
Show HN: Ship Your Enemies GDPR - JerreBM
https://shipyourenemiesgdpr.com
======
Quanttek
I actually like this but there are a lot of similar services that make it easy
to send GDPR requests with less such biased framing and without the abusive
intent.

The arguments brought forwards against GDPR tell you probably more about the
author than the regulation if Jerre's only concern is with the potential costs
for businesses. That may be news to some, but the maximization of company's
profits is not a value in itself or should be the goal of our societies.
Otherwise, we wouldn't have safety/labor/product standards regulations, such
as OSHA. Instead, ensuring human rights, such as privacy and data rights, (and
a high quality of life) should be our concern - and that can cost companies -
slavery would've been a lot cheaper too.

It speaks to a certain discourse prevalent in Silicon Valley and among
business owners. The main source has been pretty well counter-argued in the
original thread [1] but the author rather parrots that misleading information.

[1]
[https://news.ycombinator.com/item?id=20009017](https://news.ycombinator.com/item?id=20009017)

~~~
inapis
+1 to this. Author is primarily concerned about financial costs without taking
into account all other externalities that hoarding such data causes.

------
airza
why would it be a good thing if companies spent more on fines than on costs to
comply with regulations?

~~~
dqpb
People will do the thing that costs less.

~~~
glacials
Total amount fined vs total amount spent complying aren't comparable numbers.
One side has orders of magnitude more organizations comprising its number than
the other.

We need a median amount fined to non-complying organizations vs. median amount
spent complying by complying organizations.

------
dqpb
Is there any research on combating policies by artificially overwhelming them?
This seems widely applicable.

~~~
filoleg
I don't know about any actual research, but some people are doing that to the
software patent system in the US. Current wait for a patent to be approved (or
rejected) is 3+ years iirc (and it keeps getting longer). And I definitely
know some people irl who think the whole software patent system is a load of
bs, which is why they keep filing patents (90%+ of which won't be approved)
for even the most minutiae stuff.

------
megous
If you want to weaken this regulation, abuse it like this.

~~~
Latty
That is the point of this page, if you see lower down the author is against
the regs and this is an attempt to undermine them.

Honestly, it's crazy—HN is the _only_ place I see this kind of anti-GDPR
stuff. Everyone I have talked to about it sees it as a huge positive. I
include myself in that by the way—being able to get (and delete) my data from
providers reliably is a huge positive, and it has clearly improved the way my
data gets handled a lot of the time. The cost is relatively small.

~~~
qwsxyh
That's because on HN there's five general types of people against the GDPR:

1) People who think any sort of government regulation is pure evil

2) People who read the opinions of the first group and assume that because it
was said on HN it's correct

3) Adtech startup devs

4) People who really hate not being able to hoard personal data for no reason

5) People who think money is significantly more important than privacy

~~~
novok
No it’s because we are working at companies that implement this and understand
that it creates a large compliance moat for google and facebook. If it had
proper carveouts for small business then it would be more positive. But the EU
wants to put its hands in its ears and pretend they don’t exist.

There is a difference between a 5 person biz like bear notes who would be
totally cool in deleting your login info on request / sending whatever small
amount of data they have on you, and what they actually have to do to be
properly compliant with GDPR. They are probably not and they, like many small
EU software businesses, are a liability waiting to happen.

~~~
solarkraft
What kinds of carveouts are you proposing? Should small companies be allowed
to abuse personal data however they want?

~~~
novok
I would exempt small businesses from GDPR requirements outright unless the
business model is a surveillance capitalism one. Like small adtech startups.

Defining a surveillance capitalist company without BS is difficult although,
so in the end, I would probably just wholesale exempt private small businesses
that are not subsidiaries of larger ones. The small businesses would need to
be arms length from larger ones too.

A lot of the danger of surveillance capitalism comes from concentrated power,
and many small businesses are by definition the opposite of that.

~~~
solarkraft
Small companies can sell their data. Almost all of the data collected by all
those small companies mentioned in those GDPR popups will end up in the hands
of a few large entities.

The data is the same, regardless of who collects it. Leaking it is equally
dangerous.

------
bryanrasmussen
I noticed it asked if you hate your government, government agencies do not
have as stringent requirements as non-governmental because damn if they did
there is a particular agency I would be screwing with daily.

~~~
scottlawson
But... Wouldn't the end result just be that your tax dollars get spent
responding to bogus requests that waste a lot of time?

If you are dissatisfied with a government agency, it seems counterproductive
to deliberately make them operate less efficiently. This attitude seems like
it would just reinforce an endless cycle of inefficiency and dissatisfaction

~~~
bryanrasmussen
Since the only real interactions I've had with this agency is them screwing me
over I don't care that much about its efficiency, and I couldn't be more
dissatisfied.

On the other hand you are right in that it helps do other stuff that does
benefit me, I just don't notice the benefits as much as the harm because the
harm is direct and the benefits are societal.

------
theamk
Isn't it kinda pointless because it will only work once per "enemy"? Sure, the
first time it will waste a bunch of their time, but the second email will just
get the same canned response.

I suppose you could make it a bit worse by asking to see the information
collected - then simple copy-paste will be insufficient, they will have to run
a script as well.

~~~
jsty
The truly malevolent thing to do would be to run a programme offering their
customers a payout for sending in a GDPR request. Bonus malefactor points for
using targeted ads to reach those customers.

------
fghtr
But what do _you_ do with our personal information entered?

~~~
JerreBM
No personal data is captured or stored. The form fields are pure front-end
(VueJS), immediately outputting the values you enter into the preview box.
There is no backend that stores anything. The only tracker currently installed
is GA, which doesn't capture inputs either.

~~~
panarky
Do you have my IP address in your logs or the logs of third parties like
Google or jquery.com or jsdelivr.net or producthunt.com?

Please post the name and address of your data protection officer.

------
Avernar
Saving this. If it works, it's spectacular. And using it for Revolut, they're
horrible scammers.

------
Y_Y
FTA on why it was made:

> To show that GDPR is fucking stupid. Really, have a look at these crazy
> stats after 1 yr of GDPR:

    ~$60m in fines
    compliance costs for US firms estimated at $150b (2500x fine amount!)
    small co's hurt more than large. GOOG actually benefits!
    VC $ invested in EU startups drops significantly

Is it redundant to say that this characterisation seriously misses the point
of the legislation, and that this is a lot of trouble to go to just make a
childish nuisance?

~~~
benjohnson
In my opinion, regulation is better judged on the facts and not on its
intent.

For example, draconian drug laws have great intent but horrible externalities
- so much so, that even though I'm vehemently opposed to recreational drug
use, I'm now sympathetic to treating it as an illness and not as a crime.

------
JanMatas
So, let's say that I receive this and do not comply. What should my "enemy" who
sent this do next? What is the worst case outcome for me?

~~~
JerreBM
They can report you to their local authorities and (potentially) sue you. Take
a look at this:
[https://ec.europa.eu/info/law/law-topic/data-protection/refo...](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en)

~~~
emiliobumachar
Arguably it's an "undue burden" to send a form letter "designed to waste as
much of their time as possible"

~~~
vonmoltke
The targets will still need to spend time (and thus, indirectly, money) to
demonstrate that such a letter is such an "undue burden".

This assumes they can even do so; if there are national regulators who hold
the same opinions that some HN posters do about Google and Facebook, there may
be no definition of "undue burden" they are willing to accept.

------
NoGravitas
The usual New Yorker comic caption applies here.

~~~
nsfmc
_What a Misunderstanding!_ ?

~~~
hprotagonist
_Christ, what an asshole_

------
talonbragg
This is a really cool application. I like that you are advocating for internet
privacy. To add on to this, it would be cool if you made a .onion version of
the site for even better privacy. Then google isn't collecting my data while I
am on the site.

------
the_gipsy
Mhh, a gmail extension to reply to newsletter spam with this would be nice.

------
sparrish
EU-enabled DDoS attacks. Expect automation developments on both the attack and
the mitigation side to grow until it's cost prohibitive to do business with
those in the EU and companies simply stop offering services to its members.

~~~
mike-cardwell
Hopefully. It will be a good thing to see these privacy abusing
services/companies ceasing to exist in the EU.

~~~
TomMarius
At least 90% of sites [in the Czech Republic] required to implement GDPR are
not abusing privacy

~~~
yeppie
What does that even mean? Where did you get the 90% from? Do you have a list
of said sites? Not abusing privacy according to whom?

~~~
TomMarius
Well abusing privacy is a punishable crime here, so according to our courts -
do you say you don't trust the courts of a western, functioning, EU member
country? The figure is definitely way higher than I said since only a handful
of website operators have been found guilty ever since the law is active. The
law is not an exhaustive list btw.

> Do you have a list of said sites?

You are the one who claimed that all sites required to implement GDPR are
privacy abusers. Do _you_ have a list? In my country we adhere to the concept
of "innocent until proven guilty" and we don't keep lists of innocent
websites.

------
hrbf
This is why we can’t have nice things.

------
tomc1985
GDPR may be overkill but god damn is it needed. Startup "hackers" playing fast
and loose with data need to be reined the fuck in.

~~~
newaccoutnas
It's not startups you should be worried about as finding data for them is
difficult unless they already have a widely used product, use open data or
have a partner.

The real ones to be worried about are the usual 'do no evil' suspects. They
already have all the data.

~~~
eli
Google will have no problem complying with this request. They already have the
systems in place to do so without much effort. Many people have already
requested data from Google.

Small companies dealing with their first request likely have (at best) a
manual process that will take many hours of someone's time to process.

~~~
newaccoutnas
Whilst their processes might be superior (although that's debatable), they
very much aren't up to speed with GDPR
[https://www.bbc.co.uk/news/technology-46944696](https://www.bbc.co.uk/news/technology-46944696)
(even if the fine is small fry to them and it's financially more attractive to
flaunt the rules)

~~~
eli
That's a completely different issue from their ability to respond to data
requests like the one linked. I'd assume the incremental cost for Google to
send you the data it has on you is close to zero.

~~~
newaccoutnas
And being able to respond to requests is completely different to the op's
comment about startups, which was the original comment I added.

------
return1
this is BS that trivializes GDPR and almost amounts to fraud. someone will get
sued for this.

