2019: A Critical Year for Privacy Rights, Data Protection and Public Safety
Dave Piscitello, on behalf of the APWG Board of Directors
Privacy refers to the right to exercise control over how your personal information is collected, used, or disclosed. Data protection refers to measures to protect data from unauthorized access, alteration, or loss, and applies to data at rest such as a database or web site content, as well as data in motion, including messaging and mail services. We need both privacy and data protection to preserve trust and confidence between consumers and providers of Internet services and content.
Privacy rights were abused and data protection was all but absent long before the Internet. Database breaches are a pandemic. Commercial third parties collected and shared postal addresses and phone numbers without notice or consent. Postal mailboxes did and still do overflow with "junk" catalogs. Unsolicited commercial phone calls were landline intrusions long before email and (mobile) messaging improved our lives. The Internet "merely" accelerated the collection of personal contact data, expanded the opportunities for abuse, and raised the delivery of junk and abuse to an unimaginable level: the Privacy Rights Clearinghouse Chronology of Breach Events lists over 9000 reported breaches that collectively exposed a staggering 11 billion plus records, a figure even more terrifying given that it represents only reported breaches since 2005 and only breaches where US individuals' records were affected. Societies worldwide are well overdue for a privacy overhaul.
2019: A year of tumultuous change ahead
2019 promises to be a tumultuous year for data protection and privacy. The intimidating fines and penalties in the EU General Data Protection Regulation (GDPR) have multinationals and even small businesses that collect personal data from EU citizens or residents scrambling to comply. In the United States, efforts to establish trust between consumers and providers are finally gaining ground. The Data Care Act proposes obligations for companies that use the Internet to collect personal information: duties of care, loyalty and confidentiality. The bill proposes privacy requirements similar to those already imposed on financial institutions, physicians, and attorneys, who must "act in good faith on behalf of their patients or clients and are bound to keep our disclosures safe and confidential".
While we should all be excited over the prospect of privacy and data protections, security practitioners should feel an urgency to contact and encourage legislators and policy makers to avoid treating data protection and privacy rights as if they were interchangeable. The two need different considerations in the context of Internet technology and policy. To make privacy rights policy decisions with the most benefits and fewest unintended consequences, legislators, as well as the policy makers responsible for regulatory compliance, face the challenge of understanding how data protection "works".
A cautionary tale
Initial efforts to comply with the GDPR have not taken into account how investigations are conducted in the cyber world and, equally importantly, how the parties who conduct cyber investigations differ from those who conduct brick-and-mortar investigations.
The private sector and academia play a leading and arguably dominant role in cyber investigations. Law enforcement agencies, from the US FBI to Europol and Interpol, publicly admit that private sector actors are generally better funded, have more boots on the ground, and are often first to detect and first to respond to cyber-attacks. Europol Executive Director Catherine De Bolle explains that the successes of law enforcement in the fight against cybercrime will continue, "As long as European Union law enforcement continues to grow and evolve and to forge new bonds with global partners in both the public and private sector".
ICANN's attempt to comply with the EU GDPR is a discouraging example of how a compliance policy that does not fully consider the current threat-and-response landscape can create challenges or impediments for private sector actors, with consequent harms that GDPR legislators neither intended nor anticipated. ICANN's Temporary Specification for gTLD registration data allows parties that collect domain name registration data to redact the point of contact data of all registrations, regardless of whether the registrant falls within the EU jurisdiction. In a recent APWG and M3AAWG survey, over 300 first responders reported that this practice and other elements of the temporary Whois policy are "significantly impeding cyber applications and forensic investigations and allowing more harm to victims", specifically noting that the policy does not address timely and uniform access for the lawful bases for processing defined in Article 6 of the GDPR, and that there is no consensus regarding which parties can request access or how to manage access.
The impact of ICANN's Temp Spec on cyber investigations since its adoption is profound.
Responses to cyber-attacks are impeded. Investigators can no longer use elements of domain name point of contact information (email address, name, postal address) as a search argument to identify a cyber-attacker’s abuse domain portfolio in near real time. Portfolios of thousands of domain names are often associated with a single cyber-attack. Stripping investigators of this important processing technique interferes with efforts to dismantle global botnet or spam infrastructure attacks and hampers private actor efforts to assist law enforcement in identifying perpetrators.
