Security Analysis of Subject Access Request Procedures: How to authenticate data subjects safely when they request for their data
- Others:
- Privacy Models, Architectures and Tools for the Information Society (PRIVATICS) ; Inria Grenoble - Rhône-Alpes ; Institut National de Recherche en Informatique et en Automatique (Inria) ; CITI Centre of Innovation in Telecommunications and Integration of services (CITI) ; Institut National des Sciences Appliquées de Lyon (INSA Lyon) ; Université de Lyon ; Institut National des Sciences Appliquées (INSA) ; Inria Lyon
- Secure Diffuse Programming (INDES) ; Inria Sophia Antipolis - Méditerranée (CRISAM) ; Institut National de Recherche en Informatique et en Automatique (Inria)
- Université Toulouse 1 Capitole (UT1) ; Université Fédérale Toulouse Midi-Pyrénées
- ANSWER project PIA FSN2 (P159564-2661789nDOS0060094)
- ANR-15-IDEX-0002,UGA,IDEX UGA(2015)
- ANR-18-CE39-0008, PrivaWEB, Privacy protection and compliance with the ePrivacy regulation for Web users (2018)
Description
With the GDPR in force in the EU since May 2018, companies and administrations need to be vigilant about the personal data they process. The new regulation defines rights for data subjects and obligations for data controllers, but it is unclear how subjects and controllers interact concretely. This paper tries to answer two critical questions: is it safe for a data subject to exercise the right of access to her own data? When does a data controller have enough information to authenticate a data subject? To answer these questions, we have analyzed the recommendations of Data Protection Authorities and the authentication practices implemented in popular websites and third-party tracking services. We observed that some data controllers use unsafe or doubtful procedures to authenticate data subjects. The most common flaw is authentication based on a copy of the subject's national identity card transmitted over an insecure channel. We define how a data controller should react to a subject's request in order to determine the appropriate procedures for identifying the subject and her data. We provide compliance guidelines on data access response procedures.
Abstract
International audience
Additional details
- URL
- https://hal.inria.fr/hal-02072302
- URN
- urn:oai:HAL:hal-02072302v1
- Origin repository
- UNICA