back to article Talk about unintended consequences: GDPR is an identity thief's dream ticket to Europeans' data

When Europe introduced the General Data Protection Regulation (GDPR) it was supposed to be a major step forward in data safety, but sloppy implementation and a little social engineering can make it heaven for identity thieves. In a presentation at the Black Hat security conference in Las Vegas James Pavur, a PhD student at …

  1. Cynical Pie

    Sorry but the fault here isn't GDPR, its just p!ss poor data protection controls from these companies and I suspect they'd have been equally as rubbish before GDPR came into effect.

    As someone who deals with SARs regularly our first task is always to verify the requestors ID and from what is in the article this seems to be the regular failing.

    1. Peter 26

      It is GDPR's fault. The reason GDPR exists is because we know most companies have piss poor data protection controls. Therefore in the design of it they need to force companies to ensure they protect our personal data. Let's hope they add protocols that have to be followed into GDPR v2.

      In the mean time this is great news for companies, they now have an excuse not to deal with GDPR requests, let them get stuck in the red tape of proving who they are.

      1. Anonymous Coward
        Anonymous Coward

        "It is GDPR's fault."

        This comes down to how a regulation/law is enforced and potentially how that enforcement changes over time - if the regulation/law involves a significant change in behavior (I believe this is the case with GDPR), expecting the diverse range of organisations affected to comply fully on day 1, year 1 or even, I suspect in years 1-5, is likely to be unrealistic, so it should be eased in with case law building to support ideal practices across differing industries. I'm not suggesting that this removes the need to comply with GDPR, just how it should be enforced to avoid it being workable.

        While I believe there are some poorly thought out parts of the GDPR (around IP addresses being an identity as while that is possible, for the majority of cases, an IP address becomes an identity only after a GPDR inquiry is raised to associate it with an individual...), the majority of the regulations provides a much clearer guide to what is in-scope, who is responsible and the consequences of things not being done correctly in a way that can be applied across the EU and I believe more widely if administered appropriately.

        The cases we have seen so far are either clear violations or the interesting test cases that will define whether the framework can achieve it's stated goals or whether major revisions will be required to ensure it remains workable.

        1. Anonymous Coward
          Anonymous Coward

          "for the majority of cases, an IP address becomes an identity only after a GPDR inquiry is raised to associate it with an individual..."

          Actually, I think they're quite right it is.

          Facebook (& probably others) already associate your IP address to your identity.

          At least, that's the only way FB could know what apps I have installed on my phone: even though I have never used Facebook from said phone, I have used it and my FB account from the same IP regularly.

          So the data collected by 3rd party apps (apps used without any sort of identification, least of all FB's) was at some point correlated to what Facebook has about me.

          1. Tom Paine

            Aha. No. What they've done is to track you across other, non-Facebook apps which you've used on your phone.

          2. Wayland

            Virgin Media provide a Reverse DNS lookup for my IP address. This means sites know my unique virgin hostname. If they record that then it does not matter that DHCP may supply a different IP next time.

            1. Anonymous Coward
              Anonymous Coward

              "Virgin Media provide a Reverse DNS lookup for my IP address. "

              OK, lets take a look:

              86.11.x.y cpcXXXXXX-<area>XX-X-X-custXXX.XX-X.cable.virginm.net

              It looks like it might give details of an exchange (listed as area above) and customer offset on that exchange, but I suspect that very few sites would use that information unless they had a way of converting VM DNS names to locations - as GeoIP databases already exist and there are ways of obtaining more exact locations via GPS etc, I'd be surprised if was used for anything other than people on the Internet trying to show they know where you live...

              1. Anonymous Coward
                Anonymous Coward

                It's the law...

                All ISPs should provide a reverse DNS lookup for every used IP address, according to very old RFCs....

                Otherwise things can go slow, or even break entirely for bad apps.

                I've never seen anyone even vaguely linked to reverse DNS - BT puts me living around 50 miles away, virgin is usually the nearest big city - but not always.

                Remember that your mobile devices are wifi beaconing all the time, and retail establishments will be using that beacon to identify you as a person of interest. Unless you query by your wifi MAC, it's hard to know what they know about your location habits - but it's pretty easy for them to link wifi MAC with transactions over just 2 separate purchases, and then know when you arrived, how long you shopped for, where you stopped for in the shop, and what exactly you bought. If they're smart they can adjust the store to improve the number, and speed, of purchases......creepy, yes, but welcome to sales. :-(

            2. JBowler

              Providing a reverse DNS violates your privacy?

              Eh, sorry. You use your IP to get some stuff and you don't want anyone to know who you are? Duh.

              John Bowler (forward, reverse, shake it all about readily available).

      2. c1ue

        The fact that these companies have this sensitive data is the issue, not the attack channel which GDPR has created.

        No data, no attack channel.

        1. YJotta

          Some companies actually need your data to provide you their services.

      3. Anonymous Coward
        Anonymous Coward

        Peter 26

        > It is GDPR's fault.

        Since you are quite expert, care to explain what Section 2 of Regulation (EU) 2016/679 (aka GDPR) deals with, exactly? Article 25?

        Many thanks.

        1. Anonymous Coward
          Anonymous Coward

          Re: Peter 26

          Section 2 begins with Article 32. Article 25 comes within Section 1? What's your point?

          1. Anonymous Coward
            Anonymous Coward

            Re: Peter 26

            > Section 2 begins with Article 32. Article 25 comes within Section 1?

            Yes it does come within section 1, to answer your question. That's why I mentioned it separately.

      4. phuzz Silver badge
        Headmaster

        The GDPR regulation specifically says that the organisation holding the data should be cautious in identifying if a person really is the data subject:

        (Article 12, pt 3)

        "Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject."

    2. Sulky

      Totally, this isn't even new to GDPR, SARs were part of DPA 98, you just had to pay for them and the punishment for none compliance was basically none existent. This isn't new research, anyone who has been involved in DPA work since the 98 act came into force has known about this issue.

      1. FollyGoLightly

        Regardless of whether you think this is old research rebranded or not; the headline is that the lack of understanding of GDPR and the responsibilities that companies have regarding data protection has been exposed by James' efforts and may help address that concern. A lot more companies know about GDPR than were probably aware of DPA98 and they have also read the scare stories associated with none-compliance... I'd say his research helps and isn't wasted effort.

        1. Anonymous Coward
          Anonymous Coward

          It certainly helps. The article's clickbait scaremongering bogeyman title, on the other hand...

          1. Anonymous Coward
            Anonymous Coward

            > The article's clickbait scaremongering bogeyman title, on the other hand...

            The old subeds, 2000-2010 like, used to be a lot wittier. These days it's the same old tired clichés over and over. One of the reasons I am no longer a regular reader.

      2. Anonymous Coward
        Anonymous Coward

        Didn’t have to pay, organisations were allowed to charge an admin fee of up to £10 though.

        1. Lazlo Woodbine

          They used to be able to charge, but they are no longer able to charge an admin fee for a Subject Access Request

    3. Will Godfrey Silver badge
      Thumb Up

      Good point.

      Interestingly, it does however, highlight a simple way to check integrity of any organisation you might deal with.

