Abusing the GDPR to get someone's intimate personal data
Mariano DI MARTINO
This is a blog post about our scientific publication ‘Personal Information Leakages By Abusing the GDPR ‘Right Of Access’’ (link), co-authored by Mariano Di Martino, Pieter Robyns, Winnie Weyts, Peter Quax, Wim Lamotte and Ken Andries, and conducted at Hasselt University (UHasselt) and the Expertise Center for Digital Media (EDM).
Note that we left out many technical details in this post. We suggest that interested readers consult the scientific publication.
Look at these 4 simple statements and decide for yourself whether they are valid:
- If you Google your name, you will certainly find a couple of related social media websites.
- On your birthday, people congratulate you with social media posts.
- At least one of your social media profiles shows the city in which you live.
- When you Google your name, you will find some old eBay items of yours, which disclose your home address.
If at least two of these statements are true for you, then criminals may be able to steal and abuse your personal information from a broad range of organizations. For example, this can disclose:
- Your financial transactions from institutions such as your bank or insurance agency.
- Your browsing history from online news outlets you are subscribed to.
- Locations that you have visited by train, bus or taxi.
- The products you bought in some online and retail shops.
In other words: by knowing only your name, date of birth and home address, a criminal, your angry sister, your ex-partner or a disgruntled colleague is able to get all the personal information listed above and abuse it in any way possible.
But wait, how is that even possible?
Before we show you the actual issue, let’s take a step back and explain a couple of concepts first:
GDPR: The General Data Protection Regulation (GDPR) is a legal framework intended to protect European citizens against privacy violations, such as organizations leaking or abusing their personal information. It came into effect on May 25th 2018, almost a year ago.
‘Right of Access’: The part of the GDPR (Article 15) that allows European data subjects (people) to request all personal information that any organization holds on them. Yes, this includes your bank, your favorite social media platform and even your local grocery shop.
So by simply sending an email or letter to the organization and requesting your personal information, the organization has to provide it to you within a month (extendable by two further months for complex or numerous requests).
Fortunately, many large corporations let you request that information by logging into your online account, without sending an email or letter. Facebook, for instance, lets you download all your personal data with a single click of a button. However, we found that about 75% of organizations also let you send an email requesting all your personal information, without logging into your online account.
If an organization denies you access to your personal information, it risks a fine of up to 20 million euros or 4% of its total annual worldwide turnover, whichever is higher. Because of these heavy fines, most organizations are strongly inclined to respond and provide your personal information as quickly as possible.
Now that we have explained the GDPR and ‘Right of Access’ concepts, you probably already have some questions about this. Well, I mean, WE had one big question …
How does an organization verify that the person requesting personal information is really the person they claim to be?
Think about that. An organization receives a request for personal information (which is called a ‘Data Request’) and has to verify that it is really you who is asking for your personal information. It doesn't want to hand your information to someone impersonating you …
To make the process of requesting your data as smooth as possible, the GDPR suggests that organizations let people log in on the organization's website and request their personal information from there, so that the request requires a username/email address and password that other people should not know. However, implementing this is often expensive and not always possible. As a result, we found that organizations verify your identity for a data request in a number of ways:
- They ask your name.
- They might ask for your date of birth.
- They might ask for your home address.
- They might ask for a copy of your identity card or passport.
- They might call you on your cell phone.
- They might only accept data requests from an email address that they know belongs to you.
Organizations often ask for combinations of these elements. For example, one organization might ask you for a copy of your identity card and your home address, while another might ask only for your name and date of birth.
As you have probably already noticed, some of these are relatively safe to ask. For instance, if an organization calls you on your cell phone, it is difficult for someone else to answer that phone when they call. But some of these things are really easy for someone else to find out, such as your name, date of birth and home address …
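The list above splits naturally into knowledge factors that an impersonator can scrape from public profiles (name, date of birth, home address) and possession factors that they cannot (the phone number, mailbox or account on file). The following Python is an added example, not code from the paper or from any of the organizations studied: it models a data-request verification policy as the set of factors it demands, ranks each policy by the cheapest attacker who can satisfy all of them, and flags policies that rely only on scrape-able data. The two attacker tiers, the sample policies (org-A to org-D) and the assumption that an ID-card scan is only checked visually, and can therefore be satisfied with an edited photo, are all constructed for this example and are not findings from the post.

```python
from enum import Enum


class Factor(Enum):
    """Identity-verification elements an organization may demand before
    answering a data request (the six kinds listed in the post)."""
    NAME = "name"
    DATE_OF_BIRTH = "date of birth"
    HOME_ADDRESS = "home address"
    ID_CARD_COPY = "copy of identity card or passport"
    PHONE_CALL = "call to the phone number on file"
    KNOWN_EMAIL = "request sent from the email address on file"
    ACCOUNT_LOGIN = "request made from the logged-in account"


# Attacker tiers, cheapest first, with the factors each tier can satisfy.
# "osint": name, date of birth and home address scraped from public profiles.
# "osint+forged-scan": the same data plus an edited photo of an ID card.
# ASSUMPTION (constructed for this example): the ID scan is only checked
# visually, so an edited image passes. Possession factors (phone, mailbox,
# account) are out of reach for both tiers.
ATTACKER_TIERS = [
    ("osint", {Factor.NAME, Factor.DATE_OF_BIRTH, Factor.HOME_ADDRESS}),
    ("osint+forged-scan", {Factor.NAME, Factor.DATE_OF_BIRTH,
                           Factor.HOME_ADDRESS, Factor.ID_CARD_COPY}),
]

POSSESSION_FACTORS = {Factor.PHONE_CALL, Factor.KNOWN_EMAIL, Factor.ACCOUNT_LOGIN}


def cheapest_defeating_attacker(policy):
    """Return the name of the cheapest modelled attacker who can satisfy
    every factor in `policy`, or None if no modelled attacker can."""
    for name, capabilities in ATTACKER_TIERS:
        if policy <= capabilities:
            return name
    return None


def audit_policy(policy):
    """Classify one verification policy (a set of Factor) and explain why."""
    if not policy:
        return "weak", "no verification at all"
    attacker = cheapest_defeating_attacker(policy)
    if attacker is None:
        held = ", ".join(sorted(f.value for f in policy & POSSESSION_FACTORS))
        return "acceptable", f"requires a factor the modelled attackers lack: {held}"
    return "weak", (f"defeated by '{attacker}' attacker; add a possession factor "
                    f"such as a call to the phone number on file")


def audit(policies):
    """Audit a mapping organization -> required factors; return org -> rating."""
    return {org: audit_policy(required)[0] for org, required in policies.items()}


# Constructed sample policies; NOT the 55 organizations from the study.
SAMPLE_POLICIES = {
    "org-A": {Factor.NAME, Factor.DATE_OF_BIRTH},
    "org-B": {Factor.NAME, Factor.HOME_ADDRESS, Factor.ID_CARD_COPY},
    "org-C": {Factor.NAME, Factor.PHONE_CALL},
    "org-D": {Factor.ACCOUNT_LOGIN},
}

if __name__ == "__main__":
    for org, required in SAMPLE_POLICIES.items():
        rating, why = audit_policy(required)
        print(f"{rating:<10} {org}: {why}")
```

The useful property of the model is that adding more knowledge factors never changes the rating: a policy asking for name, date of birth and address is exactly as weak as one asking for name alone, because the attacker's capability set already covers all three. Only a factor outside both attacker tiers moves a policy to "acceptable".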
So are you saying that there are organizations that verify your identity by only asking your date of birth and home address? And thus, anyone can get my personal information with only that?
Yes and yes. In order to prove that, two of our researchers (my colleague and myself) made an agreement and tried to impersonate each other by sending data requests under each other’s name.
To send these requests, we both needed some basic information from each other, which we happily took from each other’s social media pages.
Next, we compiled a list of 55 organizations, ranging from financial institutions and news outlets to retail shops and entertainment companies, which we knew held lots of personal data about us (half of them are from the Alexa Belgian Top 50 websites). Then we finally sent those requests to each organization. So we essentially attempted to obtain each other's personal data from all these organizations using only minimal information extracted from social media.
Did it work?
Partially. With only a name, date of birth and home address, we were able to receive each other's personal information from 8 of the 55 organizations. In other words, anyone who knows your name, home address and date of birth is able to get your personal information from at least 8 organizations.
But that's not all. For organizations that required a copy of an ID card to prove one's identity, we went further: we photographed our own ID cards and altered the images with each other's name, date of birth and picture, taken from social media.