
Show HN: Avoid GDPR by blocking EU visitors - fiatjaf
https://euroshield.xyz/
======
geocar
I'm of two minds about this.

Companies who are buying into the idea of the GDPR being scary, and who think
this sort of thing is a good way to _ignore_ the GDPR, are leaving money on
the table.

But those other companies, who actively want to defy the GDPR; who don't want
to protect their servers from hacking and think they can ignore my requests to
stop calling me or emailing me, those are companies that I don't want any
involvement with anyway. This sort of script doesn't protect them, and they
deserve what they get.

------
xchaotic
The script's default message says that you are very sorry, twice. But you're
not really sorry are you? You just install the script rather than address the
problem of data privacy.

~~~
debeers
It's a crude weapon... for a less civilized age.

------
tscs37
> Well, if the user is a beginner-level hacker it will easily be able to bypass
the block.

Or alternatively, operating uMatrix at default settings. Didn't even see
anything.

~~~
willsinclair
I experienced the same thing. I wonder if this qualifies as "explicitly
blocking EU residents", since someone taking privacy measures (like using
uMatrix) wouldn't even receive the message.

If this is the case, then perhaps JavaScript is not the best place to put the
EU blocking functionality.

~~~
fiatjaf
I'm going to offer a full website proxy service for a small price so the
external JS isn't needed and hopefully these cases can be mitigated.

But surely it is dubious (another reason to fear and dislike the GDPR as it
is) if a visitor is actively bypassing website contents and features -
effectively changing the website - and that makes the website liable.

It's like if I have a browser extension that rewrites landing page contents to
racial offenses, then I browse landing pages, get offended by them all and sue
the websites.

~~~
zackbloom
It should be possible soon to build this as a Cloudflare App using Workers,
rather than needing to build your own proxy service.

~~~
fiatjaf
Shh! That was my idea. Don't tell other people about it.

------
djsumdog
Have we seen any actual enforcement of the "cookie law" on non-EU entities (or
even on EU entities?)

If you're not physically in the EU and run a service platform, could you just
ignore it until you get hit with a notice?

I'm really puzzled at how the EU realistically thinks they can enforce these
types of restrictions on an international scale.

~~~
DanBC
> enforce

People keep saying "enforce". That's the wrong word. Enforcement is a last
resort. What actually happens is that the regulator writes you a letter asking
you to come back into compliance, and points you to latest best practice.

At that point you decide what you want to do. If you have a European presence
it's easier for them to impose fines. If you don't, I guess they can declare
you non-compliant, which makes it harder for EU businesses to send you data.

Here's a case where a large firm was handling _sensitive_ personal details and
didn't bother with their legal duty to register with the Information
Commissioner.

If the fear-mongering about fines is correct they'd get hit with a huge fine.

[https://www.bloomberg.com/news/articles/2018-04-26/u-k-healthcare-startup-cera-is-said-to-have-posted-fake-reviews](https://www.bloomberg.com/news/articles/2018-04-26/u-k-healthcare-startup-cera-is-said-to-have-posted-fake-reviews)

> The U.K.’s Data Protection Act requires all organizations processing
> personal information to register with the U.K. data regulator. Although
> handling sensitive data on recent patients and those needing regular health
> care, Cera also failed to register with the Information Commissioner’s
> Office until February this year. The ICO said in a statement that it would
> only consider “enforcement action” if a company failed to register despite
> ICO advice.

------
SippinLean
I highly encourage all my competitors to use this immediately

~~~
foobarbazetc
Definitely just turn away 30-40% of your customers. Good idea for everyone. :)

------
koverda
This is pretty appealing. A quick and easy CYA to keep you out of trouble
while you work on compliance (or not).

------
chomp
So, yes and no. These approaches to blocking EU visitors do somewhat protect
you from having to comply with GDPR. However, "targeting" can mean a lot of
things. If you have global adsense campaigns that advertise your service for
EU customers, you're still targeting those data subjects. If you end up
sponsoring any events in the EU with your company name where people may be
able to draw a connection between your service and it being available in the
EU, you're still targeting those data subjects. I mean, if you write a blog
post on your branded company blog about a subject you know people in the EU
would care about (let's say you're selling $foo_service and you are musing
about $foo_field in the EU) and it gets really popular in EU circles, one
could say that you were really just targeting advertising to those data
subjects (a stretch, but I don't like to leave things up to lawyers).

Something like this needs to be a multi-pronged approach - warnings displayed
to EU customers, complete non-advertisement to EU sectors, and you should
probably include terms of service as well.

A single page insert does not completely cut it. A lot is left open to
interpretation in this regulation, and you need to effectively black out any
interaction you have with the EU.

~~~
matthewmacleod
_Something like this needs to be a multi-pronged approach - warnings displayed
to EU customers, complete non-advertisement to EU sectors, and you should
probably include terms of service as well._

Ironically, likely to be more work than not being an ass with customers' data
in the first place.

~~~
chomp
> Ironically, likely to be more work than not being an ass with customers' data
in the first place.

Your comment is pretty rude. Every business is going to have different things
that work for them. Some businesses aren't going to have resources to get
counseling and make changes to comply with the regulation. Some businesses
don't exist in the EU and have no interest in servicing the EU (most
businesses in the world), and want to make sure they aren't going to run afoul
of GDPR. And, some people are upset that they're having to spend brain cycles
on a law that heavily modifies business and tech processes, that was enacted
in a foreign government, and had no elected representation to present their
concerns.

I think the amount of data leaks and irresponsible data handling that
companies take part in nowadays is completely awful, and shows disregard for
people's well being. I think that companies need to treat personal data as a
liability instead of an asset. I think that companies that choose to forgo EU
business are leaving a lot of money on the table and put themselves at a
competitive disadvantage. I also think that companies in foreign countries
should have the right to opt-out of doing business with whoever they want, and
exempt themselves of regulation by not doing business in the host state.

And no, "not being an ass with customers' data" is not going to be less work
than the few steps necessary to exempt yourself from GDPR.

------
matthewmacleod
I'm sorry to be mean, but this is as dumb as the rest of this GDPR panic that
seems to have swept the less informed parts of the US tech community.

GDPR basically means: "Do all the stuff you should have already been doing to
protect user data."

Paradoxically, I suppose it's pretty good as an EU citizen if sites that
_don't_ do this are blocked, since it's a massive flashing red flag.

~~~
kazinator
People are going to install shit like this even if they are already protecting
user data. Or not even collecting any in the first place.

------
timvdalen
Under the GDPR, you'll have to explicitly ask users to agree for their visit
data to be shared with euroshield _before_ you load this external JS.

~~~
orwin
Even if this was true (and that depends on euroshield's implementation), this is
not the spirit of the law. You don't even have to take a European lawyer (and
those are at least an order of magnitude cheaper than US ones) to win your
case (I'm joking, please take a lawyer). European courts don't like bullshit,
even when it comes from big companies, so if you're afraid of trolling (à la
patent trolls), please don't be.

------
httptoolkit
New browser extension idea for people outside the EU: automatically spot sites
using tools like this, and put enormous great big warnings all over the page.

Seriously, _most_ of GDPR is good practice don't-screw-your-users' personal
data steps. Don't store personal data for uses that aren't strictly necessary
without their consent. Make sure users can find out what data you do store,
and how you'll use it. Have a way they can ask you about it, or ask you to
remove it.

If complying with GDPR isn't reasonably practical with your product/business
model it's a _huge_ red flag imo, EU or no.