web analytics
a

Facebook

Twitter

Copyright 2015 Libero Themes.
All Rights Reserved.

8:30 - 6:00

Our Office Hours Mon. - Fri.

703-406-7616

Call For Free 15/M Consultation

Facebook

Twitter

Search
Menu
Westlake Legal Group > Posts tagged "Data Storage"

We’re Living in a Subscriptions World. Here’s How to Navigate It.

Westlake Legal Group 15Techfix-illo-facebookJumbo We’re Living in a Subscriptions World. Here’s How to Navigate It. Video Recordings, Downloads and Streaming Spotify Netflix Inc Music Movies Mobile Applications Data Storage Computers and the Internet Cloud Computing

Nowadays we don’t really buy things. We just subscribe to online services.

And how can we resist? The streaming revolution has brought us vast amounts of video and music entertainment at the click of a button. In an era of cloud storage, where we store our data on remote computer servers, tech companies like Google and Apple take care of the headache of managing our information so that we no longer lose important files or progress on our work.

For many of us, giving up control and ownership to these services is the point. But for others, there is a downside to losing some flexibility and freedom. While Spotify may not have all the music we want to listen to, if we cancel our subscription, we lose access to its large catalog of music. With cloud storage services, putting our documents and other files online is simple, but pulling them out can be a pain.

This can make some people feel trapped. We could always resort to the obvious old-school methods, like buying discs of music and carrying around thumb drives of our files and documents, but who wants to do that?

Fortunately, there are some approaches to taking control of our media while enjoying the benefits of subscription services. Those steps range from the obvious, like creating local copies of your data, to more advanced methods, like making a personal cloud using an internet-connected storage device that acts like a miniature server.

All it takes is some forethought and technological know-how. Here’s what you need to know.

Cloud storage services like Google Drive and Apple’s iCloud — which let you store small amounts of data online free and which charge a few dollars a month to hoard larger amounts — offer major benefits. Namely, we can get access to our data from any device with an internet connection, and because our files are copied onto a company’s servers, we can’t lose them.

But beware of becoming over-reliant on the cloud. What if one day you decide to cancel your subscription? For anything that is stored exclusively online, you would then have to download each piece of data to your own drive, which can be frustrating and time-consuming.

That’s why, as a rule of thumb, people should continue creating local copies of their data for their computers and smartphones and store only important files on the cloud.

Here are the tools you will need:

  • An external hard drive. Portable hard drives can store vast amounts of data, and they are generally cheap. Seagate’s Backup Plus Slim 2, a Wirecutter recommendation, costs about $60 and holds two terabytes of data, which is probably enough to store backups of your computer, tablet and smartphone.

  • A software program for creating computer backups. Mac computers include Apple’s Time Machine backup tool. Microsoft’s Windows 10 includes a free tool called File History. Both apps can be set up to automatically back up your computer data.

  • An app for backing up your smartphone data. Apple users can back up their iPhones to their computers via the Finder or iTunes apps. Android users with Windows computers can access their data via “My Computer,” and on a Mac, Android users can use the app Android File Transfer.

From there, the steps vary slightly depending on which device and apps you use, but the processes are generally the same. To back up your computer data, you plug your external hard drive into your computer and run the backup program. To back up your smartphone data to your computer, you plug the smartphone into the computer and run your backup app. (If you need more steps, Wirecutter published a comprehensive guide on creating data backups.)

This way, if we become dissatisfied with a cloud service, we can cancel the subscription and have the ease and flexibility to take our files elsewhere.

Streaming services like Netflix, Apple TV Plus and Hulu offer a buffet of TV shows and movies to binge on. Similarly, Spotify and Apple Music give you instant access to millions of songs. But streaming services don’t have access to everything out there, like obscure art house films or live performances by music artists.

So here’s how you can take control of the content you stream to your devices. There’s a clever approach that involves creating your own media cloud, which acts like an online locker for your own content.

Michael Calore, an editor for Wired and a part-time D.J., said that when Spotify lacks his favorite music, he extracts the songs from a disc and uploads them to Google Play Music, Google’s online music service. Then he plays the music on the Google Play Music app from his smartphone.

“It’s basically like my own private streaming music service,” he said. In general, people can apply this approach to any songs they can’t get on streaming services.

