The story does not tell us how Linus Torvalds responded to the NSA, but I’m guessing he told them he wouldn’t be able to inject backdoors even if he wanted to, since the source code is open, and all changes to it are reviewed by many independent people.
Yeah I’m guessing the answer would be more colorful based on the historical data we have
Neat, I wonder who I’ll be in tomorrow’s morning stand up meeting
Yeah “legitimate interest” seem to be abused a lot
Copypasting here answer to similar question in superuser.com
https://superuser.com/a/1624773
Under GDPR there are 6 grounds based on which anybody can process personal data. Those are:
Consent
You explicitly agreeing to it. This needs to be opt-in, informed, specific and freely given, but also gives the greatest freedom to a company.
Contract
This is the basis which raj’s answer confused with legitimate interests. This is the processing that is required to fulfil a contractual obligation (note that contracts do not always need to be signed, e.g. an order from an eshop).
need to process someone’s personal data:
- to deliver a contractual service to them; or
- because they have asked you to do something before entering into a contract (eg provide a quote).
Source: ico.org.uk
Legal obligation
Vital interests
Public task
Legitimate interests
Legitimate interests are the most flexible lawful basis for processing personal data. In the words of the UK’s ICO 1:
It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
Source: ico.org.uk (worth reading!!!)
The underlying text from the GDPR itself (definitions and links added are mine)
processing is necessary for the purposes [=a specific minimal type of processing] of the legitimate interests pursued by the controller [=the company wanting to process your data] or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject [=you] which require protection of personal data, in particular where the data subject is a child.
Source: GDPR Article 6(1f)
So basically a legitimate interest claim by a company is them saying ‘we are convinced that our interest outweigh the negligible impact on the privacy of the people whose data we process’. This doesn’t give them a free pass though, as GDPR also gives the right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point [public interest] or [legitimate interest] of Article 6(1), including profiling based on those provisions.
Source: GDPR Article 21(1)
Which then require the company to either concede and stop the processing or justify their claim. Companies in practise have taken this to mean they can basically just do a bunch of processing and as long as they make the objection process (=opt-out) easy enough the theory is that they will get away with it.
1 The UK left the EU, but they still have by far the best English language resource explaining GDPR and for the time being “UK GDPR” matches “EU GDPR” one on one as far as I am aware
Why not just block access to Teams and other m365 apps via conditional access from non-managed devices then?
You can always “download” any content you’re viewing on the device, in fact you need to do so in order to view it.
Say, you don’t want a word document containing price sensitive information being downloaded, but someone with access to view the document on a non-managed device can just screenshot it. Or to be honest, just take a photo from a screen of a managed device.