A few days ago I sent a GDPR request to some company to delete my personal data. They said to install their app and send a ticket from the app. The email was sent from the email address to which the account is registered. Is this even legal?
A few days ago I sent a GDPR request to some company to delete my personal data. They said to install their app and send a ticket from the app. The email was sent from the email address to which the account is registered. Is this even legal?
It’s way too easy to spoof email “from” addresses.
There should be a way to do it through their website though. Requiring an app is just stupid.
They literally replied to his registered email and he has the reply. That would indicate that he has at least access to the account. So with OP’s next email quoting the reply ownership over the associated email address should be reasonably established.
If you can read emails sent to a given address, and send replies from that address, it basically is your email address for all practical purposes no matter who was meant to be using the account. This is not necessarily a good thing and better end-to-end security would be nice but it is what it is. Odds are the app itself would let anyone change the password and log in provided they can read the emails, unless it’s using some form of 2FA.
Their site is just a landing page, there’s no login option or anything like that. Their business is a smartphone application.
Edit: Gmail uses SPF, DMARC and DKIM signing so spoofing is not possible if their email services are configured properly.
SPF/DKIM/DMARC does not prevent sending the spoofed message, though. It is up to the recipient system to filter out the message should the checks fail. Even then, the message often lands into spam instead of being dropped.
Anyway they should configure their systems to reject unsigned e-mails and providers that don’t have a proper SPF configuration. SPF (Sender Policy Framework) allows you to make sure that the message was sent by an approved server and was not forged by some hackur.
You’d be surprised how many legitimate email are sent with failed SPF. Even Microsoft sometimes doesn’t update their MX records and the SPF fails.
That is especially true with large organizations where multiple non-technical teams are ordering/configuring products that send email.
Unfortunately it is difficult to solve, unless services stop allowing sending without verifying and forcing proper configuration. That would drive sales to competitors who do not enforce this, though.
But there are other services than GMail around. Companies want one process that handles all requests equally, so there will be no exceptions for “check if the provider uses DMARC and DKIM”.
[This comment has been deleted by an automated system]