Network Forensics Concerns Around GDPR


In cyber forensics there is a vast array of tools used throughout most investigations; however, not all jurisdictions allow, or even agree on, the use of some of them. This is mainly due to each region's view of its citizens' right to privacy.

Some of the tools and tactics used to collect evidence are therefore questionable and raise specific concerns in this respect.

During evidence collection there are many things to consider when the data being collected is transferred over a network.

If data is collected, held and transferred only within a single jurisdiction, then only that jurisdiction's laws apply, and there are no added complications around data in transit or data stored elsewhere.

However, if data is transferred from one jurisdiction to another, the case becomes much more complex: the data-protection laws of every affected jurisdiction must be considered and complied with. Under GDPR, for instance, transfers of personal data out of the European Union are restricted (Chapter V) unless an adequacy decision or appropriate safeguards are in place, which matters when evidence is shipped to an analyst or a lab abroad.

Personally Identifiable Information (PII) is data that can be traced back to a specific person and is personal to them: where they live, their name or their banking details, among many other things. GDPR uses the broader term "personal data" for any information relating to an identified or identifiable natural person (Article 4(1)).

The problem with PII is that it cannot be reliably stripped from other data by pattern matching alone. Masking is not simply a matter of replacing runs of digits or blanking out names, because identifying detail is often embedded in natural language.

For example, a record containing the text "if you go left around the bend and take a right at the red house and on the left next to the orange car you'll find my place" would not be picked up by pattern-based masking, yet it clearly discloses the home location of a particular individual.
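As an added illustration (not code from the original page), the following Python masks the structured PII shapes that masking tools usually target (a known name, a card number, an e-mail address, a phone number) and then runs the page's free-text example through the same masker: the structured record is fully masked, while the directions sentence passes through untouched and is only caught by a separate heuristic flag for human review. The sample records, the name list and the hint phrases are constructed for this example and are not real data.

```python
"""Pattern-based PII masking, and why it is not sufficient on its own.

Added example; not code from the original page. Sample records, the
known-name list and the hint phrases are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample records. The second one is the page's free-text example.
STRUCTURED_RECORD = (
    "Invoice for Jane Doe, card 4111 1111 1111 1111, "
    "contact jane.doe@example.com, tel 07700 900123"
)
FREE_TEXT_RECORD = (
    "if you go left around the bend and take a right at the red house and on "
    "the left next to the orange car you'll find my place"
)

# Names of known data subjects (assumed to come from the case file).
KNOWN_NAMES = ["Jane Doe"]

# Regular expressions for the PII shapes that masking usually targets.
# Order matters: card numbers are masked before the looser phone pattern,
# otherwise the phone pattern would eat part of the card number.
PATTERNS = [
    ("CARD", re.compile(r"\b(?:\d[ -]?){13,19}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"(?<!\w)\+?\d[\d -]{8,}\d(?!\w)")),
]

# Phrases that suggest a person or place is being described indirectly.
# Constructed heuristic list; real tooling would use NER and manual review.
INDIRECT_HINTS = (
    "my place", "my house", "where i live", "next door",
    "take a right", "take a left", "turn right", "turn left", "around the bend",
)


@dataclass
class MaskResult:
    text: str            # text after masking
    masked: List[str]    # labels of what was masked, in order of application
    needs_review: bool   # heuristic flag: residual text may still identify someone


def mask_pii(text: str) -> MaskResult:
    """Replace structured PII with placeholders and flag indirect descriptions.

    Returns the masked text, the labels that were substituted, and whether
    the residual text still needs a human reviewer because it reads like an
    indirect description of a person or a location.
    """
    masked: List[str] = []
    out = text
    for name in KNOWN_NAMES:
        if name in out:
            out = out.replace(name, "[NAME]")
            masked.append("NAME")
    for label, pattern in PATTERNS:
        out, count = pattern.subn(f"[{label}]", out)
        masked.extend([label] * count)
    lowered = out.lower()
    needs_review = any(hint in lowered for hint in INDIRECT_HINTS)
    return MaskResult(out, masked, needs_review)


if __name__ == "__main__":
    for record in (STRUCTURED_RECORD, FREE_TEXT_RECORD):
        result = mask_pii(record)
        print(result.text)
        print("  masked:", result.masked, "needs_review:", result.needs_review)
```

The masker leaves the free-text record byte-for-byte unchanged, which is the failure mode the paragraph describes; the review flag is a coarse safety net, and a real pipeline would route anything it catches to a human rather than treating the output as anonymised.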

Until recently, data protection was handled differently by each EU country, under national laws implementing the 1995 Data Protection Directive rather than a single, directly applicable regulation (Mcgacisk, 2018).

In the United Kingdom, an EU member state at the time of writing (2018), the General Data Protection Regulation (GDPR), adopted in 2016 and applicable from 25 May 2018, lays out the following three objectives in Article 1 (Intersoft, 2018):

  • It lays down rules relating to the protection of natural persons with regard to the processing of personal data, and rules relating to the free movement of personal data.
  • It protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.
  • The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

This has set a standard that organisations worldwide must follow when handling the personal data of people in the European Union, since GDPR applies to such processing regardless of where the organisation is established (Article 3), and a large portion of global data flows is affected to some degree.

Most online businesses and international websites have aligned with GDPR by adopting its rules from the date it became applicable, 25 May 2018 (ICO, 2018).

Processing personal data without a lawful basis (consent is only one of the six bases in Article 6) is unlawful under GDPR and attracts regulatory fines, and in the UK unlawfully obtaining personal data can also be a criminal offence under the Data Protection Act 2018. Cyber forensic investigators are not exempt: they need a documented lawful basis for the data they collect, must collect no more than the investigation requires (data minimisation), and must keep it no longer than necessary (storage limitation).

References

Mcgacisk, T. (2018) The Positive and Negative Implications of GDPR [Online] TimeDataSecurity.com, Available from: https://www.timedatasecurity.com/blogs/the-positive-and-negative-implications-of-gdpr (Accessed on 23rd September 2018)

Intersoft (2018) Art. 1 GDPR: Subject-matter and objectives [Online] GDPR-Info.eu, Available from: https://gdpr-info.eu/art-1-gdpr/ (Accessed on 23rd September 2018)

ICO (2018) Guide to the General Data Protection Regulation (GDPR) [Online] ICO.org.uk, Available from: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ (Accessed on 23rd September 2018)