8 votes

Security researcher successfully used false GDPR "right of access" requests to obtain extensive personal information about someone else

4 comments

  1. nothis

    The thing about GDPR and Co. is that it's a good first step – transparency – but in the end it just lets you confirm that a company is collecting all your data, it doesn't put a stop to it. So we end up with an absurd amount of popups which we blindly click away (because we don't really have a choice) and it's back to square one.

    We need laws that prevent companies from collecting that data in the first place. That's more tricky, of course, but it's the only law that would actually change things. For example, disallow ad companies from creating personalized profiles, force them to delete secondary information after a couple of months, etc.

    2 votes
    1. Deimos

      Hmm, I'd disagree with that somewhat. The GDPR does include multiple restrictions about how companies are allowed to use data, requirements for them to tell you what they're using it for (and require you to opt-in), and the ability for you to tell them to delete all of your data.

      I think the biggest overall problem (which regulation alone can't really fix) is that it's almost all based on the honor system and can only be verified or punished by investigations. How could we know what companies are using our data for? How do we know that they're really sending us all of our data when we ask for it? How can we verify that they really deleted it, even if they say they did?

      3 votes
      1. nothis

        I definitely agree that there's a huge gap between armchair idealism and real-world, enforceable laws. But I think what makes it easier is that the biggest offenders, almost by definition, are the biggest companies since they have the most data. So a Google or Facebook wouldn't risk being one whistleblower scandal away from facing a lawsuit and would probably comply.

        As for the ways GDPR genuinely restricts how to use data, I don't really see many. They have to justify what they need the data for (duh, ads) and inform the user ("click here to accept these 15 pages of conditions"). I don't think Google had to change a single thing for GDPR, they'll happily inform you about all the data they collect. The problem is that a single company has 12 Stasi files worth of information on half the population.

        2 votes
        1. nacho

          The storage requirements and how to have decent control over the information they have are extremely important in limiting the consequences of a data breach.

          Punishments for personal data that isn't treated according to the law (say it ends up at a third party that shouldn't have access) or is mistreated and misused by the company can lead to huge fines.
          I agree with you both that how the law is investigated/enforced to ensure this isn't just on the honor system with Google, Microsoft, Facebook, Twitter, and all the others systematically showing they're less than honorable.

          As I've had GDPR explained to me, the law doesn't say much about that enforcement, so there's presumably a lot of latitude and discretion given to the enforcers. So far they don't seem to have done much. Yet.