DEV.GDPR
EVAN TEDESCHI
ROME - APRIL 13/14 2018
Evan Tedeschi
Physics Degree
2000 IT Dev @telecomitalia, @telespazio
2002 Computational Linguistic expert @translated
2008 @memopal
— and a passionate
husband and traveller
Memopal is software that creates a copy of the user’s file through an encrypted connection.
DATA IS VERY IMPORTANT
2009 Memopal got the contract for Cloud Storage in Turkey
2014 Memopal builds a Datacenter in Istanbul and migrates data
2015 All telco companies were nationalized and merged
2016 “Failed Coup”
2018 we are still there
Computer crimes
• identity theft
• extortion
• accessing stored communications
• betting
• fraud on merchandising
• Electronic Harassment
• Pornography
• prostitution
• drug traffic
GDPR
The regulation applies to all EU citizens, independently of where data are stored.
‘personal data’ means any information relating to an identified or identifiable natural person
The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.
Personal data shall be:
• processed lawfully, fairly and in a transparent manner in relation to the data subject
• collected for specified, explicit and legitimate purposes
• adequate, relevant and limited to what is necessary
• accurate and, where necessary, kept up to date
• kept for no longer than is necessary
• processed in a manner that ensures appropriate security of the personal data
EXPLICIT CONSENT?
Where processing is based on consent
• demonstrate that the data subject has consented
• clearly distinguishable from the other matters
• right to withdraw his or her consent at any time
• the provision of a service, is conditional on consent
HOW?
Any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used
Accountability
Expiration
Contacts of Data Controller
inform through website, pull notice
inform oral P2P or Automatic
Free!
‘right to be forgotten’
FID CASE
RISK ANALYSIS
PSEUDONYMISATION VS CRYPTOGRAPHY
1.5 Million users
2 datacenters
>100k inserts per day
600 servers
Big database
Frontend Servers
Account data
Virtual file system
Metadata
SSO
Storage
Username and Password
Userid
Anonymized Metadata
File Hash
Password
File content
CLOUD STORAGE ARCHITECTURE
username and password
userid
anonymized metadata
file hash
password hash
file content
User
Financial admin
DB Admin
Data center People
Backend Dev
Support
SEPARATION OF DUTIES
ZERO KNOWLEDGE
Users get a public/private key pair
Every file is encrypted with a symmetric key
Symmetric key is encrypted with the public key
Encrypted symmetric keys are stored with files
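The four steps on this slide, as an added Ruby example built on the standard openssl library; it is not Memopal's code. AES-256-GCM, RSA-OAEP with a 2048-bit key, and all function and field names are assumptions, since the slides name no algorithms.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Client side: encrypt one file under a fresh AES-256-GCM key, then wrap that
# key with the user's RSA public key. The returned hash is everything the
# storage provider keeps; none of it is readable without the private key.
def encrypt_file(public_key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  file_key = cipher.random_key # new symmetric key for every file
  nonce = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    wrapped_key: public_key.public_encrypt(file_key, OAEP),
    nonce: nonce,
    tag: cipher.auth_tag,
    ciphertext: ciphertext
  }
end

# Client side: unwrap the file key with the private key, then decrypt.
# Raises OpenSSL::Cipher::CipherError if ciphertext or tag was modified.
def decrypt_file(private_key, stored)
  file_key = private_key.private_decrypt(stored[:wrapped_key], OAEP)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = file_key
  cipher.iv = stored[:nonce]
  cipher.auth_tag = stored[:tag]
  cipher.update(stored[:ciphertext]) + cipher.final
end

# Constructed sample data: a throwaway key pair and a short "file".
USER_KEY = OpenSSL::PKey::RSA.new(2048)
SAMPLE = 'constructed sample file contents'.b
STORED = encrypt_file(USER_KEY.public_key, SAMPLE)
puts decrypt_file(USER_KEY, STORED) == SAMPLE # round trip with the private key
```

Because the private key stays with the user, a database or datacenter administrator who copies `STORED` gets only ciphertext and a wrapped key.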
TRANSPARENCY
BEFORE
AFTER
Data breach possible reaction
WTF?!?!??!”£”??!!!#
Analysis time: 2 weeks
Reaction time: 20 minutes
USE THE FORCE
grep -r *.log | sed 's/ERROR/INFO/g' | sort -n | uniq -c | fold -w 5 | pv -pert | nc 127.0.0.1 4000
Questions?
EVAN@EVAN.IT
Thank you!
https://creativecommons.org/licenses/by-nc-sa/4.0

dev.privacy: GDPR in a nutshell - Evan Tedeschi - Codemotion Rome 2018