Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Shells Virtual Desktop
BMail.ag - Secure Email Service
Server.net
CPLicense.net
VPS Server
Buy VPN
Vultr
VMs for AI
HostDare
HostDare
ReliableSite White-Label Dedicated Hosting for Resellers
25% Recurring Discount on NVMe VPS
InterServer VPS
BMail.ag - Secure Email Service
Best VPN
High-Performance Bare Metal Server Solutions
Karvl.com
Server Mania Cloud Hosting
DataWagon Hosting
AlphaVPS Hosting
Evoxt.com
Clouvider
VPS Hosting with NVMe
Residential IPs in the US & 4G Mobile Proxies in EU & US with Unlimited Bandwidth
ReliableSite White-Label Dedicated Hosting for Resellers
Rabisu - Hosting Solutions
CloudLinux
Shells Virtual Desktop
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

GINERNET will now enforce KYC to all customers, offering a 5€ incentive.

124»

Comments

  • maxxxxxmaxxxxx Member
    edited 9:10AM

    @jmginer said:
    We understand that facial checks make some people uncomfortable. That is completely understandable, and we are not going to pretend otherwise.

    Can you point out to the GDPR Article 9 exception that you are using to justify your processing?

    @jmginer said:
    But let’s put things into perspective. In the physical world, there is always a minimum level of visibility: you walk into a shop, a hotel, or a data center, and someone sees you come in. Honestly, every day we are surrounded by cameras in streets, shops, and building entrances, recording us without us knowing where that footage ends up, who stores it, or for how long. Most people do not even think about it. On the internet, however, that basic visibility does not exist: anyone can register with a disposable email address, a fake phone number, a stolen card, and a VPN, and start using real infrastructure without being accountable to anyone.

    Bad example and not even true. It's not at all easy to do this without proper justification and a real objective threat that actually exists, not just a hypothetical one or just a general notion of security. Even with proper justification you need to make sure to notify the data subjects before they enter the perimeter where the camera is recording, failing to do this makes it illegal. It's much less complicated to do just suveillance without the cameras having the possibility of saving the recording at all.

    @jmginer said:
    We are not trying to harvest your personal data, we just want to make sure there is a real human behind each account, because that alone stops most large-scale abuse.

    Seriously, doing this as an anti bot measure? I hope this is a joke.

    @jmginer said:
    Regarding the 5 EUR/USD credit: no, we are not "buying your biometric data". It is just a small gesture for the inconvenience of migrating to the new Manager. There is no need to overthink it.

    It's not just a gesture, this will fail the consent requirement as you provide incentive, the same is valid for other negative incentives you have to illegaly force the data subjects to consent. I know I asked you the question at the beginning of my post, but it's rather obvious consent is the only exception that is valid in this case.

    @jmginer said:
    If you prefer to use a provider that does not ask you to identify yourself at all, that is a completely legitimate preference, and there are plenty of them on the market. But we also have the same right to set a minimum level of trust for people running projects on our network.

    There is really no such "right" on your side, you can have a legal obligation which you don't or you can have legitimate interest but this needs to be justified with both a legal basis under GDPR aricle 6 and an exception under article 9 and even if you did both properly you would fail under other GDPR provisions as this is clearly not the least intrusive means to acheive your goal, which is your responsibility to prove that it is.

    @jmginer said:
    It’s a one-time process, conducted by Didit (a European provider that complies with the GDPR; we do not store images or biometric data). In addition to strengthening your account, it enables password recovery using your face (in case you ever lose your password), and we’ll credit you with a bonus balance once you complete it (you’ll find it in the Dashboard, in the bonuses section).

    How do you "not store it", you are the controller and Didit is the processor, Didit acts on your instructions and it's your responsibility, you can not delegate this responsibility to Didit as your processor. In case Didit has a data breach or in any way or form unlawfully processes this data that's your responsibility and you can be sure you'll pay for it.

    https://didit.me/terms/privacy-policy/#11-anonymized-model-training-and-fraud-detection-your-opt-out

    @ymginer where do you ask for consent for this? Do you use the API to delete the verification record? How do you ensure Didit is not processing this between the time the record is created and the time when you call the API? Same for the timeframe untill the "next refresh cycle"?

    "the deletion removes the record from training pipelines on the next refresh cycle", so this is processed without a valid consent and there's no possiblity for you to prevent this processing untill the next refresh cycle by looking at how this is written.

