debanqued

Indeed, MS only makes GDPR rights available to people who are willing and able to solve their graphical CAPTCHA. You must execute their JavaScript and have image rendering enabled in your browser.

For sighted people it’s not the more shitty varieties of CAPTCHA. Looks easy. But still fucked up that there is a barrier to exercising GDPR rights.

Suppose you have the following parties to an email conversation:

• badDebtorOffice@douchebank.com (alias for bdo@douchebank.mail.protection.outlook.com)
• alice@freedomRespectingProvider…org

Douche Bank¹ manages to collect Alice’s email address either legitimately from her or illegitimately without her consent. DB sends her an email like this:

From: "Douche Bank" 
To: "Alice Marie Smith" 
Subject: Your unpaid debt of €20,000 on account № 354-987-156

Pay up.

Alice did not choose to do business with Microsoft Corporation and does not trust MS in the slightest. Yet Douche Bank has exposed sensitive financial information about Alice to MS, potentially without her consent. She may or may not have supplied an email address to D/B but certainly she opposes MS receiving her sensitive data, which it will then exploit to the fullest for surveillance marketing or otherwise.

Alice has no control over her bank’s choice of email provider. But in principle the GDPR is expected to give her control over her data exposure. If she makes an art.17 request to erase the privacy-abusing email, it’s too late b/c MS already saw it. The bank would not erase it because they have a legit need to track the fact that they sent a payment reminder. The bank /can/ mirror Alice’s art.17 request to MS if they are motivated, but most likely they will not, particularly if the bank is not treating the art.17 request themselves. And most likely MS would ignore it anyway.

If Alice sends a GDPR request direct to MS to erase MS’s copy of the email, MS would naturally respond with something like ”who are you? You are not our customer. Therefore we cannot properly identify you in accordance with GDPR rules. Also, we are just a “data processor” not a “data controller”. Sorry.. you can fuck off now.” (in so many words)

If Alice were to complain to the Data Protection Authority of Germany (where MS is headquartered), they would be helpless in this situation. I mean, there is Art.32 which requires processing to be secure, but most data controllers seem to be ignoring Art.32 w.r.t Art.77 requests. EDPB said in their “Contribution of the EDPB to the report on the application of the GDPR under Article 97” report:

“fines were imposed … for failure to comply with the obligations with regard to the rights of the data subjects (Article 12 to 22 GDPR),”

IOW, infringements on Articles outside the Art.12-22 range are not considered by the EDPB as “rights of the data subjects”. I’ve seen a similar sentiment expressed in other places.

¹fictitious name inspired by Deutche Bank/Bank of America

I read somewhere that GDPR requests for restricted processing (Art.18) cannot be combined with any other topic or request. E.g. If you request that they not use your e-mail for marketing purposes.

WTF. Yes, I understand the idea is that if the request stands on its own, it cannot be overlooked. But #GDPR requests are ignored so often that I deliberately combine a GDPR request with another request that is more difficult to ignore. That way when they ignore the GDPR request but treat the non-GDPR request from the same letter, it proves that the data controller received my letter. When a GDPR request is made on its own, they can more easily claim the letter never came and shift the proof-of-delivery burden onto me.

For the past four months beehaw has been unreachable to those of us on the Tor network. Glad to see access was finally restored. Was there an attack?

I could really use a way to periodically backup my posts to my local disk so if Tor is spontaneously blocked again I at least have my history. I’ve not found a Lemmy equivalent for Mastodon Archive.

(edit) For security, it would be a good idea to setup an onion instance. The Tor network has built-in DDoS protection for onion hosts.

I installed the Aria2 app from f-droid. I just want to take a list of URLs of files to download and feed it to something that does the work. That’s what Aria2c does on the PC. The phone app is a strange beast and it’s poorly described & documented. When I launch it, it requires creating a profile. This profile wants an address. It’s alienating as fuck. I have a long list of URLs to fetch, not just one. In digging around, I see sparse vague mention of an “Aria server”. I don’t have an aria server and don’t want one. Is the address it demands under the “connection” tab supposed to lead to a server?

The readme.md is useless:

https://github.com/devgianlu/Aria2App

The app points to this link which has no navigation chain:

https://github.com/devgianlu/Aria2App/wiki/Create-a-profile

Following the link at the bottom of the page superfically seems like it could have useful info:

“To understand how DirectDownload work and how to set it up go here.”

but clicking /here/ leads to a dead page. I believe the correct link is this one. But on that page, this so-called “direct download” is not direct in the slightest. It talks about setting up a server and running python scripts. WTF.. why do I need a server? I don’t want a server. I want a direct download in the true sense of the word direct.

