124 comments

[ 3.4 ms ] story [ 192 ms ] thread
> The watchdog also wanted to avoid bankrupting the company. "The overall financial burden on the company was taken into account in addition to other circumstances," the authority noted.

Anyone bashing the GDPR for being too hostile towards startups and smaller businesses should read this. Looks like the fine was almost a bit too low in this case...

On the other hand, they could have bankrupted them if they wanted to. Do we really want the government to have that much say in whether businesses live or die?
It's a worthwhile question, but remember that the alternative is companies that aren't accountable to anyone, and which are cavalier with their users' security.
They are accountable to their users. If a company is negligent with user data and their customers actually do care about this issue, this company will either eventually improve or go out of business. And if customers don't deem this important, it's not a government's role to decide it is.

To be clear, I'm not arguing for no control at all. However, fines should not be so egregious that it ends up being up to bureaucrats to decide whether a company lives or dies. This will easily lead to selective enforcement and corruption.

> If a company is negligent with user data and their customers actually do care about this issue, this company will either eventually improve or go out of business.

I think we've seen enough of how this theory works in practice (or how it doesn't) to be able to say that there is absolutely no good reason to rely on it.

1. The problem is that most population is terribly poor at defining and managing risk, by biological design and social selection - those who are good at it are usually not the best neighbors you want to have.

2. In many businesses, the actual customers are not the end-users, whose data is leaked (all the nice free services you're getting over this invisible thing called internet), they are the merchandise business is selling to somebody else (ads, etc.).

3. There are two ways of coping with this:

3.1 darwinian, where stupid users who choose to hand their data to dumb businesses all jump off the cliff holding hands

3.2 paternalistic, where we elect somebody competent to make choices for the rest of the community, which would prevent people's poor judgment to both hand data to insecure businesses and for businesses to be insecure in the first place.

4. We tried darwinian one since the day 1 in many fields. Reverting it comes at cost (antibiotics would be one good example to think of).

That's assuming the company explains in enough detail how it secures its product for consumers to tell the difference. More likely is that company A has a breach, and consumers who care about security move to company B, which is just as insecure but hasn't recently been hit by the risk realisation bat.
It also requires the end users understanding the downstream consequences of multiple breaches of various online services over time.

Even on breach could result in real damage to an individual, but that risk increases as more of that individuals data can be collated.

Take this argument over to Facebook. How many breaches of trust have happened over the past year? Have they improved? Not a bit. If anything, they are becoming worse.
> If a company is negligent with user data and their customers actually do care about this issue, this company will either eventually improve or go out of business.

1. Knuddels is largely targeting minors

2. its customers are other companies not its users

3. in the real world there are externalities (like the network effect)

That is not even theoretically valid. Even if customer care, customer has no way to review security. Moreover, companies lie a lot about their systems security. All systems totally secure and there were no succesfull attacks until laws about mandatory announcements came around.

It is only after publicly known exploit that small customer can know about issue.

So you are saying, if a company negligently loses some important data about me; lets say enough to create a fake identity or access my medical records, my only recourse should be to stop using them?

How does that work in a case like Equifax?

Replace "user data" with "toxic waste." Does it still work? History seems to indicate that it doesn't. Why would this be different?
> Do we really want the government to have that much say in whether businesses live or die?

Frankly, yes.

By that logic, governments shouldn't be able to impose meaningful punishments on any business.
My point is that it should not be discretionary. Either apply the law universally (without taking the viability of the company into account), or lower the fines to a meaningful level.
> My point is that it should not be discretionary.

Right. But that won't work.

We set the fines at say, 20% of the business.

So a 'mom and pop' firm breaks it, gets reported. Ok, now they're out say, 20,000 EUR (scale to whatever is appropriate in your country for a small company).

Then a big business breaks it for maybe, gets reported. Ok, now they're out $35.57bn.

These might indeed be acceptable amounts. Now imagine that for example, instead of having a fair number of people affected, it is just two people. Or three people. And perhaps in this instance the people involved were only marginally affected by it, perhaps at worst they would have lost a couple of hundred $currency.

Technically speaking, the companies still broke the law, but suddenly perhaps the punishment does not quite fit the crime!

So you want them to bankrupt small companies while letting large companies getting away with not even a slap on the wrists? That seems strange. The law as written has leeway in the amount to make it more fair than it would be if you applied it universally.
So if Amazon were caught doing this they should be fined €20k too?
One would assume the same care would be taken not to drive Amazon out of business, but considering the difference in size of the two businesses, the fine would most likely be much larger.
There is discretion in the application of almost all laws. The law is not computer code, it must be interpreted and applied.
That's not how the law operates in basically any jurisdiction. If we allow discretion in punishment for things like murder, why not this? If you think discretion should be removed from all law then that could be a sensible argument, but it's a tough one to make and the GDPR is probably not the place to start with it.
(comment deleted)
Except that fundamentally biases the law towards a certain size of business.

Universally large fines would threaten small businesses while reasonably charging large businesses. Universally small fines would potentially be reasonable for small businesses, but would be negligible for large businesses.

Why shouldn't it be tailored to the company's size/viability?

Yes, society at large should shut down businesses in the same sense that we jail individuals who act improperly
If your business operates outside of the law of course it should be shutdown. I think fines are a good way to cause compliance without causing more harm than necessary.

Are you advocating government not be able to influence businesses to comply with the law at all?

GDPR is actually a very well thought through piece of legislation and I've implemented compliant systems: best rule of thumb I heard - treat peoples personal information as if it is credit card data and you will comply in a fairly straight forward way.

One problem is that the law significantly changed right under their noses. I don't think that they have either a significant development team/effort for their platform, nor a very good revenue. It's basically a very old chat platform I used about 15 years ago...
> law significantly changed right under their noses.

You mean two years to comply before it went into effect. + over 10 years of similar local laws.

"right under their noses" my ass

Ah, the old a-planet-full-of-media-attention variety of right under their noses.
Even if it had changed right under their noses, that would still be OK in my book. The Lawmakers are elected by the people (somewhat -- the EU could be more democratic, but that's a different topic), and they should therefore be able to change the laws on the behalf of the people.
That would have been a reasonable argument if they were found to have been using something like DES-based crypt(3) to hash their passwords. But they didn't, they were just plain text.
Even setting aside the years they had to become compliant, it still wasn't a good idea to store passwords in plain text before GDPR.
Regardless of the law, it's completely irresponsible to store passwords in plaintext, and it's been widely considered so for decades - the company's behavior here is inexcusable, and I really can't understand why anyone would try to defend it.
> treat peoples personal information as if it is credit card data and you will comply in a fairly straight forward way

Yet so many business use third parties to avoid to deal with storing credit card data....

The IP is considered a PII too.

> Do we really want the government to have that much say in whether businesses live or die?

The company broke the law in a way that could have potentially harmed* individuals (passwords are critical secrets, many users do not have more than one, and so could lose their entire identity and maybe several years worth of funds. Sure, you can say that is the fault of the user, but there is the assumption of security here that was given by the company and not fulfilled).

If you rent a deposit box at a bank, with the assumption of safety, and it turns out they leave all the doors unlocked, don't hire guards, and someone came in and stole everyone's things and took them to the market, then closure of the bank is absolutely deserved.

Conversely, if a prison gives the assumption of security, but doesn't hire guards, or bother locking cells, and all the inmates walk out and some people are killed, does the prison deserve to go bankrupt?

These examples are exaggerated, yes, but roughly similar in circumstance. Hopefully enough to show that, yes, there are circumstances in which we want the government to have that hold over companies.

Now, do we want governments to have restraint? Sure. But it seems clear to me that they very openly are acting in restraint in this case. 20k EUR is a pittance to what was potentially lost by the people involved in the breach.

* - (Indeed, in America and a few other countries with weak to non-existent social welfare nets, loss of identity and money is likely to lead to homelessness and eventual death for the person, if they do not have family to rely on).

> If you rent a deposit box at a bank, with the assumption of safety, and it turns out they leave all the doors unlocked, don't hire guards, and someone came in and stole everyone's things and took them to the market, then closure of the bank is absolutely deserved.

OK, but I don't think any government action to close the bank would be necessary in that case.

So how does giving the government a say help?

In that example the goods stolen are tangible and have real, solid value that anybody can recognize.

In the case of things covered by GDPR the value is opaque and intangible, and only valuable to certain people. Letting 'the free hand of the market, driven by the layman who doesn't understand this, is not effective.

If you want proof, well, it's in the pudding.