      1. Sulky

        No doubt someone will suggest a system using AI + Blockchain technology can solve this problem, after all it's solving all of the world's other woes :)

        1. AndrueC Silver badge
          Joke

          Neither of those will be any use unless implemented using IoT.

          :)

          1. MrXavia
            Big Brother

            I think you mean AI with blockchain using IOT in the Cloud! without the cloud it is totally useless!

            1. Sulky

              I think we've got something here! We need to "reach out" to some VCs!!

              1. AndrueC Silver badge
                Joke

                We need to "reach out" to some VCs!!

                Are the Viet Cong still around?

                1. Sulky

                  Well, this product will quickly disappear down a rabbit hole!

                2. Anonymous Coward
                  Anonymous Coward

                  > Are the Viet Cong still around?

                  Given that they won the war and that to this day, Vietnam is a communist country (I've been there), I would say yes they're still around. Let's go and talk to them. :-)

                  1. A.P. Veening Silver badge

                    Given that they won the war and that to this day, Vietnam is a communist country (I've been there), I would say yes they're still around. Let's go and talk to them. :-)

                    The Viet Cong didn't win, but they were on the winning side. And there are still surviving members, but those aren't active anymore and getting on in years. And after the reunification of Viet Nam, the active Viet Cong were absorbed into the ranks of the regular (North) Vietnamese army.

              2. Tom 38
                Coat

                I worked with a Lithuanian guy, who didn't quite have the English Business Idioms down pat, he would keep offering to "reach around" to people.

                1. Tom Paine
                  Coat

                  It's glas someone, at least, is still trying to get a grip on things.

                2. Bongwater

                  That means

                  he is courteous to his fellow solider ;)

                3. NeilPost Silver badge

                  Front or back reach !

              3. Tom Paine

                Going nowhere...

                without some big data and machine learning, thy're be toast before the next payroll run!

    4. big_D Silver badge

      Agreed, these companies would be in breach of GDPR if they provided this information, without formally verifying the requesters identity.

      A PostIdent (Postal identity verification), in Germany, for example would be a good way of confirming the identity. The person requesting goes to a post office, provides their identity card or passport and their ID will be validated by the Post and they send the confirmation to the requester.

    5. Warm Braw

      The interesting thing here is that you may find yourself asking a data subject for a more rigorous proof of their identity than you required when they first identified themselves to you.

      If you're happy to process someone's information without holding any strong proof of identity, you can't reasonably expect them to provide a stronger proof of identity if they request you to stop. And if they do provide that additional proof, how reasonably do you expect to verify it without further processing their data in ways they may not originally have agreed to?

      1. Graham Cobb Silver badge

        Yes. For that reason, it needs to be tied to proving you can log in to the account, for any business that has an account.

        A big question is "how do I make a SAR to Facebook?". I have never had any relationship with FB - never had any account. However, I suspect they might have some data about me from my friends or from companies who have one of my email addresses or phone numbers. The last thing I want to do is give them any information they don't already have, or confirm that any of my identities are actually linked.

        How do I ask?

        1. Mike 137 Silver badge

          Genuine weaknesses of the GDPR

          Quite apart from the right of access under Article 15, Article 14 requires a data controller obtaining personal information from sources other than the data subject to inform the data subject of the processing and their rights (as under Article 13 where the data subject supplies the information) and also of where the data were obtained from. So far all well and good, as the data subject should in principle have been informed, either by the data controller they provided their data to (under Article 13) or the recipient of a data sharing (under Article 14).

          However Article 14.5(b) provides a discretionary get out clause (that I guess most behemoth data slurpers might choose to rely on) if "the provision of such information proves impossible or would involve a disproportionate effort".

          Furthermore, it appears so far (there being very little precedent yet) that where a data controller shares personal data with a third party data controller on the basis of legitimate interest, the responsibility of the sourcing data controller is limited to the actual process of sharing (as a joint controller for that process) unless the sharing involves a "transfer" to a third country. Otherwise, the sourcing data controller is not responsible even for checking whether the recipient processes the data in accordance with the legislation.

          Consequently, you've asked the $64,000 question. How indeed?

          The ideal answer would be enforcement of Article 14 with strict attention to abuse of 14.5(b) to facilitate evasion. Given an enforcement regime that essentially relies on complaints (policing by data subjects) that's not likely to happen soon.

          The position is in principle different if the third party is a data processor for the sourcing data controller, in which case the obligations are well defined. However even in that case two major problems have not yet been solved:

          [1] Most of the behemoths that provide "processing" for data controllers under the GDPR nevertheless impose their own unilaterally defined non-negotiable contracts on the data controller. This inverts the status of the controller/processor relationship and should in principle be unlawful, but has not yet gained sufficient attention;

          [2] Many of the behemoths providing "processor" services currently include in their privacy statements to data subjects AN assumed right also to act as data controllers for for their own purposes of the information provided to them in their capacity as processors. Whether this could be considered unlawful is still an open question, as the lawful basis usually relied on is the much abused "legitimate interest".

          The greatest weakness of the GDPR is that it has not been in force for long enough. It is likely to take many years of precedent before all these issues are considered properly and ruled upon conclusively.

    6. This post has been deleted by its author

    7. Anonymous Coward
      Anonymous Coward

      Problem with GDRP is that it is regulation that is not regulated. No GDPR Audit requirement. Seems to be an expectation that the public will provide the assessment of each organisation.

      Its only value is that of a deterrent.

      1. Anonymous Coward
        Anonymous Coward

        The real problem with GPRD is how GPDR triggers my dyslexia and I come out with GRDP instead of GDPR.

        1. Wayland

          As lnog as the mddile cnotians all the ltteers and begins and ends wtih the rgiht ones it's readable.

    8. Trenjeska
      Coat

      How to ID?

      when sending a copy of an ID is forbidden by the state?

      Here only a few strictly defined groups are even allowed to ask for a copy of an ID:

      - Government itself

      - Approved Banks (having an active license in The Netherlands)

      - Your employer when your contract falls under Dutch law

      Outside if that verification of identity may only be done IN PERSON and the document may not leave your direct control/view.

      1. phuzz Silver badge

        Re: How to ID?

        Well, the obvious way for most sites would be to require your username and password.

    9. Lars Silver badge
      Happy

      Yes, this a bit like blaming the car maker when some people refuse to fasten their seat belts. The ease at how people can be fooled is nothing new, and this time I will not mention brexir at all.

    10. Anonymous Coward
      Anonymous Coward

      Black Hat conference: entertainment?

      I don't know if it's just a coincidence or an actual trend, but this is the second article that I read in the last two days about flawed "research" presented in that conference, by people who in neither case were subject matter experts (in fact, as far as I can ascertain they were both complete unknowns) and predictably drew flawed conclusions from their "research".

      I wonder if the guy who ran this presentation so much as bothered to read the GDPR. If you skip the recital it is not even particularly long nor too technical.

      If he had, he would have found out that the Regulation does in fact cover this ground throughout, with particular emphasis in Article 25 and the whole of Section 2. It also has to be read in conjunction with other EU and national laws (not at my work computer now, so can't provide the references) that deal with computer security, labour and commerce, and which are relevant.

      In other words, if you want your fifteen minutes of fame at this conference, pick a subject that has "media pull" and give a talk on some sensationalist (but incorrect) claim. It is guaranteed that your name will be in print.

