
Unintended Consequences: How the GDPR Can Undermine Privacy - someonelse17
https://www.techdirt.com/articles/20180921/00522040686/unintended-consequences-how-gdpr-can-undermine-privacy.shtml
======
WorkLifeBalance
There's a better solution: Stop collecting and keeping personal data.

I can't even read this article without using firefox reader mode to skip the
cookie warning / prompt (this works for a lot of sites!).

That's a choice that techdirt makes. Framing it as an unavoidable consequence
of the cookie legislation or GDPR moves the focus to the wrong place.

~~~
volak
Collecting data subsidizes the cost of the service.

Would facebook have 1 billion users if it cost $5.99 a month?

Data collection is not going anywhere, so long as people are willing (even
unknowingly) to give up info for a perceived discount.

Now here - fill out my form with your address, email, phone, photo id, and
passport number for a chance to win a brand new 2019 Honda!

~~~
Carpetsmoker
There have been many free ad-supported services that don't collect your data
for many years: newspapers, TV channels, radio, etc.

"Accept data collection or pay for it" is a false dichotomy. Ad-supported
websites don't need data collection to be profitable, just as NBC doesn't.

Furthermore, there are many _paid_ services that collect data as well. Last
time I flew with KLM the online check-in didn't work because some JS errored
out as its data collection script was blocked. Turned out it was sending data
to _17_ domains on the on-line checkin page:

4232724.fls.doubleclick.net ad.atdmt.com apps.static-afkl.com c.webtrends.com
cdn.tagcommander.com connect.facebook.com dynamic.dimml.io
googleads.g.doubleclick.net lm.commander1.com platform.twitter.com
sjs.bizographics.com statse.webtrendslive.com t.svtrd.com tdn.r42tag.com
w.usabilla.com www.google-analytics.com www.googleadservices.com

And KLM isn't even a budget airline like RyanAir. I paid good money for my
flight.

------
DanBC
Techdirt misses the point.

Companies should only collect what they need, and only keep it for as long as
they need it, and they have to store it safely while they have it.

All companies get hacked. GDPR compliant companies will have less personal
data than other companies who see personal data as something to be gathered in
huge amounts and stored for as long as possible, or even sold off.

~~~
talltimtom
> Companies should only collect what they need, and only keep it for as long
> as they need it

For a public company that’s just not possible. They’d be throwing money out the
window just for kicks. The only way we’ll ever get there is through law.

------
Aardwolf
That's like how the EU Cookie law gives incentive to enable cookies:

Disable cookies? See annoying useless cookie warnings all the time everywhere!

You have to enable cookies to make it remember not to spam you with the
warnings

EDIT: and good point in the article, one may wonder how making it easier to
request data helps to improve privacy

~~~
icebraining
No. Cookies required to do something the user asked do _not_ require consent.
This is solely on the lazy and/or dishonest webdevs.

See
[http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#se...](http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#section_2)

~~~
Aardwolf
Before the cookie law websites did not have annoying useless cookie popups
though, so it's an unintended consequence

~~~
s73v3r_
No, it's more the bratty kid on the playground who isn't getting their way, so
they're throwing a fit and threatening to take their ball and go home.

~~~
yarrel
Avoiding big fines isn't throwing a fit.

~~~
true_religion
I agree. For all that people say there is nothing to worry about, these are
fines that would be levied by foreign governments so a company may not really
have insight to how likely it is they will be fined.

It's a lot easier for a government to fine a foreign corp than to fine a local
one whose workers are all voters and taxpayers.

------
Normal_gaussian
Note that techdirt tracking consent form start with all options pre-toggled to
"active".

This is in violation of the GDPR, is a pain to turn off, and indicates that
no, techdirt does not care about the users' privacy.

~~~
jakeogh
They are a US company, and therefore not subject to EU law. Sovereignty is a
beautiful thing.

