
We're going to get started. Welcome, my name is Scott Christian, here to welcome you to 2019 BSides. This is our fifth presentation on the policy track. We have Amber Welch, who is from the Islamic company; she's going to be talking to us about privacy.

So I evaluate policies and privacy programs for a living. I am an auditor and program assessor. I have worked with Silicon Valley big tech names, small startups, IoT firms. So today we're going to talk about data subject access requests, the DSRs, which is what some people call them, the exploits that you're able to do, and some defense strategies for those of you who are working at a company that has to honor some of these requests.

So we'll start with the data subject requests. Is anybody familiar with this concept already? Okay. So this is something that has come out mostly from GDPR; that's where Americans got their first taste of it. So we're living in a global privacy era now. Data is transferred between nations, a lot of companies have branches internationally, are processing international data, and are responsible for maintaining privacy law compliance across borders. So it's very different from what we're used to, and these access laws, even though they're slightly different between nations, most countries that do have some kind of privacy law will have something to do with access rights. So we're going to talk mostly about GDPR, because it's a good case study, but these concepts are applicable no matter where you are: Canada, California, Brazil, the APEC region.

So there are four primary exploitable rights. The first one is the access right; this is the major issue for the exploit concept. So the right to access is just the right to tell a company, hey, I know you have data on me, I want to know what you have, give me a full record of everything that you've got. The other thing you can do is request modification, so you can tell a company, the data you have on me is incorrect and I'm going to tell you to change it. This is also known as the right of rectification, and sometimes you might see those. It's a good way to get a foot in the door with some of the exploits without asking for the whole data set. You can also request erasure; this is commonly known as the right to be forgotten, and it's new in GDPR. Not every access law has this, but it does show up some places. And there's also the right to portability, where you can request a machine-readable export of your information to port it over to a competitor, which obviously would give you all that data as well.

So there are a few new challenges that have shown up with these access laws. We have, in the
California privacy law, the CCPA, a concept of metadata and indirect identifiers. They have added household data and device data to the concept of what constitutes PII or personal information. GDPR also added things like IP addresses; this has not originally been an American concept. So if you're thinking about protecting personal information, the scope is very broad now. Also, both GDPR and CCPA have decided that if the data can potentially be linked to a person, even if it's not currently identifiable, that's also personal data. This has a lot of implications for machine learning that we can't get into today, but maybe next year I'll do a talk on that, so we'll see you then.

The other issue that we've seen, mostly from the new concept of control, data controllers and data processors, is that if you have personal information, even if you didn't collect it, you're still responsible for fulfilling these privacy access rights. There is a really interesting case where this guy sued Google Spain for the right to be forgotten under the previous Data Protection Directive, which is like GDPR's predecessor, and Google argued, we didn't create this information, it's just the Internet, what are we supposed to do about the Internet, it just is what it is. But the EU decided that you, as the data controller, Google, are still responsible for honoring his request to be forgotten, even if you really had nothing to do with gathering that information and the information is not associated with any particular account. So now that you know that American companies have so much obligation to abide by European law, these are new concepts that a lot of US organizations will have to learn to accept.

So this leaves us with the idea that potentially everything can be personal data. It's very difficult to know for sure that something is not personal data if it could be linked to somebody, right? I mean, how do you define for sure that something isn't personally identifiable or couldn't become personally identifiable? So what have companies done about this? American companies went through a big panic mode, if you'll remember the onslaught of privacy policy update emails, you know, GDPR day, the day on which privacy lawyers got PTSD. So most companies just panicked, a lot of really bad decisions. There's a lot of fear; the four percent potential revenue fine by the EU was a big scare tactic. A lot of privacy vendors really pushed this because they wanted the business, and there was generally a lot of misunderstanding. So most organizations took the direction of just providing all of the information when they got one of these data subject requests. A lot of them also determined to outsource to a legal firm, partly as a CYA move, right, like it's not our problem, somebody else has to do it, we've hired somebody. So the problem with that is that legal firms are quite expensive
and don't necessarily understand your technical environment, and a limited understanding of security comes out, especially regarding authentication of data subjects. So in general, most companies fear non-compliance more than they fear a potential data breach of just one person's information.

With data subject access requests, there are a couple of ways that you can honor these requests. You can give an automated way for data subjects to go into an account and submit this completely without any human intervention, other than setting up the process in the first place. Or, on the other end, you can go completely manual: you provide a form for someone to fill out their information and manually process that request. There are also a few hybrid approaches, where you can have people push a button in their account, maybe, and generate a few pieces of information, and then someone else does the rest. Usually companies decide which one they're going to do based on the cost to implement an automated solution versus how much they expect to get, or the complexity.

So what can you do with all of this information? The fun stuff, right? One of my favorite topics is legal DDoS. So there used to be a clause in the Data Protection Directive where you could charge somebody; in the UK it was up to ten pounds to submit these requests. So even though sometimes the requests are more expensive to process than that, it acted as a bit of a deterrent; people weren't just able to do it for free. Under the GDPR you can't do that; you have to process for free, up until you can decide for sure, and prove your position, that this is becoming abusive. So there's quite a lot of back and forth that can happen between that lawyer that you've hired as an outsourced firm and some data subject who's got a problem with you, before you can prove that this is finally abusive. This is also very effective against large organizations that have an otherwise strong privacy program; there is not much that you can do about it. So a lot of people organized together could really cause a lot of trouble for you, even with a very well developed, in general, privacy program.

This is also highly likely to happen after a data breach, just naturally, because people will say, I no longer trust this organization, I want to know what information you have, and I want to delete it. So if you are in the news for a breach, you should expect to have a lot of data subject requests following that, and you need to be prepared to deal with that. So outsourcing DSRs through legal firms is super expensive. This guy asked a clinic in the UK for information about the death of his infant son; the UK firm had spent two hundred and forty thousand pounds on a legal firm to collect that information and honor the data subject request. So that
ten pounds doesn't go very far in offsetting that.

And so, a fun example: Twitter believes that I'm a man. I think this is hilarious, so I figured I might as well ask the Data Protection Officer at Twitter why they think that I'm a man. I have the right to do that; I can ask for information about myself. So you probably can't read it, but they paid a lawyer to write this; it took them a couple of weeks, and they generated a response, just because I felt like figuring out why. And I also have the opportunity to continue this conversation with them until I'm satisfied the request has been completed. I don't really care that much, so I feel like we've served the purpose with that, but there's quite a long way that you could go in continuing this dialogue, where it's free on my end and potentially very expensive for them.

There are a few other things that you can do with malicious activity on data subject requests. Some privacy firms have been doing guerrilla marketing, where they annoy a company into wanting to purchase a privacy solution, which seems like bad marketing to me, but I guess I'm not a salesperson. Also you can do competitor research: learn about how they're processing data subject requests and just copy their solution instead of hiring a consultant. Or disgruntled employees can submit a lot of access requests just to pester the company or find out what information they have. And some lawyers, especially employment lawyers, may be using DSRs as a free discovery tool, because some of the information that they might need is still there. You also see, unfortunately, some potential for domestic partner violence or intimate partner violence, stalking, other abuse victims, since a person who is in the relationship will have a lot of information on someone and can get into this line of messaging, the location data, a lot of really private information.

There's also a lot of incentive for phishing here. You can use common names; Google used to just accept a passport as proof of identity, but when you think about it, what is a name, really? There are a lot of people who have my name; I get their email addresses mixed up with mine all the time, so I have information coming in to my Gmail account. DSRs work in much the same way: if a company doesn't have a good identity solution, they're just going to believe somebody who has some kind of scan of a document, but really all that tells you is that they know somebody with that name, or may have that name themselves, or were able to find a picture of it or even Photoshop it. You can also ask for updates, you can ask for the privacy officer; there's a lot of information you
can get about the privacy program itself while you're in this dialogue; they have to process any further follow-up requests. So from a phishing standpoint that's great, because you're probably going to be on the phone with a tier one support person, and depending on how easy it is to get information, if you succeed, they might give a lot of information about the record that they're looking at. You can potentially match that up to records that you have; if they want to confirm this in person, you can fill in gaps that you have on a record if you're doing spear phishing or something similar. So the takeaway here is to remember that the name is not really very important. The name of the data subject doesn't tell you much about whether that record is actually that person. So what you can do with the phishing, from the profile data: this is an area where you can learn new information really easily, because you can guess at information and get corrected.

If you want to do some of this as an activity, or you're a pen tester and you want to see if this is an area where they are weak, evaluate the privacy policy with a tool called Pribot; it will take a privacy policy and parse it into this Sankey diagram, so a weak one, you'll see it just kind of flows into "unspecified choice", which means they probably don't have many policies in place about how to deal with DSRs, because they haven't thought very much about that privacy policy. A really developed privacy policy has spaghetti going on. So weak targets tend to be organizations that have a lot of indirect identifiers and metadata but not accounts associated with that metadata; international charities, because they are obligated to abide by a lot of privacy laws and probably don't have much budget to do that; social media startups tend to be a little loose about their privacy anyway and usually haven't hired compliance personnel; also anything that is in the mildly regulated space, like hospitality; and also any apps you can use without paying.

So this I found on Twitter, which was really interesting. Somebody in Canada, her Spotify information had been downloaded, because Spotify has an automated DSR form and somebody was able to access her account, because there is no such thing. So I thought, well, let's go back to Twitter and see what this process actually looks like. All you do is you go in; it doesn't prompt for a second factor. So if you're already authenticated to a session, somebody could do this; if they just have a password, you have to enter your password again, but okay. You click the button for "request data", it goes into "retrieving data", and about an hour later I get an email saying that I can download the data now. So I go in, and this is everything that I get. It is all of the data associated with a Twitter account, and Twitter has been around for a very long time, so that's potentially a decade of some of these private messages, history, contacts.

So what's concerning about this is that subject access rights have been a potential issue for over 40 years now. This has been known in Europe; it's new to America, but this is not a new concept, and there's been a black market for this data for a very, very long time, and security as a whole has no idea about this. I very rarely run into someone who's even thought about this being a potential issue. So as
security professionals, I'm now enlisting your help in this, because as a person with a common name, what can you do about it?

So the usual DSR process, of those types, if you have any kind of human interaction at all: you get a generic email inbox where the information comes in, your request comes in, and it's parsed out into high risk or low risk. Support staff usually do low risk, even potentially down to password resets, or somebody just got confused and lost in the system. And then the high risk goes to a lawyer, or maybe the privacy office. So the manual process, then, if that request is approved, is sent to somebody like a DBA, or someone responsible for running a script against the database. The security team is also never involved in this, as far as I've seen, and usually, even if there is a policy that says you need to identify somebody, there's not much information about how to do it. There are very rarely rules about what constitutes sufficient identification for that data subject.

So the identity challenge is very complicated with this, especially because of that requirement to fulfill a DSR even where you don't have an account. California specifically said you cannot require somebody to have an account in order to fulfill the DSR. So you've got a lot of issues: you can't link the data with one person, potentially; with my name you might not have an account. But at the same time, the request can't be rejected just because it's difficult; you can't ask them for excessive information. If you do take in identity documents, they still might not tell you who that person is, and now you've just collected even more sensitive information. So the key takeaway here: remember, you don't need identity documents. The only time that you would ever need a scan of somebody's ID is if you've already had that information in the first place. If you have a driver's license number that you know is associated with them, then fine, go ahead and ask for a scan; that makes sense. But if you don't, then why are you asking for that? It doesn't tell me anything at all.

The other good method, and basically the only sufficient method for most DSRs, is to confirm with a secret between that individual and the data that is on that record. So in the hotel idea, let's say after this, you know, we hang out at a hotel bar and I sign with my room number on the tab, and it charges to the tab in the room. Somebody else comes by and picks up that receipt; it has my name and has my room number, so they know the date of the last stay. So if that person makes a fraudulent DSR under my name, they would have one secret, right, the date of the last stay. So when we think about secret information and transaction history, you have to make sure they're sufficiently different and come from multiple transactions that they are confirming, so that you're not accidentally confirming incidental data that's quite public. So another good option would be date of the last stay plus last four digits on the card associated with the account, and you can have a list of acceptable options, maybe a requirement of two types. If you didn't have a week.

Does anybody know what this is? The Arecibo message, yes. I have, like, people that are really excited and everyone else is confused. So this is the Arecibo telescope in Puerto Rico, which is
super awesome; if you can ever go to Puerto Rico, I highly recommend it. James Bond liked it too. The Arecibo message is meant to be a way to communicate between life forms that essentially have no other information about each other: no identity, not even any knowledge that the other one might exist. So when you're thinking about identification, try to step away from identifying an individual and focus instead on identifying data and confirming that data matches the same person it originated from. Just don't even worry about names unless you actually have some really good IDs.

So, risk-based identification processes: you want to use graduated ID requirements. So if you have highly sensitive information, don't just give it away to somebody who is able to answer a couple of questions that are quite easy. At the same time, if you have low-risk information, don't make somebody go through, like, you know, a DNA test to get, you know, a couple of pieces of data about something they signed up for. You have to assume that all ID numbers are compromised, so even if you have a number on the account, if you're using that as an ID, you need to get a scan of it. But also make sure that you're not making them email that to you in an unsecured form at all. All documents should be provided in secure communication; all of this should happen either through a portal or some other way that can be secured. NIST also has digital identity guidelines, which can be helpful, especially if you're working in an organization that has a lot of sensitive information; this would give you really strong support that you did due diligence on this process.

So, as you see, you can minimize risk. You can go with that automated self-service option, but if you do that, make sure you have controls in place so that you can avoid, you know, Spotify issues. Also, if you are doing a hybrid or manual kind of way of doing it, and there is an account, put it in some kind of UI banner so that somebody who does access the account can see, oh, my account's compromised. You know, Twitter sent me an email saying not to worry about it if I got this request, but that happened behind authentication, right, so that should be a really big flag. So make sure that users who have a potentially compromised account can see it. Also, a little waiting period: if you're doing a request, there's no reason to send it back in an hour; if you think that, you know, maybe a 24-hour waiting period would be more appropriate, and a lot of data that you're delivering. Also, you don't need to export accessible data; there's no requirement for you to provide information, to do any kind of DSR export, if that data subject can
actually access that information already. You could just direct them to it in the application, and then that's it, you've fulfilled your responsibility. So don't send it out of the organization until you actually have to do that.

All right, that's a lot of it. You can take a picture of this if you want; I'm not going to read through all of it. These are the red flags, if you want to look for metrics or ways that you might identify a potential attack campaign or somebody who's trying to get information from your DSR process.

All right, so the other thing to keep in mind is that you're perfectly within your rights to reject a data subject request. You do not have to fulfill every request; your default should be deny until it has been validated. Don't wait until you have a sense that something might be wrong, because, especially if lawyers are the ones doing this, that's basically never going to happen; they don't tend to think of it as something a phisher might do. This is your cheat sheet; these are all of the reasons that are supported by the laws that you can use to reject requests. I also have the legal text in a PDF that I will give you a GitHub link to, for both CCPA and GDPR as they stand right now. CCPA might change, but make sure that you know enough about the law so that you have the ability to turn something down and you have a justification for it.

So, ah, 3:24, I made it. So we need security people, we need security people to know about these problems, to care about them; it's your personal information too. There's very little that any individual can do about these kinds of weaknesses, so all we can do is make sure that companies are aware of this issue and implementing good processes. And please make friends with your lawyers; I promise to gently educate them. So if you want the cheat sheet, there it is on GitHub. I'm also on Twitter, so if you want to talk about this, feel free to. I love privacy, I love hearing weird news cases, so feel free to.
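The verification approach the talk lays out (default deny; graduated requirements by sensitivity; secrets drawn from more than one transaction so a single picked-up bar receipt is not enough; names and ID numbers never counting as proof; a 24-hour hold before the export is released) written out as a small policy checker. This is an added example, not code from the talk or from any vendor: the tier names, the `NOT_A_SECRET` list, the secret categories, the hotel record and the `verify_dsr` function are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed policy: how many independent secrets each sensitivity tier
# needs before a data subject request (DSR) is released. Graduated
# requirements: low-risk data should not demand a "DNA test", high-risk
# data should not be released on one easy answer.
REQUIRED_SECRETS = {"low": 1, "medium": 2, "high": 3}

# Waiting period before the export is actually delivered, so an account
# owner who sees the "request in progress" banner has time to react.
HOLD_PERIOD = timedelta(hours=24)

# Fields that must never count as a secret: many people share a name, and
# every ID or account number is assumed to be compromised already.
NOT_A_SECRET = {"name", "id_number", "account_number", "driver_license"}


@dataclass(frozen=True)
class Secret:
    category: str        # e.g. "stay_date", "card_last4", "txn_amount"
    transaction_id: str  # the transaction or record the secret came from
    value: str


@dataclass
class DataSubjectRecord:
    record_id: str
    sensitivity: str     # "low", "medium" or "high"
    secrets: List[Secret]


@dataclass
class Decision:
    approved: bool
    reason: str
    release_not_before: Optional[datetime] = None


def _norm(value: str) -> str:
    return " ".join(value.strip().lower().split())


def count_independent_matches(record: DataSubjectRecord, claimed: Dict[str, str]) -> int:
    """Count matched secrets, crediting them only as far as they come from
    different transactions AND different categories. One receipt that leaks
    both a stay date and a room number is one unit of proof, not two."""
    matched = [
        s for s in record.secrets
        if s.category not in NOT_A_SECRET
        and s.category in claimed
        and _norm(claimed[s.category]) == _norm(s.value)
    ]
    distinct_txns = {s.transaction_id for s in matched}
    distinct_categories = {s.category for s in matched}
    return min(len(distinct_txns), len(distinct_categories))


def verify_dsr(record: DataSubjectRecord, claimed: Dict[str, str],
               now: datetime) -> Decision:
    """Default deny. Approve only when enough independent secrets match for
    the record's tier, and even then schedule release after the hold period."""
    required = REQUIRED_SECRETS.get(record.sensitivity)
    if required is None:
        return Decision(False, f"unknown sensitivity tier {record.sensitivity!r}")
    ignored = sorted(k for k in claimed if k in NOT_A_SECRET)
    proof = count_independent_matches(record, claimed)
    if proof < required:
        note = f"; ignored non-secrets {ignored}" if ignored else ""
        return Decision(False, f"{proof} independent secret(s) matched, {required} required{note}")
    return Decision(True, f"{proof} independent secret(s) matched",
                    release_not_before=now + HOLD_PERIOD)


# Constructed sample: the hotel-bar scenario. The stay date and room number
# both come from the same bar receipt; the card digits and a room-service
# charge come from other transactions.
HOTEL_RECORD = DataSubjectRecord(
    record_id="guest-0001",
    sensitivity="medium",
    secrets=[
        Secret("stay_date", "bar-receipt-17", "2019-03-23"),
        Secret("room_number", "bar-receipt-17", "412"),
        Secret("card_last4", "card-on-file", "4242"),
        Secret("txn_amount", "room-service-9", "31.50"),
    ],
)
SAMPLE_NOW = datetime(2019, 3, 24, 15, 24)  # constructed clock for the demo

if __name__ == "__main__":
    # Someone holding only the picked-up receipt: one transaction, denied.
    print(verify_dsr(HOTEL_RECORD, {"name": "J. Doe", "stay_date": "2019-03-23",
                                    "room_number": "412"}, SAMPLE_NOW))
    # The guest: receipt plus card on file, released after the hold period.
    print(verify_dsr(HOTEL_RECORD, {"stay_date": "2019-03-23",
                                    "card_last4": "4242"}, SAMPLE_NOW))
```

The independence rule is the part worth copying: matching secrets are counted as the smaller of "distinct source transactions" and "distinct categories", so two facts printed on one receipt can never satisfy a two-secret tier, and the name or ID number supplied alongside them is simply ignored rather than treated as a partial match.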