GDPR AND THIRD PARTY JS - CAN IT BE DONE? presented at blackhateu 2017

by Avital Grushcovski,

Summary : The European Union's General Data Protection Regulation (GDPR) is set to go into effect in a matter of months, and already it is having a profound effect. Under GDPR rules, companies that collect or store data belonging to EU citizens or entities are required to provide top-notch privacy and security to protect that data; otherwise they could could face huge fines – as large as €20m.As a result, companies that collect or store data are working to meet GDPR compliance. But some things are out of their control – among them third-party scripts that almost all websites depend upon to provide essential web services. Those scripts are controlled by third-parties, who may not be GDPR-compliant themselves.Under GDPR rules, they may get fined – but the site that hosted the script is responsible too, and itself could face fines if a hacker compromises those scripts, hijacking data, installing keyloggers, etc. It's far from an uncommon problem; Banks, e-commerce sites, publishers, HMOs, insurance firms, and many others have unwittingly taken on partners whose scripts provide social media, e-commerce, advertising, content, analytics, and more – thus 'owning' their partners' security risks, too.There have been many attempts to identify these breaches, from isolating scripts inside iFrames to scanning websites remotely using robots, to code review prior to implementation, but none of these have eliminated the problem. We propose a system where the script's actions could be isolated, and executed in an isolated environment before it is allowed to act on a "live" page. A security system would examine the script's actions; if it acts as expected, it is allowed to apply its execution to the actual page, and if not, it remains isolated and the page remains unaffected by its payload. Thus can administrators protect themselves and avoid violating GDPR rules.