GDPR is a useful law. Full stop. But if something can be improved, why not do it?

The privacy and security offered to EU users have certainly improved since the GDPR came into force, and other countries have taken inspiration from it for their own online regulations. But since it is still a fairly new law (in force since 25 May 2018), it has some downsides, at least in its first implementation.

In fact it was improved in 2022: the cookie banner is now more consistent and useful, and gives users more control, and easier control, over those annoying banners. You should now be able to quickly choose whether to accept the cookies or not, and continue without agreeing to them. An example of the biggest change is this tiny but necessary button.

And as you know, the GDPR also allows you to request the personal data a company stores about you. This is actually the biggest trouble with the GDPR, and it hasn’t been changed in its ‘latest release’.

Indeed, the study “GDPR: When the Right to Access Personal Data Becomes a Threat” [pdf, 405Kb], carried out at the Sapienza University of Rome, in Italy, has highlighted some important flaws in the data request procedure:

we take into account how controllers transmit the data to the users and how they identify the requester. Surprisingly, we found that almost 50% of the data controllers that handled the request are affected by flaws that can compromise the users’ privacy.

The problem is that lots of companies don’t check whether the person making the request is really the data subject whose data/archive of information they hold:

They were able to impersonate the victim and get their personal data from 15 out of 55 controllers using several techniques, among which document tampering and email spoofing. Finally, Cagnazzo et al. [15], exploiting a social engineering flaw, were able to retrieve personal data from 10 out of 14 German companies. They forged an email address that looks like one of the victims. From the forged email address, they contacted the companies to update personal info about the victim. Finally, some days later, they performed the subject access request from the forged email.

Further, the researchers found that companies send the user data without any kind of encryption or security measure and, worst of all, the passwords are sent along with the archive with no protection either. Email content is not encrypted by default, so the mail could be sniffed by some kind of ‘man-in-the-middle’ attack, although I think that is unlikely to happen. What concerns me is that every mail provider can read your email (I mean the plain text). And companies are sending those (your) data to the mail provider too, in an easily readable format. As if companies like Google or Microsoft didn’t already have enough data on you, now they may also have the data you request from other companies.

We received most of the personal data by email. 82 of these shared the data as a plain file or a zip folder without using any security measure. […] Moreover, since the email and the attached file are saved on the email server, there is the risk that an attacker gains unauthorized access to it, as it happened in the recent past [10].

Instead, among the data collectors that send the personal data encrypted via email, 20 of them send also the password to decrypt the data on the same email account, or even in the same email with the data attached. This solution is clearly ineffective.

We also found 3 interesting cases, where the controllers correctly encrypt the data and send the password on a different channel. However, a careful observer can quickly note that the passwords used to encrypt the data follow a pattern based on the requester data. Examples of these patterns are: user’s surname concatenated to the same string, user’s date of birth, or the user’s full name. We double-checked these patterns requesting the personal data to these controllers from 3 different accounts.

Finally, 2 of the collectors that use the email channel to provide the data, neither encrypt the file containing the personal data nor use TLS or S/MIME schemes to send the email, exposing the personal data to sniffing or man-in-the-middle attacks.

And this is a really big problem for user privacy.
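To make the study’s findings concrete from a defender’s side, here is an added Python example (not code from this post or from the Sapienza study) that audits how a data subject access request was answered and flags the four failure modes quoted above: a plaintext attachment, the decryption password sent over the same channel as the data, a password built from the requester’s own name or date of birth, and email sent without TLS or S/MIME. The `Requester` and `Delivery` records, their field names and the sample values are all constructed for the example; a controller would populate them from its own DSAR handling logs.

```python
"""Added example (not from the post or the Sapienza study): audit a DSAR
(GDPR right-of-access) response delivery against the failure modes the
study describes. All record types, field names and sample values below
are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set
import re
import secrets
import string


@dataclass
class Requester:
    """The data subject as known to the controller (constructed sample data)."""
    full_name: str
    surname: str
    date_of_birth: date
    email: str


@dataclass
class Delivery:
    """How the controller delivered the personal data (hypothetical record)."""
    attachment_encrypted: bool
    password: Optional[str]          # password protecting the archive, if any
    password_channel: Optional[str]  # "same_email", "same_mailbox", "sms", "letter", ...
    transport_tls: bool              # message sent over STARTTLS/SMTPS
    smime_encrypted: bool = False    # message protected end-to-end with S/MIME


def _normalise(text: str) -> str:
    """Lower-case and strip punctuation so 'Rossi-1990' and 'rossi1990' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _pii_tokens(requester: Requester) -> Set[str]:
    """Requester attributes a lazy password scheme is likely to be built from."""
    dob = requester.date_of_birth
    raw = {
        requester.surname,
        requester.full_name,
        requester.email.split("@")[0],
        dob.isoformat(),            # 1990-05-14
        dob.strftime("%d%m%Y"),     # 14051990
        dob.strftime("%Y%m%d"),     # 19900514
    }
    # Keep tokens of at least four characters to avoid trivial matches.
    return {t for t in (_normalise(r) for r in raw) if len(t) >= 4}


def password_derived_from_pii(password: str, requester: Requester) -> bool:
    """True if the archive password embeds the requester's name, surname,
    mailbox name or date of birth (the pattern the study observed)."""
    pw = _normalise(password)
    return any(token in pw for token in _pii_tokens(requester))


def generate_archive_password(length: int = 20) -> str:
    """A per-request random password, the replacement for PII-based schemes."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_delivery(delivery: Delivery, requester: Requester) -> List[str]:
    """Return the weaknesses found; an empty list means the delivery avoids
    every failure mode described in the study."""
    findings: List[str] = []
    if not delivery.attachment_encrypted:
        findings.append("attachment sent without encryption")
    else:
        if delivery.password_channel in ("same_email", "same_mailbox"):
            findings.append("decryption password sent over the same channel as the data")
        if delivery.password and password_derived_from_pii(delivery.password, requester):
            findings.append("decryption password derived from requester data")
    if not delivery.transport_tls and not delivery.smime_encrypted:
        findings.append("no TLS or S/MIME protection on the email")
    return findings


# Constructed sample: one requester, three hypothetical controller responses.
SAMPLE_REQUESTER = Requester("Mario Rossi", "Rossi", date(1990, 5, 14), "mario.rossi@example.org")

SAMPLE_DELIVERIES = {
    "plain_zip": Delivery(False, None, None, transport_tls=True),
    "pii_password": Delivery(True, "Rossi2023", "sms", transport_tls=True),
    "good_practice": Delivery(True, generate_archive_password(), "sms", transport_tls=True),
}

if __name__ == "__main__":
    for label, d in SAMPLE_DELIVERIES.items():
        print(f"{label}: {audit_delivery(d, SAMPLE_REQUESTER) or ['no findings']}")
```

The PII check normalises both the password and the requester’s attributes before comparing, so trivial variations such as `Rossi-2023` or `14/05/1990` are caught as well as the exact surname or date; the random password generator is the contrast the study implies, a per-request secret that carries no information about the requester and is sent on a channel other than the email carrying the archive.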

In the end I hope the EU regulators will consider these issues in the future. GDPR is a great new law, with some flaws like any new law, and spending some time to make it better and more secure should be the goal for EU regulators. Users will be grateful for it.