{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,10]],"date-time":"2026-01-10T03:54:57Z","timestamp":1768017297114,"version":"3.49.0"},"reference-count":24,"publisher":"Privacy Enhancing Technologies Symposium Advisory Board","issue":"2","license":[{"start":{"date-parts":[[2022,3,3]],"date-time":"2022-03-03T00:00:00Z","timestamp":1646265600000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/3.0"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,4,1]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Several data protection regulations permit individuals to request all personal information that an organization holds about them by utilizing Subject Access Requests (SARs). Prior work has observed the identification process of such requests, demonstrating weak policies that are vulnerable to potential data breaches. In this paper, we analyze and compare prior work in terms of methodologies, requested identification credentials and threat models in the context of privacy and cybersecurity. Furthermore, we have devised a longitudinal study in which we examine the impact of responsible disclosures by re-evaluating the SAR authentication processes of 40 organizations after they had two years to improve their policies. Here, we demonstrate that 53% of the previously vulnerable organizations have not corrected their policy and an additional 27% of previously non-vulnerable organizations have potentially weakened their policies instead of improving them, thus leaking sensitive personal information to potential adversaries. To better understand state-of-the-art SAR policies, we interviewed several Data Protection Officers and explored the reasoning behind their processes from a viewpoint in the industry and gained insights about potential criminal abuse of weak SAR policies. Finally, we propose several technical modifications to SAR policies that reduce privacy and security risks of data controllers.<\/jats:p>","DOI":"10.2478\/popets-2022-0037","type":"journal-article","created":{"date-parts":[[2022,3,5]],"date-time":"2022-03-05T04:38:04Z","timestamp":1646455084000},"page":"95-113","source":"Crossref","is-referenced-by-count":16,"title":["Revisiting Identification Issues in GDPR \u2018Right Of Access\u2019 Policies: A Technical and Longitudinal Analysis"],"prefix":"10.56553","volume":"2022","author":[{"given":"Mariano","family":"di Martino","sequence":"first","affiliation":[{"name":"Hasselt University - tUL, Expertise Center of Digital Media (EDM)"}]},{"given":"Isaac","family":"Meers","sequence":"additional","affiliation":[{"name":"Hasselt University - tUL, Expertise Center of Digital Media"}]},{"given":"Peter","family":"Quax","sequence":"additional","affiliation":[{"name":"Hasselt University - tUL, Expertise Center of Digital Media, Flanders Make"}]},{"given":"Ken","family":"Andries","sequence":"additional","affiliation":[{"name":"Hasselt University - Law Faculty, Attorney at the Brussels Bar"}]},{"given":"Wim","family":"Lamotte","sequence":"additional","affiliation":[{"name":"Hasselt University - tUL, Expertise Center of Digital Media"}]}],"member":"35752","published-online":{"date-parts":[[2022,3,3]]},"reference":[{"key":"2022060207203439529_j_popets-2022-0037_ref_001","doi-asserted-by":"crossref","unstructured":"[1] Ausloos, J., and Dewitte, P. Shattering one-way mirrors - data subject access rights in practice. International Data Privacy Law 8, 1 (03 2018), 4\u201328.10.1093\/idpl\/ipy001","DOI":"10.1093\/idpl\/ipy001"},{"key":"2022060207203439529_j_popets-2022-0037_ref_002","doi-asserted-by":"crossref","unstructured":"[2] Boniface, C., Fouad, I., Bielova, N., Lauradoux, C., and Santos, C. Security Analysis of Subject Access Request Procedures How to authenticate data subjects safely when they request for their data. In Annual Privacy Forum (2019).10.1007\/978-3-030-21752-5_12","DOI":"10.1007\/978-3-030-21752-5_12"},{"key":"2022060207203439529_j_popets-2022-0037_ref_003","doi-asserted-by":"crossref","unstructured":"[3] Bufalieri, L., Morgia, M. L., Mei, A., and Stefa, J. GDPR: When the Right to Access Personal Data Becomes a