Abusing the GDPR to get someone’s intimate personal data.
- 7 june 2019
Look at these 4 simple statements and decide for yourself whether they are valid:
- If you Google your name, you will certainly find a couple of related social media websites.
- On your birthday, people congratulate you with social media posts.
- At least one of your social media profiles shows the city in which you live.
- When you Google your name, you will find some old eBay items of yours, which disclose your home address.
If at least 2 statements are true for you, then criminals have the possibility to steal and abuse your personal information from a broad range of organizations. For example, this can disclose:
- Your financial transactions from institutes such as e.g. your bank, or insurance agency.
- Your browsing history from online news outlets you are subscribed to.
- Locations that you have visited by train,bus or taxi.
- The products you bought in some online and retail shops.
In other words: by only knowing your name, date of birth and home address; a criminal, your angry sister, your ex-partner or a disgruntled colleague is able to get all that personal information listed above and abuse it in any way possible.
But wait, how is that even possible?
Before we show you the actual issue, let’s take a step back and explain a couple of concepts first:
GDPR: The General Data Protection Regulation (GDPR) is a legal framework that contain laws that are intended to protect European citizens (and visitors) against privacy violations such as organizations leaking or abusing your personal information. It came into effect on May 25th 2018, almost a year ago.
‘Right of Access’: A part of the GDPR that allows European consumers (people) to request all personal information that any organization has on them. Yes, this includes your bank, your favorite social media platform and even your local grocery shop.
So by simply sending an email or letter to the organization and requesting your personal information, the organization has to provide you with your personal information within a month (usually).
Fortunately, many large corporations allow you to request that information by logging into your online account and request it directly from the website, without sending an email or letter. For instance, Facebook allows you to obtain all your personal data automatically with a simple click of a button. However, we found out that about 75% of organizations also allow you to send an email requesting all your personal information, without logging into your online account.
If an organization denies you access to request your personal information, it risks a fine of up to 20 million euros or 4% of their total turnover. Due to these heavy fines, most organizations are really inclined to answer and provide your personal information as quickly as possible.
Now that we have explained the GDPR and ‘Right of Access’ concepts, you probably already have some questions about this. Well, I mean, WE had one big question …
How does an organization verify if the person who requests his personal information is really the person he/she claims to be ?
Think about that. An organization receives a request for personal information (which is called a ‘Data Request’) and has to verify if it is really you who is asking for your personal information. It doesn’t want to give your information to someone impersonating you …
In order to make the process of requesting your data as smooth as possible, the GDPR suggests organizations to let people login in on the organization’s website and request all personal information from there, so that you require your username/email address and password (which other people should not know). However, implementing such thing is often expensive and not always possible. As a result, we found out that organizations verify your identity for a data request in a number of ways:
- They ask your name.
- They might ask for your date of birth.
- They might ask for your home address.
- They might ask for a copy of your identity card or passport.
- They might call you on your cell phone.
- They might make sure to only accept data requests from an email address that they know belongs to you.
Organizations often ask combinations of these elements. For example: one organization might ask you for a copy of your identity card and your home address. While another organization might only ask your name and date of birth.
As you have probably already noticed, some of these are relatively safe to ask. For instance, if an organization calls you on your cell phone, it is difficult for someone else to be on that phone when they call. But there are also a couple of these things that are really easy for someone else to find out, such as the name, date of birth and home address …
So are you saying that there are organizations that verify your identity by only asking your date of birth and home address? And thus, anyone can get my personal information with only that?
Yes and yes. In order to prove that, two of our researchers (my colleague and myself) made an agreement and tried to impersonate each other by sending data requests under each other’s name.
To send these requests, we both needed some basic information from each other, which we happily took from each other’s social media pages.
Next, we collected a list of 55 organizations ranging from financial institutes and news outlets to retail shops and entertainment companies, of which we knew had lots of personal data about us (half of them are from the Alexa Belgian Top 50 websites). Then we finally sent those requests to each organization. So we essentially attempted to obtain each other’s personal data from all these organizations by only using minimal information extracted from social media.
Did it work?
Partially. With only the date of birth and home address, we were able to receive each other’s personal information from 8 out of the 55 organizations. In other words, anyone who knows your name, home address and date of birth is able to get your personal information from at least 8 organizations.
But that’s not all. For organizations that require an ID card to prove one’s identity, we went further and photographed our own ID cards, but altered the image with each other’s name, date of birth and picture, found on social media.
By using this simulated identity card of each other, we were able to receive each other’s personal information from another 8 organizations. Which makes a grand total of 16 organizations of the 55 organizations. This means that 26% of the organizations might leak personal information about yourself to anyone who barely knows you!
How could organizations have not foreseen this ? Didn’t they check the email address with which you send out these data requests ?
Some did. Interestingly, some organizations do ask you to send a data request with a known email address, but they can often be persuaded by using an email address that looks very similar. For example, John Doe’s original email address is ‘email@example.com’ , while some criminal might create a new email address ‘firstname.lastname@example.org’ (note the double ‘l’ at the end) and then the criminal sends a data request to Johns’ local car dealer using that similar-looking email address. The person at the local car dealer handling the data request might look over the small difference and thus believes that he is really talking to the real John Doe! We applied this very same concept to our data requests. It also shows that if humans are handling data requests, then there is an increased risk of persuasion in the form of social engineering.
Okay, so I just remove or hide all personal information from my social media profiles and problem solved. Right?
Not really. There are always trails left behind on other social media profiles from your friends or family. For example, a friend might upload a picture of your birthday party and thus indeliberately leaking the day and month of your birthday. Also, there exist online services that allow you to browse through your social media profile in the past, even though you have already removed it.
On top of that, there are numerous ways to get your date of birth and/or address outside of social media such as telephone books or public registers.
So it will help but it won’t guarantee that my personal information is kept safe? What can I do to avoid this?
Yes, it will help. All of the organizations that have leaked personal information about ourselves have been contacted 45 days before the publication of this blogpost. This means, that by now, they have improved their ‘Right Of Access’ policies accordingly.
On the other side, we have only performed our experiment on 55 organizations, which means thousands of other organizations might still be incorrectly verifying your identity with publicly known information.
What you can do is send a legitimate data request to the organizations that you don’t trust and then check if the verification questions are sufficiently safe. And of course, the next time you use a product or online service, check if that organization takes privacy seriously.
That’s a lot of information. Can you summarize it for me?
Sure. In our research, we have shown that manually verifying the identity for organizations to handle data requests under the ‘Right Of Access’ is difficult. Even though, we (as researchers) have only impersonated each other with prior permission, a criminal however, might not be that kind to you.
Gathering information such as the date of birth or address from individuals is often very easy and can be used to impersonate you. We suggest users to remove or hide as much of their personal information as possible on the internet and elsewhere and look out for any suspicious emails related to data requests from any organization.
Finally, many organizations really have a lot of personal information about you. If someone tries to impersonate you and successfully abuses the ‘Right Of Access’, they have access to a broad range of data such as financial transactions, browsing histories, etc … .
More information to:
- Delete your data: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights/can-i-ask-company-delete-my-personal-data_en
- Access your data: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights/how-can-i-access-my-personal-data-held-company-organisation_en
This is a blogpost written about our scientific publication ‘Personal Information Leakages By Abusing the GDPR ‘Right Of Access’(co-authored by Mariano Di Martino, Pieter Robyns, Winnie Weyts, Peter Quax, Wim Lamotte and Ken Andries) and conducted at the Hasselt University (UHasselt) and Expertise Center for Digital Media (EDM). The paper is submitted for the Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019) in Santa Clara, California on August 11–13 and is conditionally accepted.
The experiment of this publication has been conducted in a controlled environment with prior permission from the researchers. Please do not try to impersonate others.
Link to original blogpost : Medium