A researcher has demonstrated how to exploit Europe's privacy protection laws to violate other people's privacy — and new privacy rules on the way in the U.S. could be vulnerable in the same way.
The state of play: Privacy laws, including Europe's mammoth General Data Protection Regulation (GDPR) and California's recently passed regulations, often include provisions to allow people to request the personal information that companies have compiled on them.
Yes, but: These laws have generally done a poor job of spelling out how companies should verify a requester's identity before fulfilling such requests.
Details: James Pavur, a Ph.D. student at Oxford University, bet his fiancée he could use GDPR to steal her personal information.
- He contacted around 150 companies, requesting her data via a fake email account in her name. 83 of the firms had her data, and roughly a quarter of those provided it to him, no questions asked.
"The very big companies did an excellent job fighting fraud and told me to access that information through my profile or email from the account I used to sign up," Pavur, who will present his research in August at the Black Hat conference, told Axios. "The small companies — like a podcast company in the U.S. — knew the law didn't apply to them."
- Many midsized companies took the bait. They knew they had to respond to the requests, but hadn't adopted processes for doing so safely.
- Pavur has not released any names of the companies he tested.
Between the lines: "These laws focus upon the user, not the company," said Matthew McCabe, senior vice president and assistant general counsel for cyber policy at Marsh.
- More robust regulations would outline acceptable identity verification practices. "They would not just consider end points, but process as well," said Pavur. "And they would say it's OK to say 'no.'"
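The control the large companies applied, as Pavur describes it, is a process rule: an access request is honoured only through the profile or the address the person signed up with, never through an address the requester merely asserts. The following is an added illustration of that rule, not code from Axios, Pavur, or any company in the story. The account store, names, and addresses are constructed sample data; the function and class names are hypothetical.

```python
"""Triage for a data subject access request (DSAR).

Added example. Verification is anchored to the contact details already on
record, so someone who knows a name and sets up a look-alike mailbox never
receives the verification challenge. All data below is constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Action(Enum):
    SERVE_IN_ACCOUNT = "serve_in_account"    # requester is logged in: deliver inside the profile
    CHALLENGE_ON_FILE = "challenge_on_file"  # send a one-time code to the address of record
    NO_RECORD = "no_record"                  # nothing matched: reply without confirming anything


@dataclass(frozen=True)
class Triage:
    action: Action
    challenge_to: Optional[str]  # where a verification code goes; never the asserted address
    note: str


# Constructed account store: signup email -> account holder name (hypothetical).
ACCOUNTS: Dict[str, str] = {
    "alice@example.org": "Alice Example",
    "bob@example.net": "Bob Example",
}

# Constructed in-memory store of pending challenges: request_id -> sha256(code).
PENDING: Dict[str, str] = {}


def _norm(s: str) -> str:
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(s.strip().lower().split())


def triage_dsar(requester_email: str, claimed_name: str,
                session_email: Optional[str] = None) -> Triage:
    """Decide how an access request is handled.

    Order of checks: authenticated session, then the address of record, then a
    name match. A name match still routes the challenge to the address on file,
    so a request from a fresh mailbox in the customer's name gets nothing back.
    """
    if session_email and _norm(session_email) in ACCOUNTS:
        return Triage(Action.SERVE_IN_ACCOUNT, None,
                      "authenticated session: deliver through the profile")
    req = _norm(requester_email)
    if req in ACCOUNTS:
        return Triage(Action.CHALLENGE_ON_FILE, req,
                      "requester address is the address of record")
    for on_file, name in ACCOUNTS.items():
        if _norm(name) == _norm(claimed_name):
            return Triage(Action.CHALLENGE_ON_FILE, on_file,
                          "name matched; challenge goes to the address of record, not the requester")
    # Same wording whether or not we hold data, so the reply confirms nothing.
    return Triage(Action.NO_RECORD, None, "no verifiable match; uniform reply")


def issue_challenge(request_id: str) -> str:
    """Create a one-time code; only its hash is stored. The code itself is sent
    to Triage.challenge_to and nowhere else."""
    code = secrets.token_hex(4)
    PENDING[request_id] = hashlib.sha256(code.encode()).hexdigest()
    return code


def redeem_challenge(request_id: str, presented: str) -> bool:
    """Single-use, constant-time check of the code the customer sends back."""
    expected = PENDING.pop(request_id, None)
    if expected is None:
        return False
    got = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(expected, got)


if __name__ == "__main__":
    # An impostor writing from a look-alike mailbox in Alice's name:
    t = triage_dsar("alice.example@free-mail.test", "Alice Example")
    print(t.action.value, "->", t.challenge_to)  # code goes to alice@example.org
```

The point the triage makes concrete is that the decision is about process, not just the endpoint: the requester's address is treated as a claim to be checked against the record, and the verification path (logged-in profile or address of record) is chosen before any data moves.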
What's next: "The same problem in GDPR is in the California Consumer Privacy Act," which goes into effect at the start of 2020, said Shannon Yavorsky, data security and privacy partner at Venable.
- Yavorsky hopes the California attorney general will clarify best practices for fighting fraud in upcoming commentary on the law.
Why it matters: Without a concerted effort to mandate fighting fraud while protecting privacy, these experts agree, new U.S. privacy laws are likely to create similar new vulnerabilities.