Imperial Data Protection

David Barnard-Wills
Dec 22, 2016

(spoilers for Rogue One: A Star Wars Story)

The most recent Star Wars spin off turns out to be about Data Protection and information security (also hope, the seeds of Rebellion, terror weapons and engineering ethics). Potentially a turn-off for some, but there were plenty of beautiful space explosions and blaster battles. Also Star Wars has form.

The climax centres around the efforts of the Rebels to steal the plans for the Death Star from an Imperial data centre on the planet Scarif.

Being set a long time ago, in a galaxy far, far away, under the grip of a tyrannical Empire, we can’t assume that any existing national or EU-level data protection law applies. Rogue One predates not only A New Hope, but also this year’s Regulation (EU) 2016/679, and its predecessor, the Data Protection Directive 95/46/EC, as well as relevant law on cyber security such as Directive 2013/40/EU on attacks against information systems, and Directive 2016/1148 — the Network and Information Security Directive.

But in the absence of a Galactic Data Protection Regulation, we can use this legislation, as well as guidance from EU data protection authorities to assess the job the Empire was doing in keeping its data secure.

But, I hear you say, it was the engineering plans for the Death Star that were stolen, not personal data. Doesn’t that mean that the Regulation is irrelevant, given that it concerns personal data? Well, it was a massive file, and who is to say that it didn’t also contain personnel records of the thousands of lifeforms that worked on the Death Star? As in many real-world data breaches, it’s certainly likely to contain personal data.

First, let’s look at an area of prime concern for the film: security. The EU’s GDPR states:

Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

The UK Information Commissioner’s Office’s guidance on security states:

design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;

be clear about who in your organisation is responsible for ensuring information security;

make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and

be ready to respond to any breach of security swiftly and effectively.

This looks like an area where the Empire gets a pass. The data is certainly held in a secure facility, with heavy physical and technical security (including AT-AT walkers and both Stormtroopers and Sandtroopers). Based upon the accuracy of their blaster fire this time around, these are well-trained Stormtroopers. The film (as with all Star Wars films) raises some concerns about the adequacy of access control. The data store is also impressively (perhaps excessively) air-gapped. Remember, just because a breach has occurred, it does not mean that the data controller has acted negligently. Director Krennic certainly seems willing to take personal responsibility for information security.

The biggest problem for an analyst, auditor or regulator is that, in response to the data breach, Grand Moff Tarkin orders the site blasted from orbit. Even at a single reactor’s destructive capacity, this is an excessive response. It means that the Empire itself cannot know exactly what data was stolen in the breach, nor what else the Rebels might have done whilst they had access to the data centre. Actions like this might even act as an aggravating factor for any applicable administrative fines.

The GDPR introduces a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. The NIS Directive introduces a similar requirement for certain critical industries, and we can certainly include such a key piece of critical information infrastructure as the Imperial Data Centre under that. During the battle over Scarif, an Imperial Navy officer informs Tarkin of the breach, who in turn informs Lord Vader. According to the ICO:

A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows you to provide information in phases.

We’ll just have to hope that after the panic of the battle, the Imperial Data Protection Authority is appropriately informed.

And as for the Rebels’ international transfer of data outside of the protection of the Shield… That’s so complicated at the moment that I’m not going to get into it.

May the Force be with you.

David Barnard-Wills

Political Scientist with an interest in the politics of surveillance, identity, technology and security.