Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Answering the question "what data do I collect" usually doesn't include a full code review. You should already know that. The only thing you really have to check are third-party scripts that send stuff to third-party servers.
But the auditors will want proof and in my experience that gets down to providing them with screen shots (!! !!) of the responsible code. OK, that's not a full code review but it may in some ways be worse since they'll ask you in dribs and drabs.
-
@Benjamin-Hall said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
So instead, what you get is cargo-cult compliance--a bunch of pop-ups with no fundamental changes (or ones that don't do what they're supposed to).
Not gonna argue against that. What I saw on some US websites was hilariously non-compliant. They just added a new pop-up that basically told you all the shitty services they send your data to, with no way to opt out, and forced you to click "OK" to use the service. 10 minutes of Google would have told them that this is explicitly forbidden.
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Benjamin-Hall said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
So instead, what you get is cargo-cult compliance--a bunch of pop-ups with no fundamental changes (or ones that don't do what they're supposed to).
Not gonna argue against that. What I saw on some US websites was hilariously non-compliant. They just added a new pop-up that basically told you all the shitty services they send your data to, with no way to opt out, and forced you to click "OK" to use the service. 10 minutes of Google would have told them that this is explicitly forbidden.
When your options are
a) shut down because the cost of being compliant is too much
b) ban European IPs (which is both costly and has a false-negative rate)
c) put up a fig leaf because they don't really have many EU customers and hope they don't get sued
which should they pick?
Note: I'm not saying that for every company the compliance costs are too much. But for some they are. You're talking about completely re-architecting the entire web presence to allow granular opt-ins (so you could opt out of X-ZY but opt-in to ZZ and everything has to work right for a combinatorial explosion's worth of combinations), and even then risking fines because the auditors often claim you're not compliant with their super secret interpretation of the regulation and want their money now.
-
@Benjamin-Hall said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
You're talking about completely re-architecting the entire web presence to allow granular opt-ins (so you could opt out of X-ZY but opt-in to ZZ and everything has to work right for a combinatorial explosion's worth of combinations)
I'm not aware of anything in the regulation that enforces this granularity. The big todo item is to make sure users can opt out of everything unnecessary and that they're aware of this. I'm pretty sure it's perfectly legal to simply have two checkboxes for "analytics" and "targeted advertising", even if you use multiple 3rd party services, as long as you tell the user where the data goes.
-
@Benjamin-Hall said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Note: I'm not saying that for every company the compliance costs are too much. But for some they are.
Yeah, I'm sure that a lot of places all over (US and Europe and wherever else) are just sort of hoping for the best.
-
Surely all you need is `npm install gdpr-compliance-pack`, which will work until left pad is taken down again
-
@blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Stop it. Your ignorance level is so high that you might soon become a president.
Tell me this. Has the EU ever created legislation that resulted in huge fines for an EU company and zero fines for any US companies?
All the time. There are also multi-billion fines for member countries every few months or so.
-
@The_Quiet_One said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
IP addresses do not have that level of security risk. You can't use an IP address to steal one's identity or make unauthorized transactions if stolen.
Webstore X stores your IP address history, your name and your house address. Because their security is terrible, they get hacked and the database ends up in a public dump.
Website/forum Y, in which you do not want to reveal your real name or even acknowledge publicly that you're a member (think porn, controversial political party, or TDWTF garage), stores your IP address history and your nickname. Because their security is terrible, they get hacked and the database ends up in a public dump.
Anyone can use your IP address history to link both sources, and end up with the real names and mail addresses of members of site Y. With a bit of trivial coding, you can even automate blackmail ("we know you're a member of Y, pay us 1 BTC or we'll publicly reveal your real name").
Lesson learned: by itself, your IP address may not be enough to identify you with certainty, but it's sensitive enough to be classified as PII.
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
How much? $2? $35?
Add two digits and you're in the right range. I don't know how you think web developers make their living if you think they'd write a bill for less than 400€. For a more complex website, they'd certainly charge four figures for any change.
Ok, so by "literally every business", you actually meant "every business that has a website that collects data of some sort". That's far more agreeable. And much smaller in scope. In this situation, yes, the few hundred to few thousand euros - depending on the size of the project - looks reasonable. And I still think it's not that bad. It's not even a periodic cost - you only have to do it one time. It's less than most other things you have to pay for when running a business, both big and small.
-
@Benjamin-Hall My personal favorite: if a user opts out of data collection, can you store the fact that they opted out or do you have to ask them again and again every time they visit the site?
There's no exemption in the law for storing whether a user opted out already.
-
@Jaloopa All right, I give up. What is the left pad meme?
-
@Gąska
It's "every undertaking that has a website that collects data of some sort, including IP addresses in server access logs." I, personally, am not a business, but I am an undertaking. And while there is a carve-out for personal use (e.g. guild roster), it only applies when using someone else's social platform; running it yourself like Tag Cloud Attack or Server Cooties puts you back in the crosshairs. And it's not a one-time-only cost -- unless you want to be my EU-based data privacy compliance officer for free. Any EU country could fine me for €20M at any time for not having one, regardless of any other aspects I'm in compliance with.
-
@TwelveBaud don't you need like 50 employees before a compliance officer is mandatory?
-
@boomzilla That's amazing. Cargo specifically prevents build breaks if anyone uses `cargo yank` for this very reason.
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
cookie notices
The fun part? Lots of those notices were the only parts of those sites that were actually illegal. ;)
Sometimes you've just got to laugh at it all.
-
@boomzilla said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Yeah, I'm sure that a lot of places all over (US and Europe and wherever else) are just sort of hoping for the best.
And as long as they're using it honestly, they'll actually have the law on their side. (This is basically according to what our legal dept sent round back in spring.) It's a lot of hoo-hah over nearly nothing except for the scummiest of scum.
-
@dkf Yeah yeah, Euro-people tell us "oh don't worry the courts won't do X and they won't do Y and they won't be mean and they don't levy fines if people made a good effort" but guess what? None of that is written into the text of the law. So no, that doesn't count.
-
@dkf said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
It's a lot of hoo-hah over nearly nothing except for the scummiest of scum.
For now.
-
@Gąska Let me know where it says that. I'll wait.
(Spoilers: No. Rules-as-written, it's mandatory for all sizes. If you live in the EU, you can be your own DP officer, but I in the USA don't have that option. The only part that depends on the size of the business is that sub-250 businesses don't have to maintain a paper audit log of who's accessing the PII and why, unless the information is extra special or unless they do it routinely.)
-
@pie_flavor said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Jaloopa All right, I give up. What is the left pad meme?
Short version: due to NPM's horrible architecture having no concept of a "foreign key," some dev who threw a temper tantrum was able to delete all of his contributions from NPM, even though one of them (a package called left-pad) was used by stuff that was used by stuff that was used by stuff that was used by everything, and so it managed to break a non-trivial amount of the entire Web.
-
@blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@dkf Yeah yeah, Euro-people tell us "oh don't worry the courts won't do X and they won't do Y and they won't be mean and they don't levy fines if people made a good effort" but guess what? None of that is written into the text of the law.
Actually, it IS written. What you worry about is administrative agencies and courts of law interpreting the law NOT as written.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Actually, it IS written.
Not in the version I read, but I'm not going to read the updated version (if there is one and you aren't simply lying) because I got shit to do.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Actually, it IS written.
Read more carefully. It says that countries' data protection authorities should be mindful of small-to-medium-sized businesses when writing their own GDPR implementation, but explicitly (Whereas #13) doesn't give SMBs any relief from compliance. Any "don't worry about it" relies on the DP authorities interpreting the law NOT as written.
-
@TwelveBaud I thought the problem was the bill as a whole, not lack of special provisions for small to mid businesses?
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Ok, so by "literally every business", you actually meant "every business that has a website that collects data of some sort".
Show me a business website that doesn't collect any kind of data. Even shitty restaurant websites usually have a contact form.
-
@dfdub And they all collect IPs, because the servers do that automatically and by default. The restaurant owner probably isn't even aware of that.
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Ok, so by "literally every business", you actually meant "every business that has a website that collects data of some sort".
Show me a business website that doesn't collect any kind of data.
That I can't do that is the reason why this law was made.
-
@TwelveBaud said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Let me know where it says that. I'll wait.
Section 4, Article 37. It's legalese, but it basically says that you only need one if you handle sensitive data or if data processing is a large part of your business.
Edit: Obviously, "data processing" = processing of personal data.
-
@Gąska Please. The guy running your local sushi shop installed Google Analytics because:
- He wants to see which menu items are most popular, and
- It's orders of magnitude easier to install than in-house analytics packages, like Matomo
And he's collecting IP addresses because all of the web servers on Dreamhost just happen to do that by default. He's not even aware of that data collection. (He might not even be aware of the Google Analytics one-- that high school kid he hired to maintain the site might have done it without telling him.)
It's not because he's trying to sell your data to Dirk VillianHitler.
Treating him the same as Dirk VillianHitler's customer list is shitty lawmaking.
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Then make all analytics scripts opt-in. Then tell users what you use the information for. Voila, you're compliant.
Whoops, forgot to update one part of that site. Guess we are now liable for millions in fines.
-
@blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
None of that is written into the text of the law.
Because that law is subject to other, higher law that requires everything be proportionate. Since that's the case, why the fuck would you want it written into this law as well? That's like rejecting dynamic libraries in software…
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@TwelveBaud don't you need like 50 employees before compliance officer is mandatory?
Whoops, I've hired my 50th employee. Guess I'm not a small business anymore and I have to retain essentially an attorney on staff 24/7 or face multi-million Euro fines.
-
@dkf said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
None of that is written into the text of the law.
