GDPR's unintended consequences (The Register)

  • Thread starter Thread starter anorlunda
  • Start date Start date
Join the discussion
Ask a follow-up here, or get your own question answered by working scientists, mathematicians and engineers — people, not an autocomplete.
Real named experts · corrections over time · the nuance an AI answer skips
1 reply · 1K views
TL;DR
GDPR's unintended consequences
I would like to share this because GDPR has been discussed before on PF.

Some parties, like my bank, use multi-factor identification to assure I am who I say I am when I request personal data. But many third parties who are required to respond to GDPR requests will not have the data needed to support multi-factor identification.

Rejecting all requests is illegal. Allowing all requests (see below) is harmful to the public and probably leave the info provider liable to lawsuits. What are they supposed to do? Who are they supposed to ask what they are supposed to do?
The Risks List [URL]http://catless.ncl.ac.uk/Risks/31/36#subj5[/URL] said:
Steven Klein <steven@klein.us>Fri, 9 Aug 2019 13:33:14 -0400GDPR, the EU's General Data Protection Regulation, is supposed to protect
personal data and user privacy for EU cititzens. But it has made it life
much easier for identity thieves. The law obligates companies to provide a
copy of any personal data they have, but doesn't require companies to verify
the identity of those requesting the info.

“James Paver, a PhD student at Oxford University who usually specialises in
satellite hacking, explained how he was able to game the GDPR system to get
all kinds of useful information on his fiancée [with her permission],
including credit card and social security numbers, passwords, and even her
mother's maiden name. [...] Over the space of two months Pavur sent out 150
GDPR requests in his fiancée's name, asking for all and any data on her. In
all, 72 per cent of companies replied back, and 83 companies said that they
had information on her. ... Of the responses, 24 per cent simply accepted
an email address and phone number as proof of identity and sent over any
files they had on his fiancée.''

“A threat-intelligence company sent over a list of her email addresses and
passwords which had already been compromised in attacks. Several of these
still worked on some accounts.''

Source: The Register <https://www.theregister.co.uk/2019/08/09/gdpr_identity_thief/>
 
  • Like
Likes   Reactions: aaroman and Wrichik Basu
Physics news on Phys.org
GDPR and similar legislation designed to protect people's privacy will have negative implications for security solutions that use the same data to protect people. Both cybercriminals and security practitioners will both have to adapt as they always have. With such complex technology that changes so quickly, it's an arms race.