It’s also to check if something works. I recently added something new and while I cannot and will not track any personally identifying information, I still need some data if people go through the whole process alright. That covers legitimate interest. It’s the minimum data I collect and it gets wiped after some time.
An IP address is not "personally identifiable data". You cannot know who the person is just because you got an IP address in the request.
We are almost 10 years into the GDPR, and we still have these gross misunderstandings about how to interpret it. Meanwhile, it has done nothing to stop companies from tracking people and for AI scrapers to run around. If this is not a perfect example of Regulatory Capture in action, I don't know what is.
- they don't care about the cookies they are setting on their properties, if most of the functionality they have requires you to be authenticated anyway.
- These "smaller websites" are exactly the ones more likely than not to be Google's and Facebook's largest source of data, because these sites are the ones using Google Analytics/Meta Pixel/etc.
This is not my experience at all with Facebook. Since six months ago or so, Facebook is saying my three options are to pay them a subscription, accept tracking, or not use their products. I went with option three, but my reading of the GDPR is that it's illegal for them to ask me to make this choice.
I'm in Spain, this is probably not the same worldwide.
The "Reject all" does not in fact reject all. They are taking extreme liberties with the "legitimate interest" clause to effectively do all tracking and analytics under it.
The YouTube consent screen for example includes this as a mandatory item:
> Measure audience engagement and site statistics to understand how our services are used and enhance the quality of those services
I don't believe this complies with the GDPR to have this mandatory.
IP address is considered personal data and can be considered personally identifiable data in some circumstances, for example if you can geolocate someone to a small area using it.
> An IP address is not "personally identifiable data".
GDPR says it is [1][2].
> We are almost 10 years into the GDPR, and we still have these gross misunderstandings
Because people would rather smugly and confidently post about their gross misunderstandings. If only there was some place to read about this and learn. I’ll give you the money shot to save 10 more years:
> Fortunately, the GDPR provides several examples in Recital 30 that include:
> Internet protocol (IP) addresses;
From Recital 30:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses
When an IP address is linked to any other data, then it counts as PII. By itself, it's not.
So, sure, if you stick the user's IP address on a cookie from a third-party service, you are sharing PII. But this is absolutely not the same as saying "you need to claim legitimate interest to serve anything, because you will need their IP address".
An IP address linked with the website being accessed is already PII.
When serving content, you're by necessity linking it to a website that's being accessed.
For example, if grindr.com had a display in their offices that showed the IP address of the request that's currently being handled, that's not saving or publishing or linking the data, but it's still obvious PII.
IPs are PII even before you inevitably link them to something in your logs. If you can make a case that you absolutely don’t store them anywhere, they’re just transiently handled by your network card, maybe you get away with it but only because someone else along the stream covers this for you (your hosting provider, your ISP, etc.)
Source: I have been cursed to work on too many Data Protection Impact Assessments, and Records of Processing Activities together with actual lawyers.
Basically we are in agreement: IP addresses, by themselves, are not PII, only when they are linked to other information (a cookie, a request log) then it constitutes processing.
So, apologies if I was not precise in my comment, but I still stand by the idea: you don't need a consent screen that says "we collect your IP address", if that's all you do.
Not really, no. I don’t think I can make it more clear than I, or the law, already did: IPs are PII no matter what. Period. It’s literally spelled out in the law.
The misconception is that you need explicit consent for any kind of processing of PII. That is not the case. The law gives you alternatives to consent, if you can justify them. Some will confuse this with “must mean IPs aren’t PII”, which is not the case.
Germany does actually have station fees. And DB isn't the only operator. The RRX trains, one of which OP talked about, are operated by DB and National Express, ordered by the RRX group comprised of VRR, go.Rheinland, NWL, SPNV-Nord and NVV, running on tracks and stations by DB InfraGO.
> Small neural networks I believe are the current state of the art (e.g. train to reverse a 16x16 color filter pattern for the given camera). What is currently in use by modern digital cameras is all trade secret stuff.
Considering you usually shoot RAW, and debayer and process in post, the camera hasn't done any of that.
It's only smartphones that might be doing internal AI Debayering, but they're already hallucinating most of the image anyway.
Sure - if you don't want to do demosaicing on the camera, that's fine. It doesn't mean there is not an algorithm there as an option.
If you care about trying to get an image that is as accurate as possible to the scene, then it is well within your interest to use a Convolutional Neural Network based algorithm, since these are amongst the highest performing in terms of measured PSNR (which is what nearly all demosaicing algorithms in academia are measured on). You are maybe thinking of generative AI?
At least in broadcast/cinema, no one uses CNN for debayering, because why would you?
In cinema, you just use a 6K sensor and use conventional debayering for a perfect 4K image. Even the $2000 Sony FX-30 ships with that feature nowadays. Combined with a good optical low pass filter, that'll also avoid any and all moiré noise.
