
The Global Backdrop of Privacy, Security, and Data Sovereignty


Always changing, sometimes conflicting, and often very uncomfortable

Presented as part of The Lost Summer Project

Presented by Donald Edwards, CISSP

All content herein is presented as general information and does not constitute commercial or legal advice.

 

I am not a lawyer. I am most definitely not YOUR lawyer.

 

All opinions are mine alone and are not necessarily shared by my past, present, or future employers or any other group associations.

Donald's relevant conscious biases

National origin: Texas

Political stance: Left of center (social egalitarian, progressive)

Pro-stances:

  • Privacy
  • European Union
  • Government regulation
  • Transparency
  • Science
  • Responsible disclosure

Anti-stances:

  • Government privatisation/outsourcing
  • Cryptography backdoors
  • Offensive cyber warfare
  • Hacking back
  • Mass surveillance
  • Bitcoin (all decentralised cryptocurrencies)

Because this presentation involves discussion of geopolitics, I feel that it is important for me to acknowledge some of my personal biases. Your views may differ, and that's perfectly fine with me. We all have different biases, experiences, and priorities. We all need to learn to work with people who hold different opinions and values.

Agenda

Working definitions of privacy, data sovereignty, and security
 
Photograph of a tablet computer showing personal diary software, a lock, and a crown

Survey of international, national, sub-national, and industry regulations
 
Cartoonish rendering of a globe

What this means to you, an information security professional
 
Person in a hoodie with a question mark instead of a face

If speaking to an audience containing relatively new people to the security profession, welcome them and emphasise that they really can wear the title of "security professional".

Data sovereignty in a nutshell

My people, my property, my rules

Data localisation

  • Require specific types of data to remain inside a short list of countries
  • Usually require all copies to remain, sometimes just a copy

Data access

  • Control who is allowed to handle specific types of data and for what purposes
  • Sometimes require giving access to law enforcement

Personal rights (consent to collect, right to be forgotten etc.)

  • Require third parties that collect data about "their people" to give "their people" some level of control over the use of that data

Extra-territorial effect - Data sovereignty laws often apply to data, people, companies, situations, etc. even if some or all of them are not inside that country's borders.
 
Data localisation - Some countries restrict processing of certain types of data to specific locations (personal information, geological surveys, other data of strategic or military importance). Sometimes they are protecting it. Sometimes they are making sure they can access it.
 
Data access - Some countries restrict create/read/update/delete access for certain classifications of data to people with certain legal status, country of origin, etc. Some also require that the government be allowed access with various levels of due process.
 
Personal rights - Some countries want to ensure that their citizens, residents, and other groups of people to whom they lay some claim have adequate privacy protections wherever they are.

Data sovereignty in application

The good, the bad, and the ugly

Health and welfare

  • Protect citizens, residents, protected peoples from exploitation

Keeping tabs

  • Retain (or gain) access to people's data for surveillance purposes

Intellectual property control

  • Protect commercially or strategically valuable information from falling into the wrong hands

The subtitle is a good example of where my personal bias comes in.
 
Some of the reasons countries enact data sovereignty laws are:
 
Health and welfare - Ensure that people they care about are protected from exploitation wherever they may be.
 
Keeping tabs - Some countries want to make sure they can access data about people they care about wherever they may be.
 
Intellectual property control - Most countries want to retain some level of control over information that gives them geopolitical, strategic, military, economic, or other advantages.

What does privacy even mean?

There's no good answer! Here are some options:

Leave me alone!

  • Protections from snooping on people in non-public places like their homes
  • Some countries extend surveillance protections to the workplace

That's none of your business!

  • Control over who is allowed access to personal information
  • Ability to revoke access

Why do you want to know?

  • Transparency and control over what personal information others have and what they do with it

What does privacy even mean?

There's no good answer! Here are some options:

That's ancient history!

  • Expectation that personal information that is irrelevant will be deleted

Wait, that's a lie!

  • Ability to correct incorrect or misleading information

I'm trusting you, so keep my information safe!

