The GDPR Is A Wide Open Vulnerability For Identity Fraud And Scams

from the how-does-this-help-privacy-again? dept

We've spent the last year and a half or so pointing out that, while it may have been well-intentioned, there are all sorts of consequences -- whether intended or not -- to the EU's General Data Protection Regulation (GDPR), including giving more power to the giant internet companies (when many argued the GDPR was necessary to curb their power), censorship of media, and a way for the rich and famous to harass people. But, of course, some might argue that those are worthy trade-offs if it did a better job protecting people's privacy.

About that... Last year, we pointed out that one consequence of the GDPR was that, in making it easy to "download" your data, it could open up serious privacy consequences for anyone whose account gets hacked. In that story, we talked about someone having their Spotify account hacked and all of its data downloaded -- a situation that might not be that impactful. However, last week at Black Hat, James Pavur, a PhD student at Oxford, explained how he used GDPR access requests to obtain a large amount of private information about his fiancée.

In a presentation at the Black Hat security conference in Las Vegas, James Pavur, a PhD student at Oxford University who usually specialises in satellite hacking, explained how he was able to game the GDPR system to get all kinds of useful information on his fiancée, including credit card and social security numbers, passwords, and even her mother's maiden name.

"Privacy laws, like any other infosecurity control, have exploitable vulnerabilities," he said. "If we'd look at these vulnerabilities before the law was enacted, we could pick up on them."

In other words, in giving more "protection" over data, the EU has also opened up a new vulnerability. Here's how it worked:

Over the space of two months Pavur sent out 150 GDPR requests in his fiancée's name, asking for all and any data on her. In all, 72 per cent of companies replied back, and 83 companies said that they had information on her.

Interestingly, five per cent of responses, mainly from large US companies, said that they weren’t liable to GDPR rules. They may be in for a rude shock if they have a meaningful presence in the EU and come before the courts.

Of the responses, 24 per cent simply accepted an email address and phone number as proof of identity and sent over any files they had on his fiancée. A further 16 per cent requested easily forged ID information and 3 per cent took the rather extreme step of simply deleting her accounts.

That last one is kind of fascinating. What companies delete the accounts of people making a GDPR request? At least some of the companies required login info, but Pavur noted that in one case, he told the company he'd forgotten the login... and they gave him the data anyway.

"An organisation she had never heard of, and never interacted with, had some of the most sensitive data about her," he said. "GDPR provided a pretext for anyone in the world to collect that information."

This could be fixed, and one could argue that companies handing out this info without real proof of ID are, themselves, in violation of the GDPR. But, given how strict the GDPR is -- you have a very short time frame to return the info or face massive fines -- the incentive structure pushes companies to skip those formalities and just fork over the information, even if it goes straight into the hands of a scammer.
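The verification failure Pavur found is a specific, fixable engineering mistake: treating contact details supplied *in the request* as proof that the requester is the data subject. The following is an added example, written for this page and not taken from the article, Pavur's talk, or any company's DSAR tooling. It puts that weak check beside a stronger one, where the challenge goes to the email address the controller already holds for the account, and data is released only to whoever can present a one-time, time-limited token from that mailbox. The user store, the account "alice@example.org", the records, and the `outbox` list standing in for a mail gateway are all constructed for illustration.

```python
"""Added example (not from the article or Pavur's talk): a data subject
access request (DSAR) handler in two forms.

WeakDSAR mirrors the failure described above: the email address and phone
number typed into the request form are taken as proof of identity, so
anyone who knows those two details gets the file.

ChallengeDSAR sends a one-time, time-limited token to the email address the
controller ALREADY HOLDS for that account, and releases data only to whoever
presents it.  The requester's own contact details are never trusted.

All names, records and the user store are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time

# Constructed user store standing in for the data a controller already holds.
USERS = {
    "u1": {
        "email": "alice@example.org",
        "phone": "+44 7700 900123",
        "records": {"card_last4": "4242", "mother_maiden_name": "Smith"},
    },
}


class WeakDSAR:
    """Treats request-supplied contact details as identity proof (the 24% case)."""

    def handle(self, claimed_email, claimed_phone):
        for user in USERS.values():
            if user["email"] == claimed_email and user["phone"] == claimed_phone:
                return user["records"]  # nothing proved the requester controls that mailbox
        return None


class ChallengeDSAR:
    """Releases data only to someone who can read the mailbox on file."""

    TTL_SECONDS = 15 * 60

    def __init__(self, outbox, clock=time.time):
        self._key = secrets.token_bytes(32)  # binds tokens to this service instance
        self.outbox = outbox                 # constructed stand-in for an email gateway
        self.clock = clock                   # injectable so expiry can be exercised
        self._pending = {}                   # request_id -> (uid, token_mac, expiry)

    def _mac(self, request_id, token):
        msg = f"{request_id}:{token}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def open_request(self, claimed_email):
        """Step 1: look up the account; send the challenge to the address ON FILE."""
        request_id = secrets.token_urlsafe(8)
        uid = next((k for k, u in USERS.items() if u["email"] == claimed_email), None)
        if uid is not None:
            token = secrets.token_urlsafe(16)
            expiry = self.clock() + self.TTL_SECONDS
            self._pending[request_id] = (uid, self._mac(request_id, token), expiry)
            self.outbox.append({"to": USERS[uid]["email"], "request_id": request_id, "token": token})
        # Unknown addresses get the same reply and no message: no account enumeration.
        return request_id

    def complete(self, request_id, token):
        """Step 2: release records only against a fresh, unexpired, correct token."""
        entry = self._pending.pop(request_id, None)  # single use: a second try gets None
        if entry is None:
            return None
        uid, expected_mac, expiry = entry
        if self.clock() > expiry:
            return None
        if not hmac.compare_digest(expected_mac, self._mac(request_id, token)):
            return None
        return USERS[uid]["records"]


def demo():
    """Run both handlers against an impersonator who knows Alice's email and phone."""
    known_details = ("alice@example.org", "+44 7700 900123")
    results = {"weak_leaks": WeakDSAR().handle(*known_details) is not None}

    outbox = []
    now = [1_700_000_000.0]  # controllable clock for the expiry case
    svc = ChallengeDSAR(outbox, clock=lambda: now[0])

    rid = svc.open_request(known_details[0])            # impersonator files the request...
    results["impersonator_guess"] = svc.complete(rid, "not-the-token")  # ...but never sees the token

    rid = svc.open_request("alice@example.org")         # Alice files her own request
    results["alice_first"] = svc.complete(rid, outbox[-1]["token"])
    results["alice_replay"] = svc.complete(rid, outbox[-1]["token"])

    rid = svc.open_request("alice@example.org")
    now[0] += ChallengeDSAR.TTL_SECONDS + 1             # token left unused past its TTL
    results["alice_expired"] = svc.complete(rid, outbox[-1]["token"])

    sent_before = len(outbox)
    svc.open_request("nobody@example.org")              # unknown address: nothing is sent
    results["unknown_sends_nothing"] = len(outbox) == sent_before
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Two caveats a practitioner would add. First, this only proves control of the mailbox on file, the same bar as a password reset; if the account can be logged into, requiring an authenticated session is simpler and at least as strong, and a "forgot my login" plea (the case Pavur describes) should route to account recovery, not to the export. Second, the deadline problem is a process matter: record when the request was received and when identity was confirmed, so the response window can be accounted for rather than used as an excuse to skip the check.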

Filed Under: data, downloads, fraud, gdpr, privacy


Reader Comments

  • Michael, 16 Aug 2019 @ 10:33am

    "3 per cent took the rather extreme step of simply deleting her accounts"

    That's a fantastic response. A big middle finger to the EU - in response to GDPR requests they simply ensure any response would result in nothing.

    This must have been crafted by an engineer with a law degree.

    • Anonymous Coward, 16 Aug 2019 @ 10:43am

      Re:

      This must have been crafted by an engineer with a law degree.

      Or not. In general, one can't legally just delete data one is required to provide, and then claim "we have no data!". They might have screwed themselves: they're still required to send the data, and now have no way to do it.

      It's like deleting data in response to a subpoena. People have gone to prison for stuff like that.

      • Anonymous Coward, 16 Aug 2019 @ 1:05pm

        Re: Re:

        I doubt it is like a subpoena

        • Anonymous Coward, 16 Aug 2019 @ 2:15pm

          Re: Re: Re:

          I doubt it is like a subpoena

          Subpoenas and court orders have special legal treatment (eg. rules preventing data destruction), so no, it's not quite like that, but shows similar contempt for the law. Courts dislike such bad-faith actions.

  • Anonymous Coward, 16 Aug 2019 @ 10:52am

    Next week's news prediction: "Security Researcher James Pavur arrested for hacking, GDPR violations"

  • Anonymous Coward, 16 Aug 2019 @ 11:09am

    There is no "but"

    one could argue that companies handing out this info without real proof of ID are, themselves, in violation of the GDPR. But, ...

    There is no "but" here. The GDPR is not at fault for bad implementations of the GDPR any more than the law is at fault for LEOs' bad implementation of the law.

    Place the blame where it is due else your argument is no better than those blaming Google or S230 for things outside their purview.

    • Anonymous Coward, 16 Aug 2019 @ 11:13am

      Re: There is no "but"

      There is a "but," though, and it's spelled out for you just after the place where you cut off the quote. Unintended consequences are a law of laws. When you're crafting legislation, you have to consider the incentives you're creating.

      Sorry, but you're just wrong.

      • Anonymous Coward, 16 Aug 2019 @ 11:27am

        Re: Re: There is no "but"

        GDPR Article 12 clearly states "provided that the identity of the data subject is proven by other means." and "Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject." What more need be said?

        Sorry, you're wrong. Read it yourself. Here, I'll help you out:
        https://gdpr-info.eu/art-12-gdpr/

        • Anonymous Coward, 16 Aug 2019 @ 11:31am

          Re: Re: Re: There is no "but"

          You didn't actually respond to anything that either Mike or I said.

          Laws aren't magic, no system is perfect, and they all incentivize unintended behaviors. You're ignoring that and reiterating what the law says instead of looking at the behavior it incentivizes. Neither the laws nor this case exist in a vacuum.

          • Anonymous Coward, 16 Aug 2019 @ 11:35am

            Re: Re: Re: Re: There is no "but"

            I'm not ignoring anything. You, on the other hand, are ignoring the facts and seem to expect every law, rule and regulation to cover 100% of the ways it might be ignored and/or otherwise abused. The GDPR is clear and it requires that the data supplier verify the identity of the data subject before handing them the data. This article is about companies ignoring that directive. How is that at all the fault of the law?

            Yours is a sue-happy mentality that looks for any angle to blame someone else for your own actions.

            • Anonymous Coward, 16 Aug 2019 @ 11:39am

              Re: Re: Re: Re: Re: There is no "but"

              You are ignoring reality and engaging in magical thinking.

              • Anonymous Coward, 16 Aug 2019 @ 11:40am

                Re: Re: Re: Re: Re: Re: There is no "but"

                Strongest argument ever, folks.

                • Anonymous Coward, 16 Aug 2019 @ 11:42am

                  Re: Re: Re: Re: Re: Re: Re: There is no "but"

                  If I use too many words, you don't process them, and you instead fall back on magical thinking. I don't really know what you expect, given that.

                  • Anonymous Coward, 16 Aug 2019 @ 11:44am

                    Re: Re: Re: Re: Re: Re: Re: Re: There is no "but"

                    Says the guy with reading comprehension problems.

                    I spelled it out twice but you don't seem to get it. The law requires identification. The companies discussed in this article ignored the law. That is not the fault of the law.

                    I don't know how to simplify that any more for you.

                    • Anonymous Coward, 16 Aug 2019 @ 11:45am

                      Re: Re: Re: Re: Re: Re: Re: Re: Re: There is no "but"

                      I understand the law. The disconnect here is that you don't understand how the law fits into the real world.

                      • Stephen T. Stone (profile), 16 Aug 2019 @ 12:35pm

                        Then explain it to us in detail, since you believe you understand it so well.

                        • Anonymous Coward, 16 Aug 2019 @ 12:42pm

                          Re:

                          I could write an essay spelling it out for you, but you'd still be stupid when I was done. So I'm not doing that.

                          • Stephen T. Stone (profile), 16 Aug 2019 @ 1:21pm

                            “I could, but I won’t” is a funny way of saying “I can’t”.

                            • Mitch, 20 Aug 2019 @ 7:09am

                              Re:

                              I agree with Stephen T. Stone. I wonder if "Anonymous Coward" has ever been responsible for dealing with GDPR?

                              GDPR is clear on the identity requirement. If companies choose to ignore this part of the regulation, they are in error, and potentially subject to penalties.

                              Of course there will be unintended consequences, but the only unintended consequences here seem to be employees who work for the queried organizations ignoring, or being ignorant of, the identity vetting requirement.

                    • James Burkhardt (profile), 16 Aug 2019 @ 12:30pm

                      Re: Re: Re: Re: Re: Re: Re: Re: Re: There is no "but"

                      The law does not require the cited additional verification. It allows a provider to request it.

                      Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request...the controller may request the provision of additional information necessary to confirm the identity of the data subject

                      There are two areas I have emphasized. The latter only provides that they can, not that they must, request additional information if they have reasonable suspicion. Not it must, it may. And as we have seen here in the US, standards like 'reasonable doubts' are hotly contested. If the court disagrees, it could place the start of the timer at the original request, not at the end of the verification. Therefore, there is little incentive to request the verification, as under the law they do not need to. So either they request verification and risk a court deciding they don't have reasonable doubt, or just provide the requested info and hide behind the law that they are not required to request additional verification.

                      That is why Techdirt highlights the problem being short deadlines and large fines - they incentivize the wrong behavior, particularly when dealing with unsettled legal standards.

                      • Anonymous Coward, 16 Aug 2019 @ 1:33pm

                        Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: There is no "but"

                        As far as the portions I quoted this is true. However, other sections of the law add more coverage to this topic. For example, Art. 5.1f states

                        processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

                        I agree that this specific area is more vague than it ought to be. But I also argue that a thorough reading of the law doesn't leave much room for error on this point.

          • Anonymous Coward, 16 Aug 2019 @ 12:17pm

            Re: Re: Re: Re: There is no "but"

            You didn't actually respond to anything that either Mike or I said.

            It directly responds to Mike's text "given that the GDPR is so strict -- you have a very short time frame to return the info or face massive fines". If the clock truly doesn't start until after verification, I see no incentive to respond without checking.

            • James Burkhardt (profile), 16 Aug 2019 @ 12:23pm

              Re: Re: Re: Re: Re: There is no "but"

              It's not strong. When a provider has 'reasonable doubts' (something the courts might disagree with the company on) it may request additional information. Not it must, it may. Therefore, there is no incentive to request the verification, as under the law they do not need to. So either they request verification and risk a court deciding they don't have reasonable doubt, or just provide the requested info and hide that they are not required to request additional verification.

              • Anonymous Coward, 16 Aug 2019 @ 12:55pm

                Re: Re: Re: Re: Re: Re: There is no "but"

                Not it must, it may. therefore, there is no incentive to request the verification, as under the law they do not need to.

                But they do need to. They'll be out of compliance with the GDPR if they release without proper authorization. The quoted text doesn't override that obligation, and should have been written more clearly to say that. Your point about "reasonable doubt" is valid.

              • Anonymous Coward, 16 Aug 2019 @ 1:34pm

                Re: Re: Re: Re: Re: Re: There is no "but"

                See my response above to your earlier comment. The law as a whole does cover this in more detail than the bits I originally quoted.

            • Anonymous Coward, 16 Aug 2019 @ 12:26pm

              Re: Re: Re: Re: Re: There is no "but"

              It only "directly responds to Mike's text" if you remove all context and pretend one tiny snippet of "Mike's text" exists in a vacuum.

              • Anonymous Coward, 16 Aug 2019 @ 2:20pm

                Re: Re: Re: Re: Re: Re: There is no "but"

                Is that not Mike's thesis? That the need for a quick response, to avoid heavy fines, creates a perverse incentive structure? If the law actually does allow them to take their time to do this properly, it undermines the point.

  • Anonymous Cowherd, 16 Aug 2019 @ 12:44pm

    Allowing people control of their own data is a good thing. Though if the law allows, or does not properly punish, handing out data without verifying the requester's identity that may be a point of adjustment.

  • Anonymous Coward, 16 Aug 2019 @ 3:38pm

    "Real proof of ID"

    Real proof of ID is more difficult than most people realize.

    • Anonymous Coward, 16 Aug 2019 @ 4:00pm

      Re: "Real proof of ID"

      Granted. But "email and phone number" is pretty obviously insufficient. Email address and phone number alone do not meet any reasonable definition of "good enough". The companies that gave out the data without requiring some additional proof of identity are now liable for all the damages/compensation laid out in the GDPR. No court in any land would conclude otherwise, particularly not in the EU where all of this matters.

  • Anonymous Coward, 17 Aug 2019 @ 12:16pm

    of course it isn't! just ask the pricks who voted it in! those who just happen to be given immunity from it, like everything else that 'only affects ordinary people'!!
