PRIVATICS - 2019 - Annual activity report

PRIVATICS

PRIVATICS - 2019

Project-Team Privatics

Team, Visitors, External Collaborators

Overall Objectives

Context

Application Domains

Highlights of the Year

New Software and Platforms

New Results

Differential Inference Testing
Analyse des impacts de la reconnaissance faciale - Quelques éléments de méthode (in French)
Towards a generic framework for black-box explanation methods
A generic information and consent framework for the IoT
Analysis of privacy policies to enhance informed consent
Understanding algorithmic decision-making: Opportunities and challenges, Study for the European Parliament (STOA)
Saving Private Addresses: An Analysis of Privacy Issues in the Bluetooth-Low-Energy Advertising Mechanism
Fingerprinting Bluetooth-Low-Energy Devices Based on the Generic Attribute Profile
Privacy implications of switching ON a light bulb in the IoT world
Security Analysis of Subject Access Request Procedures How to authenticate data subjects safely when they request for their data
Plausible Deniability for Practical Privacy-Preserving Live Streaming
Protecting motion sensor data against sensitive inferences through an adversarial network approach
Inria white book on Cybersecurity: Current challenges and Inria's research directions
Inspect what your location history reveals about you - Raising user awareness on privacy threats associated with disclosing his location data
Pseudonymisation techniques and best practices

Partnerships and Cooperations

Dissemination

Bibliography

Publications of the year

Previous |

Home | Next next

Section: New Results

Security Analysis of Subject Access Request Procedures How to authenticate data subjects safely when they request for their data

Participants : Cédric Lauradoux, Coline Boniface.

With the GDPR in force in the EU since May 2018, companies and administrations need to be vigilant about the personal data they process. The new regulation defines rights for data subjects and obligations for data controllers but it is unclear how subjects and controllers interact concretely. In [4], we try to answer two critical questions: is it safe for a data subject to exercise the right of access of her own data? When does a data controller have enough information to authenticate a data subject? To answer these questions, we have analyzed recommendations of Data Protection Authorities and authentication practices implemented in popular websites and third-party tracking services. We observed that some data controllers use unsafe or doubtful procedures to authenticate data subjects. The most common flaw is the use of authentication based on a copy of the subject's national identity card transmitted over an insecure channel. We define how a data controller should react to a subject's request to determine the appropriate procedures to identify the subject and her data. We provide compliance guidelines on data access response procedures.

Previous |

Home | Next next