How do you object to the site's legitimate interest use of your personal data? That is a legal grounds for processing, which can be enabled by default as long as you are provided with an option to actively object.
>How do you object to the site's legitimate interest use of your personal data?
With the legitimate individual control over one's own data required to run a healthy society and unavoidable to sustain a democracy. If a business can't exist without threatening society, the sooner it goes out of existence the better.
If it is an actual legitimate interest then you would likely be expected to contact the site out of band to object to the use of your data. Depending on the technical details you might not be able to continue using the site after a successful objection. In some cases the site might be able to reject your request.
The cookie banner thing is intended to allow the user to explicitly provide consent, should they for some reason wish to do so.
The cookie banners are routinely used to object to "legitimate interest" uses and the corresponding sites continue to work normally, not sure what your alternate understanding is based on.
The cookie banners are for initial consent. You just consent to less stuff sometimes.
A website might claim some sort of legitimate interest for the initial collection of data but might not think that they can claim that for the retention of data I suppose. That would seem kind of dodgy to me...
Just because a website claims something doesn't mean it is valid. There isn't a lot that falls under legitimate interest for a website.
It’s also to check if something works. I recently added something new and while I cannot and will not track any personally identifying information, I still need some data on whether people go through the whole process alright. That covers legitimate interest. It’s the minimum data I collect and it gets wiped after some time.
An IP address is not "personally identifiable data". You can not know who the person is just because you got an IP address in the request.
We are almost 10 years into the GDPR, and we still have these gross misunderstandings about how to interpret it. Meanwhile, it has done nothing to stop companies from tracking people and for AI scrapers to run around. If this is not a perfect example of Regulatory Capture in action, I don't know what is.
- they don't care about the cookies they are setting on their properties, if most of the functionality they have require you to be authenticated anyway.
- These "smaller websites" are exactly the ones more likely than not to be Google's and Facebook's largest source of data, because these sites are the ones using Google Analytics/Meta Pixel/etc.
This is not my experience at all with Facebook. Since six months ago or so, Facebook is saying my three options are to pay them a subscription, accept tracking, or not use their products. I went with option three, but my reading of the GDPR is that it's illegal for them to ask me to make this choice.
I'm in Spain, this is probably not the same worldwide.
The "Reject all" does not in fact reject all. They are taking extreme liberties with the "legitimate interest" clause to effectively do all tracking and analytics under it.
The YouTube consent screen for example includes this as a mandatory item:
> Measure audience engagement and site statistics to understand how our services are used and enhance the quality of those services
I don't believe this complies with the GDPR to have this mandatory.
IP address is considered personal data and can be considered personally identifiable data in some circumstances, for example if you can geolocate someone to a small area using it.
> An IP address is not "personally identifiable data".
GDPR says it is [1][2].
> We are almost 10 years into the GDPR, and we still have these gross misunderstandings
Because people would rather smugly and confidently post about their gross misunderstandings. If only there was some place to read about this and learn. I’ll give you the money shot to save 10 more years:
> Fortunately, the GDPR provides several examples in Recital 30 that include:
> Internet protocol (IP) addresses;
From Recital 30:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses
When an IP address is linked to any other data, then it counts as PII. By itself, it's not.
So, sure, if you stick the user's IP address on a cookie from a third-party service, you are sharing PII. But this is absolutely not the same as saying "you need to claim legitimate interest to serve anything, because you will need their IP address".
An IP address linked with the website being accessed is already PII.
When serving content, you're by necessity linking it to a website that's being accessed.
For example, if grindr.com had a display in their offices that showed the IP address of the request that's currently being handled, that's not saving or publishing or linking the data, but it's still obvious PII.
IPs are PII even before you inevitably link them to something in your logs. If you can make a case that you absolutely don’t store them anywhere, they’re just transiently handled by your network card, maybe you get away with it but only because someone else along the stream covers this for you (your hosting provider, your ISP, etc.)
Source: I have been cursed to work on too many Data Protection Impact Assessments, and Records of Processing Activities together with actual lawyers.
Basically we are in agreement: IP addresses, by themselves, are not PII; only when they are linked to other information (a cookie, a request log) does it constitute processing.
So, apologies if I was not precise in my comment, but I still stand by the idea: you don't need a consent screen that says "we collect your IP address", if that's all you do.
Not really, no. I don’t think I can make it more clear than I, or the law, already did: IPs are PII no matter what. Period. It’s literally spelled out in the law.
The misconception is that you need explicit consent for any kind of processing of PII. That is not the case. The law gives you alternatives to consent, if you can justify them. Some will confuse this with “must mean IPs aren’t PII”, which is not the case.
