GDPR's unintended consequences (The Register)

AI Thread Summary
GDPR, the EU's General Data Protection Regulation, aims to protect personal data and user privacy but has inadvertently facilitated identity theft. While companies are required to provide personal data upon request, they are not mandated to verify the identity of the requester, leading to vulnerabilities. For instance, a PhD student exploited this loophole by submitting numerous GDPR requests in his fiancée's name, successfully obtaining sensitive information from various companies with minimal verification, such as just an email address and phone number. This situation raises concerns about the balance between protecting personal data and the potential for misuse by identity thieves. Additionally, the implications of GDPR extend to security solutions that rely on the same data to safeguard individuals, creating an ongoing challenge for both cybercriminals and security professionals in adapting to the evolving landscape of data protection.
anorlunda
TL;DR Summary
GDPR's unintended consequences
I would like to share this because GDPR has been discussed before on PF.

Some parties, like my bank, use multi-factor identification to assure I am who I say I am when I request personal data. But many third parties who are required to respond to GDPR requests will not have the data needed to support multi-factor identification.

Rejecting all requests is illegal. Allowing all requests (see below) is harmful to the public and probably leaves the info provider liable to lawsuits. What are they supposed to do? Who are they supposed to ask what they are supposed to do?
The Risks List <http://catless.ncl.ac.uk/Risks/31/36#subj5> said:
Steven Klein <steven@klein.us>
Fri, 9 Aug 2019 13:33:14 -0400

GDPR, the EU's General Data Protection Regulation, is supposed to protect
personal data and user privacy for EU citizens. But it has made life
much easier for identity thieves. The law obligates companies to provide a
copy of any personal data they have, but doesn't require companies to verify
the identity of those requesting the info.

“James Pavur, a PhD student at Oxford University who usually specialises in
satellite hacking, explained how he was able to game the GDPR system to get
all kinds of useful information on his fiancée [with her permission],
including credit card and social security numbers, passwords, and even her
mother's maiden name. [...] Over the space of two months Pavur sent out 150
GDPR requests in his fiancée's name, asking for all and any data on her. In
all, 72 per cent of companies replied back, and 83 companies said that they
had information on her. ... Of the responses, 24 per cent simply accepted
an email address and phone number as proof of identity and sent over any
files they had on his fiancée.”

“A threat-intelligence company sent over a list of her email addresses and
passwords which had already been compromised in attacks. Several of these
still worked on some accounts.”

Source: The Register <https://www.theregister.co.uk/2019/08/09/gdpr_identity_thief/>
 
GDPR and similar legislation designed to protect people's privacy will have negative implications for security solutions that use the same data to protect people. Both cybercriminals and security practitioners will have to adapt as they always have. With such complex technology that changes so quickly, it's an arms race.
 