Threat Talks is your cybersecurity knowledge hub. Unpack the latest threats and explore industry trends with top experts as they break down the complexities of cyber threats.
We make complex cybersecurity topics accessible and engaging for everyone, from IT professionals to everyday internet users, by providing in-depth and first-hand experiences from leading cybersecurity professionals.
Join us for monthly deep dives into the dynamic world of cybersecurity, so you can stay informed, and stay secure!
To me, the internet has always been the thing
for the free. But is it still for the free,
or are we increasingly being monetized as users
of the internet? And if so, what can we do about
it? Welcome to Threat Talks. My name is Lieuwe
Jan Koning, and here from headquarters at ON2IT,
we talk today with Professor Bart Jacobs, and
I'm really excited about it. Let's get on to it.
Welcome to Threat Talks. Let's delve deep into
the dynamic world of cybersecurity. Our guest
of the day is Professor Bart Jacobs. Mr. Jacobs,
welcome. He is the professor of computer security,
privacy, and identity at Radboud University
of Nijmegen. He's also a member of the Royal
Netherlands Academy of Arts and Sciences. And
he is in our country and beyond very well known
in participating because he participates in the
public debates. He did a TED Talk educating us
all on the subject of privacy, for example, and
he has an advisory role to the Parliament of the
Netherlands. He's also an initiator of a few tools
that actually are created with the proper privacy
in mind such as an authentication app. It's called
Yivi. We're going to talk about it. Another thing,
a social platform called PubHubs also built
on values that we should probably embrace in
every software solution that we create. We're
going to talk about that as well. And in 2021,
he won the Spinoza Prize which is a prestigious
award for top researchers and is dubbed the Dutch
Nobel Prize. So, who else do we want to talk
to if this is the subject? Mr. Jacobs, once again,
welcome. Thank you. First of all, I would like to
talk to you about a couple of examples of things
that happen on the internet that we should be
every individual should not choose to do. And
for example, we're talking about you can download
WhatsApp or Facebook or all those applications and
all your data is out there. Huh? How bad is
it? You think is it? How safe is the internet
for your children? Maybe it's good to talk about
Facebook in this respect for a moment. You say
all your data is out there. My topic of research
is security and privacy. Let me say Facebook is
very good in security but very bad in privacy.
And it collects all the data and it secures
them very well and it regulates who has access to
these data. But of course Facebook is very bad in
privacy because it uses the personal data to steer
the messages that we get to see on the platform to
try to pump our timeline full with advertisements
to try and make us buy things that we don't really
want to have. But they just get revenue out of
the advertisement. And it's really I consider it
a manipulation network. It's not only primarily
a commercial manipulation network, but we have
seen it's also a political manipulation
network as we've seen in the elections,
the first election of Trump or basically ever
since on the internet. Yeah. So it's abused more
than it's used. If you look at a bigger picture
then I would say yes. From a societal picture from
a societal picture I would consider it as very
harmful as a company and as a very harmful tool. I
can see on an individual level that it has certain
advantages to be in contact with former friends
or classmates or family members who live across
the world but there are also other tools to stay
in contact with them. Yeah. Yeah. Yeah. Indeed.
And personally I hate it if my data is sold. And
I have to admit I have WhatsApp on my phone. And
the reason well actually WhatsApp in the beginning
was for free and it was a European company and
it has since been sold to I don't think WhatsApp
ever was a European company but Eastern Europe.
Maybe I think you're mixing up with the video
calling service that was bought by Skype. Yeah.
Yeah. Yeah. Okay. But it gained a lot of traction
initially also and the problem I have with it is
that I need to communicate in certain for example
we have in my city where I live around we have
what's called Buurtapp - Neighborhood app. Yeah. Yeah.
Neighborhood app indeed. And I actually when the
10th time there was big news about Meta abusing
all your data etc. I actually started a debate
there and started a Signal group. But what you
see there is there's always the few people that
don't want to make the transition and I mean to
me it's obvious that Signal is much better. That's
but I look at the business model. Whose business
model? The business model of Signal. I actually
pay a voluntary subscription. Okay. Very good.
Yeah. But what is your point? My point is, I
hate it that I still have WhatsApp installed,
but I kind of need to cut yourself free. Yeah. I'm
on Signal, not on WhatsApp. And people know this.
Life is great. My life is better. It's good. Good
in that sense. I mean, it's in the end a personal
decision. Yeah. True. You make yourself dependent
on people who make the wrong choice. I in general
in my life I try to make myself not dependent
on people who make wrong choices and I want
to try to so I want to push it back to you. Yeah.
Yeah. You're weak in this. We're taking it. We're
taking it. Yeah. Point. Can you help me please?
