This evening has had a sad surprise for me.

Now, I am calling for #openSUSE to revert the recently imposed project-wide ban on young people:

https://lists.opensuse.org/archives/list/[email protected]/message/6PU6JU2IGKDANYNN3KIXDR2UQSVP6JI2/

(Update: Thanks for the overwhelming reactions! Please also consider https://toot.teckids.org/@nik/116550879189375534 .)

@nik I’m guessing they don’t want the liability of COPA and similar Acts. 😟
@malwareminigun @nik Typical article 8 German GDPR problem. You need explicit parental permission to handle (note the “handle”, not just “save”) PII of ppl under 16 (and the IP address hitting Apache/NGINX counts as a PII, therefore every website is technically 16+ until someone wants to fight this in court).

@fuchsiii

@malwareminigun @nik is an IP address PII if it's NAT'ed? Surely not since numerous individuals could have that IP:port pair over a period of time. Would IPv6 count if not-NAT'ed? While it certainly can be used to get to a specific machine an IP with MAC address embedded (from SLAAC) hardly identifies the person on its own. IANAL so I'm trying to be sensible, I accept that legal garbage might not be!

@fionasboots I had the question about IP addresses at a mandatory work GDPR training certification test. (very boring) @malwareminigun @nik

@fuchsiii @malwareminigun @nik But IP addresses being PII makes no sense. For anything that is dynamically annotated and NAT'ed the address itself will be used by thousands of people. The IP:port combination is only "you" for a brief time. Overall you could have multiple IP:port combinations over a day and someone else could be on these at other times.

If your ISP has fixed IPv4 the home router is *still* going to do NAT so the IP address only identifies an ISP account, not even a home location (my ISP, like many others, don't show up my location as where I live but a city where the peering connection is).

IPv6 without NAT would require you to know the MAC addresses of kit that an individual owns.

In all cases you need data from the ISP to map an IP address to a household or a specific user. So it's only law enforcement or hackers that could get that.

@fionasboots This goes back to a 2016 Court of Justice of the European Union ruling on request of Germany (the defender in this case), Reference Number C‑582/14. Some writeup in English: https://www.hunton.com/privacy-and-cybersecurity-law-blog/cjeu-rules-dynamic-ip-addresses-personal-data (the original court documents are only in German and French) @malwareminigun @nik

@fuchsiii @malwareminigun @nik Well that just sucks big time ... so presumably you can't log IP addresses then ... I wonder how this works with govt requiring the collection of IP addresses and similar tracking? I think this is nonsense though ... but it seems to be legal nonsense ... a lot of that around these days!

@fionasboots @fuchsiii @malwareminigun

Of course you can log IP addresses if you need it. Just do and write it down in your privacy policy. No consent is required (unless you do unethical things with the logged addresses).

@nik @fionasboots @fuchsiii I think you all are missing the point. The question is not does the GDPR cover this. The question is will somebody sue you because they think that GDPR covers this.

@malwareminigun @fionasboots @fuchsiii

GDPR *does* cover it. There is no doubt in that.

Something being covered by GDPR does not imply that it requires consent.

Fun fact, by the way: Asking for consent for something that does not require consent is something you can be sued for under GDPR ;).

@nik @fionasboots @fuchsiii You are missing the point. The point is not what the law says. The point is will someone try to sue you for it. The fact that people believe the law says this is not allowed is enough.