Why GDPR may inhibit privacy and security-enhancing technologies
By sticking rigidly to 1970s definitions of 'processors' and 'controllers', GDPR may hinder the growth of decentralised peer-to-peer alternatives
It should be pretty obvious by now that our personal data is not safe on the internet. Information about us is replicated thousands of times on servers across the world. It is hoovered up by governments and corporations, sold on by invisible brokers and used to create personal profiles, all without our knowledge or explicit permission.
Moreover, every week brings news of a new breach in which supposedly secure databases of card details and passwords are hacked, cracked and put up for sale on the web.
It's also pretty obvious that data protection legislation has lagged woefully behind the technology. In the UK, the Data Protection Act dates back to 1998, when the internet was in its infancy. Among the most prominent efforts to update the law is the upcoming EU General Data Protection Regulation (GDPR), which seeks to tighten the rules on how personal data can be stored, transferred and processed, and which requires companies to seek individuals' explicit permission for how their data is used rather than hiding it in the small print.
All well and good, but even the best laid plans have hidden flaws, and complex legal arrangements have more than most. In the case of GDPR, some provisions may actually stand in the way of technological solutions to the personal data protection problem, by being too inflexible and based on outdated concepts of how the web works.
A case in point is peer-to-peer (P2P) networking.
A large part of the data security problem is due to the structure of the internet itself, with files stored centrally on servers. Hack the server and you've got the data. A P2P network is a much more secure way of storing data because files are encrypted and broken up into fragments, with those scrambled chunks dispersed across the computers that make up the network. Even if someone breaks into one of these machines, the encrypted file fragments are worthless.
A lot of work is being done on decentralised systems right now, some based on blockchains, some on protocols like BitTorrent and others adopting new approaches to the problem of removing the single point of failure, the centralised server. But could efforts to bring such systems into the mainstream be hampered by regulations that treat all data storage and processing in the same way?
A defining problem
Although GDPR is new legislation, some of the definitions it uses are based on 1970s outsourcing models, in which a 'data controller' would pass data on floppy disk to a bureau (a 'data processor') for sorting, cleaning and other database operations, a setup which bears little or no relation to the modern reality of P2P and other distributed networking and storage architectures. Similarly, personal data is personal data, no matter whether or not it is hashed, chunked and encrypted.
"Even a partial encrypted chunk of personal data is still considered 'personal data' if someone somewhere (even if not the person holding the chunk) can decrypt it," explained Dr Kuan Hon, consultant lawyer at Pinsent Masons. "As mere storage is 'processing', the person whose equipment is used to store the chunk is considered a 'processor'.
"Unless the P2P network is being used to store personal data purely for the user's own purposes - a tricky distinction in the P2P context since the user's machine is also likely to be storing (i.e. 'processing') chunks of other people's data - it therefore comes within the scope of GDPR."
"Personally, I believe that properly encrypted personal data should not be treated as 'personal data' in the hands of someone who doesn't have the decryption key," Hon said. "However, data protection law and many data protection regulators take a very wide view of 'personal data', and that seems set to continue and indeed expand."
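To make both the storage model described above (encrypt, fragment, disperse) and Dr Hon's point concrete, here is an added Go example, not code from the article or from any project it mentions: a record is encrypted and split into fragments for peers, a peer's single fragment is useless on its own, yet anyone holding the key and all the fragments recovers the record, which is exactly why the chunks remain 'personal data' in the key holder's hands. AES-256-GCM is this example's choice of cipher; the article names none.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts a record with AES-256-GCM under a fresh random key, then splits
// nonce||ciphertext||tag into chunkSize-byte fragments (chunkSize > 0), frags[i]
// going to peer i. Peers receive fragments only, never the key.
func Store(record []byte, chunkSize int) (key []byte, frags [][]byte, err error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	blob := gcm.Seal(nonce, nonce, record, nil) // nonce prefix is public; only the key is secret
	for len(blob) > chunkSize {
		frags, blob = append(frags, blob[:chunkSize]), blob[chunkSize:]
	}
	return key, append(frags, blob), nil
}

// Reassemble concatenates the fragments in order and decrypts. The GCM tag makes it
// fail if any fragment is missing or altered or the key is wrong.
func Reassemble(key []byte, frags [][]byte) ([]byte, error) {
	var blob []byte
	for _, f := range frags {
		blob = append(blob, f...)
	}
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or too few fragments")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

Only the party holding the key can run Reassemble successfully, so for compliance purposes the question is who holds keys, not who holds chunks.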
This broad definition of personal data is intended to future-proof the legislation against advances in technology that might leave it vulnerable - quantum computing, when it arrives, will render current encryption algorithms useless, for example.
However, there needs to be flexibility the other way too, to allow new technologies that enhance privacy, anonymity and security to thrive without being needlessly restricted. Blockchains are an example of such a technology.
Using blockchains to store personal data such as medical records, a use case generating a lot of interest in the health sector, could fall foul of the law. Each node will need to be compliant with the security and consent provisions in GDPR, even though each is merely a passive holder of data that is worthless to someone attacking a single node.
Blockchains used for such purposes will most likely be 'permissioned' (i.e. restricted to a limited number of authorised nodes). Therefore compliance, while demanding, will not be impossible. However, with 'permission-less' distributed P2P models such as BitTorrent and other decentralised networks, in which anyone's laptop or smartphone anywhere in the world could potentially be a peer, this is likely to be much more difficult, not least because reliably geo-restricting nodes to comply with the data sovereignty provisions of GDPR would be very challenging to achieve.
Technology neutrality
GDPR is a much needed brake on the wholesale surveillance and profiling of individuals by corporations and governments, and one that's been broadly welcomed by privacy activists and security professionals alike. But there's a danger that by being too restrictive, GDPR could in fact hinder new technology that offers enhanced security and privacy to citizens - the very things it's aiming to achieve. There is still time for re-interpretation before it becomes law across the EU (and applicable to any companies that process EU citizens' data), but Dr Hon thinks this is unlikely to happen.
"I hope that regulators will eventually recognise the practical issues and come up with workable guidance, but the law is the law," she said.
"It took over 20 years after the current [EU Data Protection] Directive was passed to adopt the GDPR. It may be another 20 years before data protection laws can be updated for true technology neutrality."
It would be a real shame if European innovators were hamstrung by a law that should be supportive of their efforts.
Join Computing's IT Leaders Forum Getting Ready for the GDPR - Tuesday 28 February