Protection through frugality: 28 January is data protection day

Estimated reading time: 3 minutes

Happy data protection day to everyone!

Data Protection Day has been an international event since 2007. A lot has changed since the European Council initiated it, and data protection becomes more and more important each year.

When talking about data protection and privacy, it is very common to raise the topic of encryption, either of data in rest or in transit. But a word you rarely hear is “data frugality”.

What does data frugality mean?

In short: Don’t collect any data you do not need or use.

Whenever we visit a website or install a new app, we’re asked to accept cookie policies, share our location and sign up for newsletter. But there are important questions we don’t always ask. Why does the home page of my dentist need to know the click behavior of visitors? Why should an online translator know about my location?

Of course, there is always a use case for data - if necessary one can simply invent one. But why should we be concerned about data collection if we are sure that our data is secure and encrypted? Here comes the bummer: There is no perfectly safe system. Any data you possess can eventually be stolen. To protect the data of your customers and website visitors, the best protection you can think of is not being in possession of the data at all.

Just like in previous years, we experienced numerous security breaches, like Log4Shell or the (in)famous Facebook leak in 2021. Some of these data breaches could have been less serious, if the data collected had been tailored to the actual needs of both users and corporations.

A very clear example of that statement is the alleged hack of the “CDU connect” app and the server’s API in Germany’s election campaign in the summer of 2021, responsibly disclosed by Lilith Wittmann. An erroneously public API contained data about representatives visiting citizens, including the citizens’ address, gender, exact geographic location, and topics they talked about. The purpose of the app was, contrary to the data collected, not to track individual citizens and their whereabouts. Instead, it was supposed to serve as an evaluation of the party’s own election campaign, which could have been achieved by pseudonymization each visitor that participated.

What can we as OpenProject do?

For us, the protection of your personal data is more than just a legal requirement. The awareness and importance for security and data privacy actions have always been a major topic for us and are one of the main motives for developing this open source project management software.

  • We provide our website and service without the use of any non-functional cookies.
  • We respect and accept do-not-track (DNT) headers sent by requests to our website.
  • We do not enforce any personal data in the OpenProject authentication process. If you decide to use your OpenProject instance completely anonymously, you can even avoid using an email address.

Data protection is an ever evolving topic and there is still a long road ahead of us to data frugality and privacy. We want to walk that road together with you, towards an internet where every user can decide which data to expose, and where all data is handled responsibly.

Our goal is to bring OpenProject to perfection as a lighthouse project for data privacy and security in Europe.

You can find out more about data protection in our blog posts about Data protection in remote work settings and our Data privacy commitment, or have a look at our Data protection policy and our Data protection section on our website.

Please contact us if you have any questions or feedback regarding privacy and data protection for OpenProject.