FYI: Wikispaces is a wiki hosting service based in San Francisco, California. Launched by Tangient LLC in March 2005, Wikispaces was purchased by TSL Education in March 2014. It competes with PBworks, Wetpaint, Wikia, and Google Sites (formerly JotSpot). It was among the largest wiki hosts.[Wikipedia]
It was a paid-for service, run into the ground with technical debt to the point where it's an economic write-off? Is someone at TSL Education going to be sweating about the due diligence they should have done?
Read the article : it was a trade off. Paying the technical debt when designing the tool would simply have made them fail far faster.
Having this tool, correctly designed, was too expensive and not worth what people were willing to pay for it. We still had the tool because it was hacked together.
My guess: in trying to do GDPR compliance they basically did their first real code change in years. They found that everything was an undocumented web of dependencies and that even starting to understand the problem was months or years of operating profit. At that point they decided to shitcan the whole thing.
This is an American (USA) organisation. What on earth has GDPR (an EU thing) got to do with them?
I note that the do not mention GDPR anywhere on the homepage. This reads to me like "our business model is no longer viable" or "income is less than expenditure".
* Over the last twelve months we have been carrying out a complete technical review of the infrastructure and software we use to serve Wikispaces users. As part of the review, it has become apparent that the required investment to bring the infrastructure and code in line with modern standards is very substantial.
GDPR applies to any company that offers a service or product, paid or free, to users within the EU. An American company with EU users must comply with the regulation.
Websites offer services to all countries by default; all websites are subject to GDPR, regardless of where their owners live, unless they do something like GeoIP restrictions to exclude EU citizens.
GDPR is going to be a tax on software for a good chunk of time, and probably a decent source of employment for engineers, as companies wake up and realize that they now have to deal with it. Unless there specifically are requirements to make deleting user data easy, or even possible, that's probably been punted on for years in most software products.
GDPR is going to be a tax on software for a good chunk of time
Unless you are Facebook or Google or Amazon or Microsoft (etc), most reasonably responsible companies will already be very close to GDPR compliance. The regulations really are not too onerous.
From what I've seen, I wouldn't be too surprised if some practices make this hard for some companies. In particular, mixing customer data with company data and having a practice of tomb stoning rows.
That could mean anything from “site was written in PHP and our programmer only knows ASP.NET MVC4” through to “it is a giant mud ball and there is no documentation. We figure it would take less time to rewrite from scratch and can’t afford either project.”
GDPR might be a small factor, but that space has changed a lot over the past 13 years. Google giving schools free access to G-Suite, (including sites) pretty much killed usage of wikispaces in schools that took up Google. Other online collaborative tools and LMSs have no doubt eaten other parts of their education market. And facebook has probably eaten a lot of their community lunch.
I wonder how much GDPR had to do with bringing them down. For a site like this, blocking EU traffic wouldn't have been a reasonable option, and even for sites smaller than Wikispaces, GDPR compliance can easily cost 7 figures. The timing is likely not a coincidence.
> I wonder how much GDPR had to do with bringing them down.
Since they didn't cite that as a reason, I am going to conclude none. Even if they did cite it, I would still be inclined to assume it was being offered as a palatable pretext for a simpler baser bottom-line-driven business decision.
A little Googling shows that TES Global acquired Wikispaces in 2014:
TES appears to fancy itself a social network. Wikis are a slightly different animal. And now that TES has Wikispaces users in pocket, I imagine they could care less about maintaining a wiki platform.
>I imagine they could care less about maintaining a wiki platform
And yet they spent money to buy it just a few short years ago. Seems odd doesn't it? I have been on the Wikispaces site within the last year, and there were no obvious attempts to get me to sign up for any other site, so this was not a grab at users. Now they're closing less than a month before GDPR takes effect (after 13 years of operation), citing the high cost of keeping up with modern standards. While they didn't specifically mention GDPR, I'd say the likelihood that it had no impact is roughly 0.
They wouldn't be the first company to pull out of EU over GDPR, nor would they be the last. Here's one example: https://www.brentozar.com/archive/2017/12/gdpr-stopped-selli... . According to that blog post, even Microsoft shutdown a specific service due to GDPR compliance issues.
