
All right, so today I'm going to tell you all about how to get personal information. All right, today we're gonna talk about how to get personal information from the new privacy laws. Exciting topic. I'm Amber Welch. I evaluate corporate privacy programs for a living, so I hope you like xkcd even if you don't like privacy laws, so there will be something for everyone. I also like Oxford commas and reading the privacy laws so that you don't have to.

I'm a privacy technical lead at an audit firm, so I go into corporations and tell them basically what they're doing wrong, and I see a lot of terrifying things. Before that I managed a security and privacy program for a suite of hospitality SaaS apps, so I've been on both sides of this: I evaluate them and I've done it myself.

So for the next 20 minutes I'm gonna tell you about what the data subject rights are (DSRs, data subject requests, that's what they're often called), the exploits that you can do with them, and some defense strategies if you happen to work for an organization that might be subject to using.

So the data subject requests, a.k.a. DSARs, DSRs, SARs, consumer... Oh yeah, should be... this is what happens when you use Google Slides. Okay, here we go. See my lovely cat? That's not mine. So there's xkcd, that's what I was talking about, and you're gonna have to look at these slides online so that you can actually laugh about that very hilarious comic about privacy.

Okay, so we're in a global data privacy era. There are new privacy laws popping up every day: federal laws, state laws, international laws. It's something that has become a big part of the internet right now. Anybody who has stuff online has their information being accessed everywhere; it's available everywhere, transferred. You know, you outsource everything to India, so there's a lot of information
that is subject to rights of governments that you might not even really know about.

So there's four key rights to exploit. I'm gonna focus on GDPR since that's the one that's active right now. CCPA is a big one, so I do have information about that online for this cheat sheet that I'm gonna give you, but since there are still amendments for it and they're not quite finished, and it's also not in place, I'm not going to get too far in the weeds on that just in case it changes.

So the key rights to exploit are access, which is the ability to request access to all of the information a company has on you, even stuff you can't really see through your account; rectification or modification, which is the ability to update incorrect information about yourself; the right to erasure, or the right to deletion, the right to be forgotten, you might know about those; and portability.

So most companies are subject to at least one government's laws that have access rights, because these are very common across all privacy laws. Now GDPR did something interesting. These access rights have been in place for almost 40 years now, but GDPR added indirect identifiers to the definition of personal information, which potentially makes all information PII, because they also included the idea, with California, household and device information, and they both decided that, yeah, sure... see if I can get this closer. Both California and GDPR identify any information that could potentially be linked to a person, even in the future, as PII. So you have a lot of data right now that you might consider anonymous, but if it could be combined with something else in a new data set, it becomes PII. So it really changes how you have to think about protection and the potential for access exploits.

The Google Spain lawsuit is a really interesting idea, because someone sued Google, the Spanish guy, because he wanted some information taken off of Google, and Google said, "Not our problem, we don't have any control over this." The EU decided it is your problem: even if you don't have control, you're still legally the controller of the data. So I asked Jason Scott what he thought about that, and he basically said let's see what happens, I hope they don't get him on their radar.

So in the US, companies are mostly unprepared for this because they haven't had these types of rights before. There's been a lot of panic. You've heard about the 4% global annual revenue fine, so when companies think about comparing giving access to an individual who asks for it versus a four percent fine, they say, "Here you go." So their response has mostly just been: provide all of the data. They see this as a legal issue; they don't see it as a
security topic. Usually it's just sorted out by lawyers. They consider non-compliance a greater risk than the breach of one individual's data.

So now we're going to talk about the fun stuff: what you can do with this. So bad actors, this is one of my favorite ones: the legal DDoS. Bad actors can jump in along with legitimate grassroots protests or educational campaigns. You see these show up every once in a while, when some enterprising person says, "This company is bad and does bad things with your data, so take your rights back; here's a bunch of boilerplate text and the form," and maybe thousands of people submit these requests at the same time. So anybody that's a little bit also enterprising on the other side can say, "Perfect, I can flood you with requests with boilerplate language," which you normally wouldn't be able to get away with; it would be noticed if you are submitting lots of requests with the same text. So that's an area where there's a lot of difficulty, because security and legal teams are really distracted, they have a hard time fulfilling all of those requests, and if it's quite challenging it can be very expensive. So the average manually processed data subject request cost, and the only country that tracks this is the UK, and they say it's 145 pounds. So this guy asked for his information from a midwifery clinic, and it cost them two hundred and forty thousand pounds to sufficiently redact the information.

So other bad actors. I don't have time to go into this today, but there's lots of fun stuff that you can do with this if you have a creative bent.

Phishing. Everybody wants to do phishing, right? So the new ability to request indirect identifying data is even further complicated by California's requirement that you can't make somebody have an account with you to fulfill that request. So when you think about IP addresses as indirect identifiers, or publicly scraped biometric information, how do you tell a person no if they have that information and you can't really associate them with that data? They never
gave it to you, but you still have it. That leaves you in a really challenging situation.

So another thing that phishers can do is request data for other people with their own name. So I have a very common name. This terrifies me. I could ask for all of the information from the other Amber Welch, the more successful one with a PhD who lives in London. I know this because I get her Tube updates. [Laughter] So what Google used to do is ask for passport information, but you never made an account with Google with your passport, right? So if you send them your passport ID, which Amber Welch? One of them. I'm just one in a number of them, and I'm sure many of you are that way as well.

Another tactic is escalating from low-sensitivity requests to confidential information: getting that foot in the door by saying, "Oh, I just want to update my address," and verifying information, and then saying, "By the way, can I also get a copy of all of my data?" You're already through that validation, so if they don't have good controls around verification, this is a good way to get in. California adding household or child data is another good potential tactic here, because they haven't really identified what they mean by household data. I think IoT is gonna be an area where this will be potentially very scary.

So social engineering is interesting with this, because you are not allowed to reject a verbal request. So if you call up a company and you say, "Oh, you know, computers are hard, can you help me with my phone?" then a really good social engineer has a lot of freedom to move around within that company's data. You can use that to confirm profile data that you suspect if you're trying to merge profiles from different data sets that you've gathered, you can learn new data, or it's a potential good use for freshly breached data that hasn't yet been disclosed. And when you're evaluating a target, stay away from the privacy officer. The privacy officer does nothing but think about these problems, so they're a lot more likely to pick up on this stuff.

A good way to evaluate whether a company is a target for this is to look at two things: their executive page and their privacy policy page. So the privacy policy will tell you if they have really vague or maybe old information or no named privacy officer. If there's no executive with any privacy or security responsibilities, they probably have quite weak controls for this. Also some of these are doing DPO for hire, which is just a service where you can have someone act as your DPO, don't get a lot of attention, and they don't know anything about the business.

This is a
tool called private org. It turns any privacy policy into this nice little alluvial diagram, so you can see this one at the top, that's weak; it just kind of narrows down into what they call unspecified choice, which means there's really no information in there at all. So if you see a good strong policy like that, it'll have a lot of information and it gives you a lot of detail about what you can do with the privacy.

So weak targets. There are a few profiles that I see as common problems. Companies that have a high volume of indirect identifiers that don't necessarily require an account, especially one with a name: so places where you might not have an email address associated with an account, you can make an account without really doing anything else, or places where you might have an account that's entirely offline, where you haven't really made any kind of login information. It's very difficult to authenticate that person. International charities are subject to a lot of privacy laws. They really want to be helpful, but they don't have a lot of money, so unfortunately usually a good target. Social media startups tend to not care a lot about privacy because it's boring compliance stuff, but they get an awful lot of data and they are data controllers, they're B2C, so targets that probably have a lot of leakage. And then the small and medium businesses in minimally regulated industries like hospitality, entertainment: they kind of know that they have to follow this stuff, but it's not like they're HIPAA or anything, they don't have any important data, right? So they don't tend to pay too much attention to it. And also apps without 2FA. This is what happens if you don't have 2FA: if you have a policy where somebody can get all of their information through just authenticating, then, you know, easy, all you have to do is hack in.

So the thing that scares me about this is that regulators have known this is a problem for over 40 years, and yet security teams really don't tend to get involved, because they don't want to. People don't like to talk to lawyers, and if they don't have to, they won't.

So what can we do for defense strategies? Now that I have told you all of the terrifying things, you feel a moral obligation to do something about it, right? As the person with a common name, please.

So this is how DSRs are usually processed. A request comes into a generic inbox, either support or maybe a legal team. The intake team decides valid, invalid. Low-risk valid requests go to the support team, maybe a password reset. Even valid requests that are high-risk or manual processing usually go to the legal privacy team, and then they tell IT or a DBA: OK, delete this person, let us know
when it's done.

So the challenges with this: we know that identification is really difficult, and in this context even more difficult. There's insufficient data often to link a person; you might identify a human being but not know what record goes with them. You can't require California customers to make an account. You can't collect even more excessive information for the purpose of verifying ID, so you have to work with what you have, and you can't make the process burdensome. Also, if you do need copies of identification documents, you're just adding more sensitive information that you've collected. And then even services like GOV.UK's Verify service are only 51% successful, and that's their statistic.

So what do you do? What's safe? There's really only two good methods. Confirmation from the user themselves with two or more transactions, some kind of account history. The reason you want two or more is because if I go to the hotel bar after this and I pick up somebody's receipt, I have their information: the date of their last stay and maybe a transaction on the account. So for an organization that is only validating with one piece of transactional history, then almost anything you do in your daily life could potentially become identifying information for a DSR. So this would be an example: when did you last stay at our hotel, plus the last four digits of the card on file.

The other thing that you can do is confirm identity as already known by the organization. So you can use things like driver's license or passport, but only if you already have that information on file that was already associated with that person. Don't just give, you know, John Smith's information out to every other John Smith. And you have to kind of assume that those IDs are probably compromised, so you would be looking to potentially get scans and actually see that they have possession of the document.

So the key thing to remember here is that you don't need to know the person; you need to know that the person making the request is the same person associated with the data. If you never actually find out who that real human being is, that's not actually that important. You just need to make sure that that person is requesting the same information associated with their own history.

So here's my cat, because I know this is long. So take a risk-based ID process: graduated ID levels for low- to high-risk data. Don't let somebody escalate to a higher level of information based only on the fact that you talked to them on the support phone. Assume that all IDs are compromised. The NIST digital identity guidelines are pretty good, a safe bet, and can also give you a lot of compliance kudos with regulators if you ever did have any problems. And deny any high-risk, low
confidence request. If you're just not sure, say no. Document why. You're not gonna get in trouble with regulators if you have a good reason for denying that request; you just have to say why, and you have to explain it to the person who's making the request. When you do a denial, you can give the person the information for the regulator that they can complain to if they want to escalate it, so legitimate requests have a way to escalate, and then scammers are not likely to do that, obviously.

So some ways to minimize risk. Use automated self-service when possible; please only do this if you have good 2FA. If you have a manual DSR process, consider adding a notice banner to the UI, so if somebody has maliciously created that request, the real user will see it when they log in. Don't export any data that the user can already access; you're not required to do that. So if it's available to them in the app, just tell them where to find it; don't send it over an insecure method. And then use secure communications for any ID verification. Please do not make people email passports.

All right, remember that you're trying to meet the true need. The heart of privacy laws is to honor what people actually want. They want control over their data; they want to have a little bit more insight into what you're doing with their information. So sometimes they need a password reset, sometimes they just need help navigating the application, or they might only want a certain piece of information. There's no reason to export their entire file if they just want to know one specific thing.

And these are some red flags that you can look for. Keep a few metrics on your system to make sure that you're identifying when you have a high volume of requests, a lot of strange requests, text that looks the same. Kind of pay attention to what's happening across multiple requests, if somebody's trying to figure out your process by submitting three different types of requests and seeing what you do with them. And default to denying all requests. Make them show you why it's a valid request; don't just give them the information. Like I said, it's not a problem if you deny; you just have to explain why and give them... you know, don't make it impossible. Let them actually get access, but only if it's truly valid.

So these are all reasons according to the GDPR that you are allowed to reject requests. So this is all on the cheat sheet. I give the legal text as well, so you can find that on this GitHub. I haven't actually added the part for the exploits under the GDPR. Yeah, I will be doing that on Sunday. But that includes all of the legal relevant sections for both the CCPA and the GDPR, both for the exploit side, if you want to try to do some red teaming or pen testing with it, and for the defense side, if you'd like to brush up on your security.

All right, I'm out of time, but if you have questions please find me afterwards. I love talking about this. Find me on Twitter. I'm happy to hear about your stories or tell you where I found my great cat. [Applause]
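
Two of the red flags named near the end of the talk (request text that looks the same across many requesters, and one requester submitting several different request types) can be tracked with a small intake check. This is an added example, not part of the talk or the speaker's cheat sheet; the record fields, thresholds and sample queue are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

def shingles(text, k=3):
    """Set of k-word shingles from lower-cased text (empty set for empty text)."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    if not words:
        return set()
    return {tuple(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def review_flags(requests, sim_threshold=0.7, cluster_min=3, probe_min=3):
    """Map request id -> set of red flags. Flags route a request to manual
    review; they are not a verdict. Unflagged requests are omitted."""
    flags = defaultdict(set)
    clusters = []  # [(shingles of first member, [request ids])]
    for req in requests:
        sig = shingles(req["text"])
        for rep, ids in clusters:
            if jaccard(rep, sig) >= sim_threshold:
                ids.append(req["id"])
                break
        else:
            clusters.append((sig, [req["id"]]))
    for _, ids in clusters:  # same boilerplate from many requesters
        if len(ids) >= cluster_min:
            for rid in ids:
                flags[rid].add("boilerplate_cluster")
    types_seen = defaultdict(set)
    for req in requests:
        types_seen[req["requester"]].add(req["type"])
    for req in requests:  # one requester trying several request types
        if len(types_seen[req["requester"]]) >= probe_min:
            flags[req["id"]].add("multi_type_probe")
    return dict(flags)

# Constructed sample intake queue (hypothetical field names and addresses).
TEMPLATE = ("Under Article 15 GDPR I request a copy of all personal data you hold "
            "about me, the purposes of processing, and the recipients. My name is {}.")
def _r(rid, who, kind, text):
    return {"id": rid, "requester": who, "type": kind, "text": text}
SAMPLE_REQUESTS = [
    _r("r1", "a@example.test", "access", TEMPLATE.format("Alex")),
    _r("r2", "b@example.test", "access", TEMPLATE.format("Blake")),
    _r("r3", "c@example.test", "access", TEMPLATE.format("Casey")),
    _r("r4", "d@example.test", "rectification",
       "I stayed with you last month, please correct the spelling of my surname."),
    _r("r5", "e@example.test", "access", "Please send me everything you have on file for my account."),
    _r("r6", "e@example.test", "erasure", "Delete my loyalty profile and confirm once that is done."),
    _r("r7", "e@example.test", "portability", "Export my booking history in a machine readable format."),
]

if __name__ == "__main__":
    for rid, found in sorted(review_flags(SAMPLE_REQUESTS).items()):
        print(rid, sorted(found))
```
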