For movies, I’ll share my setup, which is not for the faint of heart.

As a film studies student, I owned a collection of hundreds of DVDs, many of them obscure indie titles that are nowhere to be found on any streaming service. So I converted the titles into digital video formats, which I stored on a network-attached storage device, essentially a miniature server.

From there, I installed the Plex video-streaming app on my Apple TV, and on my smartphone, I installed Infuse 6, another video-streaming app. I set up both apps to pull movies from my mini server. This way, I can still enjoy the ability to stream my special collection of art house movies via my own equipment.

Of course, for many of a certain (younger) age, physical discs are unheard-of, and newer obscure titles will more likely be released on a streaming service. Still, for those wanting to tailor the content they stream, physical media is worth exploring.

So here’s what you will need to create personal clouds for your movies and music:

  • Tech to extract content from discs. First, you will need an optical drive, which is still included with some desktop computers, to read discs.

    Second, you will need apps to “rip” the content and turn the movies into digital files. For videos, special computer programs like Handbrake can extract movies from discs and convert them into video files. For audio, programs like iTunes and Windows Media Player can rip digital music files from CDs.

  • Tech to create a video server. Basically, you need an internet-connected device with some storage for movies, which essentially acts as a miniature server. There are plenty of options, like the $150 Nvidia Shield TV, or the Synology DiskStation DS218+, which costs about $300.

  • Tech to play media over the internet. For music, Google Play Music lets you upload your own songs to a cloud library and stream them through the app. For movies, streaming apps like Plex or Infuse 6 let you play movies from a TV app or smartphone.

If that all sounds complicated, that’s because setting up your content to be easily accessible over the internet is no easy feat. But these options exist for people who want more freedom.

Mr. Calore said that despite having a nice setup for streaming media via a personal cloud, he still consumed the vast majority of music and movies from paid streaming services.

“We’ve lost the excitement and the specialness of a physical idea,” he said. “But what we’ve gained in exchange is abundance at a scale that we could never have imagined. That is very much worth the trade-off.”

Real Estate, and Personal Injury Lawyers. Contact us at: https://westlakelegal.com 

We’re Living in a Subscriptions World. Here’s How to Navigate It.

Westlake Legal Group 15Techfix-illo-facebookJumbo We’re Living in a Subscriptions World. Here’s How to Navigate It. Video Recordings, Downloads and Streaming Spotify Netflix Inc Music Movies Mobile Applications Data Storage Computers and the Internet Cloud Computing

Nowadays we don’t really buy things. We just subscribe to online services.

And how can we resist? The streaming revolution has brought us vast amounts of video and music entertainment at the click of a button. In an era of cloud storage, where we store our data on remote computer servers, tech companies like Google and Apple take care of the headache of managing our information so that we no longer lose important files or progress on our work.

For many of us, giving up control and ownership to these services is the point. But for others, there is a downside to losing some flexibility and freedom. While Spotify may not have all the music we want to listen to, if we cancel our subscription, we lose access to its large catalog of music. With cloud storage services, putting our documents and other files online is simple, but pulling them out can be a pain.

This can make some people feel trapped. We could always resort to the obvious old-school methods, like buying discs of music and carrying around thumb drives of our files and documents, but who wants to do that?

Fortunately, there are some approaches to taking control of our media while enjoying the benefits of subscription services. Those steps range from the obvious, like creating local copies of your data, to more advanced methods, like making a personal cloud using an internet-connected storage device that acts like a miniature server.

All it takes is some forethought and technological know-how. Here’s what you need to know.

Cloud storage services like Google Drive and Apple’s iCloud — which let you store small amounts of data online free and which charge a few dollars a month to hoard larger amounts — offer major benefits. Namely, we can get access to our data from any device with an internet connection, and because our files are copied onto a company’s servers, we can’t lose them.

But beware of becoming over-reliant on the cloud. What if one day you decide to cancel your subscription? For anything that is stored exclusively online, you would then have to download each piece of data to your own drive, which can be frustrating and time-consuming.

That’s why, as a rule of thumb, people should continue creating local copies of their data for their computers and smartphones and store only important files on the cloud.

Here are the tools you will need:

  • An external hard drive. Portable hard drives can store vast amounts of data, and they are generally cheap. Seagate’s Backup Plus Slim 2, a Wirecutter recommendation, costs about $60 and holds two terabytes of data, which is probably enough to store backups of your computer, tablet and smartphone.

