Incentivizing companies to protect the data of consumers certainly makes sense, especially in industries discussed in this article such as healthcare and finance. I worry, however, that the vagaries of the more invasive requirements of data exporting and transferring might end up creating more problems than they solve by widening the attack surface available to malicious actors.
I also think applying the informed consumer consent requirement to browser cookies was a huge mistake, though that policy predates the GDPR. Just about every website now has an annoying prompt that requires the user to click "Accept" or some other affirmative just to proceed with their intended action.
Training users to mindlessly accept prompts like this is a recipe for disaster. To the average user, such prompts are easily confused with browser permission prompts that could allow the website to spam the user with notifications, gain access to hardware or install malicious extensions that can result in stolen passwords.
the vagaries of the more invasive requirements of data exporting and transferring
The reason I scouted this was because I'm giving a talk on that topic soon. I'm doing some research via Readup hehe.
might end up creating more problems than they solve by widening the attack surface available to malicious actors.
I see your concern, but I don't think the risks outweigh the benefits.
Almost every data export tool I've seen so far (I've seen quite some) was behind a login + email verification wall. Companies seem to be taking the basics seriously. Also legally speaking, the export data available should only consist of the data related to the user requesting it. The user had access to it anyway already via the application (in a non-machine readable way).
But I'm not a security expert/backend dev. Maybe you could see every additional back-end service as a potential new security threat. And once downloaded or in transfer, data may indeed be more vulnerable depending on the user or services involved.
Still, I belief that having the freedom to access the data you generate digitally is super important, simply because you can then reprocess it independently from the original processor. An example: I recently put my exported Google Location History data in an open-source visualizer to create a heatmap of my wanderings. Google doesn't offer that functionality, but I could use it to see where I've never been before in my city - fun for some running exploration.
Similarly, I might want to analyse my Readup data. There is the nice Stats functionality now, but that's only one data view. Imagine 5 years worth of reads in 2025. A data scientist could come up with with a cool visualization tool of the history of one Readup users' reading interest, categorizing & analyzing the titles & ratings s(he) gave. True, this opens security risks, but it also gives more meaningful decision power to people concerning their own data. And the GDPR Data Portability lays the groundwork of that idea (no pressure though 😅)
Training users to mindlessly accept prompts like this is a recipe for disaster.
I completely agree. And this exactly is one thing the GDPR tried to address by requiring explicit, unambiguous and informed consent.
I'm not entirely sure, but I don't think a simple link to the Terms & Conditions makes you compliant with the GDPR. Big tech like Facebook & Google now display concise info on privacy that is hard to dismiss. Google puts a banner "A privacy reminder" in your face when visiting google.com with a new cookie. You have 2 options: "Remind me later" and "Review now". You can use the site & search, but until you reviewed that simplified consent explanation and agreed, it won't go away. That's good, or at least, better than before.
The researcher really went out of his way to make it easy for companies by not even trying to forge documents, sign affidavits or even fake email headers. Keeping data exports behind a login is of course good practice, but remote identity verification is a minefield. Coupled with the threats of fines and timetables from the GDPR, companies will be pressured to acquiesce to requests from malicious actors who have claimed to lose access to their accounts.
Similarly, I might want to analyse my Readup data.
I love this! There's so much potential for mining really interesting information from all the article metadata and reading activity that we store. Of course right now even maintaining our own internal APIs is a nightmare, but once things stabilize and we can afford to hire a couple more developers I would love to open up a public API/export for our users. It would be amazing to see what people do with it!
I just read the article you linked. Very interest content, even if it's not so well-written. Thanks!
My take-away: many small/mid-sized companies (understandably) have no solid processes in place yet to handle GDPR requests. That poses a huge risk because an attacker could get some initial information from a careless provider, with which they can more easily request data in more secure processes.
Incentivizing companies to protect the data of consumers certainly makes sense, especially in industries discussed in this article such as healthcare and finance. I worry, however, that the vagaries of the more invasive requirements of data exporting and transferring might end up creating more problems than they solve by widening the attack surface available to malicious actors.
I also think applying the informed consumer consent requirement to browser cookies was a huge mistake, though that policy predates the GDPR. Just about every website now has an annoying prompt that requires the user to click "Accept" or some other affirmative just to proceed with their intended action.
Training users to mindlessly accept prompts like this is a recipe for disaster. To the average user, such prompts are easily confused with browser permission prompts that could allow the website to spam the user with notifications, gain access to hardware or install malicious extensions that can result in stolen passwords.
The reason I scouted this was because I'm giving a talk on that topic soon. I'm doing some research via Readup hehe.
I see your concern, but I don't think the risks outweigh the benefits.
Almost every data export tool I've seen so far (I've seen quite some) was behind a login + email verification wall. Companies seem to be taking the basics seriously. Also legally speaking, the export data available should only consist of the data related to the user requesting it. The user had access to it anyway already via the application (in a non-machine readable way).
But I'm not a security expert/backend dev. Maybe you could see every additional back-end service as a potential new security threat. And once downloaded or in transfer, data may indeed be more vulnerable depending on the user or services involved.
Still, I belief that having the freedom to access the data you generate digitally is super important, simply because you can then reprocess it independently from the original processor. An example: I recently put my exported Google Location History data in an open-source visualizer to create a heatmap of my wanderings. Google doesn't offer that functionality, but I could use it to see where I've never been before in my city - fun for some running exploration.
Similarly, I might want to analyse my Readup data. There is the nice Stats functionality now, but that's only one data view. Imagine 5 years worth of reads in 2025. A data scientist could come up with with a cool visualization tool of the history of one Readup users' reading interest, categorizing & analyzing the titles & ratings s(he) gave. True, this opens security risks, but it also gives more meaningful decision power to people concerning their own data. And the GDPR Data Portability lays the groundwork of that idea (no pressure though 😅)
I completely agree. And this exactly is one thing the GDPR tried to address by requiring explicit, unambiguous and informed consent.
I'm not entirely sure, but I don't think a simple link to the Terms & Conditions makes you compliant with the GDPR. Big tech like Facebook & Google now display concise info on privacy that is hard to dismiss. Google puts a banner "A privacy reminder" in your face when visiting google.com with a new cookie. You have 2 options: "Remind me later" and "Review now". You can use the site & search, but until you reviewed that simplified consent explanation and agreed, it won't go away. That's good, or at least, better than before.
Very cool!
I think this article from the BBC is worth a read: Black Hat: GDPR privacy law exploited to reveal personal data
The researcher really went out of his way to make it easy for companies by not even trying to forge documents, sign affidavits or even fake email headers. Keeping data exports behind a login is of course good practice, but remote identity verification is a minefield. Coupled with the threats of fines and timetables from the GDPR, companies will be pressured to acquiesce to requests from malicious actors who have claimed to lose access to their accounts.
I love this! There's so much potential for mining really interesting information from all the article metadata and reading activity that we store. Of course right now even maintaining our own internal APIs is a nightmare, but once things stabilize and we can afford to hire a couple more developers I would love to open up a public API/export for our users. It would be amazing to see what people do with it!
I just read the article you linked. Very interest content, even if it's not so well-written. Thanks!
My take-away: many small/mid-sized companies (understandably) have no solid processes in place yet to handle GDPR requests. That poses a huge risk because an attacker could get some initial information from a careless provider, with which they can more easily request data in more secure processes.
Thanks for the reference, I'll give it a read. The article seems really interesting for my talk as well.
& that's the attitude. Love it. Keep going! :)