Paper Number

1802

Paper Type

Complete

Description

Despite its ambitious goals of protecting personal data and generally being well-received, the General Data Protection Regulation (GDPR) can be exploited for identity theft by weaponizing subject access requests (SARs). To understand this threat and investigate the impact of victims’ privacy awareness and public exposure on its effectiveness, we selected three victims – a highly privacy-aware person, an average user, and a semipublic figure – and tasked six realistic attackers with stealing their personal data. Based on 718 submitted SARs, we provide novel insights from a realistic case study of a law being weaponized and advance the understanding of GDPR-based identity theft by demonstrating its practical viability. Further, we derive patterns from common flaws observed in SAR handling processes and explore threat mitigation options for individuals, organizations, and lawmakers. Generalizing our findings, we uncover approaches for cybersecurity researchers to probe further laws for flaws.

Comments

06-Security

Dec 12th, 12:00 AM

Weaponizing the GDPR: How Flawed Implementations Turn the Gold Standard for Privacy Laws into Fool's Gold

