New EU data laws started today and complaints have already been made against Google and Facebook.

10 minutes ago, asus killer said:

If you just have a list of IP addresses it may seem harmless, but if a company like PornHub accidentally shares a list of IP addresses that see midget porn. Someone else may use it to link with other data they have and know exactly who the midget porn lovers are.

Forgetting about GDPR for a moment, I would always argue that IP addresses are identifiable. You may use it for the most harmless of uses, you still could never leak it.

Back to GDPR I don't know this specifically and not going to google it now, but if you leak a list of IPs you should have to notify, it should be in the GDPR.

Oh yeah IP address sharing is definitely a no-go for GDPR. Don't share that kind of stuff because it's definitely personal data.

 

But it doesn't identify a user. Or a machine. Or a residence. Or really much of anything. All it does is identify the NAT node that serves that residence. In many cases these days that NAT node can serve hundreds of other uses so you're still anonymized to a degree. Can that data be de-anonymized by correlating it with other data? Yeah but *any* information can be de-anonymized.

 

But even if it was perfectly anonymized info there's no reason you should be sharing it with third parties.

 

I'm curious the implications GDPR will have on community run sites where the "owner" of the site is a single individual and all of the "staff" are third parties. @LAwLz probably has a better idea on this than I do, but it's something I'm not clear on from my reading so I'm rather curious.


14 minutes ago, Sniperfox47 said:

I'm curious the implications GDPR will have on community run sites where the "owner" of the site is a single individual and all of the "staff" are third parties. @LAwLz probably has a better idea on this than I do, but it's something I'm not clear on from my reading so I'm rather curious.

I really don't.

The only reason I know the definition of personal data is because someone argued that Microsoft did not collect any personal data whatsoever through Windows 10, so I looked up the definition and saw that it even included things like IPs.


1 minute ago, LAwLz said:

I really don't.

The only reason I know the definition of personal data is because someone argued that Microsoft did not collect any personal data whatsoever through Windows 10, so I looked up the definition and saw that it even included things like IPs.

I think a lot of people who claimed that, including myself, claimed it more from the colloquial meaning, not the legal one. I mean for most people your name or SIN or address are personal data because they identify you. Personally. Your medical records are personal data because they're about you. Personally.

 

To be perfectly honest nothing on the computer is *personal* in the colloquial sense because none of it identifies a person. The most precise that you're going to be able to get is identifying it to a particular user session, but that user may be *many* individual persons. What files are opened on the machine and what websites you access aren't personal in the colloquial sense, even if they are in the legal sense. Are they sensitive? Yeah. Are they potentially identifying? Indirectly. But they're not about you as a person.

 

I totally get the feeling that these companies shouldn't be farming all this data without users unambiguously agreeing, but I also don't think we should be referring to data that's not about a person as "personal".


38 minutes ago, Sniperfox47 said:

Oh yeah IP address sharing is definitely a no-go for GDPR. Don't share that kind of stuff because it's definitely personal data.

 

But it doesn't identify a user. Or a machine. Or a residence. Or really much of anything. All it does is identify the NAT node that serves that residence. In many cases these days that NAT node can serve hundreds of other uses so you're still anonymized to a degree. Can that data be de-anonymized by correlating it with other data? Yeah but *any* information can be de-anonymized.

 

But even if it was perfectly anonymized info there's no reason you should be sharing it with third parties.

 

I'm curious the implications GDPR will have on community run sites where the "owner" of the site is a single individual and all of the "staff" are third parties. @LAwLz probably has a better idea on this than I do, but it's something I'm not clear on from my reading so I'm rather curious.

For the purposes of the GDPR the staff are not third parties in the conventional sense but at the very least unpaid contractors. Their access to personal data is justified in as far as it is needed to execute their functions. To take a forum like this as an example, moderators need access to IP information and e-mail addresses to track repeat offenders.


16 hours ago, Sniperfox47 said:

A) Handling data *is* storing data

B) That's not at all what the GDPR is about and people seem to be totally missing the point of this and applying it to all kinds of situations where it doesn't apply. Have you read the legislation or any of the fact sheets? I've had to ensure that our software met GDPR requirements and so far everything I've read, from the legislation itself to all the white papers on it, has led me to believe that everyone else is going massively overboard and all our services were already compliant.

C) Your suggestion of never storing IPs is absolutely asinine. Internet servers literally cannot function without having a backlog of the IP addresses and access rates of those IP addresses. Between DDOS mitigation, request interrupts, multicast, and many other things Apache or whatever other server you're using is going to store a list because without that list it literally can't do its job.

 

Also I just want to point out that your IP address isn't personally identifiable anyways... It's not in any way sensitive personal information so you don't need explicit consent to collect it, just unambiguous consent. And that's even if it can be considered personal information in the first place, since one IP address typically applies to large swaths of people (i.e. NAT).

IP address is personal, because in the past I used to be able to get GPS coordinates for an IP address :P . You can imagine it's far worse for anyone with greater tech access, it's to the point where they can just send a missile accurately to an IP.

 

Your IP address will also have registered detail like names, addresses, etc , so IP addresses are very very identifiable.

 

I would like to quote from person of interest "a black box system, no human sees it therefore no privacy is invaded or laws broken and gives plausible deniability" Essentially this is just what google and other companies that require personal info to function can argue.

 

Moderators for instance have to be able to see IP addresses on a forum for doing their job. For instance knowing if it is an imposter, hacked account, duplicate accounts or to do an IP ban but one can argue that a hash of the IP will work the same as well.

 

3rd party means anything outside the company. Google can function without giving any identifiable information to 3rd parties. They need to collect info to function correctly such as with targeted ads but those ads only see statistics and no specific information. I think a lot of companies did not correctly write their forms as well.

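The hash-of-IP idea raised in the post above, sketched as an added example (not part of the original thread, and not the forum software's code): each address is replaced by a keyed HMAC token, so duplicate-account and ban checks compare tokens instead of raw addresses. The key, function names and login records are constructed for illustration; a key is used because the IPv4 space has only 2^32 values, so an unkeyed hash could simply be enumerated.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Constructed demo key; a real deployment would load it from a secret store
# that moderators cannot read, and rotate it on a schedule.
KEY = b"constructed-demo-key-not-for-production"

# Constructed login records (account, source address) using documentation ranges.
LOGINS = [
    ("alice", "192.0.2.7"),
    ("bob", "198.51.100.23"),
    ("alice_alt", "::ffff:192.0.2.7"),       # same host, IPv4-mapped IPv6 form
    ("carol", "2001:db8:1:2::10"),
    ("carol2", "2001:db8:1:2:abcd::99"),     # same /64 as carol
    ("dave", "2001:db8:1:3::10"),            # neighbouring /64
]


def normalize_ip(raw: str) -> bytes:
    """Canonical bytes for an address so equal hosts hash equally."""
    addr = ipaddress.ip_address(raw.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version == 6:
        # Assumption: one subscriber per /64, so only the prefix is kept.
        return b"6" + addr.packed[:8]
    return b"4" + addr.packed


def ip_token(raw: str, key: bytes = KEY) -> str:
    """Keyed pseudonym for an address (HMAC-SHA256, truncated to 128 bits)."""
    return hmac.new(key, normalize_ip(raw), hashlib.sha256).hexdigest()[:32]


def shared_ip_accounts(logins, key: bytes = KEY) -> dict:
    """Map token -> sorted accounts, for tokens seen with more than one account."""
    by_token = defaultdict(set)
    for account, raw_ip in logins:
        by_token[ip_token(raw_ip, key)].add(account)
    return {t: sorted(a) for t, a in by_token.items() if len(a) > 1}


def is_banned(raw: str, banned_tokens: set, key: bytes = KEY) -> bool:
    """Ban check against stored tokens; compare_digest avoids timing leaks."""
    tok = ip_token(raw, key)
    return any(hmac.compare_digest(tok, b) for b in banned_tokens)


if __name__ == "__main__":
    for token, accounts in shared_ip_accounts(LOGINS).items():
        print(token, accounts)
```

Rotating the key unlinks old tokens from new ones, which bounds how long any one token can be correlated.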

1 hour ago, System Error Message said:

~snip~

Except

A) an IP address doesn't have any GPS data tied to it. Most devices that receive public IP addresses don't even have GPS receivers in the first place. Are you talking the coordinates on an IP lookup chart? All that is is a guesstimate based on where that IP address has been seen by lookup apps.

 

B) Even if an IP was leased specifically to you the only person any of that information would be visible to is your ISP.

 

199.7.158.48 < my current public IP. Do your worst. The most it'll tell you is that I live in Canada and currently use Wind Mobile as my ISP. It'll also probably tell you that Wind Mobile leases the IP from a distribution center in the city of Edmonton but that doesn't mean I'm in Edmonton. Not to mention that probably at the very least 20-30 other people currently have this IP because Wind heavily NATs IPs to save addresses. And none of that mentions that I'll have a totally different one the next time I reboot my device.

 

Not everybody has such short lease times of course. You may have a single IP for a month. Or a year. Or a static IP that never changes, but with most ISPs unless you're paying for a business plan you're probably sharing your IPv4 address with several other people nowadays.

 


5 minutes ago, Sniperfox47 said:

but with most ISPs unless you're paying for a business plan you're probably sharing your IPv4 address with several other people nowadays.

Then I'm lucky since I only needed to ask it over the phone and they did it free of charge (or maybe the CGN device couldn't handle our plan since at first it was 5>/1,xx instead of 100/10, then switched it over to public and boom, 100/10 :D ). BTW using CGN is just lame, it's a total waste of time and money...


19 hours ago, Sniperfox47 said:

A) Handling data *is* storing data

B) That's not at all what the GDPR is about and people seem to be totally missing the point of this and applying it to all kinds of situations where it doesn't apply. Have you read the legislation or any of the fact sheets? I've had to ensure that our software met GDPR requirements and so far everything I've read, from the legislation itself to all the white papers on it, has led me to believe that everyone else is going massively overboard and all our services were already compliant.

C) Your suggestion of never storing IPs is absolutely asinine. Internet servers literally cannot function without having a backlog of the IP addresses and access rates of those IP addresses. Between DDOS mitigation, request interrupts, multicast, and many other things Apache or whatever other server you're using is going to store a list because without that list it literally can't do its job.

 

Also I just want to point out that your IP address isn't personally identifiable anyways... It's not in any way sensitive personal information so you don't need explicit consent to collect it, just unambiguous consent. And that's even if it can be considered personal information in the first place, since one IP address typically applies to large swaths of people (i.e. NAT).

Maybe language barrier (not native English speaker) but let's say this way. Allowing someone else than server or person who is using the IP address to view it is illegal according to GDPR.

So in LTT's case, allowing forum moderators or admins to view users' IP is according to GDPR illegal.

Also by EU law, IP address is defined as personally identifiable information so consent is required.

I have read GDPR and EU Privacy laws, all these laws have also officially translated version for each EU country (I have read the Finnish one).


1 hour ago, Sniperfox47 said:

Except

A) an IP address doesn't have any GPS data tied to it. Most devices that receive public IP addresses don't even have GPS receivers in the first place. Are you talking the coordinates on an IP lookup chart? All that is is a guesstimate based on where that IP address has been seen by lookup apps.

 

B) Even if an IP was leased specifically to you the only person any of that information would be visible to is your ISP.

 

199.7.158.48 < my current public IP. Do your worst. The most it'll tell you is that I live in Canada and currently use Wind Mobile as my ISP. It'll also probably tell you that Wind Mobile leases the IP from a distribution center in the city of Edmonton but that doesn't mean I'm in Edmonton. Not to mention that probably at the very least 20-30 other people currently have this IP because Wind heavily NATs IPs to save addresses. And none of that mentions that I'll have a totally different one the next time I reboot my device.

 

Not everybody has such short lease times of course. You may have a single IP for a month. Or a year. Or a static IP that never changes, but with most ISPs unless you're paying for a business plan you're probably sharing your IPv4 address with several other people nowadays.

 

By law ISPs have to log you, so even if you have a dynamic IP upon request you can get the personal info tied to the IP used at that time.

There's ways to get GPS coordinates, using that personal info alongside tracing and timing you can determine distance as well.


5 hours ago, jagdtigger said:

Then I'm lucky since I only needed to ask it over the phone and they did it free of charge (or maybe the CGN device couldn't handle our plan since at first it was 5>/1,xx instead of 100/10, then switched it over to public and boom, 100/10 :D ). BTW using CGN is just lame, it's a total waste of time and money...

Ehh it's kinda a necessary evil until people get off their rear and actually support IPv6. IPv4 is like... suuuuuuuper exhausted at this point. The last pool to exhaust was North America and that was all the way back in 2015, and a bunch of carriers were already using CGN by that point.

 

Good to know they did it upon request for you. I've never bothered asking. I just know Bell/Telus/Rogers and Wind all default to NATed IPs for consumer clients and open IPs for business clients.

 

 


1 minute ago, Sniperfox47 said:

Ehh it's kinda a necessary evil until people get off their rear and actually support IPv6. IPv4 is like... suuuuuuuper exhausted at this point. The last pool to exhaust was North America and that was all the way back in 2015, and a bunch of carriers were already using CGN by that point.

 

Good to know they did it upon request for you. I've never bothered asking. I just know Bell/Telus/Rogers and Wind all default to NATed IPs for consumer clients and open IPs for business clients.

 

 

Or they could pull all the /8's and /16's that were given to companies like candy back in the day to help a bit :)


I love this, if not for one thing

 

A fine is only a fine if it's more than the profit of such an activity, otherwise it's a fee of doing business


39 minutes ago, Cole5 said:

I love this, if not for one thing

 

A fine is only a fine if it's more than the profit of such an activity, otherwise it's a fee of doing business

 

You sir have figured it out!


Just now, Christophe Corazza said:

 

You sir have figured it out!

My 4 years in accounting college weren't for nothing!

Like we did tests over this stuff, but for us it was like the cost of recalls vs Wrongful death suits...I just remembered how sick that class made me 


14 hours ago, Sniperfox47 said:

Ehh it's kinda a necessary evil until people get off their rear and actually support IPv6

The problem is that the ball is on the ISP's side. Many software supports IPv6 but the rest won't follow if there is no reason to implement it, since the ISPs stubbornly hold onto their ancient equipment wasting money on band-aid solutions... 9_9