      Note: stay clear of subjects that can "bite back" (tech giants and so on). Go for stuff that the general public are vaguely familiar with, but only from media reporting not from direct knowledge. Good subjects are aviation, GDPR, autonomous driving, GPS and so on.

      1. Mike 137 Silver badge

        Re: Black Hat conference: entertainment?

        " If you skip the recital it is not even particularly long nor too technical"

        If you skip the Recitals, you won't understand the legislation. The recitals in European legislative documents are the explanations of the intent of the legislation and the criteria for adequate compliance. Leave them out and you just get a set of tick box "controls" to implement with no context. That's the state of most of the "GDPR compliance" I have examined so far as a professional consultant. So whether the law is adequate is still so far an open question - it hasn't really been tested yet.

        However this hardly differs from any other corporate "compliance", the basic approach to which is in general the question "what's the least we can get away with doing to keep the regulator off our backs?"

      2. Dr. Mouse

        Re: Black Hat conference: entertainment?

        While it may be true that these details are covered by both the GDPR and other EU and national laws, the fact that he was able to do this is problematic and has probably been aided by GDPR. It has made companies who don't normally have to check the identity of those they have data on be required to do so in some form when processing a SAR, while simultaneously requiring them to provide information back to the subject quickly or risk massive fines. It is not unreasonable that, having no experience in identity verification, they will fail at this task. This is especially true when some of the regulations they must comply with are not contained within the GDPR, the regulation they are implementing, and which they have had no interaction with or knowledge of previously.

        Taking a simple example: Say I'm an e-commerce company. I allow people to purchase from my site. My customers don't create accounts, they just enter their details upon ordering. I don't need to verify their identity, I just process their card payment and dispatch the goods. However, I now have info about them, and one issues a SAR.

        How am I to verify the identity of this person? Putting myself in their shoes, I would probably just ask for name, address and email, which is what I'd need in order to find the data. However, those details don't prove identity. If I was savy, I may also ask for the last 4 digits from their credit card, or details of the last order they placed, but a person could easily no longer have access to or remember those details. What next? Should I be asking for a drivers license or passport? These can be faked, so should I be verifying them with the relevant government agency?

        As someone completely unfamiliar with identity verification, it would be very easy and completely understandable for them to be unable to implement it in a reasonable manner. However, before GDPR, they may not have needed to. Hence, without clear guidelines on such verification GDPR is at least partially to blame.

        1. Wayland

          Re: Black Hat conference: entertainment?

          Sounds like installation dependencies.

          So you've just got this little tool you want to install but you can't until you've pulled in .NET and MSVC and JSON and the Chrome browser and MySQL and Autocad and SAP and MS Office and Steam.

    11. Wayland

      GDPR's Fault...

      ...because preventing misuse of person data was why it was created.

      Yes the companies being scammed were bad before GDPR but it actually gives the scammers a tool. As explained in the article there is pressure on the companies to comply which would not have been there so much before GDPR.

    12. Moog42

      Subject access requests existed before GDPR. You just had 10 days longer and it cost £10. The risk of data breach in this space has been around for years and I've personally dealt with many a vexatious spouse looking for financial data on their errant partners to 'further' their divorce settlement discussion through this vector.

      I think the ICO fining companies because they return in 40 days rather than 30 will be very low down their list of priorities, but if you don't have ID&V controls in place for these requests, then you deserve what you get.

  2. Peter 26

    A solution?

    Perhaps snail mail with a code, then a visit to an approved ID checker, such as a bank or post office with that code.

    There's an opportunity here for someone to set this service up and sign up the ID checkers and the companies who want to prove identity.

    Although this just proves a person is who they say they are, not that they own that particular login name, so it's only part of the puzzle.

    1. Kane
      Joke

      Re: A solution?

      "There's an opportunity here for someone to set this service up and sign up the ID checkers and the companies who want to prove identity."

      Dammit, you couldn't keep quiet, could you! You know Crapita are always looking for new revenue streams!

      1. Drs. Andor Demarteau (ShamrockInfoSec)

        Re: A solution?

        That already exists, it's a US company that checks the validity of your ID with all fields visible.

        This, by itself, is a breach of GDPR if used by EU companies as it will transport various amounts of data (including in the Dutch case the national identification number, a number they shouldn't have in the first place) to a country with lesser protections and safeguards.

    2. ACZ
      Coat

      Re: A solution?

      I hate to stir the hornets nest that is UK Gov IT projects, but wouldn't the Verify service https://www.theregister.co.uk/2019/07/18/verify_to_be_flagged_undeliverable_by_gov_projects_watchdog/ do the trick here?... ;)

  3. Anonymous Coward
    Anonymous Coward

    Article doesn't say what he used as a return address?

    If they are living together and he asked for the responses to be sent to the address they are both living at, and this matched their records, then I don't see any issue.

    1. mark l 2 Silver badge

      I suspect these companies were not sending the info by snail mail but electronically, so even if they asked for the account holders postal address to confirm identity that is of no use if they don't actually send it to that address but email it instead.

      Proof of identify in the UK can be difficult due to their being no government ID card, so if you don't drive or have never been overseas you might not have a photo ID.

      Any any sort of paper ID like a birth certificate is easily faked, and anyone that accepts a utility bill as ID is just crazy as it so easy to knock up a fake. But even photo ID can be easily faked, I remember seeing fake UK photo driving license on sale in Thailand for a few quid that when I compared it to my real one it would be hard to tell apart unless you an expert.

      1. KCIN

        A birth certificate doesn't even have to be faked.

        You can order any birth certificate online from the government for a fee

        1. Anonymous Coward
          Anonymous Coward

          > You can order any birth certificate online from the government for a fee

          Of course. It's a public registry.

      2. MrXavia

        Birth Certificate isn't ID

        Utility bills can be used for proof of address, not ID.

        Driving licenses are probably the best form of ID as you can share your information with car rental companies, what if you could use the same system to prove your ID to someone?

        I personally think the driving license system is where we should start for implementing a countrywide ID, the systems are already in place, all you need is to remove the requirement that your license lets you drive! (fairly easy to do, since it shows the categories you can drive on the back) maybe add a blue license for non-drivers.

        1. Anonymous Coward
          Anonymous Coward

          In the UK, millions of adults don't have driving licences. Similarly for passports.

      3. katrinab Silver badge

        A birth certificate is a public document, and is not ID. It doesn't prove anything about the person who has it in their possession.

    2. FollyGoLightly

      The issue is that she could have left and taken the dog with her and all he had left was some old business mail and a cunning plan. Actually, the issue is that businesses need to only accept valid forms of ID for such requests and it's safe to say that an envelope with your name and address on it won't cut it.

      1. MOH

        Or he could be a total stranger who moved in after someone else moved out.

    3. mark 120

      GDPr requires that if a request is made elctronically, then it must be responded to in electronic format, unless otherwise requested. He doesnt say what format he used, but assuming he requested email then:

      the response should have gone either to a secure portal to which the genuine account holder had access, or could be given access

      or the response should have been sent securely, and if by email then encrypted and 2fa used to provide the genuine account holder with the password

      In either case, the genuine account holder should also have been provided with an acknowledgement of the request, which would have alerted them to such a request.

