Impersonation feature on company platforms

The Reality of the Impersonation Feature on Company Platforms.

Many company platforms and apps include an impersonation feature which allows administrative users to access accounts as though they were logged in as the users themselves.

Imagine knowing that by simply having an account with a company, you are unknowingly granting access to this company’s everyday employees to access your data in just the same way that you would, had you logged in with your username and password. Such is, or has been the case with many companies that we all use on a regular basis. The truth is that there are “user impersonation” tools built into the software of many tech companies like Facebook and Twitter, which not only allow employees to access your account as though they have logged in as you, but also this could be happening without your knowledge. The account holder, or user is typically not notified when this happens, nor is their consent needed in order for this to happen. According to a recent article on OneZero, “…these tools are generally accepted by engineers as common practice and rarely disclosed to users.” The problem is that these tools can be, and have been misused by employees to access users’ private information and even track the whereabouts of users of these companies’ platforms.

The Fiasco Surrounding Uber’s “God mode” Impersonation Feature.

In recent years, the popular transport company, Uber has come under fire for its privacy policies, and in particular, its questionable impersonation features, known as “God mode”. Using the feature, the company’s employees were able to track the whereabouts of any user. Uber employees were said to have been tracking the movements of all sorts of users from famous politicians to their own personal relations. After being called to task by US lawmakers, the company apologized for the misuse of this feature by some of its executives and stated that it’s policies have since been updated to avoid this issue in the future. Uber is not unique to this sort of privacy breach. Lyft is also known to have comparable tools, along with several other companies.

Impersonation Features Form Part of Most Popular Programming Tools.

Impersonation Feature use is much more widespread than just a few known companies. Popular programming languages like Ruby on Rails and Laravel offer this feature, which has been downloaded several million times. The impersonation tools offered by these services do not usually require users’ permission, nor do they notify users that their account has been accessed. It is pretty common for developers to simply white list users with administrator access giving them access to impersonator mode, thereby allowing them to access any account as though they were logged in as that user.

How Impersonation Features Can Be Made Safer.

Some companies have made changes to their policies and procedures in order to make impersonation features safer for customers. For example Uber, following their legal troubles over the ‘ God mode’ feature, have made it necessary for their employees to request access to accounts through security. Other companies have resolved to require the user to specifically invite administrators in order to grant them access.

According to Dr Bostjan Makarovic, Aphaia’s Managing Partner, “Whereas there may be legitimate reasons to view a profile through the eyes of the user to whom it belongs, such as further app development and bug repair, GDPR requires that such interests are not overridden by the individual’s privacy interests. This can only be ensured by means of an assessment that is carried out prior to such operations.”

Does your company use impersonation features and want to be sure you are operating within GDPR requirements? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

European Supermarket Chain may face inspection over new fingerprinting system

Belgian data protection authority, Gegevensbeschermingsautoriteit, may launch an investigation into supermarket chain Carrefour’s fingerprint payment system.


Theres no denying that we currently live in a fast paced, highly technological era. One which constantly ushers in new means of identifying individuals and processing digital paymentsall geared towards increased convenience. At this stage, thanks to mobile phone advances, fingerprinting may very well be one of the more widely used means of identification but its uses are certainly not confined merely to mobile devices. In fact just this week, one of Europes largest supermarket chains, Carrefour, announced that it will organise a pilot project allowing clients to pay for their groceries with their fingerprints in a store in the centre of Brussels.  



A report from the Brussels Times explains that the Carrefour pilot project will enable clients to pay by scanning their finger at the cash register, after which the money will disappear from their bank account. And while this may result in faster check out times and a more convenient means of shopping there are undoubtedly privacy and security risksrisks which the Belgian data Protection authority would not only like consumers to be aware of but which may warrant and lead to an investigation by the DPA.


Referencing a report from De Standaard,  the Brussels Times presented the following comment from David Stevens, president of the GBA;


We asked Carrefour a few questions and discovered that a test had already taken place . . . It turned out that Carrefour had already collected fingerprints. Now that weve heard the news about the new experiment with fingerprint payments, theres a good chance well send our inspectors. I cannot yet formally confirm that we will do that, but I think there is a good chance.


….that is more than just a signature on paper. Customers really have to understand the risks. If, through hacking, your password falls into the wrong hands, you can replace it. But you cannot just change your fingerprint, face or the iris of your eye. Hence the strict rules,Stevens is further reported to have said.


Fingerprint risks are covered by GDPR Article 30, which generically refers to online identifiers, which means data protection rules directly apply to fingerprint. This is because fingerprinting constitutes the use of biometric datai.e a way to measure a persons physical characteristics to verify their identity. Biometric data is therefore personal data which must be processed on a lawful basis in compliance with GDPR and the UKs Data Protective Act.


Does your company utilize biometric data such as fingerprinting, voiceprinting and facial recognition? If yes, failure to adhere fully to the guidelines and rules of the GDPR and Data Protection Act 2018 could result in a hefty financial penalty. Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. Contact us today.




eprivacy regulation draft

ePrivacy Regulation Draft to be updated and presented at next EU Presidency

A revamped draft ePrivacy Regulation is expected to be presented at next Presidency of the EU.

Last week, Aphaia reported on the  newsoriginally presented by the European Digital Rights (EDRi)that EU states had rejected the draft ePrivacy Regulation. Understandably, this shocking outcome had spurred EU wide concern. The head of policy at the EDRi had forcefully admonished that the EUs inability to date to ensure strong privacy protections in the ePrivacy Regulation is a step backwards for the EU.Today, it seems that fears that the recent rejection would result in a permanent withdrawal of draft ePrivacy regulation can now be laid to rest. Three days ago (on December 3), Internal Market Commissioner Thierry Breton announced that the European Commission will present a revised ePrivacy proposal as part of the forthcoming Croatian Presidency of the EU.

Well have to put a new proposal on the table because I definitely think that everybody wants to do something, but obviously you are not in agreement,an Euractiv article quotes Breton as he appeared in front of the Transport, Telecommunications and Energy Council. So, I propose, that, for the next presidency, we will put on the table a new proposal obviously matching all your concerns and interests, because I really think that regarding our fellow citizens, there is an urgent need to move forward.

The revamped ePrivacy Regulation is expected to offer regulations for internet phone and message services like Skype and WhatsApp. The existing 2002 ePrivacy and Electronic Directivewhich the proposed new ePrivacy regulation is expected to replaceoffers strict privacy protection only to text messages and voice calls provided by traditional telecoms.

Privacy rules should be the same across EU, but not at any price. We trust the final ePrivacy Regulation draft will properly protect citizens’ electronic privacy rights and, at the same time, it will not be a game changer”. Cristina Contero Almagro, Partner in Aphaia.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR and ePrivacyadaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.