Unintended Consequences: How The GDPR Can Undermine Privacy

from the be-careful-what-you-wish-for dept

We've highlighted a few times now just how problematic the GDPR is. This is not because we don't care about privacy -- we do, very much. We just think that the GDPR's approach is not a very good one, with a lot more downsides than upsides -- and it's unlikely to do very much to actually protect your privacy. For example, we just wrote about the GDPR being used (successfully!) to try to erase a public court docket.

But not only do we think that the GDPR doesn't actually protect your privacy, it might actually put it at much greater risk. Take the story of Jean Yang, who noted that someone hacked her Spotify account and then, thanks to GDPR requirements, was able to download her entire Spotify history.

That's because, under the GDPR, platforms are supposed to make all of the data they have on you easily downloadable. The theory is that this will help you understand what a company has on you (and, potentially, to request certain data be deleted). But, it also means that should anyone else get access to your account, they could access an awful lot of important and/or personal data. Your Spotify interactions might not seem like that big of a deal, but plenty of other services could expose much more sensitive data (and, who knows, there are situations where your Spotify data might be quite sensitive as well).

As Jean notes in a later tweet, this kind of thing could really come back to bite other services, such as Lyft or Uber. She jokes: "Would be pretty bad to get hacked and kidnapped in the same day."

There are possible technological solutions that could help (again, as Jean suggests), such as using multi-factor authentication to access your own data (one-time passwords, Yubikey, etc.), but it's telling that few companies (or regulators!) have really thought about that, because that vector of attack probably hasn't occurred to many people. But it probably will now.
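As an added illustration (not code from Techdirt, Spotify, or anyone quoted here), this is one way a service could put that step-up check in front of a data-export endpoint, using RFC 6238 one-time passwords. The session and account fields, the function names, and the five-minute freshness window are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

STEP_UP_MAX_AGE = 300  # assumed policy: a second-factor check is "fresh" for 5 minutes

def totp(secret: bytes, now: float, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", int(now) // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret, code, now, last_used_step, window=1, period=30):
    """Return the matching time step, or None. A step already used is never accepted."""
    current = int(now) // period
    for step in range(max(0, current - window), current + window + 1):
        if step <= last_used_step:
            continue  # replay of an already-consumed code
        expected = totp(secret, step * period, period=period)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return step
    return None

def authorize_export(session: dict, account: dict, code, now: float) -> bool:
    """Gate the 'download all my data' action behind a recent second factor.

    A valid password session alone (what a hijacker holds) is never enough.
    """
    if not session.get("authenticated"):
        return False
    if now - session.get("mfa_verified_at", float("-inf")) <= STEP_UP_MAX_AGE:
        return True  # this session already proved the second factor recently
    secret = account.get("totp_secret")
    if secret is None or code is None:
        return False  # no enrolled factor or no code supplied: deny the export
    step = verify_totp(secret, code, now, account.get("last_totp_step", -1))
    if step is None:
        return False
    account["last_totp_step"] = step  # burn the code so it cannot be replayed
    session["mfa_verified_at"] = now  # freshness is per session, not per account
    return True
```

The freshness timestamp lives on the session rather than the account, so a second session opened with a stolen password does not inherit the legitimate user's recent verification.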

This is, of course, yet another good example of the unintended consequences of regulating technology, even with good intentions. Very little thought has been put into the second- and third-order effects. Instead, you have a bunch of policymakers who think "platforms collecting too much data is bad, thus, we have to let people check on their own data." It never occurs to them that this now creates a brand new route to accessing potentially valuable, sensitive and private data.

And, as an end result, a regulation designed to increase our privacy... could sometimes have the exact opposite effect.

Filed Under: breaches, data, data protection, gdpr, hacked accounts, privacy
Companies: spotify

Reader Comments

  1. Anonymous Anonymous Coward, 25 Sep 2018 @ 7:57pm

    Re: Re: Re:

    No, I use Google, but have turned off all the available options to turn off. If they are doing more, shame on them and when they get caught at it, there will be more to turn off, i.e. the new accusation that when you go to a Google site you are automatically logged in. That, I expect, when sufficient user and world commendation takes place will be disabled.

    The problem with GDRC is that it mandates what Google calls Takeout (which I have never heard of until today) and which I presume is an opt in service. With GDRC there is no opt in or out. The platforms are required to make information easily downloadable.

    The hackers are merely making use of that (unusual) ability. That the GDRC demands that downloading client data be made 'easy' is merely making targets for hackers.

    That websites are inherently insecure is not news (ask the developers who asked for the budget to do so and were turned down, we hear from them a lot). That they do nothing about it is not news. That they don't do anything about it, given the demands of GDRC will eventually be really big news, and I suspect a whole lot of things will be done to secure websites. Especially after a few of them are sued for not taking appropriate precautions.

    What are appropriate precautions? Time will tell as the vectors for attack will change. But there are things that can be done now (best practice stuff) and things that will need to be done in the future. Timeliness will become important if things are left as they are.

    Websites will be sued. Users are stupid. 2F authentication is not the end all many think it is (and yes, that article is old, but what has changed?). What if you lose your Yubikey? What if your cellphone is stolen or lost? What if...what if...what if...? Biographical data (eye scan, fingerprint, DNA, whatever) good for a login name. Password managers and a website that allows a 64 digit (or more if we need to) not just alpha/numeric passwords? Not many of them around, my bank won't and I seriously wonder why.

    And governments demand things with unintended consequences that they do not perceive partially because they fail to listen to experts (at least experts that don't spend their time validating the outcome their clients want) and don't think things through because their agenda doesn't allow of any other outcome.