  • A software program for creating computer backups. Mac computers include Apple’s Time Machine backup tool. Microsoft’s Windows 10 includes a free tool called File History. Both apps can be set up to automatically back up your computer data.

  • An app for backing up your smartphone data. Apple users can back up their iPhones to their computers via the Finder or iTunes apps. Android users with Windows computers can access their data via “My Computer,” and on a Mac, Android users can use the app Android File Transfer.

From there, the steps vary slightly depending on which device and apps you use, but the processes are generally the same. To back up your computer data, you plug your external hard drive into your computer and run the backup program. To back up your smartphone data to your computer, you plug the smartphone into the computer and run your backup app. (If you need more steps, Wirecutter published a comprehensive guide on creating data backups.)

This way, if we become dissatisfied with a cloud service, we can cancel the subscription and have the ease and flexibility to take our files elsewhere.

Streaming services like Netflix, Apple TV Plus and Hulu offer a buffet of TV shows and movies to binge on. Similarly, Spotify and Apple Music give you instant access to millions of songs. But streaming services don’t have access to everything out there, like obscure art house films or live performances by music artists.

So here’s how you can take control of the content you stream to your devices. There’s a clever approach that involves creating your own media cloud, which acts like an online locker for your own content.

Michael Calore, an editor for Wired and a part-time D.J., said that when Spotify lacks his favorite music, he extracts the songs from a disc and uploads them to Google Play Music, Google’s online music service. Then he plays the music on the Google Play Music app from his smartphone.

“It’s basically like my own private streaming music service,” he said. In general, people can apply this approach to any songs they can’t get on streaming services.

For movies, I’ll share my setup, which is not for the faint of heart.

As a film studies student, I owned a collection of hundreds of DVDs, many of them obscure indie titles that are nowhere to be found on any streaming service. So I converted the titles into digital video formats, which I stored on a network-attached storage device, essentially a miniature server.

From there, I installed the Plex video-streaming app on my Apple TV, and on my smartphone, I installed Infuse 6, another video-streaming app. I set up both apps to pull movies from my mini server. This way, I can still enjoy the ability to stream my special collection of art house movies via my own equipment.

Of course, for many of a certain (younger) age, physical discs are unheard-of, and newer obscure titles will more likely be released on a streaming service. Still, for those wanting to tailor the content they stream, physical media is worth exploring.

So here’s what you will need to create personal clouds for your movies and music:

  • Tech to extract content from discs. First, you will need an optical drive, which is still included with some desktop computers, to read discs.

    Second, you will need apps to “rip” the content and turn the movies into digital files. For videos, special computer programs like Handbrake can extract movies from discs and convert them into video files. For audio, programs like iTunes and Windows Media Player can rip digital music files from CDs.

  • Tech to create a video server. Basically, you need an internet-connected device with some storage for movies, which essentially acts as a miniature server. There are plenty of options, like the $150 Nvidia Shield TV, or the Synology DiskStation DS218+, which costs about $300.

  • Tech to play media over the internet. For music, Google Play Music lets you upload your own songs to a cloud library and stream them through the app. For movies, streaming apps like Plex or Infuse 6 let you play movies from a TV app or smartphone.

If that all sounds complicated, that’s because setting up your content to be easily accessible over the internet is no easy feat. But these options exist for people who want more freedom.

Mr. Calore said that despite having a nice setup for streaming media via a personal cloud, he still consumed the vast majority of music and movies from paid streaming services.

“We’ve lost the excitement and the specialness of a physical idea,” he said. “But what we’ve gained in exchange is abundance at a scale that we could never have imagined. That is very much worth the trade-off.”

Real Estate, and Personal Injury Lawyers. Contact us at: https://westlakelegal.com 

What’s the Price of Getting Your Data? More Data

Westlake Legal Group 00datarequests2-facebookJumbo-v2 What’s the Price of Getting Your Data? More Data Science and Technology Privacy Law and Legislation General Data Protection Regulation (GDPR) Data Storage California

The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.

In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.

That vendor, Berbix, helped verify the identity of people requesting data by asking them to upload photos of their government ID and to take a selfie. It then asked them to take a second selfie while following instructions. “Make sure you are looking happy or joyful and try again” was one such command.

