No Privacy Policy in D tools (dmd, dub, phobos, etc)
Adam Wilson
flyboynw at gmail.com
Sun Jan 28 04:31:21 UTC 2024
On Sunday, 28 January 2024 at 04:04:42 UTC, FairEnough wrote:
> However, the focus (and your focus as a developer) should be on
> protecting the personal data of citizens, and not on geography.
>
> That GDPR compliance can be too onerous for some, is certainly
> an issue, but not an excuse to not take all reasonable measures
> to protect the personal data of citizens, including U.S.
> citizens.
>
> Privacy by design and default, should be the guiding principle,
> regardless of local laws and geography. If it's not, it WILL
> come back to bite you, that is for certain.
I don't disagree with any of that, and we do take it very
seriously, probably more so than most. And I've actually done
this kind of work for MSFT and others. But most regulation
compliance regimes do very little in practice to actually ensure
that data is secure, and GDPR is no exception.
These types of laws are all about liability and redress when
something does go wrong. By complying with GDPR the company gets
a "pass" on liability so long as it complied with said
regulations. A simple example would be: Company implements a
compliant password hashing regime, Customer selects a weak password
that is on a rainbow table, Customer's data is stolen. The company
can say "We complied with the regulations, the customer was at
fault for selecting a weak password." You could argue that the
company's password hashing regime was also sufficiently weak to
allow a hashed password that appears in a rainbow table, but the
company gets a pass because it "complied".
Essentially, this is incredibly expensive cover for businesses so
that they can outsource their liability to the user or
government. I can either spend the money on meeting some
regulations, or spend the money on implementing actual systems.
In a capital constrained environment, it is better to solve the
regulation problem as cheaply as possible (IP blocks are free),
and focus on building a secure system.
In any case, a sufficiently well-developed security system is
going to far exceed the standards of any government regulation,
so if one day down the road you decide to open up to other
countries, you aren't paying to redevelop the whole security
system for "compliance." You pay the fat legal/audit fees and
move on.
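The password hashing scenario above, as an added example that is not part of the original post or of any D project code: an unsalted hash of a common password is recovered from a precomputed table, whereas the same password stored with a per-user random salt through PBKDF2 is not in any precomputed table, and a breached-password check can refuse the weak password before it is ever stored. The "rainbow table" and "breach list" here are hand-constructed four-entry stand-ins for real corpora; the lookup and registration logic is what the example is about.

```python
"""Added example (not from the original thread): why a nominally
'compliant' hashing scheme can still leave a weak password exposed to a
precomputed (rainbow) table, and what a per-user salt plus a
breached-password check change.

The tiny 'rainbow table' and 'breach list' below are constructed sample
data, not real datasets.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a precomputed table: unsalted SHA-256 -> plaintext.
# A real table holds billions of entries; the lookup is the same.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
RAINBOW_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Constructed stand-in for a breached-password corpus.
BREACHED = set(COMMON_PASSWORDS)

PBKDF2_ITERATIONS = 200_000


def hash_unsalted(password: str) -> str:
    """The weak scheme: one global hash function, no per-user salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_with_rainbow_table(stored_hash: str) -> Optional[str]:
    """Offline attack: a precomputed table maps the stored hash back to the password."""
    return RAINBOW_TABLE.get(stored_hash)


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; returns (salt, derived_key).

    Because the salt is unique per user, no table precomputed before the
    salt existed can contain this hash, however weak the password is.
    """
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key


def verify_salted(password: str, salt: bytes, expected: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_salted(password, salt, iterations)
    return hmac.compare_digest(key, expected)


def is_breached(password: str) -> bool:
    """True if the password appears in the (constructed) breach corpus."""
    return password in BREACHED


def register(password: str) -> Tuple[bytes, bytes]:
    """Refuse known-breached passwords, then store salt + derived key."""
    if is_breached(password):
        raise ValueError("password appears in a known breach list")
    return hash_salted(password)


if __name__ == "__main__":
    weak = "password"
    print("unsalted hash cracked ->", crack_with_rainbow_table(hash_unsalted(weak)))
    salt, key = hash_salted(weak)
    print("salted hash in table  ->", key.hex() in RAINBOW_TABLE)
    try:
        register(weak)
    except ValueError as exc:
        print("registration refused  ->", exc)
```

Salting does not make a weak password strong: an attacker who obtains the salted hashes can still guess "password" in a handful of PBKDF2 evaluations per account. It removes the precomputation shortcut, and the breach-list check removes the most common guesses at registration time, which is the part of the scenario a compliance checkbox for "hashing" does not cover.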