Privacy Risks from Public Data Sources

TL;DR

This paper investigates privacy vulnerabilities in Greek state data sources, demonstrating how they can be exploited for personal data extraction and proposing mitigation strategies to protect citizen privacy.

Contribution

It provides a comprehensive survey of Greek government data sources, revealing security flaws and suggesting measures to prevent privacy breaches and misuse of personal information.

Findings

Significant data can be scraped from government sources

Vulnerabilities enable impersonation and identity theft

Mitigation strategies can reduce attack risks

Abstract

In the fight against tax evaders and other cheats, governments seek to gather more information about their citizens. In this paper we claim that this increased transparency, combined with ineptitude, or corruption, can lead to widespread violations of privacy, ultimately harming law-abiding individuals while helping those engaged in criminal activities such as stalking, identity theft and so on. In this paper we survey a number of data sources administrated by the Greek state, offered as web services, to investigate whether they can lead to leakage of sensitive information. Our study shows that we were able to download significant portions of the data stored in some of these data sources (scraping). Moreover, for those data sources that were not amenable to scraping we looked at ways of extracting information for specific individuals that we had identified by looking at other data sources. The vulnerabilities we have discovered enable the collection of personal data and, thus, open the way for a variety of impersonation attacks, identity theft, confidence trickster attacks and so on. We believe that the lack of a big picture which was caused by the piecemeal development of these data sources hides the true extent of the threat. Hence, by looking at all these data sources together, we outline a number of mitigation strategies that can alleviate some of the most obvious attack strategies. Finally, we look at measures that can be taken in the longer term to safeguard the privacy of the citizens.