Please use this identifier to cite or link to this item:
http://hdl.handle.net/1942/29194
Full metadata record
DC Field | Value | Language |
---|---|---|
dc.contributor.author | DI MARTINO, Mariano | - |
dc.contributor.author | ROBYNS, Pieter | - |
dc.contributor.author | Weyts, Winnie | - |
dc.contributor.author | QUAX, Peter | - |
dc.contributor.author | LAMOTTE, Wim | - |
dc.contributor.author | ANDRIES, Ken | - |
dc.date.accessioned | 2019-09-16T10:44:47Z | - |
dc.date.available | 2019-09-16T10:44:47Z | - |
dc.date.issued | 2019 | - |
dc.identifier.citation | Proceedings of the Fifteenth Symposium on Usable Privacy and Security, USENIX, p. 371-386 | - |
dc.identifier.isbn | 9781939133052 | - |
dc.identifier.uri | http://hdl.handle.net/1942/29194 | - |
dc.description.abstract | The General Data Protection Regulation (GDPR) “Right of Access” grants (European) natural persons the right to request and access all their personal data that is being processed by a given organization. Verifying the identity of the requester is an important aspect of this process, since it is essential to prevent data leaks to unauthorized third parties (e.g. criminals). In this paper, we evaluate the verification process as implemented by 55 organizations from the domains of finances, entertainment, retail and others. To this end, we attempt to impersonate targeted individuals who have their data processed by these organizations, using only forged or publicly available information extracted from social media and alike. We show that policies and practices regarding the handling of GDPR data requests vary significantly between organizations and can often be manipulated using social engineering techniques. For 15 out of the 55 organizations, we were successfully able to impersonate a subject and obtained full access to their personal data. The leaked personal data contained a wide variety of sensitive information, including financial transactions, website visits and physical location history. Finally, we also suggest a number of practical policy improvements that can be implemented by organizations in order to minimize the risk of personal information leakage to unauthorized third parties. | - |
dc.description.sponsorship | This research was funded in part by the Bijzonder Onderzoeksfonds (BOF) of Hasselt University and by a Ph.D. Grant of the Research Foundation Flanders (FWO), grant number 1S14916N. Finally, we thank the reviewers and shepherd for their in-depth feedback. | - |
dc.language.iso | en | - |
dc.publisher | USENIX | - |
dc.rights | 2019 by The USENIX Association. All Rights Reserved. This volume is published as a collective work. Rights to individual papers remain with the author or the author’s employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. Permission is granted to print, primarily for one person’s exclusive use, a single copy of these Proceedings. USENIX acknowledges all trademarks herein. | - |
dc.title | Personal Information Leakage by Abusing the GDPR 'Right of Access' | - |
dc.type | Proceedings Paper | - |
local.bibliographicCitation.conferencedate | 12/08/2019 - 13/08/2019 | - |
local.bibliographicCitation.conferencename | Conference: 15th Symposium on Usable Privacy and Security | - |
local.bibliographicCitation.conferenceplace | Santa Clara, California, USA | - |
dc.identifier.epage | 386 | - |
dc.identifier.spage | 371 | - |
local.bibliographicCitation.jcat | C1 | - |
local.publisher.place | Santa Clara, CA, USA | - |
local.type.refereed | Refereed | - |
local.type.specified | Proceedings Paper | - |
dc.source.type | Meeting | - |
dc.identifier.isi | WOS:000527571900022 | - |
dc.identifier.url | https://www.usenix.org/conference/soups2019/presentation/dimartino | - |
local.provider.type | Web of Science | - |
local.bibliographicCitation.btitle | Proceedings of the Fifteenth Symposium on Usable Privacy and Security | - |
local.uhasselt.uhpub | yes | - |
item.validation | ecoom 2021 | - |
item.fullcitation | DI MARTINO, Mariano; ROBYNS, Pieter; Weyts, Winnie; QUAX, Peter; LAMOTTE, Wim & ANDRIES, Ken (2019) Personal Information Leakage by Abusing the GDPR 'Right of Access'. In: Proceedings of the Fifteenth Symposium on Usable Privacy and Security, USENIX, p. 371-386. | - |
item.contributor | DI MARTINO, Mariano | - |
item.contributor | ROBYNS, Pieter | - |
item.contributor | Weyts, Winnie | - |
item.contributor | QUAX, Peter | - |
item.contributor | LAMOTTE, Wim | - |
item.contributor | ANDRIES, Ken | - |
item.accessRights | Open Access | - |
item.fulltext | With Fulltext | - |
Appears in Collections: | Research publications |
Files in This Item:
File | Description | Size | Format |
---|---|---|---|
Revised_GDPR_paper.pdf | Peer-reviewed author version | 1.92 MB | Adobe PDF |
soups2019-di_martino.pdf (Restricted Access) | Published version | 3.28 MB | Adobe PDF |
Web of Science citations: 9 (checked on May 2, 2024)
Page view(s): 128 (checked on Sep 7, 2022)
Download(s): 34 (checked on Sep 7, 2022)
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.