Edit: also, if banks wheew getting knocked over as much as sites and apps, the government would intervene

I have yet to see a person against regulation that didn't run screaming for the authorities as soon as they were tricked, swindled, defrauded, abused by some company because no regulation was put in place.

Most recent cases that come to mind are Bitcoin thefts. "The government shouldn't do anything to regulate or even look in the general direction of Bitcoin". Oh, the exchange left your pockets empty? "The Police and the government should do something!"

Companies aren't scared of consumers because as a mass they have no idea what's good for them or how to protect themselves. Without a watchdog we'd all just be open for abuse with no leverage to stop it. Companies are far more motivated and capable to abuse you than you are to defend yourself.

It's not the same situation because in the case of a bank the risk is obvious to anyone, but it's might be hard for non-tech users of a chat app to understand the dangers of unencrypted passwords. It's the same like regulating the other industries, say layman can't assess how good lawyer or civil engineer someone is, so government requires them to have certain education and licenses or they can't work. We will need something like that sooner or later in IT because there's simply too much amateurism in industry now, where everyone and their mother has a startup these days and people with no proper experience and knowledge are trying to handle often very sensitive things. Just look at crypto-market and all those hacked sites - not hacked because hackers are evil geniuses, but because programmers who built them suck at their job... and market can't regulate it itself because the demand is so damn high
> ...passwords are critical secrets, many users do not have more than one, and so could lose their entire identity and maybe several years worth of funds. Sure, you can say that is the fault of the user, but there is the assumption of security here that was given by the company and not fulfilled...

I have so little sympathy for this position that despite generally having been pro-GDPR I no longer can support it if it is going to be used to encourage users to do something fundamentally stupid :/. The reality is that if we are going to make users think using one password is somehow ok then we need to be using authentication protocols that don't involve sending that password to a server in the first place: this is 2018, and challenge response takes like an hour to implement; the idea that sending a critical password to someone in the hope that they immediately hash it and store it is something that is somehow protected is insane.

I have little sympathy for the position that users just need to be not stupid and do things differently like they have been told to do for the last 20 years and yet have never done.
...but what they are doing will never actually be secure no matter how hard we all cover our ears and scream into the void so we don't hear it when they keep getting screwed over and over again. We can't actually make that secure no matter how many passwords we hash, we can only attempt to mitigate some fraction of the eventual carnage.

What we need to be doing is spending our time either on a massive education campaign or on technological solutions (like challenge response passwords, which HTTP never added even while every other old protocol was carefully adapting to get this right), not entrenching the position that users should be allowed to do the thing that will never ever ever be secure by putting up laws that somehow make it look sane.

The point here isn't "shame on the users": the point here is "shame on developers and lawmakers for working against users by encouraging them to do this horribly insecure thing rather than doing something sane". Seriously: how about we instead make a law (with a GDRP-like lead up of multiple years to "get ready for it") which says that "handling passwords at all isn't legal, even in transit (whether on a third-party SSL termination service or on your own servers)", and lets see how many mere hours it suddenly takes the Chrome/Firefox teams to come up with a real solution to this problem?

That's a really weak argument.

The fact that users do insecure things—and that real-world systems need to be designed to deal with that fact—is orthogonal to the idea that we should be making things more secure as well. Yes – security is broken and we need to fix it. The way to do that is emphatically not to pretend that it's already fixed.

The problem is that this does pretend it is "already fixed": the attitude that we have legal mechanisms in place to try to make "users do this thing that will never ever ever actually be secure" somehow legally protected means that people think it should be ok and keep doing it.

I mean, seriously: why would the law make it so illegal to allow passwords to be dumped, with technical people coming out saying "these passwords might protect something really important as the user is using the same password on more than one thing", if that wasn't at all how you were supposed to use passwords?

Imagine if the opposite were the case: if banks were not liable for any money lost by a user if it could be shown that the user was using their banking password for any other service. That would be a very different conceptualization of the risks and how passwords work, and frankly "fits reality" better than what people seem to want out of this situation (which is the exact opposite of that) :(.

If you don't want to claim that the issue is "already fixed" by "a bunch of websites that know what they are doing hash passwords and hopefully never have code bugs or people tapping their web servers or employees who can modify the code or debug logs that dump POST requests accessible to anyone or any other number of ways this password could be leaked because you sent it to this company's web server (which quite often might have used some SSL termination from some third party and so who knows how many people have access to your password!)", we might come up with actual solutions (or maybe spend the effort to educate users, as right now I don't know anyone who really tries).

