By Agata Chmiel
Unless you have not checked your inbox for the past two weeks, you probably have heard of the EU’s new regulation on data privacy which came into force on the 28th of May. The General Data Protection Regulation is a directly enforceable [1] piece of EU legislation, which hands the control of personal data back to individuals. Throughout seven years of its development, the policy has received both, high acclaims [2] and alarming dissents [3]. This year is a peak of the debate and many questions are left unanswered. One of them is the GDPR’s impact on cybersecurity – how will the legislation affect cybercrime prospects?
When it comes to cybersecurity, the balance sheet of GDPR’s pros and cons is somewhat even. On one hand, some sources talk about opportunities that new framework can bring [4] [5]. On the other hand, there are voices of concern, suggesting that GDPR will virtually become a “gift” [6] to cybercriminals. This article is a quest for the middle ground.
One of the highlighted benefits of the policy, is the improvement of data protection systems done by companies storing and/or processing personal data. That is because GDPR makes it significantly more expensive [7] for a business to hide its security breach and deal with data leak internally (as practiced in the past for reputational reasons), than to dedicate some extra resources for upgrading its digital defence systems. Surprisingly, before May 28th many companies had been neglecting their data security systems by relying on the fact that cyberattacks are so advanced, that it would be too costly to prevent all of them from happening. That is why, last year alone, large companies such as Microsoft, Yahoo or Uber have revealed that they suffered from multiple breaches for several years. Although, with high fines for non-compliance, GDPR is more of a stick than a carrot, the policy can indeed have a positive impact on innovation in the data security field, making life of cybercriminals somewhat more difficult. In addition, some argue that GDPR is value in itself because it portrays data privacy as a ‘human right in this digital age’ [8]. In practice, this is embodied in ‘privacy by design’ approach, which views personal data protection as a core fundament to all (new) technological and digital undertakings.
While GDPR certainly stimulates protection of sensitive data to an unprecedented scale, there are voices concerned with its usefulness in areas of detecting and prosecuting cybercrime. For instance, the Wall Street Journal argues that the policy will actually make it simpler for cybercriminals to get away with their actions, at the same time making it more difficult for the law enforcement to identify them [9]. This is where another actor comes in play, the Internet Corporation for Assigned Names and Numbers (ICANN) and its search system WHOIS. The latter holds public information about domains from all over Internet, which has been serving law enforcement to quickly access data of cybercriminals during investigations into online gambling, piracy or phishing. The main concern, is that, WHOIS blocking the information from public access under GDPR will make the investigations in cybercrime a longer and more bureaucratic process. It means that law enforcement or security researchers will not be able to swiftly scan large bulk of domains’ information in order to, for instance, spot fake or malicious domains. For the loudest critics, this is a one-way road to escalation of cybercrime [10].
So where is the middle ground? Are we lost again in the everlasting battle between privacy and security? Did cybercriminals have a party on May 28th, while companies and law enforcement wept? Not necessarily. In his viral Ted Talk, James Veitch righteously said that: “The internet gave us access to everything. But also, it gave everything access to us” [11] Those should be the leading words of GDPR campaign. The new policy’s purpose is not hindering digital investigations, but rather (re)introducing privacy as a ‘value’ instead of a ‘commodity’. While compliance is costly for businesses and obtaining subpoenas to access online data for (cyber)crime investigations is time-consuming, privacy should not be used as a sacrifice. On the contrary, data privacy’s goal is to make individual data providers feel safe from unauthorized use and access. Taken in perspective, if WHOIS provides information for everyone to see, then not only law enforcement, but also scammers or hackers can effortlessly benefit from it.
To conclude, the problem of cybercrime seems not to lie in strengthened privacy protection, but rather in the legal system, which continuously falls behind technology. Perhaps, a hidden opportunity of GDPR could be assembling policymakers, law enforcement practitioners and web developers into a joint group to seek a privacy-friendly and secure Internet – without sacrificing one for the other.
[1] As in opposition to a ‘directive’, which is legislation that each Member State can implement in a manner tailored to their own domestic rules.
[2] Albrecht, J. ‘How the GDPR Will Change the World’ in: European Data Protection Law Review, Volume 2, Issue 3 (2016) pp. 287 – 289.
[3] Finch, B. and Farmer, S. ‘The EU’s Gift to Cybercriminals’ https://www.wsj.com/articles/the-eus-gift-to-cybercriminals-1527517362
[4] “The GDPR is serving as a starting point for international [legal] standards and a trustworthy digital market.” Albrecht, J. ‘How the GDPR Will Change the World’ in: European Data Protection Law Review, Volume 2, Issue 3 (2016) pp. 287 – 289.
[5] Tiku, N. ‘European’s New Privacy Law Will Change The Web, And More’ https://www.wired.com/story/europes-new-privacy-law-will-change-the-web-and-more/
[6] Finch, B. and Farmer, S. ‘The EU’s Gift to Cybercriminals’ https://www.wsj.com/articles/the-eus-gift-to-cybercriminals-1527517362
[7] Under art. 83 of GDPR, failure to notify supervisory authority and users affected by the breach can result in, either up to 20 000 000 EUR or up to 4% of the total worldwide annual turnover – which is a lot.
[8] https://www.hrw.org/news/2018/06/06/eu-data-protection-rules-advance-privacy
[9] Finch, B. and Farmer, S. ‘The EU’s Gift to Cybercriminals’ https://www.wsj.com/articles/the-eus-gift-to-cybercriminals-1527517362
[10] Barlow, C. ‘WHOIS Behind Cyberattacks? Under GDPR, We May Not Know’ https://securityintelligence.com/whois-behind-cyberattacks-under-gdpr-we-may-not-know/
[11] ‘The agony to unsubscribe’ https://www.youtube.com/watch?v=Dceyy0cX6J4