Hacker News new | past | comments | ask | show | jobs | submit login
The problem isn’t data protection, it’s data collection (twitter.com/cnbci)
189 points by thereyougo on Nov 8, 2019 | hide | past | favorite | 60 comments

The whole cookie consent thing is a joke. We need rules that stop data collection, not rules that make us have to navigate arcane menus.

IANAL, but it is my understanding that those arcane menus are actually breaking the law (with respect to GDPR in the EU, at least). The default position should always be "No", and combined with that the "exit route" for anyone that opted-in should also be really, really easy. Like single-click easy. But business gonna business and bend the rules, I guess.

Pretty much none of those dialogs are compliant. https://twitter.com/random_walker/status/1187391482401038336

> But business gonna business and bend the rules, I guess.

Until some lawsuits will happen and the EU has been more than happy to collect fines.

The reason a majority of websites doesn't comply is because data protection agencies are doing fuck all and there has been no enforcement of the regulations. It doesn't help that reporting non-compliant websites is a pain, at least in the UK. It's as if they're not actually interested in collecting all that "free" money from the fines.

http://enforcementtracker.com/ may be of interest to you.

That's an interesting list, but almost none of the fines on it have anything to do with cookies or pre-checked forms. It's more like this gem:

"The fine was imposed on a soccer coach who had secretly filmed female players while they were naked in the shower cubicle for years."

I think the previous poster's point stands: GDPR enforcement is doing almost nothing about improper cookies and internet tracking.

> data protection agencies are doing fuck all

Why do you say this? At least ours is just swamped, so it'll take a while. Plus big cases take up a lot of resources. But there have been GDPR fines issued, and many many more warnings that might lead to fines if the company doesn't comply.

Being swamped shouldn't prevent them from at least starting somewhere, and Google and Facebook are violating it so badly it should be a very easy case... yet none of the data protection agencies dare to go anywhere near it (there have been cases against but they seemed to hinge on minor violations as opposed to the elephant in the room).

Plus, the swamping problem will stop because the first high-profile case will scare everyone else into compliance.

> Google and Facebook are violating it so badly it should be a very easy case...

Not really, because Google and Facebook will also fight any accusation tooth and nail in the courts and through lobbying. The case must be very well documented and defended.

I'm not saying you're wrong, but it's too early to tell.

I’ve been a lawyer practicing in this area since the mid-90s. Nothing meaningful has changed since then. They pass laws and regs, consultants and lawyers get rich by scaring their clients about upcoming rule changes, and the regulators hand out completely ineffectual slaps on the wrist while the big players openly violate the rules.

The laws have grown muddy due to lack of enforcement. The notion that there is such a thing as opting in creates a huge gray area, and that has made law enforcement hesitant to open any cases as they are likely to take a lot of time, and probably won't lead to any big victories.

The only compliant way to show tracking ads is to first ask the user if they can, where the default in case of non-response must be NO. You can't have it default on, and you can't condition access to the site on accepting non-essential cookies (where "essential" is for the actual site function, and not "essential because our business model means tracking ads keeps the servers running").

Once this is enforced properly, the web will be a better place. Right now it's a mess of cookie banners with no real function, that people just click OK to.

>Once this is enforced properly

Which simply can't happen. There's a reason websites aren't manually indexed. And that same reason means you can never fully enforce these laws. What you can do, though, is score political points for selectively applying them to large unpopular players. It's always going to be a mess everywhere else, though.

You just need to set some examples. I'd pick a few violators and apply some reallyt painful fines with lots of publicity.

Other actors realize that noncompliance is more expensive (when multiplied by the risk of being caught) than compliance. Done.

No need to process thousands of violations. All that's needed is a few dozen with lots of publicity.

Obviously they can't literally apply it everywhere, but it's absolutely not true that they just go after large players. I've had complaints against very small players for relatively minor violations[1] enforced by my national privacy commission.

The GDPR opened the floodgates, but the wheels are in motion, and I know of multiple SMBs who got warnings to cut out their practices.

