
The problem isn’t data protection, it’s data collection - Yuval_Halevi
https://twitter.com/CNBCi/status/1191431197332852737
======
NohatCoder
The whole cookie consent thing is a joke. We need rules that stop data
collection, not rules that make us have to navigate arcane menus.

~~~
Jestar342
IANAL, but it is my understanding that those arcane menus are actually
breaking the law (with respect to GDPR in the EU, at least). The default
position should always be "No", and combined with that the "exit route" for
anyone that opted-in should also be really, really easy. Like single-click
easy. But business gonna business and bend the rules, I guess.

~~~
bad_user
> _But business gonna business and bend the rules, I guess._

Until some lawsuits will happen and the EU has been more than happy to collect
fines.

~~~
Nextgrid
The reason a majority of websites doesn't comply is because data protection
agencies are doing fuck all and there has been no enforcement of the
regulations. It doesn't help that reporting non-compliant websites is a pain,
at least in the UK. It's as if they're not actually interested in collecting
all that "free" money from the fines.

~~~
icebraining
> data protection agencies are doing fuck all

Why do you say this? At least ours is just swamped, so it'll take a while.
Plus big cases take up a lot of resources. But there have been GDPR fines
issued, and many many more warnings that might lead to fines if the company
doesn't comply.

~~~
Nextgrid
Being swamped shouldn't prevent them from at least starting somewhere, and
Google and Facebook are violating it so badly it should be a very easy case...
yet none of the data protection agencies dare to go anywhere near it (there
have been cases against but they seemed to hinge on minor violations as
opposed to the elephant in the room).

Plus, the swamping problem will stop because the first high-profile case will
scare everyone else into compliance.

~~~
icebraining
> Google and Facebook are violating it so badly it should be a very easy
> case...

Not really, because Google and Facebook will also fight any accusation tooth
and nail in the courts and through lobbying. The case must be very well
documented and defended.

I'm not saying you're wrong, but it's too early to tell.

------
fimdomeio
The whole thing looked a bit strange to me. First the interview started with a
basic presentation of who Edward Snowden is and what he did... at the
Websummit.

His talk brought nothing new if you follow him, maybe it brought attention to
the issues to a wider public (it was all over the news in Portugal).

On the other hand I feel his presence could serve to white wash the whole
thing. How many companies represented there would be out of business if they
embraced Snoden's beliefs?

------
dhimes
Tracking needs to be illegal. Period. As long as it's legal, even
conditionally, we will be playing whack-a-mole. There's a helluva lot of trash
on the internet that's there _only_ because somebody is trying to game the
advertising industry.

If you allow conditional tracking, and invite workarounds, we are in a race to
the bottom. Ethical players are caught in a position of play dirty or die.
When growth/profits sag a bit, they will have no riposte to the board member
who questions their unwillingness to engage in cutting-edge gamesmanship to
get around the law.

On the other hand, if you make it strictly illegal, and make the penalty an
_existential threat_ to the company, then everybody can play a fair game. The
board member who pressures the company to do such things will be putting the
company at risk, and the ethical folks have their response.

Advertisers don't need to track people. They don't need our personal
information.

Case-in-point: Alphabet just bough Fitbit. Fitbit knows your _most intimate
details._ They know when you sleep, when you are awake, where you are. They
know when you go up and down stairs. I'm guessing they have a pretty good idea
of when you make love, where you make love, and with whom (if you're both
wearing). And they just sold their data-collection to a company that _exists_
to exploit your data.

This needs to be stopped. Now.

~~~
shantly
Strongly agree. I don't care _why_ they're doing it. That a voyeur is taking
creepy photos of me in order to advertise better rather than to get off, or
that someone's trying to record my conversations to advertise better rather
than to hunt and kill dissidents, _does not make those activities OK at all_.
They are still, _per se_ , abhorrent.

That the collected data is open to _any imaginable abuse_ in the future, just
as if the _motivations_ , in addition to the actions themselves, had also been
extremely malicious, since they (the big tech companies and the savvier small
ones) default to collecting everything they can and never deleting it if they
can avoid it, means stopping this is also pressing for very real, very serious
safety reasons.

------
WA
Data protection suggests that it is okay in the first place to collect data,
as long as it is going to be protected. But this is a problem. Data shouldn't
be collected in the first place, because you can't probably protect it
properly anyways (leaks etc.).

He's totally right imho, but to defend the GDPR at least a bit: It does have
the concept of "consent" so that data should only be collected if people agree
to it being collected. However, I still have my doubts that it works like that
in reality for several reasons:

\- Too many websites place tracking cookies first and then let you disable
them

\- Too many apps use some kind of analytics without any consent

\- The GDPR has different mechanisms to give companies a "legitimate interest
in collecting data". How this is enforced is kind of unclear.

\- The GDPR issued fines in the past, but _what 's gone is gone_. It maybe
helps that companies stop collecting more data in the future after they were
caught, but you, as an individual, are still screwed.

So, the only way indeed is to stop SOME data collection in the first place and
do it yourself. And you certainly can forget cookie banners and all that junk.
Only thing that works is:

\- don't sign up to abusive services

\- use tracking protection on the web (uBlock Origin)

\- possibly use something like pi-hole to prevent tracking for all your
devices and apps

But of course, this doesn't stop data collection where you really have no
choice but to agree to something.

Edit: Clarification

~~~
matheusmoreira
> It does have the concept of "consent" so that data should only be collected
> if people agree to it being collected.

