why GDPR and data privacy matters

[ik9000]

So another forum had a post mentioninig this article. https://www.nbcnews.com/news/us-news...phone-n1274596

Setting aside the schadenfreude and hypocrisy etc this is a good example of why GDPR and privacy matters.

This was apparently derived by someone tracing the device identifier (apparently easy to do if you know the number and are able to make a call to their phone) and then cross referencing that against aggregated data obtained from Grindr which logged device ID.

Just because something doesn't personally identify users in the data they collect doesn't mean that data can't be extrapolated or interpreted using cross references to other data sources to make it personally identifiable!!

A lot of websites, even those with cookie opt outs, etc list a non-opt-outable consent for "identifying and linking devices". This seems to be a shortfall in the GDPR and allows just this kind of data aggregation from pooled sources. It's not just priests hooking up on grindr who need to worry about this kind of thing.

What's the answer for users to protect themselves? VPN, random MAC addressing?

[kalniel]

GDPR protects against aggregated data too if it can still be used to identify individuals.

[ik9000]

GDPR protects against aggregated data too if it can still be used to identify individuals.

so why do so many website opt outs not let you veto this?

edit: articles out there to suggest there are loopholes enough to use cross-device tracking:

https://leadsrx.com/blog/cross-device-tracking-gdpr

we require that the customer “log in” or fill out a form on a device in order for the LeadsRX system to recognize them and connect their actions across devices....

This strategy ensures that all customers have given appropriate permissions for every piece of data that our customers collect.

So those forms not allowing deselection of device linking etc are making you give consent to their practices. This is GDPR compliant according to the article so long as they don't store IP address. But it implies other data is fair game with the opt-in. So basically don't use a good number of websites if the list "device linking" or "user identification across devices" then? Hardly ideal where it's your bank or utility company etc.

[Saracen999]

Sadly, the world we live in is one where privacy is largely illusory, and has been for quite a while. And it's getting far, far worse. Even my personal CCTV (locally stored) can scan for and count known people in certain areas (I don't need or do that, but the system can), and it recognisises faces too. Connect that capability to shop CCTV and give them credit card data, and ....

Connect that capability to traffic cameras with your car reg number, and then your driving licence photo (I still have old paper licence, but that only slows the process up for as long as it takes to find, check and link a passport photo) and, now the state can pretty muh track your movement from public CCTV if they wish. This capability will only get more prolific, and commonplace, with increases in storage density and processing power.

And so on.

Despite however well-meaning the GDPR is, it's illusory, and so is privacy.

It's why, despite tin-foil hat remarks, I've long argued the only way to even minimise the loss of privacy is to avoid putting every byte of data you can on the net in the firstplace, but that inevitably is by sacrificing convenience and it only reduces the loss, not prevents it. For instance, it's why I pay for groceries in cash, not with card, but facial-rec and CCTV renders even that pretty much futile.

Even for minimising loss of privacy, if you start right now, today, you're several years too late.