~~~
Carpetsmoker
A lot of the companies that store the data aren't. It's not TechDirt storing
most of the data: it's all the 3rd-party crap they load.

But that's not really the point I think, the article claims that they care
"very much" about your privacy, while at the same time sending your data to
dozens of different companies and making it hard to get it to stop doing that.
That's not caring "very much" about privacy.

~~~
jakeogh
True, it's difficult not to leak personal details in ways that most users do
not expect and/or want, which makes it easy to game by providing deceptive
solutions.

GDPR is an attack on memory, starting with conditioning to accept regulation on
what experiences can be legally remembered* (like who visited your property
and their attributes). It starts on a subclass to make it acceptable.

Once that is 'OK' the power centers can expand memory restrictions and go back
to adding rules on what can be said (transmitted or acknowledged).

*I'm deliberately trying to mix 'remembered' (like wetware does) with 'saved', or 'written' (like wetware creations do).

~~~
AstralStorm
No, GDPR is not an initial wedge to drive in censorship at all.

That has been tried before (SOPA, PIPA).

~~~
jakeogh
It is, because it censors what you can remember.

Anyway, what I was alluding to already happened: Article 13

It will get worse before the EU breaks up completely. I bet POLEXIT next.

------
surak
Who can come up with these stories? Like saying that if you let someone hack
your email and download all your emails it's the provider's fault. These
unknowingly ignorant media superstars of today.. Cheeze.

------
raverbashing
On other services, when you request your data, they send it (with some delay)
through a secondary channel (email, for example), which would prevent this
attack.

(Yes, ideally services would collect less data, but if your account gets
hacked they can access some data regardless)

------
grigjd3
This is absolutely a problem we thought about, but we never found a good
solution. Try getting the general public to use two-factor auth. Just try and
see how that works out.

~~~
Aengeuad
What is wrong with simply sending a confirmation link via email?

~~~
AstralStorm
You need to have a secure email and an email address is protected user
identifying data subject to GDPR.

Web does not require email for most things.

------
talltimtom
Unintended consequences of flatscreen TVs. They increase the loss when people
break into your home! When will lawmakers take action and ban those pesky
flatscreens...

~~~
mmt
That's a poor analogy, since flatscreens aren't state-mandated (nor have a
mandated value-increasing component).

A better analogy would be catalytic converters, which increase the loss when a
car is stolen, since there's a significant quantity of precious metal up the
tailpipe.

Perhaps an even better analogy (since it provides a direct safety benefit to
the purchaser) is that of airbags. For a while, they created an attractive
break-in/theft target on their own, due to their very high value to
size/weight ratio. I'm pretty sure that was an unintended consequence, too.

~~~
brokenmachine
People stole airbags?

~~~
mmt
It's not even past tense, in that it still happens. A web search for "airbag
theft" should reveal that it's still an issue.

Presumably it's only less of an issue because the cost of the part has come
down from $1k or more (in '92 dollars, no less).

------
Aengeuad
This article is a biased hit piece against the GDPR that only wants to present
one side of the issue. It is true that the GDPR requires websites to allow
users to download their personal data in a machine readable format[0], also
known as 'the right to data portability', and this is what was 'exploited'
here. The rationale behind this article is as the name implies, it grants the
user the right to easily transfer their data from one platform to another. The
historic rationale for this is to allow users to easily move between social
media platforms, instead of noting down the names and emails of every one of
your friends you can just download your full profile and, in principle, upload
this to another social media platform that can automatically do the work of
re-adding all your friends. It is also useful for other websites, say you have
uploaded 500 photos to one image hosting site and have customised them by
giving them titles and descriptions, the right of data portability means that
you can download all of these photos and titles/descriptions in a machine
readable format so that they can be uploaded to another competing website.

