Up next is probably an irreverent overview of GDPR by Brendan O'Connor. Give it up, have a great time.

Whitney Merrill tweeted out in early June, just before the CFP closed, "You know what I really want? I really want somebody to submit a history of the GDPR, totally through memes." And I'm lucky at work: I work in security, but I don't have to do GDPR in day-to-day work. I do a lot of GDPR, but the overall responsibility isn't mine, which means I'm less burned out and better than, say, most of your lawyers. But Whitney tweeted she wanted this, and I'm like, I immediately volunteer as tribute. The intent of this talk is to be contentful, but not to let content get in the way of having a good time. Audience participation is mandatory. I need all of you to volunteer to laugh at at least 3% of the jokes. You can all choose your own 3%; don't all choose the same one. If you don't, we're going to have a very sad time. If it helps, please feel free to have a drink. It is 5 o'clock on the east coast.

We're going to cover in this presentation why the GDPR exists, why some people are freaked out about it, why to be concerned and/or unconcerned, and whether kittens or puppies make the better reference animal for GDPR compliance memes.

Three takeaways from this talk. First, the GDPR establishes a new overarching umbrella privacy law that protects personal information from exploitation without your effective and affirmative consent, and it has no holes except for the holes that occasionally let it tail out. Secondly, the GDPR is rooted in understanding that human rights, including privacy, are centered around actually being a human being, which is an issue we've had in the United States recently. They're not negotiable based on who has the data, again unlike the United States, and they cannot be waived in a way that prevents you from un-waiving them in the future.
Finally, the GDPR provides a valuable opportunity for businesses, both in the European Union and here in the United States, to clean up their acts, to fix insane levels of technical debt, and to prove to their customers that they're worth doing business with. Ignoring the GDPR is not an option, and U.S. businesses who do so will be punished severely. And as I stated in my abstract: relax, it's all going to be fine. Probably. Just remember not to put the fidget spinner in your mouth. This is an actual government agency. This is real. I don't know why this is real, but this is 2018, so I guess that's why.

So hi, I'm Brendan O'Connor. Depending on who you ask, I'm either a shitty hacker, a really shitty lawyer, a worthless person who doesn't do real security (thank you, red teamers), or just the guy who wears black t-shirts every single day at the office. My favorite description of my job by a former co-worker was "he's not the lawyer we need, he's the lawyer we deserve," which I thought was super cool until I realized he did not mean that as a compliment. My day job in the past has been as a security and privacy consultant, but these days I'm in-house. So, speaking of that, a note: none of the following is me speaking on behalf of my employer, nor is it representative of the extremely serious approach we have at [insert name of employer] to protecting the privacy and security rights of all of our users. As a side note, we're currently hiring a metric ton of web developers, dev managers and PMs, so if that sounds like something you'd like to do and you'd like to work in a fun, dynamic web company that is growing like gangbusters in Seattle, come talk to me after the talk. Also a disclaimer: I am a lawyer, I am not your lawyer, I am also not a European lawyer, and none of the following is legal advice. It may not even be a good idea, let alone right.
If you go to Vegas and do shots and then sit in the conference facility and get legal advice, you clearly have more fun lawyers than me and you deserve exactly the advice you get. Finally, a content warning: the following talk may contain references to international law, naughty language, and an implication that at least the president of one country sucks a whole lot.

