OVH, Telekom, and AMX will have the ability to host and sell Office 365. Moreover, in our opinion, they will be subject to a complete lock-in with Microsoft. CSPs will ultimately be tied to Microsoft products, and if they eventually decide to move away from them, they would lose their valuable customers.

CSPs will by no means have additional security because the software is not open-source and can thus not be modified, adapted, or improved.

Furthermore, CSPs are also at risk by offering Microsoft’s software because they will still be in competition with the hosted Microsoft 365 product itself. It’s really not a win-win at all, as Microsoft gleans all the glory, and slowly takes down the smaller cloud providers.

Microsoft can offer all the new programs and principles they want to look anew, but they don’t come close to ending the unfair licensing practices and anti-competitive restricting of productivity platforms with cloud services.

Antitrust Complaints against Microsoft

Last summer, and just recently gaining international attention, French cloud provider OVH filed an anti-trust complaint against Microsoft due to the company’s obvious unfair advantage and uneven playing field. Microsoft used its dominance in the industry once again and special licensing deals to intentionally put its own Azure cloud over OVH cloud services, among others in the area.

Nextcloud filed an anti-trust complaint with the European Commission’s Directorate-General for Competition in 2021, regarding similar concerns. Read about our coalition and anti-trust case here.

Microsoft continually contributes to the phenomenon of platform capitalism, as well as toying with making itself a monopoly. They make competing with other SaaS services near impossible when their cloud OneDrive and collaboration platform Teams are the default platforms in Windows. Customers are basically handed a choice that they don’t get to make on their own. Read more here in our blog.

“Through abusing its dominant position, Microsoft undermines fair competition and limits consumer choice in the cloud computing services market.” – OVH Cloud

Even after repeated antitrust complaints against them from across Europe, the company is still moving in the wrong direction.

A better outlook for CSPs

In conclusion, all European cloud service providers should be hesitant if confronted by Microsoft to strike a deal, as their interests and values are indeed not shared.

CSPs are much better off without them.

The new Transatlantic Data Privacy Framework fails to make US cloud services GDPR compliant https://staging.nextcloud.com/blog/the-new-transatlantic-data-privacy-framework-fails-to-make-us-cloud-services-gdpr-compliant/ Wed, 18 May 2022 09:01:50 +0000 https://nextcloud.com/?p=17257 On Friday, March 25th the White House announced the Trans-Atlantic Data Privacy framework. The Trans-Atlantic Data Privacy Framework is the most recent scheme on how data privacy should be managed on an international level between the EU and US. As stated in the official White House Fact Sheet, the Framework “will foster trans-Atlantic data flows […]

The post The new Transatlantic Data Privacy Framework fails to make US cloud services GDPR compliant appeared first on Nextcloud.


On Friday, March 25th the White House announced the Trans-Atlantic Data Privacy framework.

The Trans-Atlantic Data Privacy Framework is the most recent scheme on how data privacy should be managed on an international level between the EU and US.

As stated in the official White House Fact Sheet, the Framework “will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union […] underlying the EU-U.S. Privacy Shield framework” and “will reestablish an important legal mechanism for transfers of EU personal data to the United States.”

Although its message is a beacon of hope in light of the CLOUD Act, Schrems II, and more, there are still some definite gray areas which critics find to be less than promising.

First off, the fundamental backing of this framework is not bound by law and legislation (yet), but by a US Executive Order.

To provide a quick overview, the US President has the supreme power to create, amend, and revoke an Executive Order at any given time. Executive Orders can be perceived as “instant” law; however, they are not legislation and require no approval from US Congress.

The Executive Order in question, EO 12333 (United States Intelligence Activities), was signed in 1981 by former President Ronald Reagan and is the primary authority under which the NSA collects and analyzes foreign intelligence information outside of the US.

EO 12333 has been amended 3 times (EO 13284, EO 13355, and most recently EO 13470 in 2008), but is still an active Executive Order and is basically what allows the possibility for European data to be collected and obtained by US foreign intelligence agencies.

Given that neither the Executive Order nor the newly introduced framework is law, the current debate is whether it really can be legal under GDPR and in the Court of Justice of the European Union.

Of course, changes within US legislation are the preferred option, as they would be comparable to EU law; however, this involves a lot of complexity, time, and international law politics. The fruition of such a legal document adopted by both sides is a goal of the U.S. Government and the European Commission, as stated in a briefing statement, but only time will tell.

Until there is a bespoke legal agreement, we must assess all we have: the Framework and the Executive Order, and determine if both comply with the key articles of the EU charter (7, 8, 47, and 52). Without getting into the legal wording and analysis, these two documents do not fulfill the requirements of the articles.

The announcement of the Trans-Atlantic Data Privacy Framework may have been widespread news; however, it does not solve the problem of the conflicting US and European law, and further, it’s hard to imagine how the issue can be solved in the future.

