Hacker News new | past | comments | ask | show | jobs | submit login
French bar owners arrested for offering free WiFi but not keeping logs (privateinternetaccess.com)
714 points by seigando 18 days ago | hide | past | favorite | 330 comments



I'm living in France, and "just" sharing the WIFI password is a very common practice in bars, coffee-shops, etc..

I only know of few places that actually use a compliant captive portal that requires some PII (name, email, phone...) to let you use the free WIFI.

My problem with these kind of laws is that they get ignored most of the time and then allow for selective enforcement when the police/local-gov has issues with you.


I think this is used as an intentional strategy of control, at least somewhat. Make a jillion tiny little laws that are impossible to keep track of or follow, that way you know everyone is a criminal if you want them to be.

Then if someone is acting up, it's only a matter of figuring out which unrelated laws they are already breaking.

It feels like this is the defining premise of the US tax code.


This is mentioned in the famous "Don't talk to the police" youtube video (from this point[0] and a minute on): there are just enough laws that even lawmakers and experts don't have an actual count, can't keep track of all of them, and they can say nearly anything.

(These are my words, not the video:) In the bigger scheme of things, you're likely to be guilty of something almost at all times. Whether or not people know, care, or come down on you depends on a variety of factors.

This is pretty much true in any country, it's just that the richest ones have codified it to give the madness more legitimacy.

[0] https://youtu.be/d-7o9xYp7eE?t=279


This is why I think our legal system is not really compatible with the world of surveillance. Everyone has something to hide, therefore everyone has something to fear.


That's why the universal panoramic panopticon is desirable for society's weak. When all can spy on all, everyone's crimes are public and whether you're the homeless man on the streets of SF or celebrated lawyer Jeff Adachi, the programmatic police will come for you.

Fair, just, unbiased. And therefore a scary situation for people like me who willfully violate the law but are generally safe from prosecution. This is power and advantage I don't want to give up.


Except we don't have universal access to really good lawyers.


...or "fuck you" money.


Where's the incompatibility? Sounds exactly on the money to me.


If you want a society that doesn't run on corruption then it's incompatible.


You and I want that, but let's not assume anything about the people who decide these things.


Lets. Any model that depends on intentional evil at every level is likely wrong.

The more likely reality is that politicians think they are doing what their constituents want by passing laws to address what they are currently complaining about. And constituents rarely complain about existing laws so the only natural way for the government to go is more laws and more regulations.

When’s the last time you heard a politician run on the platform of getting rid of laws? Even the Republicans who run on less regulation generates far more legislation than repealed.


> Any model that depends on intentional evil at every level is likely wrong.

This is unfounded (do you have any sort of backing for this ridiculously bold claim?), historically inaccurate (in nearly every generation, there's at least one mass-murdering regime born), and isn't actually relevant to the question (evil at every level discounts those who aren't involved, those that are victims, and those that are powerless to stop the evil).

The rest of your comment is spot on. The unfortunate truth is that people who are elected have the skills required to be elected, not the skills required to lead. Our legislative system is designed to encourage childish bickering, which is attractive to people with old faces and childish personalities. The system is built around the idea that the president will be the "adult in the room" and apply a considered direction to the children to mediate their bickering; it seems that doesn't work well.


You think evil requires intention? I have no idea what "model" you might be talking about.

On HN we are often downvoted for cautioning against unwarranted assumption. Meanwhile elaborate theories that just happen to affirm how great life is for everyone we care about in this best of all possible worlds are quite popular. In 2020. Good grief.

The fact that no politicians campaign in a way that would appeal to most citizens is no surprise. Our congress passed the trillion-dollar covid bailouts (that contained nothing to help normal citizens get health care) nearly unanimously.


Evil is ironically done with the best of intentions.

For the record - the federal bailout helped many business owners I know personally keep people on the payroll, and many unemployed friends (from food service and travel industry) able to keep paying their rent. With COVID’s 99% survivability rate for most of the working population, I think those benefits took priority over a healthcare stipend. Not trashing the idea of fixing healthcare at all, but given a limited bag of cash and choices to make, keeping people housed and fed en masse is arguably higher on the priority list than a healthcare half measure (if that).


I begrudge no small business anything they got. What they got, however, pales in comparison to the "open the Fed" measures that gave all the big guys access to trillions of dollars of "free" capital. Just as in the last recession, this giant transfer from the public to the assholes will destroy small firms and reward 2B2F firms.


Maybe he’s assuming a dystopia run by an all knowing and always consistent computer?

A legal system that no one in a functioning society can live without causing offenses will lead to a non-functioning state, if enforced.