Because you have to toughen up yourself. This is
maybe a character building session, but I mean
just leave it. I'm all for it. Yeah. Just leave
it. Just just quit your account. Which I did with
Facebook by the way. But that's one step for you.
That's yeah but WhatsApp is I asked for can you
help me for example I get into discussions and we
talk about even metadata so who I send a message
to for example that is valuable to a company but
I have a hard time explaining this why that is.
Can you explain a little bit why is that valuable
and why is the problem that I share with that I
would publish who I send messages to for example
there are various things so WhatsApp has improved
considerably throughout the years so one big step
was that it introduced end-to-end encryption
which means that Meta the company behind it
can no longer read the content of messages that
people send to each other. That is a very big
thing. But what they can see is a social graph.
They can see who communicates with whom. And this
data is already very important. And what the data
they also get is the address book information. So
I'm not in your address book I think but suppose
I were and you would then my address data would
all go to Facebook even though I'm not I'm very
much against this but by your choice to open up
your address book to Facebook they get my data as
well. Yeah you bring up a good point if anyone has
a phone with your number in it and they use that
number is also there your name probably. So that
may Yeah. Yeah. And maybe you added my birthday
or whatever kind of details or my wife is or how
many children I had. That all goes to Meta. And
it's other people making these decisions about
me which I really abhor. I find it terrible that
it happens in such a way. I talked to my niece
and she doesn't care. I don't know your niece, but
yeah, I don't know if I want to know her. Probably
not. Not on Facebook. But what do I tell her then?
Because she wouldn't listen. I mean, she says I
don't care if they know my birthday because Well,
the worst thing that could happen, she says, is
they send me flowers on my birthday. Yeah. Okay.
Okay. Well, so I'm not in the business of trying
to convince everyone. There are still people out
there who smoke. Smoke is very bad. It's very bad.
But most people do know this. And if people
really insist on continuing to smoke, I mean,
yeah, despite knowing why it's bad for you. But my
point is, can you help our viewers also to explain
because if you want to explain why smoking is bad
for you, well, you have a really high chance of
cancer and you will die. I mean, if that's not
enough, then I don't know. But what is that same
story for? Yeah. So installing WhatsApp the story
is maybe limited if you only use WhatsApp but
WhatsApp is part of Meta which is a huge company
that has huge advertising networks all over the
place. It can recognize you and then at other
places on the internet certainly if you're also
on Facebook it connects what you do on WhatsApp
all the connections you have there and from the
people you are connected with they can distill an
image of what kind of person you are and then try
to manipulate you more with certain advertisements
some people say I don't mind if I get manipulated
commercially I like to watch advertisement okay
that's possible Well, but not me. If your niece
likes to watch advertisement and be pushed in
a certain direction, okay, some people want to
live their life like this. I have the feeling
I would like to have a bit more control over
the choices in my life. Have you ever do you
have some insight in whether this is a cultural
thing also? Is it for example are people in the
Netherlands on average or in Luxembourg or in the
United States more privacy aware? Is it part is
that part of the equation? I'm not a sociologist,
so I don't you must have wondered about No,
but there are big differences between the
US and Europe. Let me go to that level. Then in
Europe, privacy, data protection is a fundamental
right. We have on our podcast a treasure hunt we
call it. Let me briefly attend to that. So for
the first 200 people that send the code that I'm
about to announce to code@threat-talks.com, they will
receive a t-shirt that you can show off to all
your friends. And the code is 110425. Now that
we have that under our belt, I would like to pick
your brain on you have solutions and that's what
I really like about your work. Partial solutions.
