Researchers Show How Europe’s Data Protection Laws Can Dox People

Europe’s controversial privacy law, the General Data Protection Regulator—better known as GDPR—has been hailed by some as a solution to tech companies’ pervasive data collection and tracking.

What maybe no one saw coming is that GDPR can become another tool in the arsenal of enterprising and malicious social engineers, hackers, and people who want to dox and harass others.

That’s what Ph.D student and cybersecurity researcher James Pavur discovered when he and his fiance—and co-author on their paper—Casey Knerr made an unusual wager about using GDPR’s right of access requests—a mechanism that allows Europeans to ask any company about what data they have on themselves—with the goal of extracting sensitive information.

“I made a bet that I could steal her identity using these GDPR requests,” Pavur said.

“I think James definitely won the bet,” Knerr said. Using GDPR, Pavur was able to get a treasure trove Knerr’s personal information, including her Social Security Number.

Along with his fiance Knerr, who also works in the infosec industry—and with her full consent—Pavur devised a clever, yet very simple experiment.

He started with just Knerr’s full name, a couple of email addresses, phone numbers, and any other low-hanging fruit that he could find online. In other words, “the weakest possible form of attack,” as he put it in his paper. Then, he sent requests to 75 companies, and then to another 75 using the new data—such as home addresses—he found through the first wave of requests using an email address designed to look like that of Knerr.

Thanks to these requests, Pavur was able to get his fiance’s Social Security Number, date of birth, mother’s maiden name, passwords, previous home addresses, travel and hotel logs, high school grades, partial credit card numbers, and whether she had ever been a user of online dating services.

“That’s a huge amount of information that I was able to get just knowing her email address and her phone number,” Pavur, who spoke about his research project at the Black Hat security conference in Las Vegas on Thursday, said in an interview ahead of the event. “Very sensitive stuff that she’s never told me, and probably never told anyone.”

According to Pavur and Knerr, 25 percent of companies he contacted never responded. Two thirds of companies, including online dating services, responded with enough information to reveal that Pavur’s fiance had an account with them. Of those who responded, 25 percent provided sensitive data without properly verifying the identity of the sender. Another 15 percent requested data that could have easily been forged, while 40 percent requested identifying information that would’ve been relatively hard to fake, according to the study.

Have a tip about a data breach or a security incident? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

Of course, Pavur wasn’t actually trying to dox Knerr. He wanted to show that while GDPR is great for giving consumers control over their data, it opens up new scary scenarios where strangers can request and obtain other people’s data.

“The main goal of this was to point out that privacy laws can have vulnerabilities and it’s not just about the companies you’re regulating as the only enemy in this scenario,” Pavur explained. “There are a bunch of attackers who might be interested in this data and might try to abuse the laws to get at it.”

Pavur concluded that we need better mechanism to verify that the person who sends the right of access request really is who they claim to be. Some companies, Pavur noted in his white paper, which he shared with Motherboard in advance, were pretty good at verifying his identity. In some cases, they requested him to log in with the original email his fiance used, or sent an email to the address on file (which Pavur had no access to) and asked to click a link.

But in other cases companies didn’t even bother asking for verification and just sent back the data, like in the case of the company that turned over Knerr’s SSN. In the middle, there were companies asking for documents such as passports or bank statements, which could easily be forged.

“I do feel a bit concerned about how easy it was to get sensitive information on me,” Knerr said, “though I’m hoping that with time and maybe more awareness companies improve their processes.”

In the future, Pavur hopes regulators will give companies more strict verification requirements. And perhaps even create government agencies that can verify documents like passports, which would solve the problem of a consumer having to send their documents to companies.

“So instead of me sending my passport to a shoe store I would send it to a government store that would send a ‘yes’ or ‘no’ answer to a shoe store about whether or not that was a real passport. I think that has the benefit of a strong form of identity without the risk of sharing it to just whoever asks for it,” Pavur said. “I trust them a little bit more than random shoe store.”

Subscribe to our new cybersecurity podcast, CYBER.