
Brendan Eich Writes to the US Senate: We Need a GDPR for the United States - mochtar
https://brave.com/us-gdpr-senate
======
miracle2k
The practical effect of GDPR seems to me that I have to click away about half
a dozen consent popups every day. Sometimes a cookie warning in addition to
that.

If I use Private Browsing (to protect my privacy) I am punished with more
popups. If I open a website within a browser shell on mobile that doesn't have
my cookies (some kind of webview of an app), I am punished with more popups.

Am I expected to look at every one of those dialogs and figure out what I have
to click to "customize" my tracking?

Then there are the technical problems; one of those consent "solutions" that
you see around actually shows a spinner while your "preferences are being
saved". Sometimes it never closes.

I am frankly already so tired of this that I don't even care to look which of
the buttons says "Agree" and which one says "Refuse". I just click on whatever
I see. I know for certain that for less experienced users (my parents), every
additional button to click is just another hindrance to achieving what they
need to do. The thought "what if I click the wrong thing" is a permanent
companion of their computer use.

These are very real, very concrete negative effects of GDPR. Is there
something that we gained to make me feel better next time I am annoyed with
all the popups?

~~~
OskarS
> These are very real, very concrete negative effects of GDPR

Your annoyance is misplaced. Don't be annoyed at GDPR: be annoyed at all the
companies who have spent the last decades building an entire web-
infrastructure with zero respect for user privacy. We built massive amounts of
technology infrastructure that just assumed that privacy and tracking wasn't
an issue. Why do these websites need all these cookies in the first place? If
I'm visiting a random blog with no advertising on it, why is it asking me for
cookie consent? What possible purpose could that cookie serve, except tracking
users?

As an analogy, imagine taking a black-light to a hotel room and realizing that
the room is absolutely filthy. Would you be angry at the black-light for
revealing the filth to you? Or would you be angry at the hotel, for not
properly cleaning up?

If cookie consent forms or GDPR compliance forms annoy you, don't blame GDPR.
Blame the sites that have no regard for your privacy and make no effort to
comply beyond throwing up annoying prompts.

~~~
andrewla
Counterpoint: be annoyed at GDPR.

If a new regulation insisted that on entering a hotel room, a member of the
hotel staff had to use a blacklight and you needed to explicitly approve every
illuminated mark larger than a quarter, then you would be annoyed at that
regulation.

There are supposed to be all sorts of other GDPR protections, about rights to
be forgotten, about being able to access and selectively remove personal data
from an online profile, that I have no idea how to activate. Instead all I
get, as a user, is a bunch of consent forms, like the stupid cookie warnings,
that I have no idea how to respond to, and no idea what I'm committing to when
I click them.

~~~
apexalpha
> If a new regulation insisted that on entering a hotel room, a member of the
> hotel staff had to use a blacklight and you needed to explicitly approve every
> illuminated mark larger than a quarter, then you would be annoyed at that
> regulation.

How about this. For the past 25 years every hotel that you checked into has
kept a record of:

- How often did you visit?

- How much money did you spend?

- What type of CC do you have?

- Did you watch porn?

- If so, what is your favorite type?

- Did you pass on dietary restrictions to the chef?

- Were you alone?

- Did someone other than the person listed as your wife on FB join you for
the night?

- etc... etc... etc...

And then, without your consent, without even notifying you they sold this
information to credit score companies, to advertising companies and to whoever
the fuck will buy it.

Without. Your. Consent.

THIS is how the internet works today. Everyone grabs as much data as they can
and then sells it to whoever wants to buy it. You have no vote in this. It
just happens and it says so in weird legal terms on page 373 section 44
subsection 7a of their 700 page Terms of Service.

GDPR gives you this vote.

GDPR says: if you want to resell data you harvest you HAVE to get their
consent, in clear and understandable terms. Can't bury it in your TOS.

GDPR says: you cannot make your website / app / service unavailable if people
refuse this.

GDPR says: you can ask companies how much and which data they got on you and
they have to provide it.

GDPR protects you from an invisible industry many people don't even know
exists.

~~~
TomMarius
> And then, without your consent, without even notifying you they sold this
> information to credit score companies, to advertising companies and to
> whoever the fuck will buy it.

> Without. Your. Consent.

