The GDPR Is A Wide Open Vulnerability For Identity Fraud And Scams
from the how-does-this-help-privacy-again? dept
We've spent the last year and a half or so pointing out that, while it may have been well-intentioned, there are all sorts of consequences -- whether intended or not -- to the EU's General Data Protection Regulation (GDPR), including giving more power to the giant internet companies (when many argued the GDPR was necessary to curb their power), censorship of media, and a way for the rich and famous to harass people. But, of course, some might argue that those are worthy trade-offs if it did a better job protecting people's privacy.
About that... Last year, we pointed out that one consequence of the GDPR was that, in making it easy to "download" your data, it could open up serious privacy consequences for anyone who has their accounts hacked. In that story, we talked about someone having their Spotify account hacked, and having all the data downloaded -- a situation that might not be that impactful. However, last week, at Black Hat, James Pavur, a PhD student at Oxford, explained how he exploited the GDPR to access a ton of private info about his fiancee.
In a presentation at the Black Hat security conference in Las Vegas James Pavur, a PhD student at Oxford University who usually specialises in satellite hacking, explained how he was able to game the GDPR system to get all kinds of useful information on his fiancée, including credit card and social security numbers, passwords, and even her mother's maiden name.
"Privacy laws, like any other infosecurity control, have exploitable vulnerabilities," he said. "If we'd look at these vulnerabilities before the law was enacted, we could pick up on them."
In other words, in giving more "protection" over data, the EU has also opened up a new vulnerability. Here's how it worked:
Over the space of two months Pavur sent out 150 GDPR requests in his fiancée's name, asking for all and any data on her. In all, 72 per cent of companies replied back, and 83 companies said that they had information on her.
Interestingly, five per cent of responses, mainly from large US companies, said that they weren’t liable to GDPR rules. They may be in for a rude shock if they have a meaningful presence in the EU and come before the courts.
Of the responses, 24 per cent simply accepted an email address and phone number as proof of identity and sent over any files they had on his fiancée. A further 16 per cent requested easily forged ID information and 3 per cent took the rather extreme step of simply deleting her accounts.
That last one is kind of fascinating. What companies delete the accounts of people making a GDPR request? At least some of the companies required login info, but Pavur noted that in one case, he told the company he'd forgotten the login... and they gave him the data anyway.
"An organisation she had never heard of, and never interacted with, had some of the most sensitive data about her," he said. "GDPR provided a pretext for anyone in the world to collect that information."
This could be fixed, and one could argue that companies handing out this info without real proof of ID are, themselves, in violation of the GDPR. But, given that the GDPR is so strict -- you have a very short time frame to return the info or face massive fines), the incentive structure is designed to ignore those formalities and just fork over the information -- even if it's right into the hands of a scammer.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
"3 per cent took the rather extreme step of simply deleting her accounts"
That's a fantastic response. A big middle finger to the EU - in response to GDPR requests they simply ensure any response would result in nothing.
This must have been crafted by an engineer with a law degree.
[ link to this | view in thread ]
Re:
Or not. In general, one can't legally just delete data one is required to provide, and then claim "we have no data!". They might have screwed themselves: they're still required to send the data, and now have no way to do it.
It's like deleting data in response to a subpoena. People have gone to prison for stuff like that.
[ link to this | view in thread ]
Next week's news prediction: "Security Researcher James Pavur arrested for hacking, GDPR violations"
[ link to this | view in thread ]
There is no "but"
There is no "but" here. The GDPR is not at fault for bad implementations of the GDPR any more than the law is at fault for LEOs' bad implementation of the law.
Place the blame where it is due else your argument is no better than those blaming Google or S230 for things outside their purview.
[ link to this | view in thread ]
Re: There is no "but"
There is a "but," though, and it's spelled out for you just after the place where you cut off the quote. Unintended consequences are a law of laws. When you're crafting legislation, you have to consider the incentives you're creating.
Sorry, but you're just wrong.
[ link to this | view in thread ]
Re: Re: There is no "but"
GDPR Article 12 clearly states "provided that the identity of the data subject is proven by other means." and "Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject." What more need be said?
Sorry, you're wrong. Read it yourself. Here, I'll help you out:
https://gdpr-info.eu/art-12-gdpr/
[ link to this | view in thread ]
Re: Re: Re: There is no "but"
You didn't actually respond to anything that either Mike or I said.
Laws aren't magic, no system is perfect, and they all incentive unintended behaviors. You're ignoring that and reiterating what the law says instead of looking at the behavior it incentivizes. Neither the laws nor this case exist in a vacuum.
[ link to this | view in thread ]
Re: Re: Re: Re: There is no "but"
I'm not ignoring anything. You, on the other hand, are ignoring the facts and seem to expect every law, rule and regulation to cover 100% of the ways it might be ignored and/or otherwise abused. The GDPR is clear and it requires that the data supplier verify the identity of the data subject before handing them the data. This article is about companies ignoring that directive. How is that at all the fault of the law?