These are Lemmy instances with a “Sign Up” link which present you with a form to fill out to register. Then after you fill out the form and supply information like email address to the server, they respond with “registration closed”:

• lemmy.escapebigtech.info (dead node now, but got instant reg. closed msg when they were alive)
• expats.zone
• hackertalks.com
• lemmie.be
• lemmy.killtime.online
• lemmy.kmoneyserver.com
• lemmy.sarcasticdeveloper.com
• level-up.zone
• zoo.splitlinux.org

I suppose it’s unlikely to be malice considering how many there are. It’s likely a case of shitty software design. There should be a toggle for open/closed registration and when it’s closed there should be no “Sign Up” button in the first place. And if someone visits the registration URL despite a lack of Sign Up link, it should show a reg. closed announcement.

Guess it’s worth mentioning there are some instances that accept your application for review (often with interview field) but then either let your application rot (“pending application” forever) or they silently reject it (you only discover non-acceptance when you make a login attempt and either get “login failed” or even more rudely it just re-renders the login form with no msg). These nodes fall into the selective non-acceptance category:

• lemmy.cringecollective.io
• lemmy.techtriage.guru
• lemmy.hacktheplanet.be (pretends to send confirmation email then silently neglects to)
• links.esq.social
• dubvee.org

To be fair, I use a disposable email address which could be a reason the 5 above to reject my application. And if they did give a reason via email, I would not see it. Not sure if that’s happening but that’s also a case of bad software. That is, when a login attempt is made, the server could present the rationale for refusal. Another software defect would be failing to instantly reject an unacceptible email address.

Utility companies, telecoms, and banks all want consumers to register on their website so they do not have to send paper invoices via snail mail. When I started the registration process, the first demand was for an e-mail address.

Is that really necessary? They would probably argue that they need to send notifications that a new invoice has been prepared. I would argue that e-mail should be optional because:

• They could send SMS notifications instead, if a data subject would prefer that.
• They need not send any notification at all, in fact. Reminders is why calendars and alarm clocks exist. A consumer can login and fetch their invoice on a schedule. If a consumer neglects to login during a certain window of time, the data controller could send a paper invoice (which is what they must do for offline customers anyway).

They might argue that they need an email for password resets. But we could argue that SMS or paper mail can serve that purpose as well.

Does anyone see any holes in my legal theory? Any justification for obligatory email address disclosure that I am missing?

Yikes. As some Tor users may know, the UN drafted the Unified Declaration of Human Rights, which in principle calls for privacy respect and inclusion. That same UN blocks the Tor community from their website. Indeed, being denied access to the text that embodies our human rights is rich in irony.

Well that same UN plans to create a “Global Digital Compact” to protect digital human rights. It’s a good idea, but wow, they just don’t have their shit together. I have so little confidence that they can grasp the problems they are hoping to solve. Cloudflare probably isn’t the least bit worried. Competence prevailing, Cloudflare should be worried, theoretically, but the UN doesn’t have the competence to even know who Cloudflare is.

I created a whitelist access profile. That ensures that the whole WAN is blocked except what is exceptionally whitelisted. I started with an empty whitelist. The LAN is rightfully accessible and the WAN is rightfully inaccessible.

The router does not use DSL. Instead, it uses a USB mobile broadband LTE modem. The modem has its own website which gives SMS capability. The modem is technically upstream to the router, so it is blocked when the WAN blocking profile is enabled. I want to whitelist the modem so that when I am blocking WAN access I can still reach the web UI of the modem and monitor SMS msgs.

Fritzbox is designed so that all attempts to directly access an IP is blocked if whitelisting is in play. IP addresses cannot be whitelisted, only URLs using FQDNs. So I did “nslookup 10.10.50.8” to get the hostname of the modem. Then I whitelisted the hostname. That does not work. The modem is still blocked.

BBC World Service was covering the US elections and gave a brief blurb to inform non-US listeners on the basic differences between republicans and democrats. They essentially said something like:

Democrats prefer a big government with a tax-and-spend culture while republicans favor minimal governance with running on a lean budget, less spending¹

That’s technically accurate enough but it seemed to reflect a right-wing bias that seems inconsistent with BBC World Service. I wouldn’t be listening to BBC if they were anything like Fox News (read: faux news). The BBC could have just as well phrased it this way:

“Democrats prefer a government that is financed well enough to ensure protection of human rights…”

It’s the same narrative but expressed with dignity. When they are speaking on behalf of a political party it’s an attack on their dignity and character to fixate on a side-effect rather than the goal and intent. A big tax-and-spend gov is not a goal of dems, it’s a means to achieve protection of human rights. It’s a means that has no effective alternative.

① Paraphrasing from what I heard over the air -- it’s not an exact quote

#BBC #BBCWorldService