2020 has been full of surprises, but what’s not surprising is that we’re now more virtual than we have ever been. Consider the last 30 days of your life. Have you entered credit card information online? Did you allow said website(s) to save that information for future use? What about patient intake forms — your medical history, social security number, age, email address, home address, phone number — do you remember every website you’ve given your personal information?
With more and more companies experiencing breaches and our personal information being shared with so many companies, one might feel compelled to figure out just what information is out there and where. But can you? Do you, as the individual in question, have a right to that data?
Global Data Privacy Regulations are Forcing Policy Re-evaluation
Privacy-focused regulations across the globe have started to tackle these very questions. Depending on your location and citizenship, some hold that access to your data is certainly a right. Two heavy-hitters on this side of the fence are the California Consumer Privacy Act (CCPA), a U.S. privacy statute that governs residents of California, and the General Data Protection Regulation (GDPR), a data privacy law in the European Union. Regulations like these grant special privileges to those covered, namely the right of subject access, which gives individuals the right to obtain a copy of their personal data as well as other supplementary information used by companies. Being residents of Colorado, our LogRhythm Labs team is not afforded rights by either of these directly. Never deterred and ever curious, we set out to explore these rights, test corporate willingness to provide our data to us, and determine if threat actors could hypothetically exploit these rights for their own gain.
The Data Privacy Experiment
Our Labs team spent a few weeks reaching out to companies across the globe and from various industries (e.g., retail, airlines, cloud services, healthcare, and finance), each requesting our individual personal data on file. We conducted our requests in a few ways:
- Requests with only accurate information: Through this method, we attempted to gain access to our data with as little (but completely accurate) verifiable information as possible; we did this to determine which, if any, companies or industries would allow us access to our personal data, even if we weren’t legally entitled to that information under GDPR and CCPA.
- Requests with a combination of fabricated and accurate information (including addresses, emails, and birthdays): With this testing method, we attempted to cite CCPA and GDPR to increase our likelihood of receiving data but still use the minimum amount of verifiable information to simulate a threat actor attempting to socially engineer access to our data.
- Requests with only accurate information from LogRhythm employees who are EU citizens.
Because our Boulder-based Labs team couldn’t claim GDPR rights in our requests for data, we reached out to colleagues in our UK office. Our hope was that, by having EU citizens put in their own data requests from the same companies, we would be able to compare and contrast the experience as a whole.
With a list in hand of roughly 25 companies to contact, we began to research how one actually goes about carrying out subject access requests. The short answer is, it depends; some were simple, some were difficult and ongoing. Requests were made by the following methods, depending entirely on the procedures of the company in question:
- Online Portal: For some companies (primarily in the cloud services, social media, gaming, and retail industries), data requests were handled autonomously. By signing into your online account and navigating to various forms of a “Download Your Data” page, a download link would be sent shortly thereafter.
- Request Form/Email: Slightly more involved than the aforementioned, certain requests required either completing an online form (which typically initiated an email conversation with a representative) or reaching out to the company’s privacy office directly via email. Verifiable information required was similar in both scenarios, typically including some combination of email, address of residence, phone number, SSN, security questions, and specific account information. This was far and away the most common method. Industries common here were airlines, hotels, some financial institutions and large retailers.
- Phone: In the rarest of circumstances, personal data requests were only accepted via phone call with a privacy representative and required extensive information. This was specific to a few financial services organizations, and data was not released as we were not covered by CCPA or GDPR.
The Results on Data Privacy (Drum Roll, Please)
Results were interesting and varied greatly. First and foremost, it’s worth noting that none of our requests with false information were accepted. We were, however, able to access our personal data in roughly 50 percent of cases despite the fact that we weren’t covered by the aforementioned privacy laws. Beyond that, results were virtually identical within industries.
As mentioned, most requests in retail, social media, gaming, and cloud services were completely independent, with data available almost immediately. This ease of access is, in some circumstances, a little jarring: with nothing but access to your personal account, a download link sent via email hands over reports on your device information, electronic payment and retail store activity, maps, calendars, notes, social media posts, files saved to your cloud, and more. It was all available at the click of a button, the only real deterrent preventing an outside third party from accessing it themselves being your username and password.
Some industries, like hospitality and financial services, mostly required ongoing conversations with a company’s privacy office and additional information. Also worth noting, only half or fewer of our requests were honored in these cases. While intentionally trying to give as little information as possible in the spirit of the exercise, companies in these industries were less inclined to divulge our information. Data would not be released without all the required fields, which had to correspond directly to what was on record; once released, data could only be accessed through a third-party privacy portal that required a case ID and temporary login. In cases where we were able to access our data, records included stay and trip information, credit cards used in transactions, contact information, and place of residence on file.
Airlines arguably proved to be the most interesting; after repeated requests (and in some cases, demands) based on correct information, no airline honored requests for personal data. This was after completing lengthy access request forms, which included all geolocation and contact information, frequent flyer account numbers, an open-ended “What information are you requesting?” section, and details on how you are claiming to exercise such rights. When trying to claim rights under CCPA, airlines cited the Airline Deregulation Act of 1978 (ADA), which prohibits states from enacting or enforcing laws that relate to the rates, routes, or services of an air carrier, meaning that, as federally regulated airlines governed by the ADA, they are not subject to state-based privacy laws such as CCPA. We were told requests would only be fulfilled for EU residents covered by GDPR, which proved to be more difficult than anticipated.
In the process of submitting access requests from both a covered and uncovered perspective, it became clear that GDPR coverage did not guarantee an easy route, if any, to accessing your data; our EU colleagues had weeks of back-and-forth communication regarding their requests with various companies in multiple circumstances. Virtually all requests required them to submit uploads of multiple documents including licenses, passports, marriage certificates, and transaction history to name a few. The process ultimately ended with data still not being released to them in each scenario, either because of marital name changes or other ongoing confirmations of identity. In a way, GDPR coverage seemed to almost make it more difficult to access your personal data due to the sheer amount of forms of identification a person needed to have at the ready to prove their identity.
A Data Privacy Reflection
With these experiences in mind, we returned to some of our original questions. It seems on paper that the answer is “Yes” — legally speaking and dependent on your geographic location, that right is granted to you by various state entities; however, practically speaking, getting that data is not quite as black and white as it would seem.
In a larger context, our results present a few clear positives and negatives to the state of data privacy across industries today. On the one hand, it’s reassuring to know that there are clear barriers to a threat actor leveraging subject access rights to steal personal information — the safeguards and checks performed by the privacy office in most companies would prevent most fraudulent attempts. Even in many attempts with correct information, data still wouldn’t be released, including scenarios where individuals are covered by the law. On the other hand, this makes it difficult to determine exactly what sensitive information one might have in circulation and have a say in how it’s managed. In circumstances where you do successfully access your data and see just how much you have floating around the ether, it can be anxiety-inducing.
It’s a toss-up.
Perhaps widespread data availability brings its own batch of unforeseen issues. Maybe we should be implementing greater efforts to secure that information from the wrong hands. Maybe, in being denied a right of access, we are in turn actually making our data safer. Who’s to say? If this exercise proved nothing else, it has shown us that companies in the year 2020 seem to do an adequate job of vetting false requests and protecting our information. Maybe, for the time being, that’s good enough.
The security landscape of both the U.S. and global economies is ever-evolving, and privacy will continue to be at the forefront of those conversations as we continue to question these theories. Stay tuned for more privacy updates from our LogRhythm Labs team as we chart a course into 2021.