Can Authoritative Governments Abuse the Right to Access?
Cédric Lauradoux

TL;DR
This paper explores how authoritative governments could abuse the GDPR's right to access by forging documents or exploiting governmental resources, emphasizing the need for stronger authentication procedures to protect data subjects' privacy.
Contribution
It extends existing impersonation attack models by considering government-level adversaries and highlights vulnerabilities in current authentication methods for data access requests.
Findings
Governmental resources can be exploited to forge documents.
Current authentication methods may be insufficient against such attacks.
Stronger procedures like multi-factor authentication are necessary.
Abstract
The right to access is a great tool provided by the GDPR to empower data subjects with their data. However, it needs to be implemented properly, otherwise it could turn subject access requests against the subjects' privacy. Indeed, recent works have shown that it is possible to abuse the right to access using impersonation attacks. We propose to extend those impersonation attacks by considering that the adversary has access to governmental resources. In this case, the adversary can forge official documents or exploit copies of them. Our attack affects more people than one may expect. To defeat the attacks from this kind of adversary, several solutions are available like multi-factors or proof of aliveness. Our attacks highlight the need for strong procedures to authenticate subject access requests.
Taxonomy
Topics: Privacy, Security, and Data Protection · Privacy-Preserving Technologies in Data · Internet Traffic Analysis and Secure E-voting
