Comment by ItsBob
6 hours ago
These days I treat other people's data like it's a live hand grenade. Case in point (bit of a shameless plug here :)): I'm working on an app called Hockeytastic. It's an ice-hockey stickhandling app that my son's been using for months: the engine is solid but it looked like shit. However, his coach told me to get it on the app stores and sell subs. That meant I needed to clean it up, build a DB, store stuff etc.
Anyway, working with Google and Apple I realised that I quite literally do not need to store anything identifiable. The only identifiers I store are the Apple ID and the Google ID, and unless you steal those and then hack Google and Apple, they are utterly useless.
I do not store emails, names, addresses, nothing. That's the way I want it.
If the data is ever breached, the only thing hackers will see are many, many instances of Connor McDavid, Nate MacKinnon and various other famous NHL player names :)
If more companies treated personal data like it was toxic, we'd have fewer issues with breaches. However, I see it in my day job where the marketing people want to take as much data as possible, all the time!
I wish that were the case, but because there are barely any consequences for breaches, it's much more profitable to store everything you can and sell it to the highest bidder. Make it a huge risk to store data, and then companies will start treating data like a live hand grenade.
That's exactly what the GDPR tried. If only it were properly enforced.
Companies can and do get away with arguing that they have a "lawful basis" to collect whatever data they'd like. It's unfortunate.
IANAL, but the law seems a bit vague to me, and it appears that companies use that vagueness to their advantage. Maybe I'm just not articulating my arguments correctly.
Why does the app need to store the Google/Apple ID? Because it stores the data in the cloud, instead of locally for the app to use?
It's for your login and payments. I need to verify that you are authenticated somehow and Google/Apple also handle payments.
You "Login with Apple" or "Login with Google". They manage the login entirely and pass me your ID and an access token (assuming you pass their login test). I store that in my DB so that your data from the app can sync (the paid-for app syncs your training data to my backend, but I match it only based on the Google/Apple ID).
The alternative is that I build my own auth system, and I'd need to store something you can type in the next time, e.g. an email address/password etc.
If you have an Android/Apple phone you're already authenticated with them. I just need Google/Apple to say "this guy is cool, let him in" and I then use the ID to check if you've paid, sync your training data etc.
On its own, the ID is useless! It means nothing and cannot be traced back to a person. I genuinely do not know your name, email, what country you come from, GPS data, CC data. Nothing at all!
I don't want your data.
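The sign-in flow described above, written out as an added example (not code from the thread or from the Hockeytastic app): the backend verifies the provider's ID token, keeps only the `sub` identifier as the user key, and drops every other claim. The issuer, audience and signing key are constructed stand-ins; real Google/Apple tokens are RS256/ES256-signed and would be verified against the provider's published public keys rather than an HMAC secret.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed stand-in for the provider's signing key (real providers use asymmetric keys).
PROVIDER_SECRET = b"constructed-demo-secret"
ISSUER = "https://accounts.example-provider.test"  # hypothetical issuer
AUDIENCE = "com.example.hockeytastic"               # hypothetical app client id

def issue_id_token(sub: str, email: str, now: int) -> str:
    """Provider side (demo only): mint an ID token carrying identity claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "email": email,
              "iat": now, "exp": now + 3600}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(PROVIDER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_id_token(token: str, now: int):
    """App backend: check signature, alg, issuer, audience and expiry; return only sub."""
    if len(parts := token.split(".")) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(PROVIDER_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON or bad UTF-8
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # token must not pick its alg
        return None
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims.get("sub")

# Constructed in-memory user table: the only identifying column is the provider's sub.
# The email present in the token is read during verification and never persisted.
USERS = {}

def sign_in(token: str, now: int):
    sub = verify_id_token(token, now)
    if sub is None:
        return None
    return USERS.setdefault(sub, {"paid": False, "training_sessions": []})
```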