The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.
In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.
That vendor, Berbix, helped verify the identity of people requesting data by asking them to upload photos of their government ID and to take a selfie. It then asked them to take a second selfie while following instructions. “Make sure you are looking happy or joyful and try again” was one such command.
Many people who read the article about my experience were alarmed by the information that Berbix asked for — and the need to smile for their secret file.
“This is a nightmare future where I can’t request my data from a creepy shadow credit bureau without putting on a smile for them, and it’s completely insane,” Jack Phelps, a software engineer in New York City, said in an email.
“It just seems wrong that we have to give up even more personal information,” wrote another reader, Barbara Clancy, a retired professor of neuroscience in Arkansas.
That’s the unpleasant reality: To get your personal data, you may have to give up more personal data. It seems awful at first. Alistair Barr of Bloomberg called it “the new privacy circle of hell.”
But there’s a good reason for this. Companies don’t want to give your data away to the wrong person, which has happened in the past. In 2018, Amazon sent 1,700 audio files of a customer talking to his Alexa to a stranger.
The right to have access to personal data is enshrined in the new California Consumer Privacy Act. The law is modeled in part on privacy regulations in Europe, known as the General Data Protection Regulation, or G.D.P.R. Soon after Europe's law went into effect, in May 2018, a hacker gained access to the Spotify account of Jean Yang, a tech executive, and successfully filed a data request to download her home address, credit card information and a history of the music she had listened to.
One of the researchers, James Pavur, 24, a doctoral student at Oxford University, filed data requests on behalf of his research partner and wife, Casey Knerr, at 150 companies using information that was easily found for her online, such as her mailing address, email address and phone number. To make the requests, he created an email address that was a variation on Ms. Knerr’s name. A quarter of the companies sent him her file.
“I got her Social Security number, high school grades, a good chunk of information about her credit card,” Mr. Pavur said. “A threat intelligence company sent me all her user names and passwords that had been leaked.”
Mariano Di Martino and Pieter Robyns, computer science researchers at Hasselt University in Belgium, had the same success rate when they approached 55 financial, entertainment and news companies. They requested each other’s data, using more advanced techniques than those of Mr. Pavur, such as photoshopping each other’s government ID. In one case, Mr. Di Martino received the data file of a complete stranger whose name was similar to that of Mr. Robyns.
Both sets of researchers thought the new law giving the right to data was worthwhile. But they said companies needed to improve their security practices to avoid compromising customers’ privacy further.
“Companies are rushing to solutions that lead to insecure practices,” Mr. Robyns said.
Companies employ different techniques for verifying identity. Many simply ask for a photo of a driver’s license. Retail Equation, a company that decides whether a consumer can make returns at retailers like Best Buy and Victoria’s Secret, asks only for a name and driver’s license number.
The wide array of companies now required to hand over data, from Baskin Robbins to The New York Times, have varying levels of security expertise and experience in providing data to consumers.
Companies such as Apple, Amazon and Twitter can ask users to verify their identity by logging into their platforms. All three give a heads-up via email after data is requested, which can help warn people if a hacker got access to their account. An Apple spokesman said that after a request is made, the company uses additional methods to verify the person’s identity, though the company said it couldn’t disclose those methods for security reasons.
If consumers can’t verify their identity by logging into an existing account, Mr. Di Martino and Mr. Robyns recommend that companies email them, call them or ask them for information that only they should know, such as the invoice number on a recent bill.
“Regulators need to think more about the unintended consequences of empowering individuals to access and delete their data,” said Steve Kirkham, who worked on Airbnb’s trust and safety team for five years, before founding Berbix in 2018. “We want to prevent fraudulent requests and let the good ones go through.”
It is on regulators’ minds. The California law requires businesses to “verify the identity of the consumer making the request to a reasonable degree of certainty” and to have a more stringent verification process for “sensitive or valuable personal information.”
Mr. Kirkham said Berbix requested the first selfie to test whether a person’s face matched their ID; the second selfie, with a smile or some other facial expression, ensures that someone isn’t simply holding a photo up to the camera. Mr. Kirkham said Berbix ultimately deleted the data collected within seven days to a year, depending on the retention period requested by the company that hires the firm. (Sift deletes its data after two weeks.)
“It’s a new threat vector companies should consider,” said Blake Brannon, vice president of product at OneTrust, another company that helps businesses comply with the new data privacy laws. OneTrust offers the 4,500 organizations using its service the option to create several levels of identity verification, such as sending a token to someone’s phone or verifying ownership of an email address.
“If I’m requesting something simple or lightweight, the verification is minimal, versus a deletion request,” Mr. Brannon said. “That will require more levels of verification.”
Mr. Kirkham of Berbix said the verification process discouraged some people from making the data request at all.
“A lot of people don’t want to give more information,” Mr. Kirkham said. “Their assumption is that you will do something nefarious with it.”
He added: “But that’s the irony here. We require additional information from people to protect them. We want to make sure you are who you say you are.”