Unintended Consequences: How The GDPR Can Undermine Privacy
from the be-careful-what-you-wish-for dept
We’ve highlighted a few times now, just how problematic the GDPR is. This is not because we don’t care about privacy — we do very much. We just think that the GDPR’s approach is not a very good one with a lot more downsides than upsides — and, it’s unlikely to do very much to actually protect your privacy. For example, we just wrote about the GDPR being used (successfully!) to try to erase a public court docket.
But not only do we think that the GDPR doesn’t actually protect your privacy, it might actually put it at much greater risk. Take the story of Jean Yang, who noted that someone hacked her Spotify account and then, thanks to GDPR requirements, was able to download her entire Spotify history.
Today I discovered an unfortunate consequence of GDPR: once someone hacks into your account, they can request–and potentially access–all of your data. Whoever hacked into my @spotify account got all of my streaming, song, etc. history simply by requesting it. ?
— Jean Yang (@jeanqasaur) September 11, 2018
That’s because, under the GDPR, platforms are supposed to make all of the data they have on you easily downloadable. The theory is that this will help you understand what a company has on you (and, potentially, to request certain data be deleted). But, it also means that should anyone else get access to your account, they could access an awful lot of important and/or personal data. Your Spotify interactions might not seem like that big of a deal, but plenty of other services could expose much more sensitive data (and, who knows, there are situations where your Spotify data might be quite sensitive as well).
As Jean notes in a later tweet, this kind of thing could really come back to bite other services, such as Lyft or Uber. She jokes: “Would be pretty bad to get hacked and kidnapped in the same day.”
There are possible technological solutions that could help (again, as Jean suggests), such as using multi-factor authentication to access your own data (one-time passwords, Yubikey, etc), but it’s telling that few companies (or regulators!) have really thought about that, because that vector of attack probably hasn’t occurred to many people. But, it probably will now.
This is, of course, yet another good example of the unintended consequences of regulating technology, even with good intentions. Very little thought has been put into the second and third order effects. Instead, you have a bunch of policymakers who think “platforms collecting too much data is bad, thus, we have to let people check on their own data.” It never occurs to them that this now creates a brand new route to accessing potentially valuable, sensitive and private data.
And, as an end result, a regulation designed to increase our privacy… could sometimes have the exact opposite effect.
Filed Under: breaches, data, data protection, gdpr, hacked accounts, privacy
Companies: spotify
Comments on “Unintended Consequences: How The GDPR Can Undermine Privacy”
Fake left, move right, explain up while moving down
Was it actually designed to increase privacy, or was a bunch of platitudes that supported one agenda or another thrown together so that it met a multitude of goals that were actually other than the ones stated? The process used to move it through the legislature certainly seems to suggest so.
NO, problem is Spotify and GIVING it your data in first place.
Nothing to do with GDPR as such, only with the foolishness of FOOLS who use the services of data monsters — which are guaranteed to be hacked at some time, anyway.
You cannot have both privacy and “cool” web features.
The Internet isn’t actually workable for civilization.
This is inherent in the corporatized Internet: they are rabid for getting every detail and tracking you. All that’s really needed is name and credit card number — PLUS high penalties for those getting “hacked”. — Masnick of course can never conceive of ANY change to what favors corporations.
Problems solved. GDPR is fine.
Though all the above deserves to be in caps and six-inch high font, Techdirt doesn’t provide the means for due emphasis.
Re: NO, problem is Spotify and GIVING it your data in first place.
Forgot some boiler-plate: this is more of Masnick screaming “the sky is falling!” from one data point. These pieces always exactly fit his bias, just as do stories a cult leader tells.
Re: Re: NO, problem is Spotify and GIVING it your data in first place.
Try again without the chest-beating and name-calling, and I might bother to read instead of skim. You’re vanishing in to background noise with your delivery.
Re: Re: Re: NO, problem is Spotify and GIVING it your data in first place.
the dood is a moron, and if you need truth delivered in a certain format before you are willing to listen then don’t bother even trying because truth will escape you forever because you will swallow well told lies at a much faster rate. Truth is much harder to swallow!
Re: Re: Re:2 NO, problem is Spotify and GIVING it your data in first place.
This would be true, if I accepted everything I listen to at face value.
I do not.
A well spoken argument may get me to listen, but does not necessarily get me to agree. But at least it got me to listen.
This dood who is an idiot is failing to pass the first hurdle of getting me to listen by wrapping what he has to say in bluster and accusation. I have chosen to tell him this, because I wanted to tell him this.
Re: Re: Re:3 NO, problem is Spotify and GIVING it your data in first place.
I dismissed him because he is full of crap, the bluster and accusation mean nothing to me.