    4. Anonymous Coward
      Facepalm

      The issue isn't that he got his fiancee's info

      The issue is that anyone can get anyone else's info, by just saying they are that person - apparently there's nothing stopping me requesting his fiancee's info if I had a few scraps of information about her. I find it ironic that the GDPR, passed in a continent where I've never lived or have any citizenship and supposed to help privacy of Europeans, has made it easier for people to steal to the identity of Americans who have no dog in this fight!

      They just need to make a GDPR request in my name to some company that will answer and is likely to have my social security number, birthdate, etc. such as a big US bank. HOpefully I have only done business with the 5% to refused to respond!

      You lot better better fix your broken law and make it clear exactly how GDPR information requests are to be authenticated in a secure manner. You made the mess, now fix it!

      1. EnviableOne

        Re: The issue isn't that he got his fiancee's info

        As a Non-EU citizen, you are not automaticaly protected by GDPR

        If a company choses to treat your information in line with GDPR then that is their choice.

        However said company is not required to respond to any provisions of the act for anyone who is not an EU-Citizen or operating with the EU.

        if the company is properly verifying the person making a SAR then there is no issue, and if they are not its a breach of GDPR.

        But to be fair most US companies data security is so lax, that this info is pretty much publically available, and even if it is exposed they get a slap on the wrist from the SEC ot FTC and have to sign-up to some extra audits for the next few years, and you have no redress.

  4. Pascal Monett Silver badge

    Thorny issue indeed

    Here I was thinking that GDPR was the bee's knees and I find that someone else can request details on me ? I'd never thought of that. Now that I'm thinking of that, I don't like it one bit.

    That being said, this guy lives in America. It doesn't say where he sent his requests, but I'm guessing it was mostly to American companies. In Europe, you wouldn't get far with banks because, in order to make any changes, you have to either do it via your online banking account or, most often, you have to present yourself in person with a valid ID at the desk. So I'm of the opinion that European banks would be a lot less likely to fall into this kind of trap. But for the rest of companies, I don't see that my side of the pond would be any different.

    With one notable exception : there is no mere company that has anyone's Social Security number. You'd have to try the Administration for that, and I have no idea how that would work out.

    1. Anonymous Coward
      Anonymous Coward

      Re: Thorny issue indeed

      Wagon pulling the horse?

      GDPR is the law. That can be fantastic. The companies may still fail to follow it. They can still be trash.

    2. Kubla Cant

      Re: Thorny issue indeed

      That being said, this guy lives in America.

      He's "a PhD student at Oxford University", so he presumably lives in Oxford for rather more than half the year. I can't see anything that says he lives in America, though the use of the term "Social Security Number" implies that the fiancée is a US citizen. In the UK that would be a NINO.

      1. dajames

        Re: Thorny issue indeed

        He's "a PhD student at Oxford University", so he presumably lives in Oxford for rather more than half the year. I can't see anything that says he lives in America, ...

        A little light exercise with $SEARCH_ENGINE reveals the fact that he is a graduate of Georgetown University, which I believe is an American institution. A tad more searching reveals that the fiancee in question is one Casey Knerr, also a Georgetown graduate. It's surprising how much one can learn without gaming GDPR!

        Further, his quoted remark "If we'd look at these vulnerabilities before the law was enacted, we could pick up on them." uses "we'd" (= "we would") in a way that is idiomatic in US English but not British English.

        ... the use of the term "Social Security Number" implies that the fiancée is a US citizen. In the UK that would be a NINO.

        Given his name, and the context given by the article, I'd originally assumed he might be Polish, and guessed that "Social Security Number" might be a translation into American English (for his Las Vegas audience) of whatever the Polish equivalent is ... but it seems not.

        NINO, though? Is that we we (and HMRC) usually call an NI Number?

        1. Anonymous Coward
          Anonymous Coward

          Re: Thorny issue indeed

          NINO, though? Is that we we (and HMRC) usually call an NI Number?

          Yes. NINO is a common term, at least inside some govt departments (source: worked with a few).

      2. katrinab Silver badge

        Re: Thorny issue indeed

        If an American Company asked me for my Social Security Number, I would probably give them something along the lines of AB123456C and see if they accept that. Or maybe, for example, if I was at a car rental desk, I would show them my EHIC (European Health Insurance Card) and let them take the number from that.

    3. Anonymous Coward
      Anonymous Coward

      "No mere company has anyone Social Security number"?

      Where the hell do you live, obviously no the US! Just about every company you do any business with involving credit (even of the monthly recurring payment type like a cable TV company) has your SSN since it is the "key" used to identify one to credit reporting agencies like Equifax.

      1. Pascal Monett Silver badge

        I live in France, which is why I said "my side of the pond" after spending three sentences talking about Europe.

        And yes, I am well aware of the insane stupidity of your country in throwing about personal identifying information. I thank God I don't live there.

    4. Claverhouse Silver badge

      Re: Thorny issue indeed

      Your companies of employment never see your SSN ?

      1. Pascal Monett Silver badge

        Actually, no. In Europe it's none of their business. At least, not in France, Belgium or Luxembourg.

        1. Stork Silver badge

          This varies a _lot_ depending of the country you are in.

          In Denmark, virtually everything is linked to your CPR (~SSN, Tax number, ...). Used for tax, banks and any interaction with public authorities, and is in your passport too. But it seems that any abuse is likely to be caught fast, at least I never heard of identity theft there.

          In Portugal the big one is your tax number (NIF). If you make purchases over €1000 you have to provide one, this is to reduce tax/VAT evasion. Also, some tax discounts are dependent on your NIF being on the receipt. No-one checks if it is actually your number, and in the beginning lots of people used the PMs NIF as a protest - the system flagged him up for further investigation as he spent more that his declared income.

  5. Anonymous Coward
    Anonymous Coward

    A Phd Student?

    Perhaps I'm just getting old and everyone looks young now, but to me he looks like he should still be studying for his GCSEs.

    1. Kubla Cant

      Re: A Phd Student?

      If he's at Oxford then he's actually a DPhil student.

      Assuming, that is, that they haven't cravenly conformed, as they did when they dropped their 1st, 2nd, 3rd, 4th classification of degrees and adopted the ludicrous 1st, 2:1, 2:2, 3rd convention?

    2. Ken Hagan Gold badge

      Re: A Phd Student?

      To me he looks like Bill Gates in that old police mugshot.

  6. tapemonkey

    Over caution

    The thing is just like the DPA the training given to front line and even admin staff is woeful and usually provided by idiots who have no real understanding of it either.

    A prime example was 2 years ago following the death of my wife I was calling various companies to inform them of her death and get her name removed or transferred into mine.

    Some companies I called just accepted my word one saying "well you wouldnt lie about something like that would you". Me no of course I wouldnt lie ...COUGH COUGH

    Then you go to the other extreme. I told one organisation of her death and they replied that because of Data Protection they could only speank to the account holder and needed here authority to speak with me. When I reitterated thatshe was deceased and I could provide a copy of hear death certificate they told me again they would need her permision to talk to me and that this was company policy. When I finally suggested that we all sit around a table, holding hands, and organise an effing seance they hung up.

    When you put people in charge of anything you invariably end up with the lunatics running the asylum.

    1. davenewman

      Re: Over caution

      When you get probate, they cannot refuse.

      1. Anonymous Coward
        Anonymous Coward

        Re: Over caution

        Funny thing. Is things like probate might make you legally represent the person named on the probate, so you could say "you are talking to them".

      2. tapemonkey

        Re: Over caution

        But you dont have to get probate if there is not an estate to leave

      3. dajames

        Re: Over caution

        When you get probate, they cannot refuse.

        You have to get probate first, though. A friend had the problem that he couldn't get probate for his late father without submitting the value of some share certificates his father had deposited in a bank box at his bank ... and the bank wouldn't give access to the box until probate had been granted!

        The lunatics really are running the asylum.

    2. Anonymous Coward
      Anonymous Coward

      Re: Over caution

      99% got it right, when I had to do it. Mainly, those who did not ask for proof, was because either (I assume) they had other records (credit reports already contacted by me) or I was paying *off* the account, so the reason (death, lottery winning, kind gesture) did not matter to me, especially if I had all the account info, so they also were not giving any data out.

      Those like banks etc, required full proof of everything.

    3. Sherrie Ludwig

      Re: Over caution

      First of all, tapemonkey, Sincere condolences on the death of your wife. Secondly, I have had the same sort of trouble when dealing with US companies over my mother's estate, which did not go to probate (she had assets that transferred to beneficiary upon death). Oddly, Social Security Administration was the worst, as I tried to get them to STOP her check.

  7. rg287

    A lot of companies asked for her account login details as proof of identity, which is actually a pretty good idea, Pavur opined. But when one gaming company tried it, he simply said he'd forgotten the login and they sent it anyway.

    Presumably not her password? And certainly not by e-mail? Companies have just spent years teaching users that they will never ask for your password!

    It seems like there's a simple solution for this in cases where the user has some form of online account (gaming, shopping, etc):

    Only send SARs to the e-mail address attached to the account. Want it sent to a different e-mail? Login and change it. Forgotten your creds? Do a password reset. At the very least, this means you're limiting it to the person in control of the account (which could have been hijacked of course, but that's a different matter). You're immediately limiting requests coming in from arbitrary email addresses.

    Since you have an obligation to respond to GDPR requests regardless (having established identity), you would then need a fallback process for someone who insists that they want the SAR delivered to a secondary email address and not the one attached to their account - but you can make the process relatively onerous to put people off that option unless they're genuinely serious about it.

    1. Tom 38

      You don't have to "have an account" to make a SAR.

      1. eldakka
        Holmes

        You obviously missed the caveat:

        where the user has some form of online account

        The OP's post, as stated in the post, applies only in those cases where you do have an account.

        It does not say you must have an account to make a SAR.

  8. tapemonkey

    One easy solution regarding identifying that the request for information is coming from the person who the information belongs to for say the local registrar of births deaths and marriages to have equipment of a similar size to a photo booth installed.

    This booth could contain retinal, fingerprint & vocal scanners as well as facial regognition.

    To access the booth you should first provide the registrar with the standard 3 forms of ID (Utility Bill,Birth Certificate & Photo Driving License/Passport).

    Also provided should be a form with a photo attached signed by your doctor to say they have known you for 2 years or more and that this is a true likeness of you).

    Once you have satisfied that step you enter the booth and are scanned. Then the data is transferred to a central encrypted database.

    The booth then displays a QR code so that your smartphone can download an app that also scans for fingerprints, retina using selfie camera, voice and facial recognition. The app then transfers this scanned data to the database for cross checking (obviously with allowable tolerances) and if they match generate a key of suitable length and security. You include that key in your information request.

    Obviously this will come at a cost say £50 per head to pay for the tech and maintanence but you would only need to do this once as the app would be transferrable from device to device.

    I fully expect this to be ripped apart but the point is technology can be used to solve this problem.

    1. Peter Gathercole Silver badge

      Flawed in so many respects

      Neither utility bill nor birth certificate prove identity. And many people have neither a driving license nor a passport, and many young people I know are opting to not learn to drive. And I don't think that my doctor would recognize me. because I've seen them about 5 times since I registered 20 years ago, and mostly saw a locum when I did!

      Truth is that the UK needs an ID card, with some biometrics. The driving license system would be a good place to start as mentioned in a previous comment, or maybe what has been installed for IABS or the plastic visa card for immigrants, but it would have to not have the additional government uses hung on like the last attempt, and most importantly, would have to be paid for by the government as a fundamental right, rather than having a charge like the last ID card scheme.

      Trying to make a government backed, voluntary ID card scheme chargeable guaranteed that it would never be universally taken up, and taken with the flaws and lack of definition and purpose of the backing database doomed it to fail.

      1. Dr. Mouse

        Re: Flawed in so many respects

        Truth is that the UK needs an ID card... but it would have to not have the additional government uses hung on like the last attempt, and most importantly, would have to be paid for by the government as a fundamental right

        I agree with this, but I don't think it will ever happen. The government wants ID cards, but they don't want them in order to make it easier for you to identify yourselves. They want it to make it easier for them to keep massive amounts of cross referenced data about you and to track your actions.

        It is not in the government's (short-term self-centred) interests to provide a free ID card purely to help you identify yourself. They want their "value added services".

        However, as we're on this, here's how I see the ideal government ID cards working:

        - Provided for free to anyone who asks, but not compulsory

        - All identity data validated not NOT stored by the government (or a third party)

        - All identity data stored only on the card itself, signed by the government and encrypted (hashed?) such that it can only be used for verification purposes

        - Cards usable over the internet using, for example, contactless and/or card readers

        - Cards implement electronic cash in a way which everyone can use (including personal transfers from one person to another), but this can be disabled if the holder chooses

        - Cards can store bank card details for payments, but this is not mandatory

        - Cards allow third party use, for instance storing membership information for clubs

        Anyway, I doubt it will ever happen, but I could see a card implemented in such a way taking off

        1. onemark03

          Re: Flawed in so many respects

          @ Dr. Mouse: Re: Flawed in so many respects.

          However, as we're on this, here's how I see the ideal government ID cards working:

          A few thoughts of my own:

          1. Cards free but voluntary: Agreed, but can't see the former happening.

          2. Data not stored by the gummint: Are you kidding? Very tempting but not going to happen: the civil service/police/security services etc. are always going to want rapid and direct access. Y' know: just because.

          3. Use online. Agreed: car registration etc. and all other similar interaction with officialdom. Potentially very useful.

          4. Electronic cash, bank card details, membership details etc.? No! No! No! The more separate functions you pile onto an ID card, the more attractive it becomes as an object of theft / forgery. Compartmentalisation (separate cards for separate functions) is absolutely vital!

          5. Also voluntary: having one's address on the card for ease of proving address. Does away with the need to flash utility bills etc. Admittedly debatable because potentially disastrous in case of loss.

          6. Absolute no-no: having a National Insurance Number (or similar) on the card. Makes it more attractive as an object of theft and / forgery. (Admittedly tempting.) Alternative: a "card no.". (similar to a passport no.) which would expire with the card, e.g. after 10 years.

          1. Dr. Mouse

            Re: Flawed in so many respects

            "Electronic cash, bank card details, membership details etc.? No! No! No! The more separate functions you pile onto an ID card, the more attractive it becomes as an object of theft / forgery. Compartmentalisation (separate cards for separate functions) is absolutely vital!"

