GDPR - How Good Intentions Can (Partially) Backfire
The EU’s General Data Protection Regulation (GDPR) is one of the most comprehensive laws protecting consumer information that is currently in effect. For the most part, it is doing a commendable job. However as with all legislation, the actual implementation and compliance with a new law can lead to unforeseen consequences. One such consequence was recently demonstrated by a security researcher named James Pavur at the Black Hat security conference.
Right of Access
Mr. Pavur chose to test the compliance with a key element of the GDPR: The so-called right of access. In summary, this right stipulates that companies must turn over all information that they have on an individual if said individual requests it. Deadlines and penalties are also specified.
On the surface, this is a great policy. After all, this transparency allows users to better understand what data is being kept on them and either request its deletion or adjust their own behavior accordingly.
The Problem of Identity
The problem arises from the fact that the law pertains to actual people while companies usually interact with accounts. In other words, if someone requests that their data is handed over, the companies have to comply - even if that user no longer has access to their account. This in turn means that it is wholly unclear how individuals should be identified before data is transferred.
Mr. Pavur exploited exactly this loophole by creating a new email address in the name of his (cooperating) fiancé and sending requests for access to a large number of companies from it. To be clear, this email address was not the one registered with said companies.
Without being able to identify the user through their email address or a login, the companies were faced with a dilemma: How to identify a person correctly over the internet. Identifying people is a daunting task that has kept many experts busy for decades. National identification is often equipped with biometrics and anti-forgery features for exactly this purpose. But the companies neither have access to nor the legal right to such information.
This in turn led to predictable outcomes. While industry giants had the infrastructure and policies to verify identity documents in place, many medium size companies simply complied with the request. This means they ultimately handed over highly confidential information like credit card details, travel routes and criminal background checks to someone that wasn’t their actual account-holder.
Some of the companies first requested proof of identity ranging from photo ID scans to copies of received invoices. Mr. Pavur chose not to cross the line into forgery to gather more data as this enters a legal grey area but still managed to receive data without any verification from 24% of the companies.
It is important to note that the strong verification documents requested by many of the remaining companies can easily be forged by actual attackers. Mr. Pavur’s hands were tied since he is a researcher. Criminals have no such qualms. This leads us to the uncomfortable conclusion that an actual attacker - be it an identity thief, hacker, personal enemy or stalker - could likely collect your private information from 50-70% of companies without having access to any of your real accounts.
This is - in lack of a better word - terrifying.
Why does this happen?
Part of the blame falls on the companies in question. Since they operate within the EU, it is on them to read, understand and comply with the GDPR. This includes creating policies and mechanisms for identity verification.
However, in pragmatic terms, for many smaller companies this is plainly impossible. Service providers will crop up over the coming years but at this point in time expecting a company with 10 employees to be prepared for any and all GDPR related requests and have infrastructure in place for complex high-end tasks like identity verification is unreasonable.
Take the singular example of verifying photo IDs. With 195 countries in the world and most of them issuing several IDs (passports, national ID, drivers’ license, insurance, state ID, …) a company would need to be able to identify and verify the security markers of literally thousands of document types.
The other part of the blame falls on EU legislators. By creating requirements without creating the guidelines and tools to fulfill them securely, the security of citizens was placed into the hands of companies that may be unwilling or plainly unable to handle it.
What lies in the future?
In an ideal world, laws would be passed in a perfectly well thought-out format. This is unfortunately almost never the case. When laws pertain to information security this can often create short-term or long-lasting security issues.
Considering the relative slowness of the EU legislative progress and the relative speed and high incentives to provide turnkey solutions in the private sector, we do not expect the GDPR to be adjusted on these points. Instead, private sector solutions will spring up to make identity verification easier for companies affected by the GDPR.
In the meantime however, it is highly likely that the vulnerability publicized by Mr. Pavur is already actively being exploited by dozens, hundreds or thousands of real-world attackers. And unfortunately, there is very little that you - the user - can do about it.