How to effectively evade the GDPR and the reach of the DPA

As my regular readers know, I am reluctant to trust anything that isn't tested and battle-proven. In the last two years I applied the same logic that I apply to vulnerability research to the data privacy environment and proceeded to test a broad range of Data Subject Rights. Expect a few disclosures following this one.

In true Information Security fashion (insiders will understand), I have assigned this weakness the ID:
  • CDPWE-0001 - Does not designate a Representative in the European Union

Introduction

When I searched Google for my name, an interesting website came up in the results. A company called "RocketReach" allowed others to buy access to my personal data. I was intrigued, as I had never given any consent for RocketReach to store (let alone sell) my data, and I saw no other legal basis for RocketReach's processing of my data.

"RocketReach" is a data broker that describes its service as:
"Connect directly with the right decision makers, using the world's largest and most accurate database of emails and direct dials. Real-time verified data for 430 million professionals across 17 million companies, worldwide. Trusted by over 5.0 million users — powering sales, recruiting, and marketing at companies large and small.
Prospect, connect and converse with your leads at scale."

Issuing a DSAR

On the 5th of April 2019, I asked RocketReach for access to my personal data (a Data Subject Access Request) and asked for the purpose and the legal basis of the processing. Instead of giving me access to my data and replying adequately, RocketReach decided to delete/remove all traces of it and informed me that it had done so the same day.

While it might be surprising to some, this is actually a common reaction to DSARs when the Data Controller realizes that the data they hold may have no real legal basis.

Filing a complaint 

On the 5th of April 2019, I filed a complaint with the Luxembourgish Data Protection Agency (CNPD). The reference for this complaint is #3018 (for those who want to request information/documents from the CNPD).

Waiting for roughly a year

"We agree with you but we can't do anything, sorry, move on"

On the 6th of March 2020 the CNPD responded as follows (original version on top, the translated version at the bottom).

Monsieur Zoller,
La Commission nationale pour la protection des données (CNPD) se permet de revenir vers vous concernant votre réclamation du 5 avril 2019 à l’encontre de la société RocketReach.
Dans le cadre de l’instruction de votre réclamation, la société RocketReach nous a communiqué qu’elle considère que ce sont les utilisateurs de ses services, et non elle-même, qui sont les responsables du traitement pour ce qui concerne les données à caractère personnel traitées sur son site internet.
Par ailleurs, il ressort également de cette instruction que la société RocketReach est une société située aux Etats-Unis d’Amérique ne disposant pas d’un représentant dans l’Union au sens de l’article 27 du règlement général sur la protection des données (RGPD).
Au sujet des responsables du traitement établis dans des pays tiers, comme les Etats-Unis d’Amérique, nous souhaitons attirer votre attention sur le considérant (116) du RGPD qui précise que:
« Lorsque des données à caractère personnel franchissent les frontières extérieures de l'Union, cela peut accroître le risque que les personnes physiques ne puissent exercer leurs droits liés à la protection des données, notamment pour se protéger de l'utilisation ou de la divulgation illicite de ces informations. De même, les autorités de contrôle peuvent être confrontées à l'impossibilité d'examiner des réclamations ou de mener des enquêtes sur les activités exercées en dehors de leurs frontières. Leurs efforts pour collaborer dans le contexte transfrontalier peuvent également être freinés par les pouvoirs insuffisants dont elles disposent en matière de prévention ou de recours, par l'hétérogénéité des régimes juridiques et par des obstacles pratiques tels que le manque de ressources. »
Dans le cas de votre réclamation cela signifie que, bien que nous ne partagions pas le point de vue de RocketReach et que nous sommes au contraire d’avis que cette société est bien à considérer comme responsable du traitement pour les traitements de données à caractère personnel effectués sur son site internet, il nous est impossible de poursuivre plus en avant le traitement de votre réclamation. En effet, nous ne disposons pas des pouvoirs de mener des enquêtes et de faire appliquer les décisions que nous serions amenés à prendre sur le territoire des Etats-Unis d’Amérique.
Nous sommes dès lors au regret de vous informer que nous considérons qu’il nous est impossible de poursuivre de façon effective le traitement de votre dossier. 
Veuillez agréer, Monsieur Zoller, l’expression de nos sentiments distingués.

