Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
EU Privacy Social Networks The Internet Technology

Researchers Show How Europe's Data Protection Laws Can Dox People (vice.com) 52

An anonymous reader quotes a report from Motherboard: Europe's controversial privacy law, the General Data Protection Regulator -- better known as GDPR -- has been hailed by some as a solution to tech companies' pervasive data collection and tracking. What maybe no one saw coming is that GDPR can become another tool in the arsenal of enterprising and malicious social engineers, hackers, and people who want to dox and harass others. That's what Ph.D student and cybersecurity researcher James Pavur discovered when he and his fiance -- and co-author on their paper -- Casey Knerr made an unusual wager about using GDPR's right of access requests -- a mechanism that allows Europeans to ask any company about what data they have on themselves -- with the goal of extracting sensitive information.

Along with his fiance Knerr, who also works in the infosec industry -- and with her full consent -- Pavur devised a clever, yet very simple experiment. He started with just Knerr's full name, a couple of email addresses, phone numbers, and any other low-hanging fruit that he could find online. In other words, "the weakest possible form of attack," as he put it in his paper. Then, he sent requests to 75 companies, and then to another 75 using the new data -- such as home addresses -- he found through the first wave of requests using an email address designed to look like that of Knerr. Thanks to these requests, Pavur was able to get his fiance's Social Security Number, date of birth, mother's maiden name, passwords, previous home addresses, travel and hotel logs, high school grades, partial credit card numbers, and whether she had ever been a user of online dating services.
"Pavur and Knerr said 25 percent of companies never responded. Two thirds of companies, including online data services, responded with enough information to reveal that Pavur's fiance had an account with them. Of those who responded, 25 percent provided sensitive data without properly verifying the identity of the sender.

Another 15 percent requested data that could have easily been forged, while 40 percent requested identifying information that would've been relatively hard to fake, according to the study.
This discussion has been archived. No new comments can be posted.

Researchers Show How Europe's Data Protection Laws Can Dox People

Comments Filter:
  • Paved with good intentions etc.
    • This always happens when government intervention tries to do something good: unintended consequences. Now instead of improving privacy, hackers can just go around demanding your personal details from everybody you interact with. And every web site you visit, you get an annoying pop up message about "how we use cookies" that you have to click through. Thanks a lot, really making the world a better place.
      • by JaredOfEuropa ( 526365 ) on Saturday August 10, 2019 @02:48AM (#59073232) Journal
        I’m not so sure the cookie law had a lot to do with good intentions. Everyone remotely knowledgable about IT warned beforehand that the law would only lead to annoyance while solving nothing.

        The GDPR is another matter. And what TFA deceives is not so much a problem of the law, but of companies not properly verifying identities or even understanding basic authentication or security. It’s nothing new either, hackers used similar methods to obtain SIM clones from providers in order to hijack high profile social media accounts. The solution is not do do away with the GDPR.
      • by kubajz ( 964091 )
        So what would be your solution? Not allowing me to ask companies what data they have on me? Also, note that providing the personal data to someone else than the data subject is clearly a violation of GDPR - so to me, it does not seem like a failure of the legislation.
      • This always happens when government intervention tries to do something good: unintended consequences.

        Silly generalisations aside (no it doesn't "always happen") this is not the result of this law but rather a complete lack of due diligence by companies. The likes of Facebook and Google have policies to hand over your data long before GDPR existed. All the GDPR did was mandate a similar mechanism. Likewise we have had an endless string of social engineering attacks in the past 10 years handing over complete control over an account to some 3rd party, in some cases with quite public effects such as the releas

    • Pueblok infotainmentees is DOâXING!

      The net completely went to shit when doxing became a fucking thing. Sorry kids and dumb fucks information wants to be free plz ENJOY IT. It's been 20 years of something more pathetic than the previous year and hand in hand with the idea of doxing being the most fucked up neutering of the net we have ever seen!

  • by Richard_at_work ( 517087 ) on Friday August 09, 2019 @07:51PM (#59072606)

    This has nothing inherently to do with the GDPR, and everything to do with companies not having a proper, legally approved process for handling Subject Access Requests or simply not following their approved processes - it's pretty much certain that these same companies that failed in this test would have failed under the older UK Data Protection Act requests as well (which are broadly similar in terms of Subject Access Requests as the GDPR).

    In short, it's a hit piece on the GDPR - the same would have happened under the UKs pre-GDPR data laws as well.

    • Re: (Score:2, Insightful)

      by guruevi ( 827432 )

      And that is exactly the problem. The law tells companies to do something but neither party has any idea how to do it properly and the government doesn't end up holding the cost of these implementations.

      Now every company has to have a clearinghouse with much more private information just to verify the information they want to hold which as a result makes stuff less private. This is off course very predictable and all of us real cyber security nerds have been telling people for years the GDPR and co is a stup

      • by Richard_at_work ( 517087 ) on Friday August 09, 2019 @10:03PM (#59072872)

        There is copious guidance given by the EU and various individual governments on how to implement these checks.

        And when businesses have been fucking up with peoples data and privacy so badly like they have ever since the internet became a thing, the government certainly has business getting involved in business - the GDPR is a good thing, businesses need to understand that my data is no longer theirs to do with as they wish. The American ideal of "the market will sort itself out" is patently false and broken when it comes to consumer protections.

        • by AHuxley ( 892839 )
          The EU "guidance" is in giving the information out.
          Not on asking a person to walk in as a person with photo ID and then get the information in person.
          • Not on asking a person to walk in as a person with photo ID and then get the information in person.

            This would be unpractical to the point of making the GDPR moot. Most people from, say, Romania wouldn't be able to just make a trip to Irland to appear in person at the Facebook offices there to prove their identity. And that's just looking at the GDPR within the EU. The GDPR also governs companies from all over the world that do business within the EU. Travelling to the States or to Asia just to prove ones identity would be impossible to practically everyone.

      • by rtb61 ( 674572 ) on Friday August 09, 2019 @10:24PM (#59072926) Homepage

        Ijiot, all this just proves is that corporations should not have that information in the first place unless they are legally required to do so by law. The message to corporations MIND YOUR OWN FUCKING BUSINESS and it is quite clear corporations can not be trusted with this information and should be punished for attempting to do so, severe custodial sentences for all individuals involved.

        • by guruevi ( 827432 )

          In Europe especially you have to hold a lot of information by law. Whether it's tax law, employment law, terrorism law, copyright law - most transactions are required to be kept track of in great detail so the government can later demand them directly or report on them.

          Point in fact, if you read the GDPR you are required to keep track of any data used just to make a query whether the data exist. So even if you don't keep data if anyone, if anyone asks, you are now required to keep track of their data just s

      • by AmiMoJo ( 196126 ) on Saturday August 10, 2019 @03:02AM (#59073244) Homepage Journal

        I have no sympathy for these companies. They had years to get their systems straightened out, the rules are clear and compliance isn't difficult at all. They just didn't bother, and even a few years down the road are often incapable of servicing these legal requests properly.

        That tells us that they probably aren't handling our personal data properly either. We need to get to a point where personal data is properly protected, and any company that can't reach that low bar needs to stop processing it.

        I've submitted nearly 100 SARs so far. Some of them are very smooth and properly managed, but many are not. I had trouble with PayPal, for example, because they needed me to log in to make the request. I don't have an account. That one had to go through two national regulators to get fixed. Apple had the same problem but were able to fix it rather more quickly.

      • The law tells companies to do something but neither party has any idea how to do it properly and the government doesn't end up holding the cost of these implementations.

        OMG the government doesn't cover the cost of doing business?

        Now every company has to have a clearinghouse with much more private information just to verify the information they want to hold which as a result makes stuff less private.

        Or they could hoard less data. Crazy I know.

        • by guruevi ( 827432 )

          Having a single IP address in your server logs is enough to require GDPR compliance. And then, as I said, you are required to collect more information just to keep track of that IP address just so later some SJW or criminal can demand whether you have any information on their (perhaps illegal) actions and delete it, which you can't because of EU terrorism and copyright regulation.

          • Having a single IP address in your server logs is enough to require GDPR compliance.

            If he IP address isn't sufficient to identify a person then no you don't have to. And if you're worried, then don't log it forever. There is no requirement under the GDPR to instantly respond to any deletion requests, so delete your logs and you're fine.

            just so later some SJW

            Have you finished your 2 minutes hate yet? We know how this goes: you screech about SJW, then on the assumption that all SJW are evil, anything done by

      • The law tells companies to do something but neither party has any idea how to do it properly and the government doesn't end up holding the cost of these implementations.

        It's not up to the government to change your diapers. When we live in a world of a government that actively prevents you from being negligent through regulation that is called a "nanny state" and it's a bad thing.

        The government should not end up holding the cost. I'm no fan of the USA "sue everyone" approach, but I do wish in Europe people would take a more active role at punishing companies who are negligent (such as handing over your data without due diligence) and not rely on governments to do it.

    • You mean private companies don't magically run themselves with the same accountability as government employees just because someone passed a law? NO WAY. INCREDIBLY SHOCKING.

      The submissions point is damn important. The EU has "legislated" a mechanism with checks to actually ensure it isn't being abused. They might as well be legislating that the sky should be sunny--they'd have a higher compliance rate in most countries.

      • Yeah, fuck legislation, it doesn't solve anything. Let's get rid of it. All of it.

        Companies that fail to do proper identification checks for Subject Access Requests can be referred to the information commissioners office and face large fines - fines designed to actually threaten a companies existence if they continually fail to act properly.

        So yeah, the EU legislated, and they also legislated teeth for it. Like a legislative body should.

  • by anarcobra ( 1551067 ) on Friday August 09, 2019 @07:57PM (#59072614)
    People already do this constantly, with and without GDPR.
    • Re: (Score:2, Troll)

      You missed the point entirely. They used GDPR, which carries a __threat of law__ to get their personal information. Except it wasn't their information.

      You shoot an e-mail to random company X "I want my data" and they'll ignore it. You shoot them "per GDPR I want my data" they're going to comply with the assumption they'll be sued if they don't.

      Stop intentionally conflating what's going on here.

  • Did anyone else lose the ability? If this is real I guess this is the transition from slashdot being for geeks to being a safe place for "nerds"
  • Blame a law... (Score:5, Insightful)

    by VeryFluffyBunny ( 5037285 ) on Friday August 09, 2019 @10:11PM (#59072894)

    ...because people break it? Yes, if we didn't have the GDPR, none of these companies would need to know how to adequately verify someone's identity before handing over their personal data.

    By the same logic, if we got rid of road safety laws, there would be a sharp reduction in the number of driving offences & prosecutions. However, I wouldn't want to go anywhere near a road in a country where they did that.

    • Without GDPR they wouldn't HAVE to give any data at all... so they wouldn't.

      And stop conflating the issue. Nobody is saying "GDPR is bad for us, get rid of it." They're saying "GDPR has a loop-hole, fix the goddamn loophole."

      • Re:Blame a law... (Score:4, Informative)

        by MS ( 18681 ) on Saturday August 10, 2019 @02:59AM (#59073242)

        The alleged loophole is already fixed by design: the GDPR doesn't allow companies to give private data to unauthorized persons. It's the 25% of companies who responded without checking who asked for it, that didn't respect the GDPR.

        • May I add an excerpt from the GDPR relating to requests about personal data:
          "(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers"

      • Without GDPR they wouldn't HAVE to give any data at all... so they wouldn't.

        Is that why Google and Facebook will happily hand over your data to you and did so in the USA before the GDPR is a thing?

        Don't be silly.

      • by guruevi ( 827432 )

        The GDPR is bad for us. Don't conflate the issue, the GDPR is designed for more information to be collected so the government can eventually get involved and demand it all into a central database because by design it's impossible to comply with GDPR.

        There is no conceivable way for private industry to either comply or fix the issue. Non compliance is the fix. Companies can simply say: we don't collect sufficient information to be able to verify your identity so we cannot release the data - which the EU would

    • ...because people break it? Yes, if we didn't have the GDPR, none of these companies would need to know how to adequately verify someone's identity before handing over their personal data.

      By the same logic, if we got rid of road safety laws, there would be a sharp reduction in the number of driving offences & prosecutions. However, I wouldn't want to go anywhere near a road in a country where they did that.

      It would seem to me that having a government run request system, where the user was identified via information on an official registry and contacted to confirm the request by say SMS or email would make such DOX attacks harder. No system is perfect but it would at least add a level of verification. Once verified, the request is forward to the appropriate contact at the company for fulfillment. Companies verifies request is genuine through government portal and the sends the info to the requester at an addre

      • by guruevi ( 827432 )

        Yes, please have the GOVERNMENT collect all my private data into a website and then keep track of all the private entities I interact with.

        That's the end goal of GDPR, government control and regulation. EU privacy is f--ked.

  • by Martin S. ( 98249 ) on Saturday August 10, 2019 @12:08AM (#59073056) Journal

    The vice article is a roast on EU data protection laws. The problem here is not the laws but corporations lack of respect in upholding them or having proper process in place to ensure compliance which makes vices's spin all the more ironic.

    There is a far less emotive write ups at the register and BBC.

    https://www.bbc.co.uk/news/tec... [bbc.co.uk]

    https://www.theregister.co.uk/... [theregister.co.uk]

  • Controversial? (Score:4, Interesting)

    by Gonoff ( 88518 ) on Saturday August 10, 2019 @08:36AM (#59073636)

    Europe's controversial privacy law, the General Data Protection Regulator -- better known as GDPR

    Two problems with that line...

    1. The R in GDPR stands for regulations, not regulator.

    2. The GDPR is about as uncontroversial as it gets.

    A large part of the public does not care about it. Those of them who had, immediately dropped it when they found it was "to do with computers" and they think that phones are something else. They haven't clocked that it applies to paper, CCTV and all sorts of other stuff.

    Those of us who work in information systems do not find it very controversial either. Certainly, it is a hassle, but so are speed limits, planning rules and waste recycling rules. I can follow them quite happily (even the speed limits if I am paying attention) as they exist for good reason. GDPR is a positive update of previous laws.

    The only objections I come across to GDPR are from websites in the USA who object to the idea that their misuse of my data might be curtailed. There are some who have just not got round to dealing with it. After all, it is not much more than 3 years since the whole thing was finalised and made available. It is only 12 months since it went live...

  • What a shock. GDPR not only fails to provide any benefit, costs tech companies millions, and, oh yeah, provides a new attack vector to malicious actors.

    And the winners are... the usual suspects: lawyers, legislators, and lobbyists for entrenched interests.
  • Europe's controversial privacy law, the General Data Protection Regulator -- better known as GDPR

    Controversial for whom ? Definitely not the customers

"Life sucks, but death doesn't put out at all...." -- Thomas J. Kopp

Working...