> if banks were not liable for any money lost by a user if it could be shown that the user was using their banking password for any other service.

I believe in some places this is the case.

If you get hacked or use 123456 as password it is not the bank fault. If a service get hacked and the attacker discover your bank password it is not the service fault if they did their due diligence in securing your data.

Implementing challenge response in your javascript that you serf yourself is, for the general public, not much different from trusting them to hash it on the server.
We've only had like, what, two decades to add a feature to a web browser that handles this better than "type your password into this box, rendered by the server and controlled by the server to be sent to the server, in a form where it is given exactly the password"?
Regarding this point a "generate password" on the right click menu would be fantastic in a browser.

most people use the built in password manager anyway

Even if I use a unique strong password, if the chat service stores it in plain text, a hacker can get the pass from the database and login with my identity and cause who know how many problems, having a strong password and unique did not helps me if the service stores it in plain text or some bad hash.
> the government

It's not the government, it's the judiciary. The business can go to court to appeal any fines with the final court being outside the country.

Given the nature of the violation I think bankrupting them would have been perfectly warranted.
> Do we really want the government to have that much say in whether businesses live or die?

GDPR is nothing new in this respect.

In this case yes, I'd be totally fine with them being shut the fuck down.
> Do we really want the government to have that much say in whether businesses live or die?

Sure, because before the GDPR businesses needed to follow no laws and never would have been closed by the government by not following laws and regulations.

Yes, but I suspect it’s a European truth.

There is a fundamental difference between America and Europe, in that Americans distrust their government but trust corporations and the free market. Europe is the exact opposite.

You can agree or disagree our world view, but that doesn’t change the fact that in average, more than 70% of Europeans trust the EU to have their best interests in mind, mich higher for GDPR.

I don’t think it’s really start-up hostile either. I think there is a huge potential for disruption for privacy centric companies.

> Americans distrust their government but trust corporations and the free market

I don't think that's true; that's a common European misinterpretation. I think, in general, Americans trust their government less than they trust corporations, but they are generally distrustful of any entity that wields or appears to wield significant power over them. Exceptions are made for entities that "agree" with a particular person (and these exceptions are not entirely rational).

There's the idea that a corporation has at least some economic incentive to do a decent job and government doesn't since it has zero competition. The classic example to the average person of the government's level of hustle being your local DMV.
Not the "government" the political unit, but the legal system: courts and regulatory bodies.

Turn this statement around. Would you say that no matter what it does, no matter how many crimes are committed or citizens harmed, a business should be able to carry on without interference? That companies should be superior to people - entirely above the law?

(It's not a very big harm in this case, but I don't see anyone arguing that e.g. companies should be able to dump unlimited amounts of toxic waste into rivers any more)

> On the other hand, they could have bankrupted them if they wanted to. Do we really want the government to have that much say in whether businesses live or die?

"The government" have the ability to remove the freedom of people who have erred. In some backwards countries the government even has the ability to execute people.

> Do we really want the government to have that much say in whether businesses live or die?

Businesses that break the law, yes!

Do you really not want your government to be able to fine or even shut down repeat offenders?

> Do we really want the government to have that much say in whether businesses live or die?

I would say "no", but you have to understand that's coming from the perspective of an anarchist.

Rationally, this power pales in comparison to the others that governments already possess. If a state wants a business to fail, it will fail. GDPR has zero impact whatsoever on that.

The maximum penalty is a small percentage of earnings of 1 year. I doubt this will bankrupt any company. There are other laws that can do a lot more damage.

In this case, storing passwords in plain text is equivalent to building cars with defective breaks. Definitely something the government should punish.

jfc, "brakes" not "breaks"
There are polite ways to correct someone's spelling.
Civility hasn't been a thing on HN for quite some time now, especially in any polarized thread. It's terrible, but even the moderators get in on the action by taking sides and burying viewpoints they don't like. This allows the Valley's toxic monoculture to shine through, which leads to rude comments like this one. Notice how that comment wasn't even flagged.
You don't have to swear because of a typo, English is not my first language.

You look much dumber than the person you're correcting by acting like that.

