GDPR compleance? Bit too easy to grab user's full details

English support forum

Moderators: white, Hacker, petermad, Stefan2

Post Reply
User avatar
Bluestar
Senior Member
Senior Member
Posts: 377
Joined: 2007-06-10, 15:26 UTC
Location: Hungary
Contact:

GDPR compleance? Bit too easy to grab user's full details

Post by *Bluestar »

Hi,

I feel this a bit problematic / questionable topic, mainly due to the now-relevant GDPR law.

As a registered user my full name and address can be seen in the title bar/about dialog of TC, which is really-really too easy for practically ANY software running on the PC to grab and use, for virtually any purpose... just some 5-10 lines of code is needed to achieve this.

I have some concerns about it - am I the only one? -, shouldn't it be possible to me if I'd like to hide it from the world if I am in fact Santa Claus, so no other application is capable of reading it out with some simple winAPI commands, without any real effort?

The fun fact is that if you're a non-registered user you don't have to worry that your sensitive data may silently travel to somewhere else, to a 3rd party you don't even know; but in case you're registered and paid for TC, the problem is real (even though there are no known cases of stoling data using such ways - as of yet -, it may exist).


Image: https://image.ibb.co/jBYy3J/sshot.png

Demonstration app (run it from TC):
https://bluesoft.hu/software/tools/TcWhoAmI.zip

Virustotal check:
https://www.virustotal.com/#/file/e69675f63697d734fc53942afd101f5e15615b74863b97cfd028e4f686f35865/detection



Thanks,


Regards,
Bluestar
User avatar
Hacker
Moderator
Moderator
Posts: 13052
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by *Hacker »

[mod]Moved to the English forum.

Hacker (Moderator)[/mod]
Mal angenommen, du drückst Strg+F, wählst die FTP-Verbindung (mit gespeichertem Passwort), klickst aber nicht auf Verbinden, sondern fällst tot um.
User avatar
Hacker
Moderator
Moderator
Posts: 13052
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by *Hacker »

[OT]
Bluestar is alive! Happy to see you! :)

Roman
Mal angenommen, du drückst Strg+F, wählst die FTP-Verbindung (mit gespeichertem Passwort), klickst aber nicht auf Verbinden, sondern fällst tot um.
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Post by *ghisler(Author) »

The GDPR is about storing and processing user data on the company computers. It's not about showing the user name on the user's own PC.

The request of the name and address from the user is necessary for tax purposes, especially sales tax, which depends on the user's country.
Author of Total Commander
https://www.ghisler.com
User avatar
sqa_wizard
Power Member
Power Member
Posts: 3854
Joined: 2003-02-06, 11:41 UTC
Location: Germany

Post by *sqa_wizard »

In my opinion it is a kind of anti-theft system.
If someone gets your key file, it is of no worth, because YOUR name is always displayed at the title and blames "Stolen from ..."
#5767 Personal license
User avatar
Bluestar
Senior Member
Senior Member
Posts: 377
Joined: 2007-06-10, 15:26 UTC
Location: Hungary
Contact:

Post by *Bluestar »

@Hacker: Thanks, you too! :) Bit lost in the way of life but always keeping an eye on TC :wink:


@ghisler(Author):
Thanks for your quick answer - I can completely understand that requiring full name & address is absolutely necessary for tax & license validation purposes, but I still have doubts if showing it in the title bar of the software is really necessary, and not even optionally disable-able (how strange it sounds :)).

I mean, if we look at applications dealing with similar issues, most came to such an agreement on this topic like REAPER (audio tool), which I think is a nice way of doing it (show it by default, but let the user have the chance to optionally disable it if he/she wants to do so):

Image: https://image.ibb.co/ca5wqy/reaper_about_dialog.png


Is there any reason we are forced to use 3rd party tools to make this feature available regarding TC? (there are bunch of them available)

I have no software on my PC that would force me to show my full legal name and address to anyone, except Total Commander which doubtlessly wants to do so. This is still strange to me, why is it so necessary - do you think it is really the best practice you could do to make the license sharing on public sites even less (I guess this is the main reason of having it), is it even still necessary in 21th century… ?