So let's talk about the prologue to the GDPR: harbors of safety and/or evil. I want to start by taking you back to the beginning of time. Unfortunately, the last time I, as a computer science major, took a history class was 1999, so there are slight gaps in my knowledge of Europe. There used to be two great powers in the world. First there is the United States, defender of freedom and bastion of democracy. There was also the Soviet Union, builder of curtains made of iron. I don't quite understand why their curtains were made of iron; I don't know if they didn't like tulle or what the hell the deal was, but it was a different time in the 80s. So then a Republican went to Germany and yelled at a wall, and apparently that just solved everything, which is super cool. The wall was torn down, the Soviet Union collapsed and embraced capitalism and election tampering, just like the United States has always done. So we won, America is awesome, freedom wins the day, right? The story is over, our laws are the laws all over, and we never have to worry about anyone again. Unfortunately, out of the shadow of the Soviet Union another union began to take shape, one in which each year countries would come together and have a dance party, and I don't know why, and if you've watched Eurovision you know that it is completely inexplicable. The singing part was fine, but in the European Union they also got this weird idea that they could have their own thoughts about what their rights should be.
So even though we wrote half their constitutions for them, they're like, "maybe having a constitution written by the Rockefellers is weird and we shouldn't do that." They wanted to have their own laws that embraced fancy European concepts like human rights or privacy. The United States, of course, only embraced privacy as part of a penumbra, and a penumbra is a very fancy legal term, it's like a lot of legal Latin, and in this case "penumbra of privacy" means "lol, no privacy for you," according to the US Supreme Court. Fast forward to 1995 (I said this was a somewhat gap-filled history of Europe), when Europe created a law star called the Data Protection Directive. Now, it's a law star because Europe does some things that are laws and they do some things that are kind of like extremely stringent guidelines written by the Germans. This is one of the latter. So it's technically not a law. The Data Protection Directive is a directive by the European Council, which is the heads of state of Europe, to all of the member states of Europe saying, "you will write a law with the following clauses in it." I don't know why they do that. It's boring European internal politics, but TL;DR there's this thing, which everyone refers to as the Data Protection Directive, that's kind of like a law, but it's a law to make a law. It's like a Java factory factory factory. So this is weird to Americans. The only time we do this weirdly is for drunk driving laws. We don't say you have to have a drunk driving law at this level. We just say we're going to take away all of your highway funding until your drunk driving law drops to this level. So that's the only time we do that in the United States; other than that, we just have laws. But the gist of it was this: we're going to have some rules around data privacy for Europeans, and if you have data on Europeans, you have to follow European laws, including EU human rights laws like the right to privacy.
Critically, if you take data out of the European Union, for instance if you send it to the cloud, you have to handle it according to European laws anyway. And some countries like Canada were determined to have laws with protections equivalent to EU laws, because I definitely think that reliable Canadian privacy laws are a good thing. So you can send European data to Canada under this Data Protection Directive, no problem. But for other countries the EU sets up new treaties called Safe Harbor. And it's funny, because you'd think that because the treaty is concluded in English, both sides of the Atlantic would spell it the same way. But seriously, never. They never one time agreed, for the 23 years this law existed, on how to spell Safe Harbor on either side. Both sides always fought with each other; it was kind of weird. And in the United States, Safe Harbor was very simple. It let companies self-certify that they absolutely promised they would uphold EU laws. It requires an annual self-certification that takes about three minutes. You just say "I solemnly swear I'm up to no good" and then you're done. Unfortunately, there's a reason IOActive is on this slide. The Federal Trade Commission a couple years ago had to sue IOActive, because IOActive had been lying for years about having actually filled out the one-page form to do this. And it was just embarrassing. You know the FTC's critical enforcement methodology by which they figured this out? They did a Google reverse image search on the Safe Harbor logo, got a list of companies, and then they just sued all the ones that were lying. So, good security, IOActive, I really trust you on your compliance metrics. The other problem with Safe Harbor is it turns out that there's some secret government agency, I think it was NASA or something close to that, that was using Safe Harbor certified companies to spy on the whole world. So then an angry young Austrian came up with a plan to bend Europe to his will. Wait, not that angry young Austrian.
A different angry young Austrian, one who's not the one you're all thinking of. His name is Max Schrems. He was an Austrian law student when he decided to go have a beer in Ireland and sue Facebook. Close. What he actually did is he went and had a beer in Ireland and then sued the Irish Data Protection Commissioner, because remember how all those member states got to have their own laws? That meant that you didn't ask Europe to fix something; you'd ask whatever country was holding the data. And as everybody knows, all the cool American companies have data centers in Ireland, and so Max Schrems was like, "hey, so Facebook is habitually lying to us about Safe Harbor. Maybe I should do something about that." Ireland is like, "40% of our GDP is basically dank memes at this point, so I think we should probably not do that." And he said, "yeah, that's not on the list of options. Like, I realize this is Ireland, but even here, it's not like optional to have laws." So Ireland is like, "cool story, we're not going to decide this." Ireland never actually ruled on this. They just kicked it up to the European Court of Justice, which promptly blew up Safe Harbor in this like 100-page opinion that could be summarized as "yeah, fuck the NSA." The judge wrote that Facebook was obviously in league with the NSA, that it was obviously therefore lying on Safe Harbor, and that therefore the United States was negotiating in bad faith as a matter of international law, and therefore Safe Harbor was worthless. The treaty is invalid and could not continue. Neato. That was totally fine. That was 2015, at which point every U.S. company said simultaneously, "oh shit." Now it happens. Well, this thing happened, and it's the interregnum period. It's called Privacy Shield. After the fall of Safe Harbor, the United... yo, yeah. No. This is not even a joke. This is the actual logo off the State Department's website. And it's just like, it describes it perfectly, right?
It perfectly describes the sanity, composition, and coherence of the program itself. Under Privacy Shield (now stop me if you've heard this one before), United States businesses fill in an annual self-certification by which they promise to respect European laws, right. And it's like, straight up, the pitch was "we won't fuck you again." And Germany just straight up went apeshit. So Germany is slightly weird, like, besides the whole being German thing. They're weird in that instead of having one Information Privacy Commissioner for Germany, they have one for each German Land, which is the rough equivalent of a state. So 27 Germans went to the European Council and said, "ah ah, we're not doing this shit again." And then there was a whole fight, and the fight is important and it's interesting and there's details around how Privacy Shield works, and none of this is relevant, because the European Court of Justice is about to invalidate Privacy Shield because Facebook. So like, we could go into this, but straight up, unless you already know about Privacy Shield and its implications, it's no longer worth your time to learn about Privacy Shield and its implications. Let's just move straight on.

