
GDPR Feels Useless - GuySake
https://medium.com/@fabien.ungerer/gdpr-feels-useless-b4bb70e89dd6
======
guitarbill
Don't read this. There's so much misunderstanding in this article, I'd be
surprised if any good discussion came from it. And refuting it would take
ages.

For example:

> And apparently typing your name, age and other information is not consent.
> How is this supposed to work by the way? I give you my name but I don’t
> consent to you using it or remember it?

The way it's phrased is misleading. If you _need_ the data and are going to
use it in the obvious way, e.g. for shipping a parcel to my address,
legitimate interests works fine. If you're a scumbag marketer or data
broker/reseller (etc), then yeah, it's going to impact you. That was the idea.

So instead of bikeshedding arbitrary scenarios, let's do something more
productive with our day.

~~~
pas
The better response to "typing is consent" is that, okay, you gave our
address, now we're creating adverts with your house, making it look like
you're selling it, soliciting offers in your name, and so on. Even though you
just ordered a bumper sticker from us.

So, consent is given for a purpose, and you can't really do that with just an
input box. Hence the fancy opt-in modal dialog wizard thingies, and the
checkboxes at registration/payment time, and so on.

------
Orangeair
This is just a weird article.

> But do you know what data I have access to when you come on my website ?
> Well only your IP and some information about your computer and browser.
> That’s all.

It's pretty well known by now that that's often more than enough to identify a
specific user. "That's all" really undersells it.

> It’s true I can create an ID and save it on your browser (I can do much more
> but we will stay focus). Your browser, not your computer.

That's effectively the same thing -- the vast _vast_ majority of users don't
use more than one browser per device, and I'd be willing to be that the few
who do use more than one mostly use them for different websites.

> So the very first thing you need to understand about data privacy is that
> YOU protect your own data by not giving it away without thinking.

And here it is. This article is basically just victim blaming. "You didn't
want this website to identify you based on the unique combination of user
agent, viewport, and feature detection? Then you shouldn't have visited this
website with that user agent, screen size, and set of features enabled in your
browser."

~~~
threatofrain
I’d ask similarly, when you enter the public sphere, does that give me the
right to collect DNA samples you’ve “voluntarily” dropped on the floor, like
in police shows? You abandon your privacy when you voluntarily expose yourself
to the public, right?

I think the public is divided on the issue and have no consensus nor common
language for matters of privacy.

------
Mirioron
I don't view GDPR to be quite as useless as the author does, but the point
about the user having to protect their data themselves is spot on. GDPR only
protects you against good actors that are under EU jurisdiction. Everyone else
could very well be doing whatever they want with the data you leak. The EU
can't fine a Chinese company if the Chinese company has no presence in the EU.

Another thing the author doesn't mention is that GDPR sets a minimum amount of
cost/effort to run a website that's way beyond the actual hardware cost and
the cost of making the website itself. It requires every website operator to
be familiar with how GDPR works, because you need to know whether you're
collecting personal data (you probably are) and how you need to handle it.
Furthermore, if you are collecting personal data then you must respond to
emails of users who request to know what data you know about them within a set
amount of time. In the case of a small website, such as a forum or blog, I
would consider the cost imposed by GDPR to be greater than the cost of making
the website itself and renting hardware to run it. I think it
disproportionately impacts smaller sites. It essentially leads to small sites
simply breaking the law and hoping that nobody complains about them.

~~~
pas
First of all, GDPR does not apply to personal sites. (
[https://law.stackexchange.com/a/28086](https://law.stackexchange.com/a/28086)
\- see current "in force" version of the directive: [https://eur-
lex.europa.eu/eli/reg/2016/679/oj](https://eur-
lex.europa.eu/eli/reg/2016/679/oj) see recital 18)

> [...] GDPR sets a minimum amount of cost/effort to run a website [...]

This is simply false. If you want to post something on the 'net, nothing
changes. You want to count page downloads? (You know those old school CGI
counters.) Nothing changes. You want to know how many individual visits you
got? Well, you need to try to distinguish between new and returning visitors,
hence you might put a cookie on the visitor's browser/client/useragent, now
you need to ask nicely, because it's eerily easy to use that cookie for a lot
of other purposes. (Similarly if you would try to use something else, like IP
address, and/or browser fingerprinting.)

And so on. Yes, I like pretty graphs about visitors (browser screen size
distribution, fancy geoip charts, etc), but so do the people that live off the
not so innocent usage of this kind of data.

And yes, if you collect personal data, then you should be able to protect it.
This was always the case, GDPR simply states this and tries to create a
mechanism that forces data holders to act accordingly (via the mandatory data
breach reporting). Again, similarly, if you handle a lot of data you should be
able to accurately take a stock of what kind of data you have about whom,
hence the requirement to respond to these inquiries.

> I think it disproportionately impacts smaller sites.

Agreed. But small sites were always at the mercy of random script kiddies.
They always lacked resources to properly handle updates/upgrades, security,
data, end-of-life termination, etc.

GDPR at least makes WordPress, discourse, and random blog and forum engines
able to deal with the reality of how much value their databases represent
nowadays.