From the consultants I have spoken with and looking at the issue for my own company. Depending on what your service does, the process of GDPR compliance can be incredibly complex and involve rewriting a significant percentage of your code. Even then, you may not be in the clear because it is up for unique interpretations in the courts of 28 distinct countries. It is, quite simply, a mess. Maybe it's one that will work out to users' benefit in the end, but that doesn't help the companies trying to serve them that don't have millions of dollars to spend on compliance.
Depends. If you happen to be both a lawyer that is well versed in the laws of all 28 EU countries, who can divine how each country will interpret and enforce the law, and also a coder with lots of time on your hands to implement in code what you hope is the correct interpretation of these laws, you may be able to do it for free. Most companies don't have a person like this though, and need to rely on outside experts for one or both of these.
The interpretation of laws and specific contexts are usually relatively straightforward for people who are trained in legal speak, not engineers.
There should be hardly any change needed as long as the service only gathers data that is required for it and users are willingly using the service.
The problem if for companies that do heavy identification of users against their will like in adtech or companies that gather and resell personal information.
Bollocks! First off: GDPR will be harmonised across all 28 member states (not countries) - that's the point of it. For example in the UK, the current Data Protection Act of 1998 will be superseded by GDPR (https://www.itgovernance.co.uk/data-protection)
You do not need to be a lawyer to understand GDPR, you merely need the ability to read, and have a few hours to devote to research. Implementing a policy that is compatible with GDPR is not hard. It does require some thought and some time and will need some training across your organisation. If you do not have a market in the EU then it need not worry you at all. Funnily enough, if you bin (or neuter) those social icons and a few .js thingies from your website you'll be well on the way. Now think about how you would like to be treated, personally ... yep - you'll be fine. No lawyers needed and certainly not seven figure sums for handwaving. You really can use research and common sense and some time, to do the job in house effectively.
I might politely suggest that it is a pretty good standard to work to anyway: it is designed to protect the privacy of individual people. I consider myself an individual and perhaps you do too.
And yet billions are being spent on exactly that - because it's an incredibly complex law that can indeed be subject to different interpretations in each country. I have been briefed on this point specific by lawyers in the EU for to whom we paid a fortune, only to decide that it was too risky to allow EU traffic.
It's not just a matter of taking away "a few .js thingies" as you put it.
I am a director of a UK based IT company (MD) I am also the ISO9001 senior worrier and an ISO27001 sponsor. Just in case you are concerned that I might be a PHB (I do not have enough hair anyway): I run Arch Linux on all my PCs and am personally CREST accredited.
The purpose of GDPR is protect individual's right to privacy - I doubt you can fault that. You and I are both individuals ...
Have you actually sat down with a copy of the GDPR a clear mind, and some really good coffee and bothered to read it? If you are arguing the toss with me based on something that someone else has told you then go away.
GDPR is designed to protect people - you and I if you like. I'm a fan of it.
I have read it, as have our lawyers, which is why we have no choice but to block all EU traffic from our services.
All fans of the law think it will only be used to go after "bad" guys. But that just isn't how laws like this are used in practice. They are designed to be easy to violate for a reason - that reason being to generate massive revenue from fines.
All legal questions can be answered with "It Depends." The lack of clarity form the courts is to be expected, but isn't that different than any other legal grey area. And yes, there are concerns. And yes, if a company wants to skip out of the EU and wait for the dust to settle, that is a valid business choice.
But people are arguing with you because you are all over this thread acting like it is the only business choice. Or that we all need to spend millions to make that choice. In truth, it is a risk management decision, not a legal one, because the legal answers are unknowns. You clearly are drawing this into the quadrant of both high likelihood and high consequences... which is fine, for you. But different organizations may have different answers, putting GDPR compliance into a different risk quadrant, and those are their own decisions to make.
As someone who has had to try to figure out how to implement GDPR, my takeaway so far is that it might eventually be ok, once the courts have clarified what it actually requires. But, that process will be quite profitable for European governments.
My employer, https://shadow.cat/ is offering GDPR compliance consultancy, and so far the take away has been "if you're a non-tech company, it's not honestly that hard" plus "if you're a tech company, it's only hard if your entire business model is built around exploiting your customers' data".