While I'm pointing out the dumb shit the United States is doing, which is our thing, as you can see, you can get in a drunken fight with a buffalo in Yellowstone National Park. I grew up near Yellowstone National Park. This is not an uncommon story. So I'd be remiss if, among other stupid shit we do, I didn't mention US v. Microsoft. Now the older nerds in the room are going, "I remember this one. Billy G had to testify." This is not that case. So the new US v. Microsoft was where the Federal Bureau of Investigation, you know, the feds we all like to spot, tried to obtain data held by Microsoft in Europe while violating European law, because I guess America, freedom, Brawndo, eagles.
The European Commission straight up said, "if Microsoft turns over this data in violation of our law, we're banning Microsoft from Europe. Like, we're not even going to have windows anymore, all windows are going to be papered over, it's not even okay. You can no longer see out of buildings." And the FBI said, "well, terrorism," and it turned out the FBI lied. Who knew, right? This was a drug case. This was related to a Silk Road drug case. We know the guy they were trying to subpoena. And yes, the FBI lied. I'm so amazed. So the FBI said, straight up, "we're going to hold Satya Nadella in contempt," and I don't think he's going to do well in jail. And the entire thing was fought to the US Supreme Court as a full court press to overturn the concept of separate countries having equal sovereignty. And that's important under international law, because the time we came up with this was because we were tired of the Thirty Years' War and the Eighty Years' War simultaneously raging over Europe, for, you know, I mean, for 30 years of that anyway. And so the way that we fixed this was we said, okay, within your country the king is the king. Outside the king's country, the king is just some dude with a fancy hat. This is called the Peace of Westphalia of 1548. And like, if we're going to restart the Peace of Westphalia, I for one am on team Habsburg, because I think being able to be the Holy Roman Emperor would be kind of cool. And so, straight up, you guys are like, "yeah, international law is bullshit because 'Murica." So this case was originally called, the name that just rolls right off the tongue, In re a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corporation, because calling it "A Warrant to Fuck the Irish" was apparently not on the list of Supreme Court dockets. And it got followed at the US Supreme Court, where it's called US v. Microsoft 2. And then, unfortunately, it all came crashing down. Really, really badly. Boo!
That's exactly it. Before we got to learn if the Notorious RBG was going to vote to go to war against the Holy Roman Empire, the United States Congress passed a thing. Unfortunately, it wasn't like health care or sanity or anything. It was called the US CLOUD Act, which just straight up says the United States is going to ignore everyone else's laws with regard to electronic data storage forever. The CLOUD Act is so obviously and wantonly a violation of international law and the core concept of separate sovereignty that it's just boring to hear me rant on this, so we're going to move quickly along. I'm going to summarize this entirely as: when Canada invades us to bring an end to our rogue statery, this will be one of the charges levied.

So let's talk about the GDPR. At long last. This is the standard model in most US companies of how the GDPR works: oh my god, it's coming out of nowhere, it's a dog in the air, hide your lawyers and hide your children. This is like, we're bad at stuff. Like, the general US business approach to regulation, like any regulation, is just to ignore it until all hell breaks loose, and like, that was part of the problem, it's just our thing. But also, like, it's Europe, right? Like, do we care? They're like America's dorky younger brother. They have weird stuff there, like blue cheese and human rights and not having child soldiers. Like, why would we even care? Don't they know this is America, where even our diplomats can't find the Geneva Conventions on a map, and even if they do they assume it's part of a trade show? But like, you know what? The EU, straight up, post-Schrems, post-NSA revelations from Chelsea Manning, post having to fight with Microsoft all the way to the US Supreme Court to say that we're a big boy country and get to have laws, the EU is not up for our shit. So the US screamed in diplomatic negotiations, saying, "we're absolutely... we can't do this, horrible things will happen," and like that cat over there, the EU is just like, "yeah, I'm just going to walk away," and
in reality, even without Chelsea Manning, Max Schrems, and Orange Julius Caesar in the White House, this has been a long time coming. Like, we like to think of this as the thing that just happened, like it's a part of a post-Trump reality, partially because, among other things, Angela Merkel is still really pissed about how we tapped her cell phone, and so she's been very much like, "yeah, we're not giving this shit to Ransettville Vita man." But it's actually been happening since 1995, the original work to start building a stronger version of the Data Protection Directive. The original GDPR draft was passed as a European Commission proposal in January of 2012, so we've had that much notice that this was going to happen. So if your company first mentioned the GDPR internally in April 2018, fire your lawyers. If your company first actually did something about the GDPR and had previously known about it but ignored it, fire your management chain; they had every warning about this. Now, those of you who've been working on this shit for the last six months continuously will go, "no, we didn't have enough time." You had two years; that's enough. It's like, the law's the law.

So let's talk about what the GDPR actually does, right, because the American perspective is like, "it kills our freedoms." That's not entirely true. It just kills like a couple of freedoms, and they're unimportant freedoms. So we're going to go through the articles. I'm not going to go through every article; there's like 92 in the GDPR, it's not that important. I am going to give you the numbers of the important articles, because you're going to hear these numbers repeatedly, kind of like how Americans just say "the First Amendment" when what we mean is "I don't understand what Twitter is." Like, we just say "an Article 17 notice" when what we mean is "give me all your shit and then delete it." So we all give you the numbers. Article 15 is called the right of access, and it's very simple: give me all the information you have on me, and as
part of that, as part of the request for all the information that a company is storing on you, you also have to give them how long you're going to keep it, for every single individual piece of data, what your justification is to hold on to the data and your justification for having collected it in the first place, and where you got all of it. So if you're Facebook, for instance, and you're collecting data from the Facebook website, and you're also collecting data from a ton of people just sending you data because Facebook's super cool, lol, you have to actually put out exactly which person gave you exactly which piece of data that's tied or identifiable to an individual. And it's not just like identifying information, which is an American concept; this is much more like the HIPAA concept: if it could be linked to a human, then you have to link it and you have to disclose it. This is actually not that hard, unless you're one of those "data is the new oil" companies, in which case it feels a lot more like this, right?

Let's talk about Article 16. Article 16 is the right of rectification, and 'Murica is like, "that sounds naughty," but it's not. This is pretty straightforward: if your data is wrong or your data isn't complete, you have to fix it. It's easier to think of why this would matter, like, I don't care if Rapid7 has the wrong data about me; I probably gave it to them to get into a party. But it makes more sense when you think of private corporations providing government services, or just government services directly. And like, for instance, in the United Kingdom right now, they basically hollowed out their government, because they live in an Ayn Randian fantasy, and so now major corporations provide the equivalent of welfare or social security. And so if they're saying, "well, you obviously can't have social security because you're clearly a 12-year-old boy," and you're not a 12-year-old boy, then they have to fix it, and then they have to actually address it, like, give you back the
services they took away. That's all Article 16 says. For Rapid7, like, I could demand that Rapid7 have my real email address, but that would be a dumb thing to demand.

Article 17 is the right to be forgotten, and now there's a lot of harsh reactions to the right to be forgotten in the United States, and so before y'all start yelling "freedom, 'Murica, eagle, First Amendment, guns, Brawndo," I want you all to understand what this really is. In most cases the right to be forgotten really means, "hey company, I don't want to do business with you anymore, delete the data you have on me and stop emailing me for 10 years." So for those of you who once signed up for a party at Black Hat, this will be your friend. But it applies to a lot of things. It's true that there's also a right to deletion in public databases. The process is the same, but there is a list of balancing effects. There's actually a lot of interesting case law, because this is not new to the GDPR; this has been around for a while. And to be honest, most of the time this is not a controversial decision. So let's say someone uploads an embarrassing photo of you to a public forum, or a newspaper takes a photo of you and uses it with a funny caption. This actually happened. It wasn't HOPE, it was a conference less fraught than HOPE, but a couple months ago a newspaper took a photo, just a normal stock photo, like the chill-out lounge equivalent, of four or five hackers that happened to be men, and then used them as the headline and caption, you know, "security conference repeatedly harasses women." And these five hackers had not harassed anyone and were like, "excuse me, what the hell? We know who the harassers are; take a photo of them, don't use me as their face." This is a good example of when you'd actually want a right to be forgotten. Or this woman. This woman is now not 12, and she's a nurse in Phoenix, and she is tired of random people stopping her in the street to say, "oh my god, you're the Ermahgerd girl." So she could file a request to have it removed.
Unfortunately, it's really hard to get it removed from, like, each hand, but she can file a right-to-be-forgotten request. Every photo: remove it, it serves no purpose of legitimate public interest anymore, and this meme would still be funny, it would just look like this now, and like, it would no longer serve to annoy a nurse in Phoenix who has a right to privacy and a right to having a quiet life. So free speech absolutists will undoubtedly first try to sell you bitcoin and then say, "freedom requires that I be able to say anything about anyone forever," and then they'll say something about the Holocaust on HN, because it seems to be one group these days. Like, I'm familiar with the free speech absolutist argument. I'm familiar with the argument that, like, this data is of public interest forever; didn't you hear about the one German doctor who killed people? And like, yeah, I know the German doctor story. But here's how this actually works in practice. In Wisconsin, a system allows any person, for any reason, to access any court record that has not been specifically sealed, like a child custody case, which will always be specifically sealed. This means that arrest records, charges, convictions, lawsuits, most of a divorce, all of that is there. And when you log into the system, it has a note warning you that it's illegal to discriminate against someone for anything other than an actual criminal conviction related to the purpose for which you're screening them. And what actually happens is that anyone who's ever had a messy divorce, every landlord, every coworker, everyone knows about it, even if it was 40 years ago, because there's a right of access and there's no way to get this removed. So sure, can it serve a public interest? Absolutely. Is it good? Well, no, it's not. It's not good that you can't get an apartment if you were once arrested for having weed in the 1960s, when as far as I can tell everyone had weed. And it's illegal, but it's extremely hard to prove; there's no logs of this. And Wisconsin has done this as a government
service, but there are hundreds of websites like floridamanmugshots.com where you can go to get mug shots of people who were arrested, and even if they were arrested illegally, you have to pay them ten thousand dollars to remove it. It's just another extortion scam. So it's not unreasonable to say, hey, maybe we shouldn't do this. Europe didn't make a crazy decision here to say that spent criminal convictions, people who are out of probation, and salacious rumors from twenty years ago were things that had to be removed. They took two rights the United States also has, free speech and privacy (the United States, of course, is always free speech and then privacy, right, that's always the way it works, which is not great), and they said, you know what, privacy, and not incidentally criminal rehabilitation, which is what we always say we want, comes first, then free speech, also very important, just not the very tippy-top thing. The United States has decided the other way around, and of course guns way up there, not least because we do love our Puritanism, so it's always good to say, "well, one time in the past you sinned, so forever you shall be marked with the mark of Cain," which for some reason also comes with an ad to reduce your belly fat. Europe's not necessarily wrong; they just came to a different conclusion. And back when we still had conversations with people, this would be an interesting thing on which two cultures could dialogue.

Moving on. Article 18, the right to restriction of processing. This is a weird one, but essentially it comes down to either when someone has contested the accuracy of data, which, like we talked about before, or just contested the holding of data: they said "delete my data" and you said "lol, no," and then they're about to sue you. You don't get to delete it in the meantime; you also don't get to process on it. So basically, while there's a court case ongoing or about to be a court case, you don't get to use this to build your ML models, Facebook; you don't get to use it to send
emails to spam people, Rapid7; you just have to hang on to it. And nerds, there's also Article 19, which says the same thing as Article 18 but for all of your trusted marketing partners. Those of you who've worked in the compliance space, who have recently done vendor onboarding in any company of more than about 10 people, might have heard of a thing called a GDPR DPA, or data processing addendum. The biggest part of a DPA, for those of you who work in the HIPAA compliance space, is very similar to a BAA, but not as broad. The DPA mostly says this: it says if we tell you to delete the data, delete the damn data. Which is really interesting for data brokers, which become essentially illegal under this.