I'm _really_ sure that every hotel has its terms of services. So does Facebook
and every other site. What you described has always been illegal, and it has
also never happened. What was sold was composed of data according to the terms
of service that every person included agreed with. If agreement isn't consent,
what is?

~~~
TeMPOraL
Did you read, or were you even aware of, a ToS of _a hotel_ on use of personal
data? This is entering the "local planning department in Alpha Centauri"
territory.

As a regular person, you should not _need_ to be aware of such things. What
GDPR tries to do is to restore some sane defaults into the process, just like
customer protection laws do.

~~~
TomMarius
Yes, I generally check ToS of whatever services I use, including hotels. And
no, it's no "local planning department of Alpha Centauri" territory, it's
available on their webpage and in paper form at the reception, usually framed
and hanging on the wall. I check it to see what happens if I overstay, but
skim through the whole thing.

As a regular person, if I want to use a service offered by someone, I should
at least look into their terms - even with GDPR in place.

I'm not saying I disagree with you - but that's an opinion; on the other hand
you said that consent _was not_ given, which is simply not true - consent has
a definition and that definition was fulfilled, the law doesn't treat ignorant
people differently. If you want to say "I don't think <something> should be
enough expression of consent", that's OK, say it - but don't lie.

~~~
TeMPOraL
Fair enough. I do read the regular ToS of the hotel that they frame and hang
on the wall; it's usually standard stuff and not once I remember reading
anything there about use of my data. It's just the usual "hotel night is from
X to Y, please don't do <list of ridiculous stuff that some people apparently
do in hotels>". So from your comment I assumed that there must be an _extra_
ToS that covers use of personal data. If there is, I've never noticed it.

~~~
TomMarius
I don't think there are many hotels handling your personal data except for
legal purposes, so they mostly don't need any data policy. So far I've
encountered one that simply said that data might be shared with other branches
of their company, which I'm happy about.

------
a008t
Somehow, I feel like the old, unregulated internet was better. I wonder if
that is just nostalgia or there is something to it.

With an unregulated internet, any internet user has to take care of their own
privacy and anonymity. Barriers for entry for new websites and services are
very low. Data breaches and abuses of data can lead to users being concerned
about giving their data to tech monopolies, which can enable competition.

Regulations like GDPR arguably make users complacent and lower their guard,
as well as strengthen the tech monopolies by adding to their moats. Would
Facebook have been able to displace Myspace in the current environment? Or
Google displace Yahoo?

The internet was doing fine for decades with minimal involvement from
governments - why change things?

~~~
oblio
> The internet was doing fine for decades with minimal involvement from
> governments - why change things?

Things change on their own. The internet used to be accessed by highly
sophisticated and technical users. Now it's mainstream.

And all mainstream things follow two basic rules:

1. Everything moves at the speed of the slowest person.

2. The weakest members of the community need to be protected.

~~~
shady-lady
> The internet used to be accessed by highly sophisticated and technical
> users.

Quaint but that's simply not true unless you're talking pre 90's. No point in
kidding ourselves.

The internet was accessed by people who accessed the internet. They popped a
floppy/cd in a drive and followed instructions. They then opened a browser and
typed a url.

Nothing sophisticated about it.

Nobody was creating electrical signals by hand and sending them down a home
made wire.

~~~
oblio
> Nobody was creating electrical signals by hand and sending them down a home
> made wire.

I think we're talking about completely different levels of sophistication.

You're talking about electrical engineers vs regular users, I'm talking about
levels of functional literacy... Don't forget that the average Joe/Jane has a
level of functional literacy of somewhere around mid to late secondary school.

The earliest internet adopters were universities (so an entirely different
level of education) and after that it was middle or upper class people who
could afford a PC and an internet connection plus had the interest in doing
so, considering that PCs until Windows 95 were either too expensive or not
very user friendly.

The current internet, thanks to mobile devices and cheap, ubiquitous internet
access, is truly accessible universally.

~~~
shady-lady
> highly sophisticated and technical users

I'm pointing out that referring to those users as the above is simply not
true.

As you then point out, wealth (direct or by proxy) was the determinant in
whether somebody had internet access, not high technical sophistication.

And wealth in and of itself is not a signal of high technical sophistication.

~~~
TeMPOraL
It wasn't wealth, it was interest. There was a period where the Internet (or
PCs in general) were more of a curiosity than anything else, and you had to
have some motivation to jump over the complexities of operating a computer and
going on-line (not to mention some motivation to buy a PC/get your parents to
do it). It served as a natural quality filter for a while.

------
Aissen
It's funny, I was listening to the Hanselminutes, and in a recent episode, his
guest (a lawyer) was underlining that the US partially created the current
situation where currently its companies are at a loss in front of GDPR: by
refusing to take the lead on data privacy issues, the US didn't have a
framework for privacy laws, and couldn't negotiate a convergence of laws with
the EU (I'm paraphrasing).

https://www.hanselminutes.com/647/how-gdpr-is-affecting-the-american-legal-system-with-gary-nissenbaum

~~~
18pfsmt
While I haven't listened to your linked episode, 'privacy laws' by definition
come into direct conflict with the 1st amendment (i.e. free speech) to the U.S.
Constitution.

~~~
Tecuane
I admit I'm not an American citizen, and have never actually stepped foot on
American soil, but I do see the "first amendment" and "free speech" arguments
being trotted out for almost anything that involves communication between two
parties being restricted. This, in my experience, has been common in (privately
owned) web forums when an American user is banned for misbehaviour, or rules
are changed to prohibit certain types of content or speech on those forums.

The text of the amendment, as I'm sure you're aware, reads as follows:

> Congress shall make no law respecting an establishment of religion, or
> prohibiting the free exercise thereof; or abridging the freedom of speech,
> or of the press; or the right of the people peaceably to assemble, and to
> petition the Government for a redress of grievances.

I admit I fail to see how this prohibits introducing a law preventing an
organisation from collecting data from individuals without them explicitly
opting in to it.

~~~
smu
I'm also not an American, so I might miss subtle cultural context, but I would
also be astonished to learn that the first amendment is absolute. There must
be at least provisions that limit speech that would harm others, as [1]
suggests (child pornography, fighting words,...).

The EU (you might be surprised to learn) also recognises the freedom of speech
(in fact it's a universal human right, see [2] article 19). However, this does
not mean GDPR is not valid law, just as I have a hard time understanding how
the first amendment would prohibit privacy laws to exist.

[1] https://en.wikipedia.org/wiki/United_States_free_speech_exceptions

[2] http://www.un.org/en/universal-declaration-human-rights/

------
JumpCrisscross
I would prefer starting small and cautiously scaling up. “If you lose my data,
you are strictly liable” is a good start because it lets case law work through
the holes. (It also causes companies to see personal data as an asset _and_ a
liability, not just the former.)

Full-blown GDPR is overkill. It makes more sense to wait a few years and see
if the situation in Europe evolves differently from the U.S. I personally
believe the law fails to incentivise the sort of behaviour it aspires to, but
that’s merely a hunch—better to wait until we have data.

~~~
brynjolf
"This is not the time to talk about guns"

~~~
JumpCrisscross
> _This is not the time to talk about guns_

That’s disingenuous. I’m saying this _is_ the time to talk about data. But
instead of coming out of the gate with a gargantuan salvo of complicated,
expensive and unpredictable regulation, let’s start small and work gradually.

------
jMyles
1) I don't agree. I prefer to have GDPR in Europe, no GDPR in the USA, and see
which turns out to be better for human rights. I suspect that GDPR will very
soon start to be used by corrupt politicians and other criminals who want "to
be forgotten" for their misdeeds (ie, censor us when we want to remind the
public).

2) I can't help but notice that GDPR is a great idea for Brave / BAT. And
look: I'm long on BAT (I'm not wealthy enough to be a whale or anything, but I
bought a small amount in the very early days). But this seems self-interested
to me, rather than an assessment of the proper course for American politics.

Eich admits this in part, of course, saying early in the letter that "I view
the General Data Protection Regulation (GDPR) as a great leveller. The GDPR
establishes the conditions that can allow young, innovative companies like
Brave to flourish."

But he also says "The enormous growth of ad-blocking by people across the
globe (to 615 million active devices by late 2017) proves the terrible cost of
inadequately regulating the tracking-based advertising system."

