Jul 11, 2019

Hacking the vulnerabilities in privacy laws

Photo: Valery Brozhinsky/Getty Images

A researcher has demonstrated how to exploit Europe's privacy protection laws to violate other people's privacy — and new privacy rules on the way in the U.S. could be vulnerable in the same way.

The state of play: Privacy laws, including Europe's mammoth General Data Protection Regulation (GDPR) and California's recently passed regulations, often include provisions to allow people to request the personal information that companies have compiled on them.

Yes, but: These laws have generally not done a good job of clarifying how companies should verify such requests safely.

Details: James Pavur, a Ph.D. student at Oxford University, bet his fiancée he could use GDPR to steal her personal information.

  • He contacted around 150 companies, requesting her data via a fake email account in her name. 83 of the firms had her data, and roughly a quarter of those provided it to him, no questions asked.

"The very big companies did an excellent job fighting fraud and told me to access that information through my profile or email from the account I used to sign up," Pavur, who will present his research in August at the Black Hat conference, told Axios. "The small companies — like a podcast company in the U.S. — knew the law didn't apply to them."

  • Many midsized companies took the bait. They knew they had to respond to the requests, but hadn't adopted processes for doing so safely.
  • Pavur has not released any names of the companies he tested.

Between the lines: "These laws focus upon the user, not the company," said Matthew McCabe, senior vice president and assistant general counsel for cyber policy at Marsh.

  • More robust regulations would outline acceptable identity verification practices. "They would not just consider end points, but process as well," said Pavur. "And they would say it's OK to say 'no.'"
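The "process, not end points" point above is what the midsized companies were missing: a data subject access request (DSAR) was being treated as a request to answer rather than a claim to verify. The following is an added illustration, not code from Pavur's research or from any company named on the page. It sketches a minimal intake policy for such requests: a request that cannot be tied to an account on file is refused without confirming whether an account exists, a request whose sender does not match the address on file is refused, and even a matching sender only triggers a one-time challenge sent to the address on file, with data released only after that challenge is answered. The account store and request contents are constructed sample data.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample account store: the contact details the company already holds.
ACCOUNTS: Dict[str, dict] = {
    "alice@example.com": {"name": "Alice Example"},
}

# Outstanding one-time challenge tokens, keyed by token -> account email on file.
PENDING: Dict[str, str] = {}


@dataclass
class DsarRequest:
    subject_name: str     # name the requester gives for the data subject
    reply_to: str         # address the request actually arrived from
    claimed_account: str  # address the requester says the account is registered under


@dataclass
class Decision:
    action: str                    # "reject", "challenge" or "fulfil"
    reason: str
    challenge_to: Optional[str] = None  # where the challenge was sent, if any
    token: Optional[str] = None         # one-time token for the challenge, if any


def triage(req: DsarRequest) -> Decision:
    """First-stage handling of an inbound access request.

    A name alone, or a freshly created mailbox in the subject's name, is never
    enough: identity is only ever confirmed through a channel already on file.
    """
    account_email = req.claimed_account.strip().lower()
    sender = req.reply_to.strip().lower()

    if account_email not in ACCOUNTS:
        # Saying "no" is an acceptable outcome. The reply deliberately does not
        # reveal whether any account exists for this name or address.
        return Decision("reject",
                        "cannot verify requester; authenticate through the service")

    if sender != account_email:
        # Request came from somewhere other than the registered contact address.
        return Decision("reject", "request did not originate from the address on file")

    # Sender headers can be forged, so a matching sender is still only a claim.
    # Issue a single-use challenge to the address on file; only a reply to that
    # challenge proves control of the registered contact channel.
    token = secrets.token_urlsafe(16)
    PENDING[token] = account_email
    return Decision("challenge", "verification link sent to address on file",
                    challenge_to=account_email, token=token)


def confirm(token: str) -> Decision:
    """Second stage: the challenge link was followed by whoever controls the address on file."""
    account_email = PENDING.pop(token, None)
    if account_email is None:
        return Decision("reject", "unknown or already-used verification token")
    # Release only to the verified channel, never to the address the request came from.
    return Decision("fulfil", "identity verified; deliver data to the address on file",
                    challenge_to=account_email)


if __name__ == "__main__":
    # Constructed scenario mirroring the experiment: a look-alike mailbox in the subject's name.
    impostor = DsarRequest("Alice Example", "alice.example@mail.example.net",
                           "alice.example@mail.example.net")
    print(triage(impostor))

    # Constructed scenario: the request arrives from the registered address.
    genuine = triage(DsarRequest("Alice Example", "alice@example.com", "alice@example.com"))
    print(genuine)
    print(confirm(genuine.token))
```

The design choice worth noting is that the policy never answers "does this person have an account?" to an unverified party, and that the delivery address is taken from the company's own records rather than from the request. Those two rules are what make the "fake email in her name" approach fail regardless of how convincing the request looks.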

What's next: "The same problem in GDPR is in the California Consumer Privacy Act," which goes into effect at the start of 2020, said Shannon Yavorsky, data security and privacy partner at Venable.

  • Yavorsky hopes the California attorney general will clarify best practices for fighting fraud in upcoming commentary on the law.

Why it matters: Without a concerted effort to mandate fighting fraud while protecting privacy, these experts agree, new U.S. privacy laws are likely to create similar new vulnerabilities.

Go deeper: Europe's privacy law celebrates its first birthday
