The TLS protocol (HTTPS traffic) is used on the Internet to secure from end to end the confidentiality and integrity of communications between a client and a server by online services websites, banks (of course) and electronic messages, as well as other websites, although it does not relate to sensitive communications such as a connection to Wikipedia or the CNIL website.
Today many companies wish to analyse the HTTPS traffic entering their information systems. The reasons are related to information systems security, as uncontrolled encrypted traffic leaves the door open to varied attacks: viruses and malware may get into systems, but attacks such as data exfiltration and disclosure also become possible. These attacks may harm the company’s information assets, confidentiality and trade secrets as well as the personal data that the company possesses on its clients and employees.
At the same time, the use of the TLS protocol is growing very fast. As a result of all this, companies are observing that HTTPS traffic accounts for over 50% of Internet traffic in transit on their information systems. This creates an increasingly significant source of vulnerability and a genuine security challenge.
Thus the CNIL is seizing the issue especially as it is updating this privacy paradox in which it strongly recommends using the TLS protocol given that it secures communications while preventing them from being intercepted, even though it may corrupt an information system containing personal data. On 31 March 2015, the CNIL ended its wait-and-see policy and met companies’ increasingly pressing demands by issuing a paper describing the conditions under which companies may “decrypt” HTTPS traffic.
The CNIL considers “decryption” of traffic by a data controller to be “legitimate” under the “Information Technology and Civil Liberties” law. The vocabulary employed by the authority seems deliberately imprecise. Indeed, it must be better understood that analysis of traffic under the TLS protocol is legal under the “Information Technology and Civil Liberties” law. On the one hand, the purpose of ensuring the security of an information system is legitimate as it is a legal requirement of the “Information Technology and Civil Liberties” law. On the other hand, analysis of traffic under the TLS protocol is proportionate, in accordance with the “Information Technology and Civil Liberties” law, to fulfilling this purpose provided that it is performed within a framework that includes specifying and determining the purposes of processing, safeguarding employees’ information, ensuring strict management of administrators’ rights of access to email accounts, minimising stored traces, and protecting the alert data extracted from analysis of HTTPS traffic.
These are requirements given by way of example only. The CNIL does not specify the precise, comprehensive requirements by which a data controller may entirely legally analyse HTTPS traffic. For example, the CNIL does not specify whether the preliminary formality is that of the statement, or whether any of the requirements that it lists are indispensable or may be adjusted. Technical means of decryption are not specified either.
To this confusing situation the CNIL adds another source of concern that may nullify the legality of processing analysis of TLS traffic (which might explain why the CNIL refers to “legitimate” as opposed to “legal” processing): decryption could represent one or more criminal offences regarding infringement of automated data processing systems (ADPS). Indeed, Articles 323-1 to 323-7 of the French Penal Code criminalise fraudulent access to or presence in all or part of an ADPS and hindrance or disruption of its operation. The scale of the penalties for these offences is enough to curb the most reckless impulses: two to five years of imprisonment, and a fine of €300,000 to €1.5 million for legal entities. The French Penal Code moreover provides for additional penalties that, while rarely imposed, must be mentioned. These include prohibiting the offender from engaging in its business activity for five years, closing one or more establishments used to commit the offence and publicising the decision.
The CNIL rightly notes its lack of jurisdiction in this matter which is for judges to decide. However, the CNIL believes that decryption may jeopardise the security of communications initiated by a third party and the confidentiality of the data that it transmits. Moreover, for the CNIL, the use of decryption could require a legal basis to justify potential infringement as a result of technical measures deployed by third parties to ensure the confidentiality of their exchanges. Suffice it to say that while the CNIL clarifies its lack of jurisdiction to identify criminally reprehensible behaviour, it does not hesitate to give its position on the substance of the offence that it believes to be constituted.
In the end, data controllers wishing to analyse HTTPS traffic are unable to move forward and even become more confused: they understand that they have an obligation to ensure the security of their information systems and that decryption is a legitimate means that they may implement, but at their own criminal risk.
It is essential to help data controllers end the gridlock and provide them with a clear, concise answer. The first step undoubtedly consists of describing the relevant processing. The CNIL uses the terms “analysis” of HTTPS traffic and “decryption” interchangeably. However, we believe that it is necessary to refer to “analysis” rather than “decryption” of HTTPS traffic. Indeed, what is actually happening? Traditionally, a TLS tunnel is established between a client and a server. The client queries the server by sending it a message. The server responds to it. The client and the server exchange encryption keys indicating that the data they are going to exchange and be able to read will be protected by encryption. The TLS protocol establishes a proper exchange of protected data between a client and a server that recognise each other.
In processing analysis of HTTPS traffic, the client is not the user’s Web browser, but the data controller’s HTTP proxy. The data controller’s HTTP proxy relays the initial query made by the user’s Web browser such that the server effectively authorises dialogue with the data controller’s HTTP proxy. Thus, since the initial user enables the data controller’s HTTP proxy to receive HTTPS traffic, no offence is committed under Articles 323-1 to 323-7 of the French Penal Code, as data is accessed not fraudulently but with the authorisation of both the end user and the server.
The responsibilities of HTTP proxies, and thus data controllers, are defined in the “Information Technology and Civil Liberties” law. First of all, they are responsible for ensuring that they are not going to have access to “sensitive” data and that the use of processing will be limited to security checks. Next, data controllers must inform the relevant people, obtain their consent where appropriate and ensure the security of the data they handle. They must implement this processing while taking precautions to eliminate, or at least circumvent or reduce, the additional risk that they create.
Analysis of HTTPS traffic then becomes possible. However, to be entirely legal, it must be specifically circumscribed on both a legal and technological level. Otherwise, it could constitute a criminal offence. In this regard, it is inadvisable to treat the requirements set forth by the CNIL in its 31 March 2015 paper as sufficient in themselves. The technical paper by the ANSSI providing security recommendations on this processing must also be used. It must be stressed that neither the CNIL’s recognition of the legitimacy of this processing nor the ANSSI’s recommendations concerning its implementation constitutes grounds for justification that strip it of its nature as an offence under criminal law.