Monday 28 January 2019

Automating Facts in EU Privacy and Security Legislation

Privacy law is very general because it can't possibly cover all situations, and the technology and social environments change all the time. Nevertheless, hard facts would help a lot for those of us just trying to make privacy work. Practical privacy decisions are very hard to automate.

It turns out there are facts in EU privacy and security law, and some of them can be automated.

Facts Embedded in EU Privacy Law

It isn't just the GDPR. Six pieces of new EU law are a kind of privacy extravaganza. They are a cluster of rules and incentives with some common themes for transforming how we live and do business in the 21st century.

There is rather a lot of new law:

  • GDPR - a mashup of human rights, commercial incentive and a lot of implied computer science
  • Network and Information Systems (NIS) Directive - for traditional utility suppliers, and modern apps
  • European Electronic Communications Code - for traditional telecoms operators, and modern apps
  • EU Cybersecurity Act - for improving infrastructure security in each country, and also modern apps
  • Regulation for the Free Flow of Non-Personal Data (the anti-GDPR; no geoblocking within the EU)
  • ePrivacy Regulation - still a draft law. Does for communication what the GDPR did for data

Added to these are the country-specific versions of these laws, and despite them all being compatible there are significant differences, with some countries going a lot further, other countries having complementary traditions and so on. With the EU 27, plus the six other countries who have signed up to the Extravaganza including the UK, that is thousands more pages.

Facts Embedded in The Laws

The one outstanding Extravaganza fact that everyone seems to know is "fines of 4%" and it isn't just the GDPR that has potentially huge fines for big companies. But there are other hard facts too, ones that help increase compliance and are good business.

There are some unifying themes of computer science facts, commercial facts and legal statements of fact. Human interpretation and advice is always needed when it comes to applying complicated law. But when software needs to make a decision about what is and is not permitted activity, it can really help to have facts available in real time.

Lack of facts seems to be a universal constant in the world of privacy, as I learned when doing GDPR consulting work with companies focussing on the applied realities. Few organisations can answer even really basic factual business questions such as "where is all the company data kept?" and "what backups exist?" because they aren't used to asking them. That is why progressing to questions like "what personal data is kept?" or "do you have any idea if your systems are secure?" gives highly approximate answers. My approach was to reduce the problem size, that is, to stop doing the really bad things immediately and then plan to gradually improve the rest. But even when there is a good privacy environment in place with great policies and training, value judgements are still made on a daily basis. Hard facts are relatively rare because that is the nature of privacy.

There are at least three kinds of facts in the Privacy Extravaganza:
  1. Facts about IP addresses, not only users' IP addresses but also server IPs. The Extravaganza works by computers taking actions, and all computers/devices involved have IP addresses.
  2. Facts about business definitions. Some of these a company will know, and must commit to, and some of these can be looked up.
  3. Facts about relationships between entities, because the relationships are specified in law.

If we discard the ambiguous cases, if we do not attempt to answer questions where shades of human judgement are needed, then those facts that remain are likely to be robust enough to be consulted in real time as a piece of software deals with high speed data transfers, even transfers between people or computers about which little else can be known for sure. In science terms, this is falsifiable knowledge, because we can prove it to be incorrect rather than shrugging our shoulders. These facts are valuable.

Facts About IP Addresses

This gets a bit complicated and messy, so first of all here are the categories of IP address I have found implied in the law and computer science:

  1. Public server IP addresses. These have no privacy issues (they aren't people) and various facts can be established about them. For example, if I am about to send an email or initiate an internet voice call with someone, my computer can know some hard facts about the IP address at the other end, or at least be positive that no facts are available.
  2. Private server IP addresses. These would be for example within the same company, which in a lot of cases is a Europe-wide or worldwide private network. It might be harder to get facts in this case, because of misplaced assumptions of trust. But otherwise, as per public server IP addresses.
  3. Public and private personal IP addresses. Here we need to be careful, because there are privacy issues. But still, within the law, we can make some statements of fact based on publicly available information.
  4. IP addresses belonging to special categories of organisation, such as those defined in the NIS Directive and Communications Code.
  5. IP addresses claimed by particular organisations, usually large ones, who are easily identifiable.
  6. Server or client IP addresses which advertise technical information that proves they do not meet the security requirements of the Extravaganza. This probably means we are unable to complete communication with that IP address, and that is a new category of error implied by the security sections in at least three of the Extravaganza laws. ERROR - INSECURE CONNECTION is going to be one of the most annoying sights of the internet until improvements are made in the quality of services. We can often have the facts in advance that this is the case, and take some action such as finding an alternative or letting the user down gently.

Once we have some knowledge of the category of IP address we can start to ask some questions. We cannot guarantee to answer these questions, but we can guarantee that if we do provide an answer, the answer will be a good factual one.

Here are a few of many such possible questions:
  • Is this IP address in Extravaganza-covered address space? That is, EU27+6 countries, plus depending on what communication is being attempted, various other countries. The algorithms are in the law and there are public databases to help provide factual information. This is legal as much as computer science, with a bit of geography too.
  • Is this IP address listening as a server (eg email, or internet voice, etc)?
  • Is this IP server obviously insecure, by Extravaganza definitions?
  • Is this IPv6 address not using privacy features when it should be?
  • Is this IP address coming from/hosted by an EU company?
  • Does this IP address host services which obviously fail the ePrivacy Regulation?
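As an added example (not code from the original post), here is a first-pass fact lookup in Python for three of the questions above: is the address in covered space, is it internal address space about which nothing can be known, and is an IPv6 address using a MAC-derived interface identifier instead of privacy extensions. The prefix-to-country table and the covered-country set are constructed placeholders; a real lookup would be built from the RIR delegation data the post alludes to. Every function returns None when no fact is available, which is the "we cannot guarantee to answer" case rather than a negative answer.

```python
import ipaddress

# Constructed jurisdiction table (prefix -> country); a real one would be built from the
# RIR delegation files. The documentation ranges used here are placeholders.
PREFIX_COUNTRY = {
    ipaddress.ip_network("192.0.2.0/24"): "DE",      # constructed
    ipaddress.ip_network("2001:db8:10::/48"): "FR",  # constructed
    ipaddress.ip_network("203.0.113.0/24"): "US",    # constructed
}
COVERED_COUNTRIES = {"DE", "FR", "GB"}  # constructed subset of the EU27+6 the post mentions
# Address space that names nothing outside a local network (the post's categories 2 and 3).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def jurisdiction(addr):
    """Country code for a public address, or None when no fact is available."""
    if is_internal(addr):
        return None
    ip = ipaddress.ip_address(addr)
    return next((cc for net, cc in PREFIX_COUNTRY.items() if ip in net), None)

def in_covered_space(addr):
    """True/False when the jurisdiction is known, None when it is not."""
    cc = jurisdiction(addr)
    return None if cc is None else cc in COVERED_COUNTRIES

def ipv6_iid_is_eui64(addr):
    """True when the IPv6 interface identifier is MAC-derived (modified EUI-64), i.e. no RFC 4941 privacy extensions; None for IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    iid = int(ip) & ((1 << 64) - 1)
    fffe_marker = (iid >> 24) & 0xFFFF  # bytes 3-4 of the IID hold 0xFFFE
    universal_bit = (iid >> 57) & 1     # inverted u/l bit in byte 0
    return fffe_marker == 0xFFFE and universal_bit == 1

def ip_facts(addr):
    """First-pass facts for one address; None means 'no fact available', not 'no'."""
    return {
        "internal": is_internal(addr),
        "country": jurisdiction(addr),
        "covered": in_covered_space(addr),
        "eui64_iid": ipv6_iid_is_eui64(addr),
    }
```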

Facts About Business Definitions

The online world meets the legal world in the Extravaganza laws, among many other places. That implies that a domain name or IP address needs to relate back to a legal entity.

Generally a human is needed for that... for example, CNIL is fining Google tens of millions of Euros for privacy breaches, but what is the actual company being fined? Will that have anything technically to do with the Google company which is operating in Austria or Spain? That is why, though it is tempting to try to relate domain names to businesses and IP addresses, that quickly becomes too complicated and error prone and requires manual intervention. But the Extravaganza comes with some databases implied and already taking shape which do change this somewhat:

  • We will soon be able to know at least some of the business names and at least some of the domain names of companies required to register under country-specific NISD and Communications Code provisions.
  • We can already in some countries look up the companies and related information registered for privacy reporting purposes.
  • Large companies usually host their own DNS in a transparent way, and we can relate that to registered business information.
  • Public disclosures of privacy and security breaches, for certain companies, will be available.

That said, Extravaganza definitions of what country a company is deemed to be operating in, and where an IP address can be said to reside and more of that nature, are all very flexible and quite the opposite of hard facts.

Facts About Legal Relationships

  • GDPR Controllers and Processors have mandated contracts. Computer science says that they must share passwords as part of that.
  • Certain types of large Extravaganza-covered company have mandatory registration and reporting relationships with country-level security certification organisations.
  • ISPs and hosting companies have different mandatory registration and reporting relationships with country-level security organisations.
  • Every company covered by the GDPR has a mandatory registration and reporting relationship.
  • Some of the companies listed above have implied relationships with each other directly, rather than through any third party or government organisation, in the event of a security incident.
  • Many different kinds of organisation have some public communications obligations under Extravaganza terms.

The Future of Privacy and Security Facts

A picture is emerging of a kind of first-pass approach to privacy legislation, where the facts we know can be applied automatically. This can establish a very useful baseline for everything else.
