Security Analysis of Subject Access Request Procedures How to Authenticate Data Subjects Safely When They Request for Their Data
With the GDPR in force in the EU since May 2018, companies and administrations need to be vigilant about the personal data they process. The new regulation defines rights for data subjects and obligations for data controllers but it is unclear how subjects and controllers interact concretely. This p...
Saved in:
| Published in | Privacy Technologies and Policy pp. 182 - 209 |
|---|---|
| Main Authors | , , , , |
| Format | Book Chapter |
| Language | English |
| Published |
Cham
Springer International Publishing
2019
|
| Series | Lecture Notes in Computer Science |
| Subjects | |
| Online Access | Get full text |
| ISBN | 9783030217518 3030217515 |
| ISSN | 0302-9743 1611-3349 |
| DOI | 10.1007/978-3-030-21752-5_12 |
Cover
| Abstract | With the GDPR in force in the EU since May 2018, companies and administrations need to be vigilant about the personal data they process. The new regulation defines rights for data subjects and obligations for data controllers but it is unclear how subjects and controllers interact concretely. This paper tries to answer two critical questions: is it safe for a data subject to exercise the right of access of her own data? When does a data controller have enough information to authenticate a data subject? To answer these questions, we have analyzed recommendations of Data Protection Authorities and authentication practices implemented in popular websites and third-party tracking services. We observed that some data controllers use unsafe or doubtful procedures to authenticate data subjects. The most common flaw is the use of authentication based on a copy of the subject’s national identity card transmitted over an insecure channel. We define how a data controller should react to a subject’s request to determine the appropriate procedures to identify the subject and her data. We provide compliance guidelines on data access response procedures. |
|---|---|
| AbstractList | With the GDPR in force in the EU since May 2018, companies and administrations need to be vigilant about the personal data they process. The new regulation defines rights for data subjects and obligations for data controllers but it is unclear how subjects and controllers interact concretely. This paper tries to answer two critical questions: is it safe for a data subject to exercise the right of access of her own data? When does a data controller have enough information to authenticate a data subject? To answer these questions, we have analyzed recommendations of Data Protection Authorities and authentication practices implemented in popular websites and third-party tracking services. We observed that some data controllers use unsafe or doubtful procedures to authenticate data subjects. The most common flaw is the use of authentication based on a copy of the subject’s national identity card transmitted over an insecure channel. We define how a data controller should react to a subject’s request to determine the appropriate procedures to identify the subject and her data. We provide compliance guidelines on data access response procedures. |
| Author | Bielova, Nataliia Boniface, Coline Santos, Cristiana Lauradoux, Cédric Fouad, Imane |
