
The likes of YouTube will be affected the least. They already have aggressive copyright enforcement measures in place, and they can afford to do that.

Smaller, more independent platforms will not be able to afford to implement compliance with these new regulations, and will potentially be driven out of business.






YouTube, the company, will be fine. They'll just ban any content that triggers their enforcement systems. I'm worried about YouTube, the platform, and the bastion of free exchange of information and ideas that it has been until now. A response-type video or movie review will almost certainly be false-flagged by a system like this.

Of course, I agree with you that independent platforms are going to have a rough time. They either have to manually review all content themselves, not allow any user-uploaded content, or pay a company to do this for them.


I think at least the intent is to avoid smaller businesses being hit too much.

If the PDF (https://juliareda.eu/wp-content/uploads/2018/09/Copyright_Se...) posted elsewhere in this discussion is accurate, Article 13 paragraph 3 was amended:

> When defining best practices, special account shall be taken of fundamental rights, the use of exceptions and limitations as well as ensuring that the burden on SMEs remain appropriate and that automated blocking of content is avoided.

SMEs = Small and Medium-sized enterprises


The worse for YouTube the platform, the better for free, decentralized, federated competitor platforms like PeerTube.

Except they have to comply with the law too.

Well, of course the law applies to them too. But what happens in the instances that they don't comply? Laws are enforced by incentive structures, such as punishment. Who gets punished or otherwise incentivized to make PeerTube comply with the law, and what effect will that have on the functioning of PeerTube?

There are three main ways to do P2P content distribution. One is like BitTorrent, where you only host the content you yourself wanted. This has obvious privacy issues. Anyone can tell what you read/view based on what you host.

The second is you distribute content to random hosts, who don't even know what it is (so they can't associate it with whoever is downloading it). This solves the privacy problem and has adequate performance but it only works if you don't have bad laws that impose liability on people even if they aren't knowingly hosting something illegal. Otherwise the government can prosecute a couple of random innocent people and put enough fear into everyone else that they move back to Facebook.

The third is onion routing. Then it's hard to shut down specific hosts (you don't know who they are), but it's slow and if your laws are sufficiently bad it can be made illegal to use it at all even if you aren't doing anything wrong. At that point you go down the road into Tor Project vs. Chinese Firewall, but that's just a disgraceful way to have to operate your communities in a democracy. And for every bug an innocent person goes to prison.


That's so depressing that we have to have serious discussions about technical countermeasures against our oppressive EU regime. Just because of some old ignorant evil assholes. Time to leave the EU I suppose.

If the solution were technical we would need a combination of 2 and 3. Distributed hidden services. Is this even possible?

The problem with technical solutions is basically Child Abuse Images. I am a big believer in freedom and privacy. I am also a big believer in protecting children. Many people understandably prefer protecting children to seemingly (to them) abstract concepts like freedom. Any technical solution needs a method to remove certain content - and as soon as such a method exists people will want to abuse it for political reasons.

The solution has to be political not technical - somehow we need a political situation where basic freedoms are respected. This can only exist as revisions to countries' constitutions. Simple laws protecting freedom are too easy to overturn. And we can't carry on resisting re-heated versions of the same stupid law every two years.


> If the solution were technical we would need a combination of 2 and 3. Distributed hidden services. Is this even possible?

It is possible.

> The problem with technical solutions is basically Child Abuse Images.

This is a fake reason which is only used as a justification for censorship technologies. In practice it's better to allow distribution so that it happens in the open and new images can be discovered sooner and traced back to the perpetrators who created them. If you shut down a distribution network every time you find it then the only ones that exist are the ones you don't know about, which means you have no source of evidence to make cases against unknown active pedophiles.

The FBI had a successful campaign where they quietly seized a distribution server and then continued operating it so they could collect evidence and make cases against those using it. Naturally the headlines were "FBI distributes child pornography" rather than "FBI arrests many child pornographers" as though preventing distribution is somehow more important than arresting the creators and rescuing the children.


That's EU after all. They will mass punish everybody, then try to ban traffic.

> “Thousands of Swedes have received threatening letters from law firms which accuse them of illegal downloading. They are asked to pay a sum of money, ranging from a couple of thousand Swedish Kronors up to several thousand, to avoid being brought to justice,” Bahnhof Communicator Carolina Lindahl notes.

> “During 2018 the extortion business has increased dramatically. The numbers have already exceeded last year’s figures even though four months still remain.”

> This year to date, 49 separate court cases have been filed requesting ISPs to disclose the personal details of the account holders behind 35,711 IP-addresses. As the chart below shows, that’s already more than the two previous years combined.

> Also, the number of targeted people exceeds that of all US and Canadian file-sharing cases in 2018, which is quite extraordinary.

https://torrentfreak.com/more-than-35000-pirates-targeted-in...


