I think the GDPR approach (transparency rules, huge fines) is probably good enough to address this
Clemens Vasters 🇪🇺📨🇮🇱🇺🇦 @clemensv
1 Oct 2018
While I trust that everyone tries their best, I am skeptical about the EU having a policy team at hand that can factually teach Facebook (one of the most attacked properties in the world) better cybersecurity processes and operational practices.
3
4
I’ve been talking GDPR for weeks and like, nobody knows how to comply. So many people have totally different thoughts.
2
2
I know, I’m not claiming it’s clear or easy to execute. I completely agree with its intention and the general model, though. Anything specific that comes up in terms of compliance? Always interested in discussing how to go about it technically.
1
1
So for me the biggest confusion is around personally identifiable information. Loosely this could mean so many things and affect every single tier of the architecture including cold storage of logs.
1
1
Agreed. E.g. there are lots of things you shouldn’t log, or at least not keep, which of course complicates things. Keeping aggregated stats instead might work.
3
It’s also hard to do attack threat analysis without IP addresses.
1
IANAL, but I don’t think IP addresses you only briefly use for processing, or store only for, say, a few hours, can be considered a GDPR violation.
2
Replying to @stilkov @kellabyte
So far, I’ve been able to get by with asking myself “is this kind of usage something for which I can reasonably be expected to ask for the user’s consent”, given the kind of contractual relationship I already have with them

Oct 1, 2018 · 6:37 AM UTC

1
Replying to @stilkov
I bet you I can poke many holes in your systems based on the law such as the section I just described. The law is so vague and far reaching people basically comply with their theoretical understanding.