Legal & Government Affairs Update Issue 1 - 2018
Meltdown and Spectre: no computer is safe
Project Zero, Google's team of security analysts, working in conjunction with academics and industry researchers worldwide, recently uncovered critical security flaws in Intel, AMD and ARM processors which could be exploited by hackers to obtain sensitive data. Nicknamed Meltdown and Spectre, both flaws exploit vulnerabilities in modern processors, allowing programs to steal data being processed on a computer.
Project Zero, as the name suggested, is focused on uncovering "zero-day" vulnerabilities in computer hardware and software. In computer security jargon, "Day Zero" is the day on which the vendor of a particular system learns of a vulnerability. So "zero-day" vulnerabilities are those that are currently unknown and therefore most dangerous.
Project Zero was formed as a dedicated team after Google found a number of these software flaws while working on other projects, such as the "Heartbleed" security bug that was exploited to obtain secure information from Mumsnet and the Canadian tax agency.
Meltdown and Spectre are the latest of such vulnerabilities to be found by Project Zero and their affiliated researchers. Together they affect almost every system in the world, including desktop computers, laptops, mobile phones and even cloud software. Malicious programs could use Meltdown and Spectre to read data from other running programs, which is typically prohibited. This means that hackers could gain access to passwords stored on your browser, personal photos and emails, banking data or sensitive business documents. All data is potentially vulnerable.
Meltdown is thought to mostly affect Intel processors manufactured since 1995, apart from the Itanium server chips and Atom processors released before 2014. A Meltdown attack works by breaking the fundamental isolation between the user's applications and their operating system. This allows access to the memory of other programs and the operating system itself, potentially exposing all information held on the system. Computers with a vulnerable processor that run an unpatched operating system are at risk of leaking sensitive information, and fixing the Meltdown flaw requires changing how the operating system handles memory. It has been estimated that such a fix could reduce the speed of a computer by up to 30% in some cases.
Spectre affects a large number of modern Intel and AMD processors, among others, including those designed by ARM. Spectre is harder to exploit than Meltdown, but is also harder to fix. It works by tricking programs into leaking sensitive data, even if they are error-free, by breaking the isolation between different applications. Shockingly, best practice safety checks actually increase the exposure of systems to a Spectre attack!
In a statement, Intel said that it "has begun providing software and firmware updates to mitigate these exploits" and suggested that any slowdowns would not be significant. Tech companies such as Apple and Microsoft have been quick to release patches to fix the vulnerabilities. It is recommended that readers keep their systems updated from trusted sources, such as the device's automatic update program.
The existence of such abundant vulnerabilities is a cause for concern. Security researchers have stated that they don’t know whether hackers had already learned of and exploited Meltdown or Spectre, as any attacks exploiting them would be very difficult to detect. It is perhaps reassuring that no major security breaches have come to light as a result of the flaws being made public and the race is now most certainly on to tackle Meltdown and Spectre before more serious damage is done.
Readers with concerns about the vulnerability of their systems can learn more about Meltdown and Spectre, as well as information on the latest security patches, here:
Legislation & Case Law Update
UK Government updates Investigatory Powers Regulations 2018
Published on 18 December 2017, this series of draft statutory instruments propose to update the regulations governing the powers granted by the UK government under the Investigatory Powers Act 2016 (commonly known as the "snooper's charter" in the media).
These codes of practice were subject to public consultation in 2017 and reflect the feedback received by the government. Together, these regulations enhance and clarify the rules surrounding the Investigatory Powers Act. While specific and technical, they impact a large portion of the data that we create and transmit, and outline the ways in which the Government can impose obligations of telecommunications and postal providers in the interests of security.
The main updates are found in the following draft statutory instruments:
The Investigatory Powers (Technical Capability) Regulations 2018 set out the obligations that may be imposed by technical capability notices issued by the Secretary of State. Essentially, these require postal and telecommunications operators to ensure that they have sufficient capabilities to assist with interception warrants, equipment interference warrants, or warrants or authorisations for the obtaining of communications data.
The Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 set out the circumstances in which intentionally intercepting a communication is allowed. The Investigatory Powers Act 2016 makes it an offence for a person to do so without lawful authority so these regulations are key in helping telecommunications providers to set their procedures for monitoring and recording communications as required under the Investigatory Powers Act.
The Investigatory Powers (Review of Notices and Technical Advisory Board) Regulations 2018 sets out the basis on which a person may refer a notice received under the Investigatory Powers Act back to the Secretary of State for review. These include retention orders (to retain certain data), nation security notices, and technical capability notices (outlined above). These regulations also provide detail on the review process and will be of interest to all those who may be subject to such orders.
The powers granted by the Investigatory Powers Act are substantial and these regulations provide key updates to their practical operation. Readers wishing to delve into the updated regulations can do so here:
ICO seeks feedback on recommendations for children and GDPR online
On 21 December 2017, the UK Information Commissioner's Office (ICO) launched a consultation on its draft guidance setting out the recommended approach to General Data Protection Regulation (GDPR) compliance concerning children's personal data.
Children are less likely to be aware of the risks associated with the collection and processing of their personal data and these recommendations rightly identify the needs to provide greater protection to them under the GDPR. For those who process children's personal data, the ICO's guidance stipulates that child protection should be considered from the outset, and that systems and processes should be designed with this in mind.
The guidance is structured in a question and answer style, coving the main issues data processors will face when it comes to children's personal data, and contains a helpful checklist which covers the new requirements concerning children and the GDPR. Of particular note is that, when relying on consent as the lawful basis for processing, parental consent must be obtained for children under 13. Further, children must not be subject to decisions based solely on automated processing if this will have a legal or similarly significant effect on them and privacy notices for children must be clear and age-appropriate.
The ICO is looking for feedback in several areas, such as: how clearly it has communicated its recommendations, suggestions of examples or scenarios which would assist in illustrating its points, and areas of guidance requiring improvement.
The consultation closes on 28 February 2018. Readers wishing to provide feedback can do so here: