The Google Fonts case was decided based on the transmission of the full IP address in a jurisdiction (Germany) where there are ways to identify a user by means of that address. CNIL's press release follows a decision by the Austrian data protection authority where the Google Analytics cookies were at issue.
If you can read German, you can look at the Austrian decision directly; the complainant has uploaded it at [1] and the relevant section is D.2 b) starting at page 27.
The website tried to rely on legitimate interest as the legal basis for processing the data, and that precisely requires a balancing test between the interests of the website host and the interests of the data subject.
If you want to make sure that you're not getting the balancing test wrong, you can always go for the legal basis of last resort: consent. Just ask the user whether you can load content from Instagram and only do it if they agree. In fact, since in parallel to the question of your legal basis under GDPR, you also have to comply with the cookie provision from the e-Privacy Directive, where there is no "legitimate interest" exception to the requirement to ask for consent, you will have to ask for consent anyway (as Instagram embeds place cookies).
> In fact, since in parallel to the question of your legal basis under GDPR, you also have to comply with the cookie provision from the e-Privacy Directive, where there is no "legitimate interest" exception to the requirement to ask for consent, you will have to ask for consent anyway (as Instagram embeds place cookies).
I don't think that's true. The cookie provision is misunderstood when you think you have to ask for consent for functional cookies. Follows from the GDPR, and there is no specific cookie law actually implemented in European countries. See also https://gdpr.eu/cookies/. Ah, but maybe I misunderstood and you are only talking about the cookie set by the embed?
It is not true that "functional" cookies are generally exempt from the consent requirement. What is concretely exempt are necessary cookies for a service that the user explicitly requested. This is not the case for cookies placed by Instagram embeds.
Sorry, but an opinion from 2012 has no chance to be relevant if it disagrees with the current GDPR interpretation I linked to. Note how it explains that the ePrivacy Regulation is not in effect. I do not see how there could be any basis to legislate cookie usage if it is not linked to private data/analytics, if this happens it will not survive the courts I think. I do understand that this cookie consent interpretation is common - one just has to look at those stupid cookie consent forms on private blogs - but it does not follow from real legislation.
However:
> This is not the case for cookies placed by Instagram embeds.
Yeah, I can see how this is complicated and how it fits the topic. It's not a third party cookie for the embed, but for the website it might be, and is it even a functional cookie? I doubt it. I'm not sure how those would be judged and what is a reasonable way to work with embeds. It's only certain that there is not a solution as easy as it was in this case, where self-hosting the fonts was possible.
You're making the mistake of thinking that the cookie consent requirements are somehow a consequence of GDPR. The cookie consent requirements exist separately from and additionally to GDPR as a consequence of the e-Privacy Directive. What GDPR changed in regard to cookie consent is what exactly constitutes "consent", as it updated the Data Protection Directive in that regard, but it did not change when consent for cookies is required.
Other than court judgments, the Article 29 Working Party opinion is the most authoritative opinion you will get on the interpretation of the e-Privacy Directive, which is the "real legislation" that you need to look at.
edit: Nobody claims that the e-Privacy Regulation is in effect, by the way -- of course it isn't, it hasn't even been passed. The cookie consent clause of the e-Privacy Directive is however in effect, and has been since 2009.
Also the e-Privacy Directive does exempt strictly necessary cookies from any consent requirements, or am I completely confused now?
Edit: No, I'm not. The GDPR page I linked states the situation that follows both from the GDPR and the e-Privacy Directive. It also fits to what is written in the directive itself.
Strictly necessary cookies for a service the user explicitly requested. And, importantly, this is true even if no personal data is involved and the process is therefore not covered by GDPR at all -- the cookie clause of e-Privacy Directive applies regardless.
Careful. That is a 100% unofficial site. It is not chartered or funded by the EU. The linked article is from “Richie Koch”, an editor working on human rights stories who wrote the article on behalf of Proton VPN, which runs the GDPR.eu site as a content marketing scheme. The linked article is not the law and not official guidance, though it provides a reasonably good summary.
Everything sqrt2 says in the comments is entirely correct, as far as I can tell.
Fair point. And thanks. I think now that my position - while how it should be, consistent with the GDPR and repeated at multiple places - is possibly not in line with a court decision from 2019 or so, that interpreted the e-Privacy Directive in a wrong way imho, and at the very least might depend on local practice of how EU "law" is applied. So you two are probably right.
Ridiculous to govern non-privacy relevant tech usage like this. I still think that's illegal where I live. Regardless, let's hope the e-Privacy Regulation or future court decisions solve this.
A MAC of a message m can only be computed with the knowledge of a key K. Specifically, with a cryptographic hash function h,
HMAC(K, m) = h(K + a || h(K + b || m)),
where + is addition mod 2 (xor), || is concatenation and a and b are constants. (This construction takes into account possible length extension attacks on h.)
Given that h is secure, knowledge of any reasonable number of pairs (m, HMAC(K, m)) does not allow you to recover K, and without K, you cannot compute HMAC(K, m) for known m, i.e. enumerate all the possible MACs for serial numbers.
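The construction from the comment above, written out as an added example (not part of the original comment). It assumes h = SHA-256 and the RFC 2104 constants a = 0x5c and b = 0x36 repeated over one block; the key, the serial number format and the names issue/verify are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes (assumption: h = SHA-256)

def xor_pad(key: bytes, const: int) -> bytes:
    """K + a (or K + b): zero-pad K to one block, then XOR with a constant byte."""
    if len(key) > BLOCK:  # RFC 2104: keys longer than a block are hashed first
        key = hashlib.sha256(key).digest()
    return bytes(k ^ const for k in key.ljust(BLOCK, b"\x00"))

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """h(K + a || h(K + b || m)) with a = 0x5c (outer) and b = 0x36 (inner)."""
    inner = hashlib.sha256(xor_pad(key, 0x36) + msg).digest()
    return hashlib.sha256(xor_pad(key, 0x5C) + inner).digest()

def issue(key: bytes, serial: str) -> str:
    """Issuer side: the MAC that accompanies a serial number, as hex."""
    return hmac_sha256(key, serial.encode()).hex()

def verify(key: bytes, serial: str, tag_hex: str) -> bool:
    """Verifier side: recompute the MAC and compare in constant time."""
    try:
        presented = bytes.fromhex(tag_hex)
    except ValueError:  # malformed tag is rejected, not an error
        return False
    return hmac.compare_digest(hmac_sha256(key, serial.encode()), presented)

# Constructed sample values, not taken from any real system.
KEY = b"constructed-demo-key"
SERIALS = ["SN-000041", "SN-000042"]

if __name__ == "__main__":
    for serial in SERIALS:
        tag = issue(KEY, serial)
        print(serial, tag, verify(KEY, serial, tag))
    # A tag issued for one serial does not validate another serial.
    print(verify(KEY, SERIALS[1], issue(KEY, SERIALS[0])))
```
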
It may be forgivable to use dynamic mass in an article written for laymen and using a simple model of the atom, but I feel I should mention that the concept of objects changing mass depending on the reference frame is a very dangerous one because substituting the dynamic mass for the mass in a classical formula does not always lead to correct results.
The concept of dynamic mass is motivated by wanting to continue to write the previously known three-momentum as p = m v, which does not conform to special relativity, hence the definition of mass is changed. However, in a formula as basic as F = m a (F and a being vectors), substituting the dynamic mass for m does not yield correct results because in general, under special relativity, F and a do not even have to be parallel.
Modern formulations of dynamics in special relativity use the more intuitive invariant mass, and three-momentum is written as p = m gamma v, where gamma is the factor previously included in m_r. This p is now the spatial components of four-momentum p^μ = m u^μ, where m is the invariant mass and u is the relativistic four-velocity of the moving object.
The article is correct. The nit from grandparent is that it uses some outdated language. So if you do not look too closely in special relativity, you will find that the mass quite often appears together with the Lorentz factor, which describes time dilation. This led historically to the claim that moving objects are heavier than the same object at rest. But since this does not hold in general relativity, it is nowadays usually assumed that mass is always the rest mass. And so the article reads a bit outdated.
Start off with this: relativity is complicated, and unintuitive from the standpoint of human experiences.
So, let's talk about gravity. Gravity is a force between objects which have a certain kind of property, let's call it property X. Gravity has a precise quantitative relationship with property X, the more property X an object has the more gravitational force it exerts.
What is "property X"? It's energy. And here is where things get a bit complex, because most people would instead have said that "mass" is property X. The problem with that is mass becomes variable depending on the reference frame, and it turns out to add a lot of excessive complexity to discussing things, especially when precision is required.
So you could imagine talking about mass as the equivalent of energy, which is typically an accurate viewpoint, and then you get to the idea of "relativistic mass". Which is the adjusted "property X" value of an object which might be traveling at relativistic speeds in a given reference frame.
Relativistic mass, or property X, can be a helpful mental model in some ways, and in normal uses of English it's often a more useful way of thinking about things. But it's also problematic because it's ambiguous.
This has led to a bit of an impedance mismatch between the way physicists talk about relativistic effects and the ways that it's more natural to talk about such things in plain English. In English "property X" is mass, but in physics it's actually energy, and it's difficult to get people to fully grok the intimate relationship between energy and mass.
Physically, mass is just a special name for invariant, or rest, energy, the energy of an object in the reference frame where the object is stationary. It's all energy, but it's important to separate out rest-energy vs. energy in a given reference frame, and so forth.
p^μ is the μ-th component of the vector p, and in an equation p^μ = m u^μ, μ is to be taken as a free variable, i.e. the equation is true for every μ. In relativity, Greek indices are taken to range over time and the three spatial dimensions (whereas Latin indices only range over the spatial dimensions).
This notation can be naturally extended to tensor products of vectors in the tangential and co-tangential spaces to the base manifold that is spacetime (simply called "tensors" by physicists): https://en.wikipedia.org/wiki/Einstein_notation
This reminds me of a blog post in German [1] by a person who due to a software bug had been falsely diagnosed by 23andMe with limb-girdle muscular dystrophy. (Fortunately, he was able to identify that it was a misdiagnosis.) It appears that in this case potential misdiagnoses aren't just a theoretical problem.
This is what 23andMe said about that person's genome:
"Has two mutations linked to limb-girdle muscular dystrophy. A person with two of these mutations typically has limb-girdle muscular dystrophy."
Of course this is not a diagnosis in a technical sense, but to a lot of people it will sound like it is. Specifically, I don't see how this is "very clearly" not a diagnosis.
23andMe empowers you to better manage your health and wellness.
$99 [Add a kit]
There are no disclaimers on this page, just an aphorism, an assertion, and a call to action. Now I like the idea of 23andme, I like the company, and I'm educated and skeptical enough to enjoy some fluffy scientism for a hundred bucks, but don't tell me they're not selling the hell out of this.
Obviously Assange (et al.) didn't ask anyone if they could leak sensitive data -- and perhaps they should have (but how exactly would that have gone do you expect?) -- but I believe Assange is acting on this above principle.
In summary, he treats government as a conspiracy (liberally defined to be a social network) whose total conspiratorial power (the sum of the weights of the edges of the social graph, where the nodes represent people and the edges the potential to share information) can be kept in check by increasing the cost of exchanging information -- which is exactly the effect of leaking classified material.
It's quite silly that the author doesn't know this, but the feature he requests exists already and has existed for 10 years -- Privacy Extensions for SLAAC in IPv6 (RFC3041). It's even enabled by default on Windows.
[1] https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Goog...