Will GDPR give hackers an easy ride?

GDPR – the new EU legislation on data protection – has been a bit of a nightmare for many businesses across the UK and beyond. Businesses that have had to contact everyone on their databases to convince them to consent to the continued use of their data will have incurred great costs. And there may be an even higher price to pay for those businesses that have had to thoroughly purge their archived data, losing a significant number of leads in the process.

But there’s also a concern that the new rules make catching hackers even more challenging.

Whose website is it anyway?

One of the main concerns surrounds WHOIS, the public directory of domain registration data (queried through lookup sites such as Who.is) that is used to identify and contact website owners.

It is a service used by everyone from journalists to cyber security firms to police officers to make quick checks on the legitimacy of websites, as well as by members of the public wanting to do some due diligence before using an online service. But the new rules mean it can no longer show any contact names, email addresses or phone numbers associated with website owners: this information has been removed to make sure it complies with GDPR.
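To make the due-diligence check described above concrete, here is an added example (not code from the original article or from any WHOIS provider) that parses a WHOIS response and reports what a checker can still act on once registrant contact details are stripped. The WHOIS record below is a constructed sample for a hypothetical domain, registrar and name servers; the redaction wording follows the style registrars adopted after May 2018, and the live lookup function assumes the caller has network access to a port-43 WHOIS server.

```python
import socket
from datetime import datetime, timezone

# Constructed sample of a post-GDPR gTLD WHOIS response. The domain,
# registrar and name servers are hypothetical; only the field layout is
# representative of what registrars publish.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.COM
Registrar WHOIS Server: whois.registrar.example
Registrar URL: http://www.registrar.example
Updated Date: 2018-05-26T10:00:00Z
Creation Date: 2018-05-20T09:12:00Z
Registry Expiry Date: 2019-05-20T09:12:00Z
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant
Registrant Phone: REDACTED FOR PRIVACY
Name Server: NS1.REGISTRAR.EXAMPLE
Name Server: NS2.REGISTRAR.EXAMPLE
DNSSEC: unsigned
>>> Last update of WHOIS database: 2018-05-26T10:00:00Z <<<
"""

# Fixed "current time" so the sample report is reproducible (assumption).
SAMPLE_NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)

# Phrases registrars use in place of the withheld contact data.
REDACTION_MARKERS = ("redacted for privacy", "data redacted", "query the rdds service")


def parse_whois(text):
    """Parse 'Key: Value' lines into a dict; repeated keys (e.g. Name Server) become lists."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def is_redacted(value):
    """True if the value is a redaction placeholder rather than real contact data."""
    return any(marker in value.lower() for marker in REDACTION_MARKERS)


def due_diligence(fields, now):
    """Summarise the signals that survive redaction: registrar, abuse contact, age, DNS."""
    contact_keys = [k for k in fields if k.startswith("Registrant ")]
    redacted = sorted(k for k in contact_keys if is_redacted(fields[k]))
    created = datetime.strptime(fields["Creation Date"], "%Y-%m-%dT%H:%M:%SZ")
    age_days = (now - created.replace(tzinfo=timezone.utc)).days
    name_servers = fields.get("Name Server", [])
    if isinstance(name_servers, str):
        name_servers = [name_servers]
    return {
        "redacted_contact_fields": redacted,
        "registrar": fields.get("Registrar"),
        "abuse_email": fields.get("Registrar Abuse Contact Email"),
        "age_days": age_days,
        "newly_registered": age_days < 30,   # very young domains are a common scam signal
        "name_servers": name_servers,
    }


def check_sample():
    """Run the report against the constructed sample (used for the stand-alone demo)."""
    return due_diligence(parse_whois(SAMPLE_WHOIS), SAMPLE_NOW)


def whois_query(domain, server="whois.verisign-grs.com", timeout=10):
    """Raw WHOIS lookup over TCP port 43 (RFC 3912); requires network access."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((domain + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


if __name__ == "__main__":
    for key, value in check_sample().items():
        print(f"{key}: {value}")
```

The point of the report is that the registrant's name, organisation, email and phone are gone, but the registrar, its abuse contact, the creation date and the name servers are not: those are the fields a checker now has to work from, and the abuse mailbox is where a takedown request goes. To inspect a live record, pass the output of `whois_query("example.com")` to `parse_whois` in place of the sample.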

Although companies have had years to prepare for the new rules, not all have hit the deadline, including ICANN, the body that sets the rules on what domain registrars and registries must publish in WHOIS. But despite asking for extra time to help it comply with the legislation, its request was turned down, meaning it has had to strip significantly more data than it might otherwise have had to.

What’s the legal position?

Two lawyers, Brian Finch and Steven Farmer, have written an opinion piece for the Wall Street Journal entitled The EU’s Gift to Cybercriminals, which starts: “The torrent of news stories about cyberattacks and data breaches never seems to slow, but law-enforcement agencies have tallied some significant victories against online criminals. Websites spewing Islamic State propaganda have been sidelined, thanks to joint efforts by American and European authorities. So have sites on the ‘dark web’ selling illegal drugs, hacking for hire, and other unsavory items and services.”

It continues: “Unfortunately, this good work will now be significantly hindered as the European Union begins to enforce its General Data Protection Regulation.”

“Police will be robbed of ready access to vital data drastically impeding their efforts to identify and shut down illicit activity.

“The regulatory rubric the EU has created will make it harder than ever to catch computer hackers.”

It seems the lack of guidance from the EU is making companies extremely cautious about the regulation. Because the consequences of getting it wrong are so great, companies are interpreting the law extremely conservatively and getting rid of swathes of data ‘just in case’.

Mr Farmer told the BBC in an interview: “It’s regrettable we didn’t have guidance on the key principles.”

But supporters of the new privacy regulation note that cyber-criminals were never likely to have provided accurate contact details for their scam websites, and highlight that the law does provide added protection for legitimate registrants.