Article 20 is the right to data portability. This is very simple. It says give me the data in a format that I can actually work with. If you're one of those companies that says, "no, our memes are too dank, we can't allow anyone to leave," and so your response to this is saying, "we'll give you all your tweets, but like, as a huge PDF and not a machine-readable format," that's just illegal now. It was always a shitty thing to do, but now it's just illegal.

Article 21 is awesome, though. It's the right to object. So if you tell companies to stop using your data to send you direct marketing, Rapid7, they have to actually stop. If you tell them to stop using your data to build lookalike audiences, Facebook, and then send those lookalikes direct messages, they have to stop. It's almost like Europe decided, "well, fine, if corporations are people, then corporations need to stop bad-touching you in the data, and no means no, Facebook."

Finally, Article 22, the twilight of the algorithms. This is this hilariously liberal-seeming rule that'll be familiar to those of you who do machine learning. It says you get to object to fully automated decision-making based upon your data. And a good example of this in the United States is the COMPAS system. How many of you have heard of COMPAS in the criminal justice context? One, two
people, okay. For the rest of you, COMPAS is an amazing system. They took court records from like a hundred thousand people, and, you know, rehabilitation outcomes and demographic data, and then they made a huge big-data machine learning model, and they sold it to the courts saying, "hey, we're going to make your sentencing data-driven. So if you have a low-risk offender, then they'll get a low sentence, and you don't have to do all the calculation yourself; you can just feed it into the COMPAS system." This is not inherently a terrible idea. However, what they actually did is they made a system that says if you're black, you go to jail forever. Straight up, like there's nothing that can test this in the world. Wisconsin, Georgia, Florida, a bunch of states use this system, and it's the most racist thing in the world. So the right to objection to automated decision-making says, not that we have to not be racist, unfortunately, but it says that we can't blame the computer. So it means two things. One, you have a right to a human in the loop for the decision-making, so you can't just say, "oh, it's just the computer"; a human has to actually be an involved part of it, running on established criteria. But secondly, and this is the part that will annoy ML people, you have to be able to provide an actual explanation for what inputs and what outputs the machine learning model actually used, and how it weights those and how it calculates those. You can't just say, "well, I don't know what it does, I fed it your photo and it said 50 years, isn't that amazing?" which is the traditional machine learning "we don't understand how it works." So under the GDPR, if you don't understand how it works, cut it out.

So let's talk about corporate responsibilities under the GDPR. There's a lot of corporate responsibilities, but many of them can be summarized as: you have to actually take care with data. It's not good enough to go "nobody's going to notice" or "nobody's ever going to find that hole that I just found with
Nessus, no one's ever going to do that." You don't have to create the greatest security ever given to data, but you do actually have to do the work.

Article 30 is records of processing, which is super cool. It says that when you send data to people, you have to write down that you sent the data to people. "I'm like, oh my god, we have 348 advertising networks, how will we ever do this?" Stop. Stop having 348 advertising networks. Seriously, it's okay, you can do it, just use Facebook, I guess. "And yeah, why do you have to do this?" It's so that people can sue you. "We don't want to be sued." Yeah, well, the fines if you don't do this are much worse than people suing you, so you just have to do this. You write down: this is the data we sent, this is who we sent it to, and this is why we think that that's legal. Ideally, the answer to number three should be "because we had actual affirmative consent from the user, who double opted in to share our data with our trusted marketing partners." If that's not your answer, you're in a lot of trouble, so good luck. And yeah, is this really hard? I mean, like, it could be, but in fact we've been doing the same thing in other spaces for a really long time. We call it supply chain security, and if you want to have a really good overview of supply chain security, go tomorrow to ShmooCon and talk to the ShmooCon leaders at the Fire Talks about how the Orthodox Union has been doing kosher supervision for like 600 years. It's not that complicated. We know if you killed the cow correctly; we can also figure out if you sent the data to a marketer, right?

