Another Victim Of The GDPR & CCPA: Security Researchers No Longer Can Get Anonymous Access To Internet Attack Data
from the not-understanding-privacy... dept
We’ve pointed out before that we’re generally bad at regulating privacy because we don’t understand privacy. All of the regulations around privacy seem to treat a set of information as “special” that must be locked up and hidden. However, as we’ve pointed out over and over again, privacy is actually a set of trade-offs, and in some situations, certain information should be shared, and in others not. But it requires an awful lot of context — and no privacy regulations that I’ve seen seem to take that context question into account. Because of that we end up with nonsensical results that often do more harm than good.
The latest example of this comes from Rapid7, a cybersecurity company that, among other things, tracks network activity and attacks to help fend off attackers. Back in 2018, Rapid7 launched the Open Data project to enable more researchers to have access to important data generated from its Project Sonar and Project Heisenberg research efforts. Via the Open Data Initiative researchers could access important useful data for improving security and understanding various threats online.
The Open Data Project offered two forms of access to researchers — both free. The first required signup, at which point registrants were “subject to light vetting and terms of service” before being able to access current and historical data. The second was free access “to a one-month window of recent data” from Project Sonar. However… thanks to laws like the GDPR in the EU and the CCPA in California, apparently sharing that information is becoming a liability. So Rapid7 is doing away with the second type of access, the kind that was widely available (the one-month snapshot) for anyone to see on its website.
Reading between the lines, it sounds like Rapid7 was facing some threats under the GDPR and/or the CCPA, claiming that the very, very useful service it provided for anyone to look at the data, was possibly revealing… IP addresses. And, once again, this gets into the trade-off nature of privacy. In some cases, IP address information might reveal sensitive information — but the fact is that, in most instances, it absolutely does not. However, courts are getting aggressive about this — as you may recall from our recent story about a German court fining a company for… using Google’s fonts. The violation? Passing IP address info back to Google.
Rapid7 has noticed that this means its data service is potentially a liability:
During the past few years, we have also seen an evolving regulatory environment for data protection. Back in 2018, GDPR was just coming into effect, and everyone was trying to figure out its implications. In 2020, we saw California join the party with the introduction of CCPA. It seems likely we will see more privacy regulations follow.
The surprising thing is not this focus on privacy, which we wholeheartedly support, but rather the inclusion and control of IP addresses as personal data or information. We believe security research supports better security outcomes, which in turn enables better privacy. It’s fundamentally challenging to maintain privacy without understanding and addressing security challenges.
Yet IP addresses make up a significant portion of the data being shared in our security research data. While we believe there is absolutely a legitimate interest in processing this kind of data to advance cybersecurity, we also recognize the need to take appropriate balancing controls to protect privacy and ensure that the processing is “necessary and proportionate” — per the language of Recital 49.
The company says it will still work to make the data available, but from now on it’s going to require registration, rather than just being openly available on the website.
Once again, this seems like it will most likely have a negative impact on actual online security and privacy… all to comply with rules that are supposed to be improving our privacy. Some of us have warned regulators of these kinds of consequences, and are always brushed off, but we keep seeing this kind of thing happening.
Comments on “Another Victim Of The GDPR & CCPA: Security Researchers No Longer Can Get Anonymous Access To Internet Attack Data”
Did I misunderstand the use of the word “Public” in Public IP Address? Kinda like your street address (way more personally identifiable) is actually a “Public” Street address?
I insist under GDPR that my address, and the street view, and any satellite imagery, or mapping data immediately be protected cause…. reasons?
Because if they don’t jump fast enough I can get big bucks!
Considering that some courts seem to believe that an IP address alone can prove a crime, this sort of crazy thinking makes sense.
They seem to have no problem with cookies & things telling companies you were searching for a rapid HIV test location, but if they DARE to mention your IP address it’s a huge crime.
It’s like they found this one stupid place where they think they are doing good, but all they are doing is making all of their plans look like they were made by idiots. Of course, tell them this is stupid and you are just in the pocket of big tech, stealing everyday people’s information to underpants-gnome profit from somehow.
Get IP address
Unless they can show how a list of IP addresses are making someone wealthy, perhaps we should tell them to stop talking out their asses.
More concerning than IPs should be the number of companies gathering and linking emails, advertising cookies, Fb accounts, Apple IDs, Google IDs, cell numbers… combining that data is way more harmful to people than knowing their last 5 IP addresses. But hey, it’s all spelled out, even if there isn’t an actual list of who all ends up with access to the gathered data, or how poorly it’s anonymized, or what other friends they can share the data with, getting a better profile at each stop on the line, combining all the bread crumbs into the ultimate marketing bonanza!!!
I mean, it’s not like I’ve purchased an item from Amazon only to have Amazon then offer me 15 different listings of the exact same item that you might buy 2 of in a lifetime.