GDPR violation
Posted Aug 13, 2025 14:19 UTC (Wed) by Wol (subscriber, #4433)
In reply to: GDPR violation by linuxrocks123
Parent article: StarDict sends X11 clipboard to remote servers
Me: But the user does NOT HAVE LAWFUL POWER to consent to sharing this particular data. They are NOT the data subject, who is the only person who can.
This is the exact same problem we have with TPMs, and DRMs (the bad version) where some people seem incapable of understanding that the USER and the OWNER do not have the same rights, and are not necessarily one and the same.
If you are not the data subject, you cannot consent to share someone else's data, and to do this in the EU is a serious breach of the GDPR. "but I didn't realise this program was sending everything to China" is likely to get *extremely* short shrift from the regulators - and the fines can be *extremely* painful.
Cheers,
Wol
Posted Aug 13, 2025 14:30 UTC (Wed)
by pizza (subscriber, #46)
Huh?
"this particular data" is the user's. Why don't they have the lawful power to consent to sharing their own data?
Posted Aug 13, 2025 14:45 UTC (Wed)
by Wol (subscriber, #4433)
The whole premise of this sub-thread (if I have it right) is that by typing/copying data into Firefox's search bar, the user is consenting to it being sent out for processing elsewhere. NOWHERE has there been any discussion about whether the user actually has the power to consent, or whether the data is theirs, leading to the classic ASS-U-ME scenario.
Which is the exact same problem we have with StarDict, that started all this ...
Cheers,
Wol
Posted Aug 13, 2025 15:25 UTC (Wed)
by pizza (subscriber, #46)
While your point about how the "user" and "subject" are not necessarily the same person is valid, you keep using "user" interchangeably to refer to both. Please be consistent!
Meanwhile, any potential liability for leaking third-party PII falls entirely on the [employer of the] meatbag sitting in the chair. Assuming they even had the right to "process" that PII to begin with, they are responsible for safeguarding that information, which extends to their choice of tools and properly configuring/maintaining them.
But in a more general sense, the "problem" you describe is as old as humanity itself; there is no way to prevent two people from gossiping about a third party. There is only punishment after the fact, sometimes. Long after any damage has been done.
Posted Aug 13, 2025 16:55 UTC (Wed)
by Wol (subscriber, #4433)
And where exactly have *I* done that? Of course, if the user and the data subject are the same person, the terms *are* interchangeable. But if they're *not* the same person, then the user is the pbkac, and the location of the data subject is completely unknown. And the *user* "hat" does not have power to consent. Ever.
> Meanwhile, any potential liability for leaking third-party PII falls entirely on the [employer of the] meatbag sitting in the chair. Assuming they even had the right to "process" that PII to begin with, they are responsible for safeguarding that information, which extends to their choice of tools and properly configuring/maintaining them.
Notice in my example I did explicitly say I had the right to *process* the data.
> But in a more general sense, the "problem" you describe is as old as humanity itself; there is no way to prevent two people from gossiping about a third party. There is only punishment after the fact, sometimes. Long after any damage has been done.
I have to agree. There are (and have been for a long time) laws on libel, slander, and eavesdropping. But Linux should not include programs whose default (and undeclared) activity falls blatantly within the eavesdropping category. It's basically the same as all the screams about Microsoft backing up all your activity so that any random 3rd-party who gains access to that data (that you quite possibly didn't even realise existed) can retrospectively view everything you did!
This basically is the point. Firefox is EXPECTED to share the stuff you type in. If the user is not the data subject, then there is potential for a serious GDPR breach (I expect it's like trespass - if you have good grounds for expecting the data subject to agree, then the risk is minimal. If you expect (or know) the data subject will refuse, then DON'T DO IT!) If the user isn't aware of the law, the response will be "ignorance is no excuse".
The problem with StarDict is the user has no expectation that the data will be shared, so the blame could easily end up landing on the entity responsible for installing it. And that could end up being the distro itself.
Cheers,
Wol