The GDPR also requires companies to provide another means to access data that
is different from the right to data portability, this different article is
known as 'the right of access by the data subject'[1] and has much more
stringent requirements. It can apply to things like your work place or
previous places that you have worked, it can apply to health providers, it can
apply to a security consultancy agency you hired 15 years ago to install
alarms to your house, etc. The purpose of this article is to provide the
'checks' part in checks and balances, it allows a user to verify whether a
company is holding information on them, what data they're holding, why they're
holding it, and the rights of rectification or erasure (that is again separate
from the 'right to erasure' article) among other things. This may seem similar
to the right of data portability at first glance but it covers different
niches and is much more broad with a bigger bite, it can apply to companies
that do not have a website and to companies you do not have an account with
(but may still be holding data on you).

Techdirt however confuses the purpose of these two articles and instead
transposes the rationale behind article 15 onto article 20 and calls it a
failing of the GDPR. Quoted here:

>That's because, under the GDPR, platforms are supposed to make all of the
data they have on you easily downloadable. The theory is that this will help
you understand what a company has on you (and, potentially, to request certain
data be deleted). But, it also means that should anyone else get access to
your account, they could access an awful lot of important and/or personal
data.

Let's be clear here, this is not a failing of the GDPR and is arguably a
reason as to why the GDPR needs to exist in the first place especially in
regards to requiring clear and informed consent or having clear explanations
of what data is kept and why. The last part of the quote rings true, if
someone has access to your account they can collect the data that is on that
account. It should almost go without saying, but it is an embarrassment that
it needs to be explained to a tech blog that is masquerading as tech
journalism. Other people in the thread have given the example that if someone
has access to your email account they can download all of your emails. If
someone has access to your Facebook account, they can access all your messages
and posts, private or otherwise - hopefully you haven't sent any private
pictures to anybody. If someone has access to your Google account they likely
have access to 1) your emails, 2) your full search history for however long
you have had that account, 3) your full Youtube search history, 4) any private
or unlisted Youtube videos that you may have uploaded, 5) any files you have
uploaded to Google Drive, 6) any spreadsheets or documents you may have
uploaded (if you have flown before and have opened your e-ticket in Google
Docs this will have your passport number on it), 7) your full payment history
through Google Play or Google Wallet (now defunct), 8) your full location/gps
history if you have location enabled on your mobile device, etc. The list goes
on. More importantly than having access to all of this, with nothing more than
knowing the password, a black hat will be able to crawl all of this data using
public scripts that can be found on Github and they can do _all_ of this
without the right to data portability. This is one area where black hats as
well as technically inclined people have been more aware of the risks of using
services like Google than the average person has, and it should remind anybody
of the adage 'convenience is the enemy of security'.

The article goes on,

>As Jean notes in a later tweet, this kind of thing could really come back to
bite other services, such as Lyft or Uber. She jokes: "Would be pretty bad to
get hacked and kidnapped in the same day."

Yes, that would be unfortunate. What is more unfortunate is that companies
have trained users to accept that there is no compromise, that it's all or
nothing, that users need to store their full location and travel data or none
at all. I understand the convenience of being able to rebook frequently
travelled taxi routes, I understand the convenience of having a fitness
tracker that logs GPS data, however it is a convenience that needs to come
with clear and informed consent, with an explanation of the implications of
keeping this data that may be accessed and updated in real time, and it needs
to come with the option of selectively being able to choose where or how much
you would like to opt out. I am struggling to think of how this could possibly
be a failing of the GDPR over a failing of the companies to provide these
features and opt-outs without formal legislation. As a thought experiment,
what would happen if Uber or Lyft had a data breach that had
leaked all of their booking history? What would happen if Google had an
authentication failure and allowed anybody to view your location history? Or
how about allowing anybody to use 'Find your phone'?

The final insult to injury in the article is this quote,

>There are possible technological solutions that could help (again, as Jean
suggests), such as using multi-factor authentication to access your own data
(one-time passwords, Yubikey, etc), but it's telling that few companies (or
regulators!) have really thought about that, because that vector of attack
probably hasn't occurred to many people. But, it probably will now.

This is not a new attack vector by any stretch of the imagination and to
suggest that it's due to the GDPR is quite frankly horribly misinformed. There
was a technique that was popular around 2004-2006 (if Google Trends is
anything to go by) that was known as 'fusking', the gist of it is that
incremental or predictable file names can easily be guessed and crawled by
computer scripts and utilities, it was more often than not used to extract all
urls from an image gallery (usually pornographic) however it presented
difficulties in personal image hosting websites, as filenames along the lines
of "2004-07-22-0035.jpg" could just as easily lead to images that could
accidentally be crawled if an attacker were to put
"2004-07-22-[0000-0100].jpg" into their fusker utility. This presented some
challenges to hosting companies who needed to add UUIDs to the filenames, and
eventually the attack was somewhat mitigated when mobile phones started naming
images with much finer granularity or even adding a salt to the image so that
it could not be guessed. This is why websites like Facebook have long and
unwieldy urls so that they cannot be guessed. While this attack is an old one
it still pops up from time to time, in 2006 both Microsoft and Google had a
vulnerability where their url shortening services could be guessed, which led
to accidental exposure for users who were using short urls to generate links
to private folders. You may be thinking that this is only tangentially related
to being able to download user profiles, and I'll admit that it is, but I want
to reinforce the point that black hats and other attackers, or even more
technically inclined people, are far more equipped to think about the
possibility of crawling and downloading large amounts of data that a regular
user may be oblivious to or not even realise exists.

To give the article a tiny bit of credit, the GDPR does not stipulate that the
right to data portability should require additional authentication like multi-
factor (which can be as simple as an email link with a one time token), and
this is certainly a shortcoming that should be addressed, but it is also a
shortcoming that a company that cares about your privacy should be able to
address of their own accord.

EDIT: on reflection it is a novel idea that just anybody can download your
full profile if they have access to your account but at that point the damage
has arguably already been done, a site like Facebook requires you to wait for
a while before a download link is generated and ones like Google require a
password before you can change any account settings. It's probably less
intrusive and noticeable if you crawl the profile than to use the download
link as there won't be any emails sent.

[0] [https://gdpr-info.eu/art-20-gdpr/](https://gdpr-info.eu/art-20-gdpr/)

[1] [https://gdpr-info.eu/art-15-gdpr/](https://gdpr-info.eu/art-15-gdpr/)

[2] [https://arstechnica.com/information-technology/2016/04/guess...](https://arstechnica.com/information-technology/2016/04/guess-what-url-shorteners-short-circuit-cloud-security/)

------
lowry
It's ironical that websites implement GDPR compliance using cookies.

~~~
TheCoelacanth
How is that ironic? GDPR does not say that you cannot use cookies. It says
that you must apply limits to the scope of data that you collect about users
regardless of the means that you use to store or collect that data.

~~~
AstralStorm
Also cookies are not stored on their systems. The result though is that they
also have to comply with EU "cookie law".

------
amaccuish
TL;DR, someone who has gained access to your account can also download your
account history.

It's like complaining that someone who "hacks" into your email account can
download all your email.

~~~
dredmorbius
E2E encryption of email _by a client-controlled key_ avoids this problem.

The _encrypted_ archive remains accessible, but actually reading it requires a
key only the client holds. This neutralises most email account phishing
attacks.

------
interfixus
This particular case is a poor example. It's about someone screwing up her
password management and getting pwned, and then suggesting everyone should be
burdened with two-factor nonsense to protect her from such a thing ever
affecting her again.

But the GDPR itself, yes, _of course_ it has negative effects like most
centralized bessermachen from the EU commissars have. I've never understood all
the starry-eyed hosannas for this slide down into supranational control of
things no governing body ought concern itself with.

It has its moments, if you're into dadaism. The other day I had a phone call
from my vet. Because of GDPR they felt obliged - belatedly - to mail all
customers some info about why and what. They didn't have my email address,
could I please give it them?