Threat. In 2020 IEEE International Conference on Web Services (ICWS) (2020), pp. 75\u201383.","DOI":"10.1109\/ICWS49710.2020.00017"},{"key":"2022060207203439529_j_popets-2022-0037_ref_004","doi-asserted-by":"crossref","unstructured":"[4] Cagnazzo, M., Holz, T., and Pohlmann, N. GDPi-Rated \u2013 Stealing Personal Information On- and Offline. In Computer Security \u2013 ESORICS 2019 (Cham, 2019), K. Sako, S. Schneider, and P. Y. A. Ryan, Eds., Springer International Publishing, pp. 367\u2013386.10.1007\/978-3-030-29962-0_18","DOI":"10.1007\/978-3-030-29962-0_18"},{"key":"2022060207203439529_j_popets-2022-0037_ref_005","unstructured":"[5] CCPA. California Consumer Privacy Act, 2018. Cal. Legis. Serv. Ch.55 (A.B. 375)."},{"key":"2022060207203439529_j_popets-2022-0037_ref_006","doi-asserted-by":"crossref","unstructured":"[6] Cormack, A. Is the Subject Access Right Now Too Great a Threat to Privacy? European Data Protection Law Review 2 (2016), 15\u201327.","DOI":"10.21552\/EDPL\/2016\/1\/5"},{"key":"2022060207203439529_j_popets-2022-0037_ref_007","unstructured":"[7] Das, S., Kim, A., Jelen, B., Streiff, J., Camp, L. J., and Huber, L. Towards Implementing Inclusive Authentication Technologies for Older Adults. In Who Are You?! Adventures in Authentication Workshop (Santa Clara, California, USA, Aug. 2019), WAY \u201919, pp. 1\u20135."},{"key":"2022060207203439529_j_popets-2022-0037_ref_008","unstructured":"[8] Di Martino, M., Robyns, P., Weyts, W., Quax, P., Lamotte, W., and Andries, K. Personal Information Leakage by Abusing the GDPR \u201cRight of Access\u201d. In Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security (2019), SOUPS\u201919, USENIX Association, p. 371\u2013386."},{"key":"2022060207203439529_j_popets-2022-0037_ref_009","doi-asserted-by":"crossref","unstructured":"[9] Galetta, A., Fonio, C., and Ceresa, A. Nothing is as it seems. The exercise of access rights in Italy and Belgium: dispelling fallacies in the legal reasoning from the \u2018law in theory\u2018 to the \u2018law in practice\u2018. International Data Privacy Law 6 (11 2015), ipv026.10.1093\/idpl\/ipv026","DOI":"10.1093\/idpl\/ipv026"},{"key":"2022060207203439529_j_popets-2022-0037_ref_010","unstructured":"[10] Google Inc. Stronger security for your Google Account. https:\/\/www.google.com\/landing\/2step\/, accessed on April 21st 2021."},{"key":"2022060207203439529_j_popets-2022-0037_ref_011","unstructured":"[11] Herrmann, D., and Lindemann, J. Obtaining personal data and asking for erasure: do app vendors and website owners honour your privacy rights? In Sicherheit 2016 - Sicherheit, Schutz und Zuverl\u00e4ssigkeit (Bonn, 2016), M. Meier, D. Reinhardt, and S. Wendzel, Eds., Gesellschaft f\u00fcr Informatik e.V., pp. 149\u2013160."},{"key":"2022060207203439529_j_popets-2022-0037_ref_012","doi-asserted-by":"crossref","unstructured":"[12] Kr\u00f6ger, J. L., Lindemann, J., and Herrmann, D. How Do App Vendors Respond to Subject Access Requests? A Longitudinal Privacy Study on IOS and Android Apps. In Proceedings of the 15th International Conference on Availability, Reliability and Security (New York, NY, USA, 2020), ARES \u201920, Association for Computing Machinery.10.1145\/3407023.3407057","DOI":"10.1145\/3407023.3407057"},{"key":"2022060207203439529_j_popets-2022-0037_ref_013","doi-asserted-by":"crossref","unstructured":"[13] Kuty\u0142owski, M., Lauks-Dutka, A., and Yung, M. Gdpr \u2013 challenges for reconciling legal rules with technical reality. In Computer Security \u2013 ESORICS 2020 (2020), L. Chen, N. Li, K. Liang, and S. Schneider, Eds., Springer International Publishing, pp. 736\u2013755.","DOI":"10.1007\/978-3-030-58951-6_36"},{"key":"2022060207203439529_j_popets-2022-0037_ref_014","doi-asserted-by":"crossref","unstructured":"[14] Mahieu, R. L. P., Asghari, H., and van Eeten, M. Collectively exercising the right of access: individual effort, societal effect. Internet Policy Review 7, 3 (2018).","DOI":"10.14763\/2018.3.927"},{"key":"2022060207203439529_j_popets-2022-0037_ref_015","unstructured":"[15] Markert, P., Farke, F., and D\u00fcrmuth, M. View The Email to Get Hacked: Attacking SMS-Based Two-Factor Authentication. In Who Are You?! Adventures in Authentication Workshop (Santa Clara, California, USA, Aug. 2019), WAY \u201919, pp. 1\u20136."