I think the GDPR approach (transparency rules, huge fines) is probably good enough to address this
While I trust that everyone tries their best, I am skeptical about the EU having a policy team at hand that can factually teach Facebook (one of the most attacked properties in the world) better cybersecurity processes and operational practices.
3
4
I've been talking GDPR for weeks and like, nobody knows how to comply. So many people have totally different thoughts.
2
2
I know, I'm not claiming it's clear or easy to execute. I completely agree with its intention and the general model, though. Anything specific that comes up in terms of compliance? Always interested in discussing how to go about it technically.
1
1
So for me the biggest confusion is around personally identifiable information. Loosely this could mean so many things and affect every single tier of the architecture including cold storage of logs.
1
1
Replying to @kellabyte
Agreed. E.g. there are lots of things you shouldn't log, or at least not keep, which of course complicates things. Keeping aggregated stats instead might work.

Oct 1, 2018 · 6:26 AM UTC

3
Replying to @stilkov
It's also hard to do attack threat analysis without IP addresses.
1
IANAL, but I don't think IP addresses you only briefly use for processing, or store only for, say, a few hours, can be considered a GDPR violation.
2
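Added example (not from anyone in this thread): one way to act on the two ideas above, keeping aggregated stats instead of raw logs and holding per-request data only for a few hours. It parses constructed access-log lines, keeps hourly counts that contain no IP at all, and keeps individual events only inside a short retention window, with the IP replaced by a keyed pseudonym so repeated failed logins from one source still correlate for abuse analysis. The log format, the key, the window and the addresses are all assumptions.

```python
"""Aggregate statistics plus short-retention, pseudonymised events (added example)."""
import hashlib
import hmac
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a simplified access-log format; TEST-NET addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [2018-10-01T03:10:00Z] "GET /login HTTP/1.1" 200',
    '203.0.113.5 - - [2018-10-01T03:11:00Z] "POST /login HTTP/1.1" 401',
    '198.51.100.7 - - [2018-10-01T05:40:00Z] "POST /login HTTP/1.1" 401',
    '198.51.100.7 - - [2018-10-01T05:41:00Z] "POST /login HTTP/1.1" 401',
    '203.0.113.5 - - [2018-10-01T06:05:00Z] "GET /account HTTP/1.1" 200',
]
NOW = datetime(2018, 10, 1, 6, 26, tzinfo=timezone.utc)  # assumed "current time" for the window
PSEUDONYM_KEY = b"rotate-me-daily"  # hypothetical secret; rotating it unlinks old pseudonyms

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def pseudonymize(ip, key):
    """Keyed hash of the address: stable while the key is the same, so one source
    stays correlatable, but not reversible without the key (and not a lookup table)."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def process_logs(lines, key, now, retention=timedelta(hours=2)):
    """Return (aggregates, recent).

    aggregates: per hour, request counts by status and number of distinct sources,
                with no address or pseudonym stored at all.
    recent:     individual events no older than `retention`, IP replaced by a pseudonym.
    """
    hourly = defaultdict(Counter)
    sources_per_hour = defaultdict(set)
    recent = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hour = ev["ts"].strftime("%Y-%m-%dT%H")
        hourly[hour][ev["status"]] += 1
        sources_per_hour[hour].add(pseudonymize(ev["ip"], key))  # only the size is kept
        if now - ev["ts"] <= retention:
            recent.append({**ev, "ip": pseudonymize(ev["ip"], key)})
    aggregates = {
        h: {"by_status": dict(c), "distinct_sources": len(sources_per_hour[h])}
        for h, c in hourly.items()
    }
    return aggregates, recent


def failed_logins_by_source(recent, threshold=2):
    """Abuse check over the retained window: pseudonymised sources with
    `threshold` or more 401s on /login. Works without any raw address."""
    c = Counter(e["ip"] for e in recent if e["path"] == "/login" and e["status"] == 401)
    return {src: n for src, n in c.items() if n >= threshold}


if __name__ == "__main__":
    aggs, recent = process_logs(SAMPLE_LOG, PSEUDONYM_KEY, NOW)
    print(aggs)
    print(failed_logins_by_source(recent))
```

The older 401 from the first address falls outside the window and never reaches the per-event store, while the hourly counters still reflect it; the two 401s within the window are still flagged, only under a pseudonym.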
Replying to @stilkov
It's my strong belief that every single system is in violation of the requirements. The requirements are so vague I can poke holes in almost any system described to me and consider it not compliant. So if a law exists that nobody can effectively comply with, what use is it?
2
2
I see your point, and I wish it were clearer. But my expectation (and experience) is that judges don't follow overly literate interpretations. Possibly an EU/US difference?
3
Replying to @stilkov
But an IP address or user id can be personally identifiable. So now I can't do fraud detection.
1