Loading...
Paper Number
1802
Paper Type
Complete
Description
Despite its ambitious goals of protecting personal data and generally being well-received, the General Data Protection Regulation (GDPR) can be exploited for identity theft by weaponizing subject access requests (SARs). To understand this threat and investigate the impact of victims’ privacy awareness and public exposure on its effectiveness, we selected three victims – highly privacy aware person, average user, and semipublic figure – and tasked six realistic attackers with stealing their personal data. Based on 718 submitted SARs, we provide novel insights from a realistic case study of a law being weaponized and advance the understanding of GDPR-based identity theft by demonstrating its practical viability. Further, we derive patterns from common flaws observed in SAR handling processes, and explore threat mitigation options for individuals, organizations, and lawmakers. Generalizing our findings, we uncover approaches for cybersecurity researchers to probe further laws for flaws.
Recommended Citation
Gladis, Alexander; Hartwich, Nicole Janine; and Salge, Oliver, "Weaponizing the GDPR: How Flawed Implementations Turn the Gold Standard for Privacy Laws into Fool's Gold" (2022). ICIS 2022 Proceedings. 7.
https://aisel.aisnet.org/icis2022/security/security/7
Weaponizing the GDPR: How Flawed Implementations Turn the Gold Standard for Privacy Laws into Fool's Gold
Despite its ambitious goals of protecting personal data and generally being well-received, the General Data Protection Regulation (GDPR) can be exploited for identity theft by weaponizing subject access requests (SARs). To understand this threat and investigate the impact of victims’ privacy awareness and public exposure on its effectiveness, we selected three victims – highly privacy aware person, average user, and semipublic figure – and tasked six realistic attackers with stealing their personal data. Based on 718 submitted SARs, we provide novel insights from a realistic case study of a law being weaponized and advance the understanding of GDPR-based identity theft by demonstrating its practical viability. Further, we derive patterns from common flaws observed in SAR handling processes, and explore threat mitigation options for individuals, organizations, and lawmakers. Generalizing our findings, we uncover approaches for cybersecurity researchers to probe further laws for flaws.
When commenting on articles, please be friendly, welcoming, respectful and abide by the AIS eLibrary Discussion Thread Code of Conduct posted here.
Comments
06-Security