It's actually worse for selective enforcement. That allows essentially prosecution for nothing against anyone currently out of favor with the powers that be. It obscures this deliberate corruption by hiding it behind a veneer of legalism, and allows apologists to claim "if they didn't want to be arrested, they shouldn't have done X". It erodes the idea of laws being backed by justice, and makes them simply another tool of the powerful against the powerless.


It doesn’t help that politicians face as much hardship in removing old laws as adding a new one.

Leading to us always creating laws and rarely removing them.


All laws in a democracy should have to be re-affirmed by the populace on a regular basis. That is, every law should be required to have a sunset date.

It's insane that we can be born into the tyranny of rotting corpses.


I’d agree but then there will just be an annual law that blanket renews all the laws that would expire in the upcoming year.

How about laws without cute names and that began by describing the problem they intend to solve? I have been told they are written that way in russia though I have no way to verify.


> I’d agree but then there will just be an annual law that blanket renews all the laws that would expire in the upcoming year.

maybe so, but every so often you get a happy accident. the patriot act missed its most recent deadline for renewal and is still not in effect (though not for a particularly good reason).


How about law as a subscription service? The maxim is if it has value in people’s eyes, then people should be willing to pay a monthly fee for it, voluntarily and without coercion.


A big part of government function is managing externalities (pollution, food safety, roads etc) -- things that are not economic when purchased individually. They suffer from a free rider issue: I benefit from clean air whether I pay for it or not.

In addition I don't know enough about traffic safety to figure out what the best speed limit is for certain roads, nor how the road should be constructed (especially given local environmental conditions, estimated use etc). It's cheaper overall to outsource it to people who know. Otherwise how can I decide if I want to subscribe to that safety rail at the edge of a certain roadway?


>A big part of government function is managing externalities (pollution, food safety, roads etc) -- things that are not economic when purchased individually.

Says you.

Damn near every government (from local to national) has a charter more along the lines of "do these specific mostly administrative things that we agree are best done at this level".


Taxes are pretty much that, but I suppose "with coercion".

Otherwise, if it's truly pick and choose... how much thought did we give to this? :)

Will everybody pay equally for each law, or rich people pay more?

If rich people pay more, and they decide they don't like the tax avoidance laws, will they be disproportionally funded?

If everybody pays the same, this will be proportionally harsher for poor people.

Most people will not pay for 97% of the laws which may be overall important but don't impact them directly - e.g. I live in Toronto so don't car about fisheries laws, etc.

Some people will not pay for laws they personally don't want to abide buy - from speeding tickets to financial regulations to fitness of goods and services etc.


I don't think this would work, but it does remind me of an idle thought I sometimes have. some nonprofits allow donors to make conditional donations. for example, you might donate to a school, but stipulate that the money can only be spent on the theater program. I wonder what would happen if taxes worked the same way. you have to pay the same amount no matter what (and maybe some gets preallocated towards nondiscretionary spending), but you would get to pick from a few broad categories where your tax dollars go. would probably be a disaster, but interesting to think about. from a certain perspective, it might increase the "legitimacy" of government programs.


I think "just give it to the feds instead" should be a checkbox on everyone's state taxes. It would give the states a clear monetary reason to make their inhabitants not resent them.


That would be nice if you could also elect to give your fed monies to the local gov’t. That way the different governments could compete for the provision of good government.


Incorrect. If everyone else pays for it and I don't, then I benefit. Tragedy of the commons. My winning strategy is never to pay.


[flagged]


Please don't take HN threads further into ideological flamewar. We're trying for something different here: https://news.ycombinator.com/newsguidelines.html


I think so too. The government has to pass a budget every year. Would it really be too much to ask of them to reaffirm old laws every 10-20 years?


> think so too. The government has to pass a budget every year. Would it really be too much to ask of them to reaffirm old laws every 10-20 years?

You realize the federal government shuts down every so often fro days to months because they cant get there act together on the budget. can you imagine the chaos that would insue in the current political climate if one party or the other thought they could hold a major law hostage to what ever cause they want.


Most governments manage to pass a budget every year. The American government's exceptional incompetence should not be treated as a foregone conclusion -- and their inability to pass laws speak more to the innate unfairness of unaffirmed laws than anything else! Imagine if they would simply have to defend every law like the Assault Weapons Ban. We'd have fewer laws. Fewer by FAR.


> Most governments manage to pass a budget every year.

Not exactly. Two things are going on here that makes the US "special". I would argue they're both design mistakes in the US government, its proponents will doubtless chime in that it's supposed to be like this, and presumably they are proud of the results...