[1] The part-time manager of a three story building posted a "list of debtors" on the lobby (which contained false information, though that wasn't relevant for the commission, which focuses on the privacy aspect)

The amount of stupidity surrounding this legislation is appalling. The obvious solution could have been:

- Use or make something similar of the ill fated Do Not Track header for anonymous users. The user decides on his stance regarding privacy. His machine makes it known to the server, the server acts according to the users wishes. No further user interaction required.

- Decide what to do if the user authenticates. Use the method above or offer a more granular way to control privacy settings to be configured by the user in his account settings.

Though that would basically kill analytics. The reasonable default for such a Header is no tracking. The controversy around the existing DNT header and the attempts of at least Microsoft to set it to "no track" on default, is "enlightening".


I the meantime I installed the Firefox Add-on "I don't care about cookies" which does a reasonably good job to remove these annoyances.

The legislation proposed the most obvious solution:

- just don’t collect anything, don’t even require cookies

From there every significant actors of the industry, short of firefox and Apple (perhaps Microsoft ?) just went on looking for the other ways, workarounds, anything to keep their business as close as it is now.

That going as far as completely cutting off whole swaths of users just to not bend to the rules.

Blame the players cheating and conspiring to bend the game and ignore or weaken any attempt to limit their reach.

I agree the cookie law was a failure. The EU does too, so it's being revised. The GDPR is a different matter altogether, it doesn't specify technical solutions at all, and covers all personal data, not just tracking.

Agreed, there should be much stricter rules around tracking.

And instead of the cookie popups it would have been much better to solve it the same way localization and notifications work: the browser asks users with an integrated dialog and the user can set it to not even show that popup in the settings. If the browser doesn't support that feature the website has to assume the user doesn't consent.

Well, publisher and advertiser made it a joke, by trying for the last ten years to extorcate unappropriate consent from users (and bothering them as much as possible in the process).

And regarding the option to set your preferences at the browser level, of course this is the best possible solution, but if you are following the ePrivacy reglement discussion, the article 10 (permitting browser to obtain consent for website with a standardized interface) is pretty close to getting killed.. Money talks.

The user experience should improve significantly once the new EU ePrivacy regulations are effected; these will make browser settings (for example, your settings could be: 'accept first-party cookies, reject third-party cookies') the source of consent. There's a decent summary here:


Perhaps this will lead some advertisers to attempt sketchy things like server-side application integration so that their cookies 'appear' to be first-party; either way, the policy has teeth and can apply fines the same way GDPR can, so any advertisers (or services themselves) found to be storing cookies without consent which are not strictly for site functionality may find themselves in hot water.

I'll be willing to bet that less scrupulous marketers who make a decent chunk of their revenue from users who they mislead into clicking / purchasing goods (i.e. targeting less skeptical users) will also attempt to get their audiences to lower their cookie settings. Think banners with content such as 'to get access to this special deal, we need you to update your settings'.

Note that it's completely possible to build rich web applications that don't use any cookies at all, especially nowadays with localStorage and all the infrastructure for progressive web applications.

It's also worth noting that cookies were controversial when they were originally introduced - it's not like they're some fundamental infrastructure that we've always relied upon. Here's some privacy and cookie advice from 1998, for example: https://web.archive.org/web/19980210083135/http://internet.j...

Damn, very real.

The whole thing looked a bit strange to me. First the interview started with a basic presentation of who Edward Snowden is and what he did... at the Websummit.

His talk brought nothing new if you follow him, maybe it brought attention to the issues to a wider public (it was all over the news in Portugal).

On the other hand I feel his presence could serve to white wash the whole thing. How many companies represented there would be out of business if they embraced Snoden's beliefs?

Tracking needs to be illegal. Period. As long as it's legal, even conditionally, we will be playing whack-a-mole. There's a helluva lot of trash on the internet that's there only because somebody is trying to game the advertising industry.

If you allow conditional tracking, and invite workarounds, we are in a race to the bottom. Ethical players are caught in a position of play dirty or die. When growth/profits sag a bit, they will have no riposte to the board member who questions their unwillingness to engage in cutting-edge gamesmanship to get around the law.

