GDPR: When the Right to Access Personal Data Becomes a Threat
- URL: http://arxiv.org/abs/2005.01868v1
- Date: Mon, 4 May 2020 22:01:46 GMT
- Title: GDPR: When the Right to Access Personal Data Becomes a Threat
- Authors: Luca Bufalieri, Massimo La Morgia, Alessandro Mei, Julinda Stefa
- Abstract summary: We examine more than 300 data controllers, submitting to each of them a request to access personal data.
We find that 50.4% of the data controllers that handled the request have flaws in their procedure for identifying the users,
with the undesired and surprising result that the GDPR, in its present deployment, has actually decreased the privacy of the users of web services.
- Score: 63.732639864601914
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: One year after the entry into force of the GDPR, all web sites and data
controllers have updated their procedures for storing users' data. The GDPR
covers not only how and what data should be saved by the service providers, but
also guarantees an easy way to know what data are collected and the freedom
to export them.
In this paper, we carry out a comprehensive study on the right to access data
provided by Article 15 of the GDPR. We examined more than 300 data controllers,
performing for each of them a request to access personal data. We found that
almost every data controller has a slightly different procedure to fulfill the
request and several ways to provide data back to the user, from a structured
file like CSV to a screenshot of the monitor. We measure the time needed to
complete the access data request and the completeness of the information
provided. After this phase of data gathering, we analyze the authentication
process followed by the data controllers to establish the identity of the
requester. We find that 50.4% of the data controllers that handled the
request, even if they store the data in compliance with the GDPR, have flaws in
the procedure of identifying the users or in the phase of sending the data,
exposing the users to new threats, with the undesired and surprising result
that the GDPR, in its present deployment, has actually decreased the privacy of
the users of web services.
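The completeness measurement described above can be illustrated with a toy check on a structured export such as a CSV file. This is a hypothetical sketch, not the authors' measurement code; the field names and expected set are made up for illustration:

```python
import csv
import io

# Hypothetical CSV export a data controller might return (made-up fields).
EXPORT = """field,value
email,alice@example.com
signup_date,2019-03-02
last_login,2020-04-28
"""

# Fields a data subject might expect under an Article 15 request
# (illustrative only; the paper defines its own completeness criteria).
EXPECTED = {"email", "signup_date", "last_login", "ip_addresses"}

def missing_fields(csv_text, expected):
    """Return the expected fields absent from a key/value CSV export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    present = {row["field"] for row in rows}
    return expected - present

print(sorted(missing_fields(EXPORT, EXPECTED)))  # -> ['ip_addresses']
```

A screenshot of the monitor, by contrast, admits no such programmatic check, which is one reason the variety of response formats matters for data subjects.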
Related papers
- How to Drill Into Silos: Creating a Free-to-Use Dataset of Data Subject Access Packages [0.0]
The European Union's General Data Protection Regulation strengthened data subjects' right to access personal data.
So far, however, data subjects' possibilities for actually using controller-provided subject access request packages (SARPs) have been severely limited.
The paper creates and publicly provides a dataset of SARPs that shall, in the future, serve as a starting point for researching and comparing novel approaches for practically viable use of SARPs.
arXiv Detail & Related papers (2024-07-05T12:39:51Z) - Data Acquisition: A New Frontier in Data-centric AI [65.90972015426274]
We first present an investigation of current data marketplaces, revealing a lack of platforms that offer detailed information about datasets.
We then introduce the DAM challenge, a benchmark that models the interaction between data providers and acquirers.
Our evaluation of the submitted strategies underlines the need for effective data acquisition strategies in Machine Learning.
arXiv Detail & Related papers (2023-11-22T22:15:17Z) - Needle in the Haystack: Analyzing the Right of Access According to GDPR
Article 15 Five Years after the Implementation [0.0]
Article 15 of the European Union's General Data Protection Regulation (GDPR) was implemented in 2018 to strengthen data protection for Europeans.
This study aims to explore the challenges faced by individuals who request their data.
A few exceptions did not respond with any data or did not deliver machine-readable data.
The findings reveal ten patterns individuals face when requesting and accessing their data.
arXiv Detail & Related papers (2023-08-29T09:49:15Z) - Stop Uploading Test Data in Plain Text: Practical Strategies for
Mitigating Data Contamination by Evaluation Benchmarks [70.39633252935445]
Data contamination has become prevalent and challenging with the rise of models pretrained on large automatically-crawled corpora.
For closed models, the training data becomes a trade secret, and even for open models, it is not trivial to detect contamination.
We propose three strategies that can make a difference: (1) Test data made public should be encrypted with a public key and licensed to disallow derivative distribution; (2) demand training exclusion controls from closed API holders, and protect your test data by refusing to evaluate without them; and (3) avoid data which appears with its solution on the internet, and release the web-page context of internet-derived
arXiv Detail & Related papers (2023-05-17T12:23:38Z) - Protecting User Privacy in Online Settings via Supervised Learning [69.38374877559423]
We design an intelligent approach to online privacy protection that leverages supervised learning.
By detecting and blocking data collection that might infringe on a user's privacy, we can restore a degree of digital privacy to the user.
arXiv Detail & Related papers (2023-04-06T05:20:16Z) - Certified Data Removal in Sum-Product Networks [78.27542864367821]
Deleting the collected data is often insufficient to guarantee data privacy.
UnlearnSPN is an algorithm that removes the influence of single data points from a trained sum-product network.
arXiv Detail & Related papers (2022-10-04T08:22:37Z) - Scalable Discovery and Continuous Inventory of Personal Data at Rest in
Cloud Native Systems [0.0]
Cloud native systems process large amounts of personal data through numerous and possibly multi-paradigmatic data stores.
From a privacy engineering perspective, a core challenge is to keep track of all exact locations where personal data is being stored.
We present Teiresias, comprising i) a workflow pattern for scalable discovery of personal data at rest, and ii) a cloud native system architecture and open source prototype implementation of said workflow pattern.
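As a toy illustration of discovering personal data at rest (not the Teiresias workflow itself, which targets cloud-native data stores), a simple regex-based scan over stored records might look like this; the patterns and record store are made-up examples:

```python
import re

# Simple patterns for two common personal-data types (illustrative only).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\+?\d[\d\s-]{7,}\d"),
}

def scan_records(records):
    """Report which records contain which kinds of personal data."""
    hits = {}
    for key, text in records.items():
        found = [name for name, pat in PATTERNS.items() if pat.search(text)]
        if found:
            hits[key] = found
    return hits

store = {
    "doc1": "contact: bob@example.org",
    "doc2": "no personal data here",
}
print(scan_records(store))  # -> {'doc1': ['email']}
```

A production system would of course need connectors per data store and far more robust detectors; the sketch only shows the shape of the discovery step.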
arXiv Detail & Related papers (2022-09-09T10:45:34Z) - Releasing survey microdata with exact cluster locations and additional
privacy safeguards [77.34726150561087]
We propose an alternative microdata dissemination strategy that preserves the utility of the original microdata while adding privacy safeguards.
Our strategy reduces the respondents' re-identification risk for any number of disclosed attributes by 60-80% even under re-identification attempts.
arXiv Detail & Related papers (2022-05-24T19:37:11Z) - Protecting Privacy and Transforming COVID-19 Case Surveillance Datasets
for Public Use [0.4462475518267084]
CDC has collected person-level, de-identified data from jurisdictions and currently has over 8 million records.
Data elements were included based on usefulness, public requests, and privacy implications.
Specific field values were suppressed to reduce risk of reidentification and exposure of confidential information.
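Suppression of this kind can be sketched as a generic frequency-based rule: values that occur too rarely are masked because they single out individuals. This is a simplified, made-up illustration, not CDC's actual de-identification pipeline; the field name and threshold are hypothetical:

```python
from collections import Counter

def suppress_rare_values(records, field, min_count=5):
    """Replace values of `field` occurring fewer than `min_count`
    times with a sentinel, reducing re-identification risk."""
    counts = Counter(r[field] for r in records)
    return [
        {**r, field: r[field] if counts[r[field]] >= min_count else "SUPPRESSED"}
        for r in records
    ]

records = [{"county": "A"}] * 6 + [{"county": "B"}] * 2
out = suppress_rare_values(records, "county", min_count=5)
print(sorted({r["county"] for r in out}))  # -> ['A', 'SUPPRESSED']
```

Real disclosure-control pipelines combine such rules with broader risk assessments across combinations of fields, not just single columns.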
arXiv Detail & Related papers (2021-01-13T14:24:20Z)
This list is automatically generated from the titles and abstracts of the papers on this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences of its use.