Posts by cliffb_infosec@mastodon.social
 (DIR) Post #AQc8GRjyNfdaxPl9RQ by cliffb_infosec@mastodon.social
       2022-12-14T22:35:09Z
       
       0 likes, 0 repeats
       
       @apps It seems that you are saying "we don't store the email or send it to ourselves, so we didn't need to disclose it". But that's old thinking. Like most modern data-centric privacy thinking (see ISACA CDPSE, GDPR, and other privacy guidance), Google cares that you HANDLE or PROCESS the email address.
       
 (DIR) Post #AQc8GTNMIijk1rC7TE by cliffb_infosec@mastodon.social
       2022-12-14T22:35:57Z
       
       0 likes, 0 repeats
       
       @apps So the fact that the email address is in the control of your app is why you need to disclose it and include it in the privacy policy. Contrast that with an OAuth2 Authorization Code grant where the app would redirect the user to the service via browser, the user would enter their login info directly to the authorization server, then you'd receive only a token—never handling the email address or user info.
       
 (DIR) Post #B2lIQhhTkX94KhcZnM by cliffb_infosec@mastodon.social
       2026-01-28T23:03:11Z
       
       1 likes, 0 repeats
       
       @SecureOwl Paris, TX, is a place.