            Most people carry all their cards in one wallet. It's most likely that the wallet will be stolen as one. Therefore it doesn't really matter if it's all on one card or separate ones from a theft point of view.

            However, as I said all these functions should be optional, so one could chose not to use them as such.

            On the positive side, most people are not going to be falling over themselves to get an ID card. It's.... boring. However, by including added services which people would find useful, more people would take it up.

          2. Dr. Mouse

            Re: Flawed in so many respects

            Another couple of replies:

            WRT 2: This was my idealised list, I agree it's not going to happen but I wanted to list how it would be in my "perfect vision".

            WRT 5 & 6: Identity info, if my plan was followed, would not be readable, only verifiable. So, for instance, you could tell someone your address, an operator types it into a machine, presents your card, and the machine says "yes" or "no". Same with NI number, name, age, DoB. Noone can read the info from your card, but they can check that what you've told them separately is accurate.

    2. Claverhouse Silver badge

      Wizard... !

      A very similar technology is under development at Conservative Central Office to mitigate the Undemocratic Irish Backstop right now !

      Once in place it will be a mere matter of hours to process each item or person passing through in either direction.

    3. onemark03

      "This booth could contain retinal, fingerprint & vocal scanners as well as facial regognition."

      Yebbit how transparent is the citizen supposed to be?

  9. don't you hate it when you lose your account

    Shirley

    These firms are in breach of GDPR. Their sharing info with 3rd parties without the persons consent. The American ones that refuse are typical assholes

    1. mark 120

      Re: Shirley

      Not neccessarily. Depends on why they share the info, as for some non-marketing purposes they don't need consent. It's the legitimate business interest argument - when you apply for a mortgage, they could ask for all sorts of ID to prove your identiity, or they can choose to go off to a checking service and get the info that way. It's a more efficient way of doing it, and they don;t need consent provided they tell you that as part of the application process they''ll be doing it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Shirley

        See? That's why some employees of some companies mess up. Because like you, they don't understand the GDPR.

        Consent is *always* needed. They can't just "tell you that as part of the application process". That is absolutely not enough. And a checking service, as the data controller, would not be allowed to give data away without your consent. A 3rd-party can't just come say "hey, I have consent, give me whatever you have on Mr Mark 120". That is precisely what the article is about in the first place!

        1. Tom 38

          Re: Shirley

          This is also why people mess up GDPR, because you also do not understand GDPR. Under Article 6, there are six legal basis for possessing personal data, only the first is that consent of the data subject has been requested.

          The others are to fulfil contractual obligations with a data subject, to comply with a data controllers legal obligations, to protect the interests of a data subject, to perform a task in the public interest, and finally, for the legitimate interests of a data controller or third party.

          If you are a marketing company, and you have a list of people to which you market things to, you do not have to obtain consent to retain this information; the personal data you possess is necessary for you to achieve the legitimate business goal of marketing to them.

          If someone has a contract with you, you do not need to obtain consent to store and process their personal data if it is required for the operation of your business and fulfilment of that contract.

          "Consent" is one of the worst reasons to keep data. All the others rely on the data controller having legitimate reasons for having and using that data, whilst "consent" simply means that you can keep any information you have obtained, regardless of whether you have a legitimate need under the other 5 reasons, once you have obtained their consent.

          This is why companies were all asking for consent in the lead up to GDPR, so they did not have to fully audit what data they possessed (and come up with a valid reason under the other 5 reasons for having it), they simply asked for consent. All this "You must consent or you will never hear from us again" is total bollocks, they just didn't want to say "We store your email address so that we can contact you when there are issues with your account" for each piece of personal data stored.

          1. Gonzo wizard
            FAIL

            Er, really, nope

            "If you are a marketing company, and you have a list of people to which you market things to, you do not have to obtain consent to retain this information; the personal data you possess is necessary for you to achieve the legitimate business goal of marketing to them."

            Wrong. Totally and completely wrong. Completely missed the point. You're focussing on the possession of personal data. You also have to consider:

            - How that personal data came into your possession in the first place, and

            - What purpose the personal data was supplied for.

            OK so lets look at the six legal basis - http://www.privacy-regulation.eu/en/article-6-lawfulness-of-processing-GDPR.htm - in relation to a marketing company from whom I've purchased a TV.

            1. You've given consent: I'm not unilaterally giving consent for my personal data to be held. I'm giving it you as part of a contract.

            2. You've entered into a contract :I bought a TV from you and you need my personal data to supply and ship my purchase. You may process my personal data to perform this function. As part of the purchase process I have opted out of marketing activities.

            3. Compliance with a legal obligation: You are required to notify TV licencing that I bought a TV and had it shipped to a specific address. You may process my personal data to perform this function.

            4. To protect your, or another person's, vital interests: Not applicable.

            5. In the public interest: Not applicable.

            6. There is a legitimate interest: Ah, here we turn to article 21: "Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing."

            So without some form of initial consent, the marketing company cannot acquire, possess or process my personal data - at all. It also can't get my details from a third party that I did give them to - unless I've consented to be marketed at and for those details to be passed to a third party.

            This is the whole point of GDPR - to prevent personal data provided for one purpose being used for other purposes, and being passed to third parties, without consent.

            1. Anonymous Coward
              Anonymous Coward

              Re: Er, really, nope

              Indeed, and along with this you need a system in place for that consent to be withdrawn, and be able to record that request. Consent isn’t a one time thing, it is continuous.

            2. eldakka

              Re: Er, really, nope

              2. You've entered into a contract :I bought a TV from you and you need my personal data to supply and ship my purchase. You may process my personal data to perform this function. As part of the purchase process I have opted out of marketing activities.

              My understanding is that opt-out systems are not considered a valid form of consent. Therefore you wouldn't have to opt-out of marketing activities. For marketing activities to be validly conducted, you would have to explicitly opt-in to them. Therefore perhaps this should have read "As part of the purchasing process I didn't opt in to marketing activities."

              Or have I misunderstood?

              4. To protect your, or another person's, vital interests: Not applicable.
              I would think they'd need to keep on file for accounting and liability and financial fraud purposes that they shipped a TV for $x to y address for at least the standard accounting/tax-filing record-keeping period and as a record of the contract entered into. That is, if someone did a chargeback on the TV purchase if bought on CC or complained to their back about an unauthorised funds transfer to the store, the store would want to keep a record of the details provided for a reasonable time to protect themselves and/or the customer wouldn't they?

              1. rg287

                Re: Er, really, nope

                eldakka

                Your understanding is correct re: marketing - it's opt-in. Amazon don't need my consent to ship the product I ordered to my home address nor to bill me for it. They do need my consent to send daily offers or marketing materials.

                However, Purpose (d) vital interests - is not for businesses. It generally applies to things like schools, councils and case workers (public sector type stuff) - they do not need your consent to maintain information about pupils nor to pass/share information with the relevant authorities if they suspected (for instance) child abuse to be taking place at home. (d) can overlap a bit with (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; which covers all manner of sins for Police, Security services, etc, etc.

                Keeping records for tax/fraud/chargeback purposes would be Lawful Purpose (c) processing is necessary for compliance with a legal obligation to which the controller is subject;

        2. mark 120

          Re: Shirley

          you mjight want to read what the ICO say, about Consent not being required always and, in fact, not relying on it if theres sonething else more appropriate:

          https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

  10. Anonymous Coward
    Devil

    How many of these companies are from a country where ID cards are a common way to identify people? And faking an ID card is a crime?

  11. Tom Paine

    O/T

    Utterly, utterly wrong of me, but -- item! -- the pic of the presenter reminded me irresistibly of the scene from In The Loop where Malcolm Tucker meets one of the US Gov's "Best and brightest".

  12. Karmi

    As someone who work with GDPR , reading this article makes me cringe!

    First of all, it is not clear to what type of orgnaisatiosn the SAR requetss were sent. Is it all US Organisations or EEA organisations.

    If its EEA organisations, i would like to see percentige of how many provided data without reasonable checks.

    As someone coming from UK data protection perspective, the Data Protection laws ecsisted from 1988. The last Data Protection Legislation was 1998. Yes, i agree some irganisatiosn have bad practises, but thats not due to lack of clarity from legislation (as the COde or practice and guidance on legislation is provided by the supervisory authority in UK case ICO.)

    I think this is an issue with oirganisations either having as their DPO/Data Protection advisor, someone who never done the job or getting a bad advice from lawyers.

    If you read any guidance from the ICO, on identification they state the following:

    "If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.

    You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information."

    So if the requesT came via emai, asking for confirmation if we hold data, and the request came from email name.lastname@hotmail.com and we had this email address on recrod belonging to that individual, we have to ascertain if this is the data subject.

    We can reasonably say yes it is, so we can confirm we have their data.

    If we dont have hold that email address on record and we have doubts, we would either ask for more information or ask for ID.

    However if we are a marketing organisation, asking for an ID is excessive, as we dont have those details to verify their ID agains. So you wold have to use the data you have as a verification.

    It all comes down to what data you hold and for what purposes.

    If i hold Social Security Number etc, and this is requested, i would ask for ID.

    1. The Real SteveP

      Just for your information, the current UK legislation is the Data Protection Act 2018 and it incorporates the whole of the GDPR. Just saying...

  13. Tom Paine
    Facepalm

    I don't understand why these orgs didn't reply to the email address the fiance provided when she first signed up or registered for whatever it was. Or were these bricks-and-mortar orgs that wouldn't necessarily have an email address on record? (Do such orgs still exist?)

    A lot of companies asked for her account login details as proof of identity, which is actually a pretty good idea, Pavur opined.

    If it's a pretty good idea, it must just mean username or associated email account, not password, as that would obviously be a very bad idea indeed. Right, kids?

  14. Kubla Cant

    And so ad infinitum

    I make a request to know what personal information a company has about me.

    The company says it can only supply the information if I provide proof of identity.

    I supply proof of identity.

    The company now has even more personal information about me.

    1. GrapeBunch

      Re: And so ad infinitum

      Known in the biz as Kubla Cantch 22. Bite 'em.

    2. Drs. Andor Demarteau (ShamrockInfoSec)

      Re: And so ad infinitum

      yes they have, but do they have any reason to hold on to that copy of your ID or drivers' license after the request has been completed and fulfilled?

      The basic answer I suspect would be: no, not really.

      As such they should delete it immediately as it has served its purpose.

      A bigger problem is that they usually request such copies via e-mail, which is inherently insecure.

      And yes, that goes for all personal data (minimisation principle, only keep the data you really need to have unless there are legal reasons why you need to have it longer than the usage requires).

      1. Dr. Mouse

        Re: And so ad infinitum

        This is where I believe a service could prosper which puts you in control of your data.

        For instance, I have envisaged a mobile app which keeps all your data (locally). When a company requests information, it sends a request to the app for said specific information, along with why they need the info, how long they need it for, etc. This is then supplied encrypted, along with keys to access it, to a system belonging to the company (or a third party, with keys encrypted so that the third party cannot access it). This system will then delete the keys when the data is no longer needed, and the company is prohibited from storing any of those details except in encrypted form on the system.

        I know this is not explained well...

        I looked into making such a system, but never found the time to do so. Link this up with authentication, possibly an anonymised email system, and maybe even identity verification, and it's remove a large chunk of data protection overhead from companies while simultaneously giving people much more control over their personal data.

  15. Tom Paine
    Facepalm

    An educational software company sent Pavur his fiancée's social security number, date of birth and her mother's maiden name.

    Lawful basis for a software vendor collecting that data in the first place...?

    1. Tom 38

      Probably consent.

      1. Anonymous Coward
        Anonymous Coward

        The requirement to provide personal information in return for a service that does not depend on that information is not a valid form of consent, in fact the two cannot be tied together.

    2. Anonymous Coward
      Anonymous Coward

      If they have her social security number she's American (unless there are other countries who have something called a "social security number") and if they collected it is almost certainly an American company because EU companies have no reason to collect it. GDPR doesn't apply to that transaction. The EU can't make a law that controls what a US company collects from a US citizen just because they do business in the EU. They can only control what that US company collects about an EU citizen.

      Before someone tries to claim that the GDPR DOES (or should) let the EU control what an American company collects about an American citizen, consider first what happens if the shoe was on the other foot, and the US made a law that companies can collect any information they like about their customers and those customers have no business knowing what was collected. How would the two conflicting laws be reconciled? Obviously by applying them only to the citizens of the country/countries that passed such laws.

      1. dajames

        Before someone tries to claim that the GDPR DOES (or should) let the EU control what an American company collects about an American citizen, consider first what happens if the shoe was on the other foot ...

        You're missing the point. What GDPR is supposed to do is to control what a company operating within the EU can collect about anyone, and what that company can do with the data so collected (including restrictions on the expatriation of data). The nationality or ownership of the company is not an issue, neither is the nationality of the individual whose details are (supposedly) being protected.

        1. Anonymous Coward
          Facepalm

          Sorry, EU law can't control what a US company that happens to also operate in the EU collects on US servers about a US citizen located in the US. If you think it can, then the US government could pass a law saying "people regardless of citizenship or location have no right to know what information a US company has collected about them" which would conflict with the EU law. How exactly would that be resolved?

          People who live outside the US are always (rightly) complaining about the US overreaching and trying to enforce its laws worldwide, but it does that cause no favors to support this stupid idea claiming that your laws should impact how a US company can interact with US citizens on US soil!

  16. Gonzo wizard
    Facepalm

    "A driver's licence would also be a good alternative"

    And immediately the problem is that they now have an additional and very sensitive piece of information about you that could be leaked or stolen. I suspect this is a catch 22 situation as you'd expect anyone providing information in response to a personal GDPR request to hold on to the documentation provided to prove the legitimacy of the request...

  17. rcxb Silver badge

    3 per cent took the rather extreme step of simply deleting her accounts.

    Perfect! This is the proper response to any GDPR request. Slightly disruptive in the case of impersonation, but a 100% safe failure-mode.

    1. dajames

      Perfect! This is the proper response to any GDPR request. Slightly disruptive in the case of impersonation, but a 100% safe failure-mode.

      That would not be a safe failure ... it would open the way for to a denial-of-service attack whereby an attacker could bring about the closure of another person's accounts merely by making a GDPR request. Not good when the account is, say, a bank account!