If it costs 7 figures to hire consultants, either your business model was parasitic in the first place or your consultants are attempting to fleece you.
(if you don't believe me, email mdk@shadowcat.co.uk and ask - I run the tech team, I'm not nearly as much of an expert on the rules as he is - and if you're emailing him to ask with no intention to pay us anything, that's fine, just make sure to blame me)
I’m sorry, I have a great deal of difficulty believing this.
there are essentially no situations in which GDPR compliance should be particularly onerous. The principles are pretty simple, and while it will take some time until there is clarity on edge cases, most actions required should be straigtforward.
I’d be fascinated to know what product you build that is so inextricably tied to user data that it will cost “millions” to comply.
It it possible that you’ve been fleeced by your consultants? You’ve notably avoided talking what you’re doing that would require onerous compliance, details of which would go at least part way towards substantiating our rather unbelievable ideas about the cost of compliance.
Ironically, your employer (from your HN profile) loaded a Facebook tracking pixel, Google Analytics, and a multitude of third-party javascript libraries (from which it calls functions such as "clickTrackerInit") when I went to their home page - all without asking for permission. If you helped with their GDPR implementation, perhaps you aren't as familiar with GDPR requirements as you seem to think you are, because those are glaring violations.
Yeah, anybody I’ve met with experience is pretty confident in that.
The people I’ve met who aren’t fall into three categories:
1. People who don’t know much about the rules and have concocted a distorted version of them
2. People who are running a business that relies on misuse of personal data and who will be directly affected
3. People who have some ideological or politicical viewpoint which generally opposes regulation.
I have encountered no situation where someone has been able to demonstrate to me a convincing case where GDPR compliance is onerous, or indeed more work than any best practices they should have already been following.
I’m beating a dead horse talking to you, but you really should look outside of your own opinion and do some research on the issue one of those days. There is a reason that so many people have issues with this law.
I doubt this had much to do with GDPR given the advanced shutdown notice Wikispaces have given, which means their service will still be active long after GDPR comes into effect. If GDPR was an issue then they'd have released this notice last year instead.
> The timing is likely not a coincidence.
Online services shutdown all the time. I appreciate it's human nature to find patterns but this doesn't strike me as one of those occasions it's warranted.
I doubt this had much to do with GDPR given the advanced shutdown notice Wikispaces have given, which means their service will still be active long after GDPR comes into effect.
That's possible, however it could also be that they've cleared any money that they could be fined for out of the LLC and are just hoping that rudimentary measures will be enough to get them by without much hassle from EU regulators even if they aren't in full compliance, while giving enough warning to users to be courteous.
You're overthinking it in my opinion. If it were GDPR related then you could bet they'd have added something about that.
More likely is they just have years of tech debt and their operating profit isn't high enough to warrant the reinvestment into the platform. Particularly if their paying membership has been in decline (or even just stagnating). They're in a crowded space and sometimes it's better to bail out while you're still in the black rather than throwing money at a problem that simply is never going to see high returns anyway.
Also for what it's worth the EU isn't some evil organisation that will go after every single business until everyone is bankrupt. There seems to be a fair amount of hysteria in your post about just how negatively GDPR will affect the average online business. So long as you handle your data properly and don't work in the ad / social media industry or other sectors where your business is selling user data, you don't have much to worry about. Frankly I welcome the GDPR.
Also for what it's worth the EU isn't some evil organisation that will go after every single business until everyone is bankrupt
You must not have much experience with government-types. Laws are always used to the furthest extent that they can be. In this case, the EU has declared itself an Internet dictator, with the authority to reach into the pockets of foreign companies that have no presence in the EU. This will be a boon to government coffers, at least for a few years, and then most foreign sites will close their doors to EU traffic as horror stories flourish. Only a handful of giants that can afford to comply will still allow this traffic, and they will be able to obtain user permission to do anything they want, because of the lack of competitors still serving the EU market (rendering informed consent and all disclosures effectively worthless).
That's not how the EU operates nor has it ever done. I live in the EU (and also work with online services by the way) and I'll grant you the EU is about as anti-business as governments get but only to the extent that it actually looks out for consumer rights. Which is a good thing because you're not going to get any of that from the US government.
