Photo: Valery Brozhinsky/Getty Images

A researcher has demonstrated how to exploit Europe's privacy protection laws to violate other people's privacy — and new privacy rules on the way in the U.S. could be vulnerable in the same way.

The state of play: Privacy laws, including Europe's mammoth General Data Protection Regulation (GDPR) and California's recently passed regulations, often include provisions to allow people to request the personal information that companies have compiled on them.

Yes, but: These laws have not generally done a good job clarifying acceptable ways to do this safely.

Details: James Pavur, a Ph.D. student at Oxford University, bet his fiancee he could use GDPR to steal her personal information.

  • He contacted around 150 companies, requesting her data via a fake email account in her name. 83 of the firms had her data, and roughly a quarter of those provided it to him, no questions asked.

"The very big companies did an excellent job fighting fraud and told me to access that information through my profile or email from the account I used to sign up," Pavur, who will present his research in August at the Black Hat conference, told Axios. "The small companies — like a podcast company in the U.S. — knew the law didn't apply to them."

  • Many midsized companies took the bait. They knew they had to respond to the requests, but hadn't adopted processes for doing so safely.
  • Pavur has not released any names of the companies he tested.

Between the lines: "These laws focus upon the user, not the company," said Matthew McCabe, senior vice president and assistant general counsel for cyber policy at Marsh.

  • More robust regulations would outline acceptable identity verification practices. "They would not just consider end points, but process as well," said Pavur. "And they would say it's OK to say 'no.'"

What's next: "The same problem in GDPR is in the California Consumer Privacy Act," which goes into effect at the start of 2020, said Shannon Yavorsky, data security and privacy partner at Venable.

  • Yavorsky hopes the California attorney general will clarify best practices for fighting fraud in upcoming commentary on the law.

Why it matters: Without a concerted effort to mandate fighting fraud while protecting privacy, these experts agree, new U.S. privacy laws are likely to create similar new vulnerabilities.

Go deeper: Europe's privacy law celebrates its first birthday

Go deeper

Updated 15 mins ago - World

Hong Kong media tycoon Jimmy Lai arrested under national security law

Media tycoon Jimmy Lai at the Next Digital offices in Hong Kong in June. Photo: Anthony Wallace/AFP via Getty Images

Hong Kong pro-democracy activist Jimmy Lai has been arrested for "collusion with foreign powers" and the offices of his newspaper raided, said Mark Simon, an executive at the tycoon's media firm Next Digital on Monday.

Why it matters: He was arrested under the new national security law that gives Beijing more powers over the former British colony. Lai is the most prominent person arrested under the law — which prompted the U.S. to sanction Chinese officials, including Hong Kong leader Carrie Lam, over Beijing's efforts to strip the territory of its autonomy.

Updated 25 mins ago - Politics & Policy

Coronavirus dashboard

Illustration: Sarah Grillo/Axios

  1. Global: Total confirmed cases as of 1:30 a.m. ET: 19,861,683 — Total deaths: 731,326 — Total recoveries — 12,115,825Map.
  2. U.S.: Total confirmed cases as of 1:30 a.m. ET: 5,044,864 — Total deaths: 162,938 — Total recoveries: 1,656,864 — Total tests: 61,792,571Map.
  3. Politics: Pelosi says states don't have the funds to comply with Trump's executive order on unemployment — Mnuchin says Trump executive orders were cleared by Justice Department.
  4. States: New York reports lowest rate of positive coronavirus test results since pandemic began
  5. Public health: Ex-FDA head: U.S. will "definitely" see 200,000 to 300,000 virus deaths by end of 2020. 
  6. Schools: 97,000 children test positive for coronavirus in two weeks — Nine test positive at Georgia school where photo showing packed hallway went viral .

97,000 children test positive for coronavirus in two weeks

A boy has his temperature checked as he receives a free COVID-19 test in South Los Angeles in July. Photo: Mario Tama/Getty Images

At least 97,000 children tested positive for COVID-19 in the final two weeks of July and there's been an estimated 338,000 cases involving kids in the U.S. since the pandemic began, a new report finds.

Why it matters: The findings in the report by the American Academy of Pediatrics and the Children’s Hospital Association comes as schools and day cares look to reopen in the U.S., with New York Gov. Andrew Cuomo (D) announcing Friday that school districts in the state can reopen in the fall amid lower coronavirus transmission rates.