Message-ID: <d72d6992-ded8-4eb3-24a4-fe40cc1ff5bd@zoller.lu>
Date: Thu, 11 Mar 2021 13:33:35 +0100
From: Thierry Zoller <thierry@...ler.lu>
To: fulldisclosure@...lists.org
Subject: Re: [FD] [CDPWE-0001] - RocketReach

===================================================================
Adapting the Mechanics of Vulnerability Disclosure to an area where 
Privacy Rights need to be scrutinized and where transparency becomes 
paramount.
===================================================================

On the 29.05.2020 I reported a way to bypass the GDPR as the Data 
Protection Authorities claimed to not have a possibility to act against
such abuse.

I am happy to announce that a Patch is being developed and that NOYB is
taking the CNPD to court on this matter. You can read more about it here:
https://noyb.eu/en/luxemburgs-watchdog-refuses-show-its-teeth-us-companies
================================================================

Adapting the Mechanics of Vulnerability Disclosure to an area where 
Privacy Rights need to be scrutinized and where transparency becomes 
paramount.

________________________________________________________________________

How to effectively evade the GDPR and the reach of the DPA (CDPWE-0001)
________________________________________________________________________

Company : Rocketreach
Status  : DPA does not pursue any further
CDPWE   : CDPWE-0001 - Does not designate a Representative in the 
European Union
URL     : 
https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html
Vulnerability Disclosure Policy: https://caravelahq.com/b/policy/20949


I. Background
----------------
RocketReach is selling access to millions of European Data Subjects 
without recognising it is a Data Controller, without a representative
in the EU (ART.27) and with a questionable legal basis for processing.

II. Impact
----------------------------
Companies around the World can Process and sell Information about 
European data subjects without the DPA sanctioning them for doing
so, simply by not designating an EU Representative according to Art.27 of 
the GDPR.

Note: That representative would be held accountable; without it the CNPD 
(LUX DPA) argues that there is no way for them to proceed.

https://www.privacy-regulation.eu/en/article-27-representatives-of-controllers-or-processors-not-established-in-the-union-GDPR.htm

III. Advisory
----------------------------
If your data is also included in Rocketreach (just search on their 
website), then file a complaint with your local DPA (it's usually very 
easy and fast).


V. Timeline
----------------------------

5th of April  2019 - Issued a DSAR to RocketReach
5th of April  2019 - Rocketreach responds by deleting my data
5th of April  2019 - Filed a complaint via my national DPA (CNPD)
6th of March  2020 - The CNPD agrees with my position but claims to not 
be able to pursue further.
See: 
https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/