Jul 11, 2019

Hacking the vulnerabilities in privacy laws

A researcher has demonstrated how to exploit Europe's privacy protection laws to violate other people's privacy — and new privacy rules on the way in the U.S. could be vulnerable in the same way.

The state of play: Privacy laws, including Europe's mammoth General Data Protection Regulation (GDPR) and California's recently passed regulations, often include provisions to allow people to request the personal information that companies have compiled on them.

Yes, but: These laws have generally not done a good job of clarifying acceptable ways to do this safely.

Details: James Pavur, a Ph.D. student at Oxford University, bet his fiancée he could use GDPR to steal her personal information.

  • He contacted around 150 companies, requesting her data via a fake email account in her name. 83 of the firms had her data, and roughly a quarter of those provided it to him, no questions asked.

"The very big companies did an excellent job fighting fraud and told me to access that information through my profile or email from the account I used to sign up," Pavur, who will present his research in August at the Black Hat conference, told Axios. "The small companies — like a podcast company in the U.S. — knew the law didn't apply to them."

  • Many midsized companies took the bait. They knew they had to respond to the requests, but hadn't adopted processes for doing so safely.
  • Pavur has not released any names of the companies he tested.

Between the lines: "These laws focus upon the user, not the company," said Matthew McCabe, senior vice president and assistant general counsel for cyber policy at Marsh.

  • More robust regulations would outline acceptable identity verification practices. "They would not just consider end points, but process as well," said Pavur. "And they would say it's OK to say 'no.'"

What's next: "The same problem in GDPR is in the California Consumer Privacy Act," which goes into effect at the start of 2020, said Shannon Yavorsky, data security and privacy partner at Venable.

  • Yavorsky hopes the California attorney general will clarify best practices for fighting fraud in upcoming commentary on the law.

Why it matters: Without a concerted effort to mandate fighting fraud while protecting privacy, these experts agree, new U.S. privacy laws are likely to create similar new vulnerabilities.
