Many major websites do not use SSL to protect personal data as it travels across the internet. This was highlighted by the publication of the Firesheep Firefox extension in late 2010. This post looks at what European Data Protection Legislation has to say about the use of SSL to protect personal data.
Very little as it turns out.
It really only says that "appropriate measures" must be taken to protect the data. The UK and Ireland were examined in a bit more detail. In these two countries, some of the accompanying notes to the legislation talk about encryption, but it is vague. The situation in other EU countries was not reviewed.
So, it seems to be unclear whether websites that transmit personal data across the internet in cleartext are in breach of European Data Protection Legislation. However, based on the experience with Google Streetview, the combined EU Data Protection bodies should be in a position to put pressure on these websites to configure and use SSL properly.
Most information security professionals would think that SSL is a basic security measure.
Feedback is welcome - especially on the situation in other EU countries.
The Firesheep Firefox extension shows how easy it is to hijack user sessions on websites that do not implement SSL properly. In summary, you can use Firesheep to steal personal data (names, addresses etc.) from many major websites that do not use SSL or only use it during authentication.
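The weakness Firesheep relies on is a session cookie that the browser will also send over plain HTTP, which is what happens when SSL is only used during login. The following is an added example, not code from the original post: it audits a set of response headers for that weakness, using constructed headers and an assumed list of cookie-name hints.

```python
# Added example (not from the original post): audit HTTP response headers for the
# weakness Firesheep relies on, a session cookie set without the Secure attribute,
# plus the absence of HSTS, which lets the browser keep talking plain HTTP.
from http.cookies import SimpleCookie
from typing import List, Tuple

# Cookie names treated as session identifiers here (an assumption for the example).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def is_session_cookie(name: str) -> bool:
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for one response's headers, given as (name, value) pairs."""
    findings = []
    has_hsts = any(name.lower() == "strict-transport-security" for name, _ in headers)
    if not has_hsts:
        findings.append("no Strict-Transport-Security header: browser may still use plain HTTP")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = SimpleCookie()
        cookie.load(value)  # parses "name=value; Path=/; Secure; HttpOnly"
        for key, morsel in cookie.items():
            if not is_session_cookie(key):
                continue
            if not morsel["secure"]:
                findings.append(f"session cookie {key!r} lacks Secure: sent over cleartext HTTP")
            if not morsel["httponly"]:
                findings.append(f"session cookie {key!r} lacks HttpOnly: readable from script")
    return findings


# Constructed headers for a site that only uses SSL during login (the Firesheep case).
LOGIN_ONLY_SSL = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
]

# Constructed headers for a site that uses SSL properly across the whole session.
FULL_SSL = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("login-only SSL", LOGIN_ONLY_SSL), ("full SSL", FULL_SSL)):
        print(label, audit_response(hdrs) or ["no findings"])
```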
So what does European Data Protection legislation have to say about SSL? Are websites that do not use SSL to protect personal data in breach of Data Protection Legislation?
European Data Protection Legislation and American Websites
First of all, a quick note about American companies. Most of the major websites are run by American companies. You might wonder whether they care about European Data Protection legislation or what the relationship is. The answer is the Safe Harbor program administered by the US Department of Commerce.
Essentially it means that companies who sign up to the Safe Harbor program agree to comply with EU Data Protection rules. In general, the major websites do sign up. You can search the list at:
European Data Directive
The main security driver for the protection of personal data in the EU is
DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995
Article 17 Security of processing of the Directive states:
- "the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss and against unauthorized alteration, disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing"
It says that "appropriate technical" measures must be taken "in particular where the processing involves the transmission of data over a network". That implies that something should be done to protect personal data as it is being transmitted across the internet - but it does not mention SSL or encryption.
Every EU country has implemented the European Data Directive into its own legislation. Each EU country has a local Data Protection body that is responsible for enforcing this legislation in that country. The following sections look at two countries in a bit more detail - the UK and Ireland.
In the UK the Information Commissioner's Office is responsible. Does the commissioner have anything to say? The ICO document "Data Protection Good Practice Note - Collecting personal information using websites" contains a number of questions. Question 9 is relevant:
- We collect personal information through our website. Do we have to use an encryption-based transmission system?
- "You are responsible for processing personal information securely. You must adopt appropriate technical and organisational measures to protect the information you collect. It is difficult to see how you could do this without having a secure, encryption-based transmission system if the personal information is sensitive or poses a risk to individuals, for example, if it includes credit card numbers.
You should be aware that although a secure transmission system will protect the personal information in transit, there is a potentially greater threat to the security of the information when it is decrypted and held on a website operator's server. Any sensitive personal information, or information that would pose a risk to individuals, should not be held on a website server unless it is properly secured by encryption or similar techniques."
Unfortunately, this answer is also not clear-cut. While it does talk about "a secure, encryption-based transmission system", it is only with respect to personal information that is "sensitive". And "sensitive personal information" has a special meaning. See the section "Sensitive personal information" in About the Code.
The Data Protection Commissioner is responsible for personal data in Ireland. The document A Guide to the New Data Protection Rules is a bit more specific:
- "Transmission over external networks, such as the internet, should normally be subject to robust encryption"
This would imply that SSL (or equivalent) should "normally" be used.
Other EU Countries
The legislation in other EU countries was not examined.
It seems to be unclear whether websites that transmit personal data in clear text are in breach of EU Data Protection legislation.
However, the EU Data Protection bodies were able to force Google to make changes to its Streetview product to comply with Data Protection legislation. These same bodies should be in a position to force the major websites to configure and use SSL properly.