Because that law is subject to other, higher law that requires everything be proportionate. Since that's the case, why the fuck would you want it written into this law as well? That's like rejecting dynamic libraries in software…
Why would that be a bad thing? No more DLL hell sounds awesome!
-
@masonwheeler Because giant binary size and unlicensable libraries is the name of the game, obviously.
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
Section 4, Article 37. It's legalese, but it basically says that you only need one if you handle sensitive data or if data processing is a large part of your business.
Edit: Obviously, "data processing" = processing of personal data.
That's what subsection 1 says. Subsection 4 allows any EU country to make it mandatory for any undertaking regardless of core business.
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Benjamin-Hall said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
So instead, what you get is cargo-cult compliance--a bunch of pop-ups with no fundamental changes (or ones that don't do what they're supposed to).
Not gonna argue against that. What I saw on some US websites was hilariously non-compliant. They just added a new pop-up that basically told you all the shitty services they send your data to, with no way to opt out, and forced you to click "OK" to use the service. 10 minutes of Google would have told them that this is explicitly forbidden.
Why? Agree to it or don't use their services. What's the problem?
-
@Polygeekery It's apparently illegal to condition using their services on agreeing to disclosure.
-
@dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
The big todo item is to make sure users can opt out of everything unnecessary
They can, by not using your site and/or services.
-
@blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska Please. The guy running your local sushi shop installed Google Analytics because:
- He wants to see which menu items are most popular
I don't know what kind of sushi shops you have in Amazonland, but over here, most small restaurants have their menu posted as a single image. Most don't even have a website - they just make a Facebook fanpage. Besides, there's a much simpler, much more precise way to find out the most popular items, and it requires zero personal data collection - not even IP.
- It's orders of magnitude easier to install than in-house analytics packages, like Matomo
And with GDPR, it still is.
And he's collecting IP addresses because all of the web servers on Dreamhost just happen to do that by default. He's not even aware of that data collection. (He might not even be aware of the Google Analytics one-- that high school kid he hired to maintain the site might have done it without telling him.)
How's that different from any other illegal activity conducted by a business that the owner is unaware of?
It's not because he's trying to sell your data to Dirk VillianHitler.
He doesn't, but the sidebar ad provider definitely does. This law is mostly targeted at businesses that make a living off trading information about random people. And it seems fairly effective, looking at the lack of ad cookies in my fresh browser installation that I've been using for a week.
Treating him the same as Dirk VillianHitler's customer list is shitty lawmaking.
Are you suggesting there should be separate sets of laws for people we like and people we don't like?
-
@TwelveBaud said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Polygeekery It's apparently illegal to condition using their services on agreeing to disclosure.
That's a next level type of retarded evil. They are trying to prevent people from doing what I mentioned as an easy way to deal with their BS. This explains the blocking of Europe. I imagine they never considered that could be a possibility.
-
@JazzyJosh said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@TwelveBaud don't you need like 50 employees before compliance officer is mandatory?
Whoops, I've hired my 50th employee. Guess I'm not a small business anymore and I have to retain essentially an attorney on staff 24/7 or face multi-million Euro fines.
50 employees mean at least $40,000 in payroll alone. Surely you can spend a couple of bucks to make sure you know what you're doing with customers' and non-customers' personal information?
-
@pie_flavor said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
giant binary size
...will actually be smaller than the combined binary size of all the libraries, even before you apply a linker.
unlicensable libraries
Huh? Who said anything about unlicensable libraries?!? Have you been talking to @shoulder-alien again?
-
@blakeyrat
Daily? Today:
This is such a stupid remark I'm not even going to look for English articles for you.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
50 employees mean at least $40,000 in payroll alone.
50 employees means diddly squat in payroll alone. They could all be part time.
TIL lawyers cost $2/eternity. @Gąska got me a really good deal.
-
@TwelveBaud said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
fine me for €20M
Sure ... Only the maximum fine is relevant.
-
@Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
This law is ~~mostly~~ not targeted at businesses that make a living of trading information about random people.
If the target isn't in the text of the law, then it's irrelevant.
-
@blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
that high school kid he hired to maintain the site might have done it without telling him
The high school kid he paid to clean the kitchen did a terrible job resulting in a shit fest among his customers. Is he not responsible for that?
-
@masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@dkf said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
@blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:
None of that is written into the text of the law.
Because that law is subject to other, higher law that requires everything be proportionate. Since that's the case, why the fuck would you want it written into this law as well? That's like rejecting dynamic libraries in software…
Why would that be a bad thing? No more DLL hell sounds awesome!
You're too young to remember when that was a very real thing, and that shit sucked hard. Indeed, one of the selling points of early Linux was “it's a free Unix with working shared libraries!” and that really made it stand out from the crowd of that time.
Of course, the executable/shared library system it had was utterly horrid and , but everyone switched to ELF a few years later.
-
@dkf Not too young to remember that. And I've also seen, since then, the mess that arises from trying to do this the Linux way.