Posts: 0 · Comments: 33 · Joined: 2 yr. ago

  • I’m trying to get to the bottom of this because a chunk of my data & activity is tied to nothing but my email address which always deliberately excludes personal identifiers and I do everything over Tor.

    GDPR recital 26 seems the most relevant. It’s complicated but note that the GDPR clearly does not apply to legal persons (aka moral persons aka companies). So a data controller must at a minimum have a way of knowing the account belongs to a natural person. Which IMO requires being linked to other data like IP address. Though even that is fuzzy because IP databases on whether an IP address is residential boil down to guesswork.

    Tempting to read wp136 which predates the GDPR but seems quite relevant. It’s possibly the most exact answer unless there is a closely related CJEU ruling.

  • That phrase (“user identifying information”) does not appear in the GDPR text that I have. Do you have a page or section reference?

    According to the Commission, “an email address such as name.surname@company.com;” is an example of “personal data” [presumably from Art.4(1)]. But it’s interesting to note that that example obviously ties the address to an identifiable person. Is that the OP’s case? (I can’t see their Cloudflare-jailed screen shot)

    The EC also says “an email address such as info@company.com” is not an example of personal data.

    This should really be covered by an EDPB Guideline, but I’m not finding one.

  • If I create an anonymous account but put what looks like a real name in the username field, and sign all posts with that real-looking name, who’s to say it’s really my name? Then suppose I lose my internet connection but want to exercise my right to be forgotten. The GDPR enables people to make an Art.17 request in writing but the GDPR also mandates that data controllers identify who the request comes from (so Mallory does not request deletion of Alice’s records). If a user ad hoc puts their name on everything then mails a request with a copy of their ID card which matches the name they put on everything, it’s a bit off because a company who does not ID users would not normally have the infrastructure in place to support GDPR requests. (and that’s a good thing.. it’s good that there’s incentive to support the practice of offering anonymous accounts) But here’s the other problem: the ID mechanism itself must be minimal. A data controller cannot demand a full copy of your ID card if they can verify using something less intrusive like date of birth to verify you. Perhaps in this case a copy of the ID card would be necessary. OTOH, names are not generally unique, which would mean I could use my ID card to request deletion of all records of other people who have the same name.

    As a practical matter, we also have to figure that DPAs are extremely lazy. I’ve filed many Art.77 reports with strong irrefutable evidence and the cases just sit for years. I cannot see a DPA being motivated to work on a case that Reddit can easily defend. OP’s best move is to look at local anti-spam laws (I’m guessing it’s spam.. I do not have access to the Cloudflared image the OP posted).

    (edit) more clarity here, hopefully → https://infosec.pub/comment/6975469

  • Kind of. Yes you really should make an Art.17 request to ensure having a strong GDPR case in the event of non-compliance, but technically there is still an Art.5 data minimization rule that applies to data that is no longer needed for performance of the contract.

  • Delete is not the same thing as requesting to destroy all identifiable data of you.

    This is what I don’t get. How are Reddit accounts not pseudo/anonymous? Back when I had an account (~5+ years ago at latest) they had nothing personally identifiable on me, in which case there are no GDPR rights to speak of. Even if I were to make an Art.17 request and go above and beyond by supplying a copy of my ID card with the request, Reddit would have no way to even verify that my ID is associated to the acct.

  • I think the whole discussion is moot when the data is “anonymous”.

    But suppose they had the OP’s name on file linked to the acct, thus making the GDPR applicable. There would still be a violation under GDPR Art.5 (minimization) and Art.25 (protection by design). But it is probably quite difficult to make a minimization case; lawyers have to work hard. Much stronger and more effective to make an Art.17 claim, which indeed requires making the request.

  • The GDPR is not a directive. It’s a regulation. Nonetheless, I read that the GDPR was specifically mirrored into UK law with a couple of minor modifications.

    But to answer @automaton@lemmy.world, AFAIK the #GDPR does not apply in this situation anyway because Reddit accounts are “anonymous”. The GDPR only protects identified people.

    /cc @d00ery@lemmy.world

  • You are on a privacy-offending Cloudflare site (#LemmyWorld), so Tor users are blocked from seeing your Cloudflare-jailed image. If you care about privacy you will bounce from that instance.

    Without seeing the image, I have to ask how an anonymous user gets #GDPR rights. Or has #Reddit started supporting an identification mechanism of some kind? When I start the reg process, it asks for an email address, username, and pw, not a first + last name (but my test stopped when a Google reCAPTCHA push was attempted). I have zero sympathy for Reddit -- they are rotten to the core scumbags, but I do not see how the GDPR can be applied to anonymous accounts.

    (edit) I gather from other comments you must have posted an email. Would be great if you could copy the text of the email into the body of your post so everyone can see it and so people using screen readers can hear it. Thanks!

  • It would be more usable if the left column were locked so you don’t lose it when scrolling horizontally. Same for the top row.

    “Email / Phone required for signup” ← these are on two very different levels of intrusiveness.. really needs to split into two rows. And from there, it’s interesting to know whether a phone must be a mobile phone or not. With email, it’s interesting to know if disposable addresses are blocked or not.

    Also, for “decentralized network” for #Signal, you simply have “no”. I would change that to “No (Amazon)” to inform people they are feeding Amazon by using Signal.

    In fact I suggest also adding a row: “feeds a tech giant” because privacy from tech giants is not the only factor -- some of us trying to live ethically do not want to even feed privacy offending tech giants, such as:

    • Amazon
    • Microsoft
    • Google
    • Cloudflare
    • Apple
    • Facebook

    And as someone else pointed out, Delta Chat is missing.