Many people who read the article about my experience were alarmed by the information that Berbix asked for — and the need to smile for their secret file.

“This is a nightmare future where I can’t request my data from a creepy shadow credit bureau without putting on a smile for them, and it’s completely insane,” Jack Phelps, a software engineer in New York City, said in an email.

“It just seems wrong that we have to give up even more personal information,” wrote another reader, Barbara Clancy, a retired professor of neuroscience in Arkansas.

That’s the unpleasant reality: To get your personal data, you may have to give up more personal data. It seems awful at first. Alistair Barr of Bloomberg called it “the new privacy circle of hell.”

But there’s a good reason for this. Companies don’t want to give your data away to the wrong person, which has happened in the past. In 2018, Amazon sent 1,700 audio files of a customer talking to his Alexa to a stranger.

The right to have access to personal data is enshrined in the new California Consumer Privacy Act. The law is modeled in part on privacy regulations in Europe, known as the General Data Protection Regulation, or G.D.P.R. Soon after Europe’s law went into effect, in May 2018, a hacker gained access to the Spotify account of Jean Yang, a tech executive, and successfully filed a data request to download her home address, credit card information and a history of the music she had listened to.

Since then, two groups of researchers have demonstrated that it’s possible to fool the systems created to comply with G.D.P.R. to get someone else’s personal information.

One of the researchers, James Pavur, 24, a doctoral student at Oxford University, filed data requests on behalf of his research partner and wife, Casey Knerr, at 150 companies using information that was easily found for her online, such as her mailing address, email address and phone number. To make the requests, he created an email address that was a variation on Ms. Knerr’s name. A quarter of the companies sent him her file.

“I got her Social Security number, high school grades, a good chunk of information about her credit card,” Mr. Pavur said. “A threat intelligence company sent me all her user names and passwords that had been leaked.”

Mariano Di Martino and Pieter Robyns, computer science researchers at Hasselt University in Belgium, had the same success rate when they approached 55 financial, entertainment and news companies. They requested each other’s data, using more advanced techniques than those of Mr. Pavur, such as photoshopping each other’s government ID. In one case, Mr. Di Martino received the data file of a complete stranger whose name was similar to that of Mr. Robyns.

Both sets of researchers thought the new law giving the right to data was worthwhile. But they said companies needed to improve their security practices to avoid compromising customers’ privacy further.

“Companies are rushing to solutions that lead to insecure practices,” Mr. Robyns said.

Companies employ different techniques for verifying identity. Many simply ask for a photo of a driver’s license. Retail Equation, a company that decides whether a consumer can make returns at retailers like Best Buy and Victoria’s Secret, asks only for a name and driver’s license number.

The wide array of companies now required to hand over data, from Baskin Robbins to The New York Times, have varying levels of security expertise and experience in providing data to consumers.

Companies such as Apple, Amazon and Twitter can ask users to verify their identity by logging into their platforms. All three give a heads-up via email after data is requested, which can help warn people if a hacker got access to their account. An Apple spokesman said that after a request is made, the company uses additional methods to verify the person’s identity, though the company said it couldn’t disclose those methods for security reasons.

If consumers can’t verify their identity by logging into an existing account, Mr. Di Martino and Mr. Robyns recommend that companies email them, call them or ask them for information that only they should know, such as the invoice number on a recent bill.

“Regulators need to think more about the unintended consequences of empowering individuals to access and delete their data,” said Steve Kirkham, who worked on Airbnb’s trust and safety team for five years, before founding Berbix in 2018. “We want to prevent fraudulent requests and let the good ones go through.”

It is on regulators’ minds. The California law requires businesses to “verify the identity of the consumer making the request to a reasonable degree of certainty” and to have a more stringent verification process for “sensitive or valuable personal information.”

Mr. Kirkham said Berbix requested the first selfie to test whether a person’s face matched their ID; the second selfie, with a smile or some other facial expression, ensures that someone isn’t simply holding a photo up to the camera. Mr. Kirkham said Berbix ultimately deleted the data collected within seven days to a year, depending on the retention period requested by the company that hires the firm. (Sift deletes its data after two weeks.)

