
Microsoft .NET SDK is violating the GDPR, object now - dgl
https://dgl.cx/2020/08/dotnet-sdk-gdpr
======
manyxcxi
For a client we added support for some synonymous Azure services to the AWS
ones we use and I’ll be honest, the amount of garbage the Azure SDK created in
our JVM codebase was quite annoying.

Now, I fully understand a Java SDK isn’t going to get quite the same love as
their bread and butter, but everything about their Java SDK feels like, just
copy the .NET SDK and make it work in Java.

I assumed the telemetry traces (or attempted traces) I was seeing, even with
every configurable telemetry config flag EXPLICITLY set to disabled was just
more of their bad choices of log levels, leaky internal log messages, and just
generally not doing things “the Java way”.

Now I’m starting to wonder if there’s just flat out no way to turn all the
telemetry off. Originally we built with the AWS and Azure SDKs and the cloud
providers were configurable at run time. I was getting so annoyed with the
garbage that MSFT was leaving in our logs even when disabled and running in
AWS that we eventually bifurcated our build and re-organized the project.

We spent about a week adding abstractions we previously didn’t need, and
another week testing, for what we were assuming was just an annoyance. Turns
out maybe we were doing our other clients a solid and didn’t even know it.

~~~
aliswe
Could you elaborate on your first point? What kind of stuff was added?

------
x0x0
The author doesn't understand GDPR.

The GDPR governs consent for processing of _personal data_. Generally,
anonymized data is not personal.

The author attacks the anonymization method, but that is a thin branch to
stand on. In particular, given how GDPR is very much about usage, Microsoft
helps substantiate their anonymization simply by not attempting to
deanonymize.

See e.g. Art. 7,

> _Where processing is based on consent, the controller shall be able to
> demonstrate that the data subject has consented to processing of his or her
> personal data._

And Recital 26

> _The principles of data protection should therefore not apply to anonymous
> information, namely information which does not relate to an identified or
> identifiable natural person or to personal data rendered anonymous in such a
> manner that the data subject is not or no longer identifiable._

~~~
user5994461
It's personal data, they collect the MAC address and can search by MAC
address.

That's literally an identifier to identify any computer on the planet. That's
quite personal and traceable really.

~~~
lacker
No, read the description. To be personal data for the purposes of the GDPR, it
must be related to an identifiable natural person (i.e. not a corporation). I
don’t see how Microsoft could relate a MAC address to a natural person.

~~~
user5994461
The MAC address uniquely identifies a computer/laptop on the planet, that
belongs to a person. It is as personal an identifier as it gets ;)

------
OnlyOneCannolo
Who enforces GDPR? Can you file a formal complaint, or do you just have to
complain about it on the internet and hope that the offender complies?

~~~
notRobot
Countries within the EU have their own regulators. For instance, France has
the National Data Protection Commission (CNIL).

~~~
naruciakk
There is nonetheless the European private data protection office as well.