English
Mr. Zoller,
The National Commission for Data Protection (CNPD) would like to get back to you regarding your complaint of 5 April 2019 against the company RocketReach.
In the course of investigating your complaint, RocketReach informed us that it considers that it is the users of its services, and not itself, who are the controllers of the personal data processed on its website. Furthermore, it also emerges from this investigation that RocketReach is a company located in the United States of America that does not have a representative in the Union within the meaning of Article 27 of the General Data Protection Regulation (GDPR).
As regards data controllers established in third countries, such as the United States of America, we would like to draw your attention to recital (116) of the GDPR, which states that: "When personal data crosses the external borders of the Union, this may increase the risk that individuals may not be able to exercise their data protection rights, in particular to protect themselves against unlawful use or disclosure of such information. Similarly, supervisory authorities may be faced with the impossibility of investigating complaints or activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventive or remedial powers, heterogeneous legal regimes and practical obstacles such as lack of resources."
In the case of your complaint, this means that, although we do not share RocketReach's view and are on the contrary of the opinion that this company is indeed to be considered the data controller for the processing of personal data carried out on its website, we are unable to take any further action in relation to your complaint. We do not have the powers to investigate and to enforce any decision we would have to take on the territory of the United States of America.
We regret to inform you that we consider it impossible for us to proceed effectively with the processing of your case.

In summary: RocketReach has not met the requirement of the GDPR to name an EU representative (Art. 27) to account for the processing of European personal data. In their answer, the CNPD makes it sound like this is optional; it isn't. Instead of pursuing RocketReach locally on that basis alone, the CNPD just gives up, arguing it has no jurisdiction in the US.

In other words: just don't designate a representative in Europe, build your business model around the exploitation of data from millions of European data subjects, and you are fine?

I am fully aware that I could initiate legal proceedings myself. That's not in my interest (in this case). The overall question you should ask is: do we need a European institution that handles extra-territorial investigations and fines? Why should it take the time, money and energy of an individual when the DPA is supposed to defend the rights of data subjects?

What the CNPD could have done according to [1]:
  • to impose a temporary or definitive limitation including a ban on processing;
  • to order the suspension of data flows to a recipient in a third country or to an international organisation;
  • to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
  • to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period.

[1] https://cnpd.public.lu/en/commission-nationale/pouvoirs.html

Instead, RocketReach just continues to sell the personal data of millions of European data subjects like nothing ever happened, including all of the below:
  • Members of the CNPD
  • Members of the European Data Protection Board
  • CNIL

This post does not have much "added value" for security professionals; it is intended for a broader local audience.

This is a quick post to clarify some ambiguity that I have seen in the reporting and associated discussions.

In recent weeks it came to light that a ransomware group dubbed REvil has been publishing a note claiming that they compromised and extracted information from the Luxembourgish supermarket chain "Cactus Group". This was covered by Luxembourgish media, exposing the topic to a broader audience and shedding light on activities commonly dubbed "ransomware".

Here is a small list of local press coverage:

All of the above reference a blog post by Cyble, Inc. on the matter.

Some clarifications:
  • The primary source of the screenshots is not Cyble, Inc. The source is a Tor website where (presumably) "REvil" publishes notices about companies that don't pay their ransom; the Cactus Group is one of them.
  • There are more screenshots and details that journalists would discover if they tracked down the source website. In particular, a few datasets that raise the question of why they were highlighted in the first place.

More general information on "REvil/Sodinokibi":

This is a Twitter thread turned blog post.

This may be interesting for native English speakers, especially those working in international environments. For my Luxembourgish/German readers this may be interesting to know as well.

Among the many things I dislike about languages with Germanic roots (like Luxembourgish) is that our language allows for no differentiation between "Safety" and "Security", making my job difficult.

The English language allows us to differentiate between both terms and allows for easier, meaningful discussions. German and Luxembourgish only know the word "security"; there is, to my understanding, no equivalent to the word "safety".

These words however do not have the same meaning.

Safety
The state of being protected from danger or harm. The condition of being protected from or unlikely to cause danger, risk, or injury.
Security
Protection of a person, building, organization, or country against threats such as crime or attacks by foreign countries.

Many don't realise that this is part of the reason we often end up disagreeing although we fundamentally agree: it is simply the wrong meaning being associated with the word "security" and the way we use it.

