GDPR compliance? Bit too easy to grab user's full details
Hi,
I feel this is a bit of a problematic / questionable topic, mainly due to the now-relevant GDPR law.
As a registered user my full name and address can be seen in the title bar/about dialog of TC, which is really-really too easy for practically ANY software running on the PC to grab and use, for virtually any purpose... just some 5-10 lines of code are needed to achieve this.
I have some concerns about it - am I the only one? -, shouldn't it be possible for me, if I'd like, to hide it from the world if I am in fact Santa Claus, so no other application is capable of reading it out with some simple WinAPI commands, without any real effort?
The fun fact is that if you're a non-registered user you don't have to worry that your sensitive data may silently travel to somewhere else, to a 3rd party you don't even know; but in case you're registered and paid for TC, the problem is real (even though there are no known cases of stealing data using such ways - as of yet -, it may exist).
Image: https://image.ibb.co/jBYy3J/sshot.png
Demonstration app (run it from TC):
https://bluesoft.hu/software/tools/TcWhoAmI.zip
Virustotal check:
https://www.virustotal.com/#/file/e69675f63697d734fc53942afd101f5e15615b74863b97cfd028e4f686f35865/detection
Thanks,
Regards,
Bluestar
- ghisler(Author)
- Site Admin
- Posts: 48523
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
The GDPR is about storing and processing user data on the company computers. It's not about showing the user name on the user's own PC.
The request of the name and address from the user is necessary for tax purposes, especially sales tax, which depends on the user's country.
Author of Total Commander
https://www.ghisler.com
- sqa_wizard
- Power Member
- Posts: 3878
- Joined: 2003-02-06, 11:41 UTC
- Location: Germany
@Hacker: Thanks, you too! Bit lost in the way of life but always keeping an eye on TC
@ghisler(Author):
Thanks for your quick answer - I can completely understand that requiring full name & address is absolutely necessary for tax & license validation purposes, but I still have doubts if showing it in the title bar of the software is really necessary, and not even optionally disable-able (how strange it sounds).
I mean, if we look at applications dealing with similar issues, most came to such an agreement on this topic like REAPER (audio tool), which I think is a nice way of doing it (show it by default, but let the user have the chance to optionally disable it if he/she wants to do so):
Image: https://image.ibb.co/ca5wqy/reaper_about_dialog.png
Is there any reason we are forced to use 3rd party tools to make this feature available regarding TC? (there are a bunch of them available)
I have no software on my PC that would force me to show my full legal name and address to anyone, except Total Commander which doubtlessly wants to do so. This is still strange to me, why is it so necessary - do you think it is really the best practice you could do to make the license sharing on public sites even less (I guess this is the main reason of having it), is it even still necessary in the 21st century…?
(By the way, GDPR is not just about storing/processing, but also about the effort to protect user data, even on his own computer, so no one and nothing can get their hands on it without any notice - now TC allows to make it happen.)
P.S.: I'd even appreciate a way that in case TC would allow to disable showing it in title bar/address in the about dialog, it would require some small extra communication/online license check using TC's server, and if it fails then it would show the name in the title anyway + some notice about the license being invalid. So this way you could use your license without showing your name to anyone staring at your screen/any app, in case you agree to have a small (even random) license check this way - or you'd have to "live with" having the name everywhere in the app, in case you don't have internet connection/you are using an invalid license. This way you could get even more info about people using the same license without any rights.
What's your opinion?
@Sir_SiLvA: so you don't mind giving your personal details to anyone over the world, correct?
Being ignorant is rarely a real solution
TC sharing it in the caption/about dialog is like if you go to the city center where you live, and put some "post-it" notes with your name & address here and there. Would it be definitely a good idea?
Last edited by Bluestar on 2018-06-02, 15:09 UTC, edited 2 times in total.
2Sir_SiLvA
Except for having to deal with the nag-screen! Run TC without your keyfile. Problem solved!
License #524 (1994)
Danish Total Commander Translator
TC 11.03 32+64bit on Win XP 32bit & Win 7, 8.1 & 10 (22H2) 64bit, 'Everything' 1.5.0.1383a
TC 3.60b4 on Android 6, 13 & 14
TC Extended Menus | TC Languagebar | TC Dark Help | PHSM-Calendar
GDPR does cover this kind of case, but... are YOU compliant with it, too? Who, and why have access to your computer screen? Do you lock your computer when away from it?
I agree that the name shouldn't be written on top bar, but also you should take care not letting anyone access your computer, especially if you have sensitive data on it.
Well, that's interesting what you say… look at some real life scenarios.
For example I'm sitting at a cafe bar with my notebook, having my TC on it.
I'm doing my usual stuff, people come and go everywhere. They can have a look at my monitor (should I constantly check who's checking my desktop?), and easily notice my personal name. Then they can call me by my own name without me letting them know who I am.
That would be creepy, wouldn't it? But TC allows this to happen.
(maybe I shouldn't use TC at cafe bars? only browse and listen to music, or use TC unlicensed?)
For example you're flying on a plane, doing some work stuff. You have an unknown companion next to your seat. He/she can also know your name, without having a single conversation, just by looking at your screen in a fine moment.
Does it matter if they know your name?
- Probably no(?) (however I wonder why don't we just print it on our t-shirt as well, including our address, mother name, birthdate etc, it could be so much fun).
Wouldn't it still be better if they wouldn't know ANY unnecessary information, which is not their business at all?
- Absolutely yes.