
The GDPR blog post - aychedee
https://medium.com/tsengineering/the-gdpr-blog-post-9a571b13079d
======
baq
I got a few dozen gdpr emails today, some from companies I didn't know
existed. This law is a fantastic development for end users/consumers.

~~~
TeMPOraL
Yup. Today I opened my fridge wondering if I'll see a note about an updated
privacy policy inside.

It's ironic seeing that the law was in power for the last 2 years, but
companies woke up only last week. A lot of those mails are only information,
with no (clearly marked) link to a consent panel, so I assume that me ignoring
them means they won't be allowed to spam me anymore.

~~~
varjag
You're joking, but _my_ fridge did hand me a GDPR notice in the morning:

[https://twitter.com/varjag/status/998496423019778048](https://twitter.com/varjag/status/998496423019778048)

~~~
TeMPOraL
Wow. That's the funniest thing I've seen this week.

Beats the schadenfreude I'm having with some of the IoT lightbulbs no longer
working for EU customers - a problem which actually impacted a friend of mine.
See:
[https://twitter.com/internetofshit/status/999619364541394944](https://twitter.com/internetofshit/status/999619364541394944).

EDIT: 2 friends now. I wonder how many more bought those lightbulbs...

~~~
Symbiote
Anyone who bought these lightbulbs should return them to the retailer for a
full refund.

~~~
retSava
The yeelights are typically bought on e.g. Aliexpress. I have mine with the
local network developer functionality enabled, here's to hoping they will
still work with that at least.

------
kbsletten
So, I'm _really_ not trying to start a fight, please read this with curious
intent.

I personally don't really feel like keeping my email is a violation of my
privacy. If they're not "processing" it (that feels like code for "data
mining") is this really required? I mean my email address is literally a
public means of contacting me. It's kind of fun that they decided to use a
one-way hash, but this story doesn't make me feel like the internet has really
been improved.

~~~
TeMPOraL
The problem is identification of physical persons. Your e-mail is public, but
it also identifies you as a person. This is important, because it allows for
correlating different data sets.

Touch Surgery sounds like an honest company, so for them this was just some
extra burden. But the same law prevents ShadyAdtechCo from getting datasets
from _several_ companies and joining them on e-mail column to build a profile
of you, without your explicit, informed consent in several places.

~~~
ensmotko
Wouldn't then a hash of your email also identify you as a person? The
companies can still build a profile of you if they just agree to use the same
hashing function :/

~~~
comex
Or even if ShadyAdtechCo just knows what the hashing function is, and has a
list of plaintext email addresses to test against – perhaps obtained from one
of the datasets they're joining against, or even from crawling the web.

~~~
TeMPOraL
Hashing should be done with salt for precisely that reason.

~~~
comex
If you mean a static salt, that could help mitigate against hacks (if the
attacker has access to the database but not the code), but where adtech is
concerned it's probably more realistic to assume that the datasets they're
using were disclosed willingly. If you mean using a different salt for each
address, that could work for some use cases, but it wouldn't work for the use
case described in the blog post, since Touch Surgery needs to be able to
look up whether a given address is in the database (to see whether they've
previously declined an invitation).

~~~
aychedee
It's really no problem to do this. We're using a variation on this:
[https://unix.stackexchange.com/questions/158400/etc-shadow-h...](https://unix.stackexchange.com/questions/158400/etc-shadow-how-to-generate-6-s-encrypted-password).
The output of crypt (where the input is an email address) is pretty useless if
we did suffer a data breach. They'd have to hash every known email address with
that salt in order to figure out who had declined an invite from us.

~~~
comex
What is the salt based on?

------
tomelders
I had a recruiter call me up with what I suspect was a made up role. At the
end of the call he casually dropped in the line "ok, well, is it ok if I get
back in touch when something more suitable comes in?"

It was conspicuous. I asked if he'd asked me that because of GDPR. He said
yes. I said no.

------
wdr1
> I would be very wary of a company who claims this legislation is onerous.

... and elsewhere ...

> On the other hand it also was not very hard for us. We are not a creepy
> company.

> This is not to say that preparing for GDPR didn’t take us 100s of hours. It
> did.

A company who it didn't affect much, spent 100s of our hours? I think it would
be reasonable to call that onerous.

The different & fair question would be if time was justified.

~~~
y0ghur7_xxx
> A company who it didn't affect much, spent 100s of our hours? I think it
> would be reasonable to call that onerous.

100 hours is 12.5 days. That is not much to protect your users' data.

------
severine
Even in Europe (at least in Spain), mainstream journalists and pundits are
generally misstating the effects and contents of GDPR.

I wish not-so-hot takes like this were more widely read, and, along with sane
enforcing, contributed to the sorely needed education of the general
population on these topics.

------
maaaats
A colleague sent me this, lots of funny variants
[https://gdprhallofshame.com/](https://gdprhallofshame.com/)

~~~
zerostar07
Warning though: that site is not gdpr-compliant

~~~
MitjaBezensek
Why? Is there a company behind this webpage?

~~~
zerostar07
doesn't have to be a company. it processes data and it's not a strictly
personal site, it's all over the internet in fact.

------
meta_AU
Is there not any issue with having a hashed version of the email, given the
entropy of an email address is quite small?

~~~
hvidgaard
Maybe, but they have a good reason to keep that data, and they even go out of
their way to "hide it" the best they can using a one-way function.

To save the information that a certain email address has explicitly withdrawn
consent, they need to store it. The alternative is to send out a new email the
next time someone adds them. I think the interpretation of GDPR for this
particular instance of information storing is still open, but they have done
everything possible to keep it safe. Should the list of hashes be leaked, the
best an adversary can realistically do is check known emails against the list
of hashes.

~~~
lvh
You're right, but there are safer constructions to do this. Maybe this kind of
knowledge will get more popular now that GDPR is mandating it :)

Active concern for me: GDPR will promote a bunch more homegrown looks-fine-
but-actually-busted crypto schemes. I don't think GDPR will be used to enforce
that even in the case of breach, and I'm not sure it should -- I think we
should make better schemes available instead.
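The hashing sub-thread above (aychedee's crypt-with-salt scheme, comex's point that a static salt does not stop someone with the table from hashing a list of known addresses, meta_AU's low-entropy concern, and lvh's remark that safer constructions exist), worked through as an added Python example. This is not code from the blog post or from any commenter, and the keyed variant below is a standard construction (HMAC-SHA256 under a key that is stored outside the database), not the one lvh says they posted elsewhere. The addresses, salt, key and "attacker's candidate list" are all constructed here.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the page): addresses that declined an
# invitation, and a candidate list an attacker might hold after a breach.
DECLINED = ["alice@example.com", "bob@example.org", "carol@example.net"]
ATTACKER_CANDIDATES = ["alice@example.com", "dave@example.com",
                       "carol@example.net", "erin@example.org"]


def normalize(email: str) -> str:
    """Canonicalise before hashing so a later lookup matches regardless of
    case or stray whitespace in the submitted address."""
    return email.strip().lower()


def salted_hash(email: str, salt: bytes) -> str:
    """Static-salt hash, the shape of the crypt(3)-style scheme in the thread.
    The salt is stored next to the hashes, so whoever has the table has it."""
    return hashlib.sha256(salt + normalize(email).encode()).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that is *not* stored in the database
    (in practice: a secrets manager or application config, not the DB)."""
    return hmac.new(key, normalize(email).encode(), hashlib.sha256).hexdigest()


class OptOutList:
    """Stores only digests, but still answers 'has this address declined?'."""

    def __init__(self, digest_fn):
        self._digest = digest_fn
        self._hashes = set()

    def add(self, email: str) -> None:
        self._hashes.add(self._digest(email))

    def has_declined(self, email: str) -> bool:
        return self._digest(email) in self._hashes

    def leaked_table(self) -> set:
        """What an attacker gets from a database breach: the digests only."""
        return set(self._hashes)


def dictionary_check(leaked: set, candidates, digest_fn) -> list:
    """The check comex describes: hash every candidate address with the same
    function and see which digests appear in the leaked table."""
    return sorted(e for e in candidates if digest_fn(e) in leaked)


def demo() -> dict:
    salt = b"static-salt-stored-with-the-table"   # constructed value
    key = secrets.token_bytes(32)                 # constructed, never in the DB
    salted = OptOutList(lambda e: salted_hash(e, salt))
    keyed = OptOutList(lambda e: keyed_hash(e, key))
    for e in DECLINED:
        salted.add(e)
        keyed.add(e)
    return {
        # Both schemes support the lookup Touch Surgery needs.
        "lookup_salted": salted.has_declined("  Alice@Example.com "),
        "lookup_keyed": keyed.has_declined("  Alice@Example.com "),
        # Breach of the salted table: the salt travels with it, so known
        # addresses are recovered by re-hashing the candidate list.
        "recovered_salted": dictionary_check(
            salted.leaked_table(), ATTACKER_CANDIDATES,
            lambda e: salted_hash(e, salt)),
        # Breach of the keyed table without the key: re-hashing under any
        # guessed key matches nothing.
        "recovered_keyed": dictionary_check(
            keyed.leaked_table(), ATTACKER_CANDIDATES,
            lambda e: keyed_hash(e, b"attacker-guess")),
    }


if __name__ == "__main__":
    print(demo())
```

The gain from the keyed variant is only that the key is separated from the table; anyone who holds both the key and a candidate list can still run the same check, because the digest is a deterministic function of the address. That is what makes the lookup work, and it is also why per-address random salts (the other option comex mentions) would defeat the lookup.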

~~~
talkingtab
What is the 'safer construction' to do this? I'm looking for ideas and trying
to solve a problem. My understanding of the GDPR, which is very basic,
supports the view that hashing email addresses is at least questionable. On
the other hand, if an email list is a core function, de-spamming seems valid.

~~~
zwily
An appropriately tuned bloom filter would probably suffice.

~~~
lvh
A Bloom filter is an interesting approach, but the problem is that the
attacker and you need the same property: to know if an email is in the set. If
you could tell set membership with (effectively) perfect accuracy the Bloom
filter may improve performance but not privacy.

I posted an alternative construction elsewhere in the thread.

~~~
tripletao
The difference is that you may be willing to accept a much higher false-
positive rate than your attacker can. This is the same idea behind the old
"flip a coin, and then raise your hand if either the coin came up heads or you
have [embarrassing problem]" method to statistically count everyone with the
embarrassing problem, without disclosing anyone's status with certainty.
That's the same property your truncated hash achieves.

A Bloom filter could also be designed accordingly. I'm guessing this post's
grandparent was thinking of the filter's natural false-positive rate, or you
could add deliberate noise.

~~~
hvidgaard
If I had a service where I wanted people to use it and only remember explicit
opt-outs, I wouldn't want any false positives to the "have already opted out"
question.

~~~
tripletao
Let's say my list has 10^4 members, and there are 10^9 people worldwide. If I
design for a 10^-4 false positive rate, then a list constructed by reverse-
engineering my algorithm (whether it's a Bloom filter or a truncated hash or
anything else) will be 91% false positives, 9% true positives. That's not a
huge improvement, but I could imagine applications where someone judged it
worth the ~one customer I inconvenience.

This raises fun questions of what it means to disclose a fact, when you're
disclosing it probabilistically. Let's say that you tell me the yes/no answer
to a question you consider private. I then generate a uniform random number X
on [0, 1], and disclose (("you told me yes") || (X >= a)) for some agreed
constant a.

If a = 1, then I've almost surely just disclosed your secret. If a = 0, then
I've almost surely disclosed nothing. At what value of a do you start to care?
That's a really messy question, depending on the social consequences of the
information being disclosed (what fraction of innocent candidates would you
reject to make sure your child's tutor isn't on the list of clients of a
psychologist known for treating pedophiles?), and the other public information
about you and about my population that an attacker can fuse to make a stronger
estimate.

I don't think privacy-through-false-positives is a terribly effective tool.
It's just the only possible tool for creating privacy when your rule is public
(whether deliberately or after a breach)--so it's interesting to think about
places where it could have some benefit.
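tripletao's numbers above (10^4 members, 10^9 people, a 10^-4 false-positive rate giving about 91% false positives) and the "disclose yes OR X >= a" rule, worked through as an added Python example; this is not code from the post or from any commenter. It builds a truncated-hash opt-out list whose prefix length is chosen from the target false-positive rate, measures that rate on constructed addresses, and goes one step past the comment by adding the estimator that recovers the aggregate "yes" fraction from randomised reports (the comment describes the mechanism but does not give the estimator).

```python
import hashlib
import math
import random


def bits_for_false_positive_rate(list_size: int, fp_rate: float) -> int:
    """Shortest hash prefix (in bits) so that a non-member collides with one
    of list_size stored prefixes with probability at most fp_rate.
    Union bound: P(collision) <= list_size / 2**bits."""
    return math.ceil(math.log2(list_size / fp_rate))


def positive_breakdown(list_size: int, population: int, fp_rate: float):
    """Expected (true positives, false positives, share of positives that are
    real) when someone runs the public rule over the whole population."""
    true_pos = list_size
    false_pos = (population - list_size) * fp_rate
    return true_pos, false_pos, true_pos / (true_pos + false_pos)


class TruncatedHashSet:
    """Opt-out list that keeps only the first `bits` bits of SHA-256(email)."""

    def __init__(self, bits: int):
        if not 1 <= bits <= 64:
            raise ValueError("bits must be in 1..64")
        self.bits = bits
        self._prefixes = set()

    def _prefix(self, email: str) -> int:
        digest = hashlib.sha256(email.strip().lower().encode()).digest()
        return int.from_bytes(digest[:8], "big") >> (64 - self.bits)

    def add(self, email: str) -> None:
        self._prefixes.add(self._prefix(email))

    def __contains__(self, email: str) -> bool:
        return self._prefix(email) in self._prefixes


def measure_false_positives(members: int, probes: int, bits: int) -> int:
    """Constructed addresses: user0..userN are members, other0..otherM are
    not. Returns how many non-members the truncated set wrongly accepts."""
    s = TruncatedHashSet(bits)
    for i in range(members):
        s.add(f"user{i}@example.com")
    return sum(f"other{i}@example.com" in s for i in range(probes))


def disclose(secret_yes: bool, x: float, a: float) -> bool:
    """The rule from the comment: report True if the answer is yes OR the
    uniform draw X lands at or above the agreed constant a."""
    return secret_yes or x >= a


def estimate_yes_fraction(reports, a: float) -> float:
    """P(report True) = p + (1 - p)(1 - a), so p = (f - (1 - a)) / a where f
    is the observed fraction of True reports. a = 0 reveals nothing, so no
    estimate exists; a = 1 reports the secret itself."""
    if a <= 0:
        raise ValueError("a = 0 discloses nothing; the fraction cannot be estimated")
    f = sum(reports) / len(reports)
    return min(1.0, max(0.0, (f - (1 - a)) / a))


def simulate_randomized_response(true_fraction: float, a: float,
                                 n: int, seed: int = 0) -> float:
    """Monte Carlo: n people, a true_fraction of whom hold the secret, each
    applying the rule with a fresh uniform X; returns the aggregate estimate."""
    rng = random.Random(seed)
    reports = [disclose(rng.random() < true_fraction, rng.random(), a)
               for _ in range(n)]
    return estimate_yes_fraction(reports, a)


if __name__ == "__main__":
    bits = bits_for_false_positive_rate(10**4, 1e-4)
    print("prefix bits:", bits)
    print("true/false positives, true share:", positive_breakdown(10**4, 10**9, 1e-4))
    print("measured false positives in 50k probes:",
          measure_false_positives(10_000, 50_000, bits))
    print("estimated yes-fraction:", simulate_randomized_response(0.2, 0.5, 20_000, seed=1))
```

With the comment's parameters the prefix comes out at 27 bits, the expected share of true positives among everyone who matches is about 9%, and the measured rate on constructed addresses is a handful of hits in 50,000 probes. The same `a` that lets the aggregate be estimated is what an attacker uses to estimate an individual's secret, which is the trade-off the comment is pointing at.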

------
merinowool
So far I have received over 300 GDPR emails. When am I supposed to read all
this? How do I track it? How can I track what each company stores about me? Do
I feel this in any way improved safety of my data? I don't think so.

~~~
baq
In theory, if you don't reply, all these companies should stop using your data
and quite likely delete it. Sounds like improving safety for me.

~~~
drusepth
It sounds pretty tedious to sift through 300+ emails to find everyone you want
to keep using your data and go through whatever process they have for
replying.

~~~
RugnirViking
Why do you want them to keep using your data?

~~~
drusepth
Why wouldn't I? With the exception of one or two emails, they've all been from
companies/services I signed up to originally.

------
appdrag
I have reported as SPAM all the GDPR emails I got from unknown companies, I
never asked to receive all this shit (250 GDPR messages just this week)

------
mychael
American entrepreneurs who are proponents of GDPR are experiencing some
serious Stockholm Syndrome. Or possibly they're just faking their love for
GDPR to virtue signal.

------
pojkofd00m
Love how I got a popup asking me to sign up with a fb/ggle account, stating
"To make Medium work, we log user data and share it with service providers."

------
matte_black
We’re still not GDPR compliant and don’t plan to be. So far so good.

~~~
SpecialistEMT
Same here.

------
y0ghur7_xxx
"To make Medium work, we log user data and share it with processors. To use
Medium, you must agree to our Privacy Policy, including cookie policy."

No Medium, I must NOT agree to your privacy policy and your cookie policy,
because to use and share my data you need my FREE consent. AND you can NOT
deny me reading an article without giving consent, because then the consent is
not FREE, and it is NOT strictly necessary for the service.

Medium: either you allow me to read blog posts on your webserver without
FORCING me to allow you to collect my data, or you don't. Choose. But stop
fucking annoying me with lying banners.

~~~
dpwm
I think it's more likely that "to make Medium make money," they engage in
tracking for advertising purposes.

Medium works perfectly well for my purposes without that banner being
displayed. I can open up developer tools and delete that node.

If I don't click agree, does that mean that this information isn't collected?
Because tracking cookies are still placed.

Now what is interesting is that I don't remember being asked for consent for
them to place a cookie to log the number of articles I read in a month as part
of their sign-up funnel.

~~~
TeMPOraL
> _Now what is interesting is that I don't remember being asked for consent
> for them to place a cookie to log the number of articles I read in a month
> as part of their sign-up funnel._

They could probably make this compliant by storing the counter in your local
storage and never sending it anywhere - just having a piece of JS that
essentially does: if (localStorage.getItem("visits") > 6) { displaySignupPopup(); }

~~~
netsharc
Ah, when I used to bother with Proxomitron
([https://www.proxomitron.info/](https://www.proxomitron.info/)), I could
rewrite anything that went "over the wire" because it acts as an HTTP proxy
listening at localhost. I remember modifying Javascript lines so adding my own
code was possible...

One could add an SSL library and basically MITM HTTPS connections, but I never
tried that.

------
TeMPOraL
A popup (probably what used to be cookie warning) on Medium says:

> _Medium uses browser cookies to give you the best possible experience. To
> make Medium work, we log user data and share it with processors. To use
> Medium, you must agree to our Privacy Policy._

I _must_ agree to logging user data and sharing it with processors?

EDIT: come to think of it, it might be a new, GDPR-specific, dark pattern. I
can use the site without clicking "I agree", and the existence of that button
sort of implies the consent is not assumed. The wording of the message ("you
must agree") is just trying to bait consent.

EDIT2: I just read[0] that the biggest sites in my country are treating
closing the GDPR popup as giving consent to everything. This definitely does
not sound like explicit, informed consent. I sincerely hope it'll land them in
a world of hurt.

--

[0] - (PL link) [https://zaufanatrzeciastrona.pl/post/klikasz-x-w-komunikacie...](https://zaufanatrzeciastrona.pl/post/klikasz-x-w-komunikacie-o-rodo-wyrazasz-zgode-na-przetwarzanie-danych/)

~~~
inopinatus
Isn't that the quid pro quo, though? I don't feel obliged to accept their
shitty privacy policy, and in return they are not obliged to serve me their
often equally shitty content.

~~~
merijnv
> I don't feel obliged to accept their shitty privacy policy, and in return
> they are not obliged to serve me their often equally shitty content.

Yes and no. Yes, in the sense that you can argue that. No, in the sense that
the GDPR just says "no, you cannot ask people to pay with personal
information". So either they must show me the article even if I opt-out of
giving my information. Or they must make reading their article conditional
upon something else (say, paying them). They CANNOT make it conditional upon
my consent to use my personal data, because that's just coercing me into
clicking "yes", which is exactly what GDPR is supposed to curb.

------
Grue3
> this is going to be another ridiculous Cookie Law

Given the number of ugly popups I had to click within the last few days, it
already is.

~~~
SpecialistEMT
I never added this cookie law notice to any of our websites and apps and never
had a single problem. We operate in the EU. Pretty small scale. We did nothing
for gdpr.