> storing passwords in plain text is equivalent to building cars with defective breaks

This strikes me as hyperbole. Storing passwords in plaintext is a serious security issue, to the point of gross negligence - but the potential harm isn't even in the same ballpark. If your password is compromised and you have poor security practices, you could lose access to online services and perhaps even suffer significant financial loss. If your brakes fail you stand a good chance of death or serious injury.

That's kind of obvious.

Car makers might have a bigger responsibility, but the amount of negligence is the same IMO. Many people recycle passwords, so having a company storing yours in plain text has the potential to ruin someone's life.

4% of global annual turnover, not profit.

If you sell 10,000 pieces of 15 dollar items for 20 dollars, your turnover is 200,000 dollars but your profit is 50,000 dollars because the cost of your investment was 1 50,000 dollars.

4% of the turnover would be 8000, which is suddenly 16% of your profits in this case. Oops.

Then you have to take into account that this is your global turnover. Your one branch in Germany made a mistake and suddenly the whole worldwide company has to pay.

Microsofts turnover last year was a 100B roughly. That could end up being a 4 billion dollar fine. 20 million dollars is peanuts compared to what it could be in the worst case. Hundreds of companies could take a 20m fine and not go bankrupt but a 4% global turnover fine will kill almost any company.

> Anyone bashing the GDPR for being too hostile towards startups and smaller businesses should read this. Looks like the fine was almost a bit too low in this case...

You make it seem like that's supposed to be assuring? Essentially, small companies and startups are left to the whims of bunch of bureaucrats.

The fact that they have to make the fine "almost a bit too low" just shows you what a terrible thing GDPR is.

> Essentially, small companies and startups that break the law are left to the whims of bunch of bureaucrats.

Fixed that for you. There's a way for small companies to avoid this - take your user's data security at least slightly seriously

So sad to see reddit leaking into HN.

> There's a way for small companies to avoid this - take your user's data security at least slightly seriously

No kidding. My point wasn't about that. My point is that the bureaucrats chose not to apply the law - "Looks like the fine was almost a bit too low in this case..."

AKA leaving the fines/punishment to the whims of bureaucrats.

If even the bureaucrats are refusing to enforce the law correctly, it usually implies that there is something wrong with the law.

> If even the bureaucrats are refusing to enforce the law correctly

The law says "up to [that much of a fine]", not "exactly [that much of a fine]".

AKA, "up to the whims of a bureaucrat"? My god the pro-GPDR brigade is running wild.
There are very few punishments in Western democracies not subject to some level of judgement call. Until we've got AIs, questions like "was this deliberate" and "how much non-monetary harm was caused" will require a human (or group of them) to make a call.
And even with the most perfect AIs we should still a lot of human judgement
Any time a decision is made, it's up to the whims of somebody. What you're saying wouldn't make sense even if we had technical means to deterministically decide everything.
> small companies and startups are left to the whims of bunch of bureaucrats

... and they might even have to comply to other laws, too. god forbid. why can't they just make a quick buck without anyone bothering them? ...

The things is, laws aren't whims.

Law shouldn't be applied based on the opinion of some bureaucrats. That's how you get a tiny fine for a big multinational because "they are responsible for too many jobs" or the classical one "their lobby pay me well enough" while the tiny startup get a too big for them fine because, who cares.

Can't we both agree that this fine is WAY too small? Can we both agree that this fine would be WAY too big if it was for a tiny website with a few hundred users?

The idea behind GDPR is amazing, I agree with the concept. What I disagree with is the execution and that fine is the proof that it's pretty badly done.

(comment deleted)
yes, i agree with both of your statements. :) As far as i understood (correct me if i'm wrong pls) the GDPR fines apply to each single violation and depends on the severity of the violation, so having a big range makes kind of sense, IMHO. I don't know if that applies to this case, though.
You have no idea what their financial situation is. Just because the government claims that it won't bankrupt them, doesn't mean that it won't. EU countries tend to have very high tax rates, and they don't seem to think that will have any impact on the well-being of their businesses and citizens either, so their judgment in such matters has been proven to be suspect at best.

You also have absolutely no way of knowing if all countries will attempt to be benevolent data overlords, as Germany appears to have been in this case. My guess is that had this been an American company, the gloves would have come off. There are 28 unique countries subject to GDPR, and each will have their own interpretations and enforcement policies. The only thing that any smaller company knows for sure about GDPR is that they may be fined up to 20M EUR, regardless of their ability to pay. Other than that, both its requirements and its enforcement are entirely up in the air.

