this post was submitted on 08 Jul 2023

(article linked from m/Android)

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

First of all, the answer to that wouldn’t matter because the article is about privacy protection not law enforcement. But to answer the question, collecting personal info about people without their express consent in Europe violates the #GDPR.

The GDPR makes some exceptions for cases where info can be collected on people nonconsensually (e.g. public health systems, law enforcement, scientific research), but your scenario does not match any legal exception. At best, you would have to make your activity part of a scientific study. And you wouldn’t get away with simply claiming it’s for science. You would have to make a convincing case that the study is for significant public benefit.

[–] B16_BR0TH3R 1 points 1 year ago (1 children)

No, SSIDs are obviously public (since you're transmitting them to outside your own house) and would come under the GDPR provisions for collecting publicly available information. You may need to inform me that you've collected my data, but that's all.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

There is no GDPR provision for collecting publicly available information that is personal w.r.t. individuals. You can only collect public info if it cannot be tied to an individual. For example, if a car is illegally parked and you photograph it and post it online, you must blur the license plate. It doesn’t matter that the image was in the public.

But again, this whole subthread is a #redHerring because the article is for those who actually intend to keep their sensitive info out of public view, not the others for whom the topic is irrelevant.

[–] B16_BR0TH3R 1 points 1 year ago (1 children)

Call it a red herring if you like, I'm just curious to see your rationale for claiming that others can't legally collect the information that I've willingly broadcasted to all and sundry. I can't say that I understand the rationale yet. I agree with your last example that I would need to obscure the license plate if I published a picture of your car on a public street, but the example doesn't seem to cover the actual case. A better example might be that you were shouting your license plate number out to a crowded street. Would I then be prevented from writing down (collecting) the number that you were shouting?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

> A better example might be that you were shouting your license plate number out to a crowded street. Would I then be prevented from writing down (collecting) the number that you were shouting?

How would you comply with article 13? Would you walk over to me and give me your contact details as required by ¶1(a), the purpose of your collection ¶1(c), the length of time you will keep the data ¶2(a), and also inform me of my right to erasure ¶2(c)?

What if I shouted my plate number from a moving car & you were only able to write it down before I was gone? How are you going to comply with article 13? Are you going to get in a faster car & chase me down to shout back all that information about you as a data controller?

Also, which article 6¶1 rationale do you think makes your collection lawful?

Google & Apple may or may not have the contact details of those whose WiFi data they collect but I certainly have never received an article 13 compliant notice from Google or Apple (neither of whom I have contracts with).