It was heralded by data security experts as a much-needed, sweeping change. But some elements of GDPR, it appears, are beginning to cause problems.
When the European Union’s General Data Protection Regulation (GDPR) came into force in May, data specialists and privacy experts breathed a collective sigh of relief. After 20 years of outdated legislation, drafted in the mid-Nineties, huge swathes of privacy encroachments would be resolved. GDPR was treated like a godsend: the be-all and end-all for data breaches and data misuse. But only three months into the legislation, the cracks are beginning to show.
Assistant professor of computer science at Carnegie Mellon University, Jean Yang, revealed on Twitter this week how her Spotify account had been hacked – and how the hackers were able to request, and ultimately download, her entire streaming history, date of birth, and card details through a newly accessible function required by GDPR.
Today I discovered an unfortunate consequence of GDPR: once someone hacks into your account, they can request–and potentially access–all of your data. Whoever hacked into my @spotify account got all of my streaming, song, etc. history simply by requesting it.
— Jean Yang (@jeanqasaur) September 11, 2018
The hacker seems to have exploited what is called the subject access right – your right to have access to your data, which was bolstered under GDPR (Yang is based in the US, but Spotify has implemented GDPR globally). In Information Commissioner’s Office (ICO) terms, this right means that, at any given moment, any individual has the right to request access to all of the data a company has, or has collected, on them.
The subject access right has existed in data protection law for 30 years, but before GDPR there were far more restrictions. Under the Data Protection Act 1998 – GDPR’s predecessor – organisations could charge fees for requesting data, it could take nearly two months to hand over information following a request, and they weren’t required to have an electronic database. GDPR has scrapped the fee, requires information to be dispensed immediately, and expects all companies to have electronic sets of this data at all times.
The personal information a company may have can include any sensitive information you have supplied to it – such as your date of birth, address, credit card number (all affected in Yang’s case) – as well as the information it has collected, such as the songs you’ve streamed or the websites you often visit.
But the real concern with GDPR lies in the speed with which this data can be supplied. The updated subject access right means individuals should be able to get automated access to their data immediately. While it is, of course, convenient for individuals to have such easy access to the information a company holds on them, it also means that, in the case of a hack, other people could have the same incredibly easy access. When logged into some accounts, the function that allows you …
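The risk described above is that a self-service export trusts nothing more than a logged-in session. The following is an added example, not code from the article, from Spotify or from any real service, of how a data-export endpoint can be gated so that a stolen session alone is not enough: it requires a recent re-authentication (step-up), holds the archive for a waiting period, and notifies the account owner out of band so they can cancel. The policy values (ten-minute re-authentication window, 24-hour hold, longer hold for unfamiliar devices), the `Session` fields and the sample account are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Policy constants (assumptions for this example, not values from the article).
REAUTH_MAX_AGE = timedelta(minutes=10)  # credentials must have been re-entered this recently
HOLD_PERIOD = timedelta(hours=24)       # owner gets this long to cancel before the archive is released
UNKNOWN_DEVICE_MULTIPLIER = 3           # exports from a never-seen device wait three times longer


@dataclass
class Session:
    """What the export endpoint knows about the caller (constructed for the example)."""
    user_id: str
    last_reauth_at: Optional[datetime]  # None: password/2FA not re-entered in this session
    device_known: bool                  # device has been seen on this account before


@dataclass
class ExportRequest:
    user_id: str
    requested_at: datetime
    release_at: datetime
    cancelled: bool = False


class ExportGate:
    """Decides whether a self-service data export may be created and released."""

    def __init__(self) -> None:
        self.pending: Dict[str, ExportRequest] = {}
        # Out-of-band notices sent to the account owner: (user_id, channel, text).
        self.notifications: List[Tuple[str, str, str]] = []

    def request_export(self, session: Session, now: datetime) -> str:
        # 1. Step-up: a live session cookie is not enough; require a recent re-authentication.
        if session.last_reauth_at is None or now - session.last_reauth_at > REAUTH_MAX_AGE:
            return "reauth_required"
        # 2. Hold the archive instead of releasing it immediately; unknown devices wait longer.
        hold = HOLD_PERIOD * (1 if session.device_known else UNKNOWN_DEVICE_MULTIPLIER)
        req = ExportRequest(session.user_id, now, now + hold)
        self.pending[session.user_id] = req
        # 3. Tell the owner through channels an attacker is less likely to also control.
        for channel in ("email", "push"):
            self.notifications.append((
                session.user_id, channel,
                f"A copy of your data was requested at {now.isoformat()}; "
                f"it will be released at {req.release_at.isoformat()} unless you cancel.",
            ))
        return "queued"

    def cancel(self, user_id: str) -> bool:
        req = self.pending.get(user_id)
        if req is None or req.cancelled:
            return False
        req.cancelled = True
        return True

    def release(self, user_id: str, now: datetime) -> str:
        req = self.pending.get(user_id)
        if req is None:
            return "no_request"
        if req.cancelled:
            return "cancelled"
        if now < req.release_at:
            return "not_ready"
        del self.pending[user_id]
        return "released"


def demo() -> Dict[str, str]:
    """Walk one constructed account through the gate; returns the decision at each step."""
    t0 = datetime(2018, 9, 11, 12, 0, tzinfo=timezone.utc)
    gate = ExportGate()
    stale = Session("alice", last_reauth_at=None, device_known=True)
    fresh = Session("alice", last_reauth_at=t0 - timedelta(minutes=2), device_known=False)
    out: Dict[str, str] = {}
    out["stale_session"] = gate.request_export(stale, t0)                   # reauth_required
    out["fresh_session"] = gate.request_export(fresh, t0)                   # queued
    out["early_release"] = gate.release("alice", t0 + timedelta(hours=1))   # not_ready
    out["after_hold"] = gate.release("alice", t0 + HOLD_PERIOD * UNKNOWN_DEVICE_MULTIPLIER)  # released
    # A second request that the owner cancels from the notification never releases.
    gate.request_export(fresh, t0)
    gate.cancel("alice")
    out["cancelled"] = gate.release("alice", t0 + timedelta(days=10))       # cancelled
    return out


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step:14} -> {decision}")
```

The three controls address the failure mode separately: step-up blocks an attacker holding only a session token, the hold period turns an instant download into a window in which the owner can react, and the out-of-band notice is what makes that window useful. None of them changes what data the subject is entitled to, only how quickly an unverified caller can walk away with it.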
Source: New Statesman