
Can Authoritative Governments Abuse the Right to Access?


Part of the Lecture Notes in Computer Science book series (LNSC, volume 13279)

Abstract

The right to access is a powerful tool provided by the GDPR to give data subjects control over their data. However, it needs to be implemented properly; otherwise subject access requests can be turned against the subjects' privacy. Indeed, recent works have shown that it is possible to abuse the right to access using impersonation attacks. We propose to extend those impersonation attacks by considering an adversary who has access to governmental resources. In this case, the adversary can forge official documents or exploit copies of them. Our attack affects more people than one may expect. To defeat attacks from this kind of adversary, several solutions are available, such as multi-factor authentication or proof of liveness. Our attacks highlight the need for strong procedures to authenticate subject access requests.
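As an added illustration (this code is not from the paper, which describes no implementation), the following Python models the two authentication policies the abstract contrasts: a document-only check, which an adversary able to forge or copy official documents defeats, and the same check combined with a possession factor bound to the contact address the controller already holds. The names `Account`, `IdDocument`, `ChallengeService`, the e-mail challenge and all sample records are the example's own assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    """Constructed controller record (example data, not taken from the paper)."""
    email: str            # contact channel already on file before any request
    full_name: str
    id_number: str        # the number an official identity document would carry
    data: dict = field(default_factory=dict)


@dataclass
class IdDocument:
    """What a requester uploads; only the printed fields reach the controller."""
    full_name: str
    id_number: str


def document_matches(account: Account, doc: IdDocument) -> bool:
    """Policy A: accept when the uploaded document matches the account record.
    An adversary who can forge or copy official documents produces one with exactly
    these fields, and the controller cannot tell it from a genuine document."""
    return doc.full_name == account.full_name and doc.id_number == account.id_number


class ChallengeService:
    """Second factor for policy B: a short-lived HMAC-derived code delivered only to
    the address on file, so reading that mailbox becomes a requirement."""

    def __init__(self, ttl_seconds: int = 600) -> None:
        self._key = secrets.token_bytes(32)    # server-side secret, never sent out
        self.ttl = ttl_seconds
        self.outbox: dict = {}                 # simulated mail delivery: address -> code

    def _code(self, email: str, nonce: str, issued_at: int) -> str:
        msg = f"{email}|{nonce}|{issued_at}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:8]

    def issue(self, account: Account, now: int) -> tuple:
        """Deliver a fresh code to the registered address; the controller stores only
        the (nonce, timestamp) token with the pending request, not the code."""
        nonce = secrets.token_hex(8)
        self.outbox[account.email] = self._code(account.email, nonce, now)
        return nonce, now

    def verify(self, account: Account, token: tuple, presented: str, now: int) -> bool:
        nonce, issued_at = token
        if now - issued_at > self.ttl:         # expired challenge: fail closed
            return False
        expected = self._code(account.email, nonce, issued_at)
        return hmac.compare_digest(expected, presented)   # constant-time comparison


def process_sar_document_only(account: Account, doc: IdDocument) -> Optional[dict]:
    """Policy A end to end: a matching document alone releases the data."""
    return account.data if document_matches(account, doc) else None


def process_sar_with_channel(account: Account, doc: IdDocument, service: ChallengeService,
                             requester_mailbox: dict, now: int) -> Optional[dict]:
    """Policy B: the document must match AND the requester must present the code sent
    to the registered address. `requester_mailbox` is whatever mail the requester can
    actually read; an impersonator without access to that mailbox gets nothing."""
    if not document_matches(account, doc):
        return None
    token = service.issue(account, now)
    presented = requester_mailbox.get(account.email, "")
    if not service.verify(account, token, presented, now):
        return None
    return account.data


def demo() -> dict:
    """Constructed scenario: the forged document is field-for-field consistent with
    the account, as an adversary with access to state records could make it."""
    alice = Account("alice@example.org", "Alice Example", "ID-123456", {"orders": 3})
    forged = IdDocument("Alice Example", "ID-123456")
    svc = ChallengeService()
    return {
        # attacker: consistent document, no access to Alice's mailbox
        "policy_a_forged_doc": process_sar_document_only(alice, forged) is not None,
        "policy_b_forged_doc_no_mailbox":
            process_sar_with_channel(alice, forged, svc, {}, 1_000) is not None,
        # Alice herself: same document fields, but she can read the delivered code
        "policy_b_genuine_subject":
            process_sar_with_channel(alice, forged, svc, svc.outbox, 1_000) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The second factor only helps when the channel is outside the adversary's reach: an adversary with governmental resources may also be able to compel a mail or telephone provider, which is why the abstract lists proof of liveness as a further option. In a real deployment the eight-character code must also be rate-limited per request, since it is guessable in 2^32 attempts without a limit.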

Keywords

  • Subject access right
  • Authentication
  • Impersonation
  • Forgery

Fig. 1, Fig. 2, Fig. 3 (figure images not included in the preview)

Notes

  1. http://europe-v-facebook.org.

  2. Other more classical methods like postal mail are also available but they are not considered in this work.

  3. https://tapmydata.com.

  4. https://tapmydata.com/.


Author information

Correspondence to Cédric Lauradoux.


Copyright information

© 2022 Springer Nature Switzerland AG

About this paper


Cite this paper

Lauradoux, C. (2022). Can Authoritative Governments Abuse the Right to Access? In: Gryszczyńska, A., Polański, P., Gruschka, N., Rannenberg, K., Adamczyk, M. (eds) Privacy Technologies and Policy. APF 2022. Lecture Notes in Computer Science, vol 13279. Springer, Cham. https://doi.org/10.1007/978-3-031-07315-1_2


  • DOI: https://doi.org/10.1007/978-3-031-07315-1_2


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07314-4

  • Online ISBN: 978-3-031-07315-1
