The fields of online privacy and information security have been in a whirlwind of change these past few months. In addition to the headline-making controversy surrounding Facebook and Cambridge Analytica, tech firms around the world have been rushing to comply with the European Union’s General Data Protection Regulation (GDPR), perhaps the most far-reaching piece of data-protection legislation ever enacted.
If this seems like a lot to keep up with, don’t worry. Even experts have their work cut out for them dealing with these developments. Of course, for most people, there’s no need to delve into the details. An overview with some practical guidelines would be more useful—and that’s precisely what we have here.
Breaches and Blunders
Data privacy has become a hot topic, drawing widespread attention since the major data breaches of the past year, which included Equifax in 2017 and Under Armour in early 2018.
Alongside these high-profile cases, 2017 also saw a surge in cybercrime that affected more than 16 million victims. Card-not-present fraud (transactions made without the physical card) spiked by 81%. These crimes rely on the theft of various pieces of personal information: contact details, login credentials, and other personal details that can be used to guess passwords or reset accounts. That, in turn, has stoked fears about online privacy.
Things came to a head when it was revealed that the Facebook data of millions of users had been improperly obtained and used by the UK-based political consulting firm Cambridge Analytica. When it emerged that the data may have been used to influence the 2016 US presidential election, the platform’s founder, Mark Zuckerberg, was summoned to testify before Congress.
The European Way: GDPR
As tensions over online privacy rise, part of the solution may lie in a sweeping reform that has been some two years in the making: Europe’s GDPR. The regulation runs to roughly 100 pages and covers many provisions, including several that give users control over their own data. Companies must disclose how users’ information is collected, used and stored, and must give users simple ways to access, correct or permanently delete that information when they want to.
The regulation applies to any organisation that processes the personal data of people in the EU, regardless of where the organisation itself is based. Penalties for violations can reach 4% of a company’s global annual turnover (or €20 million, whichever is higher), which is a strong incentive to comply.
You might have noticed some changes already: Facebook has introduced a centralized Privacy Center, for example; Google has added settings to control what data is shared with certain products, such as Gmail and Docs.
One motivation behind the GDPR was to set a single, uniform standard for companies operating online in the EU, replacing a patchwork of national rules and streamlining compliance. If similar standards are adopted in other countries, it would be a boon for online businesses and a step forward for consumers’ privacy rights.
Vast and Vague: China’s Online Licenses
At the other end of the spectrum is China’s approach to online security. Any business that wants to operate online in the country already needs a specific license; China has now introduced new rules for present and prospective license holders.
Under the new rules, companies must store any data about, or acquired from, Chinese individuals on servers located within China. They must also obtain government clearance before transferring bulk data abroad.
These rules introduce considerable friction into systems that could once run seamlessly across borders. Perhaps more importantly, the regulations’ scope is broad and their terms are vague. There is little clarity on the criteria for proving that technology systems are “secure and controllable,” as China’s government requires, and companies judged wanting may be permanently blacklisted from the country.
This likely won’t have any direct effect on users outside China, but it will shape the environment of online privacy and information security over time. If Chinese technology companies continue to build up their influence, we may soon see an Internet steered by Asia and Europe rather than by the USA.
Crossing Borders: VPN Laws
Virtual private networks (VPNs) have long been a favored tool for users who want more control over their online experience. A VPN encrypts all traffic between a device and the VPN provider’s server, so the local network and the internet service provider see only encrypted data bound for that server. Websites and services, in turn, see the VPN server’s IP address rather than the user’s own, which makes users harder to track and lets them bypass geographic restrictions such as content blocked in specific countries. One caveat: the VPN provider itself can see the traffic that leaves its server, so the privacy gained depends on how much you trust that provider.
While VPN providers may not be directly affected by the new regulations, the use of VPNs is itself subject to rules that differ from country to country.
In China, for instance, the use of VPNs is strongly discouraged by the state, if not outright banned. The general public gets little access to them, though corporations are permitted to use VPNs to transmit business data securely, which is probably the only reason VPNs are tolerated there at all.
Other countries have rules of their own, particularly where media licensing and distribution are concerned. So while a VPN remains a good option for protecting your data in these turbulent times, check the relevant laws wherever you use one.