The theme of this week’s conference of the Forum of Incident Response and Security Teams (FIRST) is “Sharing to Win”. Perhaps inevitably, I’ve had a number of people (and not just Europeans) tell me that privacy law prevents them sharing information that would help others detect and recover from computer security incidents. If that’s right, then those laws are working directly against the privacy they are supposed to be protecting.
If a computer or account has been taken over by someone else, then the legitimate user has a serious and growing privacy problem. Telling someone (usually via their ISP or incident response team) that they have a privacy problem will help them fix it. If the computer or account is being used to attack others then sharing information that’s needed to defend against those attacks will reduce the number of people whose privacy is breached in future.
Not only does incident response protect privacy, the information that needs to be shared to achieve this benefit normally represents at most a minor intrusion into privacy. IP addresses are the most commonly needed information. The issuing ISP will often be able to link an IP address to the individual account holder, but it is also the organisation best placed to remedy that individual’s privacy problem. Other incident response teams are unlikely to be able to link an IP address to an individual, but they can use it to protect others from being dragged into the expanding privacy breach. In each case the benefit to privacy seems much greater than the risk. Account numbers or user names may be slightly more revealing than IP addresses, but again the benefits of sharing within a community that can be trusted not to misuse them should far outweigh any privacy harm.
European privacy law recognises this kind of balance. Article 8 of the European Convention on Human Rights grants every individual a right to respect for their private life and correspondence, but permits interference with that right where it is necessary to protect the rights (including the Article 8 right) of others. European data protection law (Article 7(f) of the Data Protection Directive) also permits processing personal data that is necessary in the legitimate interests of the controller or a third party, provided those interests are not overridden by the fundamental rights and interests of the individual. The vital work of Computer Emergency Response Teams (CERTs) in “preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems” is highlighted as such a legitimate interest in recital 39 of the draft Data Protection Regulation.
When a credit card number is stolen, it’s routine to let the issuing bank know to stop the owner’s financial losses; stolen card numbers are also routinely shared with merchants to protect them against future losses. The overwhelming benefit of that sharing doesn’t seem to be questioned. If the Internet is going to remain a relatively safe place to conduct our business and social lives – in private to the extent that we choose – then we need to get the same routine recognition by regulators, CERTs and individuals that sharing incident information among trusted CERTs is one of the best and most important privacy-protecting tools we have.