Problems of access to personal data on behalf of all participants in the process

Greetings, dear habrovchane.

Lyrical digression
As a user of one of the "highly developed" resources of the Runet, I discovered a fairly common picture in the admin panel of my profile: spam was being sent out in my name.
For me this was something of a signal, because in all that time (I have been an active user of internet resources since 1999), as long as I used login-and-password access to my resources, I had not had a single (at least, not a single recorded) case of such data being hacked or leaked. I use a unique password for each resource; of course, as with many experienced users, that password has a common root, but it is still not primitive.

A story about how an ordinary user started taking action.

Lyrical digression
There are thousands of articles about stealing passwords from devices, and just as many methods, but since the password is unique, this was not a signal for me to change the others; it only caused alarm and a desire to find out how the confidentiality of the password had been lost.

First of all, I decided that one of my devices could have been zombified. Since I almost never use a VPN, and even less so for this resource, I decided to compare the access logs with my own data to check. After a brief search I discovered that the resource has no software function for user access to such information. Accordingly, I wrote to support with a request to give me this information:
Greetings, I discovered that spam messages are being sent from my account. I need to find out from which device this happened, to try to determine how the attackers got the password to my account. Can I get information about the facts of access to my profile?
To which I received the answer:
Support Agent:
Hello, User.

We noticed signs of hacking in your profile. The tools with which the hacking was carried out are unknown to us.

As we can see, you have already changed the password from your Personal Account, and at the same time we recommend changing the password from email as well.

After logging in to your profile, check if your name, phone number and city are correctly specified in the Settings section (https: //

How to protect your profile from hacking, you can read here: (https: // / ...)
Good mood and successful transactions on the Service.
As you can see, there was no concrete answer to my question, but the staff made friendly recommendations. Well, I had to write again:
Thank you for the answer, and maybe IP addresses or some logs can be seen? I wonder if this could be a zombification of one of my devices?
And here I get the traditional rejection:

Support Agent:
User, we do not disclose details so that this information cannot be used to the detriment of the service and users.
Hope for your understanding.
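The check the author set out to do at the start (compare the service's access log against his own devices to see whether one of them had been compromised), as an added example that is not part of the original post; the log format, the addresses, the networks and the user-agent strings are constructed for illustration:

```python
import ipaddress
from collections import namedtuple
from datetime import datetime

LoginEvent = namedtuple("LoginEvent", "when ip user_agent")

# Constructed sample of the kind of self-service "account access log" the author
# asked the service for: timestamp, source address, client user-agent.
SAMPLE_LOG = """\
2018-10-01T08:12:03Z 203.0.113.17 Mozilla/5.0 (Windows NT 10.0) Firefox/62.0
2018-10-01T21:45:10Z 203.0.113.17 Mozilla/5.0 (Linux; Android 8.0) Chrome/69.0
2018-10-02T03:02:41Z 198.51.100.5 python-requests/2.19.1
2018-10-02T03:04:12Z 198.51.100.5 python-requests/2.19.1
2018-10-02T11:30:00Z 203.0.113.17 python-requests/2.19.1
"""

# What the user knows about his own environment (assumed values): the address
# block his home connection uses and the browsers he actually runs.
MY_NETWORKS = ["203.0.113.0/24"]
MY_CLIENTS = ["Firefox/62.0", "Chrome/69.0"]


def parse_log(text):
    """Parse one event per line: '<ISO-8601 UTC> <ip> <user-agent...>'."""
    events = []
    for line in text.splitlines():
        when, ip, ua = line.split(" ", 2)
        events.append(LoginEvent(datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ"), ip, ua))
    return events


def triage(events, networks=MY_NETWORKS, clients=MY_CLIENTS):
    """Return (event, verdict) for every login the user's own devices do not explain."""
    nets = [ipaddress.ip_network(n) for n in networks]
    flagged = []
    for e in events:
        ip_known = any(ipaddress.ip_address(e.ip) in n for n in nets)
        ua_known = any(c in e.user_agent for c in clients)
        if ip_known and ua_known:
            continue  # my address, my browser: nothing to explain
        if ip_known:
            # The author's "zombie" hypothesis: traffic from his own network
            # but from a client he does not use, so that device needs a look.
            verdict = "own network, unfamiliar client: inspect that device"
        elif ua_known:
            verdict = "foreign address, familiar client: credentials used elsewhere"
        else:
            verdict = "foreign address and client: automated login from outside"
        flagged.append((e, verdict))
    return flagged
```

With the sample above, the two `python-requests` logins from a foreign address and the one from the user's own network are flagged, and the verdict tells the user which of the two explanations (a compromised device or a leaked password) each event supports.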
You can read how our state defines the term "personal data" in the Federal Law, or in these posts: "What does Federal Law No. 152 'On Personal Data' give an ordinary person?"
For example, the post "How an ordinary user fought for compliance with the law 'On Personal Data'" describes the usual request for the removal of personal data, which the negligent owners fulfilled only with difficulty, after a painful reading of the law "On Personal Data". But what about the time lost resolving these issues if a "stubborn" operator refuses to provide data to the subject? Of course, an attacker could just as well have made such a request in my name, so one should not expect an instant response from the operator. In this sense, such behaviour by operators is a more reliable way of keeping user data safe, especially if the account has been hacked.
Persistently, and probably rather annoyingly, I try to put pressure on an employee of the company and send the following:
In many respectable services, the transfer of such information is permissible and is in the public access.

In addition, I am asking for information about the attacker, so who, then, would use this information to anyone's detriment?

You are withholding information that the user requests from you, his own personal information, because it is "my" account on your service. In this context I am not a third party, and I have every right to demand this information from you based on your own rules, just as you require data from your users.

Thank you, I hope for understanding.
Of course, no one gave it to me "right there", and the employee gives a prepared answer:
Support Agent
Hello, User.

This information is private. We can provide it only at the official request of the authorized state bodies.

How the Service processes and protects user data can be found in Section No. 4 of the terms of use of the Service and policies in the area of ​​processing and security of data of users of the Service: (https: // / ...) and (https: / /

We also comply with the requirements of the federal law “On Personal Data” dated July 27, 2006. You can ask for a detailed explanation of the law to experts in the field of law. Service support service does not advise on legal issues.

We wish you a warm autumn!
All right, here I am already sitting in warm pants, in a warm chair.

Well, the story continues:
Greetings, Agent Support.

This information is closed to me only if I decide so myself, or if my access is restricted in accordance with the law.

Familiarize yourself with the rights of the subject of personal data.

Federal Law of July 27, 2006 No. 152 FZ. Article 14. The right of the subject of personal data to access his personal data.
- I have the right to request any information related to my personal data.
- You are violating my user rights.
- You collect technical information about my devices, analyze it and make money on it.

I, in turn, use your service; consider it working for you. Over the years of use you have brought me as little benefit as is possible for such services.
If you provide me the information in a form that is inconvenient or disorganized for me, I will request a complete download of the information for analysis.

If you plan to refuse me again, provide proof.
If you are not involved in legal issues, refer to those who are engaged.
Thank you for the warm autumn.
Here a personal assistant for the "raging" user enters the picture:
Support agent

Good afternoon.

My name is Daniel, I am a claim handling specialist.

In your situation I am checking the information further. Based on the result of the check, I will definitely get back to you with an answer.
A few hours later he gives the following:
Support Agent

Thank you for waiting: it took time to familiarize yourself with the situation.

The security of your credentials has a high priority for us - all communications with the Service are carried out via secure communication channels.

At the same time, we also need user assistance - we always advise:

1) not to share your password with anyone (even us);
2) a strong password includes letters and numbers and is at least 8 characters long, so it will be difficult for outsiders to guess; I recommend changing the password every 2-3 months;
3) regularly check all devices from which you access the Internet for viruses;
4) do not follow suspicious links. If you have nevertheless gone to a site where they require you to enter your username and password, immediately close the tab.

To protect your rights, you can contact the regulatory authorities; for our part, we are ready to assist in resolving this issue. However, to provide such information we need legal grounds. This can be a request from law enforcement / judicial officials, or from your lawyer.

We have a procedure whereby, upon an official request (not only law enforcement / judicial authorities but also your lawyer can send one), we provide this or that information.

To obtain such information, they need to send to our address an official request on the letterhead of the organization, stamped and signed by an authorized person, as well as the contact information of the executor, who can be contacted in case of additional questions, and the organization's fax number (mail is not provided). If this is a letter from your representative, he should additionally provide a scanned copy of the lawyer's certificate.

A scanned copy of the request must be sent by e-mail, and the original request by Russian Post to the legal department of OOO Service, addressed to the Head of the department for working with requests, Head S.Z., at the address: 123456, Moscow, Ulitsa St., 1

I believe that in the future you will not encounter such situations. If you need help with the Service, please contact us, we are always open to dialogue.
And then I went off to read up on the laws, waste my time and "ruin my eyes":
Thanks for the detailed answer.

I understand your interest in protecting clients, and I also see a reluctance to hand out information that is private to ordinary users. I can assume that you are not interested in this: instead of protecting my rights, you usurp them. What could the risk be? Whether it is an ordinary user or a well-known blogger, will he examine the information looking for a violation of his rights, or is he just defending his own interest?

I will tell you the reason why I am so interested in resolving this issue. In my entire history of using passwords (just believe that I am very careful about security), there has not yet been a single hack or password leak (at least, not a recorded one). Your system has no notification about a login from a new device; there is no open log for the client, as is done on some systems. Therefore it is important for me to find out the information about this incident, and it is desirable that it be complete and unaltered (Part 5, Art. 13.11 of the Administrative Code of the RF).

To protect my rights, the law does not require contacting regulatory authorities. If you need legal grounds, here they are:

Federal Law of July 27, 2006 No. 152 FZ. Article 14. The right of the subject of personal data to access his personal data.

The personal data subject has the right to require the operator to clarify his personal data, as well as to take measures provided for by law to protect his rights.

Information is provided to the personal data subject by the operator upon request. The request must contain the number of the main identity document of the personal data subject: Passport issued by TP № of the Department of the Federal Migration Service of Russia for the region; information confirming the participation of the personal data subject in relations with the operator: the user number is ; further, as you can see, I use your website, and according to your rules this means my agreement with the user agreement. After the conclusion of additional agreements I will attach a digital signature, since that is enough to send you a request in digital form.

My rights are protected by law. If you break the law, you should be held responsible for violating the law on personal data. I do not have to resort to the help of a lawyer, because I am not at all interested in your procedure. Keep the bureaucracy to yourselves.
It is better for you to fulfil my request, since Article 5.39 of the Administrative Code of the RF already applies to you.
Keep in mind that you should take our correspondence seriously. Time is passing; if three weeks go by with no reaction, you will fall under "failure of the operator to provide the personal data subject with information about the processing of his personal data", Part 4 of Art. 13.11 of the Administrative Code.

I hope, as you do, that I will not have to face a similar situation this time.
I'm waiting for your decision. Thank you.

P.S. I sympathize with you as an employee of the company: if you go along with me on this, it will not benefit your career, but the further we go, the higher the stakes. It's just more interesting, right?
At the moment I am confidently following the path described by the hardworking comrade in this article: "The mechanism of exercising their legal rights by personal data owners".
The war between users and operators for possession of personal data has been going on for many years.
According to the passport of the government programme "Digital Economy" (details in this article), heavy artillery will soon be deployed on the side of Russian users, in the form of a simple and effective way to access personal data without unnecessary bureaucracy.

Nowadays the issue of "protecting big data" has become topical, which looks more like the nationalization of the most powerful resource, during the consideration of changes to the law "On Information, Information Technologies and Information Protection". More details can be found in this publication.

All participants in the process

From the user's side, everything looks exactly like this: almost no one knows their rights or how to protect them. But personally I am interested in looking at it through the eyes of the other participants.

What does the operator do, what measures is he prepared to take, will he apply sanctions to an annoying user, and how often does he encounter such requests? What programmes of protection against such requests exist in large companies, and how likely is it that my case is flowing along a well-established pattern in which I will be "stewed" in bureaucracy? How valuable is the information the user requests in this case, and can it contain information that could be used against the operator? And is it possible to use it?

If you write a complaint to Roskomnadzor, how interested is it in acting on such complaints, and how valuable are they to it? Is there any difference between a little-known and a large resource?

I would be interested in the opinion of experts in this field. Sorry if these questions are frequently asked (give me links to read). Thank you for your attention.