“It’s a new threat vector companies should consider,” said Blake Brannon, vice president of product at OneTrust, another company that helps businesses comply with the new data privacy laws. OneTrust offers the 4,500 organizations using its service the option to create several levels of identity verification, such as sending a token to someone’s phone or verifying ownership of an email address.

“If I’m requesting something simple or lightweight, the verification is minimal, versus a deletion request,” Mr. Brannon said. “That will require more levels of verification.”

Mr. Kirkham of Berbix said the verification process discouraged some people from making the data request at all.

“A lot of people don’t want to give more information,” Mr. Kirkham said. “Their assumption is that you will do something nefarious with it.”

He added: “But that’s the irony here. We require additional information from people to protect them. We want to make sure you are who you say you are.”

Real Estate, and Personal Injury Lawyers. Contact us at: https://westlakelegal.com 

Want Your Personal Data? Hand Over More

Westlake Legal Group 00datarequests2-facebookJumbo Want Your Personal Data? Hand Over More Science and Technology Privacy Law and Legislation General Data Protection Regulation (GDPR) Data Storage California

The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.

In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.

That vendor, Berbix, helped verify the identity of people requesting data by asking them to upload photos of their government ID and to take a selfie. It then asked them to take a second selfie while following instructions. “Make sure you are looking happy or joyful and try again” was one such command.

Many people who read the article about my experience were alarmed by the information that Berbix asked for — and the need to smile for their secret file.

“This is a nightmare future where I can’t request my data from a creepy shadow credit bureau without putting on a smile for them, and it’s completely insane,” Jack Phelps, a software engineer in New York City, said in an email.

“It just seems wrong that we have to give up even more personal information,” wrote another reader, Barbara Clancy, a retired professor of neuroscience in Arkansas.

That’s the unpleasant reality: To get your personal data, you may have to give up more personal data. It seems awful at first. Alistair Barr of Bloomberg called it “the new privacy circle of hell.”

But there’s a good reason for this. Companies don’t want to give your data away to the wrong person, which has happened in the past. In 2018, Amazon sent 1,700 audio files of a customer talking to his Alexa to a stranger.

The right to have access to personal data is enshrined in the new California Consumer Privacy Act. The law is modeled in part on privacy regulations in Europe, known as the General Data Protection Regulation, or G.D.P.R. Soon after Europe’s law went into effect, in May 2018, a hacker gained access to the Spotify account of Jean Yang, a tech executive, and successfully filed a data request to download her home address, credit card information and a history of the music she had listened to.

Since then, two groups of researchers have demonstrated that it’s possible to fool the systems created to comply with G.D.P.R. to get someone else’s personal information.

One of the researchers, James Pavur, 24, a doctoral student at Oxford University, filed data requests on behalf of his research partner and wife, Casey Knerr, at 150 companies using information that was easily found for her online, such as her mailing address, email address and phone number. To make the requests, he created an email address that was a variation on Ms. Knerr’s name. A quarter of the companies sent him her file.

“I got her Social Security number, high school grades, a good chunk of information about her credit card,” Mr. Pavur said. “A threat intelligence company sent me all her user names and passwords that had been leaked.”

Mariano Di Martino and Pieter Robyns, computer science researchers at Hasselt University in Belgium, had the same success rate when they approached 55 financial, entertainment and news companies. They requested each other’s data, using more advanced techniques than those of Mr. Pavur, such as photoshopping each other’s government ID. In one case, Mr. Di Martino received the data file of a complete stranger whose name was similar to that of Mr. Robyns.

Both sets of researchers thought the new law giving the right to data was worthwhile. But they said companies needed to improve their security practices to avoid compromising customers’ privacy further.

“Companies are rushing to solutions that lead to insecure practices,” Mr. Robyns said.

Companies employ different techniques for verifying identity. Many simply ask for a photo of a driver’s license. Retail Equation, a company that decides whether a consumer can make returns at retailers like Best Buy and Victoria’s Secret, asks only for a name and driver’s license number.

The wide array of companies now required to hand over data, from Baskin Robbins to The New York Times, have varying levels of security expertise and experience in providing data to consumers.

Companies such as Apple, Amazon and Twitter can ask users to verify their identity by logging into their platforms. All three give a heads-up via email after data is requested, which can help warn people if a hacker got access to their account. An Apple spokesman said that after a request is made, the company uses additional methods to verify the person’s identity, though the company said it couldn’t disclose those methods for security reasons.

