On Friday, May 25, 2018, the EU's new privacy laws went into effect, replacing all similar national laws within the EU. Called the General Data Protection Regulation (GDPR), the new law requires a detailed public specification of the personal data kept by every business and organization that interacts with data subjects in the EU. It's not completely clear how such laws benefit individuals. But it is rather easy to see how they can benefit some modern criminal organizations and harm legitimate businesses and organizations.
Ever registered at a website? You likely gave your email address and may have provided your real name and other information. Have you purchased something on the Internet? Most likely you provided a name, address, and phone number so that the company could ship the items to you. Visited a website? Someone, somewhere (Google at least, among others) logged your IP address in connection with that visit. Now you have the right to know about that. Didn't you already? You entered the information.
You might want to know whether the website shares your personal information with others, advertisers for example. But you probably already knew, or were at least informed to the standard the law required. Did you check a box that said you agree to terms and conditions? If a website felt compelled to ask for that, it's possible that you gave them permission to do with your personal information whatever they pleased.
You have a right to be forgotten. That might seem like a good thing, especially if you've tracked down a core source of too much spam or don't want Bing to advertise your drunken nude photos anymore. But GDPR did not create that right. The European Court of Justice defined the "right to be forgotten" as a human right when it ruled against Google in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014).
What does this have to do with organized crime? If you've ever administered a web system, you are most likely aware that automated intrusion attempts happen quite frequently. The most primitive type is the most common: it starts with a robot that tries to log into an unprotected server. But you may also have seen attempts to disrupt activities or steal information from your database. The basic methods behind such efforts are common enough that beginner training covers them, as a way of preparing programmers to defend against them.
Now what if you wanted to run a massive operation to break into databases and steal information across the EU? Wouldn't it be nice if every website posted details of the information it keeps? This would allow very simple crawlers to locate the page through keywords (personal information, data protection policy, GDPR, etc.) and then use word matches within that page to identify what information is available. It's like a department store ad in the Sunday Times.
The information and the character of its presentation might also give hints about the character of the operation. In the end, you have the basis for a risk analysis and a pretty good shot at a professional-level cost-benefit analysis for attempting a break-in. Quite frankly, it's easy to see how most of this process can be automated. The effect is that criminal organizations now have the means to efficiently search through large numbers of websites to locate potentially valuable targets.
The law may actually protect criminals. The day might come when a court blames you and the business, rather than the perpetrators, for damage done with information stolen from your organization. The criminals might go free because your website didn't fully explain or properly notify them that you log their IP addresses, which GDPR treats as personal information. You violated their rights by logging information that was useful in catching them.
Let me offer a general comment based on a broader view of related events. Both the EU and the US have been leaning toward blaming businesses for what people do when using their services. What if a bridge collapses? An investigation follows, sometimes a criminal investigation of those responsible for building and maintaining the bridge. Doesn't it seem at least superficially logical that the same sort of rules should apply to IT systems?
At the same time, less responsible voices such as Elon Musk, Bill Gates, and Mark Zuckerberg serve as "IT leaders" in the popular press, forming the impressions of the public as well as those of politicians and judges. In a recent Congressional hearing, Mark Zuckerberg reported that Facebook is working on AI to interpret posts and make human judgments about their content. Technology has evolved to the point that people can at least imagine something like that working, while experts can easily contend that much of the danger of such systems is that nobody knows how to make them work well. Their stuff is open-source. Doesn't that mean:
Just don't forget that the people who have decided to empower themselves to make these decisions have absolutely no expertise in IT development or administration. At base, they are EU politicians, not the most intelligent, responsible, or reputable people we know. How would they incorporate engineering judgment into their decisions while demanding that something be done about something?
The question easily arises: If they can create human-level AI (for the world) and Google can create self-driving vehicles, why can't a lone consultant personally guarantee that data systems operated by a small business cannot be broken into by technically sophisticated well-financed teams in the Russian Mafia – and guarantee everyone's legal rights, no matter how arbitrarily conceived – including those of the criminals? It seems like technology is sufficiently advanced and engineers just need to do their routine jobs. If you are an experienced engineer, you know it's always your fault anyway. Are you in jail yet?