How does this work in practice? Sites just say "we collect data, click OK to
accept". Where's the option to say no?

~~~
alkonaut
> "we collect data, click OK to accept

That's not compliant with the GDPR plain and simple. For example ads on a
website are not required for that site to work (even if it's the only
revenue), so the site cannot store data only to track users to show ads. The
way a complliant site should work is it can say

"if you want to allow tracking cookies to get more relevant ads you can do so
in settings".

I.e. no must be default in case of non-acceptance - and the site must still
function.

~~~
matheusmoreira
Yeah. I just visited some news site and they gave me a cookie notice:

> We use cookies for analytics, advertising and to improve our site.

> You agree to our use of cookies by closing this message box or continuing to
> use our site.

Hopefully they will be fined huge amounts of money.

~~~
alkonaut
Exactly. At least _some_ site will be fined, and that news site might make a
calculation that it's a better business decision to comply than keep violating
the law.

------
mehrdadn
Confused, doesn't GDPR prohibit you from collecting data in the first place
unless you satisfy some criteria? Meaning it _is_ data collection regulation?

~~~
buboard
It doesn't remove the ability to collect, but requires consent. When something
is technically possible, and there's a monetary incentive, consent is easy to
arrange, either with misleading popups, or by just making the product so sweet
that the user forgets about privacy

~~~
icebraining
Making the product sweet doesn't work (legally): if you rely on consent for
capturing data, you _cannot_ refuse access to the product if the user doesn't
consent.

~~~
buboard
my point is users don't think much before giving their (positive) consent
because of the expected dopamine hit from the "fun" of using these services.
Try asking the same questions the social media asks (such as your relationship
status) in some boring public service. People begin to notice.

------
OliverJones
Mr. Snowden is right. If you don't start with the assumption that ALL SECRETS
LEAK SOONER OR LATER, your information security plan is definitely flawed.

Not even state actors with unlimited resources (that's you, NSA) can prevent
stored secrets from leaking. It's ALWAYS something, whether teenaged hackers
or far-flung contract system administrators with too much access (that's you,
Mr. Snowden).

Rule 1. Don't collect data you don't need.

Rule 2. Don't store data you don't need.

Rule 3. Assume all data you store will leak, according to Murphy's law (at the
worst possible time).

Rule 4. Make your stored data has limited utility. Eternal Blue (hi again NSA)
was not such a secret.

Rule 5. Make sure your stored data has limited useful lifetime. US Social
Security numbers do not have limited useful lifetime. Strangely enough, credit
card numbers do have limited lifetime.

Rule 6. Do your best to set up leak detection. For example, seed your
financial secret caches with fake social security numbers that raise flags
when used.

Rule 7. See rule 3.

Secrets should be stored under the legal concept of strict liability. They're
just like bulls in a farmer's field. If the bull escapes and causes damage,
the farmer pays for it. No excuses. No need to prove negligence.

We have, up and running at scale, workers' compensation and the vaccine injury
fund. Both of those assume strict liability. A dangerous factory sees its
premiums go high enough to put it out of business. Same for a sloppy vaccine
manufacturer.

Why can't NSA and Equifax be held to the same standard? (I'd hate to be POTUS
announcing a tax increase to cover the damage caused by Eternal Blue.)

~~~
mtberatwork
Engineer: "Why are we collecting this much data?"

PHB: "We might need it someday for analytics, just keep storing it."

* Engineer, PHB leave company *

New Engineer: "Hey does anyone know what this data is being used for?"

New PHB: "No idea, just keep it running. Don't want to break anything."

* New Engineer, new PHB leave company *

New new Engineer: "What's all this data for?"

New new PHB: "No idea, just keep it running. Don't want to break anything."

...rinse, repeat.

~~~
OliverJones
True, true, true.

But how about this: Security auditor: "What's all this data for?"

PHB: "I don't know, it's the way it's always been done here."

Security auditor: "Your data retention policy doesn't pass ISO27001 (or PCI or
whatever). No certification for you.

Cyberinsurance company: "We're tripling your rates because you aren't
certified."

CEO: "PHB, deal with this problem."

------
pluma
He misrepresents the GDPR a bit.

At least in theory, the GDPR is meant to restrict collection, not just how the
data is used and stored. It has a big loophole in allowing for vague "business
interests" to be taken into consideration whether collection is legal or not.

More than that, the GDPR clearly establishes ownership of PII and asserts that
owners have the right to request information about how their data is handled
as well as demand that data be destroyed, exported or corrected.

~~~
buboard
I think he doesn't. GDPR could outright ban the collection of certain data.
Instead (and because this data is useful for govt. purposes) they chose to go
with consent.

------
Porthos9K
I'm sick of this whole situation. We need to ban "opt out". Everything
businesses do should be "opt in" with "informed consent", and noncompliance
should be be punished with summary closure and dissolution after the first
offense.

And while we're at it, let nuke the data brokers. Preferably literally.

------
jesperht
Here's a link to the full talk for anyone interested:

[https://www.youtube.com/watch?v=X4_7A-SGLo8](https://www.youtube.com/watch?v=X4_7A-SGLo8)

It helps frame the response a bit more in the context of the question the host
asked. (~"is GDPR the panacea?")

------
buboard
The problem isn't data collection, it's data centralization. Decentralize (or
encrypt) and conquer.

