Security Analysis of Subject Access Request Procedures

How to Authenticate Data Subjects Safely When They Request for Their Data

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11498)

Abstract

With the GDPR in force in the EU since May 2018, companies and administrations need to be vigilant about the personal data they process. The new regulation defines rights for data subjects and obligations for data controllers but it is unclear how subjects and controllers interact concretely. This paper tries to answer two critical questions: is it safe for a data subject to exercise the right of access of her own data? When does a data controller have enough information to authenticate a data subject? To answer these questions, we have analyzed recommendations of Data Protection Authorities and authentication practices implemented in popular websites and third-party tracking services. We observed that some data controllers use unsafe or doubtful procedures to authenticate data subjects. The most common flaw is the use of authentication based on a copy of the subject’s national identity card transmitted over an insecure channel. We define how a data controller should react to a subject’s request to determine the appropriate procedures to identify the subject and her data. We provide compliance guidelines on data access response procedures.

Notes

  1. Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, Case C-131/12, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62012CJ0131&from=EN.

  2. Alexa measures web traffic and provides a ranking of websites with respect to their traffic: https://www.alexa.com/topsites, extracted in October 2018.

  3. Point 2.3 of the Terms of Service, https://help.mail.ru/mail-help/UA (available only in Russian).

  4. TOR is an anonymity network that directs Internet traffic through a worldwide overlay network, so the IP address of the user’s device is not visible to the server that receives requests from the user, www.torproject.org.

Acknowledgments

This work is supported by the French National Research Agency in the framework of the Investissements d’Avenir program (ANR-15-IDEX-02) and project PrivaWEB (ANR-18-CE39-0008-01), as well as the ANSWER project PIA FSN2 (P159564-2661789\DOS0060094).

Corresponding author

Correspondence to Cédric Lauradoux.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Boniface, C., Fouad, I., Bielova, N., Lauradoux, C., Santos, C. (2019). Security Analysis of Subject Access Request Procedures. In: Naldi, M., Italiano, G., Rannenberg, K., Medina, M., Bourka, A. (eds) Privacy Technologies and Policy. APF 2019. Lecture Notes in Computer Science(), vol 11498. Springer, Cham. https://doi.org/10.1007/978-3-030-21752-5_12

  • DOI: https://doi.org/10.1007/978-3-030-21752-5_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-21751-8

  • Online ISBN: 978-3-030-21752-5

  • eBook Packages: Computer Science, Computer Science (R0)
