Hacker News new | past | comments | ask | show | jobs | submit login

It's not clear to me how from a privacy perspective that's different from the hash of an id.



It's different because a hash of the ID can be used by anyone who knows the hashing algorithm. If the ID is combined with a UUID/GUID and the UUID/GUID is kept secret/isolated by the entity doing verification, then nobody else can make use of the hash, even those within the entity organization who do not have access to the UUID/GUID. The UUID/GUID itself is not PII so it can probably be retained without violating the GDPR. The same goes for the hash. And since there is no way to reconstruct the original ID given the UUID/GUID and hash, there should be no GDPR violation.

In a large entity such as Google, you almost need to outsource ID verification to ensure it's not abused by other (advertising/marketing) parts of Google. Of course all of this requires good faith on the part of the implementing entity, which is certainly not guaranteed.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: