I wish that were the case, but because of there being barely any consequences for breaches, it's much more profitable to store everything you can and sell it to the highest bidder. Make it a huge risk to store data, then companies will start treating data like a live hand grenade.
reply
That's exactly what the GDPR tried. If only it was properly enforced.
reply
Companies can and do get away with arguing that they have a "lawful basis" to collect whatever data they'd like. It's unfortunate.

IANAL, but the law seems a bit vague to me, and it appears that companies use that vagueness to their advantage. Maybe I'm just not articulating my arguments correctly.

reply
Even if you have a lawful basis for collecting data, the GDPR is in theory restricting you to only use it for that basis, delete it as soon as you don't need it anymore, have a plan on how to store and handle it, and requires you to follow best practices when doing so. Backups, encryption, regularly testing the technical and organizational measures that protect the data are in theory all mandated. Also, on the topic of this post, notification of data breaches when they occur.

But enforcement is just laughable. Even on easy-to-observe issues like which data is collected.

reply
Why does the app need to store the Google/Apple ID? Because it stores the data in the cloud, instead of locally for the app to use?
reply
It's for your login and payments. I need to verify that you are authenticated somehow and Google/Apple also handle payments.

You "Login with Apple" or "Login with Google". They manage the login entirely and pass me your id and an access token (assuming you pass their login test). I store that in my DB so that your data from the app can sync (the paid-for app syncs your training data to my backend but I match it only based on the Google/Apple id.)

The alternative is that I build my own auth system and I'd need to store something you can type in the next time, e.g. email/password address etc.

If you have an Android/Apple phone you're already authenticated with them. I just need Google/Apple to say "this guy is cool, let him in" and I then use the id to check if you've paid, sync your training data etc.

On its own, the id is useless! Means nothing and cannot be traced back to a person. I genuinely do not know your name, email, what country you come from, GPS data, CC data. Nothing at all!

I don't want your data.

reply
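The store-only-the-id design described in the comment above, sketched as an added example (not the commenter's code). It assumes the ID token's signature was already verified against the provider's published keys by a JWT library; `CLIENT_ID`, the function names and the sample token are constructed for illustration.

```python
import base64, json, time

ALLOWED_ISSUERS = {"https://accounts.google.com", "https://appleid.apple.com"}
CLIENT_ID = "example-client-id"  # constructed placeholder for the app's OAuth client ID
# Standard OIDC claims that identify a person; none are needed to key a synced account.
PII_CLAIMS = {"email", "email_verified", "name", "given_name", "family_name", "picture"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(id_token: str) -> dict:
    """Decode the JWT payload. Assumption: the signature was verified upstream."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def minimal_record(claims: dict, now=None):
    """Validate iss/aud/exp, keep only (issuer, subject), report PII claims dropped."""
    now = time.time() if now is None else now
    if claims.get("iss") not in ALLOWED_ISSUERS:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was issued for another client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("missing subject")
    # Only this pair is persisted; everything else in the token is discarded.
    return {"issuer": claims["iss"], "subject": sub}, sorted(PII_CLAIMS & claims.keys())

def sample_token(extra: dict) -> str:
    """Constructed, unsigned sample token for the demo; not real provider output."""
    claims = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
              "sub": "constructed-subject-0001", "exp": 4102444800, **extra}
    return ".".join([_b64url(b'{"alg":"RS256"}'), _b64url(json.dumps(claims).encode()), "sig"])

if __name__ == "__main__":
    token = sample_token({"email": "user@example.com", "name": "Example User"})
    print(minimal_record(decode_claims(token)))
```

Whether `email` or `name` appear in the token at all depends on the scopes the app requests at sign-in; the second return value makes any such claims visible so they can be audited rather than silently stored.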
If I'm using an app I'm very skeptical of "Login with Google" because I have no way to verify that you're only getting a random identifier and not my email address. I prefer to sign up with a proxy email address.
reply
At least with "Sign in with Apple" you can choose to give a random alias that forwards to your email. I do this for every single service I sign up for. Completely unique Email + password for everything.
reply
It's built into Android/iOS and an accepted way of logging into an app. The app store page (when it's released) shows exactly what I need: practically no information at all.

Google handle the payment and the subscription too (same with Apple) and that's a very common pattern too.

I understand the skepticism though.

reply