Comment by scoutt
6 years ago
PII concept is not the same for everyone/everywhere. For GDPR we have:
> Article 4(1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
If this chrome browser ID is matched against a (for example) google account, then they can track every single person. And that is just a couple of IDs, let alone all the quantity of data they have.
It's against GDPR to not be clear about this kind of ID. If my browser has an unique ID that is transmitted, then this ID can be coupled with other information to retrieve my identity and behavior, so it should be informed (in the EU).
EDIT: TD;LR, hiding behind "there is no PII in that ID" is not enough.
Who's going to raise this issue though? And what if they put this in the browser's T&C?
I thought they needed explicit consent. T&Cs ain't that.
> Who's going to raise this issue though?
I'm sure there is someone out there who takes these kind of things seriously. Not me. I use firefox for that matter.
> And what if they put this in the browser's T&C?
Then the rest of GDPR applies: a clear message about the browser sending this info has to be shown, explaining why, with who they'll share it, the time they will keep this info, plus no auto opt-ins, the possibility of asking Google (or whatever) all the info relative to this ID and the option to cancel all the data, etc.
This is why I consider the GDPR to be unrealistically broad in its definition of PII; it denies even innocuous feature-mode-distinguishing headers intended to allow for bug-identification of massively-distributed software installs.
If I'm given a forced choice between "more privacy" and "better software quality" I'm going to lean towards "better software quality."
Me too. Then a breach happens and someone with a straight face tells you: "we take your privacy very seriously", asking apologies, because the breach used some of your data to push some political campaign or to bother you with spam/extortions because that night you were watching some porn.
Programmers should stop pushing buggy or incomplete software as is, and start releasing software that works. Otherwise upper levels have an excuse to do all this "experience" telemetry, and we all are smart enough to see the consequences of a data breach.
> Programmers should stop pushing buggy or incomplete software as is, and start releasing software that works
If you demand a perfection-of-function guarantee from something as complicated as a web browser, you'll never get a web browser with more features than the ones released in the '90s (and I'm not even sure we'd be that far along by now).
If I'm given a forced choice between "more privacy" and "the software ever having the features I want to use" I'm also going to lean towards "the software ever having the features I want to use." And we know this is true for users in general because of the number of users who had Flash installed back-in-the-day in spite of the fact that it allowed a total bypass of the browser security model, because it had features that the browser lacked otherwise.
13 replies →
> This is why I consider the GDPR to be unrealistically broad in its definition of PII
And I consider it far too narrow.
> If I'm given a forced choice between "more privacy" and "better software quality" I'm going to lean towards "better software quality."
Fair enough. I would go for "more privacy", personally. There is no technical reason why both of our preferences couldn't be honored.