
I'm aware of this post that GDPR apparently does not enforce a specific standard for securing sensitive data. Based on this post, e.g., there is no requirement to encrypt or hash login data in a local database, either.

GDPR however provides the user of a service the right to know what data are stored in the service's database, and their purpose in this database. Based on these two, I would like to know: does an individual user have the right to know how the login user name is stored in the service's database? With services like https://haveibeenpwned.com/ displaying possible breaches as known to them as one indicator, does it depend on the courtesy of, e.g., my phone provider to disclose «we secure your login credentials hashed, with sha512sum / blake2»? Or are there companies in Europe which disclose this part of their applied cryptography voluntarily in their contract / on their website?

I'm willing to move this question to law.stackexchange if this question is not suitable for the current forum.

Buttonwood
  • Aren't you basically asking if a company must publish the full details on how exactly the user's data are protected? Not only the kind of hash is relevant for security, but also details of the internal infrastructure, who has access, who can change code etc. I'm pretty sure that there is no requirement to publish this kind of information. All the company has to do is ensure that the data are sufficiently protected and not provide information on how exactly this is achieved. – Steffen Ullrich Feb 12 '21 at 14:38
  • Yes, I do ask if a company must publish how users' data are protected. After attending a beginner's class about IT security, this would be what I understand now as obeying Kerckhoffs's principle. – Buttonwood Feb 12 '21 at 14:42
  • Kerckhoffs's principle is usually applied to, for example, crypto implementations (like a company's implementation of AES). I have never seen it applied to network infrastructure, human policies, etc. It's one thing for a company to get audited by a trusted 3rd party auditor, and the auditor attests that the company complies with the law, but it is a completely different thing for the company to make all their internal information public. – Mike Ounsworth Feb 12 '21 at 14:51
  • @MikeOunsworth The lecturer (Meinel, [openHPI](https://open.hpi.de/)) mentioned databases _should_ at least hash e.g., user names / passwords and use a salt; breaches however would again and again reveal these entries often as stored in clear text, or hashed only with something quick and no longer secure, such as md5sum. With programs like John the Ripper and hashcat in sight (and parallelized GPUs), successful breaches would be only a matter of time. – Buttonwood Feb 12 '21 at 15:17
  • @Buttonwood I think we're talking about different points. Companies are often unwilling to share their architectures and policies (often because that is intellectual property that they worked hard to design and don't want to give away for free). That does not excuse them for having shitty security and badly-designed apps. – Mike Ounsworth Feb 12 '21 at 15:24
  • There are many information security standards that a company can get audited under and provide a certificate for -- ISO 27001 is general; PCI-DSS in the credit card industry, WebTrust in the PKI industry, etc. While you would obviously prefer to do the audit yourself, you are not likely going to get that, so finding vendors who have security certifications is a good start. – Mike Ounsworth Feb 12 '21 at 15:29
  • @MikeOunsworth Ok, as an individual: First the identification of the standard, second who audits / certifies a company. Lastly asking the company X «do you have certificate Z». – Buttonwood Feb 12 '21 at 15:42
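An added example, not part of the original question or its comments, of the two storage practices the comments above contrast: unsalted MD5 (the "clear text or md5sum" case found in breach dumps) against a salted, memory-hard hash, here scrypt from Python's standard library. The cost parameters, the sample users and the wordlist are assumptions constructed for illustration; the two `crack_*` functions exist only to make the cost difference visible, not as a cracking tool.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# scrypt cost parameters; assumed illustrative values, not a recommendation
# for any particular deployment. Memory use is 128 * r * N bytes (16 MiB here).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
DK_LEN = 32


def weak_md5(password: str) -> str:
    """The breach-style storage the comments describe: unsalted, fast MD5."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard hash. Returns a self-describing record so the
    parameters can be raised later without breaking old entries."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time.
    Malformed records verify as False rather than raising."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt, expected = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def crack_md5(leaked: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted MD5: one hash per guess covers every
    user at once, and identical passwords share one hash in the dump."""
    table = {weak_md5(w): w for w in wordlist}
    return {h: table[h] for h in leaked if h in table}


def crack_scrypt(leaked: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Same attack against salted scrypt records: every guess must be
    recomputed per record, so cost scales with users * guesses * N."""
    found: Dict[str, str] = {}
    for record in leaked:
        for w in wordlist:
            if verify_password(w, record):
                found[record] = w
                break
    return found


if __name__ == "__main__":
    # Constructed sample data (not from any real breach).
    wordlist = ["123456", "password", "letmein", "qwerty"]
    users = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}

    md5_dump = [weak_md5(pw) for pw in users.values()]
    print("md5 cracked:", crack_md5(md5_dump, wordlist))

    scrypt_dump = [hash_password(pw) for pw in users.values()]
    print("scrypt cracked:", crack_scrypt(scrypt_dump, wordlist))
```

Running it shows that alice and bob, who share a password, collapse to one MD5 value that a single dictionary lookup recovers, while their scrypt records differ (per-user salt) and each guess has to be recomputed for each of them. The record format embeds the parameters so a controller can raise N later and rehash on next login, which is the kind of "appropriate technical measure" Article 32 asks for without prescribing any particular algorithm.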

2 Answers


This is probably a question that should be in Law.SE, but I'll try to write a quick answer anyway.

As far as I know, the users have no right to know any technical details or know how security controls are implemented. However, I believe that data controllers and data processors have the right to request specific technical details from other data processors they are relying on. In other words, you, as a user, have no right to ask StackExchange how they hash the passwords. However, StackExchange might have the right to ask their hosting provider if and how they encrypt their HDD, for example.

My opinion is based on the fact that I don't think I have ever seen such rights mentioned in the sections dedicated to the data subjects (the users), but I have seen something relevant in the sections dedicated to the data processors.

Here's an excerpt from article 28 (Processor), emphasis mine:

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
[...]
(c) takes all measures required pursuant to Article 32 (note: Article 32 is "Security of processing");
[...]
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
[...]
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

reed

No, a right to know how a controller (in terms of the GDPR) technically ensures confidentiality does not exist.

GDPR however provides the user of a service the right to know what data are stored in the service's data base, and their purpose in this database

The Right of access by the data subject (Article 15) says a controller shall inform you about which of your personal data they process for which purpose in general. It doesn't say anything regarding databases or technical specifications.

Article 32 says that a controller "shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk." This includes "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services."

This is important in two scenarios: when the controller contracts a processor to process data (see Article 28(1)), or when the controller has to prove that they implemented measures to address risks (e.g., after a data breach).

However, there is no obligation to tell you (the data subject) any specific technical details.

p011