togus commented on Find every domain someone owns automatically   securitytrails.com/blog/f... · Posted by u/tzury
heinrich5991 · 8 years ago
> one could argue that they (security trails) don't have to remove the data.

It doesn't work that way. The "right to be forgotten" can be used to remove search results from Google, even if the original content stays up.

togus · 8 years ago
Interesting! From a quick Google, the following Wikipedia citation seems to be what you are referring to: Grounds for removal include cases where the search result(s) "appear to be inadequate, irrelevant or no longer relevant or excessive in the light of the time that had elapsed."[1]

Under GDPR, Security trails (company or person that operates it) could be classified as a "Data controller" [2] and then would of course be liable to delete information gathered about a person upon request and when the data is deemed to be "inadequate, irrelevant or no longer relevant or excessive". So for example, John Doe wants to remove the historic information that he used to own porn.com which he doesn't anymore.

However, I do not think it's clear that you have to delete the data for the current owner of porn.com due to his or her need for privacy as long as they have collected the information lawfully.

As actual advice to the people at security trails, I would recommend they put up clear instructions on how to request a data erasure from their database. Like "Email erasure@securitytrails.com to request removal of your personal information" and what information they need to delete it.

[1] https://en.wikipedia.org/wiki/Google_Spain_v_AEPD_and_Mario_...

[2] https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

Edit: formatting

togus commented on Find every domain someone owns automatically   securitytrails.com/blog/f... · Posted by u/tzury
toomuchtodo · 8 years ago
How do you plan on handling the EU’s “right to be forgotten” (it’s pretty straightforward to make the argument you’re a search engine) and other components of the GDPR?

togus · 8 years ago
"The right to erasure" is not an absolute right for anyone to get all their data deleted. If the data owner (read: the registrars) still has a legal right to collect and maintain the data publicly, and it has not been revoked, one could argue that they (security trails) don't have to remove the data.

It's my understanding that the registrars are the ones with the burden here. They need to inform everyone of the data erasure and/or data updates on private information. Fun times when you have public information for anyone to gather on the internet. It could be that there are exemptions for these kinds of services, I do not know, but would the exemption not also include the services that aggregate/collect historic information as well?

Disclaimer: I am not a lawyer. I am not well versed in GDPR. Anyone finding this interesting should go read up on GDPR.

togus commented on LinkedIn is now officially blocked in Russia   techcrunch.com/2016/11/17... · Posted by u/DyslexicAtheist
tobltobs · 9 years ago
I didn't know about these crazy new regulatory requirements until now. Quoting from an article [1] describing the new law:

> “When collecting personal data, including through information and the internet telecommunications network, the operator is required to provide a record that the systematization, accumulation, storage, updating and retrieval of personal data of citizens of the Russian Federation, is held on databases located in the territory of the Russian Federation.”

I could imagine that complying with this regulation won't be worthwhile for most companies.

Edit: The interesting thing is, that the law seems not to forbid to store the data outside of Russia, it "just" dictates that the data has to be stored in Russia also.

[1] https://techcrunch.com/2014/07/02/russia-moves-to-ban-online...

togus · 9 years ago
> The interesting thing is, that the law seems not to forbid to store the data outside of Russia, it "just" dictates that the data has to be stored in Russia also.

Correct! I was on a team trying to architect a solution for this and the requirements were really diffuse. We ended up doing a DB "replication" (via triggers) to a Russian cloud provider after the data had been committed in a European data center. The lawyers signed off on it but there were no clear guidelines from the Ministry of Communication (http://minsvyaz.ru/) on what was OK from a tech implementation view.

However, I feel that the best solution for solving it was to have all Russian traffic routed through something like a reverse web proxy which would first write the data to servers located in Russia or fail the request.

u/togus

Karma: 18 · Cake day: October 2, 2016
About
Swedish tech guy trying this startup thingie...