Re: HCaptcha absolutely sucks
It does seem to be somewhat tedious.
34 posts • joined 10 Apr 2017
This tone assumes Morrisons was powerless against KPMG's proposed mechanism,.
Morrisons is of course entitled to refuse a process they consider to be contrary to their data protection obligations.
They're required to be audited, they're not required to be audited according to a process invented by a third party they don't agree with. Of course they may not have reviewed it..
"That seems like an edge case to me. I'm purely speculating here, but it seems to me that an org that is so small that it can't sort out infrastructure is probably also so small that the infrastructure it needs is simple enough that they could sort it out themselves."
As someone in this position, I see both sides. We use o365, but that's because we're a dev shop working on MS stuff and get it free though the partner program. If we weren't a dev shop we'd likely not have the infrastructure / skills in house run something like that ourselves.
It takes care of a lot of bits of stuff - AD, Fleet admin, E-Mails, OneDrive, Office, various resilliance and audit issues.. so it probably would be worth the full cost if you were starting out with none of that. Once you learn a little bbit about it, there's also various approahes around to avoid the full costs (I mean the legal ones).
We had slighlty mixed messaged on that.
On one hand you've got "required to function" granting exception, and a clause (somewhere, can't find it right now) pharsed as "…taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures".
On the other hand, you've got the ICO publishing things (I think it was clarification statement about backups) that say "technical difficulties doing it aren't an excuse".
In which case, see standard process for someone who releases something into the public domain without your consent; liability lies with them, not the key server. Once in the public domain, there's not a lot that can be done.
I could have a local cache of your key recorded from the key server, which I did on the understanding you'd consented to typical use of the pgp system. Is the onus on me to monitor the key server for status changes?
So complying with a US law will mean violating EU law. That comes with a set of follow up quetsions:
1. Is there anything in US law which permits "we can't do that, it'd be against someone else's law" as a defence?
2. If Microsoft refuses to comply, gets fined, and still refuses to comply, can it continue to be punished or is that the end of the matter?
3. Is there a limit to what they could be fined? Basically, on a pure buiness costs basis, what makes more sense, breaking GDPR or braking CLOUD?
That exemption is a Member State Derogation. ie. Member states can execute discretion to legislate over these areas. The UK won't be a member state, so we won't be entitled to derogations of our own making unless we obtain an agreement to the contrary, dispite the fact we're pretty likely to stiill have to comply with thme.
One of the really important points of the census is to validate all the other data excercises going on day to day. ie. is the admin data any good, or does government miss big sections of the population (always shows that it does..).
This move threatens to render missed groups off the radar indefinately, which has all kinds of knock on in service provision, democracy etc.
Doing bits of it online to save postage is seems fine form that this point of view, but not doing it at all is a huge failing.
"I dont believe there is ever likely to be full privacy on the internet"
That'd basically be oxymoronic. The internet exists to communicate data. "Full privacy" for everyone about everything would mean don't communicate any data... As you say, it's about agreeing boundaries. The system is still relatively immature (compared to walking down the street..), opinions vary, the scope is wide, and enforcement is difficult. We're a long way off.
You walk down your street with knowledge of the area / community, and having decided the risk is acceptable; there maybe some streets you don't walk down because you don't feel that's true.
The real difference vs the down the street analogy is the scale and extent at which it can happen. People elsewhere in the world can do it en-masse in your street, and every other street. That changes the discussion because you no longer know which streets are safe, or what communicty you're interacting with, so your ability to choose is being eroded. Oddly enough that's an inverse privacy problem, where those doing the monitoring have too much privacy.
That's rather mixed bag then:
"due domestic demands" - that would indicate the issue is socital bias in domestic responsibilities; not really within an employers scope to mitigate, but clearly a route cause for various other gender issues.
"gaming the system" - seems to be about experience rather than gender. It's probably still something Uber should address; presumably through tweaks to the pricing model to try and minimise the advantages so all fares yield equvilant rewards. They'll never get that perfect, but can probably do better that an current. This however, would be primarily for the benefit of the customers rather than the
That's my assumption as well, and I see the point of that; otherwise any crook can just turn round, claim to be a researcher and simply "not have reported it yet".
Whether 72hrs is the right number is a fair question, along with how extensive the report is.
If it's a simple "Dear ICO, I believe that combining X with Y can reveal Z, but I'm sitll working on. Cheers" then that could be reasonable. If we're talking about an indepth analysis, then that's a different situation.
I'm inclined to agree with jmch.
While there is some residual risk fo taking 10 days to notify, it's probably better average for something of this size.
it practice it does take a bit of time to confirm it's actually happened, evaluate exactly what data has been taken, and which people need notifying.
They could have used the 2 step-model; of a general "something has been breached, be alert, details to follow", followed by a "this does/doesn't actually imapct you peronsally, in this way...", but I guess that's being balanced vs reputational damage risk of broadcasting a worse meessage than they actually need to.
It's more than difficut to manage. In infeasibly problematic without effectively a new interational agreement on it and a huge wodge of policy everyone has to find ways to implement.
There are issues around how to record such information, confidence in such information, burden of proof.
Then there are ambiguities around things made in multiple juristrictions (collaborative authoring), out of duristiction (international waters), the list goes on and on.
"Because, yeah, devs hate code and love GUIs."
I actually think that's a misunderstanding. There's quite a mix of people who do this knida stuff.
Devs who write it themselves where there's an off-the-shelf solution available have special circumstances or are doing it wrong.
The data science crowd prefer to save their smarts for the analytics bit, they'd probably rather just push some buttons and have the data automagically become available.
I think the response is "How can you possible do statistics without a guess!?". Given that there are no comprehensive models of the world, and practically nothing is truely independant, you always assume something, whether you realise it or not.
"If you already have a Nest device set up in your house, the new camera won't require you to enter any login or Wi-Fi password details, but will grab the information through your existing account."
How exactly; they're broadcasting your local network credentials out of your house into the www? Why?
Biting the hand that feeds IT © 1998–2021