GDPR SAR exploit…. nah

Thanks to Matt Palmer for bringing this article to my attention, and there has been some Twitter activity on this… but I’m not very active on Twitter… maybe I should..

Anyhow, the claim is that the GDPR was exploited to get personal data via rights exercised by the data subject, but in this case it was some researchers.

What went wrong here is that some companies did NOT verify the identity of the requester (data subject). This is different to authentication.

Authentication is where you provide credentials in order to be permitted access to an application, system, device, whatever. For example you probably use your finger-print to authenticate to your smartphone. However, this could be just a username and password. Authentication doesn’t necessarily prove you are who you say you are. Clearly your fingerprint can do this as it is ‘something you are’ but your username/password combination does not.

ID verification is when you need to provide evidence that you are who you say you are, a strong example is your driving licence of ID card when referencing SARs requests in the GDPR.

https://www.dailyrecord.co.uk/whats-on/theatre-news/award-winning-show-full-monty-7838166

The question is how far do you need to go? The GDPR (Art 10) states that the controller should not need to collect additional personal data in order to comply. So this means that if you set up an account as donald.duck@gmail.com 6 months ago and nothing else was shared, e.g. Full name. Then what needs verification is that you are the same donald.duck who created the account. A full SAR Monty is not required.

In Sweden there has been defined somewhere, 4 levels of ID verification. The bottom 2 are based on the donald.duck example, the top 2 are based on a full ID check.

IMHO I think that companies are making it too difficult for the data subject to exercise their rights. In Sweden some companies are using a full ID check using something cool called BankID, and this works great, nice a simple and most people have this App loaded on their telephone!

Many organisations are requesting a copy of ID, driving license and even a utility bill, which is fine until you look at the insecure email channels over which ID verification is being sent over…. opps