Unintended Consequences: How the GDPR Can Undermine Privacy (techdirt.com)
43 points by someonelse17 3 months ago | 48 comments

There's a better solution: Stop collecting and keeping personal data.

I can't even read this article without using firefox reader mode to skip the cookie warning / prompt (this works for a lot of sites!).

That's a choice that techdirt makes. Framing it as an unavoidable consequence of the cookie legislation or GDPR moves the focus to the wrong place.

Dude, Spotify is a song streaming service. Holding on to song history is one of the features they offer. Lyft and Uber are taxi services. Holding on to history is a feature. Go start your own privacy car if you want. I'm not in favour of this world where you privacy-first people want all these features removed from applications I use.

They keep quite a bit more than what you see on the surface, or what would be needed for the simplest definition of play history https://twitter.com/steipete/status/1025024813889478656

If they could tell me where I listened to what I’d love that. I wish there were Services for Feature-lovers. I’d love for my player to be able to handle mood (road trips vs work) and hold all these things without me thinking about it. I don’t want checkbox hell.

You're like the NSA's wet dream.

Just track everything and I don't want to think about it!!

Or, better yet, why don't those companies ask before keeping all this data?

Collecting data subsidizes the cost of the service.

Would facebook have 1 billion users if it cost $5.99 a month?

Data collection is not going anywhere, so long as people are willing (even unknowingly) to give up info for a perceived discount.

Now here - fill out my form with your address, email, phone, photo id, and passport number for a chance to win a brand new 2019 Honda!

There have been many free ad-supported services that don't collect your data for many years: newspapers, TV channels, radio, etc.

"Accept data collection or pay for it" is a false dichotomy. Ad-supported websites don't need data collection to be profitable, just as NBC doesn't.

Furthermore, there are many paid services that collect data as well. Last time I flew with KLM the online check-in didn't work because some JS errored out as its data collection script was blocked. Turned out it was sending data to 17 domains on the online check-in page:

4232724.fls.doubleclick.net ad.atdmt.com apps.static-afkl.com c.webtrends.com cdn.tagcommander.com connect.facebook.com dynamic.dimml.io googleads.g.doubleclick.net lm.commander1.com platform.twitter.com sjs.bizographics.com statse.webtrendslive.com t.svtrd.com tdn.r42tag.com w.usabilla.com www.google-analytics.com www.googleadservices.com

And KLM isn't even a budget airline like RyanAir. I paid good money for my flight.

Well Facebook makes about $1.50 per year per user. So they could charge a lot less than almost $6 per month, but it would be harder to capture that money.

>Data collection is not going anywhere, so long as people are willing (even unknowingly) to give up info for a perceived discount.

People are willing in large part because they have no clue what their data is actually worth and/or what pieces of their data are actually out there. Data collection survives because people don't realize they're already paying $5.99 a month (or whatever the real breakeven number is.)

I think it's a pretty good rule of markets that people should know what it is they're exchanging. To that end I should be able to see what these companies gather on me when I use their service.

Techdirt misses the point.

Companies should only collect what they need, and only keep it for as long as they need it, and they have to store it safely while they have it.

All companies get hacked. GDPR compliant companies will have less personal data than other companies who see personal data as something to be gathered in huge amounts and stored for as long as possible, or even sold off.

> Companies should only collect what they need, and only keep it for as long as they need it

For a public company that's just not possible. They'd be throwing money out the window just for kicks. The only way we'll ever get there is through law.

That's like how the EU Cookie law gives incentive to enable cookies:

Disable cookies? See annoying useless cookie warnings all the time everywhere!

You have to enable cookies to make it remember not to spam you with the warnings.

EDIT: and good point in the article, one may wonder how making it easier to request data helps to improve privacy

No. Cookies required to do something the user asked do not require consent. This is solely on the lazy and/or dishonest webdevs.

See http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#se...

Yeah, dude, if I know users are going to not penalize me for this and the government is going to fine me 250k a day for it, I’m going to put it up. That isn’t lazy. That’s just time optimization.

No one’s going to fine me for blanket adding the feature so that’s fine.

You lose money when everyone browsing in incognito/tor/cookie-blocking sessions gets the damned cookie warning every visit, and eventually tires of your site's nagging and goes somewhere else. Or maybe you don't, maybe those users had 17 ad blockers and you don't lose a dime, but it certainly hurts your company's goodwill to have fewer eyeballs.

If users don't bounce, is that based on short-term or long-term research?

Users don’t behave that way. I don’t care about the incognito dudes. Cookie warnings are so passé that all users have trained themselves to always accept. That’s what my user research shows.

Fears of bounces over cookie warnings are overstated. Users do not care.

If a site I use regularly has an annoying cookie warning, I just use uBlock Origin's element picker to hide it. I wonder how narrow the set of users are who care enough to block cookies but can't easily disable the warning.

Before the cookie law websites did not have annoying useless cookie popups though, so it's an unintended consequence.

Most bigger websites and websites hosted in EU did have useless cookie warnings that they didn't need before the GDPR.

No, it's more the bratty kid on the playground who isn't getting their way, so they're throwing a fit and threatening to take their ball and go home.

There's a lot of bratty kids then; most of the articles linked to by Hacker News are on sites with cookie warnings, for example. Not sure if those are visible in the US, but in the EU they are, and they are very annoying.

Avoiding big fines isn't throwing a fit.

I agree. For all that people say there is nothing to worry about, these are fines that would be levied by foreign governments so a company may not really have insight to how likely it is they will be fined.

It's a lot easier for a government to fine a foreign corp than to fine a local one whose workers are all voters and tax payers.

Note that techdirt's tracking consent form starts with all options pre-toggled to "active".

This is in violation of the GDPR, is a pain to turn off, and indicates that no, techdirt does not care about the users' privacy.

They are a US company, and therefore not subject to EU law. Sovereignty is a beautiful thing.

A lot of the companies that store the data aren't. It's not TechDirt storing most of the data: it's all the 3rd-party crap they load.

But that's not really the point I think, the article claims that they care "very much" about your privacy, while at the same time sending your data to dozens of different companies and making it hard to get it to stop doing that. That's not caring "very much" about privacy.

True, it's difficult not to leak personal details in ways that most users do not expect and/or want, which makes it easy to game by providing deceptive solutions.

GDPR is an attack on memory, starting with conditioning to accept regulation on what experiences can be legally remembered* (like who visited your property and their attributes). It starts on a subclass to make it acceptable.

Once that is 'OK' the power centers can expand memory restrictions and go back to adding rules on what can be said (transmitted or acknowledged).

*I'm deliberately trying to mix 'remembered' (like wetware does) with 'saved', or 'written' (like wetware creations do).

No, GDPR is not an initial wedge to drive in censorship at all.

That has been tried before (SOPA, PIPA).

It is, because it censors what you can remember.

Anyway, what I was alluding to already happened: Article 13

It will get worse before the EU breaks up completely. I bet POLEXIT next.

Who can come up with these stories? Like saying that if you let someone hack your email and download all your emails it's the provider's fault. These unknowingly ignorant media superstars of today.. Cheeze.

On other services, when you request your data, they send it (with some delay) through a secondary channel (email, for example), which would prevent this attack.

(Yes, ideally services would collect less data, but if your account gets hacked they can access some data regardless)

This is absolutely a problem we thought about, but we never found a good solution. Try getting the general public to use two-factor auth. Just try and see how that works out.

What is wrong with simply sending a confirmation link via email?

You need to have a secure email and an email address is protected user identifying data subject to GDPR.

Web does not require email for most things.

Promotes falling for phishing attacks.

Unintended consequences of flatscreen TVs. They increase the loss when people break into your home! When will lawmakers take action and ban those pesky flatscreens...

That's a poor analogy, since flatscreens aren't state-mandated (nor have a mandated value-increasing component).

A better analogy would be catalytic converters, which increase the loss when a car is stolen, since there's a significant quantity of precious metal up the tailpipe.

Perhaps an even better analogy (since it provides a direct safety benefit to the purchaser) is that of airbags. For a while, they created an attractive break-in/theft target on their own, due to their very high value to size/weight ratio. I'm pretty sure that was an unintended consequence, too.

People stole airbags?

It's not even past tense, in that it still happens. A web search for "airbag theft" should reveal that it's still an issue.

Presumably it's only less of an issue because the cost of the part has come down from $1k or more (in '92 dollars, no less).

This article is a biased hit piece against the GDPR that only wants to present one side of the issue. It is true that the GDPR requires websites to allow users to download their personal data in a machine readable format[0], also known as 'the right to data portability', and this is what was 'exploited' here. The rationale behind this article is as the name implies: it grants the user the right to easily transfer their data from one platform to another. The historic rationale for this is to allow users to easily move between social media platforms; instead of noting down the names and emails of every one of your friends you can just download your full profile and, in principle, upload this to another social media platform that can automatically do the work of re-adding all your friends. It is also useful for other websites: say you have uploaded 500 photos to one image hosting site and have customised them by giving them titles and descriptions, the right of data portability means that you can download all of these photos and titles/descriptions in a machine readable format so that they can be uploaded to another competing website.

The GDPR also requires companies to provide another means to access data that is different from the right to data portability, this different article is known as 'the right of access by the data subject'[1] and has much more stringent requirements. It can apply to things like your work place or previous places that you have worked, it can apply to health providers, it can apply to a security consultancy agency you hired 15 years ago to install alarms to your house, etc. The purpose of this article is to provide the 'checks' part in checks and balances, it allows a user to verify whether a company is holding information on them, what data they're holding, why they're holding it, and the rights of rectification or erasure (that is again separate from the 'right to erasure' article) among other things. This may seem similar to the right of data portability at first glance but it covers different niches and is much more broad with a bigger bite, it can apply to companies that do not have a website and to companies you do not have an account with (but may still be holding data on you).

Techdirt however confuses the purpose of these two articles and instead transposes the rationale behind article 15 onto article 20 and calls it a failing of the GDPR. Quoted here:

>That's because, under the GDPR, platforms are supposed to make all of the data they have on you easily downloadable. The theory is that this will help you understand what a company has on you (and, potentially, to request certain data be deleted). But, it also means that should anyone else get access to your account, they could access an awful lot of important and/or personal data.

Let's be clear here, this is not a failing of the GDPR and is arguably a reason as to why the GDPR needs to exist in the first place, especially in regards to requiring clear and informed consent or having clear explanations of what data is kept and why. The last part of the quote rings true: if someone has access to your account they can collect the data that is on that account. It should almost go without saying, but it is an embarrassment that it needs to be explained to a tech blog that is masquerading as tech journalism. Other people in the thread have given the example that if someone has access to your email account they can download all of your emails. If someone has access to your Facebook account, they can access all your messages and posts, private or otherwise - hopefully you haven't sent any private pictures to anybody. If someone has access to your Google account they likely have access to 1) your emails, 2) your full search history for however long you have had that account, 3) your full YouTube search history, 4) any private or unlisted YouTube videos that you may have uploaded, 5) any files you have uploaded to Google Drive, 6) any spreadsheets or documents you may have uploaded (if you have flown before and have opened your e-ticket in Google Docs this will have your passport number on it), 7) your full payment history through Google Play or Google Wallet (now defunct), 8) your full location/GPS history if you have location enabled on your mobile device, etc. The list goes on. More importantly than having access to all of this, with nothing more than knowing the password, a black hat will be able to crawl all of this data using public scripts that can be found on GitHub, and they can do all of this without the right to data portability. This is one area where black hats as well as technically inclined people have been more aware of the risks of using services like Google than the average person has, and it should remind anybody of the adage 'convenience is the enemy of security'.

The article goes on,

>As Jean notes in a later tweet, this kind of thing could really come back to bite other services, such as Lyft or Uber. She jokes: "Would be pretty bad to get hacked and kidnapped in the same day."

Yes, that would be unfortunate. What is more unfortunate is that companies have trained users to accept that there is no compromise, that it's all or nothing, that users need to store their full location and travel data or none at all. I understand the convenience of being able to rebook frequently travelled taxi routes, I understand the convenience of having a fitness tracker that logs GPS data; however, it is a convenience that needs to come with clear and informed consent, with an explanation of the implications of keeping this data that may be accessed and updated in real time, and it needs to come with the option of selectively being able to choose where or how much you would like to opt out. I am struggling to think of how this could possibly be a failing of the GDPR over a failing of the companies to provide these features and opt-outs without formal legislation. As a thought experiment, what would happen if Uber or Lyft had a data breach that leaked all of their booking history? What would happen if Google had an authentication failure and allowed anybody to view your location history? Or how about allowing anybody to use 'Find your phone'?

The final insult to injury in the article is this quote,

>There are possible technological solutions that could help (again, as Jean suggests), such as using multi-factor authentication to access your own data (one-time passwords, Yubikey, etc), but it's telling that few companies (or regulators!) have really thought about that, because that vector of attack probably hasn't occurred to many people. But, it probably will now.

This is not a new attack vector by any stretch of the imagination and to suggest that it's due to the GDPR is quite frankly horribly misinformed. There was a technique that was popular around 2004-2006 (if Google Trends is anything to go by) that was known as 'fusking', the gist of it is that incremental or predictable file names can easily be guessed and crawled by computer scripts and utilities, it was more often than not used to extract all urls from an image gallery (usually pornographic) however it presented difficulties in personal image hosting websites, as filenames along the lines of "2004-07-22-0035.jpg" could just as easily lead to images that could accidentally be crawled if an attacker were to put "2004-07-22-[0000-0100].jpg" into their fusker utility. This presented some challenges to hosting companies who needed to add UUIDs to the filenames, and eventually the attack was somewhat mitigated when mobile phones started naming images with much finer granularity or even adding a salt to the image so that it could not be guessed. This is why websites like Facebook have long and unwieldy urls so that they cannot be guessed. While this attack is an old one it still pops up from time to time, in 2006 both Microsoft and Google had a vulnerability where their url shortening services could be guessed, which led to accidental exposure for users who were using short urls to generate links to private folders. You may be thinking that this is only tangentially related to being able to download user profiles, and I'll admit that it is, but I want to reinforce the point that black hats and other attackers, or even more technically inclined people, are far more equipped to think about the possibility of crawling and downloading large amounts of data that a regular user may be oblivious to or not even realise exists.

To give the article a tiny bit of credit, the GDPR does not stipulate that the right to data portability should require additional authentication like multi-factor (which can be as simple as an email link with a one time token), and this is certainly a shortcoming that should be addressed, but it is also a shortcoming that a company that cares about your privacy should be able to address of their own accord.

EDIT: on reflection it is a novel idea that just anybody can download your full profile if they have access to your account but at that point the damage has arguably already been done, a site like Facebook requires you to wait for a while before a download link is generated and ones like Google require a password before you can change any account settings. It's probably less intrusive and noticeable if you crawl the profile than to use the download link as there won't be any emails sent.

[0] https://gdpr-info.eu/art-20-gdpr/

[1] https://gdpr-info.eu/art-15-gdpr/

[2] https://arstechnica.com/information-technology/2016/04/guess...
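The out-of-band confirmation the comment above describes (an email link carrying a one-time token, as at L180 and the "secondary channel" point earlier in the thread), written out as an added example that is not code from techdirt or from any service named in the thread. It is a hypothetical export service: the server stores only a hash of a single-use, time-limited token and sends the raw token to the account's verified email, so a stolen session alone cannot pull the archive; the outbox, clock and archive contents are constructed stand-ins.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumption: export links expire after 15 minutes


@dataclass
class ExportRequest:
    user_id: str
    token_hash: str    # only the hash is stored; the raw token goes out of band
    expires_at: float
    used: bool = False


def build_archive(user_id):
    # Constructed stand-in for the real data-portability payload.
    return {"user": user_id, "history": ["ride 1", "ride 2"]}


def extract_token(link):
    """Pull the raw token back out of a link the user clicked."""
    return link.split("&t=", 1)[1]


class ExportService:
    """Hypothetical service gating a GDPR-style data download behind a token
    that is delivered to the verified email, never to the logged-in session."""

    def __init__(self, outbox, now=time.time):
        self._requests = {}    # user_id -> ExportRequest (one pending request per user)
        self._outbox = outbox  # list that stands in for the outgoing mail queue
        self._now = now        # injectable clock so expiry can be exercised offline

    def request_export(self, user_id, verified_email):
        """Called from the logged-in session; returns nothing the session can use."""
        raw = secrets.token_urlsafe(32)
        self._requests[user_id] = ExportRequest(
            user_id=user_id,
            token_hash=hashlib.sha256(raw.encode()).hexdigest(),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        # The link leaves through the secondary channel; sending it also leaves
        # the audit trail (an email) that a quiet crawl of the account would not.
        link = f"https://example.invalid/export?u={user_id}&t={raw}"
        self._outbox.append((verified_email, link))

    def download(self, user_id, raw_token):
        """Exchange the emailed token for the archive; None on any failure."""
        req = self._requests.get(user_id)
        if req is None or req.used or self._now() > req.expires_at:
            return None
        candidate = hashlib.sha256(raw_token.encode()).hexdigest()
        # Constant-time compare so a wrong token is rejected without timing leaks.
        if not secrets.compare_digest(candidate, req.token_hash):
            return None
        req.used = True  # single use: a replayed link yields nothing
        return build_archive(user_id)
```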

It's ironic that websites implement GDPR compliance using cookies.

How is that ironic? GDPR does not say that you cannot use cookies. It says that you must apply limits to the scope of data that you collect about users regardless of the means that you use to store or collect that data.

Also cookies are not stored on their systems. The result though is that they also have to comply with EU "cookie law".

TL;DR, someone who has gained access to your account can also download your account history.

It's like complaining that someone who "hacks" into your email account can download all your email.

E2E encryption of email by a client-controlled key avoids this problem.

The encrypted archive remains accessible, but actually reading it requires a key only the client holds. This neutralises most email account phishing attacks.

It's not like that at all.

Email history is a useful feature. You're at risk of unauthorized access to it in exchange for that useful feature. Anyone could theoretically offer a service without that feature, though there might not be demand for it. (then again, see mailinator.com)

Everything-history is a compliance feature. You're at risk of unauthorized access to it in exchange for compliance with the law. Offering a service without that feature would be illegal.

It's entirely fair to blame the increased risk on the law. The law's benefit might outweigh those costs, but pretending that the costs do not exist serves no one.

This particular case is a poor example. It's about someone screwing up her password management and getting pwned, and then suggesting everyone should be burdened with two-factor nonsense to protect her from such a thing ever affecting her again.

But the GDPR itself, yes, of course it has negative effects like most centralized bessermachen from the EU commissars has. I've never understood all the starry-eyed hosannas for this slide down into supranational control of things no governing body ought concern itself with.

It has its moments, if you're into dadaism. The other day I had a phone call from my vet. Because of GDPR they felt obliged - belatedly - to mail all customers some info about why and what. They didn't have my email address; could I please give it to them?