Does it? It seems to me that people are working to find ways to improve their
lives, and that they'll keep doing so to the chagrin of the internet behemoths
absent any "regulation". In other words, the state is not needed to make this
phenomenon regular - it's already quite regular and becoming moreso.

Let Brave and Chrome fight it out and the best (not the most politically
expedient) one win. For now, I'm using Firefox.

~~~
TorKlingberg
Ironically, I want an ad-blocker that hides all GDPR consent popovers, cookie
warnings, etc. They are a constant annoyance, especially on mobile. Also a
browser that automatically uses a VPN when an American news site blocks
European IPs.

~~~
Rjevski
Cookie "warnings" and forced "consent" popups (with no or difficult opt-out)
are not GDPR compliant. GDPR mandates that all tracking and related bullshit
should be opt-in. So the annoyance isn't the GDPR, it's the lack of
enforcement of it that allows shit websites to get away with not being
compliant.

------
kodablah
If legislation is really required, and I'm not convinced it is, can we start
small? This stuff never gets rolled back and tech companies' use of personal
data is the new terrorism.

Again I'll take none, but if this ridiculous fervor that's been built requires
something, how about not-tech-specific rules around data sharing transparency?
Just require details on what's shared and with whom for those seeking it
(ideally companies publish it to prevent requiring individual request/response
scaling issues, but their choice). You're gonna find most people don't care
anyways, so they shouldn't be burdened with more hardline privacy
requirements. Just increase the visibility for now.

And please please learn from EU mistakes and establish enforcement mechanisms.
Don't just make exorbitant ceilings and move on. Have a framework to punish
violators, and again start with small legislation until it can be shown
enforcement occurs and is working.

Having said all that, can we just start with pro-privacy PSAs, education,
targeted advertisement awareness, punitive measures for breaches, and
relaxation of legislation preventing me from scraping/manipulating/proxying
these sites however I want? If we all have to hire lawyers and/or compliance
assistance, then the first step is too large. We can make our way towards
delete-all-my-data-on-request laws later. Not sure what made this an emergency
(actually I do know based on media and political driven fervor, but that will
be best studied through the lens of history). But all these tech people, OP
and commenters here especially, don't speak for many people who accept the
current state or reasonably understand heavy-handed government regulations on
the internet bring more bad than good.

And for goodness sake, don't use the domain of your should-be-neutral software
to make a political post. You aren't gonna feel any pain now because you are
in the same line with other popular pitchfork wielders, but your political
leanings have bit you before, why would you associate your company with them?

~~~
kiriakasis
> And please please learn from EU mistakes and establish enforcement
> mechanisms. Don't just make exorbitant ceilings and move on. Have a
> framework to punish violators, and again start with small legislation until
> it can be shown enforcement occurs and is working.

There are enforcement mechanisms in the GDPR. IMO they also are quite good. The
max fines are huge, but there are mechanisms to help misbehaving companies into
compliance and also protect companies from random lawsuits by individuals.

~~~
kodablah
> There are enforcement mechanisms in the GDPR. IMO they also are quite good.

Based on my research into the lax enforcement of GDPR predecessors and GDPR
leveraging those same enforcement bodies, I disagree. This is why I advocate
an incremental approach; so you can prove you are adept at implementing the
measures you write down lest it become just words, or worse, an economic
warfare tool to subjectively apply on a whim. Sometimes you even have to
temper those words knowing your enforcement mechanisms aren't yet prepared.
Nobody's asking for going after all offenders, just reasonable attempts at
equitable large-scale enforcement.

------
cinquemb
It's somewhat amusing watching the overt rhetoric of advocating for data
privacy enforced by governments when the majority of even technical people
understand covert exploitation that is happening by said governments (and
leaked to n number of 3rd parties [non govs, ngos, even the public
occasionally via incompetence/leaks/hacks, etc] around the world on an
increasing basis), which has the dual benefits of making the uninformed or
willfully ignorant feel good without actually changing the state of things.

~~~
simplecomplex
Yup, and notice not a single person crying about privacy has been materially
harmed from companies using their information to target ads or provide better
products.

------
denysonique
I don't want it to end up in annoying dialog boxes and degraded UX on every
website like it currently is in Europe.

~~~
furicane
That's great. I don't want my information stored, analyzed, cross-referenced
and re-sold around without me knowing what's going on.