No, that's not true. If the law mandated running content filtering system that costs $10M/year to run (in addition to any existing systems), then it'd be worse for YouTube, but they will survive. It would absolutely kill smaller providers dead.

Free, decentralized, federated competitor platforms are not small providers.

Unless by participating in free, decentralized, federated platform you expose yourself to legal liability for any content present on the network and passed through your node. In which case you probably can't afford it.

... which would also have to comply.

> A response-type video or movie review will almost certainly be false-flagged by a system like this.

To be fair, that hypothetical problem is caused by a broken classifier and not the law. After all, YouTube already blocks and removes content like you've described but no one is accusing the classifier of stifling free speech.


What about distributed systems without central control? Will the new laws force them to introduce filtering into the software (which could e.g. be open source and forkable by anyone)? Or does this only apply to systems with a centralized repository?

I'm curious how this is supposed to work.


Presumably anybody who runs a server / node would be liable

You can look up the legal actions related to Usenet to see an example of US State Attorneys General banding together to attack a distributed system because a few people were posting bad stuff on it.

"What about distributed systems without central control?"

The copyright industry and their bought-and-paid-for politicians have repeatedly demonstrated that they have no mental model for such forms of distribution. Have you forgotten the panic that ensued fifteen years ago, when the music industry was suing middle schoolers?

(The irony is that the very same platforms these industry lobbyists are whining about only became popular because they killed P2P via the courts.)


This is wrong. Small and micro platforms are excluded from the directive’s scope.

Source from legislation: In particular, small and micro enterprises as defined in Title I of the Annex to Commission Recommendation 2003/361/EC, should be expected to be subject to less burdensome obligations than larger service providers. Therefore, taking into account the state of the art and the availability of technologies and their costs, in specific cases it may not be proportionate to expect small and micro enterprises to apply preventive measures and that therefore in such cases these enterprises should only be expected to expeditiously remove specific unauthorised works and other subject matter upon notification by rightholders.


The problem is that the gap between such platforms and YouTube is enormous, and long before they are even remotely competitive they will be required to spend vast sums of money on compliance. A secondary effect will be a reduced willingness to invest in small-to-medium sized competitors due to the regulatory costs and the risks of non-compliance, further hampering growth.

Much as I hate to admit it, the biggest reason US tech companies have been so much more successful than European tech companies is that the US imposes far fewer regulations, which allows companies to use more of their revenue on growth.


Yes, the Googles and Facebooks of the future will be affected the most.

This is consolidation of power, finally locking down the Free Internet just as we've done with every other industry. Stripping the power to change from the small.

And what are we doing about it?


While I agree that regulation favours big companies, potential competitors will base themselves offshore, or create distributed apps that have no jurisdiction.

Both strategies have been tried and are unlikely to hold up in court.

A bit challenging to sue a project when it has no owners and no jurisdiction.

PS: Jonathan Strange: Great books and even better TV.


Nor customers/users.

The problem is that 'normal' people don't know how to use most distributed/encrypted/stick-it-to-the-man products, nor do they care.


'Normal' people already use distributed content: Google and Facebook's content is held in data servers all across the planet. The next stage is to distribute the governance of that content, which similarly, most users won't be aware of.

This is just a pedantic disagreement about what "distributed" means. It's all about context.

Somebody has to host the content. You can sue those people. P2P filesharing works the same way. Normal people get unfriendly letters from lawyers.

And yet people still download Torrents.

> And what are we doing about it?

Make our own content and host it ourselves?

This type of law is only effective due to centralisation of Internet services. If everyone self-hosted and was accountable for their own content there would be no scope for such legislation. All HN would hold would be linked-lists of URLs, no actual comment content.

Imagine a decentralised, federated HN where each comment originated from its owner's site.


> This type of law is only effective due to centralisation of Internet services.

This type of law encourages that very centralization. Look at the provisions of GDPR, for example. Do you think a two-person startup is going to have the resources to deal with all of its provisions? Or in this case: do you think that a new video-sharing startup is going to have the resources to deal with the more stringent copyright enforcement requirements?

The EU has, in effect, made a Faustian bargain with Google, Facebook and Twitter: if you accept our regulation, we'll ensure that you have no competitors.


> Look at the provisions of GDPR, for example. Do you think a two-person startup is going to have the resources to deal with all of its provisions?

GDPR is a bad example, because yes, that's definitely possible. And it should be, if that startup handles personal data.


But what kind of startup doesn't handle personal data? All companies have that in the form of customer and supplier account information needed for billing purposes -- especially if they're not in the advertising business.

Absolutely, and that's kind of my point. Even a single person operation can comply with the GDPR, as most of the policies to do so should already be state-of-the-art for companies who handle personal data (in a non-malicious way). I agree there is some annoying administrative overhead, but it's definitely manageable (speaking from experience here).

It can't be everything all at once. "They process personal data" is equivalent to "they exist" and the compliance cost is non-trivial (or what is everybody complaining about?). The only remaining option is that it's destroying a significant percentage of startups and creating a moat around incumbents.