Re: Re: NO, problem is Trane
Mr. Reck,
I’m pleased you have taken such an interest in this and clearly you have a solution. How does one go about using a service in such a way that it has no information related to your usage of it?
Are you proposing a paid service should not keep enough information on you to record your billing usage? This seems like a rather bizarre suggestion.
Re: Re: NO, problem is Spotify and GIVING it your data in first place.
There is literally no “sky is falling” in this article at all, had you bothered to read it.
Re: Re: NO, problem is Spotify and GIVING it your data in first place.
Question, as a combination free/paid service, Spotify must maintain information for customers who are paying, such as billing info and track who you are to provide paid benefits like no ads. Additionally, to pay out to rights holders Spotify must maintain a history of song plays. Additionally, Spotify allows you to know what songs you have recently played, requiring at least temporary association between a user (identified by account, device id, or ip) and a specific song play.
Nowhere in this article do we address the length of storage of that information, and no where do you address rationally the concept that Spotify might have information on you. No where do you address the idea that song plays might only be associated temporarily, and that any analytics for more than a week or month might be touching information with no user association. You just say they shouldn’t ever have data on you which seems odd.
Re: Re: Re: NO, problem is Spotify and GIVING it your data in first place.
_You just say they shouldn’t ever have data on you which seems odd._
I believe Wreck may be thinking that as an intrepid ghost, afraid to show his real identity, anyone who uses their real name on the internet is a fool. (Maybe? Hard to say, speculating here.)
So he is bravely pointing out that the only way to keep the global lawyers away is to use TOR and hide. (Like, say, a coward.)
This would preclude actually using any online services that aren’t free. Or require registration with a real email address. (As in verified as a working address.)
Makes me wonder what Reck and his hillfolk kin would do if Mike turned on the requirement for a valid email to post. Only a single checkbox in wordpress.
Re: Re: Re: NO, problem is Spotify and GIVING it your data in first place.
There are zero-knowledge methods to prove you’ve paid for a service without identifying yourself.
Not associated with specific people.
That’s something that could be optional.
Re: NO, problem is Spotify and GIVING it your data in first place.
Hey, Shlomo, it’s MY data and I’ll give it to whom I please.
And if a bunch of Eurocrats mandate that Spotify give out MY data in circumstances where neither I nor Spotify want to, then it’s the mandate (GDPR) that’s the problem.
The moreso that I don’t even live in the EU.
Re: NO, problem is Spotify and GIVING it your data in first place.
So how much is some special interest group paying you per comment?
Must be a pretty boring job just sitting in front of techdirt hitting F5 all day so you can be one of the first to post a comment bashing them.
Re: NO, problem is Spotify and GIVING it your data in first place.
“The internet isn’t actually workable for civilization”
Lord above it all make sense now. This man works in the EU parliament…
Re: NO, problem is Spotify and GIVING it your data in first place.
“NO, problem is Spotify and GIVING it your data in first place.”
OK, then, genius. Since the data requested was the history of the songs you played on the service, how the hell are you meant to use it without giving them that data. I’ll wait…
Do you have an answer, or is this just you trying to be somehow even more moronic than your typical ramblings?
> it’s MY data and I’ll give it to whom I please.
GDPR in no way prevents people who *want* to feed their data to corporations from doing so.
> And if a bunch of Eurocrats mandate that Spotify give out MY data in circumstances where neither I nor Spotify want to, then it’s the mandate (GDPR) that’s the problem.
GDPR doesn’t mandate that, so your problem here is imaginary.
Re: Re:
No, they mandated this:
So the GDPR made it easier and the platforms failed to be secure for their clients data. That doesn’t seem imaginary, but it does make the problem more than just the GDPR.
Re: Re: Re:
Re: Re: Re: Re:
You’re being willfully obtuse.
The subject being discussed is not the hacking of the account, but how much information is (easily) available once the account is compromised.
Re: Re: Re:2 Re:
That has nothing to do with GDPR, though.
If someone hacked your gmail account, they’d have access to all of the e-mail stored there. Does that mean Google is “undermining privacy” by allowing users to access their e-mail when they log in?
If someone hacked your Amazon account, they’d have access to your entire order history. Does that mean Amazon has been “undermining privacy” since their inception by allowing users to access their own order history when logged in?
Same goes for Google’s data “takeout” tool, Facebook’s data download tool, and pretty much any other situation where you can access your own data by being logged in to your account.
As usual, Mike is stretching as far as he possibly can to try to spin some idiot getting their Spotify account hacked into a “the sky is falling because of GDPR” advertising/surveillance industry propaganda post.
Re: Re: Re:3 Re:
Ah, the wilfully ignorant, always willing to try and skew what’s actually said in order to pretend there’s a conspiracy…
“If someone hacked your gmail account, they’d have access to all of the e-mail stored there”
But, not the entire message history, which is what is at stake here. I can’t access the history of messages long deleted, but someone can now request that.