As for now, it is encouraged to take data privacy into your own hands, until, or if ever, a transparent agreement or law firmly states that your data is not crossing the Atlantic into the hands of foreign intelligence bodies and sketchy third parties.


Stay informed with Nextcloud as we share all you need to know regarding data privacy, data security and data sovereignty happening around the world. #PrivacyWednesday

Google Confronts EU’S GDPR Demands by Introducing Google Analytics 4 https://staging.nextcloud.com/blog/google-analytics-4/ Wed, 30 Mar 2022 09:00:02 +0000 https://nextcloud.com/?p=11559   Ever since the GDPR came into effect in 2018, Google has been under fire in the EU. The GDPR, or General Data Protection Regulation, regulates and protects EU citizen’s data and privacy which was recently confronted by Google in order to meet demands overseas. What began with complaints from Austria headed by Max Schrems […]

The post Google Confronts EU’S GDPR Demands by Introducing Google Analytics 4 appeared first on Nextcloud.


Ever since the GDPR came into effect in 2018, Google has been under fire in the EU. The GDPR, or General Data Protection Regulation, regulates and protects EU citizens’ data and privacy, which Google recently confronted in order to meet demands overseas.

What began with complaints from Austria headed by Max Schrems and his case against Facebook instigated other EU countries to disclose their incongruencies with Google Analytics. For instance, both in Norway and France, their Data Protection Authorities stated, due to ongoing research and regulation of websites, that the use of Google Analytics may be illegal.

After 101 complaints from the NOYB came flooding in, France’s Commission Nationale de l'Informatique (CNIL), in cooperation with its EU counterparts, came to the conclusion that data transfers to the United States are currently not sufficiently regulated, and are in fact illegal. The CJEU (Court of Justice of the EU) also highlighted the great risk posed to Europeans in the Schrems II judgement that proved GA invalidated the EU-US Privacy Shield.

“Under the CLOUD Act and US law, US companies are required to give US government agencies and courts access to any data they store from foreign citizens. As the EU's GDPR requires that no third party has access to the data of a user without their consent, this act is fundamentally incompatible with EU law.” – From our previous blog here.

Google Analytics

The analysis tool in itself is not in violation of GDPR; rather, the violation lies in the way it is used. Due to the way Google Analytics works, it is actually not possible to use the analysis tool and at the same time comply with the GDPR.

According to Article 44 of the EU’s GDPR, companies that use GA do violate the law because private data from European citizens are being sent to the US without ‘standard contractual clauses.’ Countless studies and leaks before, including the infamous Snowden leaks, have shown that European citizens’ personal data has been transferred to American intelligence agencies via US cloud services.

Google must have felt the increasing pressure brewing overseas, as of last Wednesday they decided to sunset Universal Analytics* and introduce a brand new model, Google Analytics 4 or GA4, to take over in 2023.

*Universal Analytics and Google Analytics are the same thing. In short, Universal Analytics is just the new version of the old Google Analytics (Classic Analytics). Read more in detail here.

Google Analytics 4 may be the answer the EU has been waiting for. It will finally stop logging and storing IP address information as a mechanism for tracking and analytics. This is a breakthrough announcement as one of the top complaints and mutual disapproval of EU countries is that of IP address information. Ultimately, it will relieve the pressure on Google Analytics in the EU.

So, what does this mean?

Google will switch from deterministic user conversions to a more modeled, data-driven attribution which is natively integrated into GA4. Before, in GA, it used last-click attribution which was their default metric.

When a user enters a page, Google will infer the approximate location data and register that country or market to the page being browsed. The result is that this localized IP address visibility prevents the data from leaving the country, and thus the data cannot be given to the NSA or any other secret US government surveillance operation. These new country-level controls allow data collection to be fine-tuned by the local market and/or jurisdiction of EU law.

With Google’s reputation as being an unreliably secure Big Tech company regarding data privacy, we will continue to keep our eyes and ears peeled for where this leads and/or if there will be a catch or two along the way.

Following the announcement of the new GA4, it is clear that Google is fully aware of the issues at hand and their severity, and is trying to work on them. It’s not only reassuring that EU countries are being heard by Silicon Valley and are being taken seriously, but vital, because with further complaints, court cases, and national government involvement, the EU would have surely seen to it that GA be made illegal, and Google would be looking at a loss worth millions overseas, not to mention serious lawsuits.

On the other hand, despite Google having the EU on its tail, from a consumer perspective they must meet the increasing consumer privacy standards on demand. Nowadays, people may not be necessarily worried on a daily basis about their private data being shared, but are more aware of companies keeping their data and want to have full transparency. As consumers are for the first time in ages at the top of the hierarchy, their wishes will be companies’ command.
