Staying on the Right Side of UK “People Data” Laws
Now, let’s talk compliance. If you store data about actual humans, you inherit a list of obligations whether you like it or not:
- Secure data in transit and at rest
- Sensible development practices and regular pen‑testing
- The ability to remove data on request (including from backups)
- And a general expectation that you won’t behave like a 1990s freeware toolbar
But here’s the twist: I don’t want to store personal data at all. Not because I’m lazy (well… not only because I’m lazy), but because if you avoid storing identifiable data, you avoid bringing the system into legal scope.
So how do we license users without storing anything personal?
Simple: we store a SHA‑2 hash of their MAC address.
A MAC address could identify a physical machine, but the hash cannot be reversed. It’s like shredding a document, burning the shreds, and scattering the ashes across the Isle of Skye. We have no idea who the user is, and that’s exactly how it should be.
Each new customer also gets a random GUID as their CustomerId. When the app checks its licence, it sends:
- the CustomerId
- the hashed MAC address
This lets us uniquely track usage without ever knowing who the human is. Think of it like a session ID that never reveals the person behind the keyboard.
And if someone shares their licence key with a friend? Well, their friend’s MAC hash won’t match, and the revenue‑protection system politely says, “Nice try.”

Security, Timing Attacks, and Other Fun Things
To make life harder for would‑be attackers, each licence request intentionally pauses for one second. Valid or invalid, the response time is identical. This prevents timing‑based brute‑force guessing.
It’s a small thing, but small things matter when you’re trying to stop clever people from doing silly things.
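
A sketch of the licence check from the two sections above, added here as an example and not the author's code. It goes slightly beyond the text in two ways: because a MAC address is only 48 bits of input, the server stores an HMAC of the submitted hash under a server-side key rather than the bare SHA-256, and the response is padded to a fixed deadline instead of sleeping a flat second on top of variable work. The names PEPPER, LicenceServer, client_mac_hash and stored_binding, the choice of SHA-256, and the sample values are assumptions.

```python
import hashlib
import hmac
import time
import uuid

PEPPER = b"constructed-demo-key"  # assumption: server-side secret, not on the page
MIN_RESPONSE_S = 1.0              # the page's one-second response time


def client_mac_hash(mac: str) -> str:
    """What the app sends: SHA-256 over the canonical 6-byte MAC address."""
    raw = bytes.fromhex(mac.translate({ord(c): None for c in ":-."}))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return hashlib.sha256(raw).hexdigest()


def stored_binding(customer_id: str, mac_hash: str) -> bytes:
    """What the server keeps: a keyed hash tying the CustomerId to the machine."""
    msg = f"{customer_id}|{mac_hash}".encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).digest()


class LicenceServer:
    def __init__(self, min_response_s: float = MIN_RESPONSE_S):
        self.min_response_s = min_response_s
        self.bindings = {}  # CustomerId -> keyed hash; no MAC, no name

    def register(self, mac_hash: str) -> str:
        customer_id = str(uuid.uuid4())  # random GUID, as on the page
        self.bindings[customer_id] = stored_binding(customer_id, mac_hash)
        return customer_id

    def check(self, customer_id: str, mac_hash: str) -> bool:
        start = time.monotonic()
        # Unknown CustomerIds compare against a dummy so both paths do the same work.
        expected = self.bindings.get(customer_id, bytes(32))
        ok = hmac.compare_digest(expected, stored_binding(customer_id, mac_hash))
        # Pad to the deadline so valid and invalid requests take the same time.
        remaining = self.min_response_s - (time.monotonic() - start)
        if remaining > 0:
            time.sleep(remaining)
        return ok


if __name__ == "__main__":
    server = LicenceServer(min_response_s=0.1)  # shortened for the demo
    cid = server.register(client_mac_hash("02:00:00:00:00:01"))  # constructed MAC
    print(server.check(cid, client_mac_hash("02-00-00-00-00-01")))  # same machine
    print(server.check(cid, client_mac_hash("02:00:00:00:00:02")))  # shared key
```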