If consumers can’t verify their identity by logging into an existing account, Mr. Di Martino and Mr. Robyns recommend that companies email them, call them or ask them for information that only they should know, such as the invoice number on a recent bill.

“Regulators need to think more about the unintended consequences of empowering individuals to access and delete their data,” said Steve Kirkham, who worked on Airbnb’s trust and safety team for five years, before founding Berbix in 2018. “We want to prevent fraudulent requests and let the good ones go through.”

It is on regulators’ minds. The California law requires businesses to “verify the identity of the consumer making the request to a reasonable degree of certainty” and to have a more stringent verification process for “sensitive or valuable personal information.”

Mr. Kirkham said Berbix requested the first selfie to test whether a person’s face matched their ID; the second selfie, with a smile or some other facial expression, ensures that someone isn’t simply holding a photo up to the camera. Mr. Kirkham said Berbix ultimately deleted the data collected within seven days to a year, depending on the retention period requested by the company that hires the firm. (Sift deletes its data after two weeks.)

“It’s a new threat vector companies should consider,” said Blake Brannon, vice president of product at OneTrust, another company that helps businesses comply with the new data privacy laws. OneTrust offers the 4,500 organizations using its service the option to create several levels of identity verification, such as sending a token to someone’s phone or verifying ownership of an email address.

“If I’m requesting something simple or lightweight, the verification is minimal, versus a deletion request,” Mr. Brannon said. “That will require more levels of verification.”

Mr. Kirkham of Berbix said the verification process discouraged some people from making the data request at all.

“A lot of people don’t want to give more information,” Mr. Kirkham said. “Their assumption is that you will do something nefarious with it.”

He added: “But that’s the irony here. We require additional information from people to protect them. We want to make sure you are who you say you are.”

Real Estate, and Personal Injury Lawyers. Contact us at: https://westlakelegal.com 

Want Your Personal Data? Hand Over More

Westlake Legal Group 00datarequests2-facebookJumbo Want Your Personal Data? Hand Over More Science and Technology Privacy Law and Legislation General Data Protection Regulation (GDPR) Data Storage California

The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.

In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.

That vendor, Berbix, helped verify the identity of people requesting data by asking them to upload photos of their government ID and to take a selfie. It then asked them to take a second selfie while following instructions. “Make sure you are looking happy or joyful and try again” was one such command.

Many people who read the article about my experience were alarmed by the information that Berbix asked for — and the need to smile for their secret file.

“This is a nightmare future where I can’t request my data from a creepy shadow credit bureau without putting on a smile for them, and it’s completely insane,” Jack Phelps, a software engineer in New York City, said in an email.

“It just seems wrong that we have to give up even more personal information,” wrote another reader, Barbara Clancy, a retired professor of neuroscience in Arkansas.

That’s the unpleasant reality: To get your personal data, you may have to give up more personal data. It seems awful at first. Alistair Barr of Bloomberg called it “the new privacy circle of hell.”

But there’s a good reason for this. Companies don’t want to give your data away to the wrong person, which has happened in the past. In 2018, Amazon sent 1,700 audio files of a customer talking to his Alexa to a stranger.

The right to have access to personal data is enshrined in the new California Consumer Privacy Act. The law is modeled in part on privacy regulations in Europe, known as the General Data Protection Regulation, or G.D.P.R. Soon after Europe’s law went into effect, in May 2018, a hacker gained access to the Spotify account of Jean Yang, a tech executive, and successfully filed a data request to download her home address, credit card information and a history of the music she had listened to.

Since then, two groups of researchers have demonstrated that it’s possible to fool the systems created to comply with G.D.P.R. to get someone else’s personal information.

One of the researchers, James Pavur, 24, a doctoral student at Oxford University, filed data requests on behalf of his research partner and wife, Casey Knerr, at 150 companies using information that was easily found for her online, such as her mailing address, email address and phone number. To make the requests, he created an email address that was a variation on Ms. Knerr’s name. A quarter of the companies sent him her file.

“I got her Social Security number, high school grades, a good chunk of information about her credit card,” Mr. Pavur said. “A threat intelligence company sent me all her user names and passwords that had been leaked.”