I can go into my Spotify account and see recently played, but I can’t access an complete history of everything I’ve ever done there without requesting it. The GDPR makes it so that this is now not only possible, but required to be effortless.
Is that simple enough for you, or do we need to dumb it down further?
Re: Re: Re:4 Re:
Re: Re: Re:5 Re:
“GDPR only requires…”
One of the ongoing problems is that what the GDPR actually requires, what the GDPR is intended to require and what people interpret it as requiring are generally not the same thing. Companies appear to be breaking it regularly while implementing what they believe it needs.
“In the Case of Spotify the problem is that spotify just keeps all data. That is like your email provider just keeping all your emails “deleted” or not.”
Not really. A large part of Spotify’s service is recommending music to you based of what you and other people with similar tastes play. The only real analog to that in terms of email would be spam, but that’s far more generalised as most spam is obviously spam regardless of the target user. An email provider can provide a spam filter without access to your deleted emails, Spotify cannot recommend music without access to your play history.
Re: Re: Re:6 Re:
Hmmm… updating to Mojave and Vivaldi 2.0 appears to have broken TD cookies for me, I didn’t notice until after making numerous replies in a few threads!
PaulT
Re: Re:
Another feature of GDPR is that the “Right to be Forgotten” was implemented.
Thus, you can demand that they delete their data about you. I would highly recommend people using that at set intervals to avoid the situation mentioned in the article.
In that way you can at least control the size of data-stack a thirdparty can acquire legally.
Wishful thinking. Most of them will have never heard of this story. It won’t blow up all over the place, at least not until someone dies from it like outlined with the Uber example.
Re: Re:
I’m not sure it’s wishful thinking so much as it’s looking at a potential problem and realizing that more and more people are going to realize this is something to exploit.
If one person has already exploited it, others will as well. It’s these people looking to exploit that I think are being referred to, more than anybody else. Since it’s happened once, it’ll happen again.
Letting people see their own data does not decrease privacy. Having crappy security decreases privacy.
It’s always possible some hacker steals your data. It’s always possible your data gets sold to the next Cambridge Analytica or spied on more or less legally by any number of governments around the world. It would be truly weird if you yourself should be the last person in the world to see your own data.
And corporations collecting too much data on people IS bad. The best way to secure data is to not collect it.
Mike,
Would you have blamed Google if this user had their Google account(s) hacked and their data was obtained by a hacker using their pre-GDPR data download tool?
Something tells me the answer to that is no.
How exactly is the GDPR’s requirement that companies make readily available the data they have on an individual any different from Google Takeout, which has long since been lauded as a valuable tool of empowerment for Google users?
Re: Re:
One is a choice the other is a mandate. Guess which is which.
Re: Re: Re:
In the context of this post, both would be equally problematic if a hacker were to gain access to your account… so I’m not sure what your point is here.
If GDPR is “undermining privacy” by mandating allowing people to gain access to the data being stored on them, Google has been “undermining privacy” for years with their “takeout” feature.
Re: Re: Re: Re:
I thnk the hackers are the ones undermining privacy.
Blaming the GDPR for the conduct of hackers would be like blaming Section 230 for the conduct of those who defame others.
The difference being that the hackers cause the damage in both cases, whereas search engines cause 99 percent of the damage from defamation.
Re: Re: Re:2 Re:
“Blaming the GDPR for the conduct of hackers would be like blaming Section 230 for the conduct of those who defame others.”
You still haven’t got the faintest clue about what section 230 is, do you?
“whereas search engines cause 99 percent of the damage from defamation”
…but it’s in no way the responsibility of the sites that host the content they’re indexing? Please…
Re: Re: Re:
….what?
Are you advocating for the privacy of the company that holds your personal information?
Re: Re: Re: Re:
No, I use Google, but have turned off all the available options to turn off. If they are doing more, shame on them and when they get caught at it, there will be more to turn off, ie. the new accusation that when you go to a Google site you are automatically logged in. That, I expect, when sufficient user and world commendation takes place will be disabled.
The problem with GDRC is that it mandates what Google calls Takeout (which I have never heard of until today) and which I presume is an opt in service. With GDRC there is no opt in or out. The platforms are required to make information easily downloadable.
The hackers are merely making use of that (unusual) ability. That the GDRC demands that downloading client data be made ‘easy’ is merely making targets for hackers.
That websites are inherently insecure is not news (ask the developers who asked for the budget to do so and were turned down, we hear from them a lot). That they do nothing about it is not news. That they don’t do anything about it, given the demands of GDRC will eventually be really big news, and I suspect a whole lot of things will be done to secure websites. Especially after a few of them are sued for not taking appropriate precautions.
What are appropriate precautions? Time will tell as the vectors for attack will change. But there are things that can be done now (best practice stuff) and things that will need to be done in the future. Timeliness will become important if things are left as they are.
Websites will be sued. Users are stupid. 2F authentication is not the end all many think it is, (and yes that article is old, but what has changed?) What if you lose your Yubikey? What if your cellphone is stolen or lost? What if…what if…what if…? Biographical data (eye scan, finger print, dna, whatever) good for a login name. Password managers and a website that allows a 64 digit (or more if we need to) not just alpha/numeric passwords? Not many of them around, my bank won’t and I seriously wonder why.
And governments demand things with unintended consequences that they do not perceive partially because they fail to listen to experts (at least experts that don’t spend their time validating the outcome their clients want) and don’t think things through because their agenda doesn’t allow of any other outcome.
Re: Re: Re:2 Re:
Google Takeout is an “Opt In” service in the sense that you have to manually request them to give you your data.
In that sense, the GDPR’s mandate is also “Opt In”.
Re: Re:
Well for one making it readily available is its own threat. It forces them to keep all of their data online and accessible instead of just periodically stowing it someplace offline in write only memory like tape drives or on its own isolated network. Keeping frozen data backups isn’t kosher as it means deleted data could persist. Security isn’t just in being impenetrable but also in limiting what there is to lose.
The mandate means they need to keep the data accessible for read and write regardless of how secure they know or think they are.
Here in the USA -
Wait, we are worse with legislating pretty much anything. No really!
V-chip for the LOSS. Our congressmen (specifically white/old/men) are unqualified to use smart phones, must less actually read and understand the Constitution. So, pardon the fuck out of me, there is zero chance they could even stumble on good legislation of anything technical. Ever.
And this particular party of clowns makes me wonder if they can do anything besides giving benefits to the rich. All while having designs on removing entitlements to everyone that needs them.
Re: Here in the USA -
Wyden’s pretty good.
Of course Mikey here is friendly with some lawyers who are a ltitle TOO friendly with a hacker mob that has done, among other things, pretended to be other people to exploit the recovery feature on a website, i.e., typing in their address so the user info and other info pos up (not saying Mikey does this just that some of us check out his friends apparently better than he does).
I’m sure it’s a coincidence that his lawyer buddies have made a fortune using Section 230 and SLAPP to defend against libel suits that at times were instigated by the hacker mob defaming people known to be litgouis.
Mikey would NEVER comrproomise his journalistic int inteigrty, so I know he’s oblivious to all of this, because he’s just too busy deep in tough, deciding, with the purest of intentions, which side of any issue to support.
His positions are very consistent: when an internet user with a grudfge weaponizes Google and Section 230 to destroy someone’s reputation, the user is at fault, and when a HAKCER weaponizes the GDPR and Spotify to figure out which music they’ve listened to (oh the horror!), it’s the GDPR’s fault!
Sue the original speaker
Do NOT sue the hacker
Blame the GDPR instead
Re: Re:
“his lawyer buddies have made a fortune using Section 230 “
God forbid they make money defending people against lawsuits holding them responsible for things they didn’t do! They should just allow injustice to occur because some random asshole doesn’t like the target!
I’m sure you’re equally critical of the lawyers who attack people for actions for which they are clearly not responsible, right?
Re: Re:
not saying Mikey does this just that some of us check out his friends apparently better than he does
Or in other words, you just admitted to violating the CFAA. Care to turn yourself in?
Thought not, hypocrite.
Re:
It’s already clear that you have no clue what Section 230 is, but the casual mention of “SLAPP” makes me question if you have any clue what anything is. You’re throwing baseless accusations left and right just because you know you can get away with it.
Fortunately for you, Techdirt makes it easy for your comment to be buried and ignored forever, otherwise you might genuinely have a potential libel case against you to worry about. Perhaps you should try understanding what the laws actually are before continuously insulting others over their superior understanding of them?
There are several significant problems with the GDPR, one is its serious conflict with freedom of press, and the other is its general vagueness, which means a lot of what it actually means still has to be established by the courts. With regard to the latter, you see a lot of panic with various parties, restricting things where you can fully justify processing data under the GDPR, and on the other hand, parties who totally ignore the GDPR. A number of US sites even completely block whoever they deem coming from the EU: I find myself using Tor far more than before.
I think the case mentioned in this article shouldn’t be attributed to the GDPR. If services would treat data more as a toxic asset (see Bruce Schneier’s blog), much less of it would be available to leak. Sites need to get over their hoarding mentality. Then, if sites would take account security more serious, the second part of this problem would be less of an issue. Just keep data on people’s devices (or use a cloud storage of their choice for that purpose, making sure access codes always remain at the user’s end of the line) will greatly reduce the information Spotify would hold and thus can leak.