~~~
samdunham
I'd say that medium sized sites are more troublesome in that regard. Once a
site has grown big enough to become cumbersome for one person to manage, but
not large enough for most to justify staff, then you have an issue. There
shouldn't be any excuse for a small site to fall behind with updates, etc...
It's simple.

~~~
pas
Absolutely. This is the typical problem of small-medium sized shops everywhere
around the world. If you're just a really small one-man army, big companies
don't really care. If you are getting bigger, suddenly you will find
competition and a lot of regulatory burden. (Most startups usually fail at
this point as far as I know.)

------
mrgreenfur
GDPR is a fundamental step towards controls of data as a basic human right. It
does not define clicking on banners or cookie disclaimers. He's mad that the
world hasn't already matured their adherence and that's reasonable but don't
throw the baby out with the bathwater.

GDPR is a great step towards empowering consumers. Give the industry and
regulators more than 1 year to change it's behaviors and set new standards.

------
youeseh
All I see is a lot of websites with a cookie notice that I agree to.

~~~
pas
maybe ... just a thought .. but, don't agree to them?

it should be just as easy to agree as to decline. if not, then they are likely
not adhering to the regulation, and eventually someone will/could alert them
or whatever authority.

~~~
youeseh
Do you mean that if I declined I should still be able to see the content?

~~~
pas
Yes.

And the whole practice of huge scary obtrusive modal-like dialogs (that tint
the background so you can't even read it normally) are the cheap tricks used
by sites to incentivize you to consent to tracking. So, it's almost certain
that those are not compliant. They replace the fundamental function and
purpose of the site with a fake choice.

------
BryanGiese
Interesting perspective and I can see some of the intent here, but it takes an
odd slant to the issue. There are a few failures in logic here (random number
becoming PII, only tracking on one browser, laws protecting you from getting
robbed) that detract from the goal of GDPR which is to outline the user's
digital rights, not define how data can be collected. GDPR does not define the
technological methods because those will always be evolving, much like our
understanding and expectations of data privacy will evolve. I agree that users
need to educate themselves on how to protect their own data, but there is a
ton of technology that they either aren't aware is being used, or simply don't
understand. GDPR isn't perfect but it will help in the long run. Here is a
summary of some of the details and how it will impact what developers need do
as they architect software. Some companies will take it seriously, others
won't. Then consumers may decide who to do business with.
[https://fusionauth.io/blog/2019/01/29/white-paper-
developers...](https://fusionauth.io/blog/2019/01/29/white-paper-developers-
guide-gdpr)

------
legitster
Here's an issue we ran into when implementing GDPR: marketing software keeps a
database of people who have opted out, so even if that email address shows up
again, we don't risk spamming them. But if they opt out now, under GDPR we
have to delete them completely, even from the opt-out list. So we can't
remember not to email or track you.

The author also points out the double set of cookies, which is how most sites
deal with tracking. One set of cookies that do not collect PII, that just tell
the other set of cookies to turn on or off.

I respect that the writers of GDPR did not confer with the industry insiders
beforehand. However, with how poorly some of it understands the technology
(implementation of cookies is a great example), I wish they would have had a
bit more understanding and drafted a better bill.

~~~
turbohz
Uh? Couldn't a hash be used for that?

~~~
legitster
According to our council, even encrypted or hashed data was still counted as
PII as those are security measures, not privacy measures.

~~~
ziddoap
I mean, trust your council over some random guy on the internet (me), but I
would seek a second opinion on this from a technilogically savvy lawyer.

There are absolutely implementations available that will allow you to have a
hash, not tied to other data, sitting in your opt-out list that you than check
other hashes against. No PII in the mix.

~~~
MattPalmer1086
If I got the hash database I could absolutely test whether specific people
were in it, and I could probably reverse a large number of them with
dictionary based attacks.

There are no completely robust options where you can claim that this data
cannot compromise personal privacy, so I guess from a legal perspective it
doesn't stop it being PII.

------
ydnaclementine
A law is only as effective as it is enforced

------
kzcqt
>This is so broad and vague that basically if I generate a random number to
identify you on my website it becomes your personal data.

That's cool. If something can identify me uniquely then it's personal data.

~~~
kerng
Totally agree! Especially, if you keep the link between the number and user,
which is very often the case. But even without that direct link one would have
to demonstrate a certain level of k-anonymity. Maybe GDPR wasn't detailed
enough to describe k-anonymity

