18
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 30 Dec 2024
18 points (100.0% liked)
TechTakes
1563 readers
227 users here now
Big brain tech dude got yet another clueless take over at HackerNews etc? Here's the place to vent. Orange site, VC foolishness, all welcome.
This is not debate club. Unless it’s amusing debate.
For actually-good tech, you want our NotAwfulTech community
founded 2 years ago
MODERATORS
The Google post appears to be Updating our platform policies to reflect innovations in the ads ecosystem.
I have no idea what the heck those words mean (it appears to be some bizarro form of English), so I diffed the policy itself. Here are the parts I found notable.
This will be removed:
This will be removed:
This will be added:
you just gotta love how vacuously pointless the wording is
google-rfc "must": "we want something we can bend you over a barrel with if you're caught out by one, but that's all we'll bother committing because otherwise it eats into our lovely extortion profits"
Also I'm having a fun time imagining an accurate device fingerprinting disclosure from someone who was really really thorough.
Not-A-Cookie-I-Swear Technologies LTD may collect the following information:
Don't worry none of it is a cookie :D
Some stuff in this list is me being silly, but overall it shows that the talk about "privacy-enhancing technologies" is premature on the web platform. The web has been trying to have better privacy defaults over time; but there's a long legacy of features from before this was considered as much, as well as Google tossing around their weight in the web standards and browser space.
now i wonder how much of that is blocked by firefox enhanced tracking protection. not all, of course, and it's probably much more than needed for unique identifier. there's mozilla security blog post on this topic says that some anti-fingerprinting measures were built in all the way back in 2020 (firefox 72)
Above I listed a bunch of things which would help narrow down browser version, but that's hopeless anyway -- an adversary will probably be able to figure out your rough browser version even if you fake the UA string, and that you're running in anti-fingerprinting mode.
So assuming that's out of scope I think these are probably the big categories:
That said while I've worked with browsers, I'm not in the biz of fingerprinting or anti-fingerprinting, so there's surely stuff I haven't thought of.
* Actually we should probably just disable non-HTTPS entirely...
** Running under a VM is probably the minimum required to mitigate the chances of cutting-edge side-channel timing attacks from James Bond level adversaries, but at that point maybe you just want a dedicated browsing computer heh. I did chuckle at the idea of someone trying to apply cryptographic constant-time algorithm techniques to writing a browser though.
I remember during my very very first job a security guy explaining to me why I can't record work emails of people borrowing stuff from the company's internal library because GDPR. In a company of like 100 people. I guess Google is too big to care.
It's the same feeling as when it's reported some guy was able to defraud literal millions from public funds while I had to separately report and bring a receipt for the $5 I spent on a city bus while out on a business trip because it was funded from a public grant or I'd get fired and sued, in that order.
I'm not a gdpr person (nor even european) but this sounds like bullshit - was it?
I simplified , but:
The problem is that if someone leaves the company you should delete all of their PII you don't need for compliance reasons. The emails were firstname.lastname@company.com, as is usual, so it was PII. So if someone borrowed something from the library and that record stayed in the database, when their company profile got deactivated we would've had to have a flow that deleted that row or at least anonymised it. Needless to say, this was a minor side project with a time budget of one month, so we just ended up not storing any PII in the first place instead of bothering with archiving and removal.