Mariano Di Martino and Pieter Robyns, computer science researchers at Hasselt University in Belgium, had the same success rate when they approached 55 financial, entertainment and news companies. They requested each other’s data, using more advanced techniques than those of Mr. Pavur, such as photoshopping each other’s government ID. In one case, Mr. Di Martino received the data file of a complete stranger whose name was similar to that of Mr. Robyns.

Both sets of researchers thought the new law giving the right to data was worthwhile. But they said companies needed to improve their security practices to avoid compromising customers’ privacy further.

“Companies are rushing to solutions that lead to insecure practices,” Mr. Robyns said.

Companies employ different techniques for verifying identity. Many simply ask for a photo of a driver’s license. Retail Equation, a company that decides whether a consumer can make returns at retailers like Best Buy and Victoria’s Secret, asks only for a name and driver’s license number.

The wide array of companies now required to hand over data, from Baskin Robbins to The New York Times, have varying levels of security expertise and experience in providing data to consumers.

Companies such as Apple, Amazon and Twitter can ask users to verify their identity by logging into their platforms. All three give a heads-up via email after data is requested, which can help warn people if a hacker got access to their account. An Apple spokesman said that after a request is made, the company uses additional methods to verify the person’s identity, though the company said it couldn’t disclose those methods for security reasons.

If consumers can’t verify their identity by logging into an existing account, Mr. Di Martino and Mr. Robyns recommend that companies email them, call them or ask them for information that only they should know, such as the invoice number on a recent bill.

“Regulators need to think more about the unintended consequences of empowering individuals to access and delete their data,” said Steve Kirkham, who worked on Airbnb’s trust and safety team for five years, before founding Berbix in 2018. “We want to prevent fraudulent requests and let the good ones go through.”

It is on regulators’ minds. The California law requires businesses to “verify the identity of the consumer making the request to a reasonable degree of certainty” and to have a more stringent verification process for “sensitive or valuable personal information.”

Mr. Kirkham said Berbix requested the first selfie to test whether a person’s face matched their ID; the second selfie, with a smile or some other facial expression, ensures that someone isn’t simply holding a photo up to the camera. Mr. Kirkham said Berbix ultimately deleted the data collected within seven days to a year, depending on the retention period requested by the company that hires the firm. (Sift deletes its data after two weeks.)

“It’s a new threat vector companies should consider,” said Blake Brannon, vice president of product at OneTrust, another company that helps businesses comply with the new data privacy laws. OneTrust offers the 4,500 organizations using its service the option to create several levels of identity verification, such as sending a token to someone’s phone or verifying ownership of an email address.

“If I’m requesting something simple or lightweight, the verification is minimal, versus a deletion request,” Mr. Brannon said. “That will require more levels of verification.”

Mr. Kirkham of Berbix said the verification process discouraged some people from making the data request at all.

“A lot of people don’t want to give more information,” Mr. Kirkham said. “Their assumption is that you will do something nefarious with it.”

He added: “But that’s the irony here. We require additional information from people to protect them. We want to make sure you are who you say you are.”

Real Estate, and Personal Injury Lawyers. Contact us at: https://westlakelegal.com 

Smile for Your Data File!

Westlake Legal Group 00datarequests2-facebookJumbo Smile for Your Data File! Science and Technology Privacy Law and Legislation General Data Protection Regulation (GDPR) Data Storage California

The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.

In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.

That vendor, Berbix, helped verify the identity of people requesting data by asking them to upload photos of their government ID and to take a selfie. It then asked them to take a second selfie while following instructions. “Make sure you are looking happy or joyful and try again” was one such command.

Many people who read the article about my experience were alarmed by the information that Berbix asked for — and the need to smile for their secret file.

“This is a nightmare future where I can’t request my data from a creepy shadow credit bureau without putting on a smile for them, and it’s completely insane,” Jack Phelps, a software engineer in New York City, said in an email.

“It just seems wrong that we have to give up even more personal information,” wrote another reader, Barbara Clancy, a retired professor of neuroscience in Arkansas.

That’s the unpleasant reality: To get your personal data, you may have to give up more personal data. It seems awful at first. Alistair Barr of Bloomberg called it “the new privacy circle of hell.”

But there’s a good reason for this. Companies don’t want to give your data away to the wrong person, which has happened in the past. In 2018, Amazon sent 1,700 audio files of a customer talking to his Alexa to a stranger.

The right to have access to personal data is enshrined in the new California Consumer Privacy Act. The law is modeled in part on privacy regulations in Europe, known as the General Data Protection Regulation, or G.D.P.R. Soon after Europe’s law went into effect, in May 2018, a hacker gained access to the Spotify account of Jean Yang, a tech executive, and successfully filed a data request to download her home address, credit card information and a history of the music she had listened to.

Since then, two groups of researchers have demonstrated that it’s possible to fool the systems created to comply with G.D.P.R. to get someone else’s personal information.

One of the researchers, James Pavur, 24, a doctoral student at Oxford University, filed data requests on behalf of his research partner and wife, Casey Knerr, at 150 companies using information that was easily found for her online, such as her mailing address, email address and phone number. To make the requests, he created an email address that was a variation on Ms. Knerr’s name. A quarter of the companies sent him her file.

“I got her Social Security number, high school grades, a good chunk of information about her credit card,” Mr. Pavur said. “A threat intelligence company sent me all her user names and passwords that had been leaked.”

Mariano Di Martino and Pieter Robyns, computer science researchers at Hasselt University in Belgium, had the same success rate when they approached 55 financial, entertainment and news companies. They requested each other’s data, using more advanced techniques than those of Mr. Pavur, such as photoshopping each other’s government ID. In one case, Mr. Di Martino received the data file of a complete stranger whose name was similar to that of Mr. Robyns.

Both sets of researchers thought the new law giving the right to data was worthwhile. But they said companies needed to improve their security practices to avoid compromising customers’ privacy further.

“Companies are rushing to solutions that lead to insecure practices,” Mr. Robyns said.

Companies employ different techniques for verifying identity. Many simply ask for a photo of a driver’s license. Retail Equation, a company that decides whether a consumer can make returns at retailers like Best Buy and Victoria’s Secret, asks only for a name and driver’s license number.

The wide array of companies now required to hand over data, from Baskin Robbins to The New York Times, have varying levels of security expertise and experience in providing data to consumers.

Companies such as Apple, Amazon and Twitter can ask users to verify their identity by logging into their platforms. All three give a heads-up via email after data is requested, which can help warn people if a hacker got access to their account. An Apple spokesman said that after a request is made, the company uses additional methods to verify the person’s identity, though the company said it couldn’t disclose those methods for security reasons.

If consumers can’t verify their identity by logging into an existing account, Mr. Di Martino and Mr. Robyns recommend that companies email them, call them or ask them for information that only they should know, such as the invoice number on a recent bill.

“Regulators need to think more about the unintended consequences of empowering individuals to access and delete their data,” said Steve Kirkham, who worked on Airbnb’s trust and safety team for five years, before founding Berbix in 2018. “We want to prevent fraudulent requests and let the good ones go through.”

It is on regulators’ minds. The California law requires businesses to “verify the identity of the consumer making the request to a reasonable degree of certainty” and to have a more stringent verification process for “sensitive or valuable personal information.”

Mr. Kirkham said Berbix requested the first selfie to test whether a person’s face matched their ID; the second selfie, with a smile or some other facial expression, ensures that someone isn’t simply holding a photo up to the camera. Mr. Kirkham said Berbix ultimately deleted the data collected within seven days to a year, depending on the retention period requested by the company that hires the firm. (Sift deletes its data after two weeks.)

“It’s a new threat vector companies should consider,” said Blake Brannon, vice president of product at OneTrust, another company that helps businesses comply with the new data privacy laws. OneTrust offers the 4,500 organizations using its service the option to create several levels of identity verification, such as sending a token to someone’s phone or verifying ownership of an email address.

“If I’m requesting something simple or lightweight, the verification is minimal, versus a deletion request,” Mr. Brannon said. “That will require more levels of verification.”

Mr. Kirkham of Berbix said the verification process discouraged some people from making the data request at all.

“A lot of people don’t want to give more information,” Mr. Kirkham said. “Their assumption is that you will do something nefarious with it.”

He added: “But that’s the irony here. We require additional information from people to protect them. We want to make sure you are who you say you are.”

Real Estate, and Personal Injury Lawyers. Contact us at: https://westlakelegal.com