The revelation at DefCon 2017 in Las Vegas by two German researchers that it was easy to obtain and expose browsing data and reveal user habits, including a judge's taste in pornography, will come as little surprise to the world-wise. At the same time, the approach of the EU General Data Protection Regulation (GDPR) has prompted warnings that people should be watchful about data leaks through online search and translation tools.
What is more surprising is that some public figures and regulated professionals appear blind to the danger of revealing important information about their work, clients and personal lives, and to the potential breach of data protection rules that this entails.
The latest findings came from research presented at the DefCon conference by journalist Svea Eckert and data scientist Andreas Dewes. The pair set up a fake marketing company and used social engineering techniques to obtain the supposedly 'anonymous' browsing histories of millions of citizens in Germany.
Google Translate Vulnerability
By examining Google Translate URLs, which carry the full text of whatever was submitted for translation, the researchers even identified details of a live police investigation after matching one click-stream to a particular police detective. The case concerned a cyber-crime investigation, and the detective had been translating requests for assistance sent to foreign police forces.
New European Union rules that take effect next year under GDPR could see companies receiving heavy fines if they are found to have breached data protection law, for example by losing or unlawfully sharing personal information about citizens. The risk is not new: in July 2014, Don DePalma of Common Sense Advisory warned that free machine translation tools such as Google Translate can unintentionally cause a data leak.
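To make the leak concrete: a browser history or tracker click-stream records URLs, and a Google Translate URL embeds the submitted text either in the fragment (the older `#sl/tl/text` form) or in the `text=` query parameter. The script below is an added example, not code from the researchers or from Google; it walks a constructed sample click-stream and pulls out every translation query it contains. The sample URLs and timestamps are invented, and the two URL shapes are assumptions drawn from how the service has been observed to build its links, not from any Google documentation.

```python
"""Extract translation queries leaking through URL-level browsing history."""
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample click-stream (not real data). Each record is
# (timestamp, URL), the shape a browser-history export or a tracking
# extension's log would hold.
SAMPLE_HISTORY = [
    ("2017-07-28T09:12:03Z", "https://www.example-news.test/politics/article-1"),
    ("2017-07-28T09:14:41Z",
     "https://translate.google.com/#de/en/Wir%20bitten%20um%20Rechtshilfe%20im%20Fall%20Nr.%20123"),
    ("2017-07-28T09:20:10Z",
     "https://translate.google.com/?sl=de&tl=fr&text=Bitte%20%C3%BCbermitteln%20Sie%20die%20Logdateien&op=translate"),
    ("2017-07-28T09:25:00Z", "https://translate.google.com/"),
    ("2017-07-28T09:30:00Z", "https://mail.example.test/inbox"),
]

# Hostnames treated as Google Translate (assumption: extend for local TLDs).
TRANSLATE_HOSTS = {"translate.google.com", "translate.google.de"}


def extract_translate_query(url):
    """Return (source_lang, target_lang, text) if the URL carries a
    Google Translate query in a form we recognise, otherwise None.

    Two URL shapes are handled (assumed from observed links, not from
    any official documentation):
      fragment form:  https://translate.google.com/#<sl>/<tl>/<urlencoded text>
      query form:     https://translate.google.com/?sl=<sl>&tl=<tl>&text=<urlencoded text>
    """
    parts = urlsplit(url)
    if parts.hostname not in TRANSLATE_HOSTS:
        return None

    # Query-string form: ?sl=de&tl=fr&text=...  (parse_qs already URL-decodes)
    qs = parse_qs(parts.query)
    if qs.get("text") and qs["text"][0]:
        return (qs.get("sl", ["auto"])[0], qs.get("tl", ["?"])[0], qs["text"][0])

    # Fragment form: #de/en/urlencoded%20text. The fragment is never sent to
    # the web server, but it is stored in browser history and visible to any
    # extension or tracker that reads window.location, which is exactly where
    # the researchers' click-stream data came from.
    if parts.fragment:
        pieces = parts.fragment.split("/", 2)
        if len(pieces) == 3 and pieces[2]:
            return (pieces[0], pieces[1], unquote(pieces[2]))

    return None


def leaked_translations(history):
    """Walk a click-stream and collect every translation query it reveals."""
    found = []
    for ts, url in history:
        hit = extract_translate_query(url)
        if hit:
            found.append((ts,) + hit)
    return found


if __name__ == "__main__":
    for ts, sl, tl, text in leaked_translations(SAMPLE_HISTORY):
        print(f"{ts}  {sl}->{tl}: {text!r}")
```

Run against the sample, the script recovers both translated requests verbatim, including the case reference and the language pair; a bare visit to the translate front page yields nothing, which is the point: it is the URL content, not the site visit, that leaks.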
In June 2017, Sally Anne Poole, enforcement manager at the Information Commissioner's Office, warned that:
“If a company is subject to a cyber-attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
Citizens have a right to expect organizations to take care of the information they hold on them. That means having basic controls in place to prevent criminals getting in and stealing data, and avoiding situations in which staff unintentionally reveal sensitive information through email, online browsing and so on.
Organizations that regularly use free online tools to research customers or to translate information received from them should be careful about how much information they are exposing, and about whether the customer's explicit consent is required to process the data in this way. David Clarke, former head of the National Fraud Intelligence Bureau, urges regulated professionals to be especially cautious online and to have an effective information security management system in place that complies with the prevailing standard, ISO 27001:2013.
Before using free online search tools, professionals should always ask themselves whether they and their client would be comfortable if the information became publicly available. As the researcher Svea Eckert put it at DefCon 2017: "What would you think if somebody showed up at your door saying: 'Hey, I have your complete browsing history – every day, every hour, every minute, every click you did on the web for the last month'?"