},{"key":"2022060207203439529_j_popets-2022-0037_ref_016","doi-asserted-by":"crossref","unstructured":"[16] Mustafa, H., Xu, W., Sadeghi, A. R., and Schulz, S. You Can Call but You Can\u2019t Hide: Detecting Caller ID Spoofing Attacks. In 2014 44th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (2014), pp. 168\u2013179.","DOI":"10.1109\/DSN.2014.102"},{"key":"2022060207203439529_j_popets-2022-0037_ref_017","unstructured":"[17] Pavur, J., and Knerr, C. GDPArrrrr: Using Privacy Laws to Steal Identities. CoRR abs\/1912.00731 (2019)."},{"key":"2022060207203439529_j_popets-2022-0037_ref_018","doi-asserted-by":"crossref","unstructured":"[18] Petrlic, R. Identit\u00e4tspr\u00fcfung bei elektronischen Auskunftsersuchen nach Art. 15 DSGVO. Datenschutz und Datensicherheit - DuD 43, 2 (Feb. 2019), 71\u201375. (German).10.1007\/s11623-019-1066-x","DOI":"10.1007\/s11623-019-1066-x"},{"key":"2022060207203439529_j_popets-2022-0037_ref_019","unstructured":"[19] Samarin, N., Kothari, S., Siyed, Z., Wijesekera, P., Fischer, J., Hoofnagle, C., and Egelman, S. Investigating the Compliance of Android App Developers with the CCPA. In 5th Workshop on Technology and Consumer Protection (ConPro \u201921) (2021), Association for Computing Machinery."},{"key":"2022060207203439529_j_popets-2022-0037_ref_020","doi-asserted-by":"crossref","unstructured":"[20] Syrmoudis, E., Mager, S., Kuebler-Wachendorff, S., Pizzinini, P., Grossklags, J., and Kranz, J. Data Portability between Online Services: An Empirical Analysis on the Effectiveness of GDPR Art. 20. Proceedings on Privacy Enhancing Technologies 2021, 3 (2021), 351\u2013372.","DOI":"10.2478\/popets-2021-0051"},{"key":"2022060207203439529_j_popets-2022-0037_ref_021","unstructured":"[21] The European Parliament and the Council. Directive 95\/46\/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281 (November 1995)."},{"key":"2022060207203439529_j_popets-2022-0037_ref_022","unstructured":"[22] The European Parliament and the Council. Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation). OJ L 119 (May 2016), 1\u201388."},{"key":"2022060207203439529_j_popets-2022-0037_ref_023","doi-asserted-by":"crossref","unstructured":"[23] Urban, T., Degeling, M., Holz, T., and Pohlmann, N. \u201cYour Hashed IP Address: Ubuntu.\u201d: Perspectives on Transparency Tools for Online Advertising. In Proceedings of the 35th Annual Computer Security Applications Conference (New York, NY, USA, 2019), ACSAC \u201919, Association for Computing Machinery, p. 702\u2013717.","DOI":"10.1145\/3359789.3359798"},{"key":"2022060207203439529_j_popets-2022-0037_ref_024","doi-asserted-by":"crossref","unstructured":"[24] Urban, T., Tatang, D., Degeling, M., Holz, T., and Pohlmann, N. A Study on Subject Data Access in Online Advertising After the GDPR. In Data Privacy Management, Cryptocurrencies and Blockchain Technology (Cham, 2019), C. P\u00e9rez-Sol\u00e0, G. Navarro-Arribas, A. Biryukov, and J. Garcia-Alfaro, Eds., Springer International Publishing, pp. 61\u201379.10.1007\/978-3-030-31500-9_5","DOI":"10.1007\/978-3-030-31500-9_5"}],"container-title":["Proceedings on Privacy Enhancing Technologies"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.sciendo.com\/pdf\/10.2478\/popets-2022-0037","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,9,19]],"date-time":"2024-09-19T20:21:12Z","timestamp":1726777272000},"score":1,"resource":{"primary":{"URL":"https:\/\/petsymposium.org\/popets\/2022\/popets-2022-0037.php"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,3,3]]},"references-count":24,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2022,3,3]]},"published-print":{"date-parts":[[2022,4,1]]}},"alternative-id":["10.2478\/popets-2022-0037"],"URL":"https:\/\/doi.org\/10.2478\/popets-2022-0037","relation":{},"ISSN":["2299-0984"],"issn-type":[{"value":"2299-0984","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,3,3]]}}}