Message-ID: <CA+E3k93BJpNi6PrUntWbPv_Waktdj_AbSqMPu51jPwXvLjbAjw@mail.gmail.com>
Date: Tue, 5 Jun 2018 08:30:08 -0800
From: Royce Williams <royce@...ho.org>
To: passwords@...ts.openwall.com
Subject: Re: GDPR

On Tue, Jun 5, 2018 at 8:24 AM Royce Williams <royce@...ho.org> wrote:

> On Tue, Jun 5, 2018 at 8:12 AM Royce Williams <royce@...hsolvency.com>
> wrote:
>
>> On Mon, Jun 4, 2018 at 11:08 PM Jeffrey Goldberg <jeffrey@...dmark.org>
>> wrote:
>>
>>> On Jun 5, 2018, at 1:04 AM, e@...tmx.net wrote:
>>>
>>> > GDPR very explicitly limits the "protected" category of "personal" info
>>> > to the data that can IDENTIFY a user.
>>> > A password can not identify you.
>>> > Therefore, GDPR does not prohibit password stealing
>>> > […]
>>> > That's all you need to know about your government.
>>>
>>> The GDPR also doesn't prohibit murder. I do not consider that a problem
>>> with the GDPR.
>>>
>>
>> Also, due to users' (understandable) expectation of the privacy of a
>> password, passwords often contain highly personal information - even
>> including SSNs, DOBs, etc.
>>
>> Also, since passwords can be unique and yet also shared across multiple
>> sites, being able to show that user@...mple.com has the same unique
>> passwords on two different websites is strong circumstantial evidence that
>> they're the same user.
>>
>> IANAL, but I think it's arguable that proper password storage (or lack
>> thereof) could be in scope. GDPR's mission is clearly intended to incent
>> data stewards to protect user data whose misuse or compromise could harm
>> individual persons.
>>
>
> And by extension ... if any field or system allows entry of arbitrary
> text - comment fields, password fields, etc. - by the end user (or, for
> that matter, employees) ... then individuals acting outside of the intent
> of the design of the system can arbitrarily bring a system into scope.
>
> For those of us who have dealt with PCI, SOx, etc. ... if the customer
> service agent starts putting credit-card numbers into the comments field ...
> guess what? That's in scope.
>
> I think passwords are similarly positioned.
>

Also ...

In the case of passwords, if they're properly stored, the data steward
doesn't really know what's in them. But they *could* have SSNs, email
addresses, DOBs, etc. in them (and very often do).

So I would expect any data steward worth their salt to err on the side of
caution, and *assume* that what's in there is sensitive enough to warrant
GDPR-level handling.

And honestly, that's the level of handling that it requires even if it's
*not* within GDPR's scope, IMO.

Royce
