The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.
In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.
That vendor, Berbix, helped verify the identity of people requesting data by asking them to upload photos of their government ID and to take a selfie. It then asked them to take a second selfie while following instructions. “Make sure you are looking happy or joyful and try again” was one such command.
Many people who read the article about my experience were alarmed by the information that Berbix asked for — and the need to smile for their secret file.
“This is a nightmare future where I can’t request my data from a creepy shadow credit bureau without putting on a smile for them, and it’s completely insane,” Jack Phelps, a software engineer in New York City, said in an email.
“It just seems wrong that we have to give up even more personal information,” wrote another reader, Barbara Clancy, a retired professor of neuroscience in Arkansas.
That’s the unpleasant reality: To get your personal data, you may have to give up more personal data. It seems awful at first. Alistair Barr of Bloomberg called it “the new privacy circle of hell.”
But there’s a good reason for this. Companies don’t want to give your data away to the wrong person, which has happened in the past. In 2018, Amazon sent 1,700 audio files of a customer talking to his Alexa to a stranger.
The right to have access to personal data is enshrined in the new California Consumer Privacy Act. The law is modeled in part on privacy regulations in Europe, known as the General Data Protection Regulation, or GDPR. Soon after Europe’s law went into effect, in May 2018, a hacker gained access to the Spotify account of Jean Yang, a tech executive, and successfully filed a data request to download her home address, credit card information and a history of the music she had listened to.
Since then, two groups of researchers have demonstrated that it’s possible to fool the systems created to comply with GDPR to get someone else’s personal information.
One of the researchers, James Pavur, 24, a doctoral student at Oxford University, filed data requests on behalf of his research partner and wife, Casey Knerr, at 150 companies using information that was easily found for her online, such as her mailing address, email address and phone number. To make the requests, he created an email address that was a variation on Knerr’s name. A quarter of the companies sent him her file.
“I got her Social Security number, high school grades, a good chunk of information about her credit card,” Pavur said. “A threat intelligence company sent me all her user names and passwords that had been leaked.”
Mariano Di Martino and Pieter Robyns, computer science researchers at Hasselt University in Belgium, had the same success rate when they approached 55 financial, entertainment and news companies. They requested each other’s data, using more advanced techniques than those of Pavur, such as photoshopping each other’s government ID. In one case, Di Martino received the data file of a complete stranger whose name was similar to that of Robyns.
Both sets of researchers thought the new law giving the right to data was worthwhile. But they said companies needed to improve their security practices to avoid compromising customers’ privacy further.
“Companies are rushing to solutions that lead to insecure practices,” Robyns said.
Companies employ different techniques for verifying identity. Many simply ask for a photo of a driver’s license. Retail Equation, a company that decides whether a consumer can make returns at retailers like Best Buy and Victoria’s Secret, asks only for a name and driver’s license number.
The wide array of companies now required to hand over data, from Baskin Robbins to The New York Times, have varying levels of security expertise and experience in providing data to consumers.
Companies such as Apple, Amazon and Twitter can ask users to verify their identity by logging into their platforms. All three give a heads-up via email after data is requested, which can help warn people if a hacker got access to their account. An Apple spokesman said that after a request is made, the company uses additional methods to verify the person’s identity, though the company said it couldn’t disclose those methods for security reasons.
If consumers can’t verify their identity by logging into an existing account, Di Martino and Robyns recommend that companies email them, call them or ask them for information that only they should know, such as the invoice number on a recent bill.
“Regulators need to think more about the unintended consequences of empowering individuals to access and delete their data,” said Steve Kirkham, who worked on Airbnb’s trust and safety team for five years, before founding Berbix in 2018. “We want to prevent fraudulent requests and let the good ones go through.”