Confidentiality is a hot topic for legislators around the world.
Democratic presidential candidates have privacy laws and regulations in their campaign platforms. Amy Klobuchar discussed a tax on companies that share user data. Elizabeth Warren presented legislation that includes the idea of jail time for CEOs over breaches of privacy. Before dropping out of the race, John Delaney proposed that the United States pass a law similar to the California Consumer Privacy Act, which gives consumers more power to limit the companies that collect their data.
Voters demand action. A recent Morning Consult poll found that 79% of registered voters said that Congress should pass a bill to better protect consumer online data, while 65% rated data privacy as one of society’s biggest problems.
The European Union, now 27 member states after the loss of the United Kingdom, has promulgated the General Data Protection Regulation (GDPR), enshrining the idea that people have control over their personal data. California recently enacted its own privacy law, the California Consumer Privacy Act (CCPA), which takes effect January 1. The law allows Californian consumers to know when private companies collect, share or sell their data and to stop this sale if necessary. It applies to businesses whose gross annual income exceeds $25 million or which have information on 50,000 or more consumers.
But laws can have unintended consequences. Sometimes the very laws that enforce privacy can lead companies to hand over private data. The GDPR paves the way for scammers to impersonate people and obtain their data from businesses.
One year after the entry into force of the GDPR, EU researchers have shown how easy it is to access personal data from companies.
“It’s not a problem with the law itself, but rather with the companies and organizations that enforce it,” Mariano Di Martino, one of the researchers and a doctoral student at Hasselt University in Belgium, told CoinDesk in an interview. “This may be due to budget constraints or perhaps because they do not understand the risks of this data.”
One group used publicly available information, such as names, emails, and phone numbers, as well as more complicated methods, to request information about their research partners from 55 companies under the GDPR. One of these more complex methods involved replacing the name, date of birth and photo on an image of an identity document so that it matched the person whose information the researchers wanted. Of these 55 companies, 15 disclosed sensitive personal information to the researchers. Four companies never responded to their requests for data, in flagrant violation of the GDPR.
The information they gathered included details from financial companies, such as ID card numbers, a list of time-stamped financial transactions, customer IDs, phone numbers and place of birth. Transport and logistics companies released the places a person had visited in the past as well as the routes they had saved.
Another team of EU researchers found similar problems when one researcher requested information about his research partner and his wife, using a spoofed email account whose address was a variant of the wife's name. About a quarter of the 150 companies and organizations contacted transferred sensitive personal information without verifying the identity of the requester. The information provided included everything from her social security number to her high school grades and various account passwords.
As the CCPA takes effect, we may find similar problems. Research on the GDPR shows that privacy laws can only be as good as the companies involved, which is frightening. These leaks have real implications.
“Let’s say I was trying to track someone down and want to know more about them,” says Di Martino. “I could send a data request to a company that provides taxi or bus services and try to get all of the routes or GPS locations that person has been to. And it could work.”
The leader in blockchain news, CoinDesk is a medium that aims for the highest journalistic standards and respects a strict set of editorial policies. CoinDesk is an independent operational subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.