Victimization lasts longer. Without domain name point of contact information, investigators cannot contact the victims of web site compromises in a timely manner. Investigators ideally seek to contact victims within hours. Where unwitting victims cannot be contacted quickly, attackers can continue to perpetrate fraud, publish inauthentic news, influence politics, breach databases, or otherwise inflict harm on both the victim of the web site attack and visitors to the site.
Requests to access point of contact data for lawful bases of processing are denied or delayed. These processes are impediments more often than not: AppDetex Brand Protection shared Whois Requestor System reports showing that nearly 60% of requests to over 350 registrars do not even receive a response. Even when requests are approved, the average time to disclosure of point of contact data is 7-9 days. Viewing this average through the grimmest of lenses, attacks that first responders successfully mitigated in less than 24 hours now remain active for longer than a week.
Protect privacy rights and do no harm
We have two seemingly conflicting objectives: (1) satisfy a public policy objective of protecting privacy rights through legislation, and (2) ensure public safety interests by establishing timely and uniform access to and processing of protected data where lawful bases permit.
APWG believes that it is possible to satisfy both objectives.
And we are prepared to devote our time in 2019 to achieve this.
APWG respects privacy rights and has implemented data protections accordingly. APWG's data feeds protect consumer privacy by not including personally identifiable information. Additionally, the use of APWG's data feeds helps protect consumer privacy by reducing exposure to phishing, which typically results in unauthorized disclosure or misuse of consumer personal data. APWG's eCrime exchange data feeds are used by organizations worldwide to protect consumers and organizations from fraud and data exfiltration attacks by professional eCrime gangs and hostile nation states, making the exchange an important resource for the global privacy rights and data protection ecosystems.
In 2018, APWG expanded the types of data that are exchanged to include ransomware and attacks against cryptocurrencies. In 2019, APWG will continue to study and where possible, expand data typing. Over 100 security companies rely on APWG eCrime data feeds to enhance their anti-phishing protection in products and services that are used to protect tens of thousands of companies and hundreds of millions of consumers.
In 2019, APWG will work diligently to ensure that privacy rights legislation and policy do not sacrifice the equally important need to ensure public safety interests. The APWG Board will work with privacy rights and data protection legislators and policy makers worldwide to ensure that its members are acknowledged (and validated?) as trusted processors whose cyber investigation activities satisfy the lawfulness of processing of personal data. Our members, directors and contemporaries will work with ICANN and the EU to define a Whois policy that acknowledges the roles of first responders and private sector investigators and affirms that these roles are indeed within the scope of Article 6 of the EU GDPR. APWG will also work to promote efforts such as the US Transparent, Open, and Secure Act (TOSA) to ensure timely and uniform access to Whois data.
If your company would like to contribute to the APWG to fund the eCrime exchange, education, global policy, and data sharing under GDPR, please contact firstname.lastname@example.org. Companies that contribute to the APWG are contributing to the world's oldest and largest cybercrime non-profit organization.
APWG's Applied Research Agenda for 2019 and Beyond
In 2019, APWG intends to engage in activities to expedite the suppression of cybercrime: data logistics and telemetrics, data policy and risk management, and participation in mitigations and interventions on a global scale.
In 2019, and with cooperation and contributions from members, governments, and supporting foundations, APWG and APWG EU will continue or begin to:
APWG members, directors and contemporaries are particularly eager to expand the APWG's applied Research and Development (R&D) activities. The APWG has already delivered a variety of services from earlier R&D initiatives, including a redirect system to route users who click on phishing links to educational pages, an abusive domain reporting scheme to deliver notices to registrars, and a universal cybersecurity awareness campaign launched in 21 nations. We now have in development a user census program to measure national user cyber resilience to phishing.
We believe the next evolutionary stage for the APWG is to establish an R&D center dedicated to applied research for development of tools, infrastructure, and/or intellectual property for the programmatic suppression and measurement of cybercrime in three topical dimensions: