
GDPR is an identity thief's dream ticket to Europeans' data - psanford
https://www.theregister.co.uk/2019/08/09/gdpr_identity_thief/
======
rlpb
"GDPR is an identity thief's dream ticket" would require that the GDPR somehow
permits companies to hand over personal data without reasonable identity
verification. The Register seems to be making this assumption in their
editorialized headline.

However, as far as I can tell, these companies have done the opposite and
_breached_ the GDPR by failing to keep personal data safe, as the GDPR itself
requires, in the process of handling a data access request (as happens to be
mandated by the GDPR).

I don't see how this is a problem with the GDPR itself. It _is_ a problem with
how some companies have implemented it.

According to the article, the researcher says that "lawmakers need to set a
standard for what is a legitimate form of ID for GDPR requests".

I'm not sure I want this. I want companies to remain liable for data breaches
even if they come from illegitimate data access requests. A single standard
won't suit all situations.

~~~
rlpb
Would the downvoters please explain why you think I'm wrong? Or is this just
the typical GDPR hate that seems to infest HN such that I defend the GDPR ergo
I'm automatically downvoted?

~~~
number6
I don't get this either. You are on point.

Giving out data to someone other than the data subject is a data breach.

If you can't identify the subject positively you don't give out the data.

You document this - it is not like you get an instant fine without anybody
asking you about what was going on.

This is not YouTube or PayPal or Twitter banning your account without a chance
to talk to someone. Before you get a fine someone will talk to you. If you get
a fine you can appeal. It is not an instant 4% of your income deducted
automatically from your account.

------
nitwit005
Surely this isn't a new problem given that credit bureaus, hospitals, and so
on already had to turn over information on demand?

~~~
tylerrobinson
But for any other industry, there would be no existing infrastructure to
support this.

~~~
dmix
They all use authentication systems though, don't they? The problem is any bad
actor can exploit GDPR to get information on anyone else.

~~~
number6
That's not true. You are only allowed to give out information to the data
subject. You have to verify that you are giving the information only to the
subject.

If you can't verify you don't give out information.

There are so many ways to verify. Public Data is not a shared secret, thus not
something to verify identity with.

~~~
zaarn
If you have the home address of the subject, send it to that address, and don't
allow recent changes without thorough investigation. A postal letter is more
secure than sending an email to the subject's email address.

------
HenryBemis
I notice the pattern that any opinions stating that this is not a GDPR issue,
it is an end-company issue, get downvoted. Oh how much would the US companies
like to get rid of GDPR and go back to a system where everything is up for
grabs, with zero accountability and rampant abuse. I think GDPR is one of the
best things that have happened to Europeans/European consumers since the
inception of the internet, in the data ownership and privacy space.

What Pavur managed is a wake-up call for companies to further clean up their
act, and that is a positive step to making GDPR stronger, not to removing it.

One cannot blame the whole system for some/many bad actors. If improvements
are needed in the identifying mechanisms, so be it, but as a system, it is
built to work FOR the people.

Also (without reducing the effort and results of Pavur) anything you read on
UK media condemning anything EU-made, take it with a pinch of salt, a no-deal
Brexit may be coming and some media will do their best to demonize all-things-
EU. Agendas will be served.

------
Traster
>"Privacy laws, like any other infosecurity control, have exploitable
vulnerabilities," he said. "If we'd look at these vulnerabilities before the
law was enacted, we could pick up on them."

Okay, now let's relate it back to what Hacker News knows about

> "Software, like any other infosecurity control, have exploitable
> vulnerabilities," he said. "If we'd look at these vulnerabilities before the
> Software was deployed, we could pick up on them."

It's correct to say that you can limit the number of vulnerabilities you ship,
but it's always going to be non-zero and you're always going to need to deploy
security patches.

I'm not sure poor implementation and compliance with a new law is a
particularly huge threat. Over time best practices will emerge and this will
essentially be a low success rate attack vector. Compare that to the
counterfactual: before GDPR the number of companies with your data was far
higher, the data they held was far more in depth, and they often had little to
no security procedures. The underlying message here is that the fundamentals
of GDPR make your data safer, not less safe.

------
WhoBeI
Right, so slap the largest fine on each one. They had 2 years to prepare and
obviously didn't.

Before the GDPR this would have been stamped "identity theft" putting the
company in the clear. As if you were somehow responsible for the company not
verifying the identity of their customers.

[Edit]

I should mention that around here there is an established 2FA solution used by
banks and the government so verification has been de facto standardized.

------
mpnordland
Point of fact: it's not the GDPR, per se, that causes companies to hand over
personal information to duplicitous individuals. It's those companies' poor
verification and security practices.

The GDPR does create a new attack surface, in that companies now have a legal
obligation to provide information. The article did not say whether or not
there is a legal obligation to properly verify the identity of the requestor.

~~~
tialaramex
It isn't really a new attack surface because GDPR is only a refinement of
previous rules. Companies inside the EU already were subject to previous
iterations of this "Ask permission, don't keep stuff you don't need, tell
subjects what you know, fix mistakes on request" model.

Back when I first worked for a start up, Richmond Informatics (subsequently
Garlik, which was then bought by Experian) it began by doing subject data
access requests for key personnel just to see what was out there. That's well
over a decade ago.

And yes, they have a responsibility to ensure they only give the actual
subject the data, which is tricky but if it's too hard then probably "don't
keep any data" was the correct answer. "Thank you for your letter. We do not
keep any data whatsoever about our users". Done.

At Experian the main theme of the training in this area was "Do not try to
help, don't respond in any way except to forward everything to the special
department that handles these requests".

------
kerng
Bad headline by The Register: the problem is not GDPR, as the headline might
try to convince you; the issue is identity validation and lack of security
controls.

The attack described is similar to "password reset", which gives an adversary
access to everything, and companies that don't have strong security in place,
or users with weak passwords, are likely subject to exploitation.

------
tzs
I'm not sure why GDPR requires companies to provide data subjects with actual
copies of the data (Article 15 section 3). In most cases, providing the actual
data doesn't really give any more information than just telling the data
subject that the company has the data.

For instance, I already know my mother's maiden name, so a response of "We
know your mother's maiden name" would be just as useful to me as "We know that
your mother's maiden name is <NAME>", but would be much less useful to someone
pretending to be me.

There are situations where you do need to see the actual data so it should
still be available, but getting that data should require a much more robust
proof that you are the data subject than is required for just getting the
existence data.
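
The verification rules argued for in this thread (number6 and zaarn above: public
record data is not a shared secret, prefer a code posted to the address on file,
and hold requests where that address changed recently) and the tiered
existence-only versus full disclosure suggested in this post can be written down
as one access-request decision routine. This is an added example, not code from
any company or from the article; the evidence categories, the 30-day address
change window and the subject record are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Evidence classes are assumptions for this example, not a legal standard.
PUBLIC_RECORD = {"name", "date_of_birth", "mothers_maiden_name", "employer"}
WEAK_SECRET = {"account_password"}  # phishable or reused; proves little
STRONG_SECRET = {"code_posted_to_address_on_file", "login_with_2fa",
                 "id_document_in_person"}


@dataclass
class SubjectRecord:
    address_on_file: str
    address_changed_on: date   # last change to the postal address on file
    data: dict                 # what the controller actually holds


def decide_dsar(evidence, record, today, change_window_days=30):
    """Decide how to answer a subject access request.

    Returns (decision, payload) where decision is one of
    "reject", "hold", "existence_only" or "full".
    """
    offered = set(evidence) & (WEAK_SECRET | STRONG_SECRET)
    if not offered:
        # Only public record data (or nothing) was offered: it is not a
        # shared secret, so it verifies nobody.
        return "reject", {}
    recent_move = today - record.address_changed_on < timedelta(days=change_window_days)
    if "code_posted_to_address_on_file" in offered and recent_move:
        # The address change itself may be the attacker's work: route to a
        # human investigation instead of posting the data to the new address.
        return "hold", {}
    if offered & STRONG_SECRET:
        return "full", dict(record.data)
    # Weak evidence only: confirm which categories are held, not their values.
    return "existence_only", {key: "held" for key in record.data}


if __name__ == "__main__":
    # Constructed sample record; values are not real.
    rec = SubjectRecord("1 Example Street", date(2019, 1, 1),
                        {"email": "subject@example.org",
                         "mothers_maiden_name": "SMITH"})
    print(decide_dsar({"name", "mothers_maiden_name"}, rec, date(2019, 8, 9)))
    print(decide_dsar({"account_password"}, rec, date(2019, 8, 9)))
```

Each decision should also be logged with the evidence offered, so that a
rejected or held request leaves the audit trail number6 describes.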

~~~
tialaramex
Subjects have a right for the information to be correct. So they need to see
what you've got, not just the claim to know my mother's maiden name (actually
a matter of public record in many countries) but the fact you think it's SMITH
(it isn't so you will need to fix that).

------
qserasera
If nobody can profit from it, it doesn't exist. Even in Europe.