Yours is a sue-happy mentality that looks for any angle to blame someone else for your own actions.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: There is no "but"
You are ignoring reality and engaging in magical thinking.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: There is no "but"
Strongest argument ever, folks.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: There is no "but"
If I use too many words, you don't process them, and you instead fall back on magical thinking. I don't really know what you expect, given that.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: There is no "but"
Says the guy with reading comprehension problems.
I spelled it out twice but you don't seem to get it. The law requires identification. The companies discussed in this article ignored the law. That is not the fault of the law.
I don't know how to simplify that any more for you.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: There is no "but"
I understand the law. The disconnect here is that you don't understand how the law fits into the real world.
[ link to this | view in thread ]
Re: Re: Re: Re: There is no "but"
It directly responds to Mike's text "given that the GDPR is so strict -- you have a very short time frame to return the info or face massive fines". If the clock truly doesn't start until after verification, I see no incentive to respond without checking.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: There is no "but"
Its not strong. When a provider has 'reasonable doubts' (something the courts might disagree with the company on) it may request additional information. Not it must, it may. therefore, there is no incentive to request the verification, as under the law they do not need to. So either they request verification and risk a court deciding they don't have reasonable doubt, or just provide the requested info and hide that they are not required to request additional verification.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: There is no "but"
It only "directly responds to Mike's text" if you remove all context and pretend one tiny snippet of "Mike's text" exists in a vacuum.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: There is no "but"
The law does not require the cited additional verification. It allows a provider to request it.
There are two areas i have emphasized. The latter, only provides that they can, not that they must, request additionally information if they have reasonable suspision. Not it must, it may. And as we have seen here in the US, standards like 'reasonable doubts' are hotly contested. If the court disagrees, it could place the start of the timer at the original request, not at the end of the verification. Therefore, there is little incentive to request the verification, as under the law they do not need to. So either they request verification and risk a court deciding they don't have reasonable doubt, or just provide the requested info and hide behind the law that they are not required to request additional verification.
That is why Techdirt highlights the problem being short deadlines and large fines - they incentivize the wrong behavior, particularly when dealing with unsettled legal standards.
[ link to this | view in thread ]
Then explain it to us in detail, since you believe you understand it so well.
[ link to this | view in thread ]
Re:
I could write an essay spelling it out for you, but you'd still be stupid when I was done. So I'm not doing that.
[ link to this | view in thread ]
Allowing people control of their own data is a good thing. Though if the law allows, or does not properly punish, handing out data without verifying the requester's identity that may be a point of adjustment.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: There is no "but"
But they do need to. They'll be out of compliance with the GDPR if they release without proper authorization. The quoted text doesn't override that obligation, and should have been written more clearly to say that. Your point about "reasonable doubt" is valid.
[ link to this | view in thread ]
Re: Re:
I doubt it is like a subpoena
[ link to this | view in thread ]
“I could, but I won’t” is a funny way of saying “I can’t”.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: There is no "but"
As far as the portions I quoted this is true. However, other sections of the law add more coverage to this topic. For example, Art. 5.1f states
I agree that this specific area is more vague than it ought to be. But I also argue that a thorough reading of the law doesn't leave much room for error on this point.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: There is no "but"
See my response above to your earlier comment. The law as a whole does cover this is more detail than the bits I originally quoted.
[ link to this | view in thread ]
Re:
See Chapter 8 of the GDPR which lays out specific rights and liabilities to violations of the law.
[ link to this | view in thread ]
Re: Re: Re:
Subpoenas and court orders have special legal treatment (eg. rules preventing data destruction), so no, it's not quite like that, but shows similar contempt for the law. Courts dislike such bad-faith actions.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: There is no "but"
Is that not Mike's thesis? That the need for a quick response, to avoid heavy fines, creates a perverse incentive structure? If the law actually does allow them to take their time to do this properly, it undermines the point.
[ link to this | view in thread ]
"Real proof of ID"
Real proof of ID is more difficult that most people realize.
[ link to this | view in thread ]
Re: "Real proof of ID"
Granted. But "email and phone number" is pretty obviously insufficient. Email address and phone number alone do not meet any reasonable definition of "good enough". The companies that gave out the data without requiring some additional proof of identity are now liable for all the damages/compensation laid out in the GDPR. No court in any land would conclude otherwise, particularly not in the EU where all of this matters.
[ link to this | view in thread ]
of course it isn't! just ask the pricks who voted it in! those who just happen to be given immunity from it, like everything else that 'only affects ordinary people'!!
[ link to this | view in thread ]
Re:
I agree with Stephen T. Stone. I wonder if "Anonymous Coward" has ever been responsible for dealing with GDPR?
GDPR is clear on the identity requirement. If companies choose to ignore this part of the regulation, they are in error, and potentially subject to penalties.
Of course there will be unintended consequences, but the only unintended consequences here seem to be employees who work for the queried organizations ignoring, or being ignorant of, the identity vetting requirement.
[ link to this | view in thread ]