The only argument you can make at that point is that it's worth the cost, but is it? The damage to privacy of having everyone's data in the hands of conglomerates that are no longer subject to competitive pressure has got to be worse than Mom and Pop occasionally mishandling the information of their two hundred customers. Just having the centralization at all is worse than anything that could happen to any given 0.5% subset of it, because every misuse or compromise is 200 times worse even if they only happen 10% as often.


The operating part is "should already be state-of-the-art". The typical programmer already knows that personal data is sensitive and treats it that way. Maybe there are some adjustments here and there, or some oversights or things-that-should-have-been-fixed-months-ago. But most of what needs to be done has already been law in one form or another, so the programmer is trained to do it correctly. There are retention laws for tax data and business communication of 7 years and longer, which override the GDPR, so the startup will most likely be out of business before any deletion is required.

So what remains for the business part of the startup is to make sure the necessary contracts with all third parties are in place (the pressure-the-conglomerates-part), and to explain it to the users. This is annoying, but also not much worse than the typical legalese stuff the CEO has to deal with. The data privacy policy of a certain privacy activist reads, in essence: "We store only what we need, and delete it as soon as we can, as long as we are not required by law to store it for any longer." You don't even need a law degree for that, as you shouldn't, because the text should be readable for the end user.

> What is everybody complaining about?

I don't know, the GDPR is basically German data privacy law, and it hasn't stopped Berlin from becoming a startup center in Europe. I guess if you don't want to be GDPR compliant due to the effort that's fair, but you should know that there are much worse things ahead for a company.

However, if you are not _able_ to be GDPR compliant as a small organization, while many of your competitors are, you should absolutely not be entrusted with personal data.


> The operating part is "should already be state-of-the-art". The typical programmer already knows that personal data is sensitive and treats it that way.

The expense doesn't come from that. Even if you're doing the right thing in spirit, now you have to compare what you're doing to a complex regulatory framework. That's pure overhead that you pay even if you don't even have to change anything.

> This is annoying, but also not much worse than the typical legalese stuff the CEO has to deal with.

You're saying that this thing that harms small businesses and entrenches incumbents is like the other things that harm small businesses and entrench incumbents. But that's the problem. Each one you add is an incremental burden that moves the margin for how many startups you kill by another kilometer in the wrong direction.

> The data privacy policy of a certain privacy activist reads, in essence: "We store only what we need, and delete it as soon as we can, as long as we are not required by law to store it for any longer." You don't even need a law degree for that, as you shouldn't, because the text should be readable for the end user.

That is a very aspirational privacy policy that also happens to be very strict and trivial to violate unintentionally. And what are the consequences for not following your own very strict privacy policy?

This is why most of the big companies have one that says something to the effect of "we promise to use your data for things we want to do" but then have to be carefully crafted by lawyers to simultaneously minimize liability and hold up under scrutiny.

> I don't know, the GDPR is basically German data privacy law, and it hasn't stopped Berlin from becoming a startup center in Europe.

It's all relative. If Germany has a significant regulatory burden but Greece is a hotbed of corruption, Germany can still do better than Greece. But not as well as it could have done with less overhead.

> However, if you are not _able_ to be GDPR compliant as a small organization, while many of your competitors are, you should absolutely not be entrusted with personal data.

The pretense that complex regulations only cost you if you were previously doing something wrong is empirically false. The cost of complying with the regulation is in addition to the cost of doing the right thing and is still paid by everyone who was doing the right thing already. And it can be enough to destroy a company that was not actually mishandling data but merely had low operating margins.


I'm not arguing against any of that, including your statement that the GDPR might be the last drop to destroy a compliant-in-spirit company which has been surviving just so. I'm merely questioning the scale of the problem (based on my own experience implementing the GDPR in a low operating margin context) and their right to exist to begin with (based on my personal view on the sad necessity of data privacy regulation).

Most of the rules in GDPR apply only to personally-identifiable information that is not strictly required for business operations. The law recognizes that, when you want to ship some goods to a customer, you will have to process and store their address, and no opt-in is needed because the customer explicitly gives that information to you.

Explicit opt-ins are only required when you record personally-identifiable information surreptitiously, or share this information with other parties.


> Most of the rules in GDPR apply only to personally-identifiable information that is not strictly required for business operations.

I'm sure there are some provisions intended to help out smaller entities. But the compliance cost is the cost of understanding the legislation so you can comply with it. You still have to pay it even if it turns out not to apply at all -- because you can't know that until you go through all of it first.


It’s not without precedent though:

“copying restrictions were authorized by the Licensing of the Press Act 1662. These restrictions were enforced by the Stationers' Company, a guild of printers given the exclusive power to print—and the responsibility to censor—literary works”

https://en.m.wikipedia.org/wiki/Statute_of_Anne



