Encryption and Privacy II: Lifespan of personal data
When an encryption system is selected for a processing operation, it must be borne in mind that the available options have different characteristics; it is therefore necessary to analyse them and choose the encryption system most appropriate for the product or service into which it will be integrated.
Each processing operation will have its own requirements with regard to the encryption system. For instance, a sports pay-per-view system will have significant latency restrictions, online sales processes require the secure channel to be established quickly, encryption integrated on smart cards will have memory limitations, that of mobile systems will have restrictions on power consumption, app developers will look for open-source and cross-platform solutions, the protection of classified material requires certified encryption systems, hard drive encryption requires high performance, signature services need asymmetric encryption, protection of large volumes of data requires symmetric encryption, etc. In short, the encryption system integrated into a processing operation must comply with the requirements arising from the business purposes.
An important parameter when choosing the encryption system is its strength; that is, the difficulty or volume of work required to break the cryptographic system. Strength determines the probability that the system will be compromised within a given time frame. The greater the strength of the encryption system, the greater the likelihood that the encrypted information will remain confidential for longer, always taking into account the pace of technological progress.
The strength requirements of the encryption system differ from one application to another. In some cases, such as short-term financial transactions or distribution of press material, confidentiality should be guaranteed for a few days, even only a few hours. Information regarding mergers, marketing plans or product launches usually has confidentiality guarantee requirements for a few weeks or months. On the other hand, political and diplomatic secrets must remain confidential for years, even for many years. The lifetime of the message, understood as the period of time in which it is relevant to keep the message confidential, is different for each processing and is the relevant criterion for determining the strength requirements of the encryption system.
High strength in the encryption system is a very expensive requirement. In addition, the more demanding this requirement is, the more complicated it is to assess, and the more it will conflict with the fulfilment of other requirements of the processing, such as latency, set-up time, power consumption, resources, performance, portability, usability, cost, etc.
In the event that encryption techniques are used to add further protection guarantees to the processing of personal data, it is necessary to consider what strength is needed and, for this purpose, what the lifetime of the message is from the GDPR point of view, that is, the lifetime of the data. As defined by the GDPR in article 4.1, data remains personal data for as long as it is information about an identified or identifiable natural person; therefore, we are talking about very high strength requirements (let's think about the data currently collected from minors).
In the event that the main guarantee for a processing operation is the encryption of personal data, it is necessary to validate the strength of the encryption system. There are analyses that estimate the strength of certain encryption systems, normally with many limitations, since they only cover the algorithm, the relation with the key length and the most elementary attack model. Even with these limitations of analysis, algorithms such as DES, for example, turn out to be inadequate for the protection of personal information in the long term. When validating the encryption system, it is important to keep in mind that this comprises much more than verifying the algorithm; it is essential to include, among others, the verification of the key management procedures, the entropy and the pre-processing of the data, the communication protocols, the analysis of the specific implementation of all these elements and, finally, the review of the organisational aspects of system management and of the cryptographic material.
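The two preceding ideas, that strength must be chosen against the lifetime of the data while technology keeps advancing, and that the nominal key length overstates the strength when the key is derived from low-entropy material, can be put in numbers. The following is an added illustration and is not code from the AEPD post: it estimates the expected exhaustive-search time for a key length, optionally with an attacker whose capacity doubles every few years, and compares it with the required data lifetime. The search rate of 10^12 key trials per second, the doubling period of two years and the 80-year lifetime for data about minors are constructed assumptions for the illustration, not measurements.

```python
import math
from typing import Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_brute_force_work(key_bits: float) -> float:
    """Expected number of trial decryptions in an exhaustive key search.

    On average the correct key is found after trying half of the 2**key_bits keys.
    """
    if key_bits <= 0:
        raise ValueError("key_bits must be positive")
    return 2.0 ** (key_bits - 1)


def years_to_break(key_bits: float, keys_per_second: float,
                   doubling_years: Optional[float] = None) -> float:
    """Years until an attacker is expected to finish an exhaustive key search.

    keys_per_second is the attacker's rate today (an assumption supplied by the caller).
    With doubling_years = T the rate grows as r(t) = r0 * 2**(t/T), so the keys tried
    by year t are r0*T/ln2 * (2**(t/T) - 1); solving that for t gives the formula below.
    """
    if keys_per_second <= 0:
        raise ValueError("keys_per_second must be positive")
    work = expected_brute_force_work(key_bits)
    r0 = keys_per_second * SECONDS_PER_YEAR  # keys per year at today's rate
    if doubling_years is None:
        return work / r0
    if doubling_years <= 0:
        raise ValueError("doubling_years must be positive")
    return doubling_years * math.log2(work * math.log(2) / (r0 * doubling_years) + 1.0)


def effective_key_bits(key_bits: float, key_source_entropy_bits: float) -> float:
    """Effective strength when the key is derived from a weaker secret.

    The search space is bounded by the smaller of the nominal key length and the
    entropy of the material the key was derived from (e.g. a numeric PIN), which is
    why the post insists on checking entropy and key handling, not only the algorithm.
    """
    return min(key_bits, key_source_entropy_bits)


def meets_data_lifetime(key_bits: float, lifetime_years: float, keys_per_second: float,
                        doubling_years: Optional[float] = None, margin: float = 1.0) -> bool:
    """True if the expected search time covers the data lifetime, times a safety margin."""
    return years_to_break(key_bits, keys_per_second, doubling_years) >= margin * lifetime_years


if __name__ == "__main__":
    RATE = 1e12          # assumption: 10^12 key trials per second
    DOUBLING = 2.0       # assumption: attacker capacity doubles every two years
    LIFETIME = 80.0      # assumption: data about a minor stays personal data for ~80 years
    pin_bits = effective_key_bits(128, math.log2(10 ** 6))  # AES-128 keyed from a 6-digit PIN
    for name, bits in (("DES, 56-bit key", 56), ("AES-128", 128),
                       ("AES-128 derived from 6-digit PIN", pin_bits)):
        static = years_to_break(bits, RATE)
        growing = years_to_break(bits, RATE, DOUBLING)
        ok = meets_data_lifetime(bits, LIFETIME, RATE, DOUBLING)
        print(f"{name:34s} static: {static:10.3e} y  growing attacker: {growing:10.3e} y  "
              f"covers {LIFETIME:.0f}-year lifetime: {ok}")
```

Under these assumptions a 56-bit DES key is exhausted in well under a day, so it cannot cover any realistic data lifetime, while the same estimate for a 128-bit key runs to over a century even when the attacker's capacity doubles every two years; keying AES-128 from a six-digit PIN collapses its strength to about 20 bits regardless of the algorithm. The growth model is deliberately simple (exponential capacity increase, brute force only) and says nothing about algorithmic or implementation weaknesses, which is exactly the limitation the post attributes to key-length-only analyses.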
This validation must be undertaken "by design", and the encryption system must be integrated into the processing as established in the Privacy by Design Guide published by the Spanish Data Protection Agency.
This post about encryption and privacy is related to another article on the AEPD blog, 'Encryption and Privacy: Encryption in the GDPR'.