1. bookVolume 2022 (2022): Issue 2 (April 2022)
Journal Details
License
Format
Journal
eISSN
2299-0984
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
access type Open Access

Revisiting Identification Issues in GDPR ‘Right Of Access’ Policies: A Technical and Longitudinal Analysis

Published Online: 03 Mar 2022
Page range: 95 - 113
Received: 31 Aug 2021
Accepted: 16 Dec 2021
Journal Details
License
Format
Journal
eISSN
2299-0984
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
Abstract

Several data protection regulations permit individuals to request all personal information that an organization holds about them by utilizing Subject Access Requests (SARs). Prior work has observed the identification process of such requests, demonstrating weak policies that are vulnerable to potential data breaches. In this paper, we analyze and compare prior work in terms of methodologies, requested identification credentials and threat models in the context of privacy and cybersecurity. Furthermore, we have devised a longitudinal study in which we examine the impact of responsible disclosures by re-evaluating the SAR authentication processes of 40 organizations after they had two years to improve their policies. Here, we demonstrate that 53% of the previously vulnerable organizations have not corrected their policy and an additional 27% of previously non-vulnerable organizations have potentially weakened their policies instead of improving them, thus leaking sensitive personal information to potential adversaries. To better understand state-of-the-art SAR policies, we interviewed several Data Protection Officers and explored the reasoning behind their processes from a viewpoint in the industry and gained insights about potential criminal abuse of weak SAR policies. Finally, we propose several technical modifications to SAR policies that reduce privacy and security risks of data controllers.

Keywords

[1] Ausloos, J., and Dewitte, P. Shattering one-way mirrors - data subject access rights in practice. International Data Privacy Law 8, 1 (03 2018), 4–28.10.1093/idpl/ipy001 Search in Google Scholar

[2] Boniface, C., Fouad, I., Bielova, N., Lauradoux, C., and Santos, C. Security Analysis of Subject Access Request Procedures How to authenticate data subjects safely when they request for their data. In Annual Privacy Forum (2019).10.1007/978-3-030-21752-5_12 Search in Google Scholar

[3] Bufalieri, L., Morgia, M. L., Mei, A., and Stefa, J. GDPR: When the Right to Access Personal Data Becomes a Threat. In 2020 IEEE International Conference on Web Services (ICWS) (2020), pp. 75–83. Search in Google Scholar

[4] Cagnazzo, M., Holz, T., and Pohlmann, N. GDPi-Rated – Stealing Personal Information On- and Offline. In Computer Security – ESORICS 2019 (Cham, 2019), K. Sako, S. Schneider, and P. Y. A. Ryan, Eds., Springer International Publishing, pp. 367–386.10.1007/978-3-030-29962-0_18 Search in Google Scholar

[5] CCPA. California Consumer Privacy Act, 2018. Cal. Legis. Serv. Ch.55 (A.B. 375). Search in Google Scholar

[6] Cormack, A. Is the Subject Access Right Now Too Great a Threat to Privacy? European Data Protection Law Review 2 (2016), 15–27. Search in Google Scholar

[7] Das, S., Kim, A., Jelen, B., Streiff, J., Camp, L. J., and Huber, L. Towards Implementing Inclusive Authentication Technologies for Older Adults. In Who Are You?! Adventures in Authentication Workshop (Santa Clara, California, USA, Aug. 2019), WAY ’19, pp. 1–5. Search in Google Scholar

[8] Di Martino, M., Robyns, P., Weyts, W., Quax, P., Lamotte, W., and Andries, K. Personal Information Leakage by Abusing the GDPR “Right of Access”. In Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security (2019), SOUPS’19, USENIX Association, p. 371–386. Search in Google Scholar

[9] Galetta, A., Fonio, C., and Ceresa, A. Nothing is as it seems. The exercise of access rights in Italy and Belgium: dispelling fallacies in the legal reasoning from the ‘law in theory‘ to the ‘law in practice‘. International Data Privacy Law 6 (11 2015), ipv026.10.1093/idpl/ipv026 Search in Google Scholar

[10] Google Inc. Stronger security for your Google Account. https://www.google.com/landing/2step/, accessed on April 21st 2021. Search in Google Scholar

[11] Herrmann, D., and Lindemann, J. Obtaining personal data and asking for erasure: do app vendors and website owners honour your privacy rights? In Sicherheit 2016 - Sicherheit, Schutz und Zuverlässigkeit (Bonn, 2016), M. Meier, D. Reinhardt, and S. Wendzel, Eds., Gesellschaft für Informatik e.V., pp. 149–160. Search in Google Scholar

[12] Kröger, J. L., Lindemann, J., and Herrmann, D. How Do App Vendors Respond to Subject Access Requests? A Longitudinal Privacy Study on IOS and Android Apps. In Proceedings of the 15th International Conference on Availability, Reliability and Security (New York, NY, USA, 2020), ARES ’20, Association for Computing Machinery.10.1145/3407023.3407057 Search in Google Scholar

[13] Kutyłowski, M., Lauks-Dutka, A., and Yung, M. Gdpr – challenges for reconciling legal rules with technical reality. In Computer Security – ESORICS 2020 (2020), L. Chen, N. Li, K. Liang, and S. Schneider, Eds., Springer International Publishing, pp. 736–755. Search in Google Scholar

[14] Mahieu, R. L. P., Asghari, H., and van Eeten, M. Collectively exercising the right of access: individual effort, societal effect. Internet Policy Review 7, 3 (2018). Search in Google Scholar

[15] Markert, P., Farke, F., and Dürmuth, M. View The Email to Get Hacked: Attacking SMS-Based Two-Factor Authentication. In Who Are You?! Adventures in Authentication Workshop (Santa Clara, California, USA, Aug. 2019), WAY ’19, pp. 1–6. Search in Google Scholar

[16] Mustafa, H., Xu, W., Sadeghi, A. R., and Schulz, S. You Can Call but You Can’t Hide: Detecting Caller ID Spoofing Attacks. In 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (2014), pp. 168–179. Search in Google Scholar

[17] Pavur, J., and Knerr, C. GDPArrrrr: Using Privacy Laws to Steal Identities. CoRR abs/1912.00731 (2019). Search in Google Scholar

[18] Petrlic, R. Identitätsprüfung bei elektronischen Auskunftsersuchen nach Art. 15 DSGVO. Datenschutz und Datensicherheit - DuD 43, 2 (Feb. 2019), 71–75. (German).10.1007/s11623-019-1066-x Search in Google Scholar

[19] Samarin, N., Kothari, S., Siyed, Z., Wijesekera, P., Fischer, J., Hoofnagle, C., and Egelman, S. Investigating the Compliance of Android App Developers with the CCPA. In 5th Workshop on Technology and Consumer Protection (ConPro ’21) (2021), Association for Computing Machinery. Search in Google Scholar

[20] Syrmoudis, E., Mager, S., Kuebler-Wachendorff, S., Pizzinini, P., Grossklags, J., and Kranz, J. Data Portability between Online Services: An Empirical Analysis on the Effectiveness of GDPR Art. 20. Proceedings on Privacy Enhancing Technologies 2021, 3 (2021), 351–372. Search in Google Scholar

[21] The European Parliament and the Council. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281 (November 1995). Search in Google Scholar

[22] The European Parliament and the Council. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119 (May 2016), 1–88. Search in Google Scholar

[23] Urban, T., Degeling, M., Holz, T., and Pohlmann, N. “Your Hashed IP Address: Ubuntu.”: Perspectives on Transparency Tools for Online Advertising. In Proceedings of the 35th Annual Computer Security Applications Conference (New York, NY, USA, 2019), ACSAC ’19, Association for Computing Machinery, p. 702–717. Search in Google Scholar

[24] Urban, T., Tatang, D., Degeling, M., Holz, T., and Pohlmann, N. A Study on Subject Data Access in Online Advertising After the GDPR. In Data Privacy Management, Cryptocurrencies and Blockchain Technology (Cham, 2019), C. Pérez-Solà, G. Navarro-Arribas, A. Biryukov, and J. Garcia-Alfaro, Eds., Springer International Publishing, pp. 61–79.10.1007/978-3-030-31500-9_5 Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo