NYU Researchers Find Weak Spots in Europe’s “Right to be Forgotten” Data Privacy Law

NYU Professor Keith Ross

Under Europe’s “Right to be Forgotten” law, citizens there can petition Internet search providers such as Google to remove search results linked to personal information that is negative or defamatory. In many cases, these links lead to information about accusations of criminal activity or financial difficulties, which may be “delisted” if the information is erroneous or no longer relevant.

But “gone” doesn’t always mean “forgotten,” according to a new study by researchers at the New York University Tandon School of Engineering, NYU Shanghai, and the Federal University of Minas Gerais in Brazil.

“The Right to Be Forgotten has been largely working and is responding to legitimate privacy concerns of many Europeans,” said New York University Professor Keith Ross. “Our research shows, however, that a third-party, such as a transparency activist or a private investigator, can discover many delisted links and determine the names of the people who requested the delistings.” Ross, the Leonard J. Shustek Professor of Computer Science at NYU Tandon and dean of engineering and computer science at NYU Shanghai, led the research team, which included  Professor of Computer Science Virgilio Almeida and doctoral students Evandro Cunha and Gabriel Magno, all of the Federal University of Minas Gerais, and Minhui Xue, a doctoral student at NYU Shanghai.

They focused only on requests to delist content from mass media sites such as online newspapers and broadcast outlets. Although the law requires search engines to delist search links, it does not require newspaper articles and other source material to be removed from the Internet.

A hacker faces a fairly low bar if he or she knows a particular URL has been delisted. Of 283 delisted URLs used in the study, the authors successfully determined the names of the requesters in 103 cases.

But the authors also demonstrated that a hacker can prevail even when the URL is unknown, by downloading media articles about topics most commonly associated with delisting, including sexual assault and financial misconduct; extracting the names from the articles; then sending multiple queries to a European Google search site to see if the articles were delisted.

The researchers estimate that a third party could potentially determine 30 to 40 percent of the delisted mass-media URLs, along with the names of the people who made the delisting requests. Such hackers do exist and have published the names of people who requested delisting, thereby opening them to even more public scrutiny — the so-called “Streisand effect,” a phenomenon, named for the reclusive star, whereby an attempt to hide a piece of information has the unintended consequence of publicizing the information more widely.

Their results show that the law has fundamental technical flaws that could compromise its effectiveness in the future.

Demographic analysis revealed that the majority of requesters were men, ages 20-40, and most were ordinary citizens, not celebrities. In accordance with the law, Google delisted links for persons who were wrongfully charged, acquitted, or who finished serving their sentences, among other privacy issues.

This distribution of the topics most often associated with links delisted by Google under Europe's Right to be Forgotten law are serious and troubling, including assault and sexual assault, murder, terrorism, financial misconduct, and drug use.

This distribution of the topics most often associated with links delisted by Google under Europe's Right to be Forgotten law are serious and troubling, including assault and sexual assault, murder, terrorism, financial misconduct, and drug use.

The researchers believe that defenses to these privacy attacks are limited. One possible defense would be for Google to never display the delisted URL in its search results. (Currently, Jane Doe’s delisted robbery article would not show up when her name is used in a search, but would do so if the name of the bank were searched, for example.) This defense is not only a strong form of censorship, but can also be partially circumvented, they said.

A French data protection authority recently ordered Google to delist links from all of its properties including Google.com, in addition to its search engines with European suffixes. Google has so far refused, and the dispute is likely to end up in European courts. “Even if this law is extended throughout all of the Google search properties, the potential for such attacks will be unchanged and they will continue to be effective,” said Almeida of the Federal University of Minas Gerais.

The researchers noted that they will never publicly share the names discovered in association with their analysis. They informed Google of the research results.

The paper, entitled The Right to be Forgotten in the Media: A Data-Driven Study is available at http://engineering.nyu.edu/files/RTBF_Data_Study.pdf.  It will be presented the 16th Annual Privacy Enhancing Technologies Symposium in Darmstadt, Germany, in July, and will be published in the proceedings.

Note: Image available at http://dam.poly.edu/?c=1739&k=6892ff72f9


The NYU Tandon School of Engineering dates to 1854, when the NYU School of Civil Engineering and Architecture as well as the Brooklyn Collegiate and Polytechnic Institute (widely known as Brooklyn Poly) were founded. Their successor institutions merged in January 2014 to create a comprehensive school of education and research in engineering and applied sciences, rooted in a tradition of invention, innovation and entrepreneurship. In addition to programs at its main campus in downtown Brooklyn, it is closely connected to engineering programs in NYU Abu Dhabi and NYU Shanghai, and it operates business incubators in downtown Manhattan and Brooklyn.