The new European Regulation on Data Protection introduces the right to be forgotten, which I discussed in a previous article (8 October 2012). From a security perspective, this raises the question of whether it is possible to get someone's personal data deleted by impersonating them. While investigating these possibilities, I realised there is a far more creative direction of exploitation: denying service.

At the IFIP World Computer Congress 2012 in Amsterdam, I got into a conversation with a legal expert working for a company in the security business. He remarked that the chance that the right to be forgotten will be abused to get someone else's personal data deleted is not negligible. If the methods used to invoke the right to be forgotten turn out to be comparable to those used for the existing right to information about the processing of one's data, this is probably true.

Spoofing the Right to be Forgotten
Although there are exceptions, such as the Dutch credit registration agency, getting insight into your personal data does not require strong authentication – it does take perseverance, but let's set that issue aside. In practice, one sends a letter that cites the relevant legislative articles and attaches a photocopy of one's passport or identity card.

Of course, if the right to be forgotten works in a comparable way, it becomes fairly easy to impersonate someone else. It merely requires a photocopy of an identity document and the personal details written on it. Obtaining such a document is easier than it looks; hotel clerks, for example, are a frequently cited risk when it comes to passports.

Additionally, the previously explained replay attack (28 September 2012) is possible here as well. When you send such a request by mail to a particular vendor, that vendor could forge a new letter based on the one received and send it, together with the original attachments, to another company.

Our Infrastructure Is Not Ready Yet
One of the major criticisms of the right to be forgotten is the fact that erasure is not cheap. In modern information systems, cloud-based storage mechanisms and solutions that store data redundantly make it very hard to know exactly all the locations where a certain piece of information is kept. Because until now we only had to break the link between the actual data and the place where it was shown, such infrastructures have not been built with erasure in mind.

Additionally, any respectable computing system implements a backup mechanism. The general idea of backups is that they can be used to restore the system to the exact state it was in when the backup was made. Furthermore, they are expected to be stored securely and protected from any corruption. However, a right to be forgotten may also require the erasure of that data from the backups. This not only defeats the original purpose of the backup, but also puts the integrity of the securely guarded snapshots at risk.

DDoS in the Name of Privacy
Currently, erasing certain personal data from all systems is a difficult operation for most companies. However, the proposed regulation also requires that data processors comply in a timely manner, i.e. without delay. Therefore, it is not unlikely that a single request to be forgotten consumes considerable resources.

So, what would happen if a large group of activists with strong feelings against Facebook decided to file a deletion request for every single member at once? If Facebook has to comply in a timely manner and this operation is costly, it has a large burden on its hands. In effect, the activist group has performed a DDoS using the right to be forgotten.

The Right to be Forgotten: Still a Wonderful Idea
As we have seen, in the current situation the right to be forgotten could be exploited in some novel ways. Nevertheless, it is still a very interesting right. All of the issues discussed concern the practical implementation of the right, not its fundamental ideas. Therefore, it is a wonderful proposal, but we need to iron out the practical problems before we put it to use.