It’s a slippery slope when you leave such a wide range to a boards discretion.
Arguments that are presented without evidence can be dismissed without evidence.

It's not a slippery slope.

False in one thing, false in all things.

See I can do it too.

You can't just say "it's a slippery slope" without any evidence or context.

That's not even a statement. Slippery slope to what end? By refusing to spell it out you can claim any interpretation that results in absurdity is a strawman.

"It's a slippery slope" is literally a bullshit statement. It's vague enough to express disapproval without really presenting any argument other than "just don't" yet it has the appearance of sophistication.

Either make an argument or just say you disapprove. Being vaguely ominous doesn't add anything to the conversation.

Here, I'll give you a start: "I think leaving such a wide range to a board's decision is dangerous because...".

Fines can be appealed, so it's not so much of a slippery slope.
Not when they err on the side of making them too low.

Then you get the problem of (hypothetically) “Yeah, BMW compromised everyone’s information ... but we took into account how much our country/state depends on them and gave a slap on the wrist.”

Like the VW case.

Edit: or does the EU allow third parties to sue over too-low fines? That would be a surprise.

Agree. Fucking bury bad actors. What we've been doing hasn't worked.
Well consider it a slap on the fingers with probably a follow up with potentially greater implications?
I really don't know what part of opposing GDPR is disproved by this example. Actually, the one of the points was that it is blurred, and can be applied too arbitrary. The story clearly proves it, even if this time rulers were so merciful.
They should have been fined more than a measly €20k in my opnion. As a developer I'm deeply ashamed that people are still storing user passwords in plain text. There is no reason behind this behaviour what so ever, other than pure laziness ...
Laziness implies you know the right thing to do but don't do it due to the extra effort. I'd put this more likely down to incompetence.
So you think that someone who's capable of building a system like this, has somehow missed the fact that you should store passwords safely? Nah, I don't buy that.
I do. You do an online tutorial, and together with bits of code from Stack Overflow you can tie together APIs, including payment processing APIs relatively easily into what you want. You don't read the documentation, you just google till you get the code you want from SO, so any warnings in there are lost. Your boss is on your back about it and you're on your 4th straight 20 hour day, so you just do whatever to get the result your boss requires.
I'm sure that Orange (Telecom) does that as well for Consumer password. "Technical debt" probably.

(My password was reset by something/someone, as it contained a '*'; when trying to set it anew, 'star' was a forbidden character...)

I find this kind of error the most unsettling, it implies the people writing the authentication system don't trust the underlying ORM/database sanitisation layer (if there even is one!) enough, so to 'play it safe' they manually filter out 'suspicious characters'.

It makes you wonder that if there's a team that isn't as rigorous elsewhere (or a team on which pressure has been applied to accidentally leave in some such 'mistakes') what kind of SQL injection possibilities exist.

I was once doing some SEO work for a client and noticed something similar. Any URL that contained an apostrophe would return a completely blank page. I asked my manager if I could spend a little time investigating that as a security vulnerability that would have been out of scope for the project and within 45 minutes I had a working SQL injection proof of concept that would return credit card details from their order table.

1. They tried to prevent SQL injection attacks by stopping the page from loading instead of properly escaping data.

2. They failed to actually check if parameters had the forbidden characters they were looking for (they checked the URL, instead of the parameters after they were parsed so all it took was URL encoding an apostrophe)

3. They stored credit card details that they should have never recorded in the first place (including CVV code) rather than just storing the transaction ID from Authorize.net

4. They never bothered to archive old order data even though their ecommerce site didn't even have a customer login and they had absolutely no use for old orders after they were complete.

If you spot that kind of incompetence on something inconsequential from a small team, dollars to donuts they're making the same kind of mistakes with far more serious code. And due to the Dunning-Kruger effect, they're probably too incompetent to realize that they shouldn't be touching anything related to i.e. payment processing or authentication.

When the breach was announced, they revealed that they did not store the passwords themselves in plain text, but had a second store that did, so they could prevent users from posting their passwords in chats. [0]

Still stupid, but at least the had good intentions, just bad execution.

[0] https://www.golem.de/news/datenleck-warum-knuddels-seine-pas... (in german)

This just goes to show that badly designed security measures can be worse than no security measures at all.
Huh, that's actually... a decent-sounding intention.

