Updated May 3, 2018

Security industry braces for vague EU privacy rules

Europe's goal with its strict new privacy regulations is to give consumers more control over their personal information, but some security and privacy experts worry the rules could put the squeeze on some kinds of businesses.

Why it matters: The General Data Protection Regulation (GDPR) imposes strict penalties for improperly collecting or storing users' personal information. But the devil is in virtually every detail, from what actually constitutes personal information to how to define "collect" and "store" — and the resulting confusion could impact everything from criminal investigations to the blockchain industry.

What GDPR is trying to do: GDPR requires global businesses to receive explicit consent to store the personal data of any European citizen and provide a mechanism for users to delete any stored information. It also tightens security practices, including encouraging encryption.

  • In the worst case, the EU will fine businesses 4% of global revenue, or a minimum of €20 million.

Where the problems begin: Personal information can be anything from the obvious (names, addresses, credit card information) to some more obscure pieces of data (users' internet addresses). But the law didn't foresee many of the instances where the public interest might be served by technology that doesn't follow its privacy rules.

Blockchain is one.

  • Blockchain, the public ledger at the heart of Bitcoin that is now being used for a variety of other purposes, may not be compatible with GDPR.
  • Laura Jehl, who heads both the GDPR and blockchain practices at the law firm BakerHostetler, notes that entries on a blockchain are theoretically indelible, but the pseudonymous ID codes used in blockchain may count as personal information that users would have the right to delete.
  • Bitcoin itself is likely exempt from the rule, she said, as Bitcoin lacks a definitive person or company in charge. But other types of blockchains with more definitive ownership would qualify.
  • "It’s strange, because blockchain is another way to approach the same problem" that GDPR addresses, she said.

The WHOIS database is another.

  • The WHOIS database, the internet's long-running public record of who owns which domain, is facing a likely shutdown with GDPR's advent. Many security professionals believe this will devastate their ability to fight cyber crime.
  • “To give you a sense of the scale here, just at IBM alone using WHOIS data we identify 1.3 million malicious domains per month that we share with the security industry to block spam and break up cybercrime campaigns. Without WHOIS data, our analysis found it might take over 30 days to detect malicious domains via other methods,” said Caleb Barlow, vice president of threat intelligence at IBM security, via email.

Smaller firms may not be ready: Large U.S. firms have kept their eye on GDPR for some time — 4% of revenue is a lot — but smaller firms are in for some rude surprises.

  • "Very large orgs aware of international presence are in pretty good shape," said April Doss, chair of the cybersecurity and privacy practice at Saul Ewing Arnstein & Lehr. "But midsize entities that think of themselves as primarily U.S. businesses are less prepared."

Prepare to lose EU members on skittish platforms: WarpPortal, makers of the game Ragnarok Online, posted a note last week saying it would simply stop serving EU customers once GDPR kicked in. Other services are likely to follow.

Whispers U.S. firms will be in the crosshairs: U.S.-based privacy personnel have a nagging suspicion that the first firms in regulators' crosshairs will be in the U.S., to put a head on a pike. "It's going to be Facebook, right?" asked one expert I spoke to.