| Author_xml | – sequence: 1 givenname: Coline surname: Boniface fullname: Boniface, Coline email: coline.boniface@inria.fr organization: Univ. Grenoble Alpes, Inria, France – sequence: 2 givenname: Imane surname: Fouad fullname: Fouad, Imane email: imane.fouad@inria.fr organization: Université Côte d’Azur, Inria, France – sequence: 3 givenname: Nataliia surname: Bielova fullname: Bielova, Nataliia email: nataliia.bielova@inria.fr organization: Université Côte d’Azur, Inria, France – sequence: 4 givenname: Cédric surname: Lauradoux fullname: Lauradoux, Cédric email: cedric.lauradoux@inria.fr organization: Univ. Grenoble Alpes, Inria, France – sequence: 5 givenname: Cristiana surname: Santos fullname: Santos, Cristiana email: cristiana.santos@ut-capitole.fr organization: School of Law, University Toulouse 1 Capitole, SIRIUS Chair, Toulouse, France |
| BookMark | eNo1kMFOwzAQRA0UibbkDzjkBwy73sSOj1EFBakSiMLZSuINSqkSiJND_560wGlWM6uR5i3ErO1aFuIG4RYBzJ01mSQJBFKhSZVMHaozsaDJORl0LuaoESVRYi9ENP3_Z5jNxPx4S2sSuhJRCDsAUAosJnou9JarsW-GQ5y3xf4QmhB3dbwdyx1XQ5xXFYcQv_L3yGGIX_quYj_2HK7FZV3sA0d_uhTvD_dvq0e5eV4_rfKNDGizQaa-1oS-YJ1RmQKwJ9S-9gQmAUyMBZqyMqt0YVKfUqEKSpiBtNK2LpmWQv32hq--aT-4d2XXfQaH4I5k3LTUkZv2uRMIdyRDP_ZKUqE |
| ContentType | Book Chapter |
| Copyright | Springer Nature Switzerland AG 2019 |
| Copyright_xml | – notice: Springer Nature Switzerland AG 2019 |
| DOI | 10.1007/978-3-030-21752-5_12 |
| DatabaseTitleList | |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EISBN | 3030217523 9783030217525 |
| EISSN | 1611-3349 |
| Editor | Bourka, Athena Medina, Manel Naldi, Maurizio Rannenberg, Kai Italiano, Giuseppe F. |
| Editor_xml | – sequence: 1 givenname: Maurizio orcidid: 0000-0002-0903-398X surname: Naldi fullname: Naldi, Maurizio email: maurizio.naldi@uniroma2.it – sequence: 2 givenname: Giuseppe F. orcidid: 0000-0002-9492-9894 surname: Italiano fullname: Italiano, Giuseppe F. email: gitaliano@luiss.it – sequence: 3 givenname: Kai surname: Rannenberg fullname: Rannenberg, Kai email: kai.rannenberg@m-chair.net – sequence: 4 givenname: Manel orcidid: 0000-0002-1763-1728 surname: Medina fullname: Medina, Manel email: medina@ac.upc.edu – sequence: 5 givenname: Athena surname: Bourka fullname: Bourka, Athena email: athena.bourka@enisa.europa.eu |
| EndPage | 209 |
| GroupedDBID | -DT -GH -~X 1SB 29L 2HA 2HV 5QI 875 AASHB ABMNI ACGFS ADCXD AEFIE ALMA_UNASSIGNED_HOLDINGS EJD F5P FEDTE HVGLF LAS LDH P2P RNI RSU SVGTG VI1 ~02 |
| ID | FETCH-LOGICAL-s198t-5df631dae683b500ed316dfd30740147903ae6b8c6a75d53a2a34ee036269fbe3 |
| ISBN | 9783030217518 3030217515 |
| ISSN | 0302-9743 |
| IngestDate | Wed Sep 17 03:09:45 EDT 2025 |
| IsPeerReviewed | true |
| IsScholarly | true |
| Language | English |
| LinkModel | OpenURL |
| MergedId | FETCHMERGED-LOGICAL-s198t-5df631dae683b500ed316dfd30740147903ae6b8c6a75d53a2a34ee036269fbe3 |
| PageCount | 28 |
| ParticipantIDs | springer_books_10_1007_978_3_030_21752_5_12 |
| PublicationCentury | 2000 |
| PublicationDate | 2019 |
| PublicationDateYYYYMMDD | 2019-01-01 |
| PublicationDate_xml | – year: 2019 text: 2019 |
| PublicationDecade | 2010 |
| PublicationPlace | Cham |
| PublicationPlace_xml | – name: Cham |
| PublicationSeriesSubtitle | Security and Cryptology |
| PublicationSeriesTitle | Lecture Notes in Computer Science |
| PublicationSeriesTitleAlternate | Lect.Notes Computer |
| PublicationSubtitle | 7th Annual Privacy Forum, APF 2019, Rome, Italy, June 13–14, 2019, Proceedings |
| PublicationTitle | Privacy Technologies and Policy |
| PublicationYear | 2019 |
| Publisher | Springer International Publishing |
| Publisher_xml | – name: Springer International Publishing |
| RelatedPersons | Kleinberg, Jon M. Hartmanis, Juris Mattern, Friedemann Goos, Gerhard Steffen, Bernhard Kittler, Josef Naor, Moni Mitchell, John C. Terzopoulos, Demetri Pandu Rangan, C. Kanade, Takeo Hutchison, David Tygar, Doug |
