Earlier today, ten days since my return from Brussels, I received an email from Mr. Lambrinidis regarding a number of amendments on the upcoming e-Privacy directive that he contributed to. An interesting topic that I think merits a short post was that of breach notification. Breach notification refers to the situation when citizens whose personal data were kept by a third party A (e.g. a corporation) get ‘stolen’ or ‘compromised’ by another party B without their consent. The amendments stipulate whether A has any obligation to notify the citizens whose data were compromised and if so in which cases and how.
In the email Mr. Lambrinidis states that obligatory notification of affected citizens, by the service providers and/or the national regulatory authority, in cases where their personal data is compromised by a third party is guaranteed, in contast to previous amendments (see for example the Harbour Report from July 2008, whereby it was up to the national regulatory authorities to determine whether a breach was serious enough for notification to take place or not). Indeed, the bulk of Lambrinidis’s amendments are certainly an improvement over the previous text and a very welcome addition to the directive. I was particularly impressed by his ability to balance the arguments and come up with a relatively decent text. Nevertheless, I still have reservations with regard to the formulation of the directive. Take for example Amendment (183):
The competent authority should determine the seriousness of the breach and should require the relevant service providers to give an appropriate notification without undue delay to the persons affected by the breach, as appropriate. [emphasis mine].
The uncertainty introduced by ‘as appropriate’ could mean that the national regulatory authority has the last say on how, when and perhaps whether it should notify those involved. Someone might not be notified on time (or at all) before his or her personal data are used illegally by third parties, if the national authority does not consider this to be a serious breach for them to notify him or her soon enough. It is my opinion, that ambiguous terms such as these should be avoided and the law should be clear regarding the authorities’ and service providers’ obligations.
Some may consider this nitpicking (it may very well be). But then take a look at Amendment 184, which is of much greater concern:
Notification of a security breach to a subscriber or individual shall not be required if the provider has demonstrated to the competent authority that it has implemented appropriate technological protection measures, and those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorized to access the data.
So, a company just needs to ‘convince’ the national regulatory authority that the compromised data is ‘unintelligible’ to unauthorised third-parties. It is ambiguous and unclear what ‘technological protection measures’ [sic] means. The authors of the amendment most probably mean cryptographic integrity of the information. But, while such measures are often effective there are a few problems with the concept:
1. No current cipher can render data indefinitely ‘unintelligible’ to anyone determined to decipher it and having infinite time and money. So the phrasing begs the question: unintelligible at the time of the breach? That’s not good enough. Unintelligible forever? That’s better, but that is impossible — or rather impossible to prove mathematically unless one time pads are used. The inclusion of a clause such as ‘unintelligible by [population metric] for at least [number of years] after the breach’ would have been better.
2. Current ciphers (say AES-256 or RSA-2048) are probably good enough against most attacks by anyone — except maybe the U.S. Government — and will be so for the next couple of decades or even more. Even if sensitive personal financial information (e.g. credit card numbers) are adequately protected until the card expires and the data becomes useless, this means that non-expiring personal data (such as names, social security numbers, other biometric information, etc.) might be readable in some years’ time, but before that person who owns the data passes away.
3. In any case, not every single commercial entity in Europe is using said ‘current’ ciphers and some national regulatory authorities do not seem to be aware of the flaws older (and very widespread) ciphers have. Even if they are aware, national regulations and prerequisites for service providers may take years to catch up to the real world, especially when technology moves so rapidly and new attacks on ciphers appear all the time. I’m willing to bet here that at least one relatively obscure and understaffed national regulatory authority in backwater EU that might consider DES-128 or RSA-1024 to be secure. Again, the decision to enforce the notification should not be left up to the national authority under such technical criteria.
4. The fact that data is currently unreadable is no reason for not disclosing the breach anyway. This is because the ‘service provider’ is still responsible for the data, by law, and from the moment the data is retrieved by third parties the ‘service provider’ is no longer capable of ensuring that the data is secure. It can claim that it probably is when the data is encrypted with a ‘current’ cipher (with confidence approaching 1 for the short-term after the breach), but it cannot guarantee this. Nevertheless, even if it could guarantee it, that should not waive its obligation to disclose the breach.
5. I do not see how a corporation that gets hacked or ‘loses’ a laptop in a train can prove that the data contained in the laptop is unintelligible. Is a legally binding statement that the data is secure by someone representing the corporation enough? How do I know that they are not lying? Is there an auditing process that can verify this? Why are we introducing exceptional conditions in such important legislation that might render it completely ineffective in protecting citizens’ rights?
The point I’m making here is that by allowing this ‘window’ for non-notification, a loophole is created: that is: corrupt, inefficient or simply underperforming national authorities whose regulations and requirements are behind the times can compromise the raison d’être of the breach notification obligation and void the obligation of organisations to notify citizens whose personal data has been stolen or compromised. I have seen no convincing argument as to why organisations are excluded from the notification requirement and I can think of none that holds any water. The stakes are huge and corporate profit should have no part in this argument. If anything, organisations maintaining records of citizens with personal data should be obliged to employ current and strong cryptographic methods and protocols to minimise the possibility of compromise or theft of the data. This should ideally be specified in a common EU-wide minimum technical requirement, instituted and updated regularly by a competent EU authority. Note that in the United States the National Security Agency (NSA) is responsible for specifying which ciphers are ‘good enough’ for classified information.
EU Directives should, in my opinion, be forward-looking and expressed in an unambiguous, solid way that does not allow room for legal maneuvering by corporations not wishing to notify the authorities or customers of a compromise of their personal data due to a breach in their systems’ security or obsolete/ineffective national technical regulations pertaining to the minimum requirements that would ensure that information is truly unintelligible for a sufficient period of time following a breach. The current text, as formulated by the Lambrinidis Amendments in the area of breach notification, while easy to implement, makes it quite easy for corporations to avoid notifying the authorities or citizens of a data breach (or simply lie with impunity) without ensuring that the data is truly safe for any reasonable period of time post-breach, but leaving all such considerations to national authorities around Europe.