GDPR, IP Addresses, and Cloud-Based Security – Who is Profiling Your Web Traffic?

Max Pritchard

In Fujitsu’s global survey of consumer attitudes, 88% of people say they are worried about who has access to their data. It seems that you are not alone in your concerns about data privacy. With the inexorable rise of cloud service adoption over recent years, cloud systems and eco-systems of numerous cloud service providers are proving notoriously hard to secure.

How visible is your IP address in the cloud?
How visible is your IP address in the cloud?

According to the latest report by Netskope, the average enterprise in EMEA is using over 600 cloud applications. These service providers and the contracts they sign with customers must be compliant with GDPR to ensure the protection of their data. Netskope stated that most companies underestimate the number of cloud applications in use by up to 90%. This demonstrates how important it is for businesses to be constantly aware of their use of the cloud. If any one of these apps is breached then company data could be compromised, for example in the Ticketmaster breach in June 2018.

What is GDPR?
GDPR stands for General Data Protection Regulation and is a set of rules governing what companies can and can’t do with someone’s personal data. The UK Data Protection Act (2018) is aligned with the EU GDPR. The regulation, which came into force in May 2018, has revolutionised what businesses must do to justify collecting and storing personal data as well as enabling access rights for data subjects. Meeting the requirements of the regulation has become crucial for organizations doing business in the EU and failure to comply could result in fines up to €20 million or 4% of global annual turnover.

The emergence of the EU GDPR has prompted regulatory changes across the world, most of them with the objective of better protecting individual privacy by placing additional onus on business to be able to demonstrate that they are living the mantra “we take the security of your data seriously.”

See our GDPR page to learn more.

So Who Can See You?

If we take, for example, the simple act of an individual browsing a web page.  Assuming you are not using a VPN, you type in some text into a search engine and hit return, then you pick a link and follow it.

When you visit a website your IP address, and other details, become available to your router, search engine provider and their affiliates, your ISP, the company you use (it may be your ISP) to implement your DNS resolution. Your page request goes through numerous third-party networks including content distribution providers, ISPs, network operators, and the hosting company – before it even reaches the owner’s website.

Most companies use third parties to design and operate their sites using third party engines and code. They embed code from social media companies, advertisers and extensions. A flurry of cookies is thrown at your browser to further track your movements and masses of data are squirreled away for further analysis, enrichment, and combining with existing datasets and sharing.

It’s easy to imagine that somewhere in the machinery of government, the act of you browsing a certain page is captured for future reference as well. Your device will remember what page you visited and when, and that’s stored locally – or might be shared with a computer maintenance service or log management application, or, mundanely, a company offering data backup services. When you dispose of the device, the ghost of that page visit might find itself in the hands of a waste disposal firm, a charity performing IT refurbishment or even a new owner.

Each page you look at might mean a dozen or more companies capturing an aspect of your digital footprint immediately, and then ripples out as the data is shared, lost, or moved from place to place.

IP Addresses and Personal Data

Due to an EU court ruling in 2016, an IP address counts as personal information. The reasoning is that, although IP addresses are often dynamic, shared, and indicate a device more than an individual, they can be (and are frequently) combined with other data sets to identify an individual. Like your postcode, date of birth, or the name of the town you call home, your IP address might represent a pivotal piece of data that allows two otherwise distinct datasets to be connected together. Advertising companies are playing a multi-billion pound global game of Guess Who with personal data and selling their expertise to any organization with money.

The rise of big data and machine learning techniques is making it increasingly easy for global businesses to pick out threads of identity from an ocean of data and build profiles of individuals – mainly for marketing purposes at the moment, but who knows maybe it will become an “information system that serves mankind” as the GDPR aspires to encourage.

Cloud Security Vendors

Alongside processing of IP addresses to “improve your web browsing experience”, the same data is used by cloud security vendors to decide whether your page request represents a threat to the website itself.  In data centres around the world, servers are processing IP addresses, comparing them to databases of “bad” addresses, devices compromised by malware, or direct hacking, and now spewing out DDoS attacks, web application attacks, spam, and other undesirable traffic. The shape, rapidity, and nature of the data are analysed and dissected in milliseconds. This is automatic profiling resulting in a decision to block or allow access to an information asset.

Cloud WAF, cloud DDoS mitigation, cloud bot management, cloud load balancing, and other infrastructure security services are quietly dropping (or slowing down) packets based on secret rules in an effort to protect the availability of information assets on the public network.

Cloud security for websites and GDPR

Under GDPR, using cloud security services to protect websites poses a problem in people’s data protection rights versus legitimate interest in information security.  Without cloud security platforms, potentially any malicious traffic could get through the security defences without being checked and could result in a breach of data. However, cloud security itself relies on automated processing of personal information and instant decision-making, often in jurisdictions outside of the EU.  How would you feel if your device was blacklisted and you were stopped from being able to access one or more of your 600 business applications? Who would you turn to?

When spam started to become a problem, services such as Spamhaus appeared with lists of e-mail domains and/or blocks of IP addresses that were known sources of spam. If someone’s domain or IP address of their mail server was blacklisted by Spamhaus (or some other spam list), then anyone using that list to filter e-mails would be blocked from receiving e-mails from legitimate users on that domain. Getting your domain removed from the list became a real problem.

You may also like: GDPR: Taking a Risk Based Approach to The Technological Measures Required to Protect Data

Network Security as Legitimate Interest

GDPR is quite specific that processing personal information for the purposes of information security is a legitimate interest. However, like all legitimate interests, the impact on the data subject, in this case the risk of being denied access to an information resource because of automated processing resulting in their web page request being blocked, needs to be balanced against that interest.  This may not be difficult to do, but as data controller, you may wish to have a conversation with your cloud security provider to ensure that they are in a good position with respect to the GDPR considerations of their services.

activereach solutions

In order to comply with GDPR it is imperative to use appropriate security solutions from partner companies that are conversant with some of the subtleties of dealing with personal information in the modern information security market.  This is particularly important for cloud security services, as hackers are continually finding new ways to infiltrate an organization or exfiltrate data from web and cloud systems. This is crucial for not only your own site but any third parties your business may use in protecting your own business and the data subjects that rely on you.

activereach scours the national and international markets looking for the most up-to-date and effective solutions for cloud security. We provide a high-quality service that allows your company to be better protected against the latest attacks.

activereach offers bespoke solutions in securing your cloud platform. For more information, please see our pages on public cloud security and cloud application security.