Data Portability between Online Services: An Empirical Analysis on the Effectiveness of GDPR Art. 20

Syrmoudis, Emmanuel; Mager, Stefan; Kuebler-Wachendorff, Sophie; Pizzinini, Paul; Großklags, Jens; Kranz, Johann

doi:10.2478/popets-2021-0051

Cited by 19 publications

(11 citation statements)

References 32 publications

(83 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Unfortunately the latter data controller, Nike Run Club, interpreted the incoming transmission as an Article 17 (erasure) request and asked for confirmation that the data subject wished to have all of their data erased. This reiterates the findings of others [19,20] that Article 20(2) is not widely understood.…”

Section: Resultssupporting

confidence: 87%

“…Wong and Henderson make portability requests to 230 controllers and find variation in their ability to conform with the right's requirements [21]. Syrmoudis et al [19] look at 182 controllers to specifically study the ability to exercise Article 20(2) -the right to port data from one controller to another. In a smaller-scale study, Li compares a set of portability requests with another right, the right to erasure [13].…”

Section: Background and Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Data Portability as a Tool for Audit

Zwiebelmann

Henderson

2021

Adjunct Proceedings of the 2021 ACM International Joint Conference on Pervasive and Ubiquitous Computing and Proceedings of The

View full text Add to dashboard Cite

Pervasive systems are almost omnipresent in their collection and processing of personal data. Understanding what these systems are doing is essential for trust, and to ensure that data being collected are accurate. Auditing these systems can help to determine the accuracy of these data. Such audit may take place internally by systems designers, but external audit is important for accountability.In this paper we explore whether users can conduct their own external audit of the systems with which they interact. In particular, we use the Right to Data Portability afforded to data subjects through the General Data Protection Regulation. Using fitness trackers, we collect and upload running data to a set of data controllers. By using data portability to then obtain a copy of our data, we compare the data held by the controllers with our groundtruth data. We find some inaccuracies in the data, but also that audit can be impeded by insufficient explanations from data controllers. CCS CONCEPTS• Applied computing → Law; • Social and professional topics → Technology audits; • Hardware → Sensor applications and deployments.

show abstract

Section: Resultssupporting

confidence: 87%

Section: Background and Related Workmentioning

confidence: 99%

Data Portability as a Tool for Audit

Zwiebelmann

Henderson

2021

Adjunct Proceedings of the 2021 ACM International Joint Conference on Pervasive and Ubiquitous Computing and Proceedings of The

View full text Add to dashboard Cite

show abstract

“…a list of the most popular websites currently available), but also lists 28% of these organizations not being responsive. However, [8] only lists 7% as unresponsive from a set of 55 organizations in the Alexa top, reinforcing the argument that smaller or less popular organizations (ranked lower in the Alexa top) are often insufficiently equipped with the necessary legal and technical knowledge to correctly handle SARs [20] and may therefore be more susceptible to such attacks. Although not listed in Table 1, Cagnazzo et al [4] partially send out SARs by postal mail, observing even less safe authentication methods when compared to sending it by email.…”

Section: Threat Model and Responsivenessmentioning

confidence: 99%

Revisiting Identification Issues in GDPR ‘Right Of Access’ Policies: A Technical and Longitudinal Analysis

Martino

Meers

Quax

et al. 2022

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Several data protection regulations permit individuals to request all personal information that an organization holds about them by utilizing Subject Access Requests (SARs). Prior work has observed the identification process of such requests, demonstrating weak policies that are vulnerable to potential data breaches. In this paper, we analyze and compare prior work in terms of methodologies, requested identification credentials and threat models in the context of privacy and cybersecurity. Furthermore, we have devised a longitudinal study in which we examine the impact of responsible disclosures by re-evaluating the SAR authentication processes of 40 organizations after they had two years to improve their policies. Here, we demonstrate that 53% of the previously vulnerable organizations have not corrected their policy and an additional 27% of previously non-vulnerable organizations have potentially weakened their policies instead of improving them, thus leaking sensitive personal information to potential adversaries. To better understand state-of-the-art SAR policies, we interviewed several Data Protection Officers and explored the reasoning behind their processes from a viewpoint in the industry and gained insights about potential criminal abuse of weak SAR policies. Finally, we propose several technical modifications to SAR policies that reduce privacy and security risks of data controllers.

show abstract

“…In future work, it would be useful to investigate perceived regulatory protection at a finer granularity by examining specific regulatory measures in the context of Smart Home Devices. For example, it would be interesting to explore whether users of Smart Home Device in the EU recognize their rights related to data erasure [46] or portability [56] under the GDPR and whether those in other regions would appreciate equivalent regulatory protection.…”

Section: Perceptions -Perceived Regulatory Protectionmentioning

confidence: 99%

“…For instance, the data that Smart Home Devices deal with may be explicitly provided, sensed, inferred, or predicted. GDPR arguably does not cover all of these types of data [17,56]. As a result, for handling the privacy and security aspects of their Smart Home Devices, users may need to rely on good faith self-regulation from the manufacturers of the devices.…”

Section: Policymentioning

confidence: 99%

A Multi-Region Investigation of the Perceptions and Use of Smart Home Devices

Bombik

Wenzel

Großklags

et al. 2022

PoPETs

Self Cite

View full text Add to dashboard Cite

Smart Home Devices are household objects and appliances that are augmented with network connectivity and interactive capabilities. However, the benefits and conveniences of such augmentation are tempered by corresponding increases in privacy and security threats. Studies of user perceptions of these threats and user practices for addressing them are limited mostly to specific devices and/or small samples from a single region. To address this gap, we compared perceptions and practices of people in three geographic regions regarding privacy and security matters related to Smart Home Devices. Across these regions, we found differences in perceived regulatory protection and other regional factors. Our findings suggest that a co-evolution of the design and public policy related to Smart Home Devices could enhance privacy protection and drive increased adoption of these devices.

show abstract

Data Portability between Online Services: An Empirical Analysis on the Effectiveness of GDPR Art. 20

Cited by 19 publications

References 32 publications

Data Portability as a Tool for Audit

Data Portability as a Tool for Audit

Revisiting Identification Issues in GDPR ‘Right Of Access’ Policies: A Technical and Longitudinal Analysis

A Multi-Region Investigation of the Perceptions and Use of Smart Home Devices

Contact Info

Product

Resources

About