2026-06-26

Mentality and reality

Image: Unsplash

“The mentality is shifting. Now let’s hope reality follows,” a colleague sighed. Can you guess what this conversation was about? It could have been quite a few things, I realise – healthy eating, smoking, exercise, you name it. But hey, this is the Security (b)log, after all.

The conversation was about ICT in relation to the geopolitical situation. That is a polite way of saying: we no longer find the Americans as endearing as we once did (because they are bullying us). Fair enough, it’s not just about the unpredictable behaviour of the US. Countries like China are not making things easy for us either: we can’t do without them, yet we would rather have nothing to do with them. In the ICT world, though, it is mainly American products that are visible (the Chinese products are hidden in the hardware).

The entire debate around digital sovereignty centres on the desire to be less dependent on American ICT. The sentiment in our part of the world is that ‘they’ can switch things off at any moment or snoop through our data. That does not feel particularly comfortable. Europe is becoming increasingly aware of the necessity – and the possibility – of becoming more self-sufficient. That is what my colleague meant by: “The mentality is shifting.”

And reality? We have long convinced ourselves that we cannot compete with the American tech giants and their economies of scale. But they too started from nothing. And maybe it is a little more expensive at first to store your data in a European cloud – if you have decided that things need to change, you have to be willing to pay a price for that. But it does not have to be more expensive at all. It can even be cheaper. Microsoft’s Office applications cost money, whereas LibreOffice and FreeOffice (both legally based in Germany), for example, are completely free to use.

There are many more non-American alternatives to American software. I was tipped off that an OSINT specialist colleague had put together a fine overview (OSINT = open source intelligence: gathering intelligence from publicly available sources). This colleague lists alternatives for no fewer than 21 software categories. A few examples: email, VPN, browser, search engine, AI assistant, cloud & storage, maps & navigation. For each category, he names the de facto standard, followed by various European alternatives. And he explains why his number one is his preference. It is not just a list – he actually did his research: read reviews and discussions, gathered information from websites, tried things out himself. With the help of AI, this resulted in a fine document.

The bad news is that the overview is not available online. So here are a few examples. For email, Proton Mail (from Switzerland) comes in at number one as an alternative to Gmail and Outlook, “because it combines the strongest encryption with independent audits, a broad ecosystem and the widest reach”. The favourite VPN provider is Swedish Mullvad, “because it offers the strictest take on privacy: no identity required, can be paid for in cash, and repeatedly audited”. Mullvad also tops the browser category, “because it combines the fingerprint protection of Tor with the speed of a regular browser”.

For a search engine, French Qwant is your best bet: “no profiling, and usable results for everyday use”. That category also mentions Mojeek, with the advantage that it uses its own index (and therefore does not rely on Google or Bing results). For artificial intelligence, you can turn to French Mistral Le Chat/Vibe, or, if confidentiality matters, Swiss Proton Lumo. That same Proton also comes up for cloud storage, “because it combines encryption, ease of use and integration with the rest of your Proton account”. And if you want to move away from Google Maps, take a look at Organic Maps: “fast, free, offline and without any tracking”.

When I visited New York City for the first time at the end of the last century, a drunk Irishman gave a speech on the subway. His lament concerned the disappearance of a direct connection between New York and Shannon Airport, and his endlessly repeated refrain always ended with: “It’s all a matter of economics.” And so it is with our digital sovereignty: it is all economically driven. The difference is that you yourself, if you want to, can do something to become master of your own data again.

And in the big bad world…


2026-06-12

Leaky cruise

Image: Unsplash

They had just completed yet another cruise. This time too, they had managed to keep their feet dry, but as it turned out afterwards, there had been a leak after all. A data leak. And just like in the days of the Titanic, everyone acted as if nothing had happened.

They had not received a personal notification that their data had been exposed. They only found out by pure chance. In Europe, our first reaction is often to start waving the GDPR around indignantly: surely they have to tell me if my data has been leaked?! But it is not quite that simple. To begin with, the organisation responsible for the leak must determine for itself whether the incident has to be reported to the Dutch Data Protection Authority (AP). That is not required if “it is unlikely that the personal data breach will result in a risk to the rights and freedoms of data subjects”, as the AP explains. The leaked information did contain personal data (including that of my seafaring colleague), so they would probably not get away with that argument.

The next step is for the leaking party to notify the victims, and here comes the catch: only if the breach is likely to result in a high risk to them. Once again, the organisation must make that assessment itself, of course based on the GDPR rules. If personal data has been stolen by a hacker, the risk is fairly obvious, according to the AP.

And that is exactly the situation we are dealing with here. Last month, Carnival Corporation, the parent company of Carnival Cruise Line, sent letters to customers about a cybersecurity incident (though not to all customers, obviously). A month earlier, an attacker had gained access to Carnival’s IT systems through social engineering and copied customers’ personal data. The information involved includes names, email addresses, dates of birth, gender, and several Carnival-specific data elements.

Carnival Corporation’s headquarters are located in Miami. Aha, I can hear you thinking gloomily, that is well outside the EU, so that wonderful GDPR is of no use to me. Wrong! The GDPR has what lawyers like to call extraterritorial effect: if a company outside the EU also targets the European market, it falls under the GDPR. And when I add everything up, it seems to me that a personal notification to the affected individuals would indeed be appropriate here.

Unless... Yes, unless the data was encrypted, the breach was stopped before anything could be done with the data, or informing all victims would require a disproportionate effort on the part of the company, for example because it no longer has their contact details. In that last case, publishing a notice in a newspaper or on social media is sufficient.

In short: it is not as straightforward as it may seem. We do know how this particular case played out: it didn't. That is why my data-breached colleague asked me what you can do yourself in such a situation. The AP has put together a useful overview (in Dutch). Among other things, it states that you should change any leaked passwords; that is indeed the very first thing you should do. They also recommend changing the passwords for other accounts and apps if they use the same password as the compromised one.

This immediately shows why you should never reuse passwords: after a breach, it creates a lot of extra work. Criminals will simply take the password from website A and try it on websites B through Z. And of course, you should already have enabled multi-factor authentication wherever possible.
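The "extra work" described above can be made concrete. The following is an added example, not code from the Security (b)log or the AP: given a password-manager export and the name of the site that was breached, it lists every other account that shares a password with that site and therefore needs a new one too. The export, the site names and the passwords are all constructed for illustration; a real run would read the export produced by your own password manager.

```python
"""Find accounts that must be rotated after one site leaks your password.

Added example (not from the original post). The credential export below
is constructed sample data; the site names and passwords are hypothetical.
Passwords are compared through SHA-256 digests so that the plaintext is
only touched once, at import time.
"""
import hashlib
from collections import defaultdict

# Constructed sample export: (site, username, password). Hypothetical data.
SAMPLE_EXPORT = [
    ("cruise.example", "jan@example.org", "Titanic1912!"),
    ("shop.example", "jan@example.org", "Titanic1912!"),
    ("bank.example", "jan@example.org", "uniq-Pa55word-bank"),
    ("forum.example", "jan", "Titanic1912!"),
    ("mail.example", "jan@example.org", "another-unique-one"),
]


def password_fingerprint(password: str) -> str:
    """Stable digest used to compare passwords without keeping plaintext around."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def index_by_fingerprint(export):
    """Map each password digest to the list of (site, user) pairs that use it."""
    index = defaultdict(list)
    for site, user, password in export:
        index[password_fingerprint(password)].append((site, user))
    return index


def accounts_to_rotate(export, breached_site):
    """Sites other than the breached one whose password equals one used there.

    This is the second step in the AP's advice: after changing the password
    at the leaking site itself, change it everywhere the same one was reused.
    """
    index = index_by_fingerprint(export)
    breached_digests = {
        password_fingerprint(password)
        for site, _, password in export
        if site == breached_site
    }
    at_risk = []
    for digest in breached_digests:
        for site, user in index[digest]:
            if site != breached_site:
                at_risk.append((site, user))
    return sorted(at_risk)


def reuse_report(export):
    """All passwords used at more than one site, regardless of any breach.

    Running this before a breach happens is the cheaper option: every group
    returned here is a password that should be made unique now.
    """
    return {
        digest: sorted(accounts)
        for digest, accounts in index_by_fingerprint(export).items()
        if len(accounts) > 1
    }


if __name__ == "__main__":
    for site, user in accounts_to_rotate(SAMPLE_EXPORT, "cruise.example"):
        print(f"rotate password at {site} for {user}")
    for digest, accounts in reuse_report(SAMPLE_EXPORT).items():
        print(f"password {digest[:12]}... reused at {len(accounts)} sites")
```

With the constructed export, a breach at cruise.example means the shop and forum accounts need new passwords as well, while the bank and mail accounts are unaffected because their passwords were unique.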

After a breach, you should also be extra alert to phishing attempts. Those phishing messages may be far more sophisticated than the run-of-the-mill phishing emails, because the attackers now have much more than just your email address. With all that additional information, they can make their messages look highly personal.

According to the AP, a criminal cannot do much with just a bank account number (IBAN) or a citizen service number (BSN) on its own. But be careful with combinations of data — a copy of your identity document can be a real game changer when it comes to identity fraud.

In summary: stay alert...

And in the big bad world ...
