01/09/2019 08:24:37 AM
Privacy refers to the right to exercise control over how your personal information is collected, used, or disclosed. Data protection refers to measures to protect data from unauthorized access, alteration, or loss. You need both to preserve trust and confidence between consumers and providers of Internet services and content.
Privacy rights were abused and data protection was, for all practical purposes, absent long before the Internet. Postal mailboxes did and still do overflow with “junk” catalogs and correspondence. The Internet “merely” accelerated personal contact collection, expanded opportunities for abuse, and raised the delivery of junk and abuse to an unimaginable level: the Privacy Rights Clearinghouse Chronology of Breach Events lists over 9000 reported breaches that collectively exposed a staggering 11 billion plus records, a figure even more terrifying given that it represents only reported breaches since 2005 and only breaches where US individuals’ records were affected. Societies worldwide are well overdue for a privacy overhaul.
We’ve only just begun…
2019 promises to be a tumultuous year for data protection and privacy. The intimidating fines and penalties in the EU General Data Protection Regulation, GDPR, have multi-nationals and even small businesses that collect personal data from EU citizens or residents scrambling to comply. In the United States, efforts to establish trust between consumers and providers are finally gaining ground. The Data Care Act proposes obligations for companies that use the Internet to collect personal information: duties of care, loyalty and confidentiality. The bill proposes privacy requirements that are similar to those already imposed on financial institutions, physicians, and attorneys, i.e., to “act in good faith on behalf of their patients or clients and are bound to keep our disclosures safe and confidential”.
While we should all be excited over the prospect of privacy protections, security practitioners in particular should feel an urgency to contact and encourage legislators and policy makers to avoid treating data protection and privacy rights as if they were interchangeable. These need different considerations in the context of Internet technology and policy. To make privacy rights policy decisions with the most benefits and fewest unintended consequences, legislators, as well as policy makers responsible for regulatory compliance, face the challenge of understanding how data protection “works”.
A cautionary tale
Initial efforts to comply with the EU General Data Protection Regulation (GDPR) – most notably, ICANN’s Temporary Specification for gTLD registration data – have not taken into account how investigations are conducted in the cyber world and equally importantly, how the parties who conduct cyber investigations differ from brick-and-mortar investigations.
Private sector and academia play a leading and arguably dominant role in cyber investigations. Law enforcement agencies, from the US FBI to Europol and Interpol publicly admit that private sector actors are generally better funded, have more boots on the ground, and are often first to detect and first to respond to cyber attacks. Executive Director Catherine De Bolle explains that successes of law enforcement in the fight against cybercrime will continue, “As long as European Union law enforcement continues to grow and evolve and to forge new bonds with global partners in both the public and private sector”.
ICANN’s attempt to comply with the EU GDPR is a discouraging example of how a compliance policy that doesn’t fully consider the current threat-and-response landscape can create challenges or impediments for private sector actors, with consequent harms that GDPR legislators neither intended nor anticipated. ICANN’s temporary policy allows parties that collect domain name registration data to redact point of contact data of all registrations, regardless of whether the registrant falls within the EU jurisdiction. In a recent survey, over 300 first responders reported that ICANN’s current Whois policy “is significantly impeding cyber applications and forensic investigations and allowing more harm to victims”, specifically noting that the policy does not address timely and uniform access for the lawful bases for processing defined in Article 6 of the GDPR, and that there is no consensus regarding which parties can request access or how to manage access.
The impact of ICANN’s Temp Spec on cyber investigations since its adoption seven months ago is dramatic.
Responses to cyber attacks are impeded. Investigators can no longer process point of contact information for potentially thousands of domain names associated with a given cyber attack in real time, and their efforts to attribute attacks or cybercrimes to perpetrators are greatly delayed. First responders must now request disclosure of protected Whois data from registrars through arbitrary, non-uniform inquiry processes. Each day of delay resulting from the request process extends the duration of an attack or the opportunity to inflict harm or loss.
Victimization lasts longer. Investigators cannot contact victims of compromised web site attacks without point of contact information. Investigators ideally seek to contact victims in a matter of hours. In circumstances where unwitting victims cannot be contacted in a timely manner, attackers can continue to perpetrate fraud, publish inauthentic news, influence politics, or otherwise inflict harm on both the victim of the web site attack and visitors to the site.
Requests to access point of contact data for lawful bases of processing are denied or not timely. AppDetex reports that the average response by registrars to redacted request notices, from first notice to compliance, is approximately nine days. AppDetex Brand Protection, sharing data from its Whois Requestor System, reports that “only 3% of requests have so far yielded full WHOIS records”. Viewing this average through the grimmest of lenses, attacks that first responders previously mitigated in less than 24 hours now remain active for longer than a week.
Protect privacy rights and do no harm
We have two seemingly conflicting objectives: (1) satisfying a public policy objective of protecting privacy rights through legislation and (2) ensuring public safety interests by establishing timely and uniform access to and processing of protected data where lawful bases permit.
In 2019, we must do all that we can to avoid legislation that cures one exposure to harm but increases other exposures consequentially.