On the other hand, if you make it strictly illegal, and make the penalty an existential threat to the company, then everybody can play a fair game. The board member who pressures the company to do such things will be putting the company at risk, and the ethical folks have their response.

Advertisers don't need to track people. They don't need our personal information.

Case-in-point: Alphabet just bough Fitbit. Fitbit knows your most intimate details. They know when you sleep, when you are awake, where you are. They know when you go up and down stairs. I'm guessing they have a pretty good idea of when you make love, where you make love, and with whom (if you're both wearing). And they just sold their data-collection to a company that exists to exploit your data.

This needs to be stopped. Now.

Strongly agree. I don't care why they're doing it. That a voyeur is taking creepy photos of me in order to advertise better rather than to get off, or that someone's trying to record my conversations to advertise better rather than to hunt and kill dissidents, does not make those activities OK at all. They are still, per se, abhorrent.

That the collected data is open to any imaginable abuse in the future, just as if the motivations, in addition to the actions themselves, had also been extremely malicious, since they (the big tech companies and the savvier small ones) default to collecting everything they can and never deleting it if they can avoid it, means stopping this is also pressing for very real, very serious safety reasons.

Data protection suggests that it is okay in the first place to collect data, as long as it is going to be protected. But this is a problem. Data shouldn't be collected in the first place, because you can't probably protect it properly anyways (leaks etc.).

He's totally right imho, but to defend the GDPR at least a bit: It does have the concept of "consent" so that data should only be collected if people agree to it being collected. However, I still have my doubts that it works like that in reality for several reasons:

- Too many websites place tracking cookies first and then let you disable them

- Too many apps use some kind of analytics without any consent

- The GDPR has different mechanisms to give companies a "legitimate interest in collecting data". How this is enforced is kind of unclear.

- The GDPR issued fines in the past, but what's gone is gone. It maybe helps that companies stop collecting more data in the future after they were caught, but you, as an individual, are still screwed.

So, the only way indeed is to stop SOME data collection in the first place and do it yourself. And you certainly can forget cookie banners and all that junk. Only thing that works is:

- don't sign up to abusive services

- use tracking protection on the web (uBlock Origin)

- possibly use something like pi-hole to prevent tracking for all your devices and apps

But of course, this doesn't stop data collection where you really have no choice but to agree to something.

Edit: Clarification

The idea is that the fines as supposed to act as a deterrent, but unfortunately there's been a shitload of really bad practices stemming from the fact that many consultants have drawn the erroneous conclusion that pre-ticked opt-in boxes are legal. Fines were handed out regarding a few specific cases, but very few businesses know about this and most of the ones that do claim it doesn't concern them for whatever reason. Furthermore, the Danish authorities set a very dangerous precedent when they refused to take on Google with the sole reason that Google are to big and that someone else have to do it.

But yes, until the situation has stabilized and someone has gotten very badly hurt from a financial perspective, the only sensible thing is to block non-HTML content by default and only whitelist the stuff you actually want to run.

> - Too many websites place tracking cookies first and then let you disable them

Under GDPR, unless the website owner can prove a legitimate interest (which is pretty hard to do and doesn't work for advertising), this is illegal.

> - Too many apps use some kind of analytics without any consent

Unfortunately usage analytics can qualify as a legitimate interest, but the actual data used and the purpose matters and you might be able to drop a tracking cookie for improving your service, but AFAIK collecting health data, GPS location or other sensitive information won't fly for analytics without explicit consent.

And we are talking about first party analytics only. Having analytics cookies dropped as part of an advertising network without consent will not fly either.

> - The GDPR has different mechanisms to give companies a "legitimate interest in collecting data". How this is enforced is kind of unclear.

Not sure what you mean by "enforced", but there are rules for establishing a legitimate interest and just because companies claim they have it, doesn't mean that they actually do.

It's basically up to the data protection authorities to do their jobs. Give them some time, there are a lot of lawsuits already.

> It does have the concept of "consent" so that data should only be collected if people agree to it being collected.

How does this work in practice? Sites just say "we collect data, click OK to accept". Where's the option to say no?

