Unintended Consequences: How The GDPR Can Undermine Privacy

from the be-careful-what-you-wish-for dept

We've highlighted a few times now, just how problematic the GDPR is. This is not because we don't care about privacy -- we do very much. We just think that the GDPR's approach is not a very good one with a lot more downsides than upsides -- and, it's unlikely to do very much to actually protect your privacy. For example, we just wrote about the GDPR being used (successfully!) to try to erase a public court docket.

But not only do we think that the GDPR doesn't actually protect your privacy, it might actually put it at much greater risk. Take the story of Jean Yang, who noted that someone hacked her Spotify account and then, thanks to GDPR requirements, was able to download her entire Spotify history.

That's because, under the GDPR, platforms are supposed to make all of the data they have on you easily downloadable. The theory is that this will help you understand what a company has on you (and, potentially, to request certain data be deleted). But, it also means that should anyone else get access to your account, they could access an awful lot of important and/or personal data. Your Spotify interactions might not seem like that big of a deal, but plenty of other services could expose much more sensitive data (and, who knows, there are situations where your Spotify data might be quite sensitive as well).

As Jean notes in a later tweet, this kind of thing could really come back to bite other services, such as Lyft or Uber. She jokes: "Would be pretty bad to get hacked and kidnapped in the same day."

There are possible technological solutions that could help (again, as Jean suggests), such as using multi-factor authentication to access your own data (one-time passwords, Yubikey, etc), but it's telling that few companies (or regulators!) have really thought about that, because that vector of attack probably hasn't occurred to many people. But, it probably will now.

This is, of course, yet another good example of the unintended consequences of regulating technology, even with good intentions. Very little thought has been put into the second and third order effects. Instead, you have a bunch of policymakers who think "platforms collecting too much data is bad, thus, we have to let people check on their own data." It never occurs to them that this now creates a brand new route to accessing potentially valuable, sensitive and private data.

And, as an end result, a regulation designed to increase our privacy... could sometimes have the exact opposite effect.

Filed Under: breaches, data, data protection, gdpr, hacked accounts, privacy
Companies: spotify


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 26 Sep 2018 @ 11:06am

    Re:

    Well for one making it readily available is its own threat. It forces them to keep all of their data online and accessible instead of just periodically stowing it someplace offline in write only memory like tape drives or on its own isolated network. Keeping frozen data backups isn't kosher as it means deleted data could persist. Security isn't just in being impenetrable but also in limiting what there is to lose.

    The mandate means they need to keep the data accessible for read and write regardless of how secure they know or think they are.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.