Unintended Consequences: How The GDPR Can Undermine Privacy

from the be-careful-what-you-wish-for dept

We've highlighted a few times now just how problematic the GDPR is. This is not because we don't care about privacy -- we do, very much. We just think that the GDPR's approach is not a very good one, with a lot more downsides than upsides -- and it's unlikely to do very much to actually protect your privacy. For example, we just wrote about the GDPR being used (successfully!) to try to erase a public court docket.

But not only do we think that the GDPR doesn't actually protect your privacy, it might actually put it at much greater risk. Take the story of Jean Yang, who noted that someone hacked her Spotify account and then, thanks to GDPR requirements, was able to download her entire Spotify history.

That's because, under the GDPR, platforms are supposed to make all of the data they have on you easily downloadable. The theory is that this will help you understand what a company has on you (and, potentially, to request certain data be deleted). But, it also means that should anyone else get access to your account, they could access an awful lot of important and/or personal data. Your Spotify interactions might not seem like that big of a deal, but plenty of other services could expose much more sensitive data (and, who knows, there are situations where your Spotify data might be quite sensitive as well).

As Jean notes in a later tweet, this kind of thing could really come back to bite other services, such as Lyft or Uber. She jokes: "Would be pretty bad to get hacked and kidnapped in the same day."

There are possible technological solutions that could help (again, as Jean suggests), such as using multi-factor authentication to access your own data (one-time passwords, Yubikey, etc), but it's telling that few companies (or regulators!) have really thought about that, because that vector of attack probably hasn't occurred to many people. But, it probably will now.
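The mitigation mentioned above, requiring a second factor before a service hands over your own data, as an added example (not code from the original post or from any service it names). It gates a bulk-export request behind a fresh TOTP check (RFC 6238), so a hijacked login session alone is not enough; the `Account`/`Session` classes, the function names and the 5-minute freshness window are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

STEP_SECONDS = 30       # RFC 6238 default time step
STEP_UP_MAX_AGE = 300   # assumed policy: second factor must be under 5 minutes old
# Published RFC 4226/6238 test key ("12345678901234567890"), not a real secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


@dataclass
class Account:
    user: str
    totp_secret_b32: str
    last_counter: int = -1  # highest accepted time step; blocks code replay


@dataclass
class Session:
    """A logged-in session. Holding one proves only the first factor
    (or possession of a stolen cookie or password)."""
    account: Account
    step_up_at: Optional[float] = None  # when THIS session last passed 2FA


def step_up(session: Session, code: str, now: float, window: int = 1) -> bool:
    """Verify a TOTP code for this session, allowing +/- `window` steps of drift."""
    acct = session.account
    current = int(now) // STEP_SECONDS
    for counter in range(max(0, current - window), current + window + 1):
        if counter <= acct.last_counter:
            continue  # this time step was already used: reject replays
        expected = hotp(acct.totp_secret_b32, counter)
        if hmac.compare_digest(expected.encode(), code.encode()):
            acct.last_counter = counter
            session.step_up_at = now
            return True
    return False


def request_export(session: Session, now: float) -> str:
    """Decide whether a 'download all my data' request may proceed."""
    verified_at = session.step_up_at
    if verified_at is None or not 0 <= now - verified_at <= STEP_UP_MAX_AGE:
        return "step-up required"
    return "export queued"


if __name__ == "__main__":
    acct = Account("alice", RFC_TEST_SECRET)
    stolen = Session(acct)                     # attacker holds a valid session only
    print(request_export(stolen, now=59))      # no second factor on this session
    owner = Session(acct)
    print(step_up(owner, hotp(RFC_TEST_SECRET, 1), now=59))
    print(request_export(owner, now=120))
```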

This is, of course, yet another good example of the unintended consequences of regulating technology, even with good intentions. Very little thought has been put into the second and third order effects. Instead, you have a bunch of policymakers who think "platforms collecting too much data is bad, thus, we have to let people check on their own data." It never occurs to them that this now creates a brand new route to accessing potentially valuable, sensitive and private data.

And, as an end result, a regulation designed to increase our privacy... could sometimes have the exact opposite effect.


Filed Under: breaches, data, data protection, gdpr, hacked accounts, privacy
Companies: spotify


Reader Comments



  • icon
    Anonymous Anonymous Coward (profile), 25 Sep 2018 @ 11:50am

    Fake left, move right, explain up while moving down

    "...a regulation designed to increase our privacy..."

    Was it actually designed to increase privacy, or was a bunch of platitudes that supported one agenda or another thrown together so that it met a multitude of goals that were actually other than the ones stated? The process used to move it through the legislature certainly seems to suggest so.

    link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Shlomo Trane-Reck, 25 Sep 2018 @ 12:15pm

    NO, problem is Spotify and GIVING it your data in first place.

    Nothing to do with GDPR as such, only with the foolishness of FOOLS who use the services of data monsters -- which are guaranteed to be hacked at some time, anyway.

    You cannot have both privacy and "cool" web features.

    The Internet isn't actually workable for civilization.

    This is inherent in the corporatized Internet: they are rabid for getting every detail and tracking you. All that's really needed is name and credit card number -- PLUS high penalties for those getting "hacked". -- Masnick of course can never conceive of ANY change to what favors corporations.

    Problems solved. GDPR is fine.

    Though all the above deserves to be in caps and six-inch high font, Techdirt doesn't provide the means for due emphasis.

    link to this | view in chronology ]

    • This comment has been flagged by the community. Click here to show it
      identicon
      Shlomo Trane-Reck, 25 Sep 2018 @ 12:25pm

      Re: NO, problem is Spotify and GIVING it your data in first place.

      Forgot some boiler-plate: this is more of Masnick screaming "the sky is falling!" from one data point. These pieces always exactly fit his bias, just as do stories a cult leader tells.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Sep 2018 @ 12:30pm

        Re: Re: NO, problem is Spotify and GIVING it your data in first place.

        Try again without the chest-beating and name-calling, and I might bother to read instead of skim. You're vanishing into background noise with your delivery.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 25 Sep 2018 @ 12:38pm

          Re: Re: Re: NO, problem is Spotify and GIVING it your data in first place.

          the dood is a moron, and if you need truth delivered in a certain format before you are willing to listen then don't bother even trying because truth will escape you forever because you will swallow well told lies at a much faster rate. Truth is much harder to swallow!

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 25 Sep 2018 @ 1:05pm

            Re: Re: Re: Re: NO, problem is Spotify and GIVING it your data in first place.

            This would be true, if I accepted everything I listen to at face value.

            I do not.

            A well spoken argument may get me to listen, but does not necessarily get me to agree. But at least it got me to listen.

            This dood who is an idiot is failing to pass the first hurdle of getting me to listen by wrapping what he has to say in bluster and accusation. I have chosen to tell him this, because I wanted to tell him this.

            link to this | view in chronology ]

            • identicon
              Anonymous Coward, 25 Sep 2018 @ 1:20pm

              Re: Re: Re: Re: Re: NO, problem is Spotify and GIVING it your data in first place.

              I dismissed him because he is full of crap, the bluster and accusation mean nothing to me.

              link to this | view in chronology ]

      • icon
        Gary (profile), 25 Sep 2018 @ 12:45pm

        Re: Re: NO, problem is Trane

        Mr. Reck,

        I'm pleased you have taken such an interest in this and clearly you have a solution. How does one go about using a service in such a way that it has no information related to your usage of it?

        Are you proposing a paid service should not keep enough information on you to record your billing usage? This seems like a rather bizarre suggestion.

        link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Sep 2018 @ 12:47pm

        Re: Re: NO, problem is Spotify and GIVING it your data in first place.

        There is literally no "sky is falling" in this article at all, had you bothered to read it.

        link to this | view in chronology ]

      • icon
        James Burkhardt (profile), 25 Sep 2018 @ 2:32pm

        Re: Re: NO, problem is Spotify and GIVING it your data in first place.

        Question, as a combination free/paid service, Spotify must maintain information for customers who are paying, such as billing info and track who you are to provide paid benefits like no ads. Additionally, to pay out to rights holders Spotify must maintain a history of song plays. Additionally, Spotify allows you to know what songs you have recently played, requiring at least temporary association between a user (identified by account, device id, or ip) and a specific song play.

        Nowhere in this article do we address the length of storage of that information, and nowhere do you address rationally the concept that Spotify might have information on you. Nowhere do you address the idea that song plays might only be associated temporarily, and that any analytics for more than a week or month might be touching information with no user association. You just say they shouldn't ever have data on you which seems odd.

        link to this | view in chronology ]

        • icon
          Gary (profile), 25 Sep 2018 @ 5:59pm

          Re: Re: Re: NO, problem is Spotify and GIVING it your data in first place.

          _You just say they shouldn't ever have data on you which seems odd._

          I believe Wreck may be thinking that as an intrepid ghost, afraid to show his real identity, anyone who uses their real name on the internet is a fool. (Maybe? Hard to say, speculating here.)

          So he is bravely pointing out that the only way to keep the global lawyers away is to use TOR and hide. (Like, say, a coward.)

          This would preclude actually using any online services that aren't free. Or require registration with a real email address. (As in verified as a working address.)

          Makes me wonder what Reck and his hillfolk kin would do if Mike turned on the requirement for a valid email to post. Only a single checkbox in wordpress.

          link to this | view in chronology ]

        • identicon
          Anonymous Coward, 26 Sep 2018 @ 10:10am

          Re: Re: Re: NO, problem is Spotify and GIVING it your data in first place.

          Spotify must maintain information for customers who are paying, such as billing info and track who you are to provide paid benefits like no ads.

          There are zero-knowledge methods to prove you've paid for a service without identifying yourself.

          Additionally, to pay out to rights holders Spotify must maintain a history of song plays.

          Not associated with specific people.

          Additionally, Spotify allows you to know what songs you have recently played

          That's something that could be optional.

          link to this | view in chronology ]

    • icon
      OldMugwump (profile), 25 Sep 2018 @ 12:50pm

      Re: NO, problem is Spotify and GIVING it your data in first place.

      Hey, Shlomo, it's MY data and I'll give it to whom I please.

      And if a bunch of Eurocrats mandate that Spotify give out MY data in circumstances where neither I nor Spotify want to, then it's the mandate (GDPR) that's the problem.

      The moreso that I don't even live in the EU.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Sep 2018 @ 1:34pm

      Re: NO, problem is Spotify and GIVING it your data in first place.

      So how much is some special interest group paying you per comment?

      Must be a pretty boring job just sitting in front of techdirt hitting F5 all day so you can be one of the first to post a comment bashing them.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Sep 2018 @ 5:07pm

      Re: NO, problem is Spotify and GIVING it your data in first place.

      “The internet isn’t actually workable for civilization”

      Lord above it all make sense now. This man works in the EU parliament...

      link to this | view in chronology ]

    • icon
      PaulT (profile), 26 Sep 2018 @ 1:11am

      Re: NO, problem is Spotify and GIVING it your data in first place.

      "NO, problem is Spotify and GIVING it your data in first place."

      OK, then, genius. Since the data requested was the history of the songs you played on the service, how the hell are you meant to use it without giving them that data. I'll wait...

      Do you have an answer, or is this just you trying to be somehow even more moronic than your typical ramblings?

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Sep 2018 @ 1:19pm

    > it's MY data and I'll give it to whom I please.

    GDPR in no way prevents people who *want* to feed their data to corporations from doing so.

    > And if a bunch of Eurocrats mandate that Spotify give out MY data in circumstances where neither I nor Spotify want to, then it's the mandate (GDPR) that's the problem.

    GDPR doesn't mandate that, so your problem here is imaginary.

    link to this | view in chronology ]

    • icon
      Anonymous Anonymous Coward (profile), 25 Sep 2018 @ 1:46pm

      Re:

      "GDPR doesn't mandate that, so your problem here is imaginary."

      No, they mandated this:

      "That's because, under the GDPR, platforms are supposed to make all of the data they have on you easily downloadable."

      So the GDPR made it easier and the platforms failed to be secure for their clients data. That doesn't seem imaginary, but it does make the problem more than just the GDPR.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Sep 2018 @ 2:37pm

        Re: Re:

        > So the GDPR made it easier and the platforms failed to be secure for their clients data. That doesn't seem imaginary, but it does make the problem more than just the GDPR.

        It makes the problem *not* the GDPR. GDPR has nothing to do with this person's account being hacked.

        Also, I doubt Spotify was the problem here. It's much more likely that the person who got hacked had a shitty password or did something else stupid to put themselves in that position.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 25 Sep 2018 @ 3:48pm

          Re: Re: Re:

          You're being willfully obtuse.

          The subject being discussed is not the hacking of the account, but how much information is (easily) available once the account is compromised.

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 25 Sep 2018 @ 4:34pm

            Re: Re: Re: Re:

            That has nothing to do with GDPR, though.

            If someone hacked your gmail account, they'd have access to all of the e-mail stored there. Does that mean Google is "undermining privacy" by allowing users to access their e-mail when they log in?

            If someone hacked your Amazon account, they'd have access to your entire order history. Does that mean Amazon has been "undermining privacy" since their inception by allowing users to access their own order history when logged in?

            Same goes for Google's data "takeout" tool, Facebook's data download tool, and pretty much any other situation where you can access your own data by being logged in to your account.

            As usual, Mike is stretching as far as he possibly can to try to spin some idiot getting their Spotify account hacked into a "the sky is falling because of GDPR" advertising/surveillance industry propaganda post.

            link to this | view in chronology ]

            • icon
              PaulT (profile), 26 Sep 2018 @ 1:18am

              Re: Re: Re: Re: Re:

              Ah, the wilfully ignorant, always willing to try and skew what's actually said in order to pretend there's a conspiracy...

              "If someone hacked your gmail account, they'd have access to all of the e-mail stored there"

              But, not the entire message *history*, which is what is at stake here. I can't access the history of messages long deleted, but someone can now request that.

              I can go into my Spotify account and see recently played, but I can't access a complete history of everything I've ever done there without requesting it. The GDPR makes it so that this is now not only possible, but required to be effortless.

              Is that simple enough for you, or do we need to dumb it down further?

              link to this | view in chronology ]

              • identicon
                ANON, 26 Sep 2018 @ 8:58am

                Re: Re: Re: Re: Re: Re:

                > I can't access the history of messages long deleted, but someone can now request that.

                This is plain wrong though. GDPR only requires that the user should be able to download their data and makes it very clear that the company should only keep any data that the company actually needs.

                In the case of Spotify the problem is that Spotify just keeps all data. That is like your email provider just keeping all your emails "deleted" or not.

                link to this | view in chronology ]

                • identicon
                  Anonymous Coward, 26 Sep 2018 @ 9:17am

                  Re: Re: Re: Re: Re: Re: Re:

                  "GDPR only requires..."

                  One of the ongoing problems is that what the GDPR actually requires, what the GDPR is intended to require and what people interpret it as requiring are generally not the same thing. Companies appear to be breaking it regularly while implementing what they believe it needs.

                  "In the Case of Spotify the problem is that spotify just keeps all data. That is like your email provider just keeping all your emails "deleted" or not."

                  Not really. A large part of Spotify's service is recommending music to you based on what you and other people with similar tastes play. The only real analog to that in terms of email would be spam, but that's far more generalised as most spam is obviously spam regardless of the target user. An email provider can provide a spam filter without access to your deleted emails, Spotify cannot recommend music without access to your play history.

                  link to this | view in chronology ]

                  • identicon
                    Anonymous Coward, 26 Sep 2018 @ 9:28am

                    Re: Re: Re: Re: Re: Re: Re: Re:

                    Hmmm... updating to Mojave and Vivaldi 2.0 appears to have broken TD cookies for me, I didn't notice until after making numerous replies in a few threads!

                    PaulT

                    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Sep 2018 @ 3:02pm

      Re:

      Another feature of GDPR is that the "Right to be Forgotten" was implemented.
      Thus, you can demand that they delete their data about you. I would highly recommend people using that at set intervals to avoid the situation mentioned in the article.
      In that way you can at least control the size of data-stack a third party can acquire legally.

      link to this | view in chronology ]

  • icon
    ShadowNinja (profile), 25 Sep 2018 @ 1:36pm

    There are possible technological solutions that could help (again, as Jean suggests), such as using multi-factor authentication to access your own data (one-time passwords, Yubikey, etc), but it's telling that few companies (or regulators!) have really thought about that, because that vector of attack probably hasn't occurred to many people. But, it probably will now.

    Wishful thinking. Most of them will have never heard of this story. It won't blow up all over the place, at least not until someone dies from it like outlined with the Uber example.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Sep 2018 @ 1:56pm

      Re:

      I'm not sure it's wishful thinking so much as it's looking at a potential problem and realizing that more and more people are going to realize this is something to exploit.

      If one person has already exploited it, others will as well. It's these people looking to exploit that I think are being referred to, more than anybody else. Since it's happened once, it'll happen again.

      link to this | view in chronology ]

  • identicon
    Anonymous Cowherd, 25 Sep 2018 @ 1:57pm

    Letting people see their own data does not decrease privacy. Having crappy security decreases privacy.

    It's always possible some hacker steals your data. It's always possible your data gets sold to the next Cambridge Analytica or spied on more or less legally by any number of governments around the world. It would be truly weird if you yourself should be the last person in the world to see your own data.

    And corporations collecting too much data on people IS bad. The best way to secure data is to not collect it.

    link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 25 Sep 2018 @ 2:40pm

    Mike,

    Would you have blamed Google if this user had their Google account(s) hacked and their data was obtained by a hacker using their pre-GDPR data download tool?

    Something tells me the answer to that is no.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Sep 2018 @ 4:09pm

    How exactly is the GDPR's requirement that companies make readily available the data they have on an individual any different from Google Takeout, which has long since been lauded as a valuable tool of empowerment for Google users?

    link to this | view in chronology ]

    • icon
      Anonymous Anonymous Coward (profile), 25 Sep 2018 @ 4:17pm

      Re:

      One is a choice the other is a mandate. Guess which is which.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Sep 2018 @ 4:28pm

        Re: Re:

        In the context of this post, both would be equally problematic if a hacker were to gain access to your account... so I'm not sure what your point is here.

        If GDPR is "undermining privacy" by mandating allowing people to gain access to the data being stored on them, Google has been "undermining privacy" for years with their "takeout" feature.

        link to this | view in chronology ]

        • identicon
          John Smith, 26 Sep 2018 @ 12:12am

          Re: Re: Re:

          I think the hackers are the ones undermining privacy.

          Blaming the GDPR for the conduct of hackers would be like blaming Section 230 for the conduct of those who defame others.

          The difference being that the hackers cause the damage in both cases, whereas search engines cause 99 percent of the damage from defamation.

          link to this | view in chronology ]

          • icon
            PaulT (profile), 26 Sep 2018 @ 1:21am

            Re: Re: Re: Re:

            "Blaming the GDPR for the conduct of hackers would be like blaming Section 230 for the conduct of those who defame others."

            You still haven't got the faintest clue about what section 230 is, do you?

            "whereas search engines cause 99 percent of the damage from defamation"

            ...but it's in no way the responsibility of the sites that host the content they're indexing? Please...

            link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Sep 2018 @ 5:20pm

        Re: Re:

        ....what?

        Are you advocating for the privacy of the company that holds your personal information?

        link to this | view in chronology ]

        • icon
          Anonymous Anonymous Coward (profile), 25 Sep 2018 @ 7:57pm

          Re: Re: Re:

          No, I use Google, but have turned off all the available options to turn off. If they are doing more, shame on them and when they get caught at it, there will be more to turn off, ie. the new accusation that when you go to a Google site you are automatically logged in. That, I expect, when sufficient user and world commendation takes place will be disabled.

          The problem with GDRC is that it mandates what Google calls Takeout (which I have never heard of until today) and which I presume is an opt in service. With GDRC there is no opt in or out. The platforms are required to make information easily downloadable.

          The hackers are merely making use of that (unusual) ability. That the GDRC demands that downloading client data be made 'easy' is merely making targets for hackers.

          That websites are inherently insecure is not news (ask the developers who asked for the budget to do so and were turned down, we hear from them a lot). That they do nothing about it is not news. That they don't do anything about it, given the demands of GDRC will eventually be really big news, and I suspect a whole lot of things will be done to secure websites. Especially after a few of them are sued for not taking appropriate precautions.

          What are appropriate precautions? Time will tell as the vectors for attack will change. But there are things that can be done now (best practice stuff) and things that will need to be done in the future. Timeliness will become important if things are left as they are.

          Websites will be sued. Users are stupid. 2F authentication is not the end all many think it is, (and yes that article is old, but what has changed?) What if you lose your Yubikey? What if your cellphone is stolen or lost? What if...what if...what if...? Biographical data (eye scan, finger print, dna, whatever) good for a login name. Password managers and a website that allows a 64 digit (or more if we need to) not just alpha/numeric passwords? Not many of them around, my bank won't and I seriously wonder why.

          And governments demand things with unintended consequences that they do not perceive partially because they fail to listen to experts (at least experts that don't spend their time validating the outcome their clients want) and don't think things through because their agenda doesn't allow of any other outcome.

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 26 Sep 2018 @ 3:04pm

            Re: Re: Re: Re:

            Google Takeout is an "Opt In" service in the sense that you have to manually request them to give you your data.

            In that sense, the GDPR's mandate is also "Opt In".

            link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Sep 2018 @ 11:06am

      Re:

      Well for one making it readily available is its own threat. It forces them to keep all of their data online and accessible instead of just periodically stowing it someplace offline in write only memory like tape drives or on its own isolated network. Keeping frozen data backups isn't kosher as it means deleted data could persist. Security isn't just in being impenetrable but also in limiting what there is to lose.

      The mandate means they need to keep the data accessible for read and write regardless of how secure they know or think they are.

      link to this | view in chronology ]

  • icon
    Darkness Of Course (profile), 25 Sep 2018 @ 9:43pm

    Here in the USA -

    Wait, we are worse with legislating pretty much anything. No really!

    V-chip for the LOSS. Our congressmen (specifically white/old/men) are unqualified to use smart phones, much less actually read and understand the Constitution. So, pardon the fuck out of me, there is zero chance they could even stumble on good legislation of anything technical. Ever.

    And this particular party of clowns makes me wonder if they can do anything besides giving benefits to the rich. All while having designs on removing entitlements to everyone that needs them.

    link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    John Smith, 25 Sep 2018 @ 11:31pm

    Of course Mikey here is friendly with some lawyers who are a little TOO friendly with a hacker mob that has done, among other things, pretended to be other people to exploit the recovery feature on a website, i.e., typing in their address so the user info and other info pop up (not saying Mikey does this just that some of us check out his friends apparently better than he does).

    I'm sure it's a coincidence that his lawyer buddies have made a fortune using Section 230 and SLAPP to defend against libel suits that at times were instigated by the hacker mob defaming people known to be litigious.

    Mikey would NEVER compromise his journalistic integrity, so I know he's oblivious to all of this, because he's just too busy deep in thought, deciding, with the purest of intentions, which side of any issue to support.

    His positions are very consistent: when an internet user with a grudge weaponizes Google and Section 230 to destroy someone's reputation, the user is at fault, and when a HACKER weaponizes the GDPR and Spotify to figure out which music they've listened to (oh the horror!), it's the GDPR's fault!

    Sue the original speaker
    Do NOT sue the hacker
    Blame the GDPR instead

    link to this | view in chronology ]

    • icon
      PaulT (profile), 26 Sep 2018 @ 1:25am

      Re:

      "his lawyer buddies have made a fortune using Section 230 "

      God forbid they make money defending people against lawsuits holding them responsible for things they didn't do! They should just allow injustice to occur because some random asshole doesn't like the target!

      I'm sure you're equally critical of the lawyers who attack people for actions for which they are clearly not responsible, right?

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Sep 2018 @ 8:04am

      Re:

      not saying Mikey does this just that some of us check out his friends apparently better than he does

      Or in other words, you just admitted to violating the CFAA. Care to turn yourself in?

      Thought not, hypocrite.

      link to this | view in chronology ]

    • icon
      John Roddy (profile), 26 Sep 2018 @ 9:50am

      It's already clear that you have no clue what Section 230 is, but the casual mention of "SLAPP" makes me question if you have any clue what anything is. You're throwing baseless accusations left and right just because you know you can get away with it.

      Fortunately for you, Techdirt makes it easy for your comment to be buried and ignored forever, otherwise you might genuinely have a potential libel case against you to worry about. Perhaps you should try understanding what the laws actually are before continuously insulting others over their superior understanding of them?

      link to this | view in chronology ]

  • icon
    Jeroen Hellingman (profile), 26 Sep 2018 @ 8:51am

    There are several significant problems with the GDPR, one is its serious conflict with freedom of press, and the other is its general vagueness, which means a lot of what it actually means still has to be established by the courts. With regard to the latter, you see a lot of panic with various parties, restricting things where you can fully justify processing data under the GDPR, and on the other hand, parties who totally ignore the GDPR. A number of US sites even completely block whoever they deem coming from the EU: I find myself using Tor far more than before.

    I think the case mentioned in this article shouldn't be attributed to the GDPR. If services would treat data more as a toxic asset (see Bruce Schneier's blog), much less of it would be available to leak. Sites need to get over their hoarding mentality. Then, if sites would take account security more seriously, the second part of this problem would be less of an issue. Just keep data on people's devices (or use a cloud storage of their choice for that purpose, making sure access codes always remain at the user's end of the line) will greatly reduce the information Spotify would hold and thus can leak.

    link to this | view in chronology ]

