Things to know about the GDPR, Mozilla and Firefox (blog.mozilla.org)
430 points by Garbage 9 months ago | 97 comments



I have a profitable, bootstrapped SaaS business. It's not based on ads or selling data. I don't even have a freemium plan. Only a limited free trial after which you have to start paying. It's a trivial application that stores mostly already public data. Only email is required to login so that I can send password reset and other such communication.

I've been talking to a very well known giant corporation for months. The VP and director love my product and want to start using it right away for their department. But their legal team is scared shitless with 4% fines in GDPR. They are putting some draconian clauses, (various ISO certifications and such) in the contract that I, as a small company, cannot comply. That's their interpretation of GDPR. It doesn't matter whether it's right or wrong.

The VP and Director are really nice people and I've developed very good rapport with them. But I'm afraid their patience will run out soon and they'll go back to using spreadsheets. A lose-lose situation.

This is the side-effect of GDPR.

I'm all up for GDPR. I have uBlock, have blackholed all Facebook domains, etc. But don't assume that GDPR doesn't affect normal business transactions. Anyone who says, "Oh, how hard could it be?" has no idea what they are talking about.


That's interesting, as what its website privacy policy actually says looks the exact opposite of GDPR compliant. From https://www.mozilla.org/privacy/websites/ which is linked as the Privacy link from https://addons.mozilla.org.

>We may use cookies, clear GIFs, third party web analytics, device information, and IP addresses for functionality and to better understand user interaction with our products, services, and communications. Learn More

>You can control individual cookie preferences, indicate your cookie preferences to others, and opt-out of web analytics and optimization tools. Learn More


If the data collected is not personally identifying data, then GDPR is not interested in it. Maybe it is PII, but the quoted policies don't say that.

> We may also use cookies, device information and IP addresses, along with clear GIFs, cookies and third party services to help us understand in the aggregate how users engage with our products, …


This brings up an interesting point: cookies are not just for user/session identification. Yes that's how the majority of the apps work but instead, it's totally possible to use cookies to customize a site's experience, feature by feature. A cookie for the theme, a cookie for the font prefs, etc. Yet most sites still insist on logging the user in to customize the experience, and rely on some central storage to determine user preferences.


"User-interface customization" cookies are actually explicitly exempt from EU consent requirements: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

I believe they should not be affected by GDPR either, since they're not actually identifying a person.


Yet you could use them to do that once there is a significantly high amount of customised settings ...


Wasn't there some website where you could pull a relatively small number of easily accessible prefs from the browser (OS, list of fonts, browser, etc.) and get a nearly uniquely identifying set of facts about someone?



Yup, the fingerprinting portion of that was what I had in mind.


This is a terrible use case for cookies. Any browser reset or change, new computer, your phone, etc, and you need to redo the whole experience every time. I'd rather login and customize once.

Cookies get sent with most requests as headers so you're unnecessarily bogging down requests with data unrelated to the session.


It can be worked around. For example, you can use those cookies just to initialize the client web browser. Once it's done, the data can be cached inside the localStorage, and the cookie itself can be deleted (Or changed to a marker that tells the server that the client has been customized).

Of course this may require some heavy changes on the client-side code, as the client now must have the ability to apply the user's customization locally, but there are benefits: after you've done that, you don't have to read the user's customization data from any of your infrastructure every time the user reloads your page.
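The workaround described in the comment above, combined with the earlier point in the thread that enough customised settings could identify someone, as an added example (not code from the thread or from any project it mentions). The `pref_` cookie prefix, the `prefs_local` marker, `Path=/` and the schema are assumptions made for illustration.

```javascript
// Added example; all names here (PREF_SCHEMA, migratePrefs, prefs_local) are hypothetical.
// Allowlist: every preference key and the only values it may take.
// Small enumerations leave no room for an identifier to hide in a "preference".
const PREF_SCHEMA = {
  theme: ["light", "dark"],
  font: ["serif", "sans", "mono"],
  density: ["compact", "comfortable"],
};

// Upper bound, in bits, on what one visitor's full preference set can encode.
function maxPrefBits(schema = PREF_SCHEMA) {
  return Object.values(schema)
    .reduce((bits, options) => bits + Math.log2(options.length), 0);
}

// Read the pref_* cookies from a Cookie header; keep only allowlisted pairs.
function readPrefCookies(cookieHeader, schema = PREF_SCHEMA) {
  const prefs = {};
  const seen = [];
  for (const part of String(cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name.startsWith("pref_")) continue; // session cookies are left alone
    seen.push(name);
    let value;
    try {
      value = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (err) {
      continue; // malformed percent-encoding: treat as invalid
    }
    const key = name.slice("pref_".length);
    const allowed = Object.prototype.hasOwnProperty.call(schema, key);
    if (allowed && schema[key].includes(value)) prefs[key] = value;
  }
  return { prefs, seen };
}

// Copy valid preferences into storage, then return the cookie strings that
// expire every pref_* cookie (valid or not) and leave a one-bit marker.
function migratePrefs(cookieHeader, storage, schema = PREF_SCHEMA) {
  const { prefs, seen } = readPrefCookies(cookieHeader, schema);
  for (const [key, value] of Object.entries(prefs)) {
    storage.setItem("pref_" + key, value);
  }
  const cookieWrites = seen.map((name) => `${name}=; Max-Age=0; Path=/`);
  if (seen.length > 0) {
    cookieWrites.push("prefs_local=1; Max-Age=31536000; Path=/; SameSite=Lax");
  }
  return { prefs, cookieWrites };
}

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const data = new Map();
  return {
    setItem: (k, v) => data.set(k, String(v)),
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    get length() { return data.size; },
  };
}

// Constructed sample: a session cookie, two valid preferences, one value
// outside the allowlist, and one identifier posing as a preference.
const SAMPLE_COOKIE_HEADER =
  "sid=abc123; pref_theme=dark; pref_font=comic; pref_uid=7f3a9c; pref_density=compact";
```

In a browser, pass `document.cookie` and `window.localStorage`, then assign each returned string to `document.cookie`.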


I don't think a gzipped header with some hundreds of bytes of JSON (or BSON) for preferences is that much bigger than one with a session id string in a cookie.


100% exactly. Cookies are device and moment specific. Whereas a user account can easily save and transport the saved experience/setting anywhere the user wants to access them.


I specifically do not want to have the same experience on multiple devices.

I do not want to have the same experience on my work computer vs my home computer.

I do not want to have the same experience on my home computer vs my personal phone.

I do not want to have the same experience on my personal phone vs my work phone.

I do not want to have the same experience on my work phone vs my work computer.


Firefox (and Chrom{e,ium} AFAIK) can sync up your cookies, among other things.


but if you go this route, you have to share them with a third party (Mozilla or Google)?


Yes, but Firefox's Sync is open source [1], so you should be able to set up a private instance. IDK how easy or hard it is though.

[1] https://wiki.mozilla.org/CloudServices/Sync


Thanks for the suggestion. That wiki page brought me to https://mozilla-services.readthedocs.io/en/latest/howtos/run... which I intend to try out. I want to migrate my Firefox profile from Windows to Linux and syncing seems to be the easiest way to transfer bookmarks and saved passwords.


I am struggling to understand how it is bogging down requests with data that are "unrelated" to the session.

Cookies are delivered with the request. If it has feature selections, great, no more work necessary on your part.

If the feature selection is hidden behind a user ID, then you need to look up the user ID in a database and then request the user's features.

Indeed, it seems to me that requiring a login in order to customize the viewing experience is what bogs down requests.


You could backup your cookies and share them across devices? ... I don't think "bogging down" requests is a very big issue nowadays...


Once upon a day, twenty years ago, site feature selections were exactly what cookies were used for.


A cookie is such a transient data source. Some people regularly purge them all. Some people use more than one device.

I wouldn't bother changing any preferences that disappear every time I clear out my cookies. For starters, I'd have to figure out where on the website the preferences are set -- and if it's in the user profile, well, just save my preferences there.


An example of what you describe is duckduckgo.com: its cookies contain preferences without any user identifiers.


Then, there are those who go in the opposite direction and store all session information in the URL!


One of the most common interpretations I've heard is that IP address is PII according to GDPR. Even if not combined with other PII.

So based on this description they are doing PII.


From the text of the directive:

"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

An IP address is an "identifier". However, an IP address does not in and of itself identify a natural person; you know that, I know that, and even the GDPR knows that.

However, if you start building a map of IP addresses to user real names, or some other form of profile construction, then the IP addresses become personal information.

(comment hoisted from other thread)


GDPR introduces a new concept called "Personal Data" which includes things like IP addresses and opaque database keys. Something is personal data if it is tied to an individual, regardless of whether sufficient information to identify that individual is contained in the data itself. An IP Address (or, according to some interpretations, an IP Address + timestamp but not an IP Address on its own) is Personal Data but not PII.

The GDPR does not address PII at all. To a first approximation, PII is now an American legal concept and Europe has a completely different (and strictly broader) definition of privacy-relevant data.


If they _store_ IP. You will see an IP with every single connection to a service. If you don't store it - but say, you store a country level geolocation instead - it's not PII.


They’re using Google Analytics, by default, in the browser UI and on their Websites, without opt-in or visible opt-out (it’s hidden in the tracking prevention settings of the browser itself, and chained to the DNT setting).

That’s about as violating as it gets.


Are you accounting for the fact that Mozilla has a special contract with Google regarding the use of Analytics?

https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14


Yes. That still requires at least a cookie notice in any case.

But Mozilla doesn’t have that, and merely has a tiny grey-on-grey 10px tall "Privacy Policy" link in about:addons.


But a cookie notice is not part of the GDPR, right?


The notice not, the requirement is.


Users are free to block third party cookies.


They need to know that third-party cookies exist for that, though.


If Google is collecting the data, not Mozilla, who's violating?


After completing our mandatory and very boring GDPR training at work, I can tell you that it's Mozilla :)


OK. Can you tl;dr for me why that is?

Is it because I've asked Mozilla to show me a web page, and the data collection happens as an automatic result of that?


Yes, you asked Mozilla for the web page, and they decided to load Google Analytics.

Mozilla is the Data Controller, and they asked a third-party (Google Analytics) to process the data of Mozilla's users (that includes simple visitors to the site), making Google a Data Processor. The Data Controllers generally have more obligations than Processors, since they control how the data is handled, and to whom it's passed.


That's a powerful headline, but unless I'm being A/B tested, it has little to do with the article. Did you mean to link to "13 things to know about the GDPR"?


I don't see where the current headline fits in with the blog post linked. Perhaps a better article (though I still can't see as strong a headline) would be https://blog.mozilla.org/blog/2018/05/23/the-general-data-pr...

> Our Firefox data collection review process is the cornerstone of our effort to meaningfully practice privacy-by-design and assess privacy impacts to our users. We believe it is consistent with the GDPR’s requirements for privacy impact assessments. Mozilla has had this process in place for several years and revamped it in 2017.



I got the email from mozilla too, where they say it's not another privacy policy update and link to that same blog post.

I guess from the email it was implied that they are already compliant, but then the linked blog post in the email in no way confirms that...

Weird.

The email said:

>> Does it seem like every service, app or subscription you've signed up for is sending you a privacy policy update? It's all because of the General Data Protection Regulation, aka the "GDPR," a sweeping new European regulation taking effect this Friday.

GDPR has implications for many organizations, and that includes Mozilla. But unlike other organizations, Mozilla has always stood for and practiced data privacy principles that are at the heart of privacy laws like the GDPR. It feels like the rest of the world is catching up to where we've been all along.


OK great, can we have First Party Isolation enabled by default now? Y'know, for privacy. Browsers should be protecting users by default.


Just have the browser present the user with the choice on install.

( ) Enable third party cookies. This may allow third party websites to track you across the internet.

( ) Disable third party cookies. This may break some functionality on some websites.

It's no more confusing to end users than the endless sets of checkboxes websites have to use for GDPR or the pointless click OK to accept cookies notices.


Yeah I'd be happy with that approach, should include upgrades as well as new installs though. Just to have every user aware that their browsers contain a single setting that can prevent vast amounts of tracking would be a huge improvement over today.


Yup, that's how it should be. Technical solutions are always superior to regulations.


It seems like the regulations help to create an environment conducive to innovation. There is now a strong incentive to solve the problem "a better way". Let's hope it happens!


Except they don't. If they'd simply legislated that all web browsers have to ask that question, awesome. Instead, they legislated that every business on earth has to explain it to end users and separately ask for consent. So, even if all web browsers were updated to correctly ask for third party cookie permission, every business on earth still needs to do all the expensive hoop jumping.


I've gotten emails from sites I signed up for at least a decade ago. I find it troubling that that many sites I've signed up for had to actually change their privacy policies because of this. But I guess in the end, it's a good thing that they're all changing.


Pretty much every site you ever had to sign up for has had to change things, it's part and parcel of the process.

kuschku 9 months ago [flagged]

Great, so about:addons doesn’t use tracking Google Analytics cookies anymore? Or has a visible way to disable it (you need to enable DNT to get rid of this).

And Firefox Nightly does not track personally identifiable telemetry anymore?

No. Mozilla still tracks every step I take.

What the fuck, Mozilla?

EDIT: Example. If you go to view-source:https://addons.mozilla.org/en-US/firefox/ — In the code you’ll find Google Analytics, and if you open the page, it’ll set tracking cookies. No cookie notice, no opt-in, at all.

How the FUCK is this supposed to be GDPR-compliant? Cambridge Analytica is more GDPR-compliant than this.

EDIT 2: See also https://github.com/mozilla/addons-frontend/issues/2785 to show that about:addons loads addons.mozilla.org, including the Google Analytics trackers without opt-in.

EDIT 3: See also https://www.mozilla.org/en-US/firefox/channel/desktop/ which explains that Nightly and Beta always send telemetry, which can not be turned off in any way, and your only way to avoid it is to stop using the product, which again violates the GDPR section on "free consent".


> Great, so about:addons doesn’t use tracking Google Analytics cookies anymore? Or has a visible way to disable it (you need to enable DNT to get rid of this).

I can imagine this being legitimate interest, can be disabled with DNT flag, and it's not personal data. Mozilla signed a legal contract with Google which prevents Google from using this information.

> EDIT 3: See also https://www.mozilla.org/en-US/firefox/channel/desktop/ which explains that Nightly and Beta always send telemetry, which can not be turned off in any way, and your only way to avoid it is to stop using the product, which again violates the GDPR section on "free consent".

Options -> "Privacy & Security" > "Nightly Data Collection and Use"

Also, it uses word "automatically", not "always", and "Learn more" link on this page tells you how to disable that. Additionally, telemetry information is NOT personal data - it stores information like how many times you have opened web browsers, how many tabs do you use, but it doesn't send personal data.

Crash reports may contain personal data, but even on nightly, they aren't automatically submitted.


> I can imagine this being legitimate interest, can be disabled with DNT flag, and it's not personal data. Mozilla signed a legal contract with Google which prevents Google from using this information.

Still it would require at least a cookie notice.

> Options -> "Privacy & Security" > "Nightly Data Collection and Use"

That does not disable all telemetry, there were a few discussions about this on the bugtracker, in Nightly, some kinds of telemetry cannot even be disabled through about:config as they are set to "locked: true".


> I can imagine this being legitimate interest, can be disabled with DNT flag, and it's not personal data. Mozilla signed a legal contract with Google which prevents Google from using this information.

Actually the do not track and telemetry preferences do not work on the addon page.


Do Not Track should work on addons page, if it doesn't, it's a bug.

Telemetry settings however don't work unfortunately :(.


> Still it would require at least a cookie notice.

Fair enough, I'm actually somewhat curious why Mozilla doesn't provide a cookie notice. Not that it matters, because those notices are used everywhere and people ignore them.


https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14

"GA also doesn't track IPs or store PII within the tool."


Still requires that they inform the user, with the Cookie Notice soft-consent (or whatever the new ePrivacy directive will replace that with soon).


If the Cookie does not track PII, then you don't need such a banner. Cookies used for logins are excluded as well. 99% of web publishers went completely overboard with Cookie banners, because they did not understand the law.


It seems to me that if nobody can understand what the law actually covers, it's an exceptionally shitty law.


> If you go to view-source:https://addons.mozilla.org/en-US/firefox/

Good catch!


The GDPR only regulates use of personal data, not all telemetry, though.


It makes me think back to the Mr. Robot ad fiasco a while back.


...in which no personal data was collected at all.

Just because in some ways it's technologically possible for Mozilla to track your stuff, does not mean that they actually do it, that they actually violate their privacy policy or now the GDPR.


Moreover, many EU companies don't need to update it either.


And a ton of non-EU companies don't, but are doing so for future purposes. Despite territorial scope, a company without any form of business in the EU, they can't enforce this against non-EU businesses.


You are wrong. This is a misconception that has thankfully died down a bit over the past week or so, but apparently it is still a bit alive. There are accords in place between (for example) the US and the EU, which allows the EU to hand out fines overseas. The reverse is also true (the US can and does litigate in the EU).


Show me case law where an EU government fined a US company and how they enforced payment of that fine.


When did I mention case law? Shouldn't you be asking me for proof of the accords I mentioned, which is what I'm actually talking about?


I asked for case law because that would give me evidence that this actually happened. That's because it can't happen. That's because you're dead wrong:

https://community.spiceworks.com/topic/2007530-how-the-eu-ca...

"While we don’t yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years."

That's politician for "We have absolutely no recourse if the company doesn't have an established business in the EU."

EDIT: That's a nice article. It goes to explain that if a company has no presence in the EU, it has to identify an agent in the EU to act on its behalf. So any company can simply NOT do this if they never intend to have EU offices and the EU has no recourse.


So where is the evidence of the accords? How will they enforce it?


You won't get a response. There aren't any accords and there's no way to enforce it. It's empty threats.


Microsoft for antitrust violations more than once is just an example, but that's the EU itself.


Just like the other two people that brought up the same thing:

Microsoft had a presence in the EU long before the antitrust violations came. I'm talking about a US company that has no presence in the EU. That's a harder example largely because it doesn't exist.



That's not an example of what I asked for. Microsoft had offices in the EU when this case started, which made them an EU company for all intents and purposes.



That's not an example of what I asked for. Microsoft had offices in the EU when this case started, which made them an EU company for all intents and purposes.


Bullshit. Please tell me how the EU has any possible way to enforce this law in the courts against some small business in the US that has no EU presence but many EU customers. There is zero chance that US courts are going to let this small business be fined by the EU for violating an EU only law.

Their absolute best option would be to attack global platforms that small businesses rely on to get the platforms to enforce compliance or blacklist those small companies. This is especially potent for Visa and MasterCard. I doubt that will ultimately work though.


> Their absolute best option would be to attack global platforms that small businesses rely on to get the platforms to enforce compliance or blacklist those small companies. This is especially potent for Visa and MasterCard. I doubt that will ultimately work though.

Actually, that part is the most plausible way that companies outside the EU with no EU presence could be forced to comply with the GDPR.


Agreed that it’s most plausible, but still not very. I don’t think the US is going to stand for letting the EU squeeze these companies to enforce their laws on every small business with a website in the US.


FWIW while you're right, that's awfully shortsighted unless you're a mom & pop shop with no intent of ever expanding beyond your backyard.

A lot of devs hanging out on HN are working for companies that have at least some B2B aspect. Being GDPR non-compliant means these companies will have to avoid you too, because even if they're themselves not affected by GDPR they may have customers who are and need the compliance to be able to do business with those customers.

But that said, as an EU company, US companies are only an option if they're Privacy Shield certified and offer a Data Processing Agreement. And even then it's safer to go for a company in the EU or in an "adequate"[0] country. You don't want to be caught unaware when some court or orange person decides to blatantly violate the Privacy Shield guarantees and you have to treat it as a breach.

[0]: https://ec.europa.eu/info/law/law-topic/data-protection/data...


The US is an enormous market. You could easily be a multi-billion dollar company without having a single presence in the EU. Hell you don't even have to stay in the US market, since Asia is a thing.

Calling it a "backyard" is disingenuous. Most companies are going to follow this because they have global aspirations, but that doesn't mean it's impossible... or even all that hard.


They can.


Care to elaborate? In which US court does the EU have standing to bring suit against a US citizen or corporation for violation of regulations the US does not recognize by either law or treaty?


Yeah, you aren't going to get what you asked for. There are no civil enforcement agreements between the EU and the US so they can do exactly nothing.



I've seen plenty of EU news sites try to get away with an updated 'cookie' privacy policy popup, so we'll see what happens.


Where can you read about who needs to do what?


Yet they still do.



Possibly they had user agreements that were so badly written they'd have been a problem even if they weren't actually collecting a lot of data.


Good. Now make sure you don't email me to tell me your privacy policy has not changed, please :)


GDPR is the best thing to have happened to the internet in a long while.


I downvoted because your comment doesn't add anything to the discussion and, in the context of this post, looks a bit like trolling.

There are people that like and do not like the GDPR. Telling that you belong to one group is not even information.


I'm stating an affirmative position. You wrote two paragraphs explaining why you clicked a button because you don't think my post adds anything to the discussion, or is somehow trolling.