Okay. So you have I do work on alternatives. Yes,
exactly. On alternatives because to me, so the
fact that Signal is there in the first place
makes sure that I that there is an app that is
easy to use and I can tell my mom about and she
actually installed and can handle it. That's
crucially important to me. You have a few of
those and I mentioned them in the introduction as
well. Yivi for example, could you explain well first
of all what the goal of it is? Yeah. So, so Yivi
exists already for more than 10 years. It came out
of scientific research at my research group in the
university. We started working on attribute-based
authentication and the cryptography that is
behind it which is very interesting which is based
on zero-knowledge proof but I'll skip the details
here. But this attribute-based authentication
was certainly at the time novel and attributes are
properties of all of us. you I'm here, you're over
18, this is your email address, this your phone
number, your physical address, etc. These small
properties of you are called attributes. And in
many situations, authentication, proving who you
are, can be known via attributes. So, if you want
to play a hefty game online, you have to prove
maybe that you're over 16 or 18. That is just one
attribute that you have to prove. If you order a
book online you have to disclose your physical
address for delivery but not much more basic
maybe email address for confirmation but your name
is not really needed in these kind of things. So
this attribute-based technology really allows data
minimization which is one of the basic principles
in Europe's data protection law the GDPR and so
there are technologies there are technologies to
really support this privacy-friendly approach
and this is what I'm really interested in. So
we built a prototype app at the university. I
set up a nonprofit foundation to roll out this
technology. This process is slow but the Yivi app
is still there. I'm working now with a company
in the Netherlands to develop this further. But
what I consider as a very gratifying influence,
two years ago, the European Union has decided to
introduce identity wallets in Europe. Which are
such apps on your phone that contain attributes
which are attribute-based. So they looked very
carefully at what we did with Yivi. This had a big
influence there. So for me as an academic that is
huge right that is really that's just not a theory
but you actually implemented it and show the
example and how people follow it. So on the one
hand Yivi exists as a product it has about I don't
know so eventually that we don't know how many
people run it but that's amazing. Yeah it's more
than 100,000 so it's not the whole country yet
but it's substantial. It goes beyond friends and
family so to say. Yeah. So it has practical impact
although not a real great breakthrough yet but it
also has indirect impact where we see that people
start copying this they see they have good ideas
that's your bigger goal probably not necessarily
this yeah so Yivi itself as a product is a little bit
my baby so to say so I would hope that Yivi will
be the dominant app in the world also because it's
open source transparent etc. It's really done
in the right way, I would say. But in the end,
if another app which works like Yivi takes over and
offers this kind of privacy-friendly opportunities
to people in a transparent open source way, I can
also live with that. I'd like to dive a little bit
deeper in the technology here if I may.
So you mentioned that I know the app. So what
it does it will actually give you full control
of those attributes that you want to share. So
if you log on with Yivi it will tell you can say
okay just my email address or just the fact that
I'm over 18 not my full birthday. So yeah it's a
little bit subtle. So if you as an organization,
if your company wants their customers to
authenticate online with Yivi, you as a company
decide what these customers have to disclose. So
you can ask and this happens via QR code. You say,
I want your name, email address and maybe
something else maybe your physical address.
To be clear, it is to authenticate users so they
don't have to use Okta or LinkedIn but this can
be done via Yivi but it's you as the verifying party
that decides which attribute gets suppose I have
no but please let me continue for a moment if I go
to your website and I use my Yivi app I get in my app a
request this company wants to see this data from
me and I can say yes or no there's a little bit
of choice I have if you ask for an email address
I can maybe select one of three but so I do have
control in the end that I say yes or no but it's
you who ask me what to disclose. Yeah. And so it's
not so much that I can go somewhere and I decide
I show this but not that. And suppose I have a
web shop and I sell liquor for example. So I need
to know the minimum age and then I don't need the
passport or whatever with the date of birth but
just the attribute that I'm over 18. Yeah. Yivi is
very suitable for these kind of applications. So
now my question but where does the data come from
then? Yeah. So indeed Yivi and all such other apps
also the European wallet IDs that are coming up
need to collect this data from a trusted source.
So the way it works with Yivi you need to go to a
government website Dutch government website. You
need to log into this website in a regular way
with DigiD the system we use in the Netherlands
and then the website gives you these attributes in
your Yivi app. So they are located only in your Yivi
app. Technically some of your listeners may like
this. What this government issuing organization
also does is put a digital signature on these
attributes so that if I disclose them somewhere
else, the receiving party can see, hey, it's
digitally signed by this government organization.
So the source is clear. Yeah. And what is the
server part of Yivi? What do you mean the server
part? It's a trick question. The SaaS the you have
the client on the app on the machine what about
the server side do you keep track of stuff in
that sense so let me say I tell this as a contrast
so in identity management there are basically two
approaches centralized and decentralized let's
take Facebook offers a login also suppose you
want to login your local newspaper and it offers
a Facebook login. You go to the website of your
newspaper, you get redirected to Facebook. You log
in at Facebook and Facebook tells the website who
Facebook thinks you are. That means all logins
go via Facebook. Facebook offers this for free
because what they get out of it, they can see of
all the Facebook users where they go in and they
can build up what you're interested in now.
Precisely. It can offer an even more detailed
picture of the way it works with Yivi. Suppose this
newspaper has a Yivi login on its website and I go
there with my Yivi app. The website talks directly
to the app. It doesn't talk to the government
organization that gave me my address data for
instance, but the communication is purely between
the app and the website. There's one technical
point and maybe that is what you're hinting at.
The way the Yivi app works is it uses a very secret
cryptographic key and protecting such a secret key
is difficult. You can put them on a smart card. Or
you can put them in a secure enclave in a phone,
but that is often very phone dependent and highly
regulated. We trust those. Precisely. What we did
at Yivi, we used a technical trick. So we split up
the private key in two parts. So half of it is on
the phone, half of it is at the central server run
by Yivi. Now if I want to disclose something with
my Yivi app, say again this newspaper where I want
to login, my app briefly talks with the central
server to check to get the rest of the phone or
at least the way we have done it is technically
homomorphic encryption. So the key is not combined
but on both sides part of the computation is done
in a privacy-friendly manner and then the app
can reveal the relevant attributes. The server
sees that my app is used but doesn't see where and
also does not see which attributes I disclose. So
in that sense really the whole set the data itself
is only on the app correctly. Yeah. So if I clear
about that yeah so that is intentional indeed.
Then if I lose my phone or if I buy a new phone
start over. I have to start over. I have to but
I mean this is generally if you get a new phone
you have to reinstall all your apps and maybe you
have to collect the data if you have an app for
satellite navigation with local maps you also have
to reload the local think it's a disadvantage at
all it's actually it's a marvelous technology if
you ask me I mean there's indeed a little bit of
a key on the server side on your server side that
is in itself worth nothing. Precisely. That's the
idea. And so the only tracking you could do
is indeed how many times do you use it? Yeah.
Precisely. From which country maybe if you would
want to No, I don't think you see the country.
What you could do what you could even do so if you
really lose your phone, someone steals your phone
and you're really worried about that, you can log
in at our central server and block the center part
of the key. Oh yeah. So that it cannot be used.
You can withdraw the Yeah. It offers some level of
protection. Yeah. But the central server does not
know where you are. So if you're confused and you
say I don't remember if I logged in there or there
and you call us, we cannot tell you. Yeah. But
that's a feature. Big feature. We consider that a
feature. Yeah. Indeed. Okay. Yeah. That's great.
So and that means that any user can download the
app. That's for free worldwide. If you want to be
the supplier and allow your users to authenticate
with this. Yeah. We should promote this. Yeah.
Yeah. I so I should say the app becomes usable
only when it gets connected to valuable sources
where it can get attributes. So in the Netherlands
it's connected to the national government and so
the citizen administration is also connected to
university database. So if you're a student or a
staff member of a university in the Netherlands,
you can also get your data in there. You can prove
you're a student. Yeah. Which means that you
can use Yivi to connect to those systems of the
university. That's what you mean by connect. No,
you can collect data there. But for instance, you
can go to collect data and if there's for instance
suppose on your company website you want to give a
discount to that. No no suppose you want to give
a discount to students. So, so there is a student
attribute that people can reveal proving that they
are student. Yeah. And to answer your question. If
you want to run Yivi two ways to do it, you can run a
Yivi server yourself. It's open source software. You
can install it and then a reasonable programmer
has it up and running in an hour. And then you can
integrate this in your web page but you have to
run the server and keep it up to date etc. There
are also commercial companies that offer this as
a service. So you have to put something in your
website and then they do the authentication
and tell you back. These companies are called
identity brokers a bit like payment brokers as
well. Yeah. And I expect this to be a growing
market in the next few years for these identity
brokers. It sounds like it's very simple to do.
It is very simple to do. So we should spread
the word a lot. Sorry. We should spread the
word because certainly I'm sure there's people
listening now that don't know about Yeah. So,
so it can be used already in many situations, but
I should say if there are people international
listeners and so if you're in the US, I mean Yivi
is not connected to a US citizen database. Yeah,
it doesn't exist. It doesn't exist. That's another
problem. But suppose at state level or whatever.
What's what can be added globally in your Yivi app is
your email address. What can be added? Just put
it in yourself. Your own authority there. No. So
what happens is we have a website. You put in your
email address. We send a one-time code to your
email address. You type it in as a confirmation.
Then you get a QR code and you can load it.
A very certain way of knowing someone's email
address. Precisely. So we do the check for you.
So other websites don't have most companies only
need the email address. Yeah. Yeah. Precisely.
Another thing is also we in Europe we also offer
mobile phone number. The way it works is the same
way. You go to a website of ours. You type in your
mobile phone number. We send you a text message
with a one-time code. If you can type this in,
you can scan the QR code and we offer this only
in Europe at this stage for financial reasons.
Understand? Yeah. Yeah. And I know exactly
what you mean. We also have to send messages
worldwide. Precisely. So what is coming up soon?
