[gdpr-discuss] GDPR abuse ?

TJ 0.gdpr-discuss at iam.tj
Fri Apr 13 20:14:13 BST 2018


Thinking ahead, services could suffer Denial of Resources/Services
attacks via:

1. Repeated join, post, 'request deletion' from individual or multiple
data subjects acting in concert.

2. Individual data subjects may join, post, 'request deletion' to
multiple services simultaneously.

Because the 'deletion' data is PII, that should make it possible to
identify these activities, either by single services or by services
sharing intelligence.

That brings up an interesting issue. In order to operate effective
anti-spam measures to deal with this, data controllers/processors would
need to retain some PII. That retention would likely come under the
heading of 'needed to operate the service'.

Hashing the identity items individually (email address, nick-name,
real-name, telephone, etc.) would mean the anti-spam data was anonymous.
The only time it could be linked to an identity would be when the data
subject tries to join a service or request deletion using the same data.

Which brings up the other difficult issue with casual pseudonymous
services: verifying the requester is the data subject.
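
A sketch of the per-item hashing idea in the message above, added here as an example and not part of the original post: each identity item is normalised and hashed separately, and only the hashes and timestamps of deletion requests are kept. It swaps the bare hash for a keyed one (HMAC-SHA256), because e-mail addresses and phone numbers can otherwise be enumerated; the key, window, threshold and all names are assumptions.

```python
import hashlib
import hmac
import unicodedata
from collections import defaultdict

# Constructed demo key (assumption); a real service would load a random secret.
SERVICE_KEY = b"constructed-demo-key-not-for-production"
WINDOW_SECONDS = 30 * 24 * 3600  # assumed look-back window
MAX_DELETIONS = 2                # assumed threshold before a join is challenged


def normalise(kind, value):
    """Canonicalise an identity item so trivial variations hash identically."""
    value = unicodedata.normalize("NFKC", value).strip().casefold()
    if kind == "telephone":
        value = "".join(ch for ch in value if ch.isdigit())
    return value


def token(kind, value, key=SERVICE_KEY):
    """Keyed hash of one identity item; the kind is bound in so fields never collide."""
    msg = kind.encode() + b"\x00" + normalise(kind, value).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class DeletionLedger:
    """Keeps only tokens and timestamps of past deletion requests, no plaintext PII."""

    def __init__(self):
        self._events = defaultdict(list)  # token -> [unix timestamps]

    def record_deletion(self, identity, when):
        for kind, value in identity.items():
            self._events[token(kind, value)].append(when)

    def recent_deletions(self, identity, now):
        """Per item kind, count deletions inside the window for the presented data."""
        counts = {}
        for kind, value in identity.items():
            stamps = self._events.get(token(kind, value), [])
            counts[kind] = sum(1 for t in stamps if now - t <= WINDOW_SECONDS)
        return counts

    def should_challenge(self, identity, now):
        """True when any single presented item has hit the deletion threshold."""
        counts = self.recent_deletions(identity, now)
        return any(n >= MAX_DELETIONS for n in counts.values())
```

Because each item is tokenised on its own, a rejoin that reuses the e-mail address but changes the nick-name still matches on the e-mail token.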


