One year following the entry into force of the GDPR, all websites and data controllers have updated their procedures to store users' data. The GDPR does not only cover how and what data should be saved by the service providers, but it also guarantees an easy way to know what data are collected and the freedom to export them. In this paper, we carry out a comprehensive study on the right to access data provided by Article 15 of the GDPR. We examined more than 300 data controllers, requesting access to personal data to each of them. We found that almost each data controller has a slightly different procedure to fulfill the request and several ways to provide data back to the user, from a structured file like CSV to a screenshot of the monitor. We measure the time needed to complete the access data request and the completeness of the information provided. After this phase of data gathering, we analyze the authentication process followed by the data controllers to establish the identity of the requester. We find that 50.4% of the data controllers that handled the request have flaws in their procedures of identifying users or in their phase of sending the data, exposing users to new threats, even if these data controllers store data in compliance with the GDPR. Our surprising and undesired results show that, in its present deployment, the GDPR has actually decreased the privacy of users of web services.

GDPR: When the Right to Access Personal Data Becomes a Threat / Bufalieri, L.; La Morgia, M.; Mei, A.; Stefa, J. - (2020), pp. 75-83. (Paper presented at the 13th IEEE International Conference on Web Services, ICWS 2020, held in chn) [10.1109/ICWS49710.2020.00017].

GDPR: When the Right to Access Personal Data Becomes a Threat

Bufalieri L.; La Morgia M.; Mei A.; Stefa J.
2020

13th IEEE International Conference on Web Services, ICWS 2020
Data Controllers; GDPR; Law Compliance; Privacy; Web services
04 Publication in conference proceedings::04b Conference paper in volume
Use this identifier to cite or link to this document: https://hdl.handle.net/11573/1518052