(By the way, GDPR is not just about storing/processing, but also about the effort to protect user data, even on his own computer, so noone and nothing can grab their hands on it without any notice - now TC allows to make it happen.)


P.S.: I'd even appreciate a way that in case TC would allow to disable showing it in title bar/address in the about dialog, it would require some small extra communication/online license check using TC's server, and if it fails then it would show the name in the title anyway + some notice about the license being invalid. So this way you could use your license without showing your name to anyone staring at your screen/any app, in case you agree to have a small (even random) license check this way - or you'd have to "live with" having the name everywhere in the app, in case you don't have internet connection/you are using an invalid license. This way you could get even more info about people using the same license without any rights.

Whats your opinion?
User avatar
Sir_SiLvA
Power Member
Power Member
Posts: 3278
Joined: 2003-05-06, 11:46 UTC

Post by *Sir_SiLvA »

2Bluestar If you dont like your Data being readable
(apart from the fact that if thats a REAL concern for you, you have other problems) the solution is SIMPLE:
Run TC without your keyfile. Problem solved!
User avatar
Bluestar
Senior Member
Senior Member
Posts: 377
Joined: 2007-06-10, 15:26 UTC
Location: Hungary
Contact:

Post by *Bluestar »

:D @Sir_SiLvA: so you don't mind giving your personal details to anyone over the world, correct?
Being ignorant is rarely a real solution :)

TC sharing it in the caption/about dialog is like if you go to the city center where you live, and put some "post-it" notes with your name & address here and there. Would it be definitely a good idea?
Last edited by Bluestar on 2018-06-02, 15:09 UTC, edited 2 times in total.
User avatar
petermad
Power Member
Power Member
Posts: 14739
Joined: 2003-02-05, 20:24 UTC
Location: Denmark
Contact:

Post by *petermad »

2Sir_SiLvA
Run TC without your keyfile. Problem solved!
Except for having to deal with the nag-screen!
License #524 (1994)
Danish Total Commander Translator
TC 11.03 32+64bit on Win XP 32bit & Win 7, 8.1 & 10 (22H2) 64bit, 'Everything' 1.5.0.1371a
TC 3.50b4 on Android 6 & 13
Try: TC Extended Menus | TC Languagebar | TC Dark Help | PHSM-Calendar
User avatar
hlloyge
Member
Member
Posts: 131
Joined: 2006-11-02, 23:14 UTC

Post by *hlloyge »

GDPR does cover this kind of case, but... are YOU compliant with it, too? Who, and why have access to your computer screen? Do you lock your computer when away from it?
I agree that the name shouldn't be written on top bar, but also you should take care not letting anyone access your computer, especially if you have sensitive data on it.
User avatar
Bluestar
Senior Member
Senior Member
Posts: 377
Joined: 2007-06-10, 15:26 UTC
Location: Hungary
Contact:

Post by *Bluestar »

Well thats interesting what you say… look at some real life scenarios.
For example I'm sitting at a cafe bar with my notebook, having my TC on it.

I'm doing my usual stuff, people come and go everywhere. They can have a look at my monitor (should I constantly check who's checking my desktop?), and easily notice my personal name. Then they can call me on my own name without me letting them know who am I. :D
That would be creepy, wouldn't it? But TC allows this to happen.
(maybe I shouldn't use TC at cafe bars? only browse and listen to music, or use TC unlicensed? :) )

For example you're flying on a plane, doing some work stuff. You have an unknown companion next to your seat. He/she can also know your name, without having a single conversation, just by looking at your screen in a fine moment.


Does it matter if they know your name?
- Probably no(?) (however I wonder why don't we just print it on our t-shirt as well, including our address, mother name, birthdate etc, it could be so much fun).

Wouldn't it still be better if they wouldn't know ANY unnecessary information, which is not their business at all?
- Absolutely yes.
User avatar
hlloyge
Member
Member
Posts: 131
Joined: 2006-11-02, 23:14 UTC

Post by *hlloyge »

I am sorry, but I can't see the problem in that, except your paranoia. Worse problem would be 'man in the middle' attack while you're at some cafe wireless.
But I think there shouldn't be a problem removing that info with some checkbox - I, for instance, don't mind it.
Post Reply