I hope before the end of the year is that people
can also hold their passport to their phone and
that Yivi extracts their personal data from their
passport and so that can then be used selectively
in certain situations but that's a lot of
countries that is a lot of that's basically that
works basically for the whole world it works for
all countries that have a chip in their passport
which is all countries basically yeah yeah yeah
so that will be a breakthrough internationally
and I think Yivi could be very useful in situations
that you see there's more and more pressure now
that age verification should be added to various
websites. And for instance, Australia was the
first to do this and they said for social media
and Australia said these companies should decide
themselves how to do this. So that means but that
means if you leave this up to Facebook they will
come up with a way of checking this which gives
them even more data. Yivi offers an alternative
open source privacy etc that can soon be used
worldwide for this age verification. Okay that's
good news for everybody. So then that it means
that in the audience every company that feels
we need to advocate better privacy and allow
our users to only share what they really want they
can actually use this and it's not that difficult
they can start today they can go to Yivi.app the
website. There's more information there. There's
also we'll put it in the show notes, including
the details we can find on the documentation and
I'm sure there's also people who really like to
go nerdy on security cryptography. Yeah. Yeah.
This is one thing, but this is not just this is
not all. There's also the PubHubs. What's the
story behind that? Yeah. PubHubs is a more
recent development. It's not as mature yet
as Yivi. PubHubs is an attempt to develop let
me say a decent social network. Now what is
a decent social network it has no advertisement.
It has no profile of people. It has no plundering
of people. It has no manipulation etc. all the
things that make people very uncomfortable about
the current social networks between quotes because
I don't consider them to be social consider them
to be very harmful. And so it is an attempt to try
and do things in a decent way but also there are
some security and privacy thoughts behind this.
Can you tell us a little bit about that? Yeah. So,
so one thought behind this is also if you
go on Facebook and you post something there,
basically you post to the whole world. And but
that is not natural. Most of us talk among friends
at work or at the sports club or whatever. So
typically we have local conversations. Now, if
you talk on Facebook, it's on the whole world, but
even though you intended only for small audiences,
but it also means that the whole world can talk
back to you. All kinds of nasty people and they
do. And there are a lot of bad people out there.
Young girls getting approached by various nasty
characters. I don't want to expand on this. So the
way we've set up PubHubs is that it focuses on
local conversation and I can go a bit more in the
detail. So it's really different in setup. It's
not meant as a competitor of Facebook. It's also
not meant as a platform for cat videos and this
kind of amusement. People who like cat videos
should really stay on Facebook. But the way it
works so PubHubs has a central login based on
Yivi. Of course. Of course. Once you've passed a
central login, you can go to different hubs.
And once you log in, you can seamlessly step
from one hub to the other. A hub may be run by
a university, by a municipality, by a company,
by a library, local library. It's a bit like how
Mastodon is set up. A little bit a little bit but
Mastodon is more for short messages and but in
principle it is similar it's distributed so it
isn't owned by a single party yeah yeah that is
true so all these organizations they run local
instances of PubHubs of a hub as we call it it
involves its own software it's based on Matrix.
Matrix is an open-source version of Slack. So
it's a bit similar to Slack, but there has some
identity management material. If you've done
this central login and you go to hub one,
let me call it hub one, you get a pseudonym.
And if you enter hub one, it only knows you
with this pseudonym. If you go to hub two, you get
a different pseudonym automatically. To hub three,
you get again a different pseudonym. If you return
to hub one, you get back your original pseudonym.
So if you misbehave in hub one, it can block this
pseudonym or block it temporarily or whatever. So
what we wish to achieve is a combination of
privacy and accountability so that people who
misbehave can really be addressed in a certain
way. Now within a hub it's a bit like in Slack.
You can select they're called channels where the
conversation happens in our version they’re called
rooms doesn't matter very much. What we have added
is authentication to rooms. So certain rooms in
such a hub contains many rooms and certain
rooms are open to everyone. But the organization
running the hub can also say for this room you
have to disclose your email address and you can
only get in if you're on a list of email addresses
or for a neighborhood room you have to disclose
your postal code and only if it's this postal
code you can go into this neighborhood room
or this room is for people younger than 18. Or
older than 18 or whatever. Or this is only for
the directors of your company or only for the HR
department. So you can really have secure rooms
as we call them and this is a feature that other
networks don't have this authentication built in
and also this offers a lot of possibilities. Rooms
also have moderators and moderators have a lot of
flexibility. So in principle the discussion in a
room can be based on pseudonyms. So everybody can
participate. But suppose I'm a moderator and I see
you going to the edge. I can send a message to you
and say I want you to disclose your name to me and
your address if you want to continue. Otherwise
I block you here. Yeah. You see so there are many
buttons that you can very flexible in that sense.
It's very flexible. It's really a new idea and
a new approach in these kind of things. Again,
the question is just like with Yivi, will others
copy it or will this really become a So,
how is this used? How is this used currently?
Yeah. So, so we are still in the pilot phase.
We're still in the pilot phase. I said
we're still cautious and a very interesting
user community that we're working with are patient
organizations and in the Netherlands there are
like five six hundred patient organizations.
Every disease illness has its own support group.
These support groups are mostly online but
sometimes also in the physical world and they're
often very valuable for the people in there
so they can share their experience get advice
etc. But you can probably feel that many things
are privacy-friendly there. I'm always astonished
about a support group on Facebook but I would not
want to participate in that. Welcome to PubHubs.
Yeah, exactly. Precisely. So the idea is indeed
if you look at these patient organizations the
smaller ones are on Facebook very uncomfortably
themselves they are on Facebook. The bigger ones
have built their own network but also they see
this is not their core business to build the
network. So they're happy if we provide a general
generic infrastructure that they can use. But this
is just one application scenario can also be used
for instance for municipalities where people can
go there online get some general information in an
open room but also where they can let's say ring a
bell and get into a one-on-one conversation with
someone from the municipality in an authenticated
channel so that the municipality knows who it's
talking to. Let me add one thing. So this offers
the option that a municipality can say to its
citizen you need a new driver's license. You can
come by physically to the counter or you can do it
online via PubHubs. You're authenticated by your
passport. No less. Only thing you cannot do is
apply for a passport. Yeah. Again. Yeah. Okay. But
for businesses maybe also? I mean what if you want
to have a community with your customers and maybe
there's a new feature that you want to discuss
with a few customers or that is indeed possible
but we don't have advertisements. No, no. So
indeed it could be you have a conversation
with your suppliers or certainly so it can
be used. So what we aim for is on the one
hand professional context and professional
authentication a law office that wants to
communicate with its customers via video call
and you have to communicate with Office 365 and
all their sensations it's non-authenticated it's
non-authenticated because you don't know who's on
the other side it's terrible sorry it's terrible
doctors when they talk to patients they have to
authenticate the patient before they can share
medical details Yeah, but by law indeed there
are many situations where this is compulsory or at
least where it's very desirable to do it in this
way but also it's meant for let's say cultural
organizations libraries. So libraries who want
to organize a local discussion or some cultural
festival or a book discussion and they really want
to talk to a local community and they want some
way to close it off to keep out the bad people
who want to disrupt these meetings and not so much
because they're so private or security sensitive
but many organizations when they go online they
are hindered by people who are really just out
there to disrupt these kind of activities. So it's
good to have some possibility to close the door a
bit. Yeah. Understood. Understand. Yeah. So, what
if there is a company that wants to offer this to
its customers or user group? How can you download
it or do there's a website pubhubs.net. We'll put
it in the show notes as well. Very good. They
can go there. There’s a contact address they can
contact us in principle already they can download
the whole thing everything is also on GitHub but
they need to come under this central login
umbrella for this they need to get a private
key from us to participate in all of this there
probably some legal work yeah there's some legal
work there as well we’re still developing this
so we're working with a few organizations that
we know that have gotten this key. If there are
organizations who are really interested to scale this
up, to help us also scale this up, do contact us.
So it comes from a university that has to now it's
in the process of moving out of this university.
I like to organize it in some steward ownership
style. Not run as a commercial company, but I do
see the benefits of commercial incentives to get
certain things up and running and off the ground.
But within a framework, this whole PubHubs just
like Yivi is really focused on public values. Yeah.
Yeah. And I think it's also a lasting technology.
That's what I like about it because there's also
BlueSky for example. BlueSky better than Twitter
you might say, but it's still a company. So, and
you have got to keep maybe in my experience every
company at some point gets owned by VMware or IBM
or so organizing it. It's almost like Linux in a
foundation. Safeguarded for the future. Although
keeping it purely in the nonprofit sector is maybe
not the most efficient way to do it. So I like
this idea of steward ownership to organize it in
such a way and I'm happy to talk to other people.
I meet quite a bit of enthusiasm. And of course
the question is will it really scale? We’ll see.
But it offers really functionalities for dedicated
sector which are not available on current social
networks between quotes. It's great insights that
I think for many viewers are refreshing. It's
a different way of looking at things. I mean
what drives me in these kind of things is also to
show there are alternatives and there is a choice.
We don't have to do things necessarily the way
they are invented in Silicon Valley. They like
to present them as if that's by law or by nature
the way how things should develop. But there
are also choices behind how they do things and
their choices are driven by their own commercial
interests. I want to talk about the returns
in a minute. I have one question before that
and that is we're talking about so you show here
that privacy by design is really possible right
certainly it's possible what are other success
factors is a difficult question because what I we
touched upon it a little bit I mean big tech has
a strong arm they have marketing everywhere and they try to everybody
lobbying we read about all the algorithms actually
people in Silicon Valley that I know, those are
the biggest advocates of not having their children
for their children not to have a smartphone. They
know because they know the nasty technology behind
it. Yeah. Yeah. Yeah. So what is there this is not
something you can solve with technology, right?