The next article is security of processing, which means you have to have an actual security program. And if you'll indulge me, I will rant for a moment about our dear brethren on the red team in the security community. We hear an awful lot about technical security on both attack and defense, things like Rowhammer and Meltdown and Spectre, incredible, brilliant proofs that our assumptions are open to challenge. Travis Goodspeed's packet-in-
packet work proves that when you live with a metaphor like the OSI model you die by the OSI model and on the defense side we have sexy defense tech right like Leviathan's low tan crash of analysis the brother since TLS hugs which is an amazing talk that's all in technical error for some reason and the cyber ITL's security property labeling this is all wonderful work and provides a lot of hope for the future but sexy offense and sexy technical defense are one part of the puzzle and the compliance people and how many compliance people in the room there's like a compliance people in the room and you're all crunchy and that's fine we're the like like I don't want to say we're the only actual security people but here's the deal in medicine you know what saves like a bunch of lives things like brain surgeons or things like cool new gene therapy they take untreatable things and make them treatable things you know what these billions of lives sewers and hand-washing and mosquito nets the big public health things not the sexy things working on sewers is not thought of as a way to save millions of lives but it does you know what's the sewers and hand-washing stuff information security management programs do you have a firewall is it on your shelf or is it plugged in because I've seen that happen do you have an explanation for why you have inbound ports open because you have a firewall and it's set to any any law then it doesn't help do you have backups true story when I've worked as an information security management program consultant which is basically means I come in and say show me the backups I once talked to a client that said yes we have backups of this incredibly expensive thing I'm like cool you show me the logs no why well it hasn't run for a while how long would that be since we installed it why is that we're waiting for the software to allow us to do the backup how long you've been waiting two and a half years okay so you realize that your entire company ceases 
to exist if this data center floor falls in, right? And below us there's a gym, so if somebody hits the ceiling with a barbell, your company ceases to exist. They're like, that's not in our threat model. I'm like, okay, your threat model sucks too. So you don't have firewalls and backups until you know that you have them, and then you've checked them, and then collected the proof that you do these things repeatedly, every time. Otherwise it's a pointless waste of money to buy things like Cylance. It's actually a pointless waste of money to buy Cylance anyway, but it's especially a pointless waste of money to spend a hundred thousand dollars a year on tech you don't understand until you know that you have business rules around your firewall, for God's sake. So doing your job the right way every day and taking pride in it is the sexy defense thing. So all of you who work on blue team and occasionally have to do boring backup log checking: you are the actual heroes, and to hell with the red teamers who say that compliance kills companies. Your ego does not help security and your bigotry is just annoying. So after Article 32, if you build an information security management program, you have to actually test it: if the straps were holding your Humvee to your parachute, boom. Look, that's a real video, by the way; we bombed Germany with Humvees about three years ago, accidentally.

So GDPR isn't HIPAA, so GDPR data security requirements aren't as specific as saying do X and Y and Z, but it does say you should look at things like encryption, data pseudonymization, confidentiality, integrity, availability, testing, testing your control frameworks, and the specific risks that you, yes you, Mr. Corporation, pose to the human rights of the people whose data you're testing, whose data you're holding, excuse me. Because let's face it, if you screw up and I get doxxed, I don't care whether this was from, like, a car wash or whether this was Equifax again or what it is. All data storage is considered an actual risk which you have to actually account for. Data is the new oil and your companies are hazmat sites, so clean them up.

Articles 33 and 34, very simple: if you get breached, you have to actually tell someone. You cannot just backfill it with a master law. So you have to tell the government, and you have to tell the person whose rights you've just violated, because, before, it's violating somebody's rights. You have to tell the government, which usually means your responsible Information Commissioner's Office, within 72 hours of first becoming aware of the data breach. Not a lot of time. This provides a useful incentive to you to make sure that you have an incident response team and then fund them, because if your incident response team doesn't have Splunk or ELK or something so they can search a lot of logs in real time, you're going to get fined for not responding within 72 hours. Also, here's your incentive to finally put full disk encryption on stuff: if you have effective security controls, which means encryption on the data you've lost, and you know that the key was not breached, you don't have to do a report. You have to do a report to the government, but not to the individual people. So put full disk encryption on your laptops. This is 2018; it's been built into every operating system for a decade, just turn it on. You also have to tell people whose data you've lost, quote, "without undue delay," which means fast. And again, you don't have to tell them if it was encrypted, but it has to be real encryption; it cannot be base64 encoded "for security." Seriously. So it has to be real, and you will be audited on whether it's real, and you will be sued if it was not real, and you'll be sued by both
governments and people.

Article 37, a data protection officer. How many of you have worked in the HIPAA space? Like a handful of you. So in the HIPAA space you have a thing called a designated security official, which is sometimes a designated security officer, that just says we need to have a neck we can choke if you get a HIPAA breach. Same exact thing for the GDPR: an actual human being, not a function, not a consultancy, but an actual person in charge of GDPR-type privacy protection. Interestingly, they have to report to the C-suite; they can't report to, like, you know, the third executive assistant in charge of hand-washing, and you can't fire them because they tell you to work harder. This is also a thing straight out of HIPAA: you're not allowed to shoot the messenger and you're not allowed to prevent whistleblowing, all the same thing. This should sound really familiar to people in other compliance spaces. You can still fire them if they groped the intern, to be clear; this does not give them any special protections other than saying you cannot shoot the messenger.

And now the cool part, the part you've all been waiting for: why do we care about Europe? Like, we're not even in Europe, doesn't matter. Well, yeah, it does matter. First of all, the GDPR applies to all companies who hold data on European citizens regardless of whether or not they have a European subsidiary. So Europe will straight up penalize you, as we'll talk about in a second, even if you're an American-only company, because you don't provide GDPR protections to European nationals. Okay, so even if you sell forklifts and you only sell them in the United States, you have to actually put GDPR compliance in place. It might be, but probably isn't, good enough to do the whole "we're going to turn off our European game servers" thing that a few game companies have tried. Like, that's embarrassing and it's not super helpful, because you actually have to do this and it's not, like, optional, and they will find you, because it turns out that Europe's banks are connected to our banks, so they will find your money first.

