WingNews logo WingNews GitHub [2]

ust's comments

ust | 5 years ago | on: Trump says he will ban TikTok through executive action

Explanation of the current legal structure that can be used to ban/force divestment of TikTok:

https://www.lawfareblog.com/tiktok-and-law-primer-case-you-n...

In short, a president has substantial powers (granted by Congress via IEEPA and CFIUS) to institute a ban or force a divestment of any company "engaged in interstate commerce in the United States", if "national emergency" or "national security" is involved. So, legally, it seems that president can ban TikTok, under certain conditions (that may not be so difficult to achieve). The link above only explains the current legal framework, not whether banning the TikTok is in itself a good or a bad thing. IANAL, so I can't judge the competence of the presented arguments, but it is written by a respected law professor.

ust | 8 years ago | on: Ask HN: How are you implementing GDPR-compliant soft deletes?

Yeah, I agree with everything you said.

It would be interesting to know whether the big companies have addressed (at least partially) their GDPR compliance. Maybe they do just "play Russian roulette" like you said, and hope for the best.. Of course, implementation guidelines are not yet fully defined (like WP29 opinions, some of them will change, even then, those opinions are not legally binding).

ust | 8 years ago | on: My new favorite book of all time

I'm sorry, but your comment about Yugoslavia is extremely simplistic, if not outright wrong. While ethnic tensions certainly played a large role, the causes for the war were numerous, and also include outside influences (end of Cold War, geopolitical situation, etc.). BTW, Tito was dead for 11 years before the war started, and while he certainly was a dictator, albeit somewhat more lenient than other communist dictators, describing him as a "violent warlord" is a mischaracterization.

ust | 8 years ago | on: GDPR consent design: how granular must adtech opt-ins be?

Hi, I'm involved with GDPR for my work, although in academic context, i.e. the primary motive in processing of personal data is in security, provisioning services, accounting purposes, etc. Also, I'm not a lawyer, and this is just my personal opinion.

So, while I do work in academic environment, I do have contact with people from industry, and they are taking this seriously. (Of topic, this actually created a new business opportunity, for compliance with the GDPR). However, GDPR is not that different from the Directive, if you were compliant with the Directive, chances are, you're probably (mostly) compliant with the GDPR. Yes, the conditions for consent are strengthened, and since now we have a Regulation, it is valid in all countries. There are other differences, and it is more stringent now, but it is not drastically different from the Directive. BTW, this link[1] have a nice overview (I'm completely unaffiliated with that firm, I just like how they structured it...):

[1] https://www.whitecase.com/publications/article/gdpr-handbook...

One thing that people lost sight of, at least in my opinion, that GDPR is not just about punishment, or stopping the processing of personal data, it is also about transparency. People should not be coy/evasive/unclear about what kind of data one is collecting and for which purpose. This is one of the most important things (again, in my opinion). Processing of personal data has a valid and important purpose, and the GDPR is not there to stop it.

And for the question will the GDPR be enforced, I think it will. For the moment, though, all data protection authorities (DPAs) are a bit overloaded, and I suspect that will be the case in the near future. But obviously, EU and EC are taking GDPR quite seriously.

Hope this answers your question.

(Edited for grammar...)

ust | 8 years ago | on: With a $1k Price, Apple’s iPhone Crosses a Threshold

I have Nexus 4, too, and changed stock OS to LineageOS (previosly I've used cyanogenmod) and it works great, and now I have Android 7.1.2. and I receive weekly updates...

I realize that "flashing" the ROM is not what normal user would do, but it has become very easy to do, and it does extend the (usable) life of the phone..

ust | 8 years ago | on: Euro MPs back end-to-end encryption for all citizens

That is correct, user will have access to the data, e.g. the images/videos user uploaded to Facebook, and I presume the Facebook will have to delete (successfully) these data upon request. However, personal data are not just images, or similar. It is also IP addresses, logs containing user's actions, etc. everything and anything that may identify a person. So, e.g. if some logs somewhere may contain IPs of a user, or some actions of the user were recorded in logs that are scattered throughout the system, the controller may argue that it "reasonably" tried to remove also these data for the user, but it can't guarantee that. However, GDRP now stipulates Privacy by design, which means some of these scenarios might have to be taken into account before creating and providing a service, so the removal of (all) user data should be more feasible.

ust | 8 years ago | on: Euro MPs back end-to-end encryption for all citizens

For my work, I'm working on the impact of the GDPR on the research, and how will the GDPR work in scientific communities. I'm not a lawyer, of course, so my interpretation might be a bit off (so disclaimer, IANAL, this is not a legal advice, and etc.). Anyway, these are just some of my thoughts on the subject.

