|
Message-ID: <CA+E3k90C6YC2vTqVEcaOSKsfiecLcmQRB_gt1E6jnp9dBKgq9g@mail.gmail.com>
Date: Tue, 5 Jun 2018 08:12:40 -0800
From: Royce Williams <royce@...hsolvency.com>
To: passwords@...ts.openwall.com
Subject: Re: GDPR
On Mon, Jun 4, 2018 at 11:08 PM Jeffrey Goldberg <jeffrey@...dmark.org>
wrote:
> On Jun 5, 2018, at 1:04 AM, e@...tmx.net wrote:
>
> > GDPR very explicitly limits the "protected" category of "personal" info
> > to the data that can IDENTIFY a user.
> > A password can not identify you.
> > Therefore, GDPR does not prohibit password stealing
> > […]
> > That's all you need to know about your government.
>
> The GDPR also doesn’t prohibit murder. I do not consider that a problem
> with the GPDR.
>
Also, due to users' (understandable) expectation of the privacy of a
password, passwords often contain highly personal information - even
including SSNs, DOBs, etc
Also, since passwords can be unique and yet also shared across multiple
sites, being able to show that user@...mple.com has the same unique
passwords on two different websites is strong circumstantial evidence that
they're the same user.
IANAL, but I think it's arguable that proper password storage (or lack
thereof) could be in scope. GDPR's mission is clearly intended to incent
data stewards to protect user data for which the misuse or compromise of
which could harm individual persons.
Royce
Content of type "text/html" skipped
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.