Supreeth Shastri

2 Papers

6.3 | CY | May 26 | Code
Faults and Pitfalls in Implementing the Right to be Forgotten

Chen Sun, Nikolas Guggenberger, Supreeth Shastri

Right to be Forgotten (RTBF) is one of the oldest and most prominent of the legal data rights. While its legal intention is straightforward (for example, the GDPR describes it in just 417 words), the computing community has found it challenging to implement this in practice. For example, regulators have issued 205 RTBF violations in the first five years of GDPR, i.e., an RTBF failure once every 9 days, on average. In this work, we identify the uncertainties and risks in supporting RTBF from a computing perspective. Then, to mitigate these challenges, we propose a two-phase approach that bridges an intrinsic dichotomy between law and computing. We demonstrate the effectiveness of our technique by showing how it could have fully avoided 80% of RTBF violations that occurred in year 6 of GDPR. We also discover six long-standing practices of computing and data management that have become anti-patterns for RTBF. Finally, to ground our research, we introduce RTBF capability into Elasticsearch, a popular open-source search engine.

CY | Mar 8, 2019
The Seven Sins of Personal-Data Processing Systems under GDPR

Supreeth Shastri, Melissa Wasserman, Vijay Chidambaram

In recent years, our society has been plagued by unprecedented levels of privacy and security breaches. To rein in this trend, the European Union, in 2018, introduced comprehensive legislation called the General Data Protection Regulation (GDPR). In this paper, we review GDPR from a system design perspective, and identify how its regulations conflict with the design, architecture, and operation of modern systems. We illustrate these conflicts via the seven GDPR sins: storing data forever; reusing data indiscriminately; walled gardens and black markets; risk-agnostic data processing; hiding data breaches; making unexplainable decisions; treating security as a secondary goal. Our findings reveal a deep-rooted tussle between GDPR requirements and how modern systems have evolved. We believe that achieving compliance requires comprehensive, ground-up solutions, and anything short would amount to fixing a leaky faucet in a sinking ship.