AdaptiveMobile Security’s CEO, Brian Collins, takes a deeper look at how the new EU regulation could hinder national security initiatives
With the much-heralded arrival (or imposition) of the General Data Protection Regulation, aka GDPR, on the 25th of May 2018 now past, it is time, especially for a security company that reviews data for threats to subscribers, to discuss whether this much-vaunted legislation is actually being effective in protecting people’s data rights, or is simply spreading a landscape of fear that is hindering the valuable uses of data that support national initiatives in the defeat of terrorism, fraud and criminal activity.
GDPR was created some years back with the noble aspiration of harmonising data protection laws across all EU member states. It requires that personal data be processed lawfully, fairly and in a transparent manner in relation to individuals, and it details a specific set of criteria surrounding the collection and storage of such data. Those outside the EU complain that it is a “get back” against US internet giants like Google and Facebook, while further highlighting Europe’s failure to produce an internet giant of its own – that conversation, however, is for another forum.
Data hygiene is one thing, but data hysteria an entirely different matter!
For those unfamiliar with the workings of EU law, regulations are adopted by the EU institutions and have binding legal force throughout every Member State, with no national laws being required to implement them. Directives, meanwhile, are also adopted by the EU institutions and lay down certain results that must be achieved, but each Member State is free to decide how to transpose them into national law.
Now that the avalanche of emails from just about every company you ever gave an email address to has more or less ceased, we believe it is time to see whether, by accident or design, GDPR has changed people’s habits in how they use their personal details, now that they know there is an obligation upon the data recipient (“processor? controller?”) to handle their data in line with this legislation. We ask the question: is a by-product of this data sea change possibly depriving security agencies of the key resource (data) they require to protect their citizens and their national critical infrastructure?
It is undoubtedly early days, but as a company that processes over 40 billion security events a day, our view is a resounding yes! One of the key tenets of GDPR relates to encryption, and the regulation has certainly made data users a lot savvier and more educated regarding how encryption works and its specific uses. Whereas in a lot of cases law enforcement and security agencies have significant tools to decrypt certain types of encrypted traffic, this is a slow and laborious process requiring keys and continuous updates. Within our day-to-day security processing, we have seen a 1.4% increase in the level of encrypted traffic in recent months.
This article does not harbour the ambition to be the forum for debating the pros and cons of encrypting traffic. We all use encryption on a near-daily basis: online banking, online commerce, WhatsApp, etc. The traditional argument offered by the misinformed, that weakening encryption for one specific purpose weakens it for all, is not valid when it comes to matters relating to national security. The fact that everyone uses encryption should not detract from the fact that the bad guys abuse it, and in doing so make the entire reason for encrypting unsafe.
Finding workable and fair solutions regarding encryption has been the focus of the intelligence committee known as the Five Eyes, i.e. the US, Australia, New Zealand, Canada and Britain. Following a recent meeting in 2017, a press release was issued stating the committee’s view that encryption can “severely undermine public safety efforts” and committing members to “working together to find common ground” to explore shared solutions. Such statements put the fundamental tenet of GDPR to shame: rather than attempting a “one size fits all” approach to the ever-evolving and mind-boggling issue of the value of data access, data security must be solved by a multi-agency approach, as opposed to the somewhat contaminated and biased view of some European governments, who have ultimately failed to foster the environment that would allow a European Google to prosper.
It is undoubtedly early days for GDPR, but as a security company headquartered in Europe and involved every day in the battle against abusers of data (criminals, cynical nation states and fraudsters), we believe it is worth seriously considering that GDPR as it stands is a cause for concern for national security and critical infrastructure security, both today and in the future.
The irony is not lost on us that, in its current form, GDPR could lead to reduced security and increased privacy risks, which would seem to be the opposite of what it was created to achieve in the first place.