A few days ago I sent a GDPR request to some company to delete my personal data. They said to install their app and send a ticket from the app. The email was sent from the email address to which the account is registered. Is this even legal?

  • Blackmist@feddit.uk
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    4
    ·
    1 year ago

    It’s way too easy to spoof email “from” addresses.

    There should be a way to do it through their website though. Requiring an app is just stupid.

    • wido@lemmy.tf
      link
      fedilink
      English
      arrow-up
      16
      arrow-down
      1
      ·
      1 year ago

      They literally replied to his registered email and he has the reply. That would indicate that he has at least access to the account. So with OP’s next email quoting the reply ownership over the associated email address should be reasonably established.

    • My Password Is 1234@lemmy.worldOP
      link
      fedilink
      arrow-up
      10
      ·
      edit-2
      1 year ago

      Their site is just a landing page, there’s no login option or anything like that. Their business is a smartphone application.

      Edit: Gmail uses SPF, DMARC and DKIM signing so spoofing is not possible if their email services are configured properly.

      • Onioneer@sopuli.xyz
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        SPF/DKIM/DMARC does not prevent sending the spoofed message, though. It is up to the recipient system to filter out the message should the checks fail. Even then, the message often lands into spam instead of being dropped.

        • My Password Is 1234@lemmy.worldOP
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          Anyway they should configure their systems to reject unsigned e-mails and providers that don’t have a proper SPF configuration. SPF (Sender Policy Framework) allows you to make sure that the message was sent by an approved server and was not forged by some hackur.

          • fatalError@lemmy.sdf.org
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            You’d be surprised how many legitimate email are sent with failed SPF. Even Microsoft sometimes doesn’t update their MX records and the SPF fails.

      • Skull giver@popplesburger.hilciferous.nl
        link
        fedilink
        arrow-up
        3
        arrow-down
        2
        ·
        1 year ago

        SPF, DMARC, and DKIM don’t work to actually verify that the message you sent is from the person it says sent it. I know it’s stupid, but DKIM has been designed more as spam protection than as email verification.

        Also, anyone with access to a Google mail server can generate valid DKIM signatures for any Google operated mail domain because of Gmail weirdness.

        While their demand to install an app just to contact them is rather stupid, they may ask you to identify yourself to verify your identity, and that request may involve sending over a picture of your ID. An email address alone isn’t enough to verify your identity, that’s why modern apps have 2FA.

        You can always ask your local DPA for guidance of to lodge a complaint, but installing the app may be the most privacy friendly way to identify yourself by proving account access.