In broadcast, if you worry about moiré noise or debayering quality, you just buy a Sony Z750 with a three-chip prism design, which avoids the problem entirely by just having three separate full-resolution sensors.
Yes, people usually shoot RAW (anyone spending this much on a camera knows better) - but these cameras default to JPEG and often have dual-capture (RAW+JPEG) modes.
To be clear, they default to JPEG for the image preview on the monitor (LCD screen). Whenever viewing an image on a professional camera, you’re always seeing the resulting JPEG image.
The underlying data is always captured as a RAW file, and only discarded if you’ve configured the camera to only store the JPEG image (discarding the original RAW file after processing).
> Whenever viewing an image on a professional camera
Viewing any preview image on any camera implies a debayered version: who says it is JPEG-encoded - why would it need to be? Every time I browse my SD card full of persisted RAWs, is the camera unnecessarily converting to JPEG just to convert it back to bitmap display data?
> The underlying data is always captured as a RAW file, and only discarded if you’ve configured the camera to only store the JPEG image (discarding the original RAW file after processing).
Retaining only JPEG is the default configuration on all current-generation Sony and Canon mirrorless cameras: you have to go out of your way to persist RAW.
Even my doctor's office and local government agencies support PGP encrypted emails, and refuse to send personal data via unencrypted email, but tech nerds still claim no one can use it?
No? With Let's Encrypt the certificate is rotated, but the private key remains the same, and importantly, Let's Encrypt never gets to see it, and anything is logged.
I said “typically” because Let’s Encrypt doesn’t control key rotation: the issuance managing client (like Certbot) does.
But AFAICT, Certbot has rotated private keys automatically on reissuance since at least 2016[1]. There’s no reason not to in a fully automated scheme. I would expect all of the other major issuing clients to do the same.
That's because you're using planned economy principles for your cities.
Remove all zoning but for industrial zoning, and remove prop 13, like it is in most of Europe, and the invisible hand of the market will transform most cities into medium-density mixed-use like in Europe, though in your case likely accomplished with 5-over-1s instead.
And with increased density, maybe you'd even have space for some public parks again.
Part of being CEO/running a business is considering all options, but it doesn't mean it will ever move beyond the ROI/risk phase. Ever read one of the risk assessments in a company's public filings? It's the same thing.
All options that are in line with the organization’s mission.
The CEO of an organization like Mozilla even considering blocking adblockers for profit is like the president of Amnesty International considering to sell lists of dissidents to the secret police.
> The CEO of an organization like Mozilla even considering blocking adblockers for profit is like the president of Amnesty International considering to sell lists of dissidents to the secret police.
No, for Amnesty International it would be more like not considering somebody a political prisoner because the country that took the prisoner is a 1st world country and they don't want to expose themselves on a matter that would risk the donations from a certain population.
Yes, that happened in the aftermath of the Catalan attempt at peaceful independence in October 2017 by Amnesty International Spain.
Yes, the problem is that it is considered an option at all. Are they running ROIs on harvesting passwords, blackmailing users and infecting all clients with malware?
It's not hard to imagine the last default search contract negotiation had Google go "we'll give you $x if you kill manifest v2, $x-$150 million if you don't."
For it to be considered, somebody must have offered to pay that 150M. Or he considered going to somebody (we all know that somebody is Google) and asking them for that money in return for killing ad blockers.
> You wouldn't calculate the expected RoI of killing adblockers if killing adblockers was never considered.
I agree, although if someone isn't the kind of person who would calculate that, they're probably not the person who will become the CEO of a company that size in the first place. I don't think organizations have the right incentives in place to push people with those values to the top.
You wouldn't calculate a figure and publish it as the first step in any reasonable price negotiation. Any pricing you mention publicly would be double or triple the number you are willing to accept. By the time you are talking publicly about realistic numbers you are well into the private negotiations.
I agree with all the people saying it would drive a lot of the remaining users away, and I hope they don't do it. But I'm not remotely surprised that they considered following what their biggest competitor (Chrome) already did.
Because Chrome was built by the world's biggest advertising company. If the World Wildlife Fund started selling ivory to pay the bills, would that not be surprising?
That analogy doesn't really work, though: Mozilla's goal is not specifically to fight against online advertising. Ad-blocking is connected to their goals, definitely, but they clearly have to make compromises, and I'm not that surprised that they'd think about that one.
Why? They have ample free cashflow. They haven't had money problems in 10 years. If they're worried about Google withdrawing support they should save money in an endowment, not do things to help Google.
Legitimate interest is for example a website using your IP to send you the necessary TCP/IP packets with the website's content upon request.
Many websites use the term "legitimate interest" misleadingly (or even fraudulently), but that's not how GDPR defines it.