Security Week 19: a great and terrible GDPR

Imagine for a moment an ideal world in which all your data is stored in a cloud system, in encrypted form, and only you have access to that storage. An "account" is used to synchronize data between your home PC, smartphone and tablet. Access to files, messages, messenger and mail correspondence requires the owner's additional consent. Access to your data by third parties and companies is restricted even more severely. One large red button can disable access for all third-party services at once. Social networks are now required to request your permission every time they want to use data for ad targeting. Incognito mode is fixed in law and backed by technology: companies are expressly forbidden to track your activity, for any purpose. The price of personal data is growing and becoming public: those who want to share their data freely are offered substantial compensation. You also have to pay for personal data storage, but much less.

None of the above happened on May 25, when the norms of the European General Data Protection Regulation officially came into force. In theory, "GDPR Day" was supposed to pass unnoticed by most people: it is just legislation, legal subtleties and so on. But the complexity of the new principles for protecting personal data, combined with traditional human weakness, had an effect. Every Internet user could see the result in their mailbox, usually accompanied by the comment: "I never would have thought so many companies had information about me." Having mass-mailed these talismans against the wrath of European bureaucrats, have companies become more responsible in processing personal data? So far, rather no than yes, but there are positive examples.

What can go wrong?

Yes, anything! Ghostery, the developer of an ad-blocking browser plug-in, successfully shot itself in both feet by sending a GDPR notice to about 500 users per message, with every recipient's address written in plaintext in the To field.


Let me remind you that the main principle of the GDPR is not so much responsible processing of personal data as responsible storage of it, and it is specifically stipulated that the data must NOT lie in the clear. Or be sent to all customers.

Most corporate GDPR statements really look more like legal cover than like attempts to follow the spirit of the law a little more actively. I will assume that the new legislation has caused the greatest problems for small and medium-sized businesses that one way or another fall under the European rules. For example, the Klout service shut down, apparently deciding that this was easier than trying to bring its entire infrastructure into line with the new legislation. The website of the Los Angeles Times shows this stub to all visitors from Europe:


American National Public Radio does not turn Europeans away, but shows them a purely textual version of the site, devoid of any advertising code, which even evokes pleasant nostalgic feelings. For similar reasons, the Instapaper service is temporarily closed to Europe.


The USA Today newspaper has made a separate version of its site for Europeans, where the main page, with identical content, takes up 10 times less space! The most honest is the Politico edition, which shows a complete list of the companies collecting information about visitors to the site, with the ability to disable each provider or all of them. There are several dozen vendors on the list of companies profiling a user for displaying advertisements.


What about big companies? On the one hand, giants such as Google and Facebook have had functionality that meets the requirements of the GDPR for quite some time: in both cases, you can download absolutely all the information that the large Internet service "knows" about you. On the other hand, one cannot say that the methods of collecting and processing information have become much more transparent. On the very first day the GDPR was in force, the Austrian privacy activist Max Schrems filed symbolic but multibillion-dollar claims against Facebook (for WhatsApp and Instagram) and Google (for Android). The main complaint: the network giants force users to accept all the conditions of information processing wholesale: either agree or lose access to the service. Theoretically, the GDPR should provide the right to a more granular choice.

In general, on May 25 the topic of GDPR did not end, but rather just began. How effective will the legislation be, can it stop this "Wild West" in relation to user data and bring the information market to a civilized state? What about spammers, phishers and other cybercriminals who are not bound by any legislation? We'll see. The practice of applying the law, with its incidents of punishing the innocent and rewarding the uninvolved, will show this. Being in the technical world, I would of course like to see a technical solution to the problem. But alas, for now the largest players in the IT market are most likely NOT interested in strict observance of user rights, simply because it is cheaper and more profitable. In this context, legislation with stricter privacy requirements certainly does not hurt.

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.

Source: https://habr.com/ru/post/369501/
