GDPR: Big Tech Firms Win, Security Researchers Lose
On May 25, 2018, a mere 11 days from now, the General Data Protection Regulation (GDPR) takes effect. This law, enacted by the European Parliament, requires companies to get affirmative consent for any personal information they collect on residents of the European Union (EU). The text of the strict regulations for data processing and handling was not what got the attention of outside observers; it was the eye-popping fines for violators that garnered the most attention. Organizations that fail to follow GDPR face fines of up to 20 million Euros ($24 million US Dollars at the time of writing) or four percent of the organization’s global annual revenue, whichever is greater. Any organization whose sites or services could be offered and accessible in the EU would be required to comply with GDPR, even if it is not based in an EU member state.
There is no doubt that there are many winners with the enactment of GDPR: consumers gaining more protection and control of their data, consulting companies (legal and technical) assisting with compliance efforts, and large tech firms that can use their weight and market dominance to effectively force users to accept their terms. GDPR was passed in part to prevent tech giants like Facebook and Google from pressuring users into handing over personal information in exchange for continued use of their services, but the law appears to be having the opposite effect. Google and Facebook have been bombarding their users, vendors, partners, and third-party affiliates with pop-ups asking them to accept new, GDPR-compliant terms. Most users will opt to click “Agree” rather than risk being cut off from a service they deem vital. Lesser-known companies such as Unroll are less likely to get that “Agree” click, since users may decide not to hand over personal information in exchange for a non-vital service. This pushes companies to do their advertising business with Google and Facebook, since they will have the highest number of GDPR-compliant users to target. My personal e-mail inbox has been receiving updated terms and conditions all month.
While GDPR is aimed at providing greater protection for user data and privacy, it also necessarily protects bad actors. The Internet Corporation for Assigned Names and Numbers (ICANN), the organization tasked with managing the global domain name system, has proposed redacting key bits of personal data from the WHOIS database in order to be compliant with GDPR. The WHOIS database is a very powerful security research tool that allows the public to find information about a website or IP address, such as the individual who registered the domain, their physical address, phone number, and the e-mail address associated with the registration. These key bits of data are important inputs for determining a risk score, for example in the algorithms used by anti-spam technology. Some spammers attempt to hide their identity by registering with a privacy service, a third party that registers the domain on behalf of the actual registrant, but that in itself increases the likelihood that a message may be spam. Not all bad actors are sophisticated or employ good Operational Security (OpSec): they may use their real information, or consistently reuse the same false information, which makes tracking their movements easier. For example, based on WHOIS records, we have reason to believe that attack campaign A is linked to attack campaign B since both campaigns used command and control domains registered to the same dummy corporation.
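As an added example (not code from the original post), the following Python performs the WHOIS pivot the paragraph describes on constructed records: domains sharing a normalised registrant organisation and e-mail are linked, a privacy-service registration adds a risk weight, and GDPR-redacted records are deliberately never linked to one another, because a shared "REDACTED FOR PRIVACY" placeholder is not a shared registrant. The sample records, keyword lists and weights are all constructed for illustration.

```python
"""Link domains by shared WHOIS registrant data and weight registration privacy.
Sample records below are constructed, not real WHOIS output."""
from collections import defaultdict

# "REDACTED FOR PRIVACY" is the placeholder many registrars emit after GDPR;
# the other markers and the privacy-service keywords are a constructed heuristic list.
REDACTED_MARKERS = ("redacted for privacy", "data protected", "not disclosed")
PRIVACY_KEYWORDS = ("privacy", "proxy", "protection service")

# Constructed WHOIS records: domain -> registrant fields (all .example names).
WHOIS_RECORDS = {
    "campaign-a-c2.example": {"org": "Acme Holdings LLC", "email": "admin@acme-holdings.example"},
    "campaign-b-c2.example": {"org": "ACME HOLDINGS LLC", "email": "Admin@acme-holdings.example"},
    "hidden-c2.example":     {"org": "Example Privacy Proxy Services", "email": "abuse@privacy-proxy.example"},
    "gdpr-1.example":        {"org": "REDACTED FOR PRIVACY", "email": "REDACTED FOR PRIVACY"},
    "gdpr-2.example":        {"org": "REDACTED FOR PRIVACY", "email": "REDACTED FOR PRIVACY"},
    "corp-site.example":     {"org": "Example Corp", "email": "hostmaster@example-corp.example"},
}

def is_redacted(record):
    """True when the registrar replaced identity fields with a GDPR placeholder."""
    return any(m in record[f].lower() for f in ("org", "email") for m in REDACTED_MARKERS)

def is_privacy_proxy(record):
    """True when the registrant field names a privacy/proxy service, not a person or company."""
    return any(k in record["org"].lower() for k in PRIVACY_KEYWORDS)

def registrant_key(record):
    """Normalised (org, email) pivot; None when the fields carry no identity to pivot on."""
    if is_redacted(record) or is_privacy_proxy(record):
        return None
    return (record["org"].strip().lower(), record["email"].strip().lower())

def cluster_by_registrant(records):
    """Group domains whose registrant data matches; redacted or proxied domains never link to each other."""
    clusters = defaultdict(list)
    for domain, rec in records.items():
        key = registrant_key(rec)
        if key is not None:
            clusters[key].append(domain)
    return {k: sorted(v) for k, v in clusters.items() if len(v) > 1}

def registration_risk(record):
    """Risk weight from registration transparency (constructed weights for illustration)."""
    if is_redacted(record):
        return 2   # no identity data at all: nothing to corroborate or pivot on
    if is_privacy_proxy(record):
        return 1   # identity deliberately hidden behind a third party
    return 0       # registrant visible and checkable
```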
Disallowing the use of WHOIS data for security research purposes will be a big blow to the industry, which ICANN is attempting to address by allowing trusted partners access to the WHOIS database for research purposes. The vetting process will not be in place within the next 11 days and likely will not be implemented until the end of 2019, leaving security researchers in the dark for over a year and a half.
Now more than ever it is important for security vendors to adopt a zero trust model and not rely on reputation-based security alone. An important source of that reputation data is about to be removed, which will leave many organizations vulnerable to attack unless they stop relying solely on reputation. GDPR has some massive fining mechanisms at its disposal, and I predict that regulators will make an example of a company so that others fall in line.