Several data protection regulations permit individuals to request all personal information that an organization holds about them by means of Subject Access Requests (SARs). Prior work has examined the identification process for such requests and demonstrated weak policies that are vulnerable to potential data breaches. In this paper, we analyze and compare prior work in terms of methodologies, requested identification credentials and threat models in the context of privacy and cybersecurity. Furthermore, we devised a longitudinal study in which we examine the impact of responsible disclosures by re-evaluating the SAR authentication processes of 40 organizations after they had two years to improve their policies. We show that 53% of the previously vulnerable organizations have not corrected their policy, and that an additional 27% of previously non-vulnerable organizations have potentially weakened their policies instead of improving them, thus leaking sensitive personal information to potential adversaries. To better understand state-of-the-art SAR policies, we interviewed several Data Protection Officers, explored the reasoning behind their processes from an industry viewpoint, and gained insights into the potential criminal abuse of weak SAR policies. Finally, we propose several technical modifications to SAR policies that reduce the privacy and security risks faced by data controllers.
Keywords
- subject access request
- GDPR policies
- authentication issues
- social engineering
Revisiting Identification Issues in GDPR ‘Right Of Access’ Policies: A Technical and Longitudinal Analysis