Security Weekly 45: The Great and Dreaded GDPR
Imagine for a moment an ideal world in which all your data is stored in a cloud system, in encrypted form, and only you have access to that repository. An “account” is merely what synchronizes data between a home PC, smartphone and tablet.
To access your files, messenger messages and mail correspondence, the owner’s additional consent is required. Access to your data by third parties and companies is even more tightly restricted, and one big red button disables access for every third-party service.
Social networks have to ask your permission every time they want to use your data to target advertisements. There is an incognito mode, enshrined in law and backed by technology, in which companies are explicitly prohibited from monitoring your activity for any purpose. The price of personal data is rising and becoming public: those who are willing to share their data freely are offered solid compensation. You have to pay for storing personal data too, but much less.
None of the above happened on May 25, when the norms of the European General Data Protection Regulation officially entered into force. “GDPR Day” was supposed to pass unnoticed by most people: this is legislation, legal subtleties and so on. But the complexity of the new principles for protecting personal data, together with traditional human negligence, made themselves felt.
The result could be observed by every Internet user in their mailbox, usually accompanied by a comment along the lines of “I never would have thought so many companies hold information about me.” Does mass-mailing these talismans against the wrath of European bureaucrats make companies more responsible when processing personal data? So far, no; later, perhaps; but there are positive examples too.
What can go wrong?
Yes, anything! Ghostery, the developer of the web ad-blocking plug-in, managed to shoot itself in both feet by sending a message about the GDPR to 500 users at a time, with every one of their addresses written in the To field.
Let me remind you that the main principle of the GDPR is not so much responsible processing of personal data as responsible storage of it, and it is specifically stipulated that the data should NOT lie around in the clear. Nor be sent to all customers.
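As an added illustration of the mistake described above (example code, not Ghostery’s), here is a minimal notification sender that generates one message per recipient and refuses to send anything whose To/Cc headers would disclose other recipients; the `transport` callback and the sample addresses are assumptions for the demo.

```python
# Added example: keep recipient addresses out of the visible headers and
# catch the "whole batch in the To field" mistake before anything is sent.
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 1  # more than one visible address discloses the list


def visible_recipients(msg):
    """Return every address that all recipients of msg would see (To + Cc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def leaks_recipient_list(msg):
    """True when sending msg would reveal other recipients' addresses."""
    return len(visible_recipients(msg)) > MAX_VISIBLE_RECIPIENTS


def build_notice(sender, recipient, subject, body):
    """Safe form: one message per recipient, nobody else's address in it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_broken_notice(sender, recipients, subject, body):
    """The failure mode from the text: the entire batch in the To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_notices(sender, recipients, subject, body, transport):
    """transport(msg) is a hypothetical delivery callback (for example
    smtplib.SMTP.send_message). Returns the number of messages handed over."""
    sent = 0
    for rcpt in recipients:
        msg = build_notice(sender, rcpt, subject, body)
        if leaks_recipient_list(msg):  # guard against header construction bugs
            raise ValueError("refusing to send: recipient list would be disclosed")
        transport(msg)
        sent += 1
    return sent
```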
Most corporate messages about the GDPR really look more like an attempt to cover the legal rear, so to speak, than an attempt to follow the spirit of the law a little more actively. I would assume the new legislation has caused the greatest problems for small and medium-sized businesses that are in one way or another subject to the European rules. For example, the service Klout shut down, apparently deciding that this was easier than trying to bring its entire infrastructure into compliance with the new legislation. The Los Angeles Times website shows all visitors from Europe a stub like this:
America’s National Public Radio does not turn Europeans away, but shows them a fully text-only version of the site, devoid of any advertising code and even carrying a pleasant nostalgic feeling. For similar reasons, the Instapaper service is temporarily closed for Europe.
The newspaper USA Today has made a separate version of its site for Europeans, where the main page, with identical content, takes up 10 times less space! Politico acted most honestly, showing a complete list of the companies that collect information about visitors to the site, with the ability to turn off each provider individually or all of them at once. The list of companies that profile users in order to display advertisements runs to several dozen vendors.
And what about the big companies? On the one hand, giants like Google and Facebook have long had functionality that meets the GDPR’s requirements: in both cases you can download absolutely all the information the service “knows” about you. On the other hand, it cannot be said that their methods of collecting and processing information have become much more transparent.
On the first day the GDPR was in force, the Austrian privacy campaigner Max Schrems filed symbolic, though multi-billion, complaints against Facebook (including WhatsApp and Instagram) and Google (over Android). The main grievance: the network giants force users to accept all the conditions for processing their information as a package, either agree or lose access to the service. In theory, the GDPR should provide for a more granular choice.
In general, the GDPR story did not end on May 25; rather, it has only just begun. How effective will the legislation be? Can it put a stop to this “Wild West” treatment of user data and bring the information market into a civilized form? What about spammers, phishers and other cybercriminals who are bound by no legislation? We will see. Enforcement practice will show, as will incidents of punishing the innocent and rewarding the uninvolved. Being from the technical world, I would of course like to see a technical solution to the problem. But alas, for now the largest players in the IT market are more likely NOT interested in strict observance of user rights, simply because that is cheaper and more profitable. In this context, legislation with more stringent privacy requirements is certainly no hindrance.