That is an excellent question, because this is indeed how it works on many sites. However, it is actually wrong. The proper way would be to have users opt-in.

This was even reinforced with a court decision recently: https://www.technologylawdispatch.com/2019/10/cookies-tracki...

In practice that's a violation of Art. 7 GDPR [0]. In particular, recital 42 [1] makes clear that consent can't be regarded as "freely given" if "the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."

[0]: https://gdpr-info.eu/art-7-gdpr/

[1]: https://gdpr-info.eu/recitals/no-42/

> "we collect data, click OK to accept

That's not compliant with the GDPR plain and simple. For example ads on a website are not required for that site to work (even if it's the only revenue), so the site cannot store data only to track users to show ads. The way a complliant site should work is it can say

"if you want to allow tracking cookies to get more relevant ads you can do so in settings".

I.e. no must be default in case of non-acceptance - and the site must still function.

Yeah. I just visited some news site and they gave me a cookie notice:

> We use cookies for analytics, advertising and to improve our site.

> You agree to our use of cookies by closing this message box or continuing to use our site.

Hopefully they will be fined huge amounts of money.

Exactly. At least some site will be fined, and that news site might make a calculation that it's a better business decision to comply than keep violating the law.

The [back] button.

The back button is too late. You already gave them a visit, a cookie might have been placed and your IP address was provided.

> Data shouldn't be collected in the first place, because you can't probably protect it properly anyways (leaks etc.).

That's an absurd argument, any data can be leaked. Your bank data can be leaked, mine was, should bank be banned to hold any personal data for that reason?

Of course. But not every service needs the same amount of personal data like a bank account. Just think of all the apps that want access to your contacts, often for no particular reason.

Obviously, if fewer services collect data, the overall chance of lots of data being leaked goes down.

> Of course. But not every service needs the same amount of personal data like a bank account. Just think of all the apps that want access to your contacts, often for no particular reason.

I'm not arguing whether data can be collected with wrong intends.

I'm arguing that the fact that it can be leaked isn't an argument in itself because everything can be leaked.

The person you’re replying to was quoting you saying no data collection should be done.

Now you’re saying banks have to collect data and saying other things.

So you do agree data does have to be collected at some level?

Yes I do agree. But not on the scale it is collected right now.

Please also note that I basically repeated what Snowden said in the video.

A technical solution is good, but it only protects the tech savvy. The GDPR gives us several additional guarantees compared to the technical solution:

- It protects everyone equally.

- It shifts the incentives towards not collecting, since the data becomes a liability.

- It empowers citizen to know what was collected through the use of GDPR requests. It further allows the citizen to know what that data was used for.

- It allows citizens to ask the collecting entity to remove any and all data they have about them.

- Finally, it allows legal recourse when data that was never supposed to get collected inevitably leaks.

So there are multiple things the GDPR does that a purely technical solution does not provide. As usual, the best protection is to have both. Used ublock, didn’t give consent, but still suspect foul play? Send the company a GDPR request, and if data was collected, ask for it to be deleted (and additionally report it to your gdpr regulation entity).


> - Too many websites place tracking cookies first and then let you disable them.


> - Too many apps use some kind of analytics without any consent

I’m pretty sure both of those are straight up illegal, thanks to the cookie law and the GDPR.

Is there a EU FF:FF:FF:FF:FF:FF GDPR request?

Love those cookie warnings. We need more popups like that. Imagine all the quality time spent clicking, knowing, for sure, that you are getting a cookie.

I agree. Power centers need rules on what we can remember and say; it's what they derive their protection and power from. Personal responsibility is the last thing they want people to have.

> Data protection suggests that it is okay in the first place to collect data, as long as it is going to be protected. But this is a problem. Data shouldn't be collected in the first place, because you can't probably protect it properly anyways (leaks etc.).

Article 5 of GDPR specifically deals with the reduction of what's collected and the destruction of data after it has served its purpose. The legislators were well aware that what isn't there cannot be lost, stolen or misused.

Not collecting personal data in the first place is always the preferred scenario.

Confused, doesn't GDPR prohibit you from collecting data in the first place unless you satisfy some criteria? Meaning it is data collection regulation?

