Researchers Show How Europe's Data Protection Laws Can Dox People (vice.com)
An anonymous reader quotes a report from Motherboard: Europe's controversial privacy law, the General Data Protection Regulator -- better known as GDPR -- has been hailed by some as a solution to tech companies' pervasive data collection and tracking. What maybe no one saw coming is that GDPR can become another tool in the arsenal of enterprising and malicious social engineers, hackers, and people who want to dox and harass others. That's what Ph.D. student and cybersecurity researcher James Pavur discovered when he and his fiancée -- and co-author on their paper -- Casey Knerr made an unusual wager about using GDPR's right of access requests -- a mechanism that allows Europeans to ask any company about what data they have on themselves -- with the goal of extracting sensitive information.
Along with his fiancée Knerr, who also works in the infosec industry -- and with her full consent -- Pavur devised a clever, yet very simple experiment. He started with just Knerr's full name, a couple of email addresses, phone numbers, and any other low-hanging fruit that he could find online. In other words, "the weakest possible form of attack," as he put it in his paper. Then, he sent requests to 75 companies, and then to another 75 using the new data -- such as home addresses -- he found through the first wave of requests, using an email address designed to look like that of Knerr. Thanks to these requests, Pavur was able to get his fiancée's Social Security Number, date of birth, mother's maiden name, passwords, previous home addresses, travel and hotel logs, high school grades, partial credit card numbers, and whether she had ever been a user of online dating services. Pavur and Knerr said 25 percent of companies never responded. Two thirds of companies, including online data services, responded with enough information to reveal that Pavur's fiancée had an account with them. Of those who responded, 25 percent provided sensitive data without properly verifying the identity of the sender.
Another 15 percent requested data that could have easily been forged, while 40 percent requested identifying information that would've been relatively hard to fake, according to the study.
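The three failures the summary reports are trusting a sender address that merely looks like the customer's, confirming to an unverified requester that an account exists, and releasing data with no proof of identity at all. The following is an added example, written for this thread and not code from the paper or from any company named in the article, of a request-handling gate that closes all three: it never replies with account-specific content, never sends a verification challenge anywhere except the address already on file (so a lookalike From: or Reply-To: header gains the attacker nothing), and releases data only to whoever presents the single-use token that went to that address. The customer table, the addresses, and the in-memory outbox and token store are constructed for illustration; a real deployment would back them with mail delivery and a store with expiry.

```python
"""Identity gate for GDPR right-of-access (subject access) requests.

Added example for this thread; not code from the paper or from any company
named in the article. Customer records, addresses, the outbox and the token
store are all constructed, in-memory stand-ins.
"""
import hashlib
import secrets
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Constructed records, keyed by the canonical email address on file.
CUSTOMERS = {
    "casey@example.com": {"name": "Casey Example", "orders": 3},
}

# One wording for every inbound request, so the reply itself cannot act as
# an oracle for whether the named address has an account.
NEUTRAL_REPLY = ("If we hold personal data for the address you named, "
                 "a verification link has been sent to that address.")

PENDING: dict = {}   # sha256(token) -> on-file address (constructed store)
OUTBOX: list = []    # (recipient, token) pairs; stand-in for mail delivery


def canonical_email(addr: str) -> str:
    """NFKC-fold and lower-case; IDNA-encode the domain so a Unicode
    lookalike domain becomes an xn-- label that cannot equal the ASCII
    domain on file. Returns '' for anything that is not a usable address."""
    addr = unicodedata.normalize("NFKC", addr.strip()).lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return ""
    try:
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return ""
    return f"{local}@{domain}"


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used only to flag near-miss addresses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, on_file: str) -> str:
    """'exact' only on a canonical byte-for-byte match. 'lookalike' flags a
    typo-squat, an extra dot, or an IDN (xn--) domain where the on-file one
    is ASCII. This is a risk signal for the case handler, never proof."""
    s, f = canonical_email(sender), canonical_email(on_file)
    if s and s == f:
        return "exact"
    if s and ("xn--" in s.rpartition("@")[2] or _edit_distance(s, f) <= 3):
        return "lookalike"
    return "unrelated"


@dataclass
class Outcome:
    reply: str
    challenge_sent_to: Optional[str]   # the on-file address or None, never the sender
    sender_class: str
    data_released: bool


def _deliver(recipient: str, token: str) -> None:
    OUTBOX.append((recipient, token))


def handle_sar(sender: str, claimed_subject: str) -> Outcome:
    """Inbound request. Nothing is released and no account existence is
    confirmed here; the only side effect is a challenge to the address on
    file, regardless of what From: or Reply-To: say."""
    subject = canonical_email(claimed_subject)
    if subject not in CUSTOMERS:
        return Outcome(NEUTRAL_REPLY, None, "unrelated", False)
    sender_class = classify_sender(sender, subject)
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = subject
    _deliver(subject, token)
    return Outcome(NEUTRAL_REPLY, subject, sender_class, False)


def complete_challenge(token: str) -> Optional[dict]:
    """Only the holder of the token mailed to the on-file address gets data.
    Tokens are stored hashed and consumed on first use."""
    key = hashlib.sha256(token.encode()).hexdigest()
    subject = PENDING.pop(key, None)
    if subject is None:
        return None
    return CUSTOMERS[subject]


if __name__ == "__main__":
    # A request from a typo-squat address: same reply, challenge to the real owner.
    print(handle_sar("casey@examp1e.com", "casey@example.com"))
    print(OUTBOX[-1][0])   # the challenge went to casey@example.com, not the sender
```

The design point is that the sender classification is recorded for the case file but never decides anything: because the challenge is routed from the record on file rather than from the request, the 25 percent of companies that answered a convincingly forged address would have sent their challenge to Knerr's real inbox instead.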
Road to hell (Score:1, Insightful)
Not surprised... This always happens. (Score:2, Insightful)
Re:Not surprised... This always happens. (Score:4, Insightful)
The GDPR is another matter. And what TFA describes is not so much a problem of the law, but of companies not properly verifying identities or even understanding basic authentication or security. It's nothing new either; hackers used similar methods to obtain SIM clones from providers in order to hijack high profile social media accounts. The solution is not to do away with the GDPR.
Re: (Score:3)
Re: (Score:2)
This always happens when government intervention tries to do something good: unintended consequences.
Silly generalisations aside (no it doesn't "always happen") this is not the result of this law but rather a complete lack of due diligence by companies. The likes of Facebook and Google have policies to hand over your data long before GDPR existed. All the GDPR did was mandate a similar mechanism. Likewise we have had an endless string of social engineering attacks in the past 10 years handing over complete control over an account to some 3rd party, in some cases with quite public effects such as the releas
Re: Road to hell (Score:2)
Pueblok infotainmentees is DOXING!
The net completely went to shit when doxing became a fucking thing. Sorry kids and dumb fucks information wants to be free plz ENJOY IT. It's been 20 years of something more pathetic than the previous year and hand in hand with the idea of doxing being the most fucked up neutering of the net we have ever seen!
Bad headline and summary (Score:5, Insightful)
This has nothing inherently to do with the GDPR, and everything to do with companies not having a proper, legally approved process for handling Subject Access Requests or simply not following their approved processes - it's pretty much certain that these same companies that failed in this test would have failed under the older UK Data Protection Act requests as well (which are broadly similar in terms of Subject Access Requests as the GDPR).
In short, it's a hit piece on the GDPR - the same would have happened under the UKs pre-GDPR data laws as well.
Re: (Score:2, Insightful)
And that is exactly the problem. The law tells companies to do something but neither party has any idea how to do it properly and the government doesn't end up holding the cost of these implementations.
Now every company has to have a clearinghouse with much more private information just to verify the information they want to hold, which as a result makes stuff less private. This is of course very predictable and all of us real cyber security nerds have been telling people for years the GDPR and co is a stup
Re:Bad headline and summary (Score:4, Insightful)
There is copious guidance given by the EU and various individual governments on how to implement these checks.
And when businesses have been fucking up with peoples data and privacy so badly like they have ever since the internet became a thing, the government certainly has business getting involved in business - the GDPR is a good thing, businesses need to understand that my data is no longer theirs to do with as they wish. The American ideal of "the market will sort itself out" is patently false and broken when it comes to consumer protections.
Re: (Score:1)
Not on asking a person to walk in as a person with photo ID and then get the information in person.
Re: (Score:3)
Not on asking a person to walk in as a person with photo ID and then get the information in person.
This would be impractical to the point of making the GDPR moot. Most people from, say, Romania wouldn't be able to just make a trip to Ireland to appear in person at the Facebook offices there to prove their identity. And that's just looking at the GDPR within the EU. The GDPR also governs companies from all over the world that do business within the EU. Travelling to the States or to Asia just to prove one's identity would be impossible for practically everyone.
Re:Bad headline and summary (Score:4, Interesting)
Idiot, all this just proves is that corporations should not have that information in the first place unless they are legally required to do so by law. The message to corporations: MIND YOUR OWN FUCKING BUSINESS. It is quite clear corporations cannot be trusted with this information and should be punished for attempting to do so, severe custodial sentences for all individuals involved.
Re: (Score:2)
In Europe especially you have to hold a lot of information by law. Whether it's tax law, employment law, terrorism law, copyright law - most transactions are required to be kept track of in great detail so the government can later demand them directly or report on them.
Point in fact, if you read the GDPR you are required to keep track of any data used just to make a query whether the data exist. So even if you don't keep data on anyone, if anyone asks, you are now required to keep track of their data just s
Re:Bad headline and summary (Score:5, Interesting)
I have no sympathy for these companies. They had years to get their systems straightened out, the rules are clear and compliance isn't difficult at all. They just didn't bother, and even a few years down the road are often incapable of servicing these legal requests properly.
That tells us that they probably aren't handling our personal data properly either. We need to get to a point where personal data is properly protected, and any company that can't reach that low bar needs to stop processing it.
I've submitted nearly 100 SARs so far. Some of them are very smooth and properly managed, but many are not. I had trouble with PayPal, for example, because they needed me to log in to make the request. I don't have an account. That one had to go through two national regulators to get fixed. Apple had the same problem but were able to fix it rather more quickly.
Re: (Score:3)
The law tells companies to do something but neither party has any idea how to do it properly and the government doesn't end up holding the cost of these implementations.
OMG the government doesn't cover the cost of doing business?
Now every company has to have a clearinghouse with much more private information just to verify the information they want to hold which as a result makes stuff less private.
Or they could hoard less data. Crazy I know.
Re: (Score:2)
Having a single IP address in your server logs is enough to require GDPR compliance. And then, as I said, you are required to collect more information just to keep track of that IP address just so later some SJW or criminal can demand whether you have any information on their (perhaps illegal) actions and delete it, which you can't because of EU terrorism and copyright regulation.
Re: (Score:2)
Having a single IP address in your server logs is enough to require GDPR compliance.
If the IP address isn't sufficient to identify a person then no, you don't have to. And if you're worried, then don't log it forever. There is no requirement under the GDPR to instantly respond to any deletion requests, so delete your logs and you're fine.
just so later some SJW
Have you finished your 2 minutes hate yet? We know how this goes: you screech about SJW, then on the assumption that all SJW are evil, anything done by
Re: (Score:2)
The law tells companies to do something but neither party has any idea how to do it properly and the government doesn't end up holding the cost of these implementations.
It's not up to the government to change your diapers. When we live in a world of a government that actively prevents you from being negligent through regulation that is called a "nanny state" and it's a bad thing.
The government should not end up holding the cost. I'm no fan of the USA "sue everyone" approach, but I do wish in Europe people would take a more active role at punishing companies who are negligent (such as handing over your data without due diligence) and not rely on governments to do it.
Re: (Score:1)
You mean private companies don't magically run themselves with the same accountability as government employees just because someone passed a law? NO WAY. INCREDIBLY SHOCKING.
The submission's point is damn important. The EU has "legislated" a mechanism with checks to actually ensure it isn't being abused. They might as well be legislating that the sky should be sunny; they'd have a higher compliance rate in most countries.
Re: (Score:3)
Yeah, fuck legislation, it doesn't solve anything. Let's get rid of it. All of it.
Companies that fail to do proper identification checks for Subject Access Requests can be referred to the Information Commissioner's Office and face large fines, fines designed to actually threaten a company's existence if they continually fail to act properly.
So yeah, the EU legislated, and they also legislated teeth for it. Like a legislative body should.
Re:Bad headline and summary (Score:4, Informative)
As below, your assertion that "before the GDPR people would have to ask in person" is utter bullshit - remote requests were just fine under the Data Protection Act in the UK. They would have been just as vulnerable to companies not having proper procedures as now, because it's the same companies fielding the requests.
Would have worked without GDPR (Score:5, Insightful)
Re: (Score:2, Troll)
You missed the point entirely. They used GDPR, which carries a __threat of law__ to get their personal information. Except it wasn't their information.
You shoot an e-mail to random company X "I want my data" and they'll ignore it. You shoot them "per GDPR I want my data" they're going to comply with the assumption they'll be sued if they don't.
Stop intentionally conflating what's going on here.
Re: (Score:3)
Where are you getting that bullshit from? Pre GDPR in the UK you could do a Subject Access Request without physically going anywhere to show an ID under the Data Protections Act, so your (repeated) assertion of that in these comments is complete bollocks.
The failure here is the companies failing to put a proper process in place and following it, not anything introduced by the GDPR.
This would have happened pre-GDPR, the GDPR didn't cause this.
Re: (Score:1)
Re: (Score:2)
So how would you, without even more government intervention and without the government collecting and databasing all the private and financial and IP address data (basically your entire life in detail) on its citizens, set up a clearinghouse that can verify someone's identity?
And every company with a website requires this per the GDPR (IP address is identifiable information)
What happened to anonymous posting? (Score:1)
Re: (Score:2)
Re: (Score:2)
Yea, kind of wondering how long this will last. With only 20-30 comments per article traffic is going to drop off quickly. We may all be seeing the end of what we thought couldn't die.
Re: (Score:1)
People had to pay to not be in the phone book. It was called "unlisted number" and came at a price. Extremely few people did it - local politicians, business people that didn't want to be bothered at home with a phone call, etc. Hardly anyone hid from people. Now there's heart palpitations over people knowing totally useless shit like where you live. Again, I think people need to grow a pair and quit worrying.
Blame a law... (Score:5, Insightful)
...because people break it? Yes, if we didn't have the GDPR, none of these companies would need to know how to adequately verify someone's identity before handing over their personal data.
By the same logic, if we got rid of road safety laws, there would be a sharp reduction in the number of driving offences & prosecutions. However, I wouldn't want to go anywhere near a road in a country where they did that.
Re: (Score:2)
Without GDPR they wouldn't HAVE to give any data at all... so they wouldn't.
And stop conflating the issue. Nobody is saying "GDPR is bad for us, get rid of it." They're saying "GDPR has a loop-hole, fix the goddamn loophole."
Re:Blame a law... (Score:4, Informative)
The alleged loophole is already fixed by design: the GDPR doesn't allow companies to give private data to unauthorized persons. It's the 25% of companies who responded without checking who asked for it, that didn't respect the GDPR.
The law is clear (Score:2)
May I add an excerpt from the GDPR relating to requests about personal data:
"(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers"
Re: (Score:2)
Without GDPR they wouldn't HAVE to give any data at all... so they wouldn't.
Is that why Google and Facebook will happily hand over your data to you and did so in the USA before the GDPR was a thing?
Don't be silly.
Re: (Score:1)
The GDPR is bad for us. Don't conflate the issue, the GDPR is designed for more information to be collected so the government can eventually get involved and demand it all into a central database because by design it's impossible to comply with GDPR.
There is no conceivable way for private industry to either comply or fix the issue. Non compliance is the fix. Companies can simply say: we don't collect sufficient information to be able to verify your identity so we cannot release the data - which the EU would
Re: (Score:2)
...because people break it? Yes, if we didn't have the GDPR, none of these companies would need to know how to adequately verify someone's identity before handing over their personal data.
By the same logic, if we got rid of road safety laws, there would be a sharp reduction in the number of driving offences & prosecutions. However, I wouldn't want to go anywhere near a road in a country where they did that.
It would seem to me that having a government-run request system, where the user was identified via information on an official registry and contacted to confirm the request by, say, SMS or email, would make such DOX attacks harder. No system is perfect but it would at least add a level of verification. Once verified, the request is forwarded to the appropriate contact at the company for fulfillment. The company verifies the request is genuine through the government portal and then sends the info to the requester at an addre
Re: (Score:2)
Yes, please have the GOVERNMENT collect all my private data into a website and then keep track of all the private entities I interact with.
That's the end goal of GDPR, government control and regulation. EU privacy is f--ked.
An accurate write up (Score:3)
The Vice article is a roast on EU data protection laws. The problem here is not the laws but corporations' lack of respect in upholding them or having proper process in place to ensure compliance, which makes Vice's spin all the more ironic.
There are far less emotive write-ups at The Register and the BBC.
https://www.bbc.co.uk/news/tec... [bbc.co.uk]
https://www.theregister.co.uk/... [theregister.co.uk]
Re: (Score:2)
They will call them different things. For example, in the UK, we have National Insurance numbers, except they tend to have letters in them too.
Perhaps in some places they link them to their ID card numbers. We don't have government ID cards (yet).
Controversial? (Score:4, Interesting)
Europe's controversial privacy law, the General Data Protection Regulator -- better known as GDPR
Two problems with that line...
1. The R in GDPR stands for regulations, not regulator.
2. The GDPR is about as uncontroversial as it gets.
A large part of the public does not care about it. Those of them who had, immediately dropped it when they found it was "to do with computers" and they think that phones are something else. They haven't clocked that it applies to paper, CCTV and all sorts of other stuff.
Those of us who work in information systems do not find it very controversial either. Certainly, it is a hassle, but so are speed limits, planning rules and waste recycling rules. I can follow them quite happily (even the speed limits if I am paying attention) as they exist for good reason. GDPR is a positive update of previous laws.
The only objections I come across to GDPR are from websites in the USA who object to the idea that their misuse of my data might be curtailed. There are some who have just not got round to dealing with it. After all, it is not much more than 3 years since the whole thing was finalised and made available. It is only 12 months since it went live...
Re: (Score:2)
Mod parent as Insightful!
How do you spell "unintended consequences"?? (Score:1)
And the winners are... the usual suspects: lawyers, legislators, and lobbyists for entrenched interests.
Controversial, really ? (Score:2)
Europe's controversial privacy law, the General Data Protection Regulator -- better known as GDPR
Controversial for whom ? Definitely not the customers