Many organizations appear to hand out personal data in response to access requests without adequate identity verification. That is the finding of a study by Oxford student James Pavur, presented last week at the Black Hat security conference in Las Vegas. Pavur made use of the EU General Data Protection Regulation (GDPR), which enshrines a data subject's right of access. Although he used a fake e-mail address for his requests, he obtained a considerable amount of data about his girlfriend, who served as the subject of the experiment.
The GDPR, which has applied since May 2018, guarantees users a right of access (Article 15) and a right to data portability (Article 20). A study published by consumer advocates a few months earlier had found that social media users received "no satisfactory answer to their requests for information" despite the legal requirements. For that study, the consumer advocates used a fictitious account, but they did have access to the account on Facebook or Twitter.
Pavur took the opposite approach. He impersonated his girlfriend and co-author Casey Knerr and set up a new e-mail account in her name. He then sent a standard request to 150 organizations, without knowing whether Knerr had ever used their services. Citing the GDPR right of access, he asked that all personal data held on her be sent to the specified address. In the cover letter he gave not only the fake e-mail address but also other publicly available information about Knerr, in order to make the request appear more legitimate.
Fake address and public data
According to Pavur, 72 percent of the organizations responded to the request. In 23 percent of the cases he received no answer at all. Five percent of the providers rejected the request for information outright, which would itself constitute a violation of the GDPR. Among them, according to the study, were four major providers mainly active in the US market, which took the view that EU citizens are not entitled to the information.
According to Pavur, in two-thirds of the cases the providers' first replies already revealed whether Knerr had any data stored with them at all. These included dating sites. Even this knowledge alone can be uncomfortable for those affected, as the breach of the dating site Ashley Madison a few years ago showed.
No identity checks at many providers
More alarming still: 24 percent of the responding organizations handed over the stored data without any further identity check. Another 16 percent required only a weak identity check that, according to Pavur, would have been easy to circumvent, such as a device cookie or a written declaration that the requester is in fact the data subject. Five percent of the platforms claimed to hold no data, even though Knerr had created an account with them. And, annoyingly, three percent misunderstood the request and deleted the account instead of disclosing the data.