home Cyber Cyber Security EU’s Right To Be Forgotten Flaws Revealed

EU’s Right To Be Forgotten Flaws Revealed

Jun 17, 2016

This post is also available in: עברית (Hebrew)

Under EU law, citizens have the “Right to be Forgotten,” whereby they can petition internet search providers such as Google to remove search results that display personal information that is defamatory or negative. Often, these results relate to accusations of financial difficulties and misdoings or criminal activity. These can be “delisted” in cases where the information is erroneous or no longer relevant, but a new study shows that “gone” is not always “forgotten.”

“The Right to Be Forgotten has been largely working and is responding to legitimate privacy concerns of many Europeans,” said New York University Professor Keith Ross, principal researcher of the study. “Our research shows, however, that a third-party, such as a transparency activist or a private investigator, can discover many delisted links and determine the names of the people who requested the delistings.”

The study focused only on requests to delist content from major online mass media outlets such as newspapers and broadcasters, says NYU. Under the current law, search providers are required to delist search links, media providers, however, are under no obligation to remove articles from the internet.

The study showed that when the URL of the article is known, it is almost trivial to determine who requested the delisting. Out of 283 delisted URLs, the researchers were able to determine successfully the names of 103 requesters.

But the research shows that even without knowing the URL this information is possible to reveal. All one has to do is download articles on topics commonly requested for delisting, such as financial misconduct or sexual assault, extract names from the article, and query them in a European variant of Google search.

Using this method, a third-party could successfully determine 30 to 40 percent of delisted mass-media articles, including the names of delisting requesters. The researchers believe there is very little to be done to defend against these attacks on privacy.