Is Full SSL/Deep-Packet Inspection Allowed Under GDPR

Posted by DH_Net_Tech@reddit | sysadmin | View on Reddit | 6 comments

Just curious if anyone else has been faced with this type of scenario. My understanding is that the implementation of Full SSL/DPI has become a fairly standard measure for most organizations as it allows for much better coverage and forensics with Web and Application filtering in modern firewalls, but I was unaware if it's use conflicted with GDPR as it lays everyone's internet traffic to bare in all but plaintext. Typical practice that I've witnessed only has DPI being used to enforce network security polices, but I have heard tell of it being used in forensics to unknowingly mirror all of a suspect user's data out for forensics purposes. Are there certain measures that need to be taken to allow typical DPI while still remaining compliant with the GDPR or do those polices effectively make DPI impossible to do if you want to stay legal in the EU?

Reply to Post

6 Comments

[-]

cubic_sq@reddit

Have been through this exercise with many clients the past few years, including once the government body that oversees data privacy in Norway. The short version highlights after many attempts: - DPI is not compatible with either GPDR and local privacy laws. - implementing blocklists either on gateway or within browser for known malicious hosts or known illegal sites - user activity must not be tracked or recorded outside of what is blocked with blocklist - and logs absolutely must retain EU (and in some cases, Norwegian) sovereignty

[-]

Dramatic-Love7670@reddit

Hello, I am new on reddit and found your exchange on DPI and GDPR very interesting. Could you please let me know if there are any official texts mentioning that " DPI is not compatible with either GPDR and local privacy laws" in EU? I looked for it but could not find any ... Thank you in advance and best regards, Fred

[-]

gg_VikingTime@reddit

I can't find offical text that say you cannot use it. That's probaply becasue it can be legal in some specific cases. Conducting a Data Protection Impact Assessment (DPIA) is both recommended and often required when considering such invasive measures, as it helps assess and mitigate privacy risks. [WP249 by the article 29 working party](https://ec.europa.eu/newsroom/document.cfm?doc_id=45631) does contain some text about TLS interception and the GDPR. 5.3 suggests that DPI could be compatible. guidelines from the Article 29 Data Protection Working Party highlight the need to balance employers' legitimate interests with employees' privacy rights. They recommend conducting assessments, implementing acceptable use policies, and minimizing monitoring activities. Specific laws may vary, so consulting local legislation is advisable. It important to keep in mind that TLS interception isn'[t recommended by the NSA](https://www.bleepingcomputer.com/news/security/nsa-publishes-advisory-addressing-encrypted-traffic-inspection-risks/). The Dutch government also [has a factsheet](https://english.ncsc.nl/publications/factsheets/2019/juni/01/factsheet-tls-interception) that gives some recommendations. Although they don't explicitly advise against it, they caution that a TLS proxy should be regarded as a valuable target and treated as one of the organization's critical assets. DM me if you are located in the Netherlands.

[-]

cubic_sq@reddit

We have submitted use cases to “Datatilsynet” (Norwegian Data Protection Authority) twice and both submissions have come back as incompatible. That said - foreign based companies do DPI, but that does not mean it will stand up in court… You need to submit your use cases to your local authority and ask for clarification….

[-]

cubic_sq@reddit

As these are case by case submissions in our jurisdiction, we are not allow to share. Again - submit the use caee with your jurisdictions data protection authority.

[-]

cubic_sq@reddit

Nothing has been tested in court here. All sides are too concerned with consequences of that decision i think…