| RelatedPersons_xml | – sequence: 1 givenname: David surname: Hutchison fullname: Hutchison, David organization: Lancaster University, Lancaster, UK – sequence: 2 givenname: Takeo surname: Kanade fullname: Kanade, Takeo organization: Carnegie Mellon University, Pittsburgh, USA – sequence: 3 givenname: Josef surname: Kittler fullname: Kittler, Josef organization: University of Surrey, Guildford, UK – sequence: 4 givenname: Jon M. surname: Kleinberg fullname: Kleinberg, Jon M. organization: Cornell University, Ithaca, USA – sequence: 5 givenname: Friedemann surname: Mattern fullname: Mattern, Friedemann organization: ETH Zurich, Zurich, Switzerland – sequence: 6 givenname: John C. surname: Mitchell fullname: Mitchell, John C. organization: Stanford University, Stanford, USA – sequence: 7 givenname: Moni surname: Naor fullname: Naor, Moni organization: Weizmann Institute of Science, Rehovot, Israel – sequence: 8 givenname: C. surname: Pandu Rangan fullname: Pandu Rangan, C. organization: Indian Institute of Technology Madras, Chennai, India – sequence: 9 givenname: Bernhard surname: Steffen fullname: Steffen, Bernhard organization: TU Dortmund University, Dortmund, Germany – sequence: 10 givenname: Demetri surname: Terzopoulos fullname: Terzopoulos, Demetri organization: University of California, Los Angeles, USA – sequence: 11 givenname: Doug surname: Tygar fullname: Tygar, Doug organization: University of California, Berkeley, USA – sequence: 12 givenname: Gerhard surname: Goos fullname: Goos, Gerhard organization: Karlsruhe, Germany – sequence: 13 givenname: Juris surname: Hartmanis fullname: Hartmanis, Juris organization: Ithaca, USA |
| SSID | ssj0002209146 ssj0002792 |
| Score | 2.028294 |
| Snippet | With the GDPR in force in the EU since May 2018, companies and administrations need to be vigilant about the personal data they process. The new regulation... |
| SourceID | springer |
| SourceType | Publisher |
| StartPage | 182 |
| SubjectTerms | Data protection GDPR Identity verification Privacy Right of access Subject access request (SAR) |
| Subtitle | How to Authenticate Data Subjects Safely When They Request for Their Data |
| Title | Security Analysis of Subject Access Request Procedures |
| URI | http://link.springer.com/10.1007/978-3-030-21752-5_12 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwnV1NT9wwELW2ywX1QEtBhRbkAzcUtFl_ZHPooUIgQJQLUHGL7NiWIrUbaTfhwG_gR3cmtjdZ4EIv0cpZOc68eMYz9rwh5EhoY10mTVLms0nClYM5Z0uZlEZZWB6kmTaYnPzrRl7c86sH8TAaPQ9OLbWNPimf3swr-R9UoQ1wxSzZdyC76hQa4DfgC1dAGK4vFr_rYVZPerGoHrFW-yo4Dj6vP_vfU_125wDnlQuh8lOs0GN7w9N6fC__qsHmemX_1I_Ka16kR6xWihtzqJWpW1-Z2G-xm0VVDj-721APb43tBLQThnuwNIVPTOmMkU9SMO0iHGNEkdnlj-uwq3FTN91hseNYeCLqoWGgAnOj1gIVMVD5ItTZR9vWPFuwrOgtiaFyxqYE_B-vEK1X2BJpGJmnPQ1KOPXljII9n3b0C69NxfB0CPSc4NPALy-wZPUHGMCYbPw8u7r-vYrYTaGnjmkn2HmkXvR7VH5UmDkURy08t1P_FoOszbce-Wofvlve3H0iHzHlhWIuCgjtMxnZ-TbZinKnQe5fiIzo0ogurR0N6FKPLg3o0h7dHXJ_fnZ3epGEwhvJMs1nTSKMkyyF2SpnTIvJxBqWSuMM2ANwx3mWTxjc07NSqkwYwdRUMW5tR22UO23ZLhnP67n9SihXQueKl-BZSK5KoVIrueNTpTNwJJzYI8fxxQucSssi8miDmApWgJiKTkwFimn_Xf_-Rjb77_A7GTeL1h7AErLRhwHbf0BdaEs |
| linkProvider | Library Specific Holdings |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.title=Privacy+Technologies+and+Policy&rft.au=Boniface%2C+Coline&rft.au=Fouad%2C+Imane&rft.au=Bielova%2C+Nataliia&rft.au=Lauradoux%2C+C%C3%A9dric&rft.atitle=Security+Analysis+of+Subject+Access+Request+Procedures&rft.series=Lecture+Notes+in+Computer+Science&rft.date=2019-01-01&rft.pub=Springer+International+Publishing&rft.isbn=9783030217518&rft.issn=0302-9743&rft.eissn=1611-3349&rft.spage=182&rft.epage=209&rft_id=info:doi/10.1007%2F978-3-030-21752-5_12 |
| thumbnail_l | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=0302-9743&client=summon |
| thumbnail_m | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=0302-9743&client=summon |
| thumbnail_s | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=0302-9743&client=summon |