Big thing in the penalty section: how many of you have been forced to sign an arbitration clause? Everyone raise your hand; everyone has had to do this. It's in the PlayStation contract, for God's sake; everyone has to do this. Articles 77, 78 and 79 say nope, we're done with that shit. No more binding arbitration that waives your fundamental right to sue; no binding arbitration that waives your fundamental right to report to an actual government and have an actual judge give an actual order to fix stuff. There's no more of this "well, you waived it, so you're screwed" thing that is very popular in the United States. But you all want to hear about money, so here's the money: 2% of worldwide turnover, which means global gross annual revenue, not just profit, or 10 million euros, whichever is higher. If you breach certain sections it's actually double that: 4% of worldwide gross annual revenue or 20 million euros, whichever is higher. That's an amount of money that makes even Google notice, because Google cannot take 4% of its worldwide annual gross revenue from every single one of these lawsuits. And the reason for this is really simple. Why is it that huge? Because Facebook was just paying the big penalties under the Data Protection Directive, because it was cheaper than doing the compliance work. So now it's not, so now they'll actually do it, and that's exactly what it's designed to be: a Google, Facebook and Microsoft killer, and it should be pretty effective. I know Google is pretty worried about the lawsuits they're already defending. Also, though, and this particularly grates on American companies, you have to actually pay damages to the people whose rights you violated. Real damages, not that crap where the click-through contract says your maximum damages are limited to the amount you pay in one month for our service, which is, like, $3, so sorry we stole everything. You also don't get to say, well, Equifax didn't have a contract with
you, so Equifax can't be sued by you. That's not a thing anymore either, not for European nationals.

So finally, what comes next? Well, this is already in effect; GDPR day was May 25th. It's amazing: the GDPR is in effect and it protects all of us, because most companies, not Facebook, are applying all these same rights to everyone in the world, because it's easier than trying to ask for passports when you get a deletion request. Max Schrems, our angry Austrian from earlier, has already sued Facebook, as I mentioned, and how that case turns out will shape a lot of how the United States and the European Union react to each other in the next couple of decades. Luckily we have strong and stable leadership in the White House, so I'm sure that regardless of the decision coming from the European Court of Justice we will continue to respect our neighbors across the Atlantic and work together in a productive and meaningful... So we're all screwed. Like, this... I can't even. Like, we're so doomed. Like, Trump is just gonna go there and, like, oh bar, you're not even a real court, like, what is cheese. Also, there have been proposals from some U.S. states to enhance their own privacy laws, but none of them have gone anywhere. That was a weird sound; it sounded like there was one crazy state who might have done something. Oh shit, it's California. Oh my god, seriously, everyone. Responding to a threat, California passed a GDPR-style privacy law in about 72 hours, because a rich man threatened to hold a referendum, and they were pretty sure, like the polling said, that the GDPR was going to pass in California, and it was seriously going to have an effective date of the day after the election. So it was just going to be, like, surprise, GDPR. And so rather than doing that, the California legislature rushed through kind of a mishmash bill that provides more or less GDPR-style, though slightly watered down, protections to Californians, which means, America, this is how this works. So this is kind of amazing; they did the full Leeroy Jenkins, so hopefully it works out for them. We'll find out in 2020. You can read the law now, but we're not sure what most of it's going to mean, and, like, half of the planet is going to sue, so we'll figure out what it means in a couple of years.

Outside California, though, what comes next? Well, for one thing, people are going to learn what goes into their code, or they're gonna have to learn what goes into their code. They're not going to be able to say, well, it's serverless, so I guess I'm outside of your jurisdiction. They're gonna say, well, it's serverless, which means it runs on someone else's servers. And, like, I always get annoyed at the "the cloud is just other people's computers" meme, but I do love that calling it serverless architecture is like calling takeout kitchenless architecture. Like, it still got made on a computer, right? And finally, people in the United States are starting to treat privacy like a first-class principle instead of the punchline to a joke, which is traditionally how we've done this. So everything is awesome, except that of course now we have to be GDPR compliant forever, or as someone on Twitter put it, did you know that GDPR compliance did not end on the 25th of May? We actually have to set up an effective security program. Yeah, you do. Remember that Ceiling Cat is watching your data processing activities and will be doing so for the foreseeable future. Thank you.

We are taking all questions on the microphone so everybody can hear the questions. We've actually got about 10 minutes for questions, and if we have to shut down the mic, hopefully there's time outside of the venue. So thanks. Questions?

Hi, so my question is: given the fact that, you know, Angela Merkel flipped her shit because the US was like "we don't give a fuck about your laws, America, guns, bald eagles, blah blah blah" in US v. Microsoft, isn't it somewhat hypocritical for them to turn around and say with the GDPR, we don't give a shit, even if you only sell to Americans that never
deal with Europeans, you still have to deal with GDPR? And they don't quite say that. So the difference is, it's if you only sell to Americans and hold no data on Europeans; it's entirely done by the nationality of the people whose data you hold. So if you really, like, if you are, like, if you think about yourself as, like, a Kwik-E-Mart type thing, you don't have to worry about GDPR, because you're only selling to people, like, there, and, like, you might incidentally pick up a European national's, like, you know, sticker bar receipt; realistically I don't think the enforcement potential is particularly high. So the thing is that most U.S. businesses do in fact sell overseas and have always relied on not being in Europe to protect them from European laws, and that's the difference; that's what doesn't happen anymore. And the U.S. does do exactly that and has done that for a long time. The difference in the U.S. v. Microsoft issue was that it was on a non-American citizen with a non-American data center, and it reached out and took something, so that's the difference. Okay, and also, why is it no longer the case that you can say, you know, all our servers are on American soil and, like, your user agent went from Europe to America, so there is no, like, you're no longer in Europe, you're in America, you're dealing with American rules and stuff like that? Because Europe said that that was dumb. So diving into this is a whole long story, right? It deals partially with the fact that Europe, for various reasons, didn't create the big internet companies that now hold everybody's data, but it's also because there are a lot of situations in which the nationality of someone actually affects the laws they're under regardless of what country they're in. This is less uncommon than it kind of seems. It seems like it's uncommon because the United States traditionally does this to everybody all the time, in, like, a thousand different forms, everything from the treatment of our armed forces to banking regulations, all sorts of things. It's just that nobody else has ever done it to us before. So I will summarize as: because there's a ton of law saying they get to do that with respect to their own citizens. Okay, thank you.