    @jmginer said:
    There is no alternative in-person or manual process.

    So you are claiming that this is a legal obligation? Can you point me to where this is required by law for you to process and where are you listed as an "obliged entity"?

    https://manager.ginernet.com/privacy -> "Protecting the platform and preventing fraud, abuse and non-payment: legitimate interest."

    So no legal obligation involved here, just legitimate interest and complete ignorance of GDPR article 9 on your part.

    @jmginer said:
    As for your question about what “reasonably necessary” means: for verifications on our platform, Didit retains data for a maximum of 10 years—the period allowed under European fraud prevention regulations—and automatically deletes it afterward. You can find all the details here: https://manager.ginernet.com/docs/general/verificacion-de-identidad

    Can you point me to those "regulations"?

    The period of "10 years" if from AML and anti terrorist financing and has nothing to do with you at all. "Obliged entities" are explicitly listed under article 2(1) so you can not justify this.

    The period is actually 5 years + another 5 only if there is a suspicion of serious crime and such and even then it needs a lot of documentation and work to justify.

    Thanked by 4forest zGato zed jsg
  • AlyxAlyx Member, Host Rep

    This is the first company that complains about bots willing to pay for their service 😅

  • forestforest Member
    edited 10:48AM

    @Alyx said:
    This is the first company that complains about bots willing to pay for their service 😅

    No no, it's not just about bots. @jmginer is lamenting that privacy on the internet is stopping people from being held accountable. Which is, when you think about it, really fucking disturbing coming from a hosting provider rather than a cop.

    Not that I trust cops either, but at least holding people accountable is their job.

    Thanked by 3Alyx zGato rpqu
  • jsgjsg Member, Resident Benchmarker
    edited 10:55AM

    To go constructive mode:
    I think @raindog308's proposition makes more sense and looks much more acceptable. I'd even be willing to give them my landline phone number.

  • edited 11:51AM

    @jsg said:
    To go constructive mode:
    I think @raindog308's proposition makes more sense and looks much more acceptable. I'd even be willing to give them my landline phone number.

    Agreed. Taking a call isn't much of a problem for me. Might need a correction to the number that i usually have on file though. I mean, it's real and all, it's just that there's no phone attached to the SIM card ;)

    Landline is sadly not an option for me as i don't have one.

    Thanked by 1jsg
  • AlyxAlyx Member, Host Rep

    I think netcup once did a address verification by calling me, and asking me about the local hardware store down the street.

    There was no hardware store. My confused reply about what store he is talking about was enough verification for them that I know the area enough that I could actually live here.

    I still think having any sort of verification for a stupid VPS is total bs.
    But if you really have to do it, then doing stuff like this is something I would prefer a lot.

  • rpqurpqu Member
    edited 12:12PM

    @Alyx said:
    I think netcup once did a address verification by calling me, and asking me about the local hardware store down the street.

    There was no hardware store. My confused reply about what store he is talking about was enough verification for them that I know the area enough that I could actually live here.

    I still think having any sort of verification for a stupid VPS is total bs.
    But if you really have to do it, then doing stuff like this is something I would prefer a lot.

    This is much preferable.

    Ask about your general location -> "Can you go to X by Y?" (200m walk) -> livestream the walking process with the agent (no face required) -> verify the process with google street view

    Thanked by 1Mainfrezzer
  • AlyxAlyx Member, Host Rep

    @rpqu said: Ask about your general location -> "Can you go to X by Y?" (200m walk) -> livestream the walking process with the agent (no face required) -> verify the process with google street view

    Now you are asking me to put pants on and leave the house, this is crossing a line 😅

    Thanked by 2rpqu jsg
  • maxxxxxmaxxxxx Member
    edited 3:53PM

    @William said:

    @zGato said: GINERNET can choose to store data from 30 days for up to 10 years. They have not disclosed anywhere for how long.

    https://didit.me/terms/verification-privacy-notice/

    This is where it is explained. GINERNET needs to determine the retention perior before it begins to process the data.

    Retention: "Biometric data retention is in every case subject to, and capped by, applicable biometric-privacy laws and regulations, including the EU General Data Protection Regulation (GDPR) Article 9"

    As I mentioned article 9 in my previous post.

