How do app vendors respond to subject access requests? A longitudinal privacy study on iOS and Android Apps

Several data protection regulations permit individuals to request all personal information that an organization holds about them by utilizing Subject Access Requests (SARs). Prior work has observed the identification process of such requests, demonstrating weak policies that are vulnerable to potential data breaches. In this paper, we analyze and compare prior work in terms of methodologies, requested identification credentials and threat models in the context of privacy and cybersecurity. Furthermore, we have devised a longitudinal study in which we examine the impact of responsible disclosures by re-evaluating the SAR authentication processes of 40 organizations after they had two years to improve their policies. Here, we demonstrate that 53% of the previously vulnerable organizations have not corrected their policy and an additional 27% of previously non-vulnerable organizations have potentially weakened their policies instead of improving them, thus leaking sensitive personal information to potential adversaries. To better understand state-of-the-art SAR policies, we interviewed several Data Protection Officers and explored the reasoning behind their processes from a viewpoint in the industry and gained insights about potential criminal abuse of weak SAR policies. Finally, we propose several technical modifications to SAR policies that reduce privacy and security risks of data controllers.

Section: Resultssupporting

confidence: 87%

Section: Related Workmentioning

confidence: 99%

Section: Subject Email Accessmentioning

confidence: 99%

See 1 more Smart Citation

Revisiting Identification Issues in GDPR ‘Right Of Access’ Policies: A Technical and Longitudinal Analysis

Martino

Meers

Quax

et al. 2022

“…Each of these rights aims to raise the bargaining power of consumers in digital markets [18] and to increase consumers' informational self-determination in comparison to pre-GDPR privacy laws. Regrettably, prior work [19][20][21][22] demonstrated -on the basis of a previous Californian privacy law -that corporations frequently ignored or declined requests of individuals for information access or corporate information sharing practices. As such, the RtDP -and especially its subright of direct data transfer between providers -represents the right with the highest potential economic implications only if it is applied correctly [9].…”

Section: Data Portability In Privacy Legislation and In Practicementioning

confidence: 99%

Data Portability between Online Services: An Empirical Analysis on the Effectiveness of GDPR Art. 20

Syrmoudis

Mager

Kuebler-Wachendorff

et al. 2021

Data portability regulation has promised that individuals will be easily able to transfer their personal data between online service providers. Yet, after more than two years of an active privacy regulation regime in the European Union, this promise is far from being fulfilled. Given the lack of a functioning infrastructure for direct data portability between multiple providers, we investigate in our study how easily an individual could currently make use of an indirect data transfer between providers. We define such porting as a two-step transfer: firstly, requesting a data export from one provider, followed secondly by the import of the obtained data to another provider. To answer this question, we examine the data export practices of 182 online services, including the top one hundred visited websites in Germany according to the Alexa ranking, as well as their data import capabilities. Our main results show that high-ranking services, which primarily represent incumbents of key online markets, provide significantly larger data export scope and increased import possibilities than their lower-ranking competitors. Moreover, they establish more thorough authentication of individuals before export. These first empirical results challenge the theoretical literature on data portability, according to which, it would be expected that incumbents only complied with the minimal possible export scope in order to not lose exclusive consumer data to market competitors free-of-charge. We attribute the practices of incumbents observed in our study to the absence of an infrastructure realizing direct data portability.

“…For data subjects, being able to answer the question "who knows what about me?" is a necessary precondition for exercising other data protection rights (e. g., data rectification, erasure, restriction of processing) in an informed manner [39]. The widespread lack of understanding of how personal data can be collected, inferred, and misused calls into question the notion of "informed consent" and may warrant some form of paternalistic government intervention.…”

Section: Regulatory Implicationsmentioning

confidence: 99%

Personal information inference from voice recordings: User awareness and privacy concerns

Kröger

Gellrich

Pape

et al. 2021

Self Cite

Through voice characteristics and manner of expression, even seemingly benign voice recordings can reveal sensitive attributes about a recorded speaker (e. g., geographical origin, health status, personality). We conducted a nationally representative survey in the UK (n = 683, 18–69 years) to investigate people’s awareness about the inferential power of voice and speech analysis. Our results show that – while awareness levels vary between different categories of inferred information – there is generally low awareness across all participant demographics, even among participants with professional experience in computer science, data mining, and IT security. For instance, only 18.7% of participants are at least somewhat aware that physical and mental health information can be inferred from voice recordings. Many participants have rarely (28.4%) or never (42.5%) even thought about the possibility of personal information being inferred from speech data. After a short educational video on the topic, participants express only moderate privacy concern. However, based on an analysis of open text responses, unconcerned reactions seem to be largely explained by knowledge gaps about possible data misuses. Watching the educational video lowered participants’ intention to use voice-enabled devices. In discussing the regulatory implications of our findings, we challenge the notion of “informed consent” to data processing. We also argue that inferences about individuals need to be legally recognized as personal data and protected accordingly.