I don't know precisely what you mean by this,
but there is at some level political choice needed
here. Right. To go back to the example of smoking,
we as organizations have said we start taxing
smoking, discouraging people, putting nasty
images on cigarette packages. So to make clear
to people this is not good for you. Social media
we're not there 100% there yet but the amount of
people that smoke what are currently called social
media between quotes once again they are also very
addictive and especially the European Parliament
is working on legislation to address especially
this addictive character especially for youngsters
so it's really bad for you. Yeah. We actually in
one of the next episodes we have an interview with
Patai who is a big advocate of these things and
he's working on the new legislation in the spring
let's say in the next episode. So do you think
that the role of the government should be much
better played out they should strong arm much more
and make laws to forbid things and all that. Yeah.
So when you say the government is of course the
question what is the government does government or
at the European level? Yeah probably all of them
most effective one I don't care which one. Yeah.
So, so at least at the European level, Europe
is already rather active in this area to try and
legislate things. It's often said that Europe is
a legislative power and not so much a technology
power. The balance is somewhat wrong there. And I
think we should also really invest in technology
in Europe that adheres to our values in Europe
that supports our way of understanding privacy. So
it really involves investment also in technology.
Governments have a role there. I'm not someone
saying that government should run something like
PubHubs. I'm very much in favor of civil society
initiatives together with companies which have a
society-motivated agenda. Yeah. So the governments
then have to enforce the rules and which is good
for the health of the citizens which is the task
certainly and they can also set an example be
launching customers for instance. Yeah, I find it
very problematic that many government departments
in the Netherlands are still on Twitter/X. They
also should set an example there and I understand
the reasoning they want to be where people are but
they can also all move to Mastodon like you should
leave WhatsApp and tell all your people in your
surroundings it's a different world you change.
I'm no longer adapting to your wrong standards.
Yeah. I can imagine as a politician it's indeed
you need to get those votes if the votes are
all on. No, no, no. It's a choice but also it's a
clear choice. You also express certain values by
saying I don't want to be associated with nobody
reads it. I guess I don't want to be associated
with these bad practices. Yeah. And yeah, I
think more generally we've ended up in Europe
in a situation that our information and decision
space is controlled by the tech bros of Trump that
they control it that they control what we get
to see. They control via these AI tools what
decisions are being taken here. I find that deeply
problematic also because these tech bros of Trump
have a very strong anti-European anti-democratic
agenda. Yeah, we saw support for in the German
elections for anti-democratic parties that
were favored in the algorithms of Yeah,
precisely. So they run our information space.
We keep on organizing elections here in Europe
whereas a substantial part of the population gets
manipulated by these anti-democratic parties. I
think the European governments and the European
Union itself should be tougher on this. Yeah.
Well, China TikTok is banned in well was banned
for a little while in the United States for the
same reason. Yeah. Yeah. That is not a serious
example because Trump really brought it back in
and I think it was only two weeks. So that's no.
So what we saw in Europe about a year ago with the
presidential elections in Romania, I think it was
where suddenly out of nothing a candidate came to
a populist candidate came to position one via an
active campaign on TikTok which by the security
services there was identified as coming from
Russia. Now TikTok let this happen. The fact
that TikTok let this happen is against European
laws against the DSA the Digital Services Act.
So the European Union I think could forbid or
at least fine TikTok for this in a very serious
way. There are investigations going on but I think
we should really be more assertive towards these
platforms. They are devastating our information
space here. They are aggressive against our way
of life. How did we let this happen? How did
we get there? And of course the next question
is how do we get out of there? Could you answer
that? Yeah. But I mean it's not that laws help,
investments in our own technology help, but first
the will to change this. The will to change this
to try and get out of these political will you
mean? Yeah. Individuals that choose differently
choose technology. It's on all levels. It's on
all levels. It's political. It's in government
organizations, in companies, and at an individual
level. We should decide to be no longer in these
kind of toxic, manipulative relationships. Clear,
thank you. Before we close off because we are
running out of time on this because there's
so much to discuss here. But maybe let's
we covered two examples of alternatives that
are not well mainstream isn't maybe a good word.
I mean but not top of mind people. Yeah.
Yeah. Okay. If everything you said today
and you are for an IT manager or a CISO and it
really appeals to you that we should think this
way. Where can I go to is there like a how do
I find these solutions apart from listening to
this? Yeah. So there it's not enough. There are
certain websites with European alternatives. I
can't forget the precise name, but I'm sure you
can. European-alternative.eu. I'll put them in
the show. Yeah. Yeah. Please put them under there.
