Date: Tue, 5 Jun 2018 08:30:08 -0800
From: Royce Williams <royce@...ho.org>
To: passwords@...ts.openwall.com
Subject: Re: GDPR

On Tue, Jun 5, 2018 at 8:24 AM Royce Williams <royce@...ho.org> wrote:
> On Tue, Jun 5, 2018 at 8:12 AM Royce Williams <royce@...hsolvency.com>
> wrote:
>
>> On Mon, Jun 4, 2018 at 11:08 PM Jeffrey Goldberg <jeffrey@...dmark.org>
>> wrote:
>>
>>> On Jun 5, 2018, at 1:04 AM, e@...tmx.net wrote:
>>>
>>> > GDPR very explicitly limits the "protected" category of "personal" info
>>> > to the data that can IDENTIFY a user.
>>> > A password can not identify you.
>>> > Therefore, GDPR does not prohibit password stealing
>>> > […]
>>> > That's all you need to know about your government.
>>>
>>> The GDPR also doesn't prohibit murder. I do not consider that a problem
>>> with the GDPR.
>>>
>>
>> Also, due to users' (understandable) expectation of the privacy of a
>> password, passwords often contain highly personal information - even
>> including SSNs, DOBs, etc.
>>
>> Also, since passwords can be unique and yet also shared across multiple
>> sites, being able to show that user@...mple.com has the same unique
>> password on two different websites is strong circumstantial evidence that
>> they're the same user.
>>
>> IANAL, but I think it's arguable that proper password storage (or lack
>> thereof) could be in scope. GDPR's mission is clearly intended to incent
>> data stewards to protect user data the misuse or compromise of which
>> could harm individual persons.
>>
>
> And by extension ... if any field or system allows entry of arbitrary
> text - comment fields, password fields, etc - by the end user (or, for
> that matter, employees) ... then individuals acting outside of the intent
> of the design of the system can arbitrarily bring a system into scope.
>
> For those of us who have dealt with PCI, SOx, etc. ... if the customer
> service agent starts putting credit-card numbers into the comments field ..
> guess what? That's in scope.
>
> I think passwords are similarly positioned.
>

Also ... In the case of passwords, if they're properly stored, the data
steward doesn't really know what's in them. But they *could* have SSNs,
email addresses, DOBs, etc. in them (and very often do).

So I would expect any data steward worth their salt to err on the side of
caution, and *assume* that what's in there is sensitive enough to warrant
GDPR-level handling. And honestly, that's the level of handling that it
requires even if it's *not* within GDPR's scope, IMO.

Royce
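The point above that a properly storing data steward "doesn't really know what's in" a password can be shown concretely. The following is an added example, not code from the thread or from any project discussed in it: it stores a password as a salted, iterated PBKDF2-HMAC-SHA256 record (the iteration count and record layout are this example's own choices, not a standard), verifies a login against that record in constant time, and demonstrates that the stored record contains no trace of personal data (here a constructed date of birth) a user may have embedded in the password. Because each record carries its own random salt, the same password stored by two services produces unrelated records, so nothing can be inferred from the records alone.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (assumed, not from the thread): a production deployment
# tunes the iteration count to its own hardware budget.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per record means identical passwords stored twice
    (by two users, or the same user on two sites) yield unrelated records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and iteration count."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(candidate, expected)


def record_reveals(record: str, fragment: str) -> bool:
    """True if the stored record exposes the given plaintext fragment."""
    return fragment in record


if __name__ == "__main__":
    # Constructed sample: a user who embeds a date of birth in the password.
    dob = "1984-07-14"
    secret = f"Fluffy{dob}!"

    # The "same user" registers the same password at two different sites.
    site_a = hash_password(secret)
    site_b = hash_password(secret)

    print("site A record:", site_a)
    print("site B record:", site_b)
    print("records identical:", site_a == site_b)            # False
    print("login succeeds:", verify_password(secret, site_a))  # True
    print("wrong password:", verify_password("Fluffy1984-07-15!", site_a))  # False
    print("DOB visible in record:", record_reveals(site_a, dob))  # False
```

The steward holding `site_a` can confirm a presented password but cannot read the date of birth out of the record, and a second steward holding `site_b` cannot tell from the records that the two accounts share a password. Only a breached record that is subsequently cracked to plaintext brings the embedded personal data back into the open, which is the risk Royce's message asks stewards to assume.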