Hacker News: 7bit's comments

Websites blocking FIDO vendors is nothing new. In corporate environments this may be necessary. Imagine a 2-tiered environment where generally all vendors are allowed (no blocks) for accessing tier-1 information, but to access tier-2 you need a special vendor. That is not uncommon.

By the way, SAML has similar authentication restrictions, so this is not something FIDO came up with.


What a toxic response.


There's nothing in the reply that suggests sarcasm. How do you expect people who don't already know the answer to identify the response as sarcasm?


Context - the sibling comments, the things I said afterwards, and that the answer is easily searchable.

IMO the toxicity here is from the other commenter insisting on taking what I said literally, and then digging in and fortifying that demand rather than just taking a step back.


They don't need you to believe it. They just need to hear themselves say it.


You age much faster when older. Don't read too much into it.


User criticised missing transparency and trust.

Company apologises for delay.

The comedic timing is insane.


if anyone reading this would like access to S3, i can get you added.


I would like to be added so I can benchmark you; I'm in the process of picking an EU vendor for data storage.


I'd like to be added, who should I email?


send me an email jamie @


That would be awesome! I'll email as well.


> User criticised missing transparency and trust.
>
> Company apologises for delay.
>
> The comedic timing is insane.

..internet user points out said comedy.

..Company backtracks on initial apology and S3 access rollout plans and commits to providing immediate S3 access through social media thread replies.


The issue lies somewhere in between.

I agree that businesses who unlawfully sell your data or do not implement a minimum of security measures should be punished hard.

I also agree that a flat 5000 € is problematic. Not because I believe that breaking the law shouldn't be punished. It's because you also get punished if you protect the data and respect your customers, but you don't document the thousand things you must document as a small business.

I don't know if you ever looked at GDPR, but that does not distinguish between a company with five employees and 50,000 employees.

The company with 5 employees must exactly (!!!) implement the same audit trail and processes that the 50,000 employee company has to do. Or worse, there's literally no difference between you founding a company and Facebook.

This shit gets extremely overwhelming extremely fast and that's just killing small businesses.


As someone with experience with it, I wholeheartedly disagree. It's not that hard to not invade user privacy. You have to go out of your way to be invasive; just respect your users and collect as little data as possible. That's truly the way to go and reduces your liability in a multitude of ways, including protecting you from data breaches (if you don't keep the data, there's nothing to steal).


You have not read a word of what I was writing...


Can you give a specific example of what needs to be documented?


I hope these are the correct English translations:

Record of processing activities, data processing agreements, consent documentation, technical and organisational measures, data protection impact assessment, data retention and deletion concepts, legal basis documentations, etc. etc.


Yeah, but basically all of those are either standard for SMEs or no-ops.

For instance, if I run a bakery and sell baked goods online, I'm probably using Shopify who comply with this with one button.

Even if I built the baking website myself, all I need is an email address and a physical address to send delicious baked goods to you. I need to keep the payment records for a long time (for dispute prevention if nothing else), but that's it.

Where is the GDPR hassle in this case?

Just stop collecting data you don't need (or make sure it's for a good reason, like fraud prevention) and you'll be fine.

If said bakery creates accounts, it's a little more involved but basically you just need to implement soft delete to comply with your obligations.

I'm not sure this is a massive hit, can you help me understand what SMEs exactly are going to be hit by complex GDPR compliance?


No, a bakery using Shopify will not spare them from having these documents. You show a respectable amount of ignorance only to then claim GDPR won't be a hassle in this case. It absolutely is a hassle, which you would know had you familiarized yourself with the subject.

Even stating "just stop collecting data you don't need" shows that you did not care to read my response before you replied to it, and how little you generally know about the topic.

Not repeating what I said, I will add this: if you do collect personal data (and you WILL if you do anything online, write invoices or just have a security camera on premises), then you will have to have these documents ready.


> No, a bakery using Shopify will not spare them having these documents.

https://help.shopify.com/en/manual/privacy-and-security/priv...

Most of the information relates to online marketing, which does tend to come with more GDPR compliance requirements. My wife runs a business through Shopify and the only thing we need to worry about is email addresses.

Can you help me understand what you see as the issues around GDPR compliance here?


Checksums are useless in this case. The binary would have to be signed and the installation routine would have to check that the new binary would have been signed with the certificate. That adds complexity, but would have thwarted this specific attempt.

However, there are ways around this, too. No solution is perfect.
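The distinction the comment draws, as an added example that is not from the comment or any real update tool: a checksum published next to the download is recomputed by whoever replaces the binary, while a signature checked against a key pinned in the installer is not. Ed25519 stands in for the certificate the comment mentions; the `Release`, `Publish` and `Tamper` names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what an update server hands the installer: the binary, a
// checksum published next to it, and a detached signature over the binary.
type Release struct {
	Binary    []byte
	SHA256    string // hex digest, as published alongside the download
	Signature []byte // ed25519 signature over Binary
}

// ChecksumMatches is the checksum-only check. It compares the binary against
// whatever checksum arrived with it, so it passes whenever both were replaced.
func ChecksumMatches(r Release) bool {
	sum := sha256.Sum256(r.Binary)
	return hex.EncodeToString(sum[:]) == r.SHA256
}

// VerifySignature is the installer-side check from the comment: the public
// key is pinned in the installer, so a swapped binary cannot carry a valid
// signature unless the release signing key itself has been compromised.
func VerifySignature(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Binary, r.Signature)
}

// Publish models the vendor's build pipeline signing a release.
func Publish(priv ed25519.PrivateKey, binary []byte) Release {
	sum := sha256.Sum256(binary)
	return Release{Binary: binary, SHA256: hex.EncodeToString(sum[:]), Signature: ed25519.Sign(priv, binary)}
}

// Tamper models the threat in the comment: the download server is replaced,
// the checksum is recomputed, but the old signature no longer matches.
func Tamper(r Release, replacement []byte) Release {
	sum := sha256.Sum256(replacement)
	return Release{Binary: replacement, SHA256: hex.EncodeToString(sum[:]), Signature: r.Signature}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := Publish(priv, []byte("constructed sample binary v1.0"))
	bad := Tamper(good, []byte("constructed sample binary, replaced"))
	fmt.Println(ChecksumMatches(good), VerifySignature(pub, good)) // true true
	fmt.Println(ChecksumMatches(bad), VerifySignature(pub, bad))   // true false
}
```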


Infrared is light. How is it possible that an IR remote controls a device downstairs?


You could install a door. Then again, who am I to tell people what to do.

