Interview with researcher Mariano Di Martino
At the Privacy Enhancing Technologies Symposium 2022, also known as PETS, Kee sat down with Mariano Di Martino, one of the authors of this paper which investigates the security practices of companies which hold personal data covered by the GDPR. The interview has been transcribed below and lightly edited for readability. If you wish to view this interview in its entirety, you can watch the YouTube video embedded at the bottom of this article.
Kee: Hey guys, I’m here with Mariano who has been doing some research related to some EU legislation, specifically the GDPR. I know that two years ago you did an original study, and this piece is a follow up to that. Can you explain what you were doing in the original piece and what this piece is too?
Mariano: Yeah so in 2019 we did an experiment where we tried to see if the right of access of the GDPR is implemented in companies in a secure and safe way.
Kee: Can you quickly explain what the right of access is?
Mariano: So the right of access allows you as any individual in the EU to request your personal information from any company. So let’s say I have money in my bank account, and I would like to know what kind of personal information my bank holds about me. I can basically ask the bank — for instance by email saying “I’m Mariano Di Martino and I would like to get all my personal information”. But of course the problem there is that the bank has to verify you. They have to verify whether you’re really the person whose data is being requested. So in our experiment in 2019 we contacted I think 50-55 organisations to see how they’re implementing the right of access. And we noticed that a lot of them did it in very insecure ways with very unsafe practices. So we would ask as someone else, we would pretend to be our colleagues. And the way we did it was with a lot of social engineering, for instance we tried to say to companies “my account got hacked, I don’t have access to my original email, that’s why I’m sending this from a different address”.
Kee: So you did this with your research colleagues?
Mariano: Yes, so in 2019 we did it with one colleague. We also photoshopped some ID cards. So we would take a picture of our own ID card, and then we would try to see on social media what details we could find about them, like their name, date of birth, profile picture. And then we’d photoshop them onto the card and submit that to these organisations. And many of them, almost all of the ones that we submitted these to, believed it and gave us the data we were requesting.
Kee: So in 2019, what were the results that you found? What was the nature of the data that was being given up?
Mariano: We contacted a wide range of companies from the entertainment industry to finances, but the most noteworthy companies were definitely the financial institutions, because they’re very well versed with handling ID cards — for setting up accounts, withdrawing money etc — but they tried to basically transfer their same processes for physically verifying the ID cards to doing it digitally. Which of course is not particularly safe, because physical ID cards have security features which make them hard to reproduce, whereas an uploaded picture of an ID card can easily be photoshopped. So those companies almost all accepted our photoshopped ID cards, and released data to us. And of course that data was very sensitive, it contained financial transactions, in some cases full transaction records of bank accounts.
Kee: So you gathered this data in the 2019 study, can you explain what you were looking for in this follow-up study?
Mariano: So in 2019, we reached out to all of the companies that we managed to gather data from, and let them know that their security practices regarding the right of access were very lacking and we suggested ways in which they could improve their security practices. So in this 2021 study we contacted all of these companies again and tried to see if they’ve improved their policies or implemented our suggestions. And when we did that we found that more companies were vulnerable than had been in 2019. Even some companies that weren’t vulnerable in 2019 we found were in 2021, which was a very worrying thing to see.
Kee: So they didn’t seem to implement your suggestions, or some of them did?
Mariano: Yeah, so some of them did. The companies that we found did improve their practices were the ones who had seemed interested in our suggestions originally. We had some meetings with financial institutions who basically said “We really want to fix this”, and those companies, while not implementing all of our suggestions, did enough to at least pass our specific tests.
Kee: And maybe it’s time to name and shame some of these companies? Like who was the best and the worst?
Mariano: Well there are a few reasons we don’t do that. You don’t want to name and shame first of all because it is an experiment right? An experiment is ethically set up with the intention of making companies safer, not to call them out. And also some companies leaked data from other individuals who weren’t involved in the study. For instance, I’m Mariano Di Martino, but there are some other people with the same name as me. And the fact is, even though we tried to get data from a colleague, sometimes that colleague had a common name, and when we requested their data we got data from someone else with the same name. So obviously it’s bad if they’re giving us our colleague’s data, but it’s even worse if they give us someone else’s. But to go back to the original question, the main reason we don’t name and shame is because we’re trying first and foremost to improve the processes.
Kee: So where do you think some of the future research in this vein might go, I know you tried with the specific attack vector of photoshopping ID cards, but do you see future directions that people could go in while researching this space, or other interesting things that you found out while you were doing this that people could look into?
Mariano: So I think there is a lot of work that is being done around the right of access, not only trying to see if the parties are secure or not, but also trying to see what kind of data these companies have, what kind of data they are sharing, what credentials they are asking for, whether they try to call you, because some companies will do that and ask if you’re really making the request. So those sorts of things are happening currently, but for future work I think it’s important to actually understand why companies still aren’t implementing better policies. And we did some of that in our study. We tried to do interviews with these companies to understand their behaviour and why they’re not implementing these policies. And often of course it seems to be that it takes a lot of time and money, but there’s also just the balancing act of trying to have safe and secure policies while not placing undue burden on the individual who wants to request their data, which would decrease transparency.
So let’s say I’m trying to get my data from my bank and they’re asking me all these questions, asking for my ID card, calling me, wanting to know where I live and so on. So you end up in a situation where you’re trying to find out what data they have on you, but now you’re giving them even more data, and maybe they didn’t even have this data already. For example, say you contact an entertainment company and they say ok we’ll give you your data but first prove that you’re really you, so you send a photocopy of your ID card, and maybe now they’ve got your address or your licence number which they didn’t have before. And you couldn’t know they didn’t have that, since that’s what you’re trying to find out.
So just giving them more and more data isn’t a good solution either. It’s important to strike a balance where you ask the right things, things which aren’t particularly sensitive but still let the company verify you. Of course the best solution would be to have some kind of automated process. So big companies like Google and Facebook have these processes, since they can implement them more easily. How they usually work is you just log in with your username and password and get your data that way, but many companies don’t have a username or password. For example some analytics company might have data on you but you don’t have an account with them, so how do you verify your identity? So that’s a problem that exists in the cross section of legal and technical limitations.
Kee: Alright thanks so much for giving us your time with this interview Mariano.