  18. Anonymous Coward
    Anonymous Coward

    Consent is mentioned a few times....

    .....when the subject of INITIAL data collection comes up. But since we know that FB (and everyone else) is re-packaging PII and selling it on, I'm wondering if the initial consent means "consent for the initial collection PLUS CONSENT TO SELL ON AND CONSENT FOR THIRD PARTY RECIPIENTS OF PII TO DO ANYTHING THEY LIKE WITH MY DATA".

    *

    So what exactly does "initial consent" mean? If it can be "passed on" to third parties, fourth parties, fifth parties.....

    *

    .....then I can NEVER know who to send a GDPR request to, and I can never know how to get my PPI deleted.

    *

    This does not sound like "protecting the interests of the consumer" or "keeping PPI safe". Confused person here!

    1. Drs. Andor Demarteau (ShamrockInfoSec)

      Re: Consent is mentioned a few times....

      Consent means the consent given for a well specified, defined and limited use of your personal data for a purpose you understand and can freely agree with.

      It does not mean: anything else that was not stated.

      It neither means: any massive lists of usage scenarios, either ones already in use or future purposes, with one consent button.

      For each different purpose consent needs to be requested and also be able to be withdrawn as easily as it was given.

      Do companies need consent for everything they do with your personal data?

      Hell no, there are 5 other legal reasons they can use to have and process your data including to fulfil a contract or pre-contractual actions, legal requirement.

      So FB selling on data and consent: only if you have given it explicitly.

      And not hidden within their privacy notice somewhere as part of the total package.

      (on that issue a complaint and possibly legal case has been brought by several parties on the 25th of May 2018 already).

  19. Anonymous Coward
    Anonymous Coward

    Even easier way

    Just contact your local Chinese hacker cell.

    They have all the cool data.

  20. Ken Moorhouse Silver badge

    Waaaay before GDPR but...

    When I went to get a building society cheque to buy my first home the cashier asked me to sign a scrap of paper. "Sorry sir, the signatures don't match."

    It turned out that the signature they had on-file was that of my father when he opened up the account on my behalf (I think I was 9 at the time), and I'd never withdrawn anything from the account in all those years.

    Having explained that to them and that I would lose the property if I didn't pay the requisite sum on that day, the branch manager (who knew my solicitor very well) intervened and promptly issued the cheque.

    The difference now is that all of these financial institutions have no day to day interactions with the people that can provide compelling "triangulation" of identity. GDPR doesn't "scale" for circumstances such as these. There would have to be a file-note on a Building Society account to the effect that, in the case of an account opened on behalf of a minor, the account would have to undergo some kind of verification process after the holder's 18th birthday.

  21. eldakka
    WTF?

    "Privacy laws, like any other infosecurity control, have exploitable vulnerabilities," he said. "If we'd look at these vulnerabilities before the law was enacted, we could pick up on them."

    The GDPR took years to pass into legislation.

    Once it did, there was 2 years between the act(directive?) passing and it coming into force.

    You sir, James Pavur, are part of the 'we'. So, where the fuck were you for those at least 5 years before it came into force with your look at these vulnerabilities? You had plenty of opportunity to look into it before the law was enacted and another 2 years after that before it came into force, and your complaining about it now a year after it came into force?

    1. Diogenes

      So, where the fuck were you for those at least 5 years before it came into force...

      Probably at college at home in the USA and possibly blissfully unaware, until he moved to EU to study.

  22. Drs. Andor Demarteau (ShamrockInfoSec)

    It's certainly not GDPR's fault

    The law is pretty clear, although it will not specify what prove of identity you need to provide it does leave the option open to request a copy of your ID (preferably not via e-mail for obvious security reasons).

    The fault here squarely lies with the companies that have implemented the requirements partially, maybe are afraid of exceeding time limits or have obtained bad advice.

    Should the law mandate how it must be done? No, as there are other laws to mandate what a prove-of-identity means and there is enough guidance available.

    Besides if you know all that information from your girlfriend, there is probably no rat's chance in hell you could not have pulled this off.

    Nice in showing at least the data providing part of the law works, okay it wasn't the right person. Btw, does she actually know you have her login credentials of certain website?

    As for the information this person obtained: that's precisely the goal of the law (article 15 to be precise), to obtain a copy of all data a company holds of you.

    An And yes that may include very sensitive information.

    It shows nicely that one company has stuff they shouldn't have had in the first place, if you can believe this information about that given in this talk and she indeed hasn't heard of the company.

    Btw, he precursor of the GDPR, at least in the Netherlands, already had the right to obtain a copy of information a company held of you anyway. So in that respect it may be less new than suggested.

  23. freecode99

    Best Internet Troll Ever

    GDPR is the best Internet troll move ever, bar none. It costs Billions to enforce and wreaks havoc on all businesses trying to deal with the law. It may end a lot of businesses in the EU that have to determine how to respond to the law, or forego doing business in the EU altogether. It is so little understood that businesses dealing with compliance are open to these shenanigans. How do you expect people to verify the requests exactly? How does the requester prove identity to the business? The best response for non EU black hats might be to request removal of the identify information for business directors and CEOs in the EU. Would be funny to see such silliness played out there in the land of unintended consequences. Another fine mess herein enacted into law. About as reasonable as the Brexit mess; people seem willing to drive over a cliff rather than think things through and be reasonable. I blame climate change and the growth of idiocracy through media, but neither compares with the ability of persons to suspend disbelief and buy into the latest fad of pure horse manure. Expect that at this rate, people will soon drink mercury again to cure what ails them, and eat lead paint to add minerals to their diet. We've lost the idea of progress in favor of the flavor of stupidity of the month.

  24. Mike 137 Silver badge

    Shock! Horror! (or to paraphrasef Edmund Blackadder - "spherical and plural")

    "companies only have a month to reply to requests and face fines of up to 4 per cent of revenues if they don't comply"

    Some homework needed here:

    [1] the provision is for a calendar month to provide the information or to indicate how long it will take to do so.

    [2] There's no way on earth the maximum fine would be levied just for missing the response deadline to a SAR.

  25. TiredAndShaggedOut

    Hardly surprising is it?

    A lot of companies don't have, or can't really spare, the resources to determine exactly what GDPR compliance means for their specific operation. The companies that do have the resources still want to maximise profit and spend as little on implementing the damned thing as possible.

    Result? Ill-thought out boilerplate implementation to avoid a fine manned by the lowest-paid, overworked script monkeys available.

    I applaud the intentions of those behind the GDPR legislation but in many cases it's just made things worse. And oh god am I sick of hunting down the "get the f-out-of-my-face" button every time I visit a site for the first time and get hit with the cookie notice.

  26. Anonymous Coward
    Anonymous Coward

    Governments and Bureaucrats Never Cease To Confirm Their Incompetence

    There is only one thing you can trust government and big bureaucracy like that in the EU to do - screw everything up. This is par for the course. All the BS about privacy laws and protection of the public. It is laughable.

  27. Anonymous Coward
    Anonymous Coward

    Catch-22

    Bob: Hi I'm making a request to see the data you have on me.

    Company: Of course, can you provide some ID

    Bob : sure, here you go

    Company: Sorry that ID doesn't match the data we have on you

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like