1. Appropriations bills. In most countries it is seen as a foregone conclusion that the government should continue to operate. Politicians steer, but in their absence the ship of state continues onwards on auto-pilot. The US has never entirely worked that way, and last century the GOP intentionally destroyed some of the mechanisms to let it keep running in their absence, because of course they did. So, Congress must explicitly pass bills at least once per year that say the government will pay for things, or else important government functions just stop. Nothing like these Appropriations Bills exists in most countries.

2. Separate Executive. In most democratic countries there is ultimately a single elected power, even if it looks on the surface as though there are two or more political power centres, one of them is actually running everything. In this situation there is no conflict between policy and budget, so of course a "government budget" will pass.

One of the few upsides to another US civil war is it's likely that there would be an opportunity to redesign the US government in the aftermath. We've learned a lot about how to design governments since the 18th century.


How often does a civil war lead to a better constitution?

China? Vietnam? Korea?


the obvious answer would be the 13th, 14th, and 15th amendments to the US constitution after the american civil war.


So once? Or twice (counting the USian revolution)? There have to be more examples than that!


That is an acceptable outcome.


This is a moot point anyway; laws can be overwritten with new laws. Perhaps requiring a supermajority (2/3) to remove would be useful, but even still, _having_ the laws put into question would be a remarkable use of time, keeping law orderly. I suppose the US Code might help with that effort; in the UK it's a tad more disorganised.


The amount of grifting you’d end would put up some really deep pocketed defenders of the current system.


That's not going to happen.

https://en.wikipedia.org/wiki/List_of_Acts_of_the_Parliament...

I'll leave it to someone else to tot up how many laws we're considering here.


I have thought this for a long time. I also think they should have to be voted in by the public, with a higher percentage required as the geographical area expands.


This is why I always liked the idea of automatic sunsetting of laws. If it worked as expected, pass it through again. If it had loopholes, patch and reissue (better than applying patch to patch to patch). If it didn't have the effect you wanted, let it slip by. It is always beneficial to review your work and analyze it. There needs to be a good mechanism for this to happen within a government and automatic sunsetting forces this issue on lawmakers. Of course, there are other things that can help too.


Also lawmakers have pretty much put sourced their jobs to unelected committees. They realized they don’t know anything about a topic and also can’t be bothered so they appoint these committees Who put into place “regulations” instead of laws that are basically the same thing but without oversight or accountability - they don’t get voted out if people don’t like it, and most don’t even know who these people are.


> They realized they don’t know anything about a topic and also can’t be bothered so they appoint these committees

It is literally impossible for any single elected official to know enough about every topic they need to legislate in order to make good laws. This isn't because they "can't be bothered", but because there are only so many hours in a day. They have to delegate.

Now, we can argue they do a poor job of delegating, but the problem isn't in the act itself.


Anyone have a rough estimation of the laws made vs laws repealed? This is what I wonder and worry sometimes. It seems we're constantly making far more laws than repealing and slowly but surely caging ourselves in. Our parties seem to be in a blind race downhill to see who can implement the most laws to block the other parties but I feel we're just "cleaning" ourselves into a corner.


I'm not american, but I listened to this Planet Money podcast[0] and they talked about how Trump planned to enforce the following rule:

>If congress wants to add a new regulation, they have to find two outdated regulations and remove them.

I have no idea how it went.

[0] episode including transcript: https://www.npr.org/transcripts/659049880


Well, since regulations are created by the executive branch and not Congress, which makes law and to which the President can't dictate rules, the proposed rule is meaningless, so enforcing it is a non-issue.

Also, “a regulation” is not a particularly useful unit of size.


Supposedly it helped a bit according to the below: https://www.forbes.com/sites/waynecrews/2020/06/29/how-donal...


That would have to include a rule about scope, so that it doesn't end up as two old laws concatenated into one new law

...this would be good for other reasons too, like unrelated riders tacked onto appropriations bills


Funny I think I internalized that rant from that video, because I had forgotten about that video but I'd definitely seen it before.


What's even worse is it's disturbingly easy to not just break the law, but it's surprisingly easy to commit a felony. That's a situation that just shouldn't be. In my opinion, a felony should almost universally be something either egregiously reckless or done with nefarious intent, and it should be something that people can universally agree is an obvious problem. (And by that, I mean an ACTUAL problem, not a side-target of the thing that's really of interest.)


Laws are source code. Currently it's all spagetti and applying even simplest proven tricks from software domain would yield immensely good results. Like, duh, removing goto.

Software is crap, law is so much worse.


I went to tech school with a couple of State Policemen.

First, I should qualify that I had nothing but respect for these guys. Real professionals, and they were serious about the spirit, as well as the letter, of their vocation. The State Police, in that state, are quite powerful. They have (at least in the early 1980s) complete jurisdiction, throughout the state.

I also think they would have written their own mothers jaywalking tickets, for going across the street to borrow a cup of sugar.