Hi, if someone asks to be forgotten and I have backups of that data, do I need to then go through those backups and erase them from my backups? Yes. Holy crap. Yeah, it's not like there's... you... so I only have an hour and not, like, an entire career to walk you through all this, right? So there are rules about how instantaneous this has to be, and, like, you can say, for instance, okay, we've deleted it, we've deleted you from our live things, we're no longer recording you to our backups, we have a six-month rotation, we do it with Iron Mountain, trying to go out to Iron Mountain and pull those individual backup tapes outside of the rotation is unrealistic, so we're going to let it time out instead. You can do things like that; you have to actually justify that, you can't just say "LOL no." But yeah, the answer is you can't keep permanent backups at the expense of the rights of European citizens, and if you look at data breaches, it's perfectly obvious why we do that, right? Thank you.

Hi, I have kind of a two-part question. First of all, so I get a lot of requests to forget me from people who apparently are European nationals, and part of me thinks that these are all coming from an automated system, because the emails are all exactly the same; they say "I withdraw my consent under Article 17 for the processing of my..." Yeah, I know, yeah, yeah. So what is, like, what is expected for due diligence for verifying that those people are actually the people that they say they are? And the second part is, do you have any good ideas for attacks where you might, like, send out requests on someone else's behalf to have them forgotten from important things? So, totes, the answer to your first question is don't just... delete their data. Okay? Don't be that guy. Like,
just don't. Like, don't be the edgelord. Like, this is a weird thing to have to explain to, like, the large American businesses, but, like, don't be the "I'm just asking a reasonable question, like, I want you to show me your password." No. Just delete the damn data, it's okay, there's plenty of data. So, like, don't, don't be that guy. Honestly, this is not legal advice, because your lawyer will tell you you can get away with it, but then you have to actually do verification; it's easier just to delete their data. Okay, for part two, that is an interesting and intriguing question. The way I have seen it done is that basically you have to validate that the person has the authority to act on behalf of the thing they're claiming, because yeah, if you can just DDoS, send emails... So, like, if you think about, like, MySpace, let's, because MySpace is easy and everyone likes to make fun of them, MySpace, like, MySpace could say, hey, okay, yes, I got your request to delete data associated with this email address. That email address is associated with an account. We've sent an internal MySpace message to that account; reply to it, because that proves that you're in control of the account, and then we don't have to verify your true identity, we just verify that you're a person who is authorized to access the account. So I've seen that get through lawyers before, so I think that's cool, because it doesn't require collecting passports, which nobody wants to deal with. So that's how I would approach it, and that allows you... it's still very human-intensive. I haven't seen a good automated way of doing this. I have heard that Google has a good automated way of doing it, but I actually don't know what their solution is. But for companies that are not at, you know, billion-user scale, put a human in the loop and send a DM, and it's not that hard. There are situations where that won't work, but that's a pretty good start. Yeah, and that is actually what we're doing, because that's, that's what we... yeah. Thank you. Yeah.

Hi there, two non-contiguous questions. First one: I thought I knew pain reading the GDPR, and then I read the CCPA. Any idea why there's no clear right to be forgotten in that mess? Because the First Amendment, just right up, the First Amendment. The reason that we can't do a right to be forgotten is because the First Amendment, under current interpretation, says that we can't. That's not a, that's not a thing that we would necessarily have to do; this goes into kind of lawyer constitutional nerding, so, like, talk to, like, Marc Randazza or talk to other, like, First Amendment attorneys who are big deals, but it would not be impossible to construct a Supreme Court jurisprudence going forward that would allow us to see that a right to privacy tied to the Fourth Amendment would enable us to say you can't do immaterial facts. That would be a pretty massive change, though, so nothing is likely at all. That's, that's why we can't. Second question: on the horizon, are other states attempting to California on privacy? I was listening to Ellis and Bender speak earlier in the week at Black Hat; she talked about an attempt in Massachusetts to require breached companies to give at least some suggestion to consumers of attribution, which seems like a minefield. Yeah, the governor shot that one down. Do you see anything else weird on the horizon that privacy folks should be watching for? I mean, that sounds like a handout to Mandiant; you have to put... you find, like, it's like, that's awesome, you can just always say it's China, it makes it easy, the dartboard. Yeah, I... there's lots of weird stuff. Like, it's common to see the states as the laboratories of democracy; I'm increasingly convinced that in our hilariously polarized times the states are now the meth labs of democracy, because, like, I'm from Montana and you should see the shit that came out of Montana when we had an ultra-majority of one little political party. It's, like, more than 75%; like, we just did away with democracy. Luckily nothing mattered, but, like, holy crap, it was bad. So yeah, no, not... it's, I mean, almost nothing compares to my current state's thing that says that if you're PCI compliant you're not liable for data breaches regardless of whether you process credit cards. It's just a whole thing; some of you states always do crazy stuff. We'll see how it shakes out. Thank you. All right, let's give it up for Brendan.