No Privacy Policy in D tools (dmd, dub, phobos, etc)

Adam Wilson flyboynw at gmail.com
Sun Jan 28 04:31:21 UTC 2024


On Sunday, 28 January 2024 at 04:04:42 UTC, FairEnough wrote:
> However, the focus (and your focus as a developer) should be on 
> protecting the personal data of citizens, and not on geography.
>
> That GDPR compliance can be too onerous for some, is certainly 
> an issue, but not an excuse to not take all reasonable measures 
> to protect the personal data of citizens, including U.S. 
> citizens.
>
> Privacy by design and default, should be the guiding principle, 
> regardless of local laws and geography. If it's not, it WILL 
> come back to bite you, that is for certain.

I don't disagree with any of that, and we do take it very 
seriously, probably more so than most. And I've actually done 
this kind of work for MSFT and others. But most regulation 
compliance regimes do very little in practice to actually ensure 
that data is secure, and GDPR is no exception.

These types of laws are all about liability and redress when 
something does go wrong. By complying with GDPR the company gets 
a "pass" on liability so long as it complied with said 
regulations. A simple example would be: Company implements a 
compliant password hashing regime, Customer selects weak password 
that is on a rainbow table, Customer's data is stolen. The company 
can say "We complied with the regulations, the customer is at 
fault for selecting a weak password." You could argue that the 
company's password hashing regime was also sufficiently weak to 
allow a hashed password that appears in a rainbow table, but the 
company gets a pass because it "complied".

Essentially, this is incredibly expensive cover for businesses so 
that they can outsource their liability to the user or 
government. I can either spend the money on meeting some 
regulations, or spend the money on implementing actual systems. 
In a capital constrained environment, it is better to solve the 
regulation problem as cheaply as possible (IP blocks are free), 
and focus on building a secure system.

In any case, a sufficiently well developed security system is 
going to far exceed the standards of any government regulation, 
so if one day down the road you decide to open up to other 
countries, you aren't paying to redevelop the whole security 
system for "compliance." You pay the fat legal/audit fees and 
move on.