Well, GDPR is a big topic, and it not yet clear how all the provisions will be implemented. It is not that different from the (currently valid) Directive, but it does clarify certain points, and makes much more stringent penalties, as mentioned in parent post (the fine is actually 4% of the global revenue, or 20M Euro, whichever is greater). The changes in respect to the Directive are, in short:

  • GDPR applies to the processing of personal data by controllers and processors in the EU, regardless
    where it takes place

  • Penalties – up to 4% of annual global turnover or 20M€ (whichever is greater)

  • Consent – conditions are strengthened (clear and plain language, explicitly related to the
    processing, easy to withdraw)

  • Breach notification

  • Privacy by design

  • Right to be forgotten

  • Data Protection Officers

  • Right to access
Now, as mentioned in another comment, the right to be forgotten and erasure of data is not really wipeout, the data controller and data processor are supposed to do it using "industry standards" and "reasonable effort" (controller, e.g. should flag that the processing the data should be restricted). Also, there are exceptions (legal claims, public authorities, free speech, etc.).

Different comment points out that the Regulation, unlike Directive, makes GDPR valid in all EU countries, and this is true. However, the EU states are free to implement their own data privacy laws, which of course, need to be in line with the GDRP. This may potentially introduce legal inconsistencies across the EU for certain points.

Also, one should not underestimate the legitimate interest of the service provider, or controller, to retain the data, even if the user has asked for the data to be removed. The data may also be retained by the request of relevant public authorities, etc. One comment has suggested what will happen if the EU citizen requests the removal of it's data, while the US public authorities asks for access to this data. In this case, the relevant EU public authorities may request for the data to be kept (or not, I guess this will be decided on case by case, also the provider may have a legitimate reason to keep the data..).

And of course, the biggest problem, the transfer of data to non-EU countries. For this, there are several ways to do it, one is mentioned already, i.e. user consent (which must be clear and unambiguously given, and can be revoked at any time). Then, of course, there are contracts, binding corporate rules, etc. For EU-US transfer, there is Privacy Shield for transfer of data to US (which is a replacement for the Safe Harbor, stricken by EJC), but this is mostly for commercial services (so it does not work for academic environments..).

There are some other interesting aspects to GDPR, but this post is already getting a bit long. For more info, these links are interesting:

[1] https://aarc-project.eu/aarc-infoshare/ -- for academic environments..

[2] https://iapp.org/resources/article/top-10-operational-impact...

[3] https://www.whitecase.com/publications/article/unlocking-eu-...

There are multiple WP29 interpretations on various points (some of them are actually human readable, not just legal talk..), etc. In any case, it will be interesting to see all these developments in the future.

[Edited for mistakes..]

ust | 9 years ago | on: Google reveals its servers all contain custom security silicon

It seems a bit counterintuitive that open hardware results in less choice, so I disagree. I think that hardware is getting more and more open, also drivers for it. With FPGAs it is (relatively) straightforward for one to create it's own crypto processor and integrate it in the system. Also PCBs are getting easier and cheaper to make. I hope that also there will be some open PCB designs that incorporate some kind of crypto chips and functionalities outside of CPUs, so everyone can start creating their own servers, if desired.

Didn't also Facebook started some open server hardware initiative? I don't remember what happened with that...

I do agree that the current status is not great, and that we could all benefit from more open hardware design. I think that it would also benefit large companies as well.

ust | 9 years ago | on: How to Enable Two-Factor Authentication on Amazon

Yes, there is oathtool that you can use on Linux (well, that's how it's called in Debian). I use the same, just type:

oathtool --totp -b "key value"

where your "key value" is your secret (same thing you would get if you scan QR code). And then you just need to keep the secret safe, and you can run it on as many devices you need.

EDIT: just realized that michaelt had much more substantial comment.

ust | 9 years ago | on: Ransomware gives free decryption keys to victims who infect their friends

I do have a follow up question to this. If the ransomware encrypt the files, then it would also need to delete the original files. Unless the original files are overwritten, wouldn't it be possible to recover them? If the files are indeed overwritten, I would presume it would take a really long time, and, if I remember correctly, this wouldn't work on SSDs, unless you fill the SSD completely. Or am I missing something?

ust | 9 years ago | on: Joe Armstrong Interviews Alan Kay [video]

I've just seen the movie after your comments, it was interesting to see that they use emacs (without syntax highlighting, it appears..). OT, but how's vim for coding in erlang, anyone?
page 1
more