800 W is quite conservative for a Schuko plug, which is typically rated for 13 or 16 A (>3000 W). I regularly charge the car at 10 amps (2400 W) on a Schuko.
The problem is not the plug itself but the rating for the circuit it's connected to. If there is a 16A breaker for the circuit to protect the wiring from overload but you add 10A via a plugged-in battery, you're now allowing a total of 26A to flow through those same wires.
The 800W is a compromise; the wiring for a 16A circuit (typically 2.5 mm2) is able to handle 20A without a fire risk.
If you install the same battery in a fixed setup by an electrician it would be on a dedicated circuit so the only limit is the wiring of that circuit and the breaker you let them install. They would then also consider limits on the upstream wiring and things like earth fault protection.
I had separate circuits installed for my solar and future battery, using 4 mm2 wiring and 25A breakers. Only a small change to the central installation swapping the earth fault protection for one that was rated for higher currents.
Yes! However, in Germany we are not allowed to use more than 800 W on a battery with a Schuko plug without a certified electrician. Everything is regulated! :D
I have been waiting for the electrician to hardwire the battery for about six months. He said he would stop by next week. Once he has done that, I will increase the maximum charge/discharge power to 1500 W (conservative, I know, but I think I don't need more to fully charge/discharge the battery on regular days).
I don't think this is a Schuko limitation... 800W is a limit that you can send back to the grid without having a properly registered PV plant with a normal inverter. Your meter might disconnect you if you try to send more.
He has 30 kW solar so the registration with the grid operator already happened.
This isn't a grid limitation but a rule about safe home installations. The limits are low for things the general public gets to plug in on their own. Those simple limits don't apply to the same battery installed by a professional. Professionals would instead follow a more complex set of rules and make some calculations, allowing for much higher currents if done in the right way.
What you say is correct. Except: as the AC battery was installed four years after the PV system, I did have to register it separately with the grid operator, which included creating a new entry in the Marktstammdatenregister. In other words, registering the PV system and the battery were two completely separate processes for me.
The Iberian outage had nothing to do with inertia.
The root cause was insufficient dispatch of reactive power due to non-compliance of some power providers, and ultimately traceable to outdated procedures for the dispatch of reactive power.
Don't waste your time and money on funding bug bounties or "getting audits done". Your staff will add another big security flaw just the next day, back to square one.
Something is seriously wrong when we say "hey, respect!" to a company who develops an unauthenticated RCE feature that should glaringly shine [0] during any internal security analysis, on software that they are licensing in exchange for money [1], and then fumble and drop the ball on security reports when someone does their due diligence for them.
If this company wants to earn any respect, they need at least to publish their post-mortem about how their software development practices allowed such a serious issue to reach shipping.
This should come as a given, especially seeing that this company already works on software related to security (OpenAuth [2]).
It’s like an unwritten rule to only praise each other because to give honest criticism invites people to do the same to you and too much criticism will halt the gravy train.
I've struggled a bit on this: LinkedIn's positivity echo chamber vs. the negativity-rewarding dunk culture here. No greater power exists on HN than critical thinking using techno-logic in a negative direction, revenue and growth be damned.
Opencode doesn't have to maintain Zen so cheaply. I don't have to say anything positive or encouraging, just like I don't have to sh!t on YouTuber 'maintainers' who promise incredible open source efforts which do more to prove they should stick to videos rather than dev. Idk. Not exactly encouraging me to comment at effing all if any positivity or encouragement is responded to with the usual "hm idk coach better check yoself".
Yeah, honestly I think I know exactly what to do.
It's called "the world wide web" and it works on the principle that a webpage served by computer A can contain links that point to other pages served by computer B.
Whether that principle should have been sustained in the special case of "B = localhost" is a valid question. I think the consensus from the past 40 years has been "yes", probably based on the amount of unknown failure possibilities if the default was reversed to "no".
OWASP A01 addresses this: violation of the principle of least privilege, commonly known as deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.
Indeed, deny by default policy results in unknown failure possibilities, it's inherent to safety.
I completely agree with this, programs are too open most of the time.
But, this also brings up a conundrum...
Programs that are wide open and insecure typically are very forgiving of user misconfigurations and misunderstandings, so they are the ones that end up widely adopted. Whereas a secure by default application takes much more knowledge to use in most cases, even though they protect the end user better, see less distribution unless forced by some other mechanism such as compliance.
I believe the parent is referring to how GNOME 3.0 had some really bad resizing grabs. Single-pixel widths at the edges, and almost impossible to hit corners.
I was about to suggest Xfce as an example where window resizing is effortless due to the <super>+<right click> behavior. You can just grab the rough sector of a window to resize it.
https://noyb.eu/en/your-right-object-article-21