Implementation of GDPR by leading online stores

October 4, 2021

It has been 3 years since the GDPR entered into force. Despite the availability of courses, information on the Internet, and professionals in the marketplace addressing this issue, many companies still make significant mistakes. During Cyber Security Month I decided to take a look at how five leading online hardware stores approach selected security-related issues.


Scope of the study

The Regulation became part of the state’s legal framework as of May 25, 2018. It binds everyone who processes personal data in connection with their business activities. The Regulation introduces a number of changes and expands the scope of data controllers’ and processors’ obligations.

In September, a check was carried out on the compliance of five leading online stores selling hardware with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

During this check, I took into consideration items such as:

  • account creation and deletion,
  • collecting redundant data,
  • data security,
  • exercise of rights and obligations towards the user.


Creating an account on the website

All data controllers of the surveyed websites collect the e-mail address during user registration. Two out of the five websites I checked collect more data, namely first name and last name, which may be considered excessive; one of them also collects telephone numbers, which should be considered excessive, as the principle referred to in Article 5(1)(e) of the GDPR is already satisfied by the e-mail address alone.

In one case we observed possible collection of a wider scope of data, i.e. postal code, but it was defined as information collected optionally and it is not necessary to provide in order to create an account on the website.

In my opinion, collecting more than the e-mail address at this stage is redundant data collection, which means non-compliance with Article 5(1)(c) of the GDPR.

The data controllers of two of the five websites I checked take a different approach to finalizing account creation: they log the new user in automatically, without requiring confirmation of the intent to register. This can lead to impersonation. However, it is not in itself a data breach.

Each of those online stores requires acceptance of the terms and conditions by ticking the appropriate checkbox; the terms and conditions themselves are properly linked.

One of those stores does not comply with the requirements to fairly inform the user about who becomes the data controller during the registration process as required under Articles 13 and 14 of the GDPR.

Three data controllers post summary information with a link to the full version of the privacy policy.

Only one of them asks the user to confirm that they have read it by checking the appropriate checkbox. Failure to do so prevents completion of the process.


The approach of the President of the Personal Data Protection Office

It should be remembered that in 2019 the President of the Personal Data Protection Office (PDPO) imposed a fine of nearly 1 million PLN on a controller for failing to comply with the information obligation towards persons whose data it had obtained before the Regulation came into force.

Failure to properly comply with the information obligation when collecting data constitutes a violation of Articles 13 and 14 of the GDPR and failure to collect confirmation of reading the privacy policy can make it very difficult for the data controller to prove compliance with this obligation!


Closing the account

For most of the entities, closing the account is possible from the user’s account tab, in line with the principle that withdrawing consent should be as easy as giving it. Three of the checked stores provide this option in their account management tabs. In the case of the other two stores, the user has to contact the store’s administration by e-mail, which may be considered a violation of Article 7(3) of the GDPR. None of those stores creates unnecessary obstacles, and they inform users of the steps taken to comply with the data subject’s request. For the lack of such a confirmation, the Romanian supervisory authority imposed a fine of 2,000 EUR. Pursuant to Article 12(3) of the GDPR, the data controller is obliged to inform the data subject of the action taken on the request without undue delay, and in any case no later than one month after receiving it.

It is important to note that the rights individuals have in relation to the processing of their personal data cannot be exercised in all circumstances. For example, the data controller does not have to erase data on request if the data is still necessary to fulfil the purpose of the processing. The same applies if the data is not processed on the basis of consent or of a legitimate interest of the data controller.

Even if the data controller determines that there are no grounds for erasure at the data subject’s request, the requester must be informed that the request will not be fulfilled and on what grounds. Pursuant to Article 12(4) of the GDPR, the data controller has one month to provide the reasons for not taking action on the data subject’s request. The data controller must also inform the data subject of the possibility of lodging a complaint with the supervisory authority and of seeking a judicial remedy.


Security

Each of the data controllers does its part to ensure secure data transmission by using certificates that are recognized as secure. However, the choice of keys varies: three data controllers were using RSA 2048-bit public keys and two ECC 256-bit keys.

We should not be fooled by the magic of numbers, though: a 256-bit key is not worse than a 2048-bit key. The two algorithms rest on different mathematical problems, and the elliptic-curve discrete logarithm problem underlying Elliptic Curve Cryptography (ECC) is much harder to attack per key bit than the integer factorisation problem underlying the Rivest-Shamir-Adleman (RSA) algorithm. Thus, ECC offers security comparable to RSA with significantly shorter keys. The security of a 1024-bit RSA key is estimated to be equivalent to that of a 160-bit ECC key.

Prior to 2018, regulations clearly indicated the required length and complexity of passwords and the frequency of mandatory password changes. Since the Regulation entered into force, no such top-down guidance is imposed on the controller. Instead, it obliges the data controller to ensure an adequate level of security by implementing appropriate technical and organizational measures, so as to provide a degree of protection appropriate to the risk. This gives the data controller many options. It is important to remember that failure to adequately secure data can have very serious consequences for the data controller, including a fine of nearly PLN 3 million imposed by the supervisory authority. The President of the Personal Data Protection Office held the penalized data controller accountable for non-compliance with the standards described in the guidelines of a US federal agency, NIST (National Institute of Standards and Technology), and more precisely the instructions contained in the document “NIST 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management”.


Implementation

Let us take a look at how the evaluated stores are approaching the implementation of the recommendations contained in Article 32 of the GDPR.

One of the controllers requires a password of 6 characters containing at least one digit and one letter. The other four controllers require a password of at least 8 characters.

One store accepts as few as 8 identical characters (no distinction between upper and lower case letters, digits or special characters), but it does include a password complexity indicator: at 8 characters the password is rated good and at 11 great.

Another store also accepts only 8 identical characters, but the user will be informed that this is a weak password, regardless of length. Adding a digit, a capital letter and a special character does not change this rating, but extending the password to 9 characters classifies its strength as “average”, and a 10-character password is considered as “meeting the requirements”. A controller that is not guided solely by the length of the password when defining the requirements deserves credit.

In two cases, a password of 8 characters including a number and an uppercase and lowercase letter is required, and they do not use an auxiliary indicator to inform about the complexity of the password.


Good practices

None of the controllers imposes password change deadlines, which is in line with the cited NIST guidelines. There is a simple reason for this recommendation: users instinctively choose weaker passwords when they know they will have to change them again shortly. Experience shows that under such forced, periodic changes the user usually enters a similar password with, for example, another number appended (1, 2, 3, etc.).

This creates a false sense of security, as a potential attacker is also aware of how users behave when changing passwords. Instead, the aforementioned guidelines recommend the so-called “event-based change”: the controller should force a password change when it has a reasonable suspicion that confidentiality has been breached, and only then, as an exception. Enforcing a password change only occasionally motivates the user to choose a harder password.

But what about the obligatory use of special characters and numbers? According to NIST guidelines, it is not recommended to force the use of such measures.

It is argued that this kind of coercion most often leads to, for example, simply appending a “!” to the password or other predictable behaviour, such as capitalizing the first letter. It is also pointed out that this mechanism frustrates users, so that they focus not on the actual complexity of the password but only on clearing the hurdle as quickly as possible, which again leads to the repetitive, predictable behaviour described above. Moreover, it encourages reusing one password in many places (since it is difficult to remember) or writing passwords down in prominent places.

Instead of enforcing special characters, the guidelines recommend checking passwords against blocklists of the simplest and most commonly used passwords, such as “123456”, “password1”, “qwerty”, etc. In this review only one store applies such a rule. Paragraph 7 of the cited guidelines recommends the use of password “strength” indicators, which are in fact used in only some of the surveyed stores.


Newsletter

Every website runs a newsletter, and there is a reason why so many companies choose to send out such information. With the help of a newsletter, the owners of the website can inform about changes and innovations introduced, improve the recognisability of the website, or in various ways encourage customers to use its offer again.

By definition, these are also pieces of commercial information. They are considered to be not only content that directly promotes products or services, but also (directly or indirectly) the image of the entrepreneur. This means that several specific requirements must be met for the newsletter to be legitimate.

Three legislations – three requirements for obtaining consents

Currently, there are three provisions that oblige the sender of a newsletter to obtain consent to receive messages for marketing purposes:

  • Article 6(1)(a) of the GDPR – processing of personal data on the basis of consent given for a specific purpose (voluntarily and knowingly),
  • Article 10 of the Act on the Provision of Electronic Services – the requirement to obtain consent before sending commercial information to a natural person,
  • Article 172 of the Telecommunications Law – the prohibition on using telecommunications terminal equipment and automatic calling systems for direct marketing purposes unless the subscriber has consented.

Required consents

One must remember that under the GDPR the owner can rely on the legitimate interest of the controller (Article 6(1)(f)), but this requires a balancing test and proof that the controller’s interest outweighs the data subject’s rights.

During the examination, it was noted that one of the entities does not collect any consents related to signing up for marketing mailings, which clearly contradicts the requirements of the Act on Providing Services by Electronic Means and the Telecommunications Act.

Two controllers use an additional acknowledgement of reading the terms and conditions, but this is linked to additional promotions and discounts for users. The other two controllers only collect consent for contacting data subjects for marketing purposes.

It should be remembered that it is possible to create the content of the consent in such a way that it simultaneously meets the requirements of the Telecommunications Law and the Act on Providing Services by Electronic Means.

Another problem is the obligation to inform the user who the data controller will be: under the Regulation this obligation must be fulfilled already at the stage of data collection, which only two entities do. One allows newsletter sign-ups for logged-in users only; the other introduces the appropriate provisions into the consent for marketing activities.

Ensuring compliance with appropriate regulations vs. claims

To protect the sender against claims of having sent unsolicited marketing content, consent is confirmed in a second step, for example by an e-mail asking the recipient to confirm the subscription (so-called double opt-in). According to the observations, four controllers use such a mechanism. Only one sends a confirmation that you have subscribed to receive the indicated content.

Unsubscribing from newsletters is usually easy and involves clicking on a link at the end of an e-mail. The one exception is a store that requires an e-mail to be sent to an address belonging to the DPO. Unfortunately, none of the stores we surveyed had an opt-out option through the user profile tab. Each of the stores informs the user of the actions taken.
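The double opt-in flow and the one-click unsubscribe link described in the two paragraphs above share one mechanism: a link whose token the server can verify as genuinely issued, and a record of when consent was confirmed so that the controller can answer a later claim. The following Python is an added example and not code from any of the surveyed stores; the secret key, the consent wording, the two-day link validity and the `NewsletterConsent` class with its `request_signup`, `confirm`, `unsubscribe_link` and `unsubscribe` methods are all this example’s own constructions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

SECRET_KEY = b"example-only-key-do-not-reuse"   # constructed; load from a secret store in production
CONFIRM_TTL = 48 * 3600                         # a confirmation link stops working after two days

# Constructed wording, drafted so that one tick covers the GDPR, the Act on the
# Provision of Electronic Services and the Telecommunications Law at once.
CONSENT_TEXT_V1 = ("I agree to receive commercial information from Example Store "
                   "by e-mail and to the use of my e-mail address for direct marketing.")


def _signature(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def make_token(action: str, email: str, now=None) -> str:
    """Build an HMAC-signed link token: <base64url payload>.<hex signature>."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"a": action, "e": email, "t": issued},
                         separators=(",", ":"), sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return body + "." + _signature(payload)


def parse_token(token: str, action: str, now=None):
    """Return the e-mail address a valid token was issued for, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, binascii.Error):
        return None
    # Verify before parsing: only data we signed ourselves is decoded as JSON.
    if not hmac.compare_digest(_signature(payload).encode(), sig.encode()):
        return None
    data = json.loads(payload)
    if data.get("a") != action:          # an unsubscribe link cannot confirm a signup
        return None
    if action == "confirm" and now - data["t"] > CONFIRM_TTL:
        return None
    return data["e"]


class NewsletterConsent:
    """Pending requests, confirmed subscribers and an audit trail of consent events."""

    def __init__(self):
        self.pending = {}
        self.subscribers = {}
        self.events = []

    def request_signup(self, email: str, source: str, now=None) -> str:
        """Step 1: record the request; the returned token goes into the confirmation e-mail."""
        now = time.time() if now is None else now
        self.pending[email] = {"requested_at": now, "source": source}
        self.events.append(("requested", email, now))
        return make_token("confirm", email, now)

    def confirm(self, token: str, now=None) -> bool:
        """Step 2: the recipient clicked the link, so the consent is now evidenced."""
        now = time.time() if now is None else now
        email = parse_token(token, "confirm", now)
        if email is None or email not in self.pending:
            return False
        request = self.pending.pop(email)
        self.subscribers[email] = {
            "requested_at": request["requested_at"],
            "source": request["source"],
            "confirmed_at": now,
            "consent_text": CONSENT_TEXT_V1,   # keep the exact wording that was accepted
            "method": "double opt-in",
        }
        self.events.append(("confirmed", email, now))
        return True

    def unsubscribe_link(self, email: str) -> str:
        """Token for the one-click link at the end of every newsletter (no expiry)."""
        return make_token("unsubscribe", email)

    def unsubscribe(self, token: str, now=None) -> bool:
        now = time.time() if now is None else now
        email = parse_token(token, "unsubscribe", now)
        if email is None or email not in self.subscribers:
            return False
        del self.subscribers[email]
        self.events.append(("unsubscribed", email, now))
        return True

    def is_subscribed(self, email: str) -> bool:
        return email in self.subscribers
```

The subscriber record keeps the request source, the confirmation time and the exact consent wording, which is the evidence a controller needs when a recipient later disputes having subscribed. Confirmation tokens expire and are consumed on first use, while the unsubscribe token stays valid so that the link at the bottom of an old newsletter still works; the same store could also expose `unsubscribe` from the user profile tab, which none of the surveyed stores did.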


Conclusion

While I was preparing to perform the review I thought it would be a simple task of looking for compliance. It came as a big surprise to me that none of the stores surveyed met all of the requirements set, indicating that there are still many challenges ahead for Data Protection Officers involved in commerce to meet the requirements of the legislation.

The lack of specific guidelines, as was the case in the old Data Protection Act, gives controllers a free hand in achieving the task in question. But it also introduces uncertainty about whether the actions being taken are right and appropriate to ensure information security in an area that is as difficult as cybersecurity.


***

Want to make sure you are compliant with GDPR? Make use of EXATEL’s Security Reconnaissance service and learn even more about your organization.

The Security Reconnaissance is a multi-day, targeted survey of an organization’s security level. They are performed by procedural security and infrastructure penetration testing experts from EXATEL’s Advanced Security Services team. During the operation, we will conduct a survey, infrastructure security reconnaissance, and an examination of processes and procedures.

What will you achieve as a result of the EXATEL Security Reconnaissance? The outcome of the work is a report identifying the most pressing problems in the area of security, our recommendations for risk mitigation in relation to the gaps found and proposals for actions to be implemented in the project mode. You will get a detailed description of the attack vector and a number of specific guidelines on how to improve security in technical, process and organizational issues. This is an ideal summary that can be presented before the Board of Directors and the Management of the organization.

Published by: Katarzyna Chojecka