It doesn't remove the ability to collect, but requires consent. When something is technically possible, and there's a monetary incentive, consent is easy to arrange, either with misleading popups, or by just making the product so sweet that the user forgets about privacy

Making the product sweet doesn't work (legally): if you rely on consent for capturing data, you cannot refuse access to the product if the user doesn't consent.

my point is users don't think much before giving their (positive) consent because of the expected dopamine hit from the "fun" of using these services. Try asking the same questions the social media asks (such as your relationship status) in some boring public service. People begin to notice.

Yes, the GDPR prohibits most of it. But it's a law, so it doesn't inhibit data collection in any way. The inhibition must come from the companies themselves, and the mechanism to drive that is fines and penalties. Time will tell how effective the GDPR is at that.

Consider that collecting data is remembering.

Mr. Snowden is right. If you don't start with the assumption that ALL SECRETS LEAK SOONER OR LATER, your information security plan is definitely flawed.

Not even state actors with unlimited resources (that's you, NSA) can prevent stored secrets from leaking. It's ALWAYS something, whether teenaged hackers or far-flung contract system administrators with too much access (that's you, Mr. Snowden).

Rule 1. Don't collect data you don't need.

Rule 2. Don't store data you don't need.

Rule 3. Assume all data you store will leak, according to Murphy's law (at the worst possible time).

Rule 4. Make your stored data has limited utility. Eternal Blue (hi again NSA) was not such a secret.

Rule 5. Make sure your stored data has limited useful lifetime. US Social Security numbers do not have limited useful lifetime. Strangely enough, credit card numbers do have limited lifetime.

Rule 6. Do your best to set up leak detection. For example, seed your financial secret caches with fake social security numbers that raise flags when used.

Rule 7. See rule 3.

Secrets should be stored under the legal concept of strict liability. They're just like bulls in a farmer's field. If the bull escapes and causes damage, the farmer pays for it. No excuses. No need to prove negligence.

We have, up and running at scale, workers' compensation and the vaccine injury fund. Both of those assume strict liability. A dangerous factory sees its premiums go high enough to put it out of business. Same for a sloppy vaccine manufacturer.

Why can't NSA and Equifax be held to the same standard? (I'd hate to be POTUS announcing a tax increase to cover the damage caused by Eternal Blue.)

Engineer: "Why are we collecting this much data?"

PHB: "We might need it someday for analytics, just keep storing it."

* Engineer, PHB leave company *

New Engineer: "Hey does anyone know what this data is being used for?"

New PHB: "No idea, just keep it running. Don't want to break anything."

* New Engineer, new PHB leave company *

New new Engineer: "What's all this data for?"

New new PHB: "No idea, just keep it running. Don't want to break anything."

...rinse, repeat.

True, true, true.

But how about this: Security auditor: "What's all this data for?"

PHB: "I don't know, it's the way it's always been done here."

Security auditor: "Your data retention policy doesn't pass ISO27001 (or PCI or whatever). No certification for you.

Cyberinsurance company: "We're tripling your rates because you aren't certified."

CEO: "PHB, deal with this problem."

He misrepresents the GDPR a bit.

At least in theory, the GDPR is meant to restrict collection, not just how the data is used and stored. It has a big loophole in allowing for vague "business interests" to be taken into consideration whether collection is legal or not.

More than that, the GDPR clearly establishes ownership of PII and asserts that owners have the right to request information about how their data is handled as well as demand that data be destroyed, exported or corrected.

I think he doesn't. GDPR could outright ban the collection of certain data. Instead (and because this data is useful for govt. purposes) they chose to go with consent.

I'm sick of this whole situation. We need to ban "opt out". Everything businesses do should be "opt in" with "informed consent", and noncompliance should be be punished with summary closure and dissolution after the first offense.

And while we're at it, let nuke the data brokers. Preferably literally.

Here's a link to the full talk for anyone interested:


It helps frame the response a bit more in the context of the question the host asked. (~"is GDPR the panacea?")

The problem isn't data collection, it's data centralization. Decentralize (or encrypt) and conquer.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact