Is the Subject Access Right Now Too Great a Threat to Privacy?

Cormack, Andrew

doi:10.21552/edpl/2016/1/5

Cited by 6 publications

(3 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Herrmann and Lindemann [27] observed that businesses were more likely to respond to data deletion requests than subject access requests, and identified websites that adopted SAR mechanisms that made them vulnerable to revealing their users' data in their responses to adversarial data access requests. In a number of other studies, researchers further examined how businesses' SAR mechanisms can be used by adversaries to extract subjects' personal data through social engineering attacks (e.g., impersonation) [7,12,15,18,19,48]. Di Martino et al [19] showed how these types of attacks can be mounted against a number of organizations by relying on information that is available to the public.…”

Section: Efficacy Of Subject Access Requestsmentioning

confidence: 99%

“…App developers also requested specific pieces of personal information to match against their records, either as part of the initial VCR submission process or by following up with us after we submitted our requests. Most often, developers asked us to provide some basic information about ourselves, including, our email address (36 instances), full name (26), state (21), and country of residence (15). Developers also requested technical information that is not always easily accessible for smartphone users.…”

Section: Access Requestsmentioning

confidence: 99%

See 1 more Smart Citation

Lessons in VCR Repair: Compliance of Android App Developers with the California Consumer Privacy Act (CCPA)

Samarin

Shayna

Zaina

et al. 2023

PoPETs

View full text Add to dashboard Cite

The California Consumer Privacy Act (CCPA) provides California residents with a range of enhanced privacy protections and rights. Our research investigated the extent to which Android app developers comply with the provisions of the CCPA that require them to provide consumers with accurate privacy notices and respond to "verifiable consumer requests" (VCRs) by disclosing personal information that they have collected, used, or shared about consumers for a business or commercial purpose. We compared the actual network traffic of 109 apps that we believe must comply with the CCPA to the data that apps state they collect in their privacy policies and the data contained in responses to "right to know" requests that we submitted to the app's developers. Of the 69 app developers who substantively replied to our requests, all but one provided specific pieces of personal data (as opposed to only categorical information). However, a significant percentage of apps collected information that was not disclosed, including identifiers (55 apps, 80%), geolocation data (21 apps, 30%), and sensory data (18 apps, 26%) among other categories. We discuss improvements to the CCPA that could help app developers comply with "right to know" requests and other related regulations.

show abstract

Section: Efficacy Of Subject Access Requestsmentioning

confidence: 99%

Section: Access Requestsmentioning

confidence: 99%

Lessons in VCR Repair: Compliance of Android App Developers with the California Consumer Privacy Act (CCPA)

Samarin

Shayna

Zaina

et al. 2023

PoPETs

View full text Add to dashboard Cite

show abstract

“…More specifically, Herrmann and Lindemann [11] have analyzed the data responses from 150 popular websites and smartphone apps when exercising the 'Right of Access' under the now obsolete Directive 95/46/EC, demonstrating excessive carelessness of DCs when handling those requests as well as incidentally revealing possibilities of criminal abuse. Following the adoption of the GDPR in 2016, Cormack [6] argued that the additional provisions related to the 'Right of Access' (now Article 15 GDPR) may increase the hypothetical risk of leaking personal information to unauthorized third-parties when those parties attempt to impersonate real data subjects. To better conceptualize these risks, Boniface et al [2] examined potential authentication issues of various popular websites and third-party trackers more in-depth and compared the recommendations of European Data Protection Authorities (DPAs) concerning the transmission of sensitive information such as passports and national ID cards.…”

Section: Related Workmentioning

confidence: 99%

Revisiting Identification Issues in GDPR ‘Right Of Access’ Policies: A Technical and Longitudinal Analysis

Martino

Meers

Quax

et al. 2022

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Several data protection regulations permit individuals to request all personal information that an organization holds about them by utilizing Subject Access Requests (SARs). Prior work has observed the identification process of such requests, demonstrating weak policies that are vulnerable to potential data breaches. In this paper, we analyze and compare prior work in terms of methodologies, requested identification credentials and threat models in the context of privacy and cybersecurity. Furthermore, we have devised a longitudinal study in which we examine the impact of responsible disclosures by re-evaluating the SAR authentication processes of 40 organizations after they had two years to improve their policies. Here, we demonstrate that 53% of the previously vulnerable organizations have not corrected their policy and an additional 27% of previously non-vulnerable organizations have potentially weakened their policies instead of improving them, thus leaking sensitive personal information to potential adversaries. To better understand state-of-the-art SAR policies, we interviewed several Data Protection Officers and explored the reasoning behind their processes from a viewpoint in the industry and gained insights about potential criminal abuse of weak SAR policies. Finally, we propose several technical modifications to SAR policies that reduce privacy and security risks of data controllers.

show abstract