COVID-19 Cyber Threat Coalition and GDPR

[Notes:

1. This isn’t legal advice, but I hope it will reassure anyone considering supporting the COVID-19 Cyber Threat Coalition that the data protection risks should be very low;
2. This only covers the use of data for defending systems, networks, data and users; use for offense, including attribution and evidence, is covered by separate legislation, which varies much more between countries.
3. The US Department of Justice has a paper on precautions to take when gathering threat intelligence from “dark markets” and other criminal sources.]

I’ve recently been introduced to the work of the COVID-19 Cyber Threat Coalition (CTC). This is a global group of volunteers who have got together in response to criminals’ increasing use of fear of the virus as a way to propagate scams, ransomware and other malicious content. At a time when we are all worried about our own health and that of our friends, families and colleagues, it’s easy to see how an apparently authoritative email or website might tempt us to click on the wrong attachment or link.

The good news is that collecting data about such scams, analysing that data securely within a group of experts, and disseminating information to help protect all of us against them seems to be comfortably within the bounds of Europe’s General Data Protection Regulation (GDPR). A few years ago I wrote a peer-reviewed paper on how incident response fits into the GDPR’s provisions on protecting networks, systems, data and users. The framework described in that paper can be applied to CTC’s work.

When we are processing personal data (which may include some IP and email addresses) for the purpose of ensuring network and information security, Recital 49 of the GDPR directs us to look at the “legitimate interests” provisions in Article 6(1)(f). Those require a three-step test: is the purpose legitimate? Is the processing necessary to achieve that purpose? Does the risk that the processing will cause outweigh the benefit it might produce? In section 4.2 of the paper I set out key questions for assessing incident response activities against these requirements: here’s how COVID-19 CTC responds.

When addressing the legitimate interest:

• The potential or actual severity of the incident being prevented, detected or investigated: a joint advisory from the UK and US Governments on 8th April reports that COVID-19 is now the most common “hook” for scams masquerading as trusted government sources. These range from financially-motivated ransomware and phishing against individuals to espionage.
• How widely the [] activities will benefit others: results from CTC are made public, in formats that can be directly incorporated into existing software and network defences. With appropriate take-up of these resources, this can help to protect the majority of Internet users around the world.
• Whether the objectives and activities fall within the reasonable expectations of those whose data will be processed, for example whether they are recognised as legitimate by the law or community norms: processing of data about cyber-attacks in order to improve defences against them has been recognised as legitimate in European law since at least the 2009 revision of the ePrivacy Directive (see Recital 53), and as a positive requirement in Regulatory guidance (see first paragraph on p.6) since the 2016 GDPR.

When assessing the impact on individual rights:

• Whether the activity involves processing identifiers that might be linked to individuals, and how likely such linkage is: reports submitted to CTC may include identifiers that might be linked to recipients and victims of scams, such as their IP and email addresses. However the coalition has no interest (and, in most cases, no ability) to perform that linking or use that recipient data in any way. Support for victims of scams should be provided by their home networks and organisations, not by CTC. The identities of recipients in one organisation are irrelevant to protecting recipients in others, so such information should not be included in feeds published by CTC. IP, and possibly email, addresses used by attackers are likely to be included in the published feeds, but attackers design these to be hard to link to their origins, and even law enforcement agencies may be unable to do this. The likelihood of linkage is therefore near-zero for victims and, sadly, very low for attackers.
• How the processing can be separated from other functions of the organisation: CTC has no other function, and volunteers working to analyse data undertake not to use it for personal or organisational benefit.
• Whether information was collected in a way that included privacy safeguards: CTC receives information from voluntary donors, it does not collect its own. Donors are encouraged to use OTX feeds, which structure data to focus on fields whose defensive value is high and whose privacy impact is known.
• How widely information will be disclosed, and the interests of all recipients: information that can be used to defend against attacks is made public, other information is not disclosed at all. Recipients of information are expected to use it for defending against attacks, and it would have few other uses in any case.
• What safeguards – including pseudonymisation, encryption and computer, rather than human, inspection – can be used: CTC holds and analyses donated data within industry-standard secure cloud services; the scale and speed of processing required means that computer inspection, at least of raw data, is always preferred; data is published in formats suitable for automated ingestion into defensive systems so that no human inspection is required by recipients.

Applying the balancing test, it is clear that COVID-19 CTC’s activities can help mitigate a serious threat to a significant proportion of global Internet users. And both the CTC’s purpose, and how it carries it out, result in a very low risk to those users. Thus there should be little difficulty in justifying those activities as lawful under GDPR Article 6(1)(f).