Use of net services
Over recent weeks, a public discussion has started about the tapping of internet communication and access to user data and emails by intelligence services. Many users have become unsure what effects these activities have on their own use of internet technologies.
The ITMC would like to point out the following:
Network and ITMC server infrastructure
- The server systems operated by the ITMC are protected against third party access.
- The ITMC does not give unauthorized third parties access to user data.
- All user data are located locally in Rostock on systems operated by the ITMC itself and NOT outside Rostock’s university network infrastructure.
- Access to ITMC services (application server, HIS, HOME, Ilias, Mailbox, SharePoint, StudIP etc.) from the internet ALWAYS uses enforced encryption and is therefore tap-proof.
Data exchange via the internet
- When data are transported, ONLY encrypted data are protected against third-party access. This applies in particular to email traffic, see here:
https://www.itmz.uni-rostock.de/anwendungsdienste/software/windows/sicherheit/grundlagen/smtp-sicherheit/
Encrypted data are, in principle, protected against third-party access even during transport!
The ITMC recommends the use of certificates to encrypt emails. Every user of the University of Rostock can get a personal certificate, see here:
https://www.itmz.uni-rostock.de/it-sicherheit/zertifikate-und-verschluesselung/zertifikate/
- The security of data stored with providers on the internet should not be trusted without checking.
Third-party access to these data is always governed by the national law of the relevant company's home country. American legislation in particular gives the American government far-reaching rights to access the data of American companies. Microsoft's legal department has stated its position on this, as an example for other US companies, see here:
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/07/16/responding-to-government-legal-demands-for-customer-data.aspx
Data protection recommendations for using internet providers
The ITMC recommends that all users check how data stored on the internet are handled and use providers that are as reliable as possible.
Critical data and/or data relevant to data protection must NOT be stored with providers such as Apple, Dropbox, Facebook, Google, Microsoft etc.
The ITMC automatically provides a HOME directory to all users with a user ID, see here:
We currently offer a SharePoint for web-based data exchange, see here:
Soon, Gigamove can also be used for file sharing, and a sync&share solution similar to Dropbox is in progress via the DFN association and is expected to be available in the fourth quarter. The ITMC will inform users about these options as soon as they are available.
Long-term security of asymmetric (public-key) encryption methods
Unfortunately, NO asymmetric encryption method known so far offers protection without a time limit.
This also applies to Perfect Forward Secrecy: the public keys of a recorded encrypted communication, which necessarily have to be exchanged in plain text, could theoretically be used to break the encryption of all sessions of that communication, provided the necessary IT resources become available in the future. See here:
http://tonyarcieri.com/imperfect-forward-secrecy-the-coming-cryptocalypse
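The following added example (not part of the ITMC notice) illustrates the point about recorded key exchanges with a toy Diffie-Hellman handshake in Python. The group P, G and both secrets are constructed and deliberately tiny, so the discrete logarithm protecting the session key can be solved in well under a second; real deployments use groups large enough that this computation is infeasible with today's resources.

```python
# Added illustration: toy finite-field Diffie-Hellman in a deliberately tiny group.
# All parameters and secrets below are constructed for this example.
import hashlib
from math import isqrt

P = 2_147_483_647  # 2^31 - 1 (prime); far too small for real use
G = 7              # generator used by both parties

def session_key(shared: int) -> bytes:
    """Derive a session key from the DH shared secret."""
    return hashlib.sha256(shared.to_bytes(4, "big")).digest()

def handshake(a: int, b: int):
    """Run one ephemeral exchange; return the plain-text transcript and the key."""
    A, B = pow(G, a, P), pow(G, b, P)        # public values, sent unencrypted
    key = session_key(pow(B, a, P))          # computed by the first party
    assert key == session_key(pow(A, b, P))  # second party derives the same key
    return (A, B), key

def discrete_log(g: int, h: int, p: int) -> int:
    """Baby-step giant-step: find x with g^x = h (mod p) in about sqrt(p) steps."""
    m = isqrt(p - 1) + 1
    baby = {}
    e = 1
    for j in range(m):                       # baby steps: g^j for j < m
        baby.setdefault(e, j)
        e = e * g % p
    step = pow(g, -m, p)                     # g^(-m) mod p (Python 3.8+)
    gamma = h
    for i in range(m):                       # giant steps: h * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    raise ValueError("h is not a power of g")

def key_from_recording(A: int, B: int) -> bytes:
    """Recompute the session key from the recorded public values alone."""
    x = discrete_log(G, A, P)                # any x with G^x = A works
    return session_key(pow(B, x, P))

if __name__ == "__main__":
    (A, B), key = handshake(123_456_789, 987_654_321)  # constructed secrets
    print("recovered from transcript:", key_from_recording(A, B) == key)
```

The work in `discrete_log` grows with the square root of the group size, which is why the lifetime of the protection depends on the parameters chosen at the time of recording.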
Additional remarks
- FAQ on the spying affair of the Society for Informatics (GI)
- Society for Informatics, registered association (GI), recommends encryption
- Circular email from the ITMC dated 13.08.2013: Information on the security of IT systems and working on the internet
- FAQ on the NSA affair
If you have questions or remarks on this document, please contact joerg.maletzky(at)uni-rostock.de by email.