top | item 47137722

(no title)

Macha | 6 days ago

K-id is the vendor they were proposing which did on device processing. They were trying to downplay the initiative by saying all the k-id data stayed on device.

This was undermined by the fact they were also trialling a switch to Persona (the vendor in the story), which did not uphold that guarantee. It was horrific optics to be reassuring people that it was ok because you didn’t save data but also be trialling a switch to a vendor which did save data, which I guess is a lot of the reason this vendor switch was cancelled. (Though it does call into question discord’s judgment that they thought this was a good idea).

Anyway, Persona was also breached which is how the government links were discovered and also probably a part of this decision. This is not to be confused with the breach in November of 5CA, _another_ vendor they used in the initial UK and Australia roll outs. The fact that two vendors were breached in four months is a good example of why this is a bad idea

discuss

m4rtink|6 days ago

I don't think you can ever trust closed source software that also requires network for other features that it really does on-device processing for something specific.

It might not even send the sensitive data immediately but bundle it with other traffic once it goes online.