Unintended Consequences: How The GDPR Can Undermine Privacy
from the be-careful-what-you-wish-for dept
We’ve highlighted a few times now, just how problematic the GDPR is. This is not because we don’t care about privacy — we do very much. We just think that the GDPR’s approach is not a very good one with a lot more downsides than upsides — and, it’s unlikely to do very much to actually protect your privacy. For example, we just wrote about the GDPR being used (successfully!) to try to erase a public court docket.
But not only do we think that the GDPR doesn’t actually protect your privacy, it might actually put it at much greater risk. Take the story of Jean Yang, who noted that someone hacked her Spotify account and then, thanks to GDPR requirements, was able to download her entire Spotify history.
Today I discovered an unfortunate consequence of GDPR: once someone hacks into your account, they can request–and potentially access–all of your data. Whoever hacked into my @spotify account got all of my streaming, song, etc. history simply by requesting it. ?
— Jean Yang (@jeanqasaur) September 11, 2018
That’s because, under the GDPR, platforms are supposed to make all of the data they have on you easily downloadable. The theory is that this will help you understand what a company has on you (and, potentially, to request certain data be deleted). But, it also means that should anyone else get access to your account, they could access an awful lot of important and/or personal data. Your Spotify interactions might not seem like that big of a deal, but plenty of other services could expose much more sensitive data (and, who knows, there are situations where your Spotify data might be quite sensitive as well).
As Jean notes in a later tweet, this kind of thing could really come back to bite other services, such as Lyft or Uber. She jokes: “Would be pretty bad to get hacked and kidnapped in the same day.”
There are possible technological solutions that could help (again, as Jean suggests), such as using multi-factor authentication to access your own data (one-time passwords, Yubikey, etc), but it’s telling that few companies (or regulators!) have really thought about that, because that vector of attack probably hasn’t occurred to many people. But, it probably will now.
This is, of course, yet another good example of the unintended consequences of regulating technology, even with good intentions. Very little thought has been put into the second and third order effects. Instead, you have a bunch of policymakers who think “platforms collecting too much data is bad, thus, we have to let people check on their own data.” It never occurs to them that this now creates a brand new route to accessing potentially valuable, sensitive and private data.
And, as an end result, a regulation designed to increase our privacy… could sometimes have the exact opposite effect.