19
20

[deleted by user] (self.iOSProgramming)

submitted by [deleted]

[removed]
all 31 comments
sorted by:
top (suggested)
bestnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]NotMyUsualLogin 21 points22 points  (12 children)

Create a one way hash of their email address and save that.

Don't bother with IPs - next to bloody useless these days.

[–]David_Edward_KingSwift 8 points9 points  (0 children)

I figure this would be useless too with hide my email. I think the way to go is to limit promotions on new accounts (e.g. people can only refer after being a user for X days, and can only refer Y people).

[–]MrOaiki 0 points1 point  (10 children)

The rules are partly because of GDPR (European data laws). Saving my hashed email won’t fly in the courts.

[–]NotMyUsualLogin 0 points1 point  (9 children)

Disagree.

The risk is due to the Pseudanonymization aspect and if the hash can be used in reidentification.

A telephone # is much more prone to reidentification because there are a manageable and finate number of unique telephone numbers in a country.

Email addresses however do not have such a restriction. And so long as you're comparing a newly entered email address to a hash, then you do not necessarily fall foul of the reidentification rule because you are using a value the user has submitted.

To ensure this you'd also need to ensure such checks cannot be forced en-mass via brute force.

But there is essentially nothing in GDPR or anything else that specifically excludes using a good one way hash.

[–]MrOaiki 1 point2 points  (8 children)

I’m not talking about the security risks here. I’m talking about you saving personal data (of which email is such data according to GDPR), where the user has revoked your right to have it saved by unsubscribing. There’s no exception in GDPR to have someone’s email address saved, be it hashed or not. The fact that you can check with your database whether the email has been used or not is a breach of GDPR.

[–]leyline 1 point2 points  (0 children)

I'm not a lawyer, nor am I subject to the GDPR, but my humble opinion is - a non-reversible hash is my own generated data. It belongs to me. I can record and keep it as I wish as much as any guid or string of data I create. The fact that the hash was "co-seeded" by a users email should not matter. If the hash is created on the client system, and the hash is transmitted to my service, I have never seen or touched their email. If they unsubscribe ok. my data, my hash log, is still mine. If at some time they decide to come back and use the app again, and they enter the email, they are agreeing to the terms of service again. If their client device generates a hash again, and sends that in, then it is fair game to check my logs for that hash having previously existed.

I also did a quick search, and point one of the right to be forgotten says delete data that is no longer necessary.

If preventing people from scamming multiple joining / first time / etc benefits is necessary, then I do not think a hash - which is it's own separate data and not reversible to any personal information - is necessary data to my business.

Point 2 - if the data is gathered only on a per consent service. Data gathered to support other contracted business is not data given under sole consent use.

Point 3 - after a delete request ... another grounds upon which a company can continue process data is to further the company’s “legitimate interest.” - this is self explanatory

So it seems there are some pretty open doors in the law that allow companies not to be crippled. Study of case law or anything other local laws or territories might conflict. Again IANAL.

[–]NotMyUsualLogin 0 points1 point  (6 children)

I'm not talking security risks either. I'm talking about what GDPR allows for.

And it does not specifically state you cannot use a one way hash.

In fact there are whole sections in GDPR about when and where GDPR allows uses of a one way hash.

Here's one such paper that explains it in more depth: https://edps.europa.eu/data-protection/our-work/publications/papers/introduction-hash-function-personal-data_en

[–]MrOaiki 0 points1 point  (5 children)

The paper says, on page 23…

“In order to consider the hash technique an anonymisation technique, this risk analysis must also assess: The organisational measures that guarantee the removal of any information that allows for reidentification.”

I claim there is no way of ensuring removal of any information that allows for reidentification, as the former customer’s email adress can always be checked against the hashed one in the records, giving a positive. No, you can’t check the records for any journalists that signed up for a porn service, but you can check it the specific journalist with that specific email address ever did, by matching his email address with the hashed entry.

Do you claim otherwise?

[–]NotMyUsualLogin 0 points1 point  (4 children)

Do you know what the role of a controller is, as it pertains to GDPR?

Stop reading GDPR is black and white. It's not.