Is there any way to do that in a secure manner? Because a hash says nothing about the length of a password (and you certainly don't want to store the length, which would make the attack space much smaller)... so if passwords are anywhere, say, from 8-64 characters, then for each chat message you'd need to hash every possible consecutive string of characters for every possible window size separately, which if the hash is even remotely computationally intensive could possibly turn into too much -- especially if being done on the server instead of the client (in order not to expose the hash and salt).

Is this just something it's not possible to protect against?

Easiest way is to do it on the client. The client has the plaintext password anyway.
Good point.

But is storing a plaintext password, even on the client, good practice? E.g. in a browser that uses a cookie with something like a session ID to make sure you're logged-in... is storing a plaintext password in localStorage considered a valid security practice? I would have assumed not, although it's certainly not close to as bad as storing it on the server...

if you store plaintext password on the client, you'd be one XSS attack away from potentially having a lot of passwords stolen - best practice is to have password in plaintext for a little as possible (there's some research on not transmitting the password at all but I don't think there's anything widely accepted like bcrypt is for password hashing https://en.wikipedia.org/wiki/Zero-knowledge_password_proof)
You are already one xss attack away from having your session stolen or having your credentials stolen or any number of other bad things. Passwords on the client are fine.
Unless the user uses the same password for other things, which is extremely common.
anything that makes computation less intensive for you also makes it less intensive for a potential malefactor - it's just an inherent tradeoff.

Rather than scan for password being contained in the message, something more reasonable to try would be to check if the whole message is the password since you can just plug that into the normal password hasher and run just one slower hash op

or forbid password from having white spaces and only check at word boundaries
I wonder, though, whether this could also apply to email addresses or usernames themselves. They are, after all, personally identifying information too.
If you want to email someone, you need their email address. There is no way around this. And yes, that means that the business needs to store email addresses securely so that hackers can't harvest their database of customer email addresses and spam them. This is good.

Usernames can be whatever the user likes, unless there is a good reason for them to give their actual name. In which case, there is a good reason for them to give their actual name. And then the business has a responsibility to store the user's actual name securely, etc. This is good.

There is no good reason for anyone to store passwords in plain text. Fining people who do this is good.

The parts of gdpr that are fit-for purpose are the "non-regulator-ish" parts. The laws which basically establish what is ilegal and what carries liability.

The (most visible) part that isn't fit for purpose are all the things which gdpr solves by referring to a pseudo-contract between customer and website... permissions.

The premise, that a user/reader of a website has a contractual relationship with the website... this is madness. An average user's permissions on Google or BBC does not represent their privacy preferences. They don't understand the implications and expecting them to is silly.

That whole part of the legislation is doomed to (a) fail to benefit users and (b) cause freedom problems. Freedom as in free market and also freedom as in freedom and open platform.

It could) should be replaced with new rules governing online advertising platforms. Most privacy issues gdpr addresses begin here anyway.

I used to think like you until I heard my mother talk about the data her gardeners' association collected on her and which they now had to explicitly ask for due to the GDPR. The gardens are owned by the association and leased to association members, while house, trees and other objects are property of the member. So the association has an interest to ensure that there's insurance in case e.g. of a fire, and my mother agreed. However, she did not want to reveal private details such as the value the house was insured for, and refused, which GDPR requires to be possible for all data that is not absolutely required. Many other gardeners reacted the same way. In the end the association settled for looking at proof that an insurance contract exists without recording additional details.

Note that no online advertising platforms were involved, the data subjects were not exactly technically literate (most are retirees) and GDPR helped them greatly to protect their privacy.

The nice thing about GDPR is that all non-essential data collection needs to be opt-in, so if someone doesn't understand the implications of a choice presented to them, they can simply refuse to agree without negative consequences. How many people accidentally opt-in to being tracked for advertising when they have to individually allow each advertiser to do so?

> They don't understand the implications and expecting them to is silly.

Part pf the GDPR is a requirement that such things are spelled out explicitly in clear language.

Permission is one basis for lawful processing. There are others. A bunch of websites have been mislead into thinking that GDPR forces them to get permission for everything, or that them having permission allows them to do what they want.

They are wrong.

Even though the fine is low, at least this stuff is starting to get some attention and offenders are getting fined.
"And if you forget your 2FA hint, we can show you your password to jog your memory..."