One of them explained to me, how the state code was written, so that everyone is breaking some law, at any given time, and a lot of their training involved learning all these little violations, so they could pretty much justify pulling someone over, at any time.

I suspect these bar owners did something to piss off someone in some authority. It could have been as mild as their main clientele.


Honestly just curious, but how can you describe them as complete scumbags but still have "nothing but respect for these guys"? Is it just a platitude or do you really respect them even though they are bad people?


> describe them as complete scumbags

Look, I appreciate the current political situation, but I DID NOT describe them in that fashion. That was a value judgement that you imposed on a couple of gentlemen that I went to school with, in 1981. You did not meet them or interact with them; I did. They were insular, and I cannot call them "friends." That's fairly typical for police, but they were incredibly polite, and everyone in the class liked and respected them (it was an extremely mixed class, in a very tough town).

The people that engineered that scenario (and are probably still engineering it, to this day), were the state legislature. The officers that commanded that barracks were the ones that established the model for their officers.

These were two electronic technicians. They happened to be trained and uniformed officers, but were not particularly interested in the "pithier" aspects of their field. In fact, they had volunteered to spend their careers in a basement, fixing radios.

In that particular state, there is a giant world of difference between the State Police, and the various county and municipality cops. The State Police held themselves, and were held to, a much higher standard than regular cops. I know of at least one county in that state, where the cops were renown for rather gratuitous violence; especially against minorities. The State Police had nothing to do with that.

As for me, and my views...seriously, dude, you have no idea. If you thought that you learned something untoward about me, you are wrong. Dead wrong.

This world is missing something fundamental: basic, human respect. That goes for people in authority, that abuse that authority; whether for personal gain, animus, or to be a "team player." It also goes for people that have appointed themselves "Guardians of 'The Truth'" (Whatever happens to be the flavor of the day).

We might want to consider that not everyone in the world is an evil person.

Just a thought.


Some unsolicited feedback on your communication style below. Read no further if you're not interested in it.

> One of them explained to me, how the state code was written, so that everyone is breaking some law, at any given time, and a lot of their training involved learning all these little violations, so they could pretty much justify pulling someone over, at any time.

> I suspect these bar owners did something to piss off someone in some authority. It could have been as mild as their main clientele.

In colloquial speech, like that used on this forum, these sentences in combination imply:

* My friends, state policemen, knew how to pull over people at any point

* This was an act that was commonly performed

* My friends also participated

It isn't explicit in the text, but that is the natural inference in colloquial speech.

I only mean this in a descriptive fashion. There are all sorts of reasons you may want to continue communicating the way you do, but it will get you into situations like this where you feel compelled to respond in outrage to someone else who has made that inference. Up to you how you act, but if you weren't already informed, you are now.


Some unsolicited feedback on your communication style below. Read no further if you're not interested in it.

In no way is that a natural inference in colloquial speech. Those are your own (incorrect) inferences that you're justifying post-facto, and you are (not so) subtly implying that your interpretation is the correct one and in the majority, even though it:

a) Might not be

b) Involves you making an interpretation and inferential leap that isn't contained in the text of the original poster.

In a similar fashion, you may want to continue making inferences that go beyond what people actual say or write, but it will get you into situations, like this, where you feel compelled to put things into the speaker's mouth that were not written, things that were not said, that will put you in opposition to the original speaker/author unjustifiably and based on your own interpretative error, and which generally make people less inclined to share their opinions in the future.

Additionally, your writing style appears to be one of passive-aggressive condescending superiority. This does not influence the person on the other side round towards adopting your view-point, but actually makes them bristle up and more likely to reject participation in the conversation.

Up to you how you act, but if you weren't already informed, you are now.


Interesting. I did not consider that it might be taken that way. I wrote it in the style that I would appreciate. Thanks for the feedback.


Not outraged. More bemused.

And I will continue to communicate the way I do. I'm a real stubborn S.O.B., and don't respond well to being pushed.

BTW: I never called them "friends." I guess half of communication is reading it properly.


You communicated ambiguously. You wrote

> so they could pretty much justify pulling someone over, at any time.

But didn't clarify that your associates did not do that. In human language, people make inferences from what is said to natural extensions, in order to make utterances more compact. Sometimes those inferences are in error.


It takes a lot of restraint to work for an organization with that kind of power and not turn into a total dickhead.

The state cops here have that kind of power yet they are way more professional and do a hell of a lot less fishing than the locals.


Yeah, those sounds like thugs, not good people, maybe thugs who were convinced by some authority that what they are doing is right,but that's true of most of the evil in history.

Curious how you justify this.


“For my friends, everything; for my enemies, the law.” —Field Marshal Óscar R. Benavides, former president of Peru (attