This is the year when the General Data Protection Law (GDPR) takes effect. Woohoo!
The big question is: should mere mortals be concerned, or is this just something for security geeks like myself?
My friend and colleague decided to take his family to Florida over Christmas, and a couple of weeks before Christmas Google sent me a reminder to get him a Christmas gift. In case I couldn’t come up with any ideas, Google had a couple of suggestions. The first one was a voucher for a nine-hole trial at a golf resort with dinner for the entire family included afterwards. The resort just happened to be a 10-minute drive from the hotel where they had their reservation.
Google sure helped me out in this case, and I did end up getting him that Christmas gift, but it gets to me every time. We have to face the fact that our browser knows almost everything worth knowing about us today. Most of it is harmless stuff like our shirt size and perhaps a spellcheck or two, but somewhere in the piles of harmless knowledge about you and your person lie your deepest and darkest secrets.
Secrets for sale
Now imagine if all your secrets are for sale. We leave a remarkable amount of digital footprints today, and if I could buy information about people’s browsing habits I could find out almost anything about anybody: everything from diseases and financial situation to sexual orientation and preferences. This is of course nothing to worry about as long as nobody uses the information for sinister purposes, but a couple of interesting questions arise: what could this data be used for, and where do we draw the line?
How do we draw the line?
I’m sure you’d feel it was crossing the line if insurance companies increased your premium based on you searching a lot of medical information. But what if this data could help you find out if your children’s soccer coach is a pedophile? Would you like to find out if you could? What if your own life was at risk, let’s say you could use this data to find out if your pilot is depressed. Wouldn’t you like to know that before boarding a plane (or rather not board in this case)?
If we translate this to the corporate world, I would say that information that can be shameful for a child is a great way to extort a parent. I know what lengths I would go to to protect my loved ones, how about you? Imagine the things you would do to spare your children from embarrassment, humiliation and depression. Corporate loyalties ought to be quite thin if one is forced to choose.
This isn’t really rocket science if you have the data, and trust me when I say that we would have far worse problems than feeling a bit used over tailored gifts if this data were to be used for evil. Everything about you can be found out from your browsing habits. Period.
General Data Protection Law
So, why am I talking about browsing habits?
GDPR is the new law that will govern how companies and authorities can handle your personal information or, in short, how your data privacy is to be ensured. To answer my own question: yes, this is something you should be concerned about, and I just gave you a number of reasons why.
There is a great need to regulate what you can do with personal information and how you can share and use it. It is important that we as individuals know what rights we have regarding information about ourselves. This is part of the answer as to why we need GDPR: we need rules, and the companies that collect our data need rules. Browsing history shouldn’t be a commodity for sale. It should be more complicated than just purchasing somebody else’s deepest and darkest secrets as a result of them using the Internet.
6000 pages – a good read!
The law itself is just around 100 pages, and if you really want to understand the consequences of the new law you need to read the references, referrals and statements regarding the law as well. If you take all the documents published by the EU, we land at a meagre 6000 pages. But this is a new regulation, and anything unprecedented in law is pretty unpredictable.
For instance, depending on how the law will be enforced, the cost of being compliant for my company alone might range from 100 USD to 100.000 USD, all under very likely scenarios. You don’t get very happy managers when you tell them that it will cost something between 100 and 100.000. They tend to want a bit more precise predictions than that, and this is exactly what we will take a deeper look at in my following posts.
I have just begun my second read of the 6000 pages and this time around I will talk about my key findings in a series of articles. Join me and feel free to ask me anything about the GDPR in the comments below.
Kim Hindart, CSO at City Network, has a long background in information security with previous experience from the news and media industry, IBM, the Swedish Army and big telcos. He is a long-term enthusiast in Open Source projects like Symbian, Android and OpenStack. When not involved in security work, he likes to play around with databases and mobile operating systems. According to Kim, Internet access and cheese are the big necessities of life.
“Go SQL you can still survive”.