Data Security and Informational Self-determination

Power to the Users

The fourth funding round of the Prototype Fund was announced in 2018 on the topics of self-determination, security and trust. In preparation, we looked at the technical requirements for digital sovereignty and self-determination.

We noticed that there is a general lack of secure software. Even in contexts for which more secure software exists, it is underutilised. Reasons for this is are the software's limited usability and the fact that lock-in effects often lead to the dominance of less secure alternatives.

Software needs to fulfil two requirements in particular in order for its users to be able to protect their data in a self-determined manner:

• Transparency: Both the functionality of the software and the objectives of its developers should be known to users so that they can judge its trustworthiness. Open source software has the advantage of being verifiable with good documentation.
• Customisability: In order for users to be able to protect their data according to their own needs, security settings must be customisable and controllable.

You can read the full report (in German) here.

European (Digital) Sovereignty, Technologies and Collective Action

In 2020, we analysed how laws can support information security and informational self-determination.

We identified three levels of digital sovereignty, namely the self-determined actions and decisions of:

1. individuals,
2. companies and other institutions as well as
3. states or supranational institutions such as the European Union

Important laws designed to ensure data security and digital sovereignty are:

• the General Data Protection Regulation (GDPR)
• the Network and Information Security Directive (NIS Directive, since 2022 NIS2 Directive)
• the Cybersecurity Act (and in future the Cyber Resilience Act)

You can find the full report (in German) here.

(Downward) trend data security

In 2022, our research focussed on the specific technical means that can increase data security, which is still inadequate in many contexts. These include:

• encryption
• automatic access control
• version documentation
• redundant design of systems
• continuous testing, maintenance and updating of software
• usability through low energy consumption, intuitive application and smooth integration into standard workflows

You can find the full report (in German) here.

Reliable and easy-to-use encryption

• Briar Mailbox
• Close lid to encrypt
• Cypherlock – Coercion Resistant Storage
• Dark Crystal Social Key Recovery System
• OpenMLS
• Rosenpass: post-quantum VPN mit minimalen Privilegien
• Schleuder

Software to detect and avert attacks, e.g. along software supply chains and in computer networks

• NYGMA
• Portable Firewall for QubesOS
• Real-life Reproducible Builds
• SiC - Secured management operations through signed containers
• StalkerBuster
• Undo Ransomware

Anonymization, pseudonymization and authentication as methods for more data security

• dhcpanon
• Identity-Stick
• Pseudify - Pseudonymization for developers and Pseudify 2.0

Defense of informational self-determination with the help of data protection law

• BBND - Der Big Brother Newsletter Detector
• An App for Data Requests.de
• Guidelight
• OpenPIMS: No More Cookie-Banner