As Congress explores options for a comprehensive federal privacy law, tech experts disagree whether the U.S. should model a law after the European Union’s GDPR or California’s Consumer Privacy Act (CCPA).
In fact, some fear the EU’s strict privacy rules increase the risk of cybercrime, including cyberattacks, identity theft, illegal drug sales and human trafficking. Because the EU implemented GDPR less than a year ago, there’s not enough data to determine if there’s been an uptick in cybercrime.
Several scholars at the American Enterprise Institute (AEI), though, fear the privacy principles enshrined in GDPR combined with the law’s broad, imprecise language create a huge loophole for cybercriminals.
In her testimony before the Senate Judiciary Committee’s hearing two weeks ago, AEI Visiting Scholar Roslyn Layton touched on the tech industry’s concern that GDPR hampers cyberattack data-sharing, which is important both for law enforcement to hunt down the perpetrators and for companies to prevent future cyberattacks.
In a November 2018 filing with the National Technology and Information Administration (NTIA), the Cybersecurity Coalition highlighted this specific concern, juxtaposing the issues of privacy and cybersecurity.
“[Data-sharing] is consistent with consensus best practices for comprehensive security programs, such as the NIST Cybersecurity Framework,” the coalition wrote in the filing.
Stuart Madnick, a professor of information technology and engineering systems at MIT’s Sloan School of Management, told InsideSources he teaches a class on ethics and cybersecurity at MIT, and said students are always conflicted about whether attacked companies should share potentially sensitive, incriminating data about their customers with third parties in the name of cybersecurity.
The kind of data companies might share with law enforcement or other companies in the wake of a cybercrime includes seemingly mundane details like cookies, internet domain names and IP addresses. Data of this kind is recorded in a large database called the WHOIS database, and can be used to locate and identify an individual.
GDPR now classifies these online identifiers as “personal data,” which means they are controlled by the consumer and can be deleted, moved or restricted at the consumer’s request.
According to Layton, GDPR prompted the Internet Corporation for Assigned Names and Numbers (ICANN) to “announce a Temporary Specification that allows registries and registrars to obscure WHOIS information they were previously required to make public, ostensibly to comply with the GDPR.”
Furthermore, a letter from Andrea Jelinek, chair of the Article 29 Working Party (which pushed GDPR), states that the party “welcomes the fact that ICANN continues to make progress towards GDPR compliance with respect to the WHOIS directories and services. In particular, it welcomes the decision of ICANN to propose an interim model which involves layered access, as well as an ‘accreditation program’ for access to non-public WHOIS data. The WP29 also welcomes the proposal to introduce alternative methods to contact registrants or administrative and technical contacts, without public disclosure of registrants’ personal email addresses.”
The result? Less data for companies or law enforcement officials to trace criminals.
“Actors including ICANN are practicing voluntary censorship because the GDPR’s provisions are so vague and the potential penalties so high,” Layton argued. “The WHOIS problem can be described as the conflict between the individual’s right to privacy and the public’s right to know. It can also be understood within the context of the problem of ‘privacy overreach,’ in which the drive to protect privacy becomes absolute, lacks balance with other rights, and unwittingly brings worse outcomes for privacy and data protection.”
Theoretically, under GDPR, a hacker could very easily cover his or her tracks by requesting deletion, portability or restriction of his or her online identifiers, making it easier for the hacker to get away with a crime.
But as noted in Jelinek’s letter, there is a goal to “introduce alternative methods to contact registrants or administrative and technical contacts, without public disclosure of registrants’ personal email addresses,” which means the cybersecurity gap may only be temporary as ICANN works to comply with GDPR and come up with a way for the right people to access online identifiers for specific reasons.
Congress hasn’t yet released draft federal privacy legislation, but sources familiar with the matter told InsideSources there should be a draft coming soon.