California’s privacy law giving customers the right to their personal data is based on a European law that inadvertently lets hackers gain widespread access to people’s credit card numbers and home addresses.
The California Consumer Privacy Act went into effect Jan. 1 and effectively gives citizens the ability to obtain and delete whatever data companies have on them. It’s also based on Europe’s General Data Protection Regulation, or GDPR, which hackers are gaming to collect people’s data.
“Soon after Europe’s law went into effect, in May 2018, a hacker gained access to the Spotify account of Jean Yang, a tech executive, and successfully filed a data request to download her home address, credit card information,” The New York Times’ Kashmir Hill wrote Wednesday.
Companies that collect the personal information of 50,000 people and those with annual revenues of $25 million or more are required to fork over the data upon request.
Vendors like Berbix ask people to upload photos of government-issued identification and take a selfie to verify the identity of those making requests for such data, Hill noted. Berbix also asked requesters to take another photo of themselves as a secondary form of verification.
Critics are questioning the need for people to provide more personal information to collect private data.
“This is a nightmare future where I can’t request my data from a creepy shadow credit bureau without putting on a smile for them, and it’s completely insane,” Jack Phelps, a software engineer in New York City, told Hill. Researchers are demonstrating how the law allowed this to happen.
James Pavur, an Oxford University researcher, filed data requests on behalf of his wife at several companies across Europe using her phone number and other publicly accessible information. He created an email address that was similar to his wife’s name. A quarter of the 150 companies sent Pavur her files.
“I got her Social Security number, high school grades, a good chunk of information about her credit card,” Pavur told The NYT’s Hill. “A threat intelligence company sent me all her user names and passwords that had been leaked.”
Other researchers replicated similar techniques and found the same results.
Mariano Di Martino and Pieter Robyns, computer science researchers at Hasselt University in Belgium, used more advanced techniques to request each other’s data, such as photoshopping government ID, Hill reported. Di Martino received data of a stranger whose name was similar to that of his research partner.
California’s law is partially a response to state officials’ concern that lax federal regulations are allowing tech companies to gobble up unprecedented amounts of data. The state’s AG accused Facebook in November of not complying with subpoena requests regarding its investigation into Cambridge Analytica, a company that gained access to user data.
Content created by The Daily Caller News Foundation is available without charge to any eligible news publisher that can provide a large audience.