So in the current debate about tracing apps, the associated privacy fears and the fear of a lack of security controls, this becomes:
  • Goal of a tracing application: Safety of individuals and society
  • Means to get there: Security and Privacy controls and mechanisms are used to guarantee (to some degree) the Privacy and Security of the underlying data
  • Allowing for: Safety through actions taken by analysing the data.

The Luxemburgish Constitution is not for its people?

Updates:
29/04/2020 - Added section entitled "About the non-deterministic nature"

Bold statement? Let me take a moment and explain why I came to this rather confrontational conclusion.

Since the measures against the SARS-CoV-2 pandemic were introduced, my interest in our constitutional rights has grown; I was curious to understand under which legal frameworks those measures operated.

I must admit that I had a clearer understanding of the US Constitution than I had of the constitution that applies to me. That may have been ignorance on my part, but as I soon found out, it's not solely ignorance: it's simply because the Luxembourgish constitution doesn't really say much about the rights of its people and in some cases has quite extraordinary gaps.

Also of note is the fact that the government chooses not to directly involve its citizens in the revision of the constitution, which I find in itself quite remarkable.

Disclaimer: I am not a legal professional but a simple citizen. I would argue that the fundamental rights in a state's constitution are to be written in such a way that the average citizen can know and understand them. I expect to be wrong in certain areas. Feedback and critique welcome. This post is in English for the many inhabitants of Luxembourg who cannot read the constitution that may or may not apply to them.


As a start, here is a list of constitutions*:

* I am aware that all of these have distinctly (in some cases completely) different legal systems.

A list of gaps

  • Contrary to, for example, Germany, the constitution says nothing about human dignity and the state's obligation to protect it. That's actually the first article of the German Constitution: "(1) Die Würde des Menschen ist unantastbar. Sie zu achten und zu schützen ist Verpflichtung aller staatlichen Gewalt." (Translation: "(1) Human dignity is inviolable. To respect and protect it is the duty of all state authority.")
    In that context, I'd like to point out and emphasize that the constitution does, however, explicitly guarantee that the state will protect the environment (nature) and promote the well-being of animals (Art. 11bis).
  • The Luxembourgish Constitution makes no reference to guaranteeing the fundamental rights of the defence. All Luxembourg case law on procedural and defence rights is based on Article 6 ECHR and does not rely on the Constitution, which does not expressly contain such rights.
  • The Luxembourg Constitution does not explicitly provide for any constitutional body to protect fundamental rights.
  • The Luxembourgish Constitution, with regard to fundamental rights (Chapter 2), is often arbitrary in the sense that for the most part it refers to laws that are to determine the details of those rights at a later stage. Contrary to, for example, the constitution of Germany, there is a clear lack of directly deterministic language. Not using deterministic language guarantees flexibility for the government to change or adapt these rights (through law) at the expense of clarity and rigidity. It is, however, also in direct contradiction with the right guaranteed in Art. 11.

    Let's expand on that: the constitution acknowledges the "droit naturel humain" as a fundamental right in Art. 11.

    Simply put, "natural human rights" are rights that you own because you are human.
    The "Droit Naturel Humain" seeks to establish a standard that is immune to the fluctuations of history and morals and avoids the arbitrariness of human judgment.

    However, the section on fundamental rights within the Luxembourgish constitution seemingly contradicts the very intent of this concept by introducing relative statements all across its section on fundamental rights ("as determined by law").

    Natural law is actually opposed to positive law, which is the law in force, enacted by society or the State, and which by definition is changeable according to place and time.

    Fundamental rights should hence be clearly and deterministically formulated as far as possible, but they often are not, and are deliberately weak and hollow:

    Examples:
    "L'Etat garantit la protection de la vie privée, sauf les exceptions fixées par la loi."
    Translation: "The State guarantees the protection of private life, save for the exceptions laid down by law."

    "La liberté du commerce et de l'industrie, l'exercice de la profession libérale et du travail agricole sont garantis, sauf les restrictions à établir par la loi."
    Translation: "Freedom of commerce and industry, the exercise of the liberal professions and of agricultural work are guaranteed, save for the restrictions to be established by law."

    "La liberté individuelle est garantie. - Nul ne peut être poursuivi que dans les cas prévus par la loi et dans la forme qu'elle prescrit. - Nul ne peut être arrêté ou placé que dans les cas prévus par la loi et dans la forme qu'elle prescrit."
    Translation: "Individual liberty is guaranteed. - No one may be prosecuted except in the cases provided for by law and in the form it prescribes. - No one may be arrested or detained except in the cases provided for by law and in the form it prescribes."

Are they really gaps?

In Luxembourg, fundamental rights are not limited to the Constitution only; they include the UN Charter of Human Rights and the European Declaration of Human Rights, and the Luxembourgish courts have given precedence to these obligations over national law.

It is true that Luxembourg is subject to the EDHR/UN Charter and is implicitly bound by these. It is also true that Luxembourg operates on a model where the courts do verify cases for alignment with treaties and fundamental rights.

That said, I have to say two things to those arguing that this situation is fine:
  • If it's the case that these take precedence, then I see no reason not to simply add them to the revision of the constitution, making it both more accessible and understandable for an average citizen (i.e. me).
  • Personally I find it quite frightening that an average citizen is supposed to read, understand and cross-reference existing jurisprudence (or non-existing for that matter; we have many articles with zero existing case law), international treaties and charters in order to understand their fundamental rights as a citizen of Luxembourg. A constitution and a list of fundamental rights shall be easy to understand and easy to comprehend by its people.
It is therefore that I come to the conclusion that Luxembourg's constitution, in its current (and planned) form, is simply not meant for its people, and that's something I'd like to see challenged.


About the non-deterministic nature

To make this clearer, let's take a few examples.

Luxembourg's current understanding of how to describe a fundamental human right in a constitution is best demonstrated by Art. 25:
«Art. 25. La Constitution garantit le droit de s'assembler paisiblement et sans armes, dans le respect des lois qui règlent l'exercice de ce droit, sans pouvoir le soumettre à une autorisation préalable. - Cette disposition ne s'applique pas aux rassemblements en plein air, politiques, religieux ou autres; ces rassemblements restent entièrement soumis aux lois et règlements de police.»
Translation:
"ART. 25. The Constitution guarantees the right to assemble peacefully and unarmed, in accordance with the laws regulating the exercise of this right, without being able to subject it to prior authorization. - This provision does not apply to open-air, political, religious or other gatherings; such gatherings remain entirely subject to the laws and police regulations."
That's not a description of a fundamental right, and in my opinion it has no place in a constitution. It basically says: you have a right, and we restrict that right. Then, after finishing that very sentence and for good measure, we continue to restrict your "fundamental right" even further by excluding open-air, political, religious or "other gatherings" and pointing to laws and police regulations that are not further described. This is both ambiguous and deliberate. In my opinion, that's plain nonsense and a travesty, and it has no place in a section on fundamental rights in a constitution.

Let's take a look at Art. 8 of the German Constitution, which describes what is basically the same fundamental right.
Art. 8 GG: "(1) Alle Deutschen haben das Recht, sich ohne Anmeldung oder Erlaubnis friedlich und ohne Waffen zu versammeln. (2) Für Versammlungen unter freiem Himmel kann dieses Recht durch Gesetz oder auf Grund eines Gesetzes beschränkt werden."
Translation:
"(1) All Germans have the right to assemble peacefully and without weapons, without registration or permission. (2) For assemblies in the open air, this right may be restricted by law or by virtue of a statute."
Apart from being short and to the point, the German constitution allows for restrictions by law without stating that the right is effectively already restricted, and it does not state that restrictions are in place or what they are.


Changes I'd like to see

  • Take Chapter 2 (Fundamental Rights) and transform it into deterministic statements, actually applying Art. 11 ("Natural Human Law") as much as possible, i.e. "Your right is XYZ" instead of "Your right on topic X will be determined within a law and is not ...". Those articles in essence just state that there must be a law, not the intent or limits such laws would have. If I have been able to convey my logic to my reader, you will understand that all I am really asking for is the application of Art. 11 of the constitution ("Droit naturel Humain").
  • Fundamental rights also serve the purpose of protecting from arbitrary decisions by governments. We should stay away from mechanisms allowing governments to change the fundamental rights in the constitution by way of backdooring it with "will be determined within the law".

    Granted, yes, there are other procedures with checks and balances within the legislative process, and yes, sometimes it is necessary to say that, but that should be the exception, not the norm. That said, a fundamental right is fundamental and is only allowed to be circumscribed within limits. These limits could be described.
  • Involve citizens more in the revision process.

If you master German I recommend to read "Grundrechte im Großherzogtum Luxemburg"

Final Word

I leave you with the following, which I think is relevant and applicable to the current situation:

Disclaimer: I am not a medical professional; layman's terms. I collect information for personal consumption below and will keep it updated. There is too much noise currently.

Updates

  • 26.03.2020: Added Spread and Containment Simulator
  • 27.03.2020: Added tested and proven 3D prints; added further national dashboards. Fixed the estimated percentages of asymptomatic infections. Clarified terminology (Symptomatic, Asymptomatic, Infected, Ill). Added "From the Horse's Mouth" section - on-the-ground reports.
  • 29.03.2020: Added details on why the mortality rate is so different from country to country, in section Statistics.
  • 30.03.2020: Added ventilator pump open-source designs and information on disinfecting 3D prints in the section "What can I do?". Added interview with Professor Kim Woo-joo from Korea University Guro Hospital in "Videos to watch".
  • 31.03.2020: Added statistics showing the daily number of cases instead of a logarithmic/cumulative approach in Statistics. If you want to see these for your country, head over to this dashboard: https://nssac.bii.virginia.edu/covid-19/dashboard/
  • 01.04.2020: Added COVID-Trends (thanks to @memgrinder) and CoronaVirus Forecast (thanks to @GunstickULM) in Statistics.
  • 25.04.2020: Added graphs based on the projections of the UNI.LU for Luxembourg

Terminology

A striking number of officials can't get their terminology right, making some of their statements and statistics void of any meaning, hence I will use the following:
  • SARS-CoV-2 is the name of the particular coronavirus strain we are seeing now.
  • COVID-19 is the respiratory disease caused by the virus, NOT the name of the virus.
  • "Infected" = infected with the virus (could be symptomatic OR asymptomatic)
  • "Sick" or "ill" = infected and suffering from COVID-19 (symptomatic)
  • Infected does not equal sick (symptomatic)

Problems with the current statistics: different ways of counting infections, and meaningless terminology like counting "healed". Healed from what? COVID-19?
Some countries and/or media only publish cumulative dashboards. Below you'll find Germany and Luxembourg (both opting for enforced social distancing); you see indicators that the initiatives work, a flattening of the curve.

Projections for Luxembourg

Source : Ben Nelson (https://benelsen.com/covid19/unilu.html) and UNI.LU

Simulation based on Luxembourg continuing the lockdown
“(...) midterm projections for Luxembourg predicting the number of assumed positive Covid-19 cases, ICU demands and deaths cases for a continued Lockdown. The projections are obtained by a stochastic agent based epidemiological model and gives for each average value also a 90% confidence interval.”


Simulation based on Luxembourg stopping the lockdown on May 4th

“(...) midterm projections for Luxembourg predicting the number of assumed positive Covid-19 cases, ICU demands and deaths cases for a scenario of a general exit on May 4th. The projections are obtained by a stochastic agent based epidemiological model and gives for each average value also a 90% confidence interval.”


Simulation based on Luxembourg stopping the lockdown  with Backtracing

“(...) midterm projections for Luxembourg predicting the number of assumed positive Covid-19 cases, ICU demands and deaths cases for a scenario of a release of 63k workers on April 20th with initial testing or 25% effective backtracking. The projections are obtained by a stochastic agent based epidemiological model and gives for each average value also a 90% confidence interval.”

Dashboards

Simulators

3D Prints / "What can I do?"

From the Horse's Mouth

  • NY - 25/03 : https://www.youtube.com/watch?v=bE68xVXf8Kw
    An emergency room doctor in Elmhurst, Queens, gives a rare look inside a hospital at the center of the coronavirus pandemic. “We don’t have the tools that we need.”

Common Symptoms

  • Fever
  • Cough and Respiratory Difficulties
  • Losing the sense of smell or taste

Disinfectant DIY:

  • 4 parts rubbing alcohol (isopropanol)
  • 1 part water
  • 1 part citric acid (smell)
The above kills viruses and is nothing other than what is in commercially available disinfectants.

Videos to watch