Security industry braces for vague EU privacy rules
Illustration: Lazaro Gamio / Axios
Europe's goal with its strict new privacy regulations is to give consumers more control over their personal information, but some security and privacy experts worry the rules could put the squeeze on some kinds of businesses.
Why it matters: The General Data Protection Regulation (GDPR) imposes strict penalties for improperly collecting or storing user's personal information. But the devil is in virtually every detail, from what actually constitutes personal information to how to define "collect" and "store" — and the resulting confusion could impact everything from criminal investigations to the blockchain industry.
What GDPR is trying to do: GDPR requires global businesses to receive explicit consent to store the personal data of any European citizen and provide a mechanism for users to delete any stored information. It also tightens security practices, including encouraging encryption.
- In the worst case, the EU will fine businesses 4% of global revenue, or a minimum of €20 million.
Where the problems begin: Personal information can be anything from the obvious (names, addresses, credit card information) to some more obscure pieces of data (users' internet addresses). But the law didn't foresee many of the instances where the public interest might be served by technology that doesn't follow its privacy rules.
Blockchain is one.
- Blockchain, the public ledger at the heart of Bitcoin that is now being used for a variety of other purposes, may not be compatible with GDPR.
- Laura Jehl, who heads both the GDPR and blockchain practices at the law firm BakerHostetler, notes that entries on a blockchain are theoretically indelible, but the pseudonymous ID codes used in blockchain may count as personal information that users would have the right to delete.
- Bitcoin itself is likely exempt from the rule, she said, as Bitcoin lacks a definitive person or company in charge. But other types of blockchains with more definitive ownership would qualify.
- "It’s strange, because blockchain is another way to approach the same problem" that GDPR addresses, she said.
The WHOIS database is another.
- The WHOIS database, the internet's long-running public record of who owns which domain, is facing a likely shutdown with GDPR's advent. Many security professionals believe this will devastate their ability to fight cyber crime.
- “To give you a sense of the scale here, just at IBM alone using WHOIS data we identify 1.3 million malicious domains per month that we share with the security industry to block spam and break up cybercrime campaigns. Without WHOIS data, our analysis found it might take over 30 days to detect malicious domains via other methods," said Caleb Barlow, vice president of threat intelligence at IBM security, via email.
Smaller firms may not be ready: Large U.S. firms have kept their eye on GDPR for some time — 4% of revenue is a lot — but smaller firms are in for some rude surprises.
- "Very large orgs aware of international presence are in pretty good shape," said April Doss, chair of the cybersecurity and privacy practice at Saul Ewing Arnstein & Lehr. "But midsize entities that think of themselves as primarily U.S. businesses are less prepared."
Prepare to lose EU members on skittish platforms: WarpPortal, makers of the game Ragnarok Online posted a note last week it would simply stop serving EU customers once GDPR kicked in. Other services are likely to follow.
Whispers U.S. firms will be in the crosshairs: U.S. based privacy personnel have a nagging suspicion that the first firms in regulator's crosshairs will be in the U.S., to put a head on a pike. "It's going to be Facebook, right?" asked one expert I spoke to.