Date: Tue, 5 Jun 2018 08:12:40 -0800
From: Royce Williams <royce@...hsolvency.com>
To: passwords@...ts.openwall.com
Subject: Re: GDPR

On Mon, Jun 4, 2018 at 11:08 PM Jeffrey Goldberg <jeffrey@...dmark.org> wrote:

> On Jun 5, 2018, at 1:04 AM, e@...tmx.net wrote:
>
> > GDPR very explicitly limits the "protected" category of "personal" info
> > to the data that can IDENTIFY a user.
> > A password can not identify you.
> > Therefore, GDPR does not prohibit password stealing
> > […]
> > That's all you need to know about your government.
>
> The GDPR also doesn’t prohibit murder. I do not consider that a problem
> with the GDPR.
>

Also, due to users' (understandable) expectation of the privacy of a password, passwords often contain highly personal information - even including SSNs, DOBs, etc.

Also, since passwords can be unique and yet also shared across multiple sites, being able to show that user@...mple.com has the same unique passwords on two different websites is strong circumstantial evidence that they're the same user.

IANAL, but I think it's arguable that proper password storage (or lack thereof) could be in scope.

GDPR's mission is clearly intended to incent data stewards to protect user data the misuse or compromise of which could harm individual persons.

Royce