However the EU has also frequently put processes in place to protect businesses - particularly the little ones - from unfair bullying (eg FRAND patents).
Let's be honest, the web / online industry isn't new anymore. They've had a chance to self regulate and instead all they've done is finely honed how to capitalise on their customers data. Even services you pay for are now in the business of tracking their users and selling that data. So someone had to step in and regulate the industry. And if GDPR really affects your forums that significantly (I'd wager not because forums are a dying breed and you're hardly sounds at the forefront of forum tech, from little you have disclosed) then I'd suggest you're likely doing something shady with your user data as well in which case I welcome the EU protecting me against your unethical business model as well. But more likely is the argument that your site isn't that big of a risk and you're just being irrational / listening to so bad advice. Maybe the consultants you've bought in are trying to justify their own jobs by feeding you FUD about GDPR? Either way I'd recommend you switch kool aid brands.
The cost of GDPR compliance depends in large part on what personally identifiable information a company collects, from whom it is collected, and what they do with it.
For a company like Google or Facebook, which collects a broad variety of PII from users all over the Internet and shares extracts of that data with advertisers, compliance is a big deal.
For a company like Wikispaces, which is unlikely to collect much (if any) PII, compliance is relatively straightforward.
You don't think that if it were anything to do with GDPR it would have at least rated a sentence on their closure page? So why try and make a conspiracy theory of it?
Wikispaces has operated for 13 years. It isn't the least bit curious to you that they are announcing its closure less than a month before GDPR comes to life, complaining that "...[bringing the] code in line with modern standards is very substantial"?
Sounds more like they are unable to maintain the code since the TES takeover. Perhaps from having a fraction of the former team or being an unmaintainable fur-ball?
TES are a long standing UK company so Wikispaces will have already been subject to the Data Protection Act if there is any possible GDPR angle. DPA wasn't so different, GDPR just adds, modernises and adjusts.
Umm..wut? The code that controls how data is handled must be entirely rewritten. Also, code has to be written to enable new functions dictated to us by our friends in the EU, such as being able to easily delete and/or download all data submitted to the site.
I hope this doesn't become a regular occurrence. EU regs in this case may end up doing a lot of collateral damage, and possibly even (unlikely to me) more damage than good as a result.
That's just bullshit. GDPR compliance isn't a thing you can get accredited for in the first place and besides that any company that (1) respects their users and their data and (2) has proper security in place is most likely going to already be mostly compliant before they even start.
If you're into adtech and your hobby is to try to find exactly what is and isn't legal then yes, it will cost you but for a normal business that acts in good faith you are looking at much more modest figures than the one you quote.
(1) respects their users and their data and (2) has proper security in place is most likely going to already be mostly compliant before they even start.
If the law said this, and only this, that would be fine. But that's not what it says. It's a very complex law subject to unique interpretations in the courts of 28 unique countries.
GDPR compliance isn't a thing you can get accredited for in the first place
Did I say you could get accredited for it? I didn't, but nevertheless, you have to comply with the law (or block EU traffic, if you don't rely on it), and doing so can be very expensive.
It's not a very complex law subject (whatever that is) You do need to do some research and spend some time in consideration but it is not beyond the wit of man.
> If the law said this, and only this, that would be fine. But that's not what it says. It's a very complex law subject to unique interpretations in the courts of 28 unique countries.
Sure you can make it as complex as you want. But the practical upshot is this: as long as you are going around using FUD rather than fact to pretend that the GDPR is unworkable you're setting yourself up for a nasty surprise. Instead go and make a 'best effort' and spend a few productive weeks on getting rid of the most obvious differences between where you are today and where the law says you should be and you will be doing better than most and will be able to sleep just fine because just like with running away from hungry lions you only have to run faster than the competition.
And as long as you're not in fintech, social media, advertising, medtech, insurance or doing something really shady you most likely will be fine anyway because those segments are where the majority of the people that I talk to about this subject expect the first action.
The courts of '28 unique countries' are not each and every one of them going to give a unique interpretation of this law. What you can expect is that starting 2019 or so a couple of serious offenders will be first warned and then fined to show the rest of the world they're not dicking around this time so make-believe arguments won't cut it.
I'm pretty happy that the GDPR exists, the business world had a bowshot in the form of the cookie law, that got ignored or arm-chair legalesed into an ineffective operation when everybody had the option to actually comply with the spirit of the law as well as the letter (the spirit: stop tricking users everywhere: the letter: put up a cookie wall and continue tracking like before once the user inevitably clicks 'ok').
When industries fail to self-regulate sooner or later regulators step in. In this case it is later but as laws come the GDPR is surprisingly clear and accessible.
Instead go and make a 'best effort' and spend a few productive weeks on getting rid of the most obvious differences between where you are today and where the law says you should be and you will be doing better than most and will be able to sleep just fine because just like with running away from hungry lions you only have to run faster than the competition.
In our case, the best decision was to block EU traffic and ban EU users from the forums we operate. GDPR compliance for forums specifically is essentially impossible, because almost all forums allow users to embed external images. The owners of the servers on which those images reside could start deploying tracking cookies that the forum doesn't know about at any moment, and therefore there will likely be exactly 0 GDPR compliant forums, except perhaps text-only forums. That issue alone was enough to get us to block EU users, but that doesn't begin to address any of the other fine points of the law.
You also seem to be uner the impression that the law will not be abused by revenue hungry governments to reach into the pockets of foreign corporations. Call me cynical, but if that doesn't happen, it would be the first time in history. The spirit of GDPR is great. The implementation is the exact opposite of great.
> In our case, the best decision was to block EU traffic and ban EU users from the forums we operate. GDPR compliance for forums specifically is essentially impossible, because almost all forums allow users to embed external images. The owners of the servers on which those images reside could start deploying tracking cookies that the forum doesn't know about at any moment, and therefore there will likely be exactly 0 GDPR compliant forums, except perhaps text-only forums. That issue alone was enough to get us to block EU users, but that doesn't begin to address any of the other fine points of the law.
You are not going to get fined by the EU for that happening. The sites issuing the tracking cookies are the ones in breach, not you.
> You also seem to be [under] the impression that the law will not be abused by revenue hungry governments to reach into the pockets of foreign corporations. Call me cynical, but if that doesn't happen, it would be the first time in history. The spirit of GDPR is great. The implementation is the exact opposite of great.
I honestly cannot see that happening in this instance. Most governments bend over backwards to appease big businesses and often at the expense of consumers. What you're suggesting would be a complete U-turn on Western politics.
You are not going to get fined by the EU for that happening. The sites issuing the tracking cookies are the ones in breach, not you.
That's a misinterpretation of the law. We can indeed be held responsible for that - it's no different than putting a pixel on ourselves. The burden is on us to know what we are including on pages under GDPR.
Most of the people in favor of this law, who claim it's not a big deal unless you have bad intentions, haven't neither read it nor spoken to legal experts about it, and are not in charge of having to comply with it themselves. If they were, most would be singing a different tune. I am not arguing that there wasn't a need for some reasonable limits on tracking. But GDPR is an atrocious law designed to allow the governments of EU countries to reach into the pockets of companies in other parts of the world (especially the US). This serves a dual purpose: to make it easier for EU Internet companies to flourish by sucking down the capital of their foreign competitors, and filling government coffers with money they aren't entitled to. That is how this law will be used, regardless of the well-intentioned hopes of those that support it.
it's no different than putting a pixel on ourselves. The burden is on us to know what we are including on pages under GDPR.
IMO, forums that are large enough to be potential GDPR enforcement targets -- which is a vanishingly-small percentage of them -- should be doing their own image rehosting anyway.
Image hotlinking has always been a very perilous thing to allow, from both legal and technical standpoints.
IMO, forums that are large enough to be potential GDPR enforcement targets
GDPR does not discriminate based on the size of the site. My 7 year old niece could start a site, throw Google Analytics code on there, and be fined millions of dollars for not disclosing it if an EU visitor happens to come by. That is the world we now live in.
Nobody is going to fine your 7 year old niece millions of dollars for using GA. At least not unless that was 4% of her little sites income and even then she would have needed to flount the GDPR rules in a number of more serious was as well to receive the maximum penalty.
According to the letter of the law - the only thing that matters - this is exactly what could happen and would be perfectly legal. Are you arguing that fining her would be illegal under GDPR if she failed to disclose it? You’re wrong if you are.
I'm saying there is no precidence in history of any of the EU members imposing a maximum fine against a child for their personal project.
You're pulling out the scariest parts of the GDPR and assuming everyone is going to get bettered with it regardless of:
* whether they've already been warned or not
* their site's size or income
* business size or income
* nor even the severity of the transgression
Thankfully our universe and reality doesn't operate in your worst case fear-mongering. And as I've already stated, you can look back at the history of EU legislation to see evidence to that effect. Posting absurd and unfounded arguments like your previous example really doesn't help the situation one bit.
But it would be legal under the GDPR, correct? That’s the problem with this whole argument. Nobody wants to have to depend on the good graces of the EU to “only” fine them “small” amounts (maybe $2 million instead of $10 million, considering her age and all). This law can be used essentially as an EU imposed tax on the entire Internet, and there’s no reason why it wouldn’t be used that way.
By the way, there are zero provisions in the law that require warnings before an action is taken to issue fines. You can keep saying that they’ll issue warnings, that doesn’t make it true.
Again, there is no precedent in history of any of the members of the EU doing what you keep saying they will do. Personally I trust their track record more than I trust your comments because one is a proof by example and the other is just absurd hypotheticals.
Or to phrase it in our own words: You can keep saying that they'll fine your niece millions for a hobby project but that doesn't make it true.
We thought about that, but then you run into other issues. All of a sudden DMCA claims will skyrocket, bandwidth costs rise, we may get our servers blocked from retrieving images from certain image hosting services, etc. That is not a silver bullet without its own risks and additional costs.
Having done this myself for large forums, I think we had a single DMCA. Bandwidth costs are relatively inexpensive, too. You can cache images for an indefinite amount of time, serving them over your existing CDN, and purge the older cache based on last-to-access. I've not been blocked from any image hosting sites.
All 28 countries also have different privacy laws, consumer-protection laws, trademark laws (to some extent), language laws, etc. How much is that costing you?
The new issue is the extent of the extraterritorial reach that was built into this law. With GDPR, the EU is essentially making the claim that it can dictate rules to and reach into the pockets of any company anywhere in the world, whether or not they have a presence in the EU.
GDPR is internally consistent and designed from the ground up to protect individuals like you and I from the sort of companies that I at least do run and I have no idea what you do.
There is no extraterritorial reach at all. If you want to deal with Europeans then you should respect their laws. In the same way I would not dream of abusing your rights, according to those laws that your legislature have granted you (within reason).
In a way you might describe GDPR as a form of politeness and I'm sure we are all in favour of that. (No lawyers needed)
Can you please not post this kind of thing to HN? You veered into being uncivil/unsubstantive several times in this thread. Besides being against the rules (https://news.ycombinator.com/newsguidelines.html), it undermines your argument.
Mostly compliant is not actually compliant. Respecting users and their data has nothing to do with the policies, procedures, and technical operations necessary to become and stay compliant. That being said it doesn't need to cost 7 figures but it is a material expense to businesses of all sizes.
Sort of a bullshit reason. Too expensive to "bring the infrastructure and code in line with modern standards." What does that mean? Why is it necessary to do that at the expense of shutting down the service?
What it means is that they have let their technical debt accrue to the point where they feel the only way forward is too costly to justify the work. It happens to 'cash cows' that are only milked but not fed. Eventually the cow dies of malnutrition.
Why is that bullshit? They're saying that the site is too expensive to run as-is and too expensive to fix. That's pretty much the most obvious reason possible.
From my understanding, the code is lost or there is noone who knows how to run the software or the infrastructure.
These are real problems that can kill a company. The only resolution is to rewrite or reverse engineer everything, not an option for old software with little revenues.
Major security or stability bugs resulting in increased operational costs over time? Ones that are difficult to fix with the current infrastructure and codebase?
Op-ex exceeds revenue to the point that operating capital is better invested elsewhere.
Some things possibly adding step changes to the costs can be regulatory (GDPR) and patching (outdated dependencies having no obvious upgrade paths). The latter is a killer, especially if it's a platform going away, eg some LTS OS.
