On 11/09/13 03:27 AM, Daniel Veditz wrote:
> On 9/9/2013 11:21 PM, Chris Peterson wrote:
>> The primary motivation for hashing the MAC+SSID was to avoid uploading
>> the SSID (which is considered private data in some European countries)
>
> "private" means we can't even /look/ at it, rather than merely can't
> store it?

The data regime might be simply put as this: you can't store a number
suitable for tracking (or any derivative of it if that simply creates a
new tracking number) unless you have a compelling business reason, and
you have agreement.

The EU data protection regime makes a very strong distinction about any
private tracking information. It also goes to another level if you
share that information with anyone.

The initial simple answer is, don't go there. (I have no idea how
Google finessed this issue, or even if they didn't.)

> I believe Europe also considers IP addresses private data, but
> they certainly don't ban HTTP connections from giving up the IP address
> to the server as part of a request.

That's because IP addresses have to be given up to the server as part of
TCP. A compelling case -- packets have to be returned somewhere.

However, post-session storage is another issue, and data deletion
practices should be in place. Logging is where it gets vexatious.

iang