  • Expectation that personal information will be treated carefully, preserving its confidentiality and integrity

Lose my number!

  • Ability to sever a relationship and have personal information deleted

So, how does security fit in?

Confidentiality
Protect data from unauthorised access
 
Old-fashioned rubber stamp imprint saying confidential

Integrity
Protect data from unauthorised modification or deletion
Paper shredder in the process of destroying a document

Availability
Ensure data is accessible to whom, when, and where it is required
Clock indicating six o'clock

Security implements the rules described by data sovereignty and privacy laws.
 
Confidentiality - The hard part is in building the process required to determine who is authorised and how to revoke that authorisation when required
 
Integrity - Many requirements around integrity of data involve recording why someone is making a change in addition to what the change is - intent is hard because it is not a technical thing
 
Availability - Data localisation is a particular challenge for availability because the results of data analysis often need to be in one country while the data itself must be in a different country

Security is enforcement

We don't make the rules, but we do make the rules to enforce them

People
Skills, knowledge, and obligations

Process
Checks and balances to minimise occurrence and impact of errors and malicious actions

Technology
Tools to aid people and process

Implementing security requires three things, in order of importance.
 
People - Properly trained staff with skills, knowledge, and awareness of their obligations
 
Process - Checks and balances, orderly workflows, and opportunities to verify that decisions are reasonable and actually do what they are supposed to do
 
Technology - Easy to buy, but requires People and Process to get meaningful value out of it

Europe and the United Kingdom


General Data Protection Regulation (GDPR)
Protects data privacy of citizens and residents of European Union (EU) and European Economic Area (EEA) member countries, no matter where they are.

Africa and the Middle East


Countries with strategic resources
Geological data related to oil, gas, and precious minerals often required to remain exclusively in-country

South Africa, Uganda, Botswana, Ghana, Angola, and others
Privacy laws exist, are enforced, and are expanding

Russia and China

China
New laws are vague - commercial and "common" cryptography rules are different.
Probably require allowing government oversight

Russia
Primary copy of data about Russians (defined broadly) must reside in Russia
Note: Russia recently demonstrated the ability to sever ties to the Internet at large (Runet)


United States and Canada


Canada
PIPEDA - Privacy law comparable to GDPR, more coming

United States
HIPAA - National health information privacy law
Note: The US is considering legislation forcing companies to install backdoors in encrypted systems (again)
California
CCPA - Leading the nation in general privacy (somewhat comparable to GDPR)

South America


Privacy laws improving
Many countries have privacy laws and are actively working on expanding their scope and enforcement

Brazil and Argentina
Two countries leading the way on privacy regulations (Argentina is deemed adequate for GDPR)

Australia and New Zealand


New Zealand
Privacy laws somewhat comparable to GDPR

Australia
Strong privacy laws, somewhat comparable to GDPR
Note: Companies are required to assist the government in investigations and can be compelled to create technical capabilities to do so

Payment Card Industry (PCI) Data Security Standard (PCI-DSS)

Established through contract, not through sovereignty

Covers handling of information related to credit, debit, and other payment cards

  • Forbids recording of certain data (e.g. CVV numbers)
  • Prescriptive framework (for now)
  • Heavy on Confidentiality, light on Integrity, barely touches Availability


Penalties for compliance failure include fines and revocation of payment processing privileges

Prescriptive control frameworks often lag behind the industry and fail to meet real, practical security needs.

So, how does this affect me as a security professional?

Embrace the discomfort and design for change

Trust the lawyers or become one

  • Over 130 countries and thousands of localities have privacy and security laws
  • Many laws are vague and open to interpretation

Accept that you will implement policies and controls with which you disagree

  • Almost all business is global business
  • Data sovereignty laws will only increase
  • Security is at the centre of global economic tensions

Everything changes

  • Minimise data, decentralise your designs, provide for metadata (classification)

Understand that you will be working with lots of grey areas that make you uncomfortable. Design systems assuming that regulatory frameworks will change in strange ways.
