Cyber Defense Magazine – August 2019

(Nora) #1

Encryption is a cryptographic method in which data is transformed into an encoded, unintelligible form
using an encryption algorithm and an encryption key. A corresponding decryption key enables the intended
recipient to decode it again.


The technical challenge introduced by the GDPR becomes clear when we examine the mobile applications
(apps) we use in our day-to-day business communication. Many of these come with end-to-end
encryption, but most are built in such a way that the business cannot decrypt the data being processed
by them. This data may include personal data, and therefore, in the case of a ‘Data Subject Access
Request’, the business is required to decrypt that data and provide it to the EU citizen in question.


Security gaps created by non-compatible technologies connecting to mobile apps create major
information security challenges. These gaps make it increasingly necessary for mobile apps to be
interoperable and secure by design, so that data is processed securely between apps and the other
technologies with which they exchange or otherwise process data.


Secure Chorus is a not-for-profit membership organization in the field of information security, working
with mobile app developers, as well as other secure communications technology providers, to address
secure data processing. We have addressed this cybersecurity requirement through a strategy of
government-industry collaboration, with industry members developing a number of mobile apps based
on common technology standards to ensure that the app architecture facilitates the exercise of data
subject rights under the GDPR.


Secure Chorus supports MIKEY-SAKKE, an open identity-based public-key cryptography standard, which provides
end-to-end encryption and can be used in a variety of environments, both at rest (e.g. storage) and in
transmission (e.g. network systems). Designed to be centrally managed, it gives enterprises full control
of system security as well as the ability to comply with any auditing requirements, through a managed
and logged process.


MIKEY-SAKKE has been standardised by the Internet Engineering Task Force (IETF). Access to this
type of globally accepted, strong and reliable cryptography has become vital to app developers that are
becoming increasingly aware of the widespread risks associated with internet use.


MIKEY-SAKKE is configured so that each user is attached to a Key Management Server (KMS), where
the keys are issued to users by an infrastructure managed by the business’s IT department. This ensures
that the ability to decrypt content remains private to the individuals communicating. However, in
exceptional cases such as a ‘Subject Access Request’, it also allows the business to derive a valid
decryption key from the Key Management Server. To audit an encrypted communication, the organisation
should export a user-specific and time-bound key from the KMS. This key enables an audit function to
decrypt a specific user's communications for a specific time period (e.g. a week or a month). The KMS
logs this action so that it remains accountable.
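The key-scoping property described above (a KMS that can derive a user-specific, time-bound decryption key, and that logs every such export) is illustrated by the following added example. It is not code from the article or from Secure Chorus, and it is not an implementation of MIKEY-SAKKE: the real scheme (RFC 6509) uses identity-based pairing cryptography, whereas this stand-in derives per-user, per-period keys from a KMS master secret with an HMAC-based KDF and protects messages with an HMAC keystream plus an encrypt-then-MAC tag, using only the Python standard library. The user identifiers, period labels and the request reference are constructed values. What it shows is that a key exported for one user and one period decrypts that period's traffic and nothing else, and that the export leaves an audit record.

```python
import hashlib
import hmac
import os

# Constructed model of a Key Management Server. Real MIKEY-SAKKE derives
# identity-based private keys from a master secret with pairing-based
# cryptography; here an HMAC KDF stands in for that derivation so the
# scoping and logging behaviour can be demonstrated offline.
class KeyManagementServer:
    def __init__(self, master_secret: bytes):
        self._master = master_secret
        self.audit_log = []  # one entry per exceptional key export

    def _derive(self, user_id: str, period: str) -> bytes:
        # The key is bound to both the identity and the key period, so the
        # key for (alice, 2019-08) reveals nothing about (alice, 2019-09)
        # or about any other user in the same period.
        label = f"{user_id}|{period}".encode()
        return hmac.new(self._master, label, hashlib.sha256).digest()

    def issue_user_key(self, user_id: str, period: str) -> bytes:
        # Normal provisioning path: a user's device fetches its own key.
        return self._derive(user_id, period)

    def export_audit_key(self, user_id: str, period: str,
                         requester: str, reason: str) -> bytes:
        # Exceptional path (e.g. a Subject Access Request): the KMS records
        # who asked, for which user/period and why, then releases only the
        # key for that single user and period.
        self.audit_log.append({"user": user_id, "period": period,
                               "requester": requester, "reason": reason})
        return self._derive(user_id, period)


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the period key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 blocks (demo construction).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Returns nonce (16) || ciphertext || tag (32), encrypt-then-MAC.
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    # Returns the plaintext, or None if the key is wrong or the data was altered.
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def demo() -> dict:
    # Constructed scenario: Alice sends one message in August and one in
    # September; an audit function is then given her August key only.
    kms = KeyManagementServer(os.urandom(32))
    aug_key = kms.issue_user_key("alice@example.com", "2019-08")
    sep_key = kms.issue_user_key("alice@example.com", "2019-09")
    aug_msg = encrypt(aug_key, b"Q3 forecast attached")
    sep_msg = encrypt(sep_key, b"Q4 planning notes")

    # "DSAR-0042" is a placeholder request reference, not a real identifier.
    audit_key = kms.export_audit_key("alice@example.com", "2019-08",
                                     "dpo@example.com", "DSAR-0042")
    return {
        "august": decrypt(audit_key, aug_msg),      # recovered
        "september": decrypt(audit_key, sep_msg),   # None: out of scope
        "log_entries": len(kms.audit_log),
        "logged_period": kms.audit_log[0]["period"],
    }


if __name__ == "__main__":
    print(demo())
```

The defensive properties to check in a real deployment are the same two the model makes visible: the exported key must be narrowly scoped (one identity, one period), and the export itself must be an auditable event rather than a silent read of the master secret.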