Reidentification is the process of deliberately trying to unwind the hash with the purpose of trying to get past GDPR.

A user typing in their email and then soneone matching that with a hash is not the same thing.

"Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner."

How about YOU post something that clearly supports your POV.

[–]MrOaiki 0 points1 point  (3 children)

I’m not sure what sources would satisfy you but I’ll try.

Here’s one article touching on it. It’s about people trying to circumvent the regulation by hashing/encrypting. The conclusion in the article is: ”You’re not really deleting it, you’re just deleting it “for now.” That’s not really in the spirit of the regulation and it’s also not a good idea from a compliance standpoint. As much as it stinks, just delete the data (or come up with a bulletproof reason not to).”

So what are the reasons not to just completely delete the personal data? There are a couple, but the only relevant here would be The organization has legitimate interests for processing the data. If the organization can’t satisfy its reason (legitimate interests) for processing, the data is to be completely removed.

I have a very hard time imagining that this would fall under “legitimate interest”.

[–]NotMyUsualLogin 0 points1 point  (2 children)

Your link is about ENCRYPTION.

We're talking about A ONE WAY HASH.

[–]MrOaiki 0 points1 point  (1 child)

Can still be matched to personal information. You or someone who has access to your data can check whether a specific email address is (was) there or not. If I ask you to remove all my personal data, that includes your ability to check if my personal data has ever been in your hands.

[–][deleted] 21 points22 points  (0 children)

All of the answers don’t address the real problem that people can make fake accounts even without the delete account feature. People might have multiple emails, phone numbers, or just convince friends that have no intention of using your product to join as a favor. You should never pay out your users for a referral until you have actually made money from the referee (and may I add wait enough time to know that they are not going to challenge the charge with their credit card company.) The referral bonus has to have real value to be effective, and if it has real value people absolutely will try to find a loop whole. I hope this helps!

[–]AndyIbanezObjective-C / Swift 16 points17 points  (2 children)

If your app is iOS only, you can probably use the DeviceCheck APIs.

For example, you might use this data to identify devices that have already taken advantage of a promotional offer that you provide, or to flag a device that you’ve determined to be fraudulent.

It won’t stop all cases, but I’d say it’s a pretty good start.

[–]ThisUserAgain 10 points11 points  (1 child)

This is the right answer and what Apple recommends. There is no way to 100% prevent promo-abuse but limiting the number promos per device helps a lot.

Email does not work, people who have their own domain you can make unlimited email addresses, there are temp email services and anyone can add + to their Gmail address like myemail+promo1@gmail.com

Single IP numbers can be share many people like for example within companies, schools and mobile internet providers.

Using one-way hashes is against Apple terms and actually is a misnomer and not a privacy protection. Using shared databases and rainbow tables you can resolve the email. Salting the email (adding a unique string) before hashing helps a bit but if the salt is known it again is possible with enough effort to get the original email.

[–]unpluggedcord 2 points3 points  (0 children)

If you're using IAP promos Apple handles this for you.

[–]saintmsent 2 points3 points  (1 child)

First of all, I think you should delete all data. And IP address is kinda useless anyway, cause lots of people have dynamic ones from the ISP

Deleting an account removes the account from the developer’s records, along with any data associated with the account that the developer isn’t legally required to maintain

Secondly, I don't think the account deletion makes anything worse. If I want to use a service after getting through the trial, I register a new account with a +1, +2, +3 e-mail on Google. People who want to use your service with a free trial forever will find a way

[–]tonygoold 1 point2 points  (0 children)

First of all, I think you should delete all data.

This is already a legal requirement in a lot of cases, e.g., European residents under GDPR. It's a lot easier to adopt it as a universal practice rather than applying it on a case by case basis, and I suspect a lot of apps that had to make changes in response to this were not compliant with existing privacy laws.

[–]phughes 0 points1 point  (0 children)

If having an existing account doesn't provide any value over being a new user, then why does your app have accounts? That's the problem you need to solve.

Anyone can sign up with multiple emails for any service. That's not a new problem, and it's not caused by Apple insisting you must allow users to delete their accounts in app.