    Automated processing: "Didit may use automated systems to review document integrity, liveness, face match, fraud indicators, and other verification signals... Except where a specific service states otherwise, the Customer remains responsible for how it uses the verification result in its own business decision-making."

    "if biometric verification is part of the configured workflow, the Customer may or may not offer an alternative verification method, depending on the Customer's policies and applicable law."

    As I also mentioned in the previous post, no manual review will not do. And alternative method as customers are not required to consent to this. I explained this in the SeFlow therad...

    https://didit.me/terms/identity-verification/

    Eligibility: "You may only use the Verification Services if: you are legally permitted to do so;... your use of the Verification Services does not violate applicable law, the rights of another person, or the Customer's terms..."

    It's all there in various documents and if Didit didn't fuck up somehow, this is designed to sell you the service and take your(GINERNET's that is) money, not their problem if GINERNET is not compliant. But it's not uncommon for processors to fuck up somewhere and the supervisory authority will simply say they are the controllers or joint controllers in that case and fine them both.

    @William said:
    GINERNET has no data, they use Didit which also does banks and other verifications. ALl GInernet gets with the selfie only setting it either Pass or Fail; even with the ID settings GInernet provides THEM your data to match the ID and again only gets Pass/Fail.

    This is not correct. GINERNET makes all the decisions regading the data and if Didit did that they would be joint controllers or controllers. Explained here: https://didit.me/terms/privacy-policy/

    "We may disclose personal data to: The customer that asked us to perform the verification, ..."

    This is needed simply by the fact that GINERNET is the controller.

    "GINERNET has no data" sounds as stupid as if I rent a VPS from GINERNET and put my customers data there and then I say "I have no data, GINERNET has it".

    Thanked by 1rpqu
  • zGatozGato Member
    edited 4:14PM

    They have updated the KYC message. Yet, no additional comments from @jmginer besides the initial comment.

    I think everything's already been said in this thread. They're not going back and will force KYC to everyone while trying to paint it with bs bs and more bs.
    I believe all the nonsense, changes, and incoherences that @jmginer has already said and done proves how sketchy and scummy this shit is.

    Thanked by 3Alyx jsg zed
  • edited 4:36PM

    @zGato said:
    They have updated the KYC message. Yet, no additional comments from @jmginer

    Actually i'm surprised they bothered to comment at all. At least in a way that would predictably be picked apart. If i were to ask my crystal ball it would probably say that they simply believe in what they stated (at least the honesty is commendable in my opinion) and there hadn't been much outside input on this up until now, so the pushback wasn't anticipated.

    There might be some regrets but actually backpaddling on the whole thing would probably be too much of an ego hit and/or would render too many past decisions void. I mean, it's unlikely they'll be able to just cancel whatever contract they have with Didit without taking some kind of loss, so i figure they'll try riding it out.

    I'm not enough of an asshole to wish the guy to take a ton of damage over this but i can't help but hope that the impact will be felt enough to revert the whole thing somewhere in the future.

    Edit: Didit storing the picture for 2 years (up to... yeah right...) if the client explicitly opts out of password-recovery-by-face is kind of a bad joke.

    Thanked by 2zGato jsg
  • raindog308raindog308 Administrator, Veteran

    The fact that the selfie you upload to Ginernet will be used to train Didit's AI models unless you take action to opt-out is really appalling.

  • ehabehab Member
    edited 5:40PM

    we can all use @vpsric

    Thanked by 2Murv zGato
  • edited 5:56PM

    @raindog308 said:
    The fact that the selfie you upload to Ginernet will be used to train Didit's AI models unless you take action to opt-out is really appalling.

    Yeah, basically the whole handling beyond the actual KYC pretty much is. If you absolutely have to confirm people's identities using a picture the picture becomes useless (in any reasonable sense) once the identity is confirmed and should just be immediately and irrevocably deleted - no strings attached.

    As is it's kind of like ordering stuff at IONOS. You know the second you put your guard down and don't analyze everything on a microscopic level they'll sign you into a 5 year business listing contract at $99.99/y.

    Thanked by 1zGato
  • NeoonNeoon Community Contributor, Veteran

    @raindog308 said:
    The fact that the selfie you upload to Ginernet will be used to train Didit's AI models unless you take action to opt-out is really appalling.

    Should upload dick pics instead then.

Sign In or Register to comment.