GDPR: Beware Data Leaks via Online Search and Translation Tools

Claire Brown is Head of Operations at Today Translations. She is a specialist in business process transformation, a certified APMP project manager, and is the lead officer for ISO9001 and ISO27001 conformance at Today Translations.

The recent announcement at DefCon 2017 in Las Vegas by two German researchers that it was easy to obtain and de-anonymise browsing data and reveal user habits, including a judge’s porn preferences, will come as little surprise to the world-wise.

What is perhaps more surprising, is that some public figures and regulated professionals appear blind to the risks of disclosing sensitive information about their work, clients and private lives and the potential breach of data protection rules.

The latest news came to light following research presented at the DefCon conference by journalist Svea Eckert and data scientist Andreas Dewes. The pair established a fake marketing company and used social engineering techniques to obtain the ‘anonymous’ browsing habits of millions of citizens in Germany.

Google Translate Vulnerability

By examining Google Translate URLs, which are stored in the full text of any query, the researchers even identified details of an ongoing police investigation after matching one clickstream to a particular police detective. The case related to a cybercrime investigation and the investigator was translating requests for assistance made to foreign police forces.

New European Union laws that come into force next year with the General Data Protection Regulation (GDPR) could see companies receiving heavy fines if they are found guilty of data breaches such as losing or unlawfully sharing sensitive information about citizens. In July 2014, Don DePalma of Common Sense Advisory warned that free machine translation tools such as Google Translate can inadvertently result in a data leak.

In June 2017, Sally Anne Poole, enforcement manager at the Information Commissioner’s Office warned that “If a company is subject to a cyber-attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”

Her warning followed a fine the ICO imposed on Berkshire-based Boomerang Video Ltd that failed to take basic steps to stop its website being attacked.

Citizens have a right to expect organisations to look after the information they hold on them. That means having basic controls in place to prevent criminals getting in and stealing data, and avoiding the situation where staff inadvertently disclose sensitive information through emails, online browsing, and so on.

Organisations that routinely use free online tools to conduct research on customers or translate information received from them should be cautious about how much information they are disclosing and whether the explicit consent of the customer is required to process the data in this manner. David Clarke, the former head of the National Fraud Intelligence Bureau, encourages regulated professionals to be especially careful when online, and to have an effective information security management system in place that conforms to ISO 27001:2013.

Before using free online search tools, professionals should always ask themselves if they and their customer would be content if the information became publicly available? As the researcher Svea Eckert said at DefCon 2017, “What would you think if somebody showed up at your door saying: ‘Hey, I have your complete browsing history – every day, every hour, every minute, every click you did on the web for the last month’?”

Today Translations Board Member David Clarke spoke to the BBC about corporate fraud and data security.