Oddly enough, you're frustrated about "degraded UX", but for several years now
- UX has been terrible with annoying popups asking you for your email,
advertisement-ridden websites that attract traffic via well-crafted titles
while the content is something to be desired...

Don't be a peon. But if you decide you want to be one, think about your other
fellow humans - maybe they don't want to be peons.

~~~
simplecomplex
Your information is still “stored, analyzed, cross-referenced and re-sold” and
even though the GDPR doesn’t stop that, you feel better because you “know
that’s going on”.

I don’t get it. Have you ever been materially harmed by businesses storing,
analyzing, or reselling information regulated by the GDPR?

------
exabrial
GDPR makes using websites a terrible user experience with the million cookie
prompts. My parents will click on anything to make popups go away. Please no.

------
mychael
This is so misguided. GDPR is a disaster and only entrenches large companies.

~~~
BrendanEich
No, big companies have the greatest business-plan, tech, and compliance debt
and are slowest to change -- the bizplan debt alone can be retired rapidly
only at great risk of breaching fiduciary duty to shareholders.

Neither Google nor Facebook is in compliance with GDPR. FB was busted using
2FA phone number for ad targeting. Google has been taking data for various
purposes for decades and linking it all together for other purposes. These are
bright-line violations of GDPR's purpose-limitation design.

Smaller companies, by contrast, can change more quickly or start with
compliance by construction, as Brave has.

It's a silly slogan that GDPR only helps big incumbents. Regulation tends to
help incumbents under varying degrees of regulatory capture, as in the US.
Europe is different, and India, Brazil, and other jurisdictions are following
suit. California's CCPA is weaker (on protected data, opt out rather than opt
in, ambiguity about duress = denial of service if off-purpose data not
provided, enforcement), but also in line.

------
alkonaut
The GDPR is mostly good. The right to find out and delete the data is
excellent. The bad thing is the constant consent popups which have become
synonymous with the GDPR.

Obviously there are also still a lot of sites that try to wiggle around the
GDPR by saying "By entering the site you agree to X", a practice that should
soon be found to be in violation of the regulation. If that is allowed, the
regulation for storage/processing becomes almost pointless.

That data collection should be opt _in_ if it isn't an essential function of
the app/site/service.

~~~
icebraining
It's certainly in violation - Recital 43 is quite clear on that.

------
desireco42
I am sick and tired of auto playing videos, popups etc. It is not GDPR's fault,
media companies are milking us. Yesterday I got to an article that was covered
with overlays and popups. You couldn't even see the title. I realized, I
didn't care that badly to read it anyway and abandoned it.

Strangely, we are still enduring this terrible UX experience, mostly because
we don't have good alternatives or those that exist, are not known. I think we
should spend time creating those and discovering and promoting healthier
information sources.

------
matchagaucho
_"Right to be forgotten"_ is a core tenet of GDPR. It'd be interesting to
see if the U.S. would enforce the hard delete of social media profiles upon
opting out.

------
scoom
Something to torpedo tech everywhere. Yay!

~~~
frockington
Maybe if the US regulates hard enough, they can stifle progress and become
like Europe!

------
the_gastropod
Really strange that the Brave website of all places includes a Javascript that
hijacks your native scroll. Why is that smooth scroll library so popular? It's
really obnoxious.

------
simplecomplex
No we don’t. There’s no privacy problem that needs solving.

Brendan Eich is seeking protection for his failing business from the
government. He wants to use the force of law to make his browser more
competitive.

I’ve got a better idea: let’s make JavaScript illegal. That’ll hurt the
advertising industry too!

------
aerovistae
Data protection we do need indeed, but the EU is the last entity I want to be
emulating on internet laws, except maybe China.

~~~
akuji1993
I just love having internet laws written by people who can't use a computer
without help. Makes so much sense...

~~~
toyg
Do you actually know any MEP? The younger generations are less stupid than you
might think.

Politics is a slow game, the people who grew up with Windows 95 are only now
starting to get elected.

~~~
lowry
In the current legislature, there is one former software programmer MEP and
Linus's uncle, who is not a programmer but knows a bit about software.

There's also Julia Reda, but she is really just a filesharer and a politician.

~~~
pavlov
Small correction: Finnish MEP Nils Torvalds is actually Linus’s dad.

