To get your personal data, you need to give out even more personal data

California's new Personal Data Privacy Act gives consumers the right to see and delete their data. However, to access it, they often have to provide even more of their data.



Companies ask users to provide personal data before giving them access to their data, in order to keep that data out of the wrong hands.

The New Year brought with it a new California law on personal data, which gives the state's residents more control over how their digital data is used. Residents of this state are not the only ones to benefit: many companies are extending the data protections to all users in the United States. The most important part of this protection is the user's right to see what data is collected about them and to delete it.

In the fall, I exercised my right to check this system, and sent requests for my data to companies involved in building consumer profiles and scoring them. One of the companies, Sift, which assesses the creditworthiness of consumers, sent me my 400-page file, which contained messages from Airbnb, orders from Yelp and activity with Coinbase going back many years. Soon after the publication of my article, Sift was overwhelmed with requests: in a short time the company received more than 16,000 of them, and it had to hire a contractor to handle them.

This contractor, Berbix, helped establish the identity of people requesting their data by requiring them to upload a photo of their passport and take a selfie. Then the company demanded that they take a second selfie with the following condition: “Make sure that you look happy or joyful in the photo, and try again.”

Many people who read about my experience with this system did not like what Berbix required, including the need to smile to gain access to the file.

“This is a nightmarish future where I can’t ask for my data from some dumb shadow credit bureau without first smiling at it - and this is sheer madness,” wrote Jack Phelps, a programmer from New York.



“There is something wrong with sharing more personal information,” wrote another reader, Barbara Clancy, a retired neuroscience professor in Arkansas.

This is an unpleasant reality: to get your personal data, you have to part with even more personal data. At first it seems awful. Alistair Barr of Bloomberg called it "a new circle of hell for privacy."

However, there are serious reasons for this. Companies do not want to give personal data to the wrong person, and this has already happened in the past. In 2018, Amazon sent 1,700 audio files of one customer's recorded conversations with the Alexa assistant to a stranger.

The right to access personal data is established by the new California Consumer Confidentiality Act. The law partially repeats the European regulation known as the General Data Protection Regulation (GDPR). Shortly after the regulation came into force, in May 2018, a hacker gained access to the Spotify account of Jin Yang, the director of a technology company, and successfully submitted a request for her personal data, learning her home address, bank card information and the history of the music she had listened to.



Since then, two groups of researchers have shown that systems created to meet the requirements of the GDPR can be deceived into handing over another person's personal information.

One researcher, James Pavur, a 24-year-old graduate student at Oxford University, sent data requests on behalf of his research partner and wife, Casey Knerr, to 150 companies, using information about her that could easily be found on the Internet: mailing address, email address and phone number. To send the requests, he created an email account with an address resembling one of the spellings of her name. A quarter of these companies sent him her personal data.

“I got her social security number, a list of school grades, a large slice of bank card information,” Pavur said. “The information security threat company has sent me all of its passwords that have leaked to the network.”

Mariano Di Martino and Peter Robins, computer science researchers at the University of Hasselt in Belgium, achieved roughly the same success rate when they contacted 55 financial, entertainment and news companies. They requested each other’s data, using more advanced techniques than Pavur’s; in particular, they edited other people’s passports in a photo editor. In one case, Di Martino managed to obtain the data of a complete stranger whose name was similar to Robins's.

Researchers from both groups concluded that the new data-rights law is useful. However, they note that companies need to improve the security of their processes in order to avoid further compromising user privacy.

“Companies are in a hurry to make decisions leading them to unsafe practices,” said Robins.

Different companies use different methods to confirm a requester's identity. Many just ask for a photo of a driver’s license. Retail Equation, a company that decides whether a consumer can return goods to retail stores such as Best Buy and Victoria's Secret, asks only for a name and driver’s license number.

The wide range of companies that are now required to return data to users, from Baskin Robbins to The New York Times, have very different levels of knowledge and experience in the field of data security.

Companies such as Apple, Amazon, and Twitter may ask users to verify their identity by logging into their account. All of them also notify the user when a data request is received, which can alert people if their account has been hacked. An Apple spokesman said that after such a request is submitted, the company uses additional methods to verify the user's identity, although the spokesman noted that the company cannot disclose the specifics of these methods for security reasons.

In the event that users cannot verify their identity by logging in, Di Martino and Robins recommend that companies send them an email, call or request information that only the user can know - such as the number of a recent check.

“Regulators need to think more deeply about the unintended consequences of user access to reading and deleting their data,” said Steve Kirkam, who worked on the Airbnb security team for five years, before founding Berbix in 2018. “We want to prevent fraudulent requests and satisfy legitimate ones.”

And regulators are thinking about it. California law requires businesses to "verify the identity of the consumer who submitted the request with a reasonable degree of certainty" and to apply a more rigorous check to requests for "sensitive or valuable information."

Kirkam said Berbix asks for the first selfie to find out whether the face matches the photo on the documents, and for the second, with an expression of joy or another emotion, to make sure that an attacker is not simply holding a photo in front of the camera. Kirkam said Berbix deletes collected data after a period of seven days to a year, depending on what the client company requires (Sift deletes all data after two weeks).

“This is a new area of threats that companies should think about,” said Blake Brennon, vice president of OneTrust, another company that helps businesses comply with new personal data laws. OneTrust offers its 4,500 customers the ability to create several levels of identity verification, for example, sending a code to a phone or checking ownership of an email address.

“If I ask for something simple, verification will be minimal, in contrast to a request to delete data,” Brennon said. “In the latter case, more verification levels are required.”

Berbix's Kirkam said the identity verification process makes some people refuse to complete the request altogether. “Many people do not want to give out even more information,” Kirkam said. “They suggest that we will do something malicious with it.” And he added: “However, this is the irony. We require additional information from people in order to protect them. We want to make sure that you are who you say you are.”

Source: https://habr.com/ru/post/undefined/

