Thursday 13 September 2012

Explicit consent: The EU’s (potential) new gift to the malware community

A speaker at yesterday’s meeting of the Data Protection Forum made such a blindingly obvious point about a possible consequence of part of the new Data Protection Regulation that I really wonder whether the European Commission quite appreciates the size of the gift that may it may well bequeath to the malware community.

And I’m kicking myself for not having appreciated it before. As you, dear reader, will start to kick yourself shortly, too.

The issue is, when you think about it, pretty simple. It’s an unintended consequence of something that some European official probably thought was a really good idea. If the malware community play its cards right, however, the consequences could be catastrophic for most of the internet using community.

What am I on about?

Well, it’s all about this great idea the European Commission has to “improve” standards of data protection, by setting out the circumstances where users need to “consent” to a processing activity before that activity can commence.

If you think about it quickly, this sounds like quite a good idea. After all, what’s wrong with being asked to “consent” before stuff happens?

But, as soon as you unpick the practicalities of the proposal, Dementors as awful as those that tormented Harry Potter run the risk of being unleashed on an unsuspecting audience.

Zoltan Precsenyi of Symantec pointed out yesterday that, if the new Regulation is adopted even roughly its current form, the onus will probably be on data controllers to seek the user’s explicit consent before certain types of processing activities are carried out. The effect is that the more reputable data controllers are likely to present internet users with a series of “fair processing notices”, accompanied by pop-up boxes, which users will be required to “tick” to show that that they really do consent to the relevant processing that the data controller wants to carry out.

This sounds good in theory.

In practice, the reality is likely to be horribly different – as fears are emerging that malware providers will take advantage of the “security by design” flaw that the Commission could be creating.

Let’s take a minute to imagine what will really happen. Internet users are human beings, not anoraks. They will not read fair processing notices. But, they will be conditioned to expect to see a plethora of “Commission inspired” pop-up boxes appearing before they get to access stuff they really want to be presented with.

So, what will they do? If they’re anything like me, and I do apologise in advance for wanting to act like a paid-up member of the human race, they will work out where they need to place their cursor to click on the “I accept” button, and they will just click it. They won’t read the stuff. No-one really reads this stuff. Life is too short to read privacy notices. I’m sorry, but it just is.

And, as the great unwashed click away at the snowstorm of consent boxes, it won’t be beyond the wit of a malware designer to sneakily insert an “I also accept this malware” box too. And the first time most people will be any the wiser will be after their data has been slurped up, or when their device has become part of a botnet - ironically, “legitimately”, as far as the malware provider is concerned.

How this type of naughty activity is investigated, and how the investigators will get the evidence they need to establish that users didn’t really provide their “consent” even when they clicked a bright blue “I accept” box, is a question that I really can’t answer.

So, obtaining “explicit consent” for various forms of processing may sound good in legal theory, but it also offers very interesting opportunities for new types of misbehaviour to be carried out on the great unwashed.

Image credit: