Utm swiss 721 black condensed

978-1-7281-2856-6/19/$31.00 ©2019 IEEE

A Social Economic Analysis of the Impact of GDPR on Security and Privacy Practices

Roslyn Layton Center for Communication, Media and Information

Technologies Aalborg University

Copenhagen, Denmark rl@es.aau.dk

Silvia Elaluf-Calderwood Delray Beach, United States of America

silelf@me.com

Abstract— The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have been presented by many policymakers as fundamental, welfare enhancing policies. While individuals value privacy, these policies require significant up front and ongoing investment by firms. For example, an analysis commissioned by the California Department of Justice’s Office of the Attorney General estimates 14:1 cost to benefit ratio. No such analysis could be found from EU authorities for the GDPR.

Sweeping regulatory regimes can create unintended consequences. This paper offers a brief introduction to the new cybersecurity challenges created by the GDPR and CCPA within firms and in the larger Internet ecosystem. As a result of the regulation, firms face many challenges to comply with costly and complex rules, broad definitions of personally identifiable information (PII), and increased risk of fee and/or lawsuit for violations, vulnerabilities, and lack of compliance. Since the promulgation of the GDPR, important security side effects have reported including the blocking of public information in the WHOIS internet protocol database, identity theft through the hacking of the Right to Access provision (Article 15) and other provisions, and the proliferation of network equipment with security and privacy vulnerabilities.

The paper also offers a brief overview of the Gordon- Loeb (GL) model used for calculating the optimal investment in cybersecurity. [1] A preliminary data set is offered to examine the difficulty of estimating the cost of cybersecurity investment in light of the GDPR. Notably, the value of the European Union’s data economy was estimated to be €300 billion in 2016 [2]. The given GL model would suggest that the optimal investment to protect data would be €13.2 billion. The actual European cyber spend was some €15 billion in 2015, [3] a slightly higher number which covers the EU plus additional European countries, suggesting that the GL model some applicability. There are limited GL type models and tools to guide data protection or privacy investments, and given the emergence of new data protection expectations, it is worth investigating how and whether firms can deliver both sets of expenditures and to what degree. The low level of GDPR compliance suggests that a workable equation of data protection is still not clear for most firms.

Keywords— GDPR, CCPA, security, cybersecurity, WHOIS, privacy, Huawei, Identity Theft

I. BACKGROUND ON THE GDPR In April 2016 the European Union (EU) adopted the

General Data Protection Regulation (Regulation 2016/679, GDPR) [4]. It includes 99 articles and 173 recitals detailing the regulatory requirements. Failure to comply with the regulation can be met with fines up to four percent

of an organization’s annual revenue. The GDPR is not the first data protection regulation for the EU. In fact, it repeals EU directive 95/46/EC, which was the basis for prior national data protection legislation. In the intervening years, data collection and storage has become lifeblood of online marketing and services [5]. The rate and severity of data breach in the EU is also significant.

Rapid technological development has enabled increasing collection, transmission, and storage of user- generated data. By leveraging existing hardware, such as smartphones, the cost for this collection is decreasing as well. This vast amount of data has also led to substantial new developments in Business Models, which enable vertical as well as horizontal integration of services [6]. It has enabled a shift from product development towards information aggregation: Facebook creates no content, Uber does not employ any drivers, Airbnb does not own any real estate, Apple co-shares serves with Amazon for the storage of iCloud users and so on.

Moreover, Internet norms have been resilient in the face of claims of national sovereignty, and many political leaders have argued for rules that restrict freedom of the network. While the policy debate may interchange the notions of data security, data protection, and data privacy, each of these terms has a specific legal meaning. Indeed, the word privacy does not appear in the text of the GDPR, but many believe that it protects privacy when in reality, the GDPR governs data and to regulates the conduct of enterprise. The GDPR applies to any entity in the world which processes the personal data of an EU citizen [7]. The GDPR has become the de facto standard for many information technology industries, however the cost of compliance is significant. For example, some estimates suggest that the cost of compliance for Internet of Things (IoT) firms could increase by three to four times on average and by as much as 18 times compared to earlier regulatory regimes [8].

The GDPR does not apply to non-personal information and states that disclosure of personal information can be warranted for matters such as consumer protection, public safety, law enforcement, enforcement of rights, cybersecurity, and combating fraud. Moreover, the GDPR does not apply to domain names registered to USA registrants, registrars, or registries. Nor does it apply to domain name registrants that are companies, businesses, or other legal entities, rather than “natural persons.” All the same, many actors including the Internet Corporation for Assigned Names and Numbers (ICANN) are practicing a prophylactic censorship of personal data because of fear of violating GDPR requirements.

2

The paper introduces some preliminary information about the Gordon-Loeb Model and cost benefit analysis, then illustrates examples of the security problems created by GDPR– some expected, others not envisaged – and their repercussions. It concludes with an attempt to apply these cases to the preliminary predictive Gordon Loeb model and draws conclusions for further analysis and research.

II. INTRODUCTION TO THE GORDON-LOEB MODEL The Gordon-Loeb (GL) model is a mathematical

economic model used to predict a firm’s optimal investment in information security. Compared to other investments by firms to maximize profits, investments in cybersecurity are designed to minimize loss [9]. Indeed, investments required by the GDPR to protect data have a similar counterintuitive accounting. The GL calculation requires a firm to estimate the value of its data set, the probability of an attack on the data, and the likelihood that the attack is a success. It is expected that a firm would spend some amount, equal to a small fraction of the total value of the data, to protect the data. The model shows that spending on cybersecurity generally tops out at 37 percent of predicted loss. However, not all losses are created equal. Depending on the vulnerability and type of attack, the firm could experience either increasing or decreasing returns to incremental investment.

The GDPR requires the “security of processing” which provides for the controller and process to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” (Article 32). While the GDPR regulations fall equally on firms, firms are not equally situated to bear the cost of compliance nor do they have the same risk profile. Consider the resources of Google versus one of its ad tech startup competitors. Both must invest in a Chief Privacy Officer, assessment, audits, and the technical capabilities to deliver the 17 enumerated rights (access, correction, deletion, transfer, stopping algorithmic processing etc.). Moreover, both can be subject to legal action and investigation for violation and non-compliance. However, Google has far more resources to comply with the regulation and to defend itself from enforcement and lawsuits.

Firms are also situated differently depending on their hard or soft assets. Take that European invention, the mobile network virtual operator (MVNO), which regulators designed to create artificial competition against mobile network operators (MNO). Imagine a mobile network operator with 1 million customers, each with a monthly average revenue per user (ARPU) of €10 per month, and a total turnover of €12 million. Then consider its MVNO competitor with 1 million customers each with ARPU of €10 and a total turnover of €12 million. The value of the personal data of the two firms may be the same, but the MNO must also secure the physical networks from cyberattacks, while the MVNO, being merely a reseller of traffic, does not have this same security cost. The situation becomes even more difficult when accounting for the complexity of network

equipment which itself may entail security and privacy risks, as detailed later in the paper.

The appendix provides simple GL calculations with given variables such as the value of the firm’s data, the attack probability, the attack success probability, the potential loss, the GL coefficient of 37%, and the optimal investment. Any one of these numbers could vary widely depending on the firm, the risks, the types of attacks, and the cybersecurity solutions employed. Even the value of data itself can vary depending on whether the data is in a standalone record versus an aggregated database. Indeed, this itself is likely to bedevil firms in estimating the total value of their data because the value will be constantly changing if and when users request to change or remove their data or to stop processing. Moreover, firms know very little about the probability of attack or the likelihood of its success. The proposed calculations demonstrate how changing the variables even slightly can have a major impact on expected investment, for example a high probability attack with a low success rate can require double the investment to mitigate versus a low probability attack with a high success rate. The model calculations are linear with no discounting. The question of cybersecurity investment becomes even more important because of GDPR, which represents a new cost for firms and strains the overall enterprise budget. Whereas cybersecurity investment protects against loss, it is not clear how firms benefit from GDPR, other than to comply with the law and possibly to avoid fines and litigation. The GDPR has broad definitions of personally identifiable information can create challenges for firms and other organizations in identifying which information to protect and how to do it. GDPR and CCPA can be construed to apply not only to explicit personal information such as name and phone number, but derivative information such as IP address, personal property records, biometric information, internet browsing, geolocation, and audio, visual, electronic, thermal, barometric, and olfactory information collected from internet of things devices

The International Association of Privacy Professionals reports that the average spend for a European firm for GDPR compliance is about €2.7 million [10]. This amount comes on top of cybersecurity investments. Many Fortune 500 firms have earmarked funds for additional GDPR upgrades, some €7 billion in total [11]. However, many firms, notably small and medium sized enterprises (SMEs) have decided not to comply with the GDPR either because of the cost, complexity, or the view that they will not be targeted by authorities or litigants. Indeed, less than half of eligible firms are fully compliant with the GDPR; one-fifth say that full compliance is impossible [12]. In a recent survey of small business owners in the EU, nine out of ten reported not knowing about the GDPR or that its fines for non-compliance could adversely impact them [13].

Firms are right to be concerned about non-compliance. Fines up to 4 percent of total annual revenue can be levied for violation and failure to comply. Failing to meet one of

3

the 45 business regulations of the GDPR appears to be the leading cause of complaints against individuals, small businesses, and nonprofit organizations, as noted by the of Ireland’s Data Protection Commission (DPC) [14]. The chief of the DPC reported that the bulk of complaints are billing issues with retailers and bank statement disputes. While these issues are already covered under other laws, plaintiffs can use the GDPR to win additional leverage for separate legal actions and litigation such as wrongful termination, personal injury, identity theft, inappropriate disclosure, and so on. The cost that GDPR imposes on the economy is associated with a direct welfare loss of about €260 per European citizen [15]. The monetary benefits of the GDPR to European citizens are unclear.

Given the GDPR’s cost and complexity, many firms turn to cyberinsurance to protect themselves from risk, and the insurance industry has seen an increase of activity as a result [16].

By way of comparison, the CCPA has a similar cost profile to the GDPR. The California Department of Justice’s Office of the Attorney General recently issued a cost benefit analysis of the CCPA legislation and its own supplementary regulation. It notes the total initial compliance cost of $55 billion, 1.8 percent of California’s gross domestic product in 2018, and another $16 billion in the coming decade. [17] About half of surveyed firms expect costs to run between $100,000 and $1 million, with vast majority of the fees going for legal services. The report also notes that 99 percent of California companies have fewer than 500 employees, meaning that costs will fall hardest on the firms with the least amount of resources and employees. [18]

Even with sophisticated modeling and economic projections, there are no scenarios in which benefits either meet or exceed costs with the CCPA. The most generous models suggest consumer benefit could amount to $1.6– $5.4 billion over time based on experiments in which consumers report willingness to pay for privacy features. Other cost benefit models suggest conservatively that the costs of the CCPA exceed benefits by a factor of four. [19]

III. GDPR AND CYBERSECURITY

This section details the key cyber risks of the GDPR: identity theft, WHOIS blocking, and the proliferation of vulnerable network equipment.

A. Identity Theft Identity theft is a key area of application for the GL model [20]. The GDPR enforcement has unwittingly created incentives for identity theft and online fraud. [21]. The GDPR and the CCPA mandate that firms enable a series of “rights” for users to control their data including access, rectification/erasure, ability to be “forgotten”, restriction of processing, objection to marketing, and data portability. In addition to declaring the technical acts of data protection as fundamental rights, the GDPR assure rights to complaint, representation by non-profit organizations, and judicial remedy. These rights are not insignificant for firms, as the GDPR provisions incentivize non-profit organizations to form and to litigate with class action lawsuits with users from around the world. Few firms

have the resources to withstand such a global onslaught and the sophistication of litigation financiers such as Roland-Prozessfinanz that partner with GDPR-driven non-profits such as “none of your business” (noyb), an organization founded by Austrian activist Max Schrems and whose board members and advisors include data protection authorities from nation states and the European Commission.

Many GDPR provisions can be gamed by hackers and identity thieves. In order to comply with rules, firms must develop data pools to respond to user requests, creating a target-rich environment for cyber criminals [22]. As part of a security conference, an Oxford University PhD student in digital security detailed how he could obtain his fiancées personal information through GDPR requests, including credit card and social security numbers, passwords, and even her mother's maiden name. [23] Firms not wanting to violate the GDPR requirements, have allow access with only with minimal user verification.

While firms can and should authenticate users,

the speed of GDPR promulgation and the severity of punishments is likely to have forced firms into enabling features without identifying and mitigating the security risks. Identity theft is significant in the EU (particularly the stealing of one’s identity to be used for financial transactions), with billions of euros of real losses annually, but the risk of increased identity theft with GDPR implementation does not appear to be a concern of EU policymakers. Even though the GDPR is purported to have security allowances, it is not clear how courts will rule; as it appears that firms can be criminalized for not making GDPR rights available, even if the provision of the right endangers users’ security.

B. WHOIS and Cyberrisks The GDPR has created increased cyber risk with

prophylactic masking of personal information from the WHOIS (short for "Who is responsible for this domain name?") [24]. The WHOIS query and response protocol for internet domain names, IP addresses, and autonomous systems is used by law enforcement, cybersecurity professionals, researchers, and trademark and intellectual property rights holders [25]. A key unintended consequence of the GDPR is that it undermines the transparency of the international systems and architectures that organize the internet. Following the promulgation of the GDPR, ICANN announced a Temporary Specification that allows registries and registrars to obscure WHOIS information that was previously required to make public [26]. This has hindered efforts to combat unlawful activity online, including terrorism [27], identity theft, cyberattacks, online espionage, theft of intellectual property, fraud, unlawful sale of drugs, human trafficking, and other criminal behavior. The GDPR does not require the masking of the WHOIS, but ICANN took this drastic step for fear of setting off the GDPR’s legal tripwire.

The GDPR does not apply at all to non-personal information and states that disclosure of personal information can be warranted for matters such as consumer protection, public safety, law enforcement, enforcement of

4

rights, cybersecurity, and combating fraud. Moreover, the GDPR does not apply to domain names registered to US registrants by USA registrars and registries. Nor does it apply to domain name registrants that are companies, businesses, or other legal entities, rather than “natural persons.” All the same, international actors including ICANN are practicing voluntary censorship because the GDPR’s provisions are so vague and the potential penalties so high. GDPR proponents and advocates have likely contributed to the impression that the GDPR urges measures such as the Temporary Specification. For example, in her role in the Article 29 Working Party, the group that drove the promulgation of the GDPR, Andrea Jelinek, head of Austria’s DPA, said that the elimination and masking of WHOIS information is justified under the GDPR [28].

The WHOIS problem can be described as the conflict between the enforcement of individual’s right to privacy and the public’s right to know [29]. The situation harkens back to the policy fallacy that caller ID violated the privacy rights of callers. Today the receiver’s right to know who is calling is prioritized over the caller’s right to remain anonymous [30]. Similarly, it is reasonable to expect that needs of public safety will sometimes supersede data protection, particularly in situations of danger to human life. Moreover, one should expect intellectual property to be in balance with data protection, not in conflict, as it is under the GDPR. The EU has chosen a normative path of data protection law that is significantly faster than that of other kinds of law, leading one scholar to suggest that it threatens to upend the balance with other fundamental rights [31]. This point is underscored by legal scholar Richard Epstein in his critique of the notion that granting positive rights is “always easy, if not inevitable, to expand the set of rights without adverse social consequences;” such expansive theories never stop to consider that, when rights are expanded, correlative duties are imposed on others [32]. Indeed, the notion that the GDPR should even be examined from an economic or cost-benefit framework is rejected by many policymakers, noting that rights transcend economic concerns. It could be that a realistic assessment of the cost and benefits of the GDPR could lead to discussion of alternative, less costly methods to deliver data protection.

C. Vulnerable network equipment In their rush to promulgate the GDPR and declare

global moral superiority, whilst trying to enable fast development of a European native digital economy, European policymakers minimized, if not disregarded, the threats to privacy and security posed by Chinese network hardware manufacturers Huawei, ZTE, Lenovo, and others [33]. European authorities, wanting to expand broadband networks quickly and cheaply, blessed the construction of communications networks with equipment and services from dubious vendors. The products and services of many of these vendors, whether directly or indirectly, enables Chinese government and military to access Europeans’ data in the cloud, through backdoors, by hacking, or through other illicit means. Ironically, the EU may have the perfect data protection regime, but it is built on unsafe networks. The GDPR means little if Europeans use the same makers of networks and services that the Chinese Community Party government uses to process and surveille the Chinese people.

The United Kingdom is investigating the makers of the Chinese app TikTok for GDPR violations (after it received record fines in the US for violating child privacy laws [34]), and at Huawei, which provides key infrastructure inputs for China’s surveillance state [35]. As many EU nations are entangled in trade with China, some data protection authorities may be pressured not to bring complaints against Chinese violators of the GDPR.

Information law scholar Jane Winn offers a valuable comparison between the approaches in the EU, US, and China in the digital domain. [36] She notes that the 2000 Lisbon Strategy promising to make EU "the most competitive and dynamic knowledge-based economy in the world capable of sustainable economic growth with more and better jobs and greater social cohesion" by 2010 was not achieved, and was subsequently followed by another 10 year plan calling for “smart, sustainable, inclusive growth.” By 2019, the digital dream of the EU has still not been realized. Many EU voters want to leave the EU, believing it to be a failed experiment. Moreover, while policymakers believe that bureaucratic administration of the personal control of data is a fundamental right, it does not appear that Europeans have more trust in the system as the result of successive data protection regulation. Indeed 18 months after the promulgation of the GDPR, Europeans report the lowest level of trust online ever. [37] Winn observes, “The unexpected and sudden rise of China as an innovation powerhouse with the aspiration to lead the global process of digital transformation demonstrates the short- sightedness of Europe’s strategy of allowing technocrats instead of entrepreneurs to lead Europe’s innovation and global competitiveness strategies. Neither the U.S. nor China have been hobbled by comprehensive, general data protection laws that were already a poor fit for business practice in the age of mainframe computers and are completely misaligned with the realities of the tsunami of digital transformation now sweeping over the world.” Winn advocates for certifiable technical standards for online privacy with a safe harbor for companies to transition rather than the EU’s command and control approach.

IV. CONCLUSIONS This paper explores some of the cybersecurity

implications of the GDPR and its challenge to enterprise – particularly SMEs. Not only does the economic impact of the GDPR seem of little concern to EU policymakers, its significant cyber risks have been downplayed, if not ignored outright. The paper presented a brief introduction to the Gordon-Loeb model and a preliminary data set to investigate how firms budget for cybersecurity investments. This is contrasted to the new regime of data protection and whether and how firms can budget for both domains. The question of budgeting is further complicated because the benefits of the GDPR for firms are unclear.

The GDPR has increased cyber risk, as immediately following its promulgation, vital information from the WHOIS was masked, crippling access to law enforcement and public safety officials which rely on this information. Meanwhile broad access rights were granted to users which can be gamed by cyber criminals. The proliferation

5

of vulnerable network equipment is a growing concern which has had mixed response from EU authorities. Personal data processing and surveillance by the Chinese Communist Party has reached an unprecedented scale, and the same vendors which enable these practices in China are operating with the same or similar products and services in the EU, likely enabling data processing of European citizens today in violation of the GDPR.

The paper points to areas for further research including but not limited to quantification of the costs and benefits of the GDPR and development of Gordon-Loeb type models for data protection investments. Given that less than half of all applicable firms comply with the GPDR, it worthwhile exploring low-cost alternatives to increase data protection such as cyberinsurance and certifiable technical standards.

REFERENCES [1] Gordon, Lawrence A., Martin P. Loeb, and Lei Zhou. ‘Investing in Cybersecurity: Insights from the Gordon-Loeb Model’. Journal of Information Security 7 (2016): 49–59. [2] European Commission, ‘Final results of the European Data Market study measuring the size and trends of the EU data economy’. Reports and Studies (May 2, 2017), https://ec.europa.eu/digital-single- market/en/news/final-results-european-data-market-study-measuring- size-and-trends-eu-data-economy [3] “Europe Cyber Security Market - By Type of Security (Network Security, End Point Security, Application Security, Cloud Security, Wireless Security), Solution (IAM, DLP, SVM, IPS, UTM, Enterprise Risk and Compliance, Managed Security Services), Services.” n.d. https://www.mordorintelligence.com/industry-reports/europe-cyber- security-market [4] European Union: Regulation 2016/679 of the European Parliament and the Council of the European Union (2016) [5] Menon, Mohan. ‘GDPR and Data Powered Marketing: The Beginning of a New Paradigm’. Journal of Marketing Development and Competitiveness 13, no. 2 (2019): 73–84. [6] Huth, Dominik. ‘A Pattern Catalog for GDPR Compliant Data Protection’. In PoEM 2017 Doctoral Consortium and Industry Track Papers, 2027:34–40. Leuven, Belgium: CEURS-WS.org, 2017. Accessible at : https://pdfs.semanticscholar.org/8516/123f68307638c6c95f202e43624af e9ab74d.pdf. [7] Garcia Martines, Francisco. ‘Analysis of the US Privacy Model: Implications of the GDPR in the US’. IGI Global Disseminator of Knowledge, 2019. https://www.igi-global.com/article/analysis-of-the-us- privacy-model/234344. [8] Seo, Junwoo, Kyoungmin Kim, Mookyu Park, and Kyungho Lee. ‘An Analysis of Economic Impact on IoT Industry under GDPR’. Mobile Information Systems Vol 2018, no. Online (2018): 6. https://doi.org/10.1155/2018/6792028. [9] Enisa, ‘Introduction to Return on Security Investment’, (December 2012), https://www.enisa.europa.eu/publications/introduction-to-return- on-security-investment/at_download/fullReport [10] International Association of Privacy Professionals, “IAPP-EY Annual Governance Report 2018,” 2019, https://iapp.org/resources/article/iapp-ey-annual-governance-report- 2018/. [11] https://iapp.org/news/a/survey-fortune-500-companies-to-spend-7- 8b-on-gdpr-compliance/ [12] International Association of Privacy Professionals, “IAPP-EY Annual Governance Report 2018.” [13] https://www.hiscox.co.uk/business-blog/gdpr-still-mystery-smes- risks-non-compliance/ [14] https://www.commerce.senate.gov/public/_cache/files/82740fd0- dc86-4665-9c3f- 378892c6fca0/649B8DBDAF3E93DC2B0B79B982E83585.05-01- 19dixon-testimony.pdf [15] Hosuk Lee-Makiyama, “The Political Economy of Data: EU Privacy Regulation and the International Redistribution of Its Costs,” in

Protection of Information and the Right to Privacy—A New Equilibrium?, ed. Luciano Floridi (Springer, 2014), 85–94. This methodology is expanded in Erik Van der Marel et al., “A Methodology to Estimate the Costs of Data Regulations,” International Economics 146 (2016): 12–39. [16] Schwartz, Mathew J., ‘How Cyber Insurance Is Changing in the GDPR Era’, Bankinfosecurity.com (November 7, 2018) https://www.bankinfosecurity.com/how-cyber-insurance-changing-in- gdpr-era-a-11686 [17] Berkeley Economic Advising and Research, “Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations,” State of California Department of Justice Office of the Attorney General, August 2019, http://www.dof.ca.gov/Forecasting/Economics/Major_Regulations/Majo r_Regulations_Table/documents/CCPA_Regulations-SRIA-DOF.pdf. [18] Ibid p. 31 [19] Roslyn Layton. “The costs of California’s online privacy rules far exceed the benefits.” AEIdeas. March 22, 2019. https://www.aei.org/technology-and-innovation/the-costs-of-californias- online-privacy-rules-far-exceed-the-benefits/ [20]Scott Farrow and Jules Szanton. “Cybersecurity_Investment Guidance_Extensions_of_the_Gordon_and_Loeb_Model.” Journal of Information Security 07(02):15-28.January 2016 [21] Zac Cohen, “The Fraud Risk Underlying GDPR’s ‘Right to Be Forgotten,’” Trulioo: Global Identity Verification (blog), July 3, 2018, https://www.trulioo.com/blog/fraud-risk-gdpr/. [22] ANA, “The CCPA—Making Things Worse,” March 4, 2019, https://www.ana.net/blogs/show/id/rr-blog-2019-01-The-CCPA-Making- Things-Worse. [23] https://www.insideprivacy.com/ccpa/new-research-exposes-perils- of-bogus-access-requests-under-gdpr-with-implications-for-ccpa/ [24] Anthony J. Ferrante, “The Impact of GDPR on WHOIS: Implications for Businesses Facing Cybercrime,” Text, 2018, https://www.ingentaconnect.com/content/hsp/jcs/2018/00000002/000000 02/art00006. [25] Shane Tews, “How European Data Protection Law Is Upending the Domain Name System,” AEIdeas, February 26, 2018, https://www.aei.org/publication/how-european-data-protection-law-is- upending-the-domain-name-system/. [26] Temporary Specification for gTLD Registration Data, ICANN, adopted May 17, 2018, https://www.icann.org/resources/pages/gtld- registration-data-specs-en. [27] https://www.bloomberg.com/news/articles/2019-07-08/european- privacy-laws-may-be-hampering-those-catching-terrorists [28] Letter from Andrea Jelinek, Chairperson of Article 29 Data Protection Working Party, to Göran Marby, President of ICANN, April 11, 2018, https://www.icann.org/en/system/files/correspondence/jelinek- to-marby-11apr18-en.pdf. [29] Shane Tews, Privacy and Europe’s Data Protection Law: Problems and Implications for the US, AEIdeas, May 8, 2018, http://www.aei.org/publication/privacy-and-europes-data-protection-law- problems-and-implications-for-the-us/. [30] See Hurwitz and Jaffer, “Modern Privacy Advocacy,” 179. [31] See Brkan, “The Unstoppable Expansion of the EU Fundamental Right to Data Protection,” 180. [32] Richard Epstein, “A Not Quite Contemporary View of Privacy,” Harvard Journal of Public Policy 41 no. 95 (2018), http://www.harvard- jlpp.com/wp-content/uploads/2018/01/EpsteinPanel_FINAL.pdf. [33] European Commission. “Member States publish a report on EU coordinated risk assessment of 5G networks security.” 9 October 2019 And NATO Cooperative Cyber Defence Centre of Excellence. “Huawei, 5G, and China as a Security Threat.” N.d. https://ccdcoe.org/library/publications/huawei-5g-and-china-as-a- security-threat/ [34] https://www.theguardian.com/technology/2019/jul/02/tiktok-under- investigation-over-child-data-use?CMP=Share_iOSApp_Other [35] https://gdpr.report/news/2019/04/01/huawei-security-criticised-in-a- new-study/ [36] Winn, Jane, The Governance Turn in Information Privacy Law (July 11, 2019). Available at SSRN: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3418286 [37] European Commission. Public Opinion on Trust on the Internet. September 2018. https://ec.europa.eu/commfrontoffice/publicopinion/index.cfm/Chart/get Chart/themeKy/18/groupKy/93

6

APPENDIX

Data Value Attack Probability

Attack Success

Probability Potential Loss GL Coefficient

Optimal Investment

Basic Model* € 100,000 0.15 0.8 € 12,000 0.37 € 4,440 € 250,000 0.15 0.8 € 30,000 0.37 € 11,100 € 500,000 0.15 0.8 € 60,000 0.37 € 22,200 € 1,000,000 0.15 0.8 € 120,000 0.37 € 44,400 € 5,000,000 0.15 0.8 € 600,000 0.37 € 222,000 € 10,000,000 0.15 0.8 € 1,200,000 0.37 € 444,000 € 50,000,000 0.15 0.8 € 6,000,000 0.37 € 2,220,000 € 100,000,000 0.15 0.8 € 12,000,000 0.37 € 4,440,000 *Entering €300 billion into the basic models yields €13.2 billion. Model with Doubled Attack Probability € 100,000 0.3 0.8 € 24,000 0.37 € 8,880 € 250,000 0.3 0.8 € 60,000 0.37 € 22,200 € 500,000 0.3 0.8 € 120,000 0.37 € 44,400 € 1,000,000 0.3 0.8 € 240,000 0.37 € 88,800 € 5,000,000 0.3 0.8 € 1,200,000 0.37 € 444,000 € 10,000,000 0.3 0.8 € 2,400,000 0.37 € 888,000 € 50,000,000 0.3 0.8 € 12,000,000 0.37 € 4,440,000 € 100,000,000 0.3 0.8 € 24,000,000 0.37 € 8,880,000 Model with Basic Attack Probability but slightly increased attack success € 100,000 0.15 0.9 € 13,500 0.37 € 4,995 € 250,000 0.15 0.9 € 33,750 0.37 € 12,488 € 500,000 0.15 0.9 € 67,500 0.37 € 24,975 € 1,000,000 0.15 0.9 € 135,000 0.37 € 49,950 € 5,000,000 0.15 0.9 € 675,000 0.37 € 249,750 € 10,000,000 0.15 0.9 € 1,350,000 0.37 € 499,500 € 50,000,000 0.15 0.9 € 6,750,000 0.37 € 2,497,500 € 100,000,000 0.15 0.9 € 13,500,000 0.37 € 4,995,000 Model with High Attack Probability but low attack success € 100,000 0.5 0.5 € 25,000 0.37 € 9,250 € 250,000 0.5 0.5 € 62,500 0.37 € 23,125 € 500,000 0.5 0.5 € 125,000 0.37 € 46,250 € 1,000,000 0.5 0.5 € 250,000 0.37 € 92,500 € 5,000,000 0.5 0.5 € 1,250,000 0.37 € 462,500 € 10,000,000 0.5 0.5 € 2,500,000 0.37 € 925,000 € 50,000,000 0.5 0.5 € 12,500,000 0.37 € 4,625,000 € 100,000,000 0.5 0.5 € 25,000,000 0.37 € 9,250,000

<< /ASCII85EncodePages false /AllowTransparency false /AutoPositionEPSFiles true /AutoRotatePages /None /Binding /Left /CalGrayProfile (Gray Gamma 2.2) /CalRGBProfile (sRGB IEC61966-2.1) /CalCMYKProfile (U.S. Web Coated \050SWOP\051 v2) /sRGBProfile (sRGB IEC61966-2.1) /CannotEmbedFontPolicy /Error /CompatibilityLevel 1.7 /CompressObjects /Off /CompressPages true /ConvertImagesToIndexed true /PassThroughJPEGImages true /CreateJobTicket false /DefaultRenderingIntent /Default /DetectBlends true /DetectCurves 0.0000 /ColorConversionStrategy /LeaveColorUnchanged /DoThumbnails false /EmbedAllFonts true /EmbedOpenType false /ParseICCProfilesInComments true /EmbedJobOptions true /DSCReportingLevel 0 /EmitDSCWarnings false /EndPage -1 /ImageMemory 1048576 /LockDistillerParams true /MaxSubsetPct 100 /Optimize true /OPM 0 /ParseDSCComments false /ParseDSCCommentsForDocInfo true /PreserveCopyPage true /PreserveDICMYKValues true /PreserveEPSInfo false /PreserveFlatness true /PreserveHalftoneInfo true /PreserveOPIComments false /PreserveOverprintSettings true /StartPage 1 /SubsetFonts true /TransferFunctionInfo /Remove /UCRandBGInfo /Preserve /UsePrologue false /ColorSettingsFile () /AlwaysEmbed [ true /AbadiMT-CondensedLight /ACaslon-Italic /ACaslon-Regular /ACaslon-Semibold /ACaslon-SemiboldItalic /AdobeArabic-Bold /AdobeArabic-BoldItalic /AdobeArabic-Italic /AdobeArabic-Regular /AdobeHebrew-Bold /AdobeHebrew-BoldItalic /AdobeHebrew-Italic /AdobeHebrew-Regular /AdobeHeitiStd-Regular /AdobeMingStd-Light /AdobeMyungjoStd-Medium /AdobePiStd /AdobeSongStd-Light /AdobeThai-Bold /AdobeThai-BoldItalic /AdobeThai-Italic /AdobeThai-Regular /AGaramond-Bold /AGaramond-BoldItalic /AGaramond-Italic /AGaramond-Regular /AGaramond-Semibold /AGaramond-SemiboldItalic /AgencyFB-Bold /AgencyFB-Reg /AGOldFace-Outline /AharoniBold /Algerian /Americana /Americana-ExtraBold /AndaleMono /AndaleMonoIPA /AngsanaNew /AngsanaNew-Bold /AngsanaNew-BoldItalic /AngsanaNew-Italic /AngsanaUPC /AngsanaUPC-Bold /AngsanaUPC-BoldItalic /AngsanaUPC-Italic /Anna /ArialAlternative /ArialAlternativeSymbol /Arial-Black /Arial-BlackItalic /Arial-BoldItalicMT /Arial-BoldMT /Arial-ItalicMT /ArialMT /ArialMT-Black /ArialNarrow /ArialNarrow-Bold /ArialNarrow-BoldItalic /ArialNarrow-Italic /ArialRoundedMTBold /ArialUnicodeMS /ArrusBT-Bold /ArrusBT-BoldItalic /ArrusBT-Italic /ArrusBT-Roman /AvantGarde-Book /AvantGarde-BookOblique /AvantGarde-Demi /AvantGarde-DemiOblique /AvantGardeITCbyBT-Book /AvantGardeITCbyBT-BookOblique /BakerSignet /BankGothicBT-Medium /Barmeno-Bold /Barmeno-ExtraBold /Barmeno-Medium /Barmeno-Regular /Baskerville /BaskervilleBE-Italic /BaskervilleBE-Medium /BaskervilleBE-MediumItalic /BaskervilleBE-Regular /Baskerville-Bold /Baskerville-BoldItalic /Baskerville-Italic /BaskOldFace /Batang /BatangChe /Bauhaus93 /Bellevue /BellMT /BellMTBold /BellMTItalic /BerlingAntiqua-Bold /BerlingAntiqua-BoldItalic /BerlingAntiqua-Italic /BerlingAntiqua-Roman /BerlinSansFB-Bold /BerlinSansFBDemi-Bold /BerlinSansFB-Reg /BernardMT-Condensed /BernhardModernBT-Bold /BernhardModernBT-BoldItalic /BernhardModernBT-Italic /BernhardModernBT-Roman /BiffoMT /BinnerD /BinnerGothic /BlackadderITC-Regular /Blackoak /blex /blsy /Bodoni /Bodoni-Bold /Bodoni-BoldItalic /Bodoni-Italic /BodoniMT /BodoniMTBlack /BodoniMTBlack-Italic /BodoniMT-Bold /BodoniMT-BoldItalic /BodoniMTCondensed /BodoniMTCondensed-Bold /BodoniMTCondensed-BoldItalic /BodoniMTCondensed-Italic /BodoniMT-Italic /BodoniMTPosterCompressed /Bodoni-Poster /Bodoni-PosterCompressed /BookAntiqua /BookAntiqua-Bold /BookAntiqua-BoldItalic /BookAntiqua-Italic /Bookman-Demi /Bookman-DemiItalic /Bookman-Light /Bookman-LightItalic /BookmanOldStyle /BookmanOldStyle-Bold /BookmanOldStyle-BoldItalic /BookmanOldStyle-Italic /BookshelfSymbolOne-Regular /BookshelfSymbolSeven /BookshelfSymbolThree-Regular /BookshelfSymbolTwo-Regular /Botanical /Boton-Italic /Boton-Medium /Boton-MediumItalic /Boton-Regular /Boulevard /BradleyHandITC /Braggadocio /BritannicBold /Broadway /BrowalliaNew /BrowalliaNew-Bold /BrowalliaNew-BoldItalic /BrowalliaNew-Italic /BrowalliaUPC /BrowalliaUPC-Bold /BrowalliaUPC-BoldItalic /BrowalliaUPC-Italic /BrushScript /BrushScriptMT /CaflischScript-Bold /CaflischScript-Regular /Calibri /Calibri-Bold /Calibri-BoldItalic /Calibri-Italic /CalifornianFB-Bold /CalifornianFB-Italic /CalifornianFB-Reg /CalisMTBol /CalistoMT /CalistoMT-BoldItalic /CalistoMT-Italic /Cambria /Cambria-Bold /Cambria-BoldItalic /Cambria-Italic /CambriaMath /Candara /Candara-Bold /Candara-BoldItalic /Candara-Italic /Carta /CaslonOpenfaceBT-Regular /Castellar /CastellarMT /Centaur /Centaur-Italic /Century /CenturyGothic /CenturyGothic-Bold /CenturyGothic-BoldItalic /CenturyGothic-Italic /CenturySchL-Bold /CenturySchL-BoldItal /CenturySchL-Ital /CenturySchL-Roma /CenturySchoolbook /CenturySchoolbook-Bold /CenturySchoolbook-BoldItalic /CenturySchoolbook-Italic /CGTimes-Bold /CGTimes-BoldItalic /CGTimes-Italic /CGTimes-Regular /CharterBT-Bold /CharterBT-BoldItalic /CharterBT-Italic /CharterBT-Roman /CheltenhamITCbyBT-Bold /CheltenhamITCbyBT-BoldItalic /CheltenhamITCbyBT-Book /CheltenhamITCbyBT-BookItalic /Chiller-Regular /Cmb10 /CMB10 /Cmbsy10 /CMBSY10 /CMBSY5 /CMBSY6 /CMBSY7 /CMBSY8 /CMBSY9 /Cmbx10 /CMBX10 /Cmbx12 /CMBX12 /Cmbx5 /CMBX5 /Cmbx6 /CMBX6 /Cmbx7 /CMBX7 /Cmbx8 /CMBX8 /Cmbx9 /CMBX9 /Cmbxsl10 /CMBXSL10 /Cmbxti10 /CMBXTI10 /Cmcsc10 /CMCSC10 /Cmcsc8 /CMCSC8 /Cmcsc9 /CMCSC9 /Cmdunh10 /CMDUNH10 /Cmex10 /CMEX10 /CMEX7 /CMEX8 /CMEX9 /Cmff10 /CMFF10 /Cmfi10 /CMFI10 /Cmfib8 /CMFIB8 /Cminch /CMINCH /Cmitt10 /CMITT10 /Cmmi10 /CMMI10 /Cmmi12 /CMMI12 /Cmmi5 /CMMI5 /Cmmi6 /CMMI6 /Cmmi7 /CMMI7 /Cmmi8 /CMMI8 /Cmmi9 /CMMI9 /Cmmib10 /CMMIB10 /CMMIB5 /CMMIB6 /CMMIB7 /CMMIB8 /CMMIB9 /Cmr10 /CMR10 /Cmr12 /CMR12 /Cmr17 /CMR17 /Cmr5 /CMR5 /Cmr6 /CMR6 /Cmr7 /CMR7 /Cmr8 /CMR8 /Cmr9 /CMR9 /Cmsl10 /CMSL10 /Cmsl12 /CMSL12 /Cmsl8 /CMSL8 /Cmsl9 /CMSL9 /Cmsltt10 /CMSLTT10 /Cmss10 /CMSS10 /Cmss12 /CMSS12 /Cmss17 /CMSS17 /Cmss8 /CMSS8 /Cmss9 /CMSS9 /Cmssbx10 /CMSSBX10 /Cmssdc10 /CMSSDC10 /Cmssi10 /CMSSI10 /Cmssi12 /CMSSI12 /Cmssi17 /CMSSI17 /Cmssi8 /CMSSI8 /Cmssi9 /CMSSI9 /Cmssq8 /CMSSQ8 /Cmssqi8 /CMSSQI8 /Cmsy10 /CMSY10 /Cmsy5 /CMSY5 /Cmsy6 /CMSY6 /Cmsy7 /CMSY7 /Cmsy8 /CMSY8 /Cmsy9 /CMSY9 /Cmtcsc10 /CMTCSC10 /Cmtex10 /CMTEX10 /Cmtex8 /CMTEX8 /Cmtex9 /CMTEX9 /Cmti10 /CMTI10 /Cmti12 /CMTI12 /Cmti7 /CMTI7 /Cmti8 /CMTI8 /Cmti9 /CMTI9 /Cmtt10 /CMTT10 /Cmtt12 /CMTT12 /Cmtt8 /CMTT8 /Cmtt9 /CMTT9 /Cmu10 /CMU10 /Cmvtt10 /CMVTT10 /ColonnaMT /Colossalis-Bold /ComicSansMS /ComicSansMS-Bold /Consolas /Consolas-Bold /Consolas-BoldItalic /Consolas-Italic /Constantia /Constantia-Bold /Constantia-BoldItalic /Constantia-Italic /CooperBlack /CopperplateGothic-Bold /CopperplateGothic-Light /Copperplate-ThirtyThreeBC /Corbel /Corbel-Bold /Corbel-BoldItalic /Corbel-Italic /CordiaNew /CordiaNew-Bold /CordiaNew-BoldItalic /CordiaNew-Italic /CordiaUPC /CordiaUPC-Bold /CordiaUPC-BoldItalic /CordiaUPC-Italic /Courier /Courier-Bold /Courier-BoldOblique /CourierNewPS-BoldItalicMT /CourierNewPS-BoldMT /CourierNewPS-ItalicMT /CourierNewPSMT /Courier-Oblique /CourierStd /CourierStd-Bold /CourierStd-BoldOblique /CourierStd-Oblique /CourierX-Bold /CourierX-BoldOblique /CourierX-Oblique /CourierX-Regular /CreepyRegular /CurlzMT /David-Bold /David-Reg /DavidTransparent /Dcb10 /Dcbx10 /Dcbxsl10 /Dcbxti10 /Dccsc10 /Dcitt10 /Dcr10 /Desdemona /DilleniaUPC /DilleniaUPCBold /DilleniaUPCBoldItalic /DilleniaUPCItalic /Dingbats /DomCasual /Dotum /DotumChe /DoulosSIL /EdwardianScriptITC /Elephant-Italic /Elephant-Regular /EngraversGothicBT-Regular /EngraversMT /EraserDust /ErasITC-Bold /ErasITC-Demi /ErasITC-Light /ErasITC-Medium /ErieBlackPSMT /ErieLightPSMT /EriePSMT /EstrangeloEdessa /Euclid /Euclid-Bold /Euclid-BoldItalic /EuclidExtra /EuclidExtra-Bold /EuclidFraktur /EuclidFraktur-Bold /Euclid-Italic /EuclidMathOne /EuclidMathOne-Bold /EuclidMathTwo /EuclidMathTwo-Bold /EuclidSymbol /EuclidSymbol-Bold /EuclidSymbol-BoldItalic /EuclidSymbol-Italic /EucrosiaUPC /EucrosiaUPCBold /EucrosiaUPCBoldItalic /EucrosiaUPCItalic /EUEX10 /EUEX7 /EUEX8 /EUEX9 /EUFB10 /EUFB5 /EUFB7 /EUFM10 /EUFM5 /EUFM7 /EURB10 /EURB5 /EURB7 /EURM10 /EURM5 /EURM7 /EuroMono-Bold /EuroMono-BoldItalic /EuroMono-Italic /EuroMono-Regular /EuroSans-Bold /EuroSans-BoldItalic /EuroSans-Italic /EuroSans-Regular /EuroSerif-Bold /EuroSerif-BoldItalic /EuroSerif-Italic /EuroSerif-Regular /EUSB10 /EUSB5 /EUSB7 /EUSM10 /EUSM5 /EUSM7 /FelixTitlingMT /Fences /FencesPlain /FigaroMT /FixedMiriamTransparent /FootlightMTLight /Formata-Italic /Formata-Medium /Formata-MediumItalic /Formata-Regular /ForteMT /FranklinGothic-Book /FranklinGothic-BookItalic /FranklinGothic-Demi /FranklinGothic-DemiCond /FranklinGothic-DemiItalic /FranklinGothic-Heavy /FranklinGothic-HeavyItalic /FranklinGothicITCbyBT-Book /FranklinGothicITCbyBT-BookItal /FranklinGothicITCbyBT-Demi /FranklinGothicITCbyBT-DemiItal /FranklinGothic-Medium /FranklinGothic-MediumCond /FranklinGothic-MediumItalic /FrankRuehl /FreesiaUPC /FreesiaUPCBold /FreesiaUPCBoldItalic /FreesiaUPCItalic /FreestyleScript-Regular /FrenchScriptMT /Frutiger-Black /Frutiger-BlackCn /Frutiger-BlackItalic /Frutiger-Bold /Frutiger-BoldCn /Frutiger-BoldItalic /Frutiger-Cn /Frutiger-ExtraBlackCn /Frutiger-Italic /Frutiger-Light /Frutiger-LightCn /Frutiger-LightItalic /Frutiger-Roman /Frutiger-UltraBlack /Futura-Bold /Futura-BoldOblique /Futura-Book /Futura-BookOblique /FuturaBT-Bold /FuturaBT-BoldItalic /FuturaBT-Book /FuturaBT-BookItalic /FuturaBT-Medium /FuturaBT-MediumItalic /Futura-Light /Futura-LightOblique /GalliardITCbyBT-Bold /GalliardITCbyBT-BoldItalic /GalliardITCbyBT-Italic /GalliardITCbyBT-Roman /Garamond /Garamond-Bold /Garamond-BoldCondensed /Garamond-BoldCondensedItalic /Garamond-BoldItalic /Garamond-BookCondensed /Garamond-BookCondensedItalic /Garamond-Italic /Garamond-LightCondensed /Garamond-LightCondensedItalic /Gautami /GeometricSlab703BT-Light /GeometricSlab703BT-LightItalic /Georgia /Georgia-Bold /Georgia-BoldItalic /Georgia-Italic /GeorgiaRef /Giddyup /Giddyup-Thangs /Gigi-Regular /GillSans /GillSans-Bold /GillSans-BoldItalic /GillSans-Condensed /GillSans-CondensedBold /GillSans-Italic /GillSans-Light /GillSans-LightItalic /GillSansMT /GillSansMT-Bold /GillSansMT-BoldItalic /GillSansMT-Condensed /GillSansMT-ExtraCondensedBold /GillSansMT-Italic /GillSans-UltraBold /GillSans-UltraBoldCondensed /GloucesterMT-ExtraCondensed /Gothic-Thirteen /GoudyOldStyleBT-Bold /GoudyOldStyleBT-BoldItalic /GoudyOldStyleBT-Italic /GoudyOldStyleBT-Roman /GoudyOldStyleT-Bold /GoudyOldStyleT-Italic /GoudyOldStyleT-Regular /GoudyStout /GoudyTextMT-LombardicCapitals /GSIDefaultSymbols /Gulim /GulimChe /Gungsuh /GungsuhChe /Haettenschweiler /HarlowSolid /Harrington /Helvetica /Helvetica-Black /Helvetica-BlackOblique /Helvetica-Bold /Helvetica-BoldOblique /Helvetica-Condensed /Helvetica-Condensed-Black /Helvetica-Condensed-BlackObl /Helvetica-Condensed-Bold /Helvetica-Condensed-BoldObl /Helvetica-Condensed-Light /Helvetica-Condensed-LightObl /Helvetica-Condensed-Oblique /Helvetica-Fraction /Helvetica-Narrow /Helvetica-Narrow-Bold /Helvetica-Narrow-BoldOblique /Helvetica-Narrow-Oblique /Helvetica-Oblique /HighTowerText-Italic /HighTowerText-Reg /Humanist521BT-BoldCondensed /Humanist521BT-Light /Humanist521BT-LightItalic /Humanist521BT-RomanCondensed /Imago-ExtraBold /Impact /ImprintMT-Shadow /InformalRoman-Regular /IrisUPC /IrisUPCBold /IrisUPCBoldItalic