Stop Breaking TLS

(www.markround.com)
170 points todsacerdoti | 3 comments
samuel ◴[] No.46215799[source]
I agree with the sentiment, but I think it's a pretty naive view of the issue. Companies will want all info they can in case some of their workers do something illegal-inappropriate to deflect the blame. That's a much more palpable risk than "local CA certificates being compromised" or something like that.

And some of the arguments are just very easily dismissed. You don't want your employer to see your medical records? Why were you browsing them during work hours and using your employer's device in the first place?

replies(3): >>46215855 #>>46216169 #>>46216703 #
immibis ◴[] No.46215855[source]
In Europe they prefer not to go to jail for privacy violations. It turns out most of these "communist" regulations are actually pretty great.
replies(1): >>46215994 #
johncolanduoni ◴[] No.46215994[source]
Does GDPR (or similar) establish privacy rights to an employee’s use of a company-owned machine against snooping by their employer? Honest question, I hadn’t heard of that angle. Can employers not install EDR on company-owned machines for EU employees?
replies(5): >>46216082 #>>46216180 #>>46216380 #>>46216557 #>>46218221 #
Msurrow ◴[] No.46216380[source]
Yes. GDPR covers all handling of PII that a company does. And it's sort of default deny, meaning that a company is not allowed to handle (process and/or store) your data UNLESS it has a reason that makes it legal. This is where it becomes more blurry: figuring out if the company has a valid reason. Some are simple, e.g. if required by law => valid reason.

GDPR does not care how the data got “in the hands of” the company; the same rules apply. Another important thing is the principles of GDPR. They sort of underline everything. One principle to consider here is that of data minimization. This basically means that IF you have a valid reason to handle an individual's PII, you must limit the data points you handle to exactly what you need and not more.

So - company proxy breaking TLS and logging everything? Well, the company has valid reason to handle some employee data obviously. But if I use my work laptop to access private health records, then that is very much outside the scope of what my company is allowed to handle. And logging (storing) my health data without valid reason is not GDPR compliant.

Could the company fire me for doing private stuff on a work laptop? Yes probably. Does it matter in terms of GDPR? Nope.

Edit: Also, “automatic” or “implicit” consent is not valid. So the company cannot say something like “if you access private info on your work PC then you automatically consent to $company handling your data”. All consent must be specific, explicit and retractable.

replies(1): >>46216537 #
johncolanduoni ◴[] No.46216537[source]
What if your employer says “don’t access your health records on our machine”? If you put private health information in your Twitter bio, Twitter is not obligated to suddenly treat it as if they were collecting private health information. Otherwise every single user-provided field would be maximally radioactive under GDPR.
replies(3): >>46216618 #>>46218243 #>>46222987 #
1. immibis ◴[] No.46218243[source]
Many programmers tend to treat the legal system as if it was a computer program: if(form.is_public && form.contains(private_health_records)) move(form.owner, get_nearest_jail()); - but this is not how the legal system actually works. Not even in excessively-bureaucratic-and-wording-of-rules-based Germany.
replies(1): >>46222388 #
2. johncolanduoni ◴[] No.46222388[source]
Yeah, that’s my point. I don’t understand why the fact that you could access a bunch of personal data via your work laptop in express violation of the laptop owner’s wishes would mean that your company has the same responsibilities to protect it that your doctor’s office does. That’s definitely not how it works in general.
replies(1): >>46222952 #
3. immibis ◴[] No.46222952[source]
The legal default assumption seems to be that you can use your work laptop for personal things that don't interfere with your work. Because that's a normal thing people do.