But I would say if you run a company in Europe,
you should really be careful about your
business continuity. The world is governed
by autocratic unpredictable old men. I mean if the
conflict with Russia heats up a little bit more,
the first thing Russia will do is start pulling
transatlantic cables. Will your company still run
in Europe? Yes. Well, we have our own data
centers. Yeah. You have your own data centers.
Very good. Our university will have to shut down.
All right. So Microsoft says we keep all Europe
all the I'm not too sure by the way because Leiden
has their administrative systems also in Amazon
I believe for the websites no that's they have
that in the Netherlands it's was more of course
systems are but yeah yeah the customer but that's
I don't I think we will have issues let me so you
will have issues let me expand on the university
so Microsoft says all your data is in Europe
But at the university, we use these authenticator
apps. I'm pretty sure they go via the US. So
it may be the case that our data is here in
Europe. We cannot access it because we cannot
same story then. Yeah. So cutting cables is a
serious concern. The total unpredictability of
Trump is a big concern. I don't know if you
know the ICC court case in The Hague where Trump forbade
US companies to supply to the international
court because he didn't like the court. Now
they can't use their email anymore. So Dutch
they've since moved to ProtonMail I think
in Switzerland. Dutch judges still have to decide
in the next round about whether the Dutch should
deliver parts of the F-35 plane to Israel. Suppose
Dutch judges forbid this. And suppose Trump gets
angry and he says no longer Microsoft service
to the Dutch legal system, it shuts down. Yeah.
Even if you're hosted in Europe, even if you're
How did we end up? How did we get there? How did
we get in such a situation? And so this is slowly
sinking in with more and more people and more and
more organizations are starting to look around in
Europe and in the Netherlands. In the Netherlands,
you find hosting companies that can do your
email, right? That is not rocket science. So I
would certainly advise many companies to at least
approach these companies in the Netherlands as a
backup service, right? Can you run email for us?
What other services can you do? Calendar. I mean,
there is Nextcloud. I don't know if you're next.
It's an open-source alternative for Microsoft
Office. Not fully. It's not as well developed,
but the basic functionality is there. You can
run that. Big features. It will always run.
It will always run and you can run it locally
and you're in control or you can ask a company to
run that for you. If you don't like that company,
you can switch to another company. You are in
that freedom of choice and be able to pick up
your data and put it somewhere and it's yours
to stay yours. And you're not dependent on
unpredictable autocrats who are running this
world now. And there are a lot of solutions,
as you mentioned, European alternatives, and we
also have privacytools.io I think we'll put
them in the show notes as well. So there is a lot
out there. It's just not well known and the sales
guys aren't banging on your door trying to sell it
to you and Microsoft is. Yeah, that is of course
these American IT companies have become so big
they invest heavily in lobbying in support. They
offer turnkey solutions. You want to have a device
to a cloud-based service to run something on. You
pull your credit card and you're there. Make it
easy. That's what Patrick Baert says. We should
make it super easy. We have great technology
everywhere but we should make it super easy
to consume. Yeah. So indeed more investments are
needed. For instance, in Yivi and also in PubHubs
we invest quite a bit in this user experience.
We have designers involved. We know that is
ultimately deciding for the larger public whether
that good nontechnical factor indeed. Yeah. Yeah.
So I'm all in favor of security and privacy, but
what we need is usable security. Exactly. And
that's really a different thing. Yeah. Yeah. There
needs to be a lot of effort. The same with Linux.
Linux system. I mean, it doesn't look as good to
many. I think Microsoft looks horrible. Oh, it did
a good job of deteriorating. Yeah. It's terrible.
I don't understand that Word has become the world
standard. The interface is so terrible. I find at
this stage that Linux offers better interface than
Microsoft. I agree. Yeah. Okay. Let's settle that
as you clip. Thank you very much for all these
insights of the day and in a way it is depressing
that there's so much work to do but in another way
you showed a lot of roads to us that we can walk
that lead into there are alternatives you just
have to choose them. Yeah. And if you care about
privacy and we all should and this is certainly
what you should Yeah. That's I always leave
that out because it's so default to me being
in a security company. Professor Jacobs, thank
you very much for all your insight of the day and
hope to see you another time on our podcast. And
to our viewers, thank you very much for listening
in if you like this. Please like this video
because it makes sure that more people learn
about all these privacy issues and solutions. And
while you're there, press the subscribe button.
We would appreciate it. And for you that would
mean that the next episode of Threat Talks will
be in your inbox very soon. Thank you very much.
Bye-bye. Thank you for listening to Threat Talks,
a podcast by ON2IT Cybersecurity and AMS-IX.
Did you like what you heard? Do you want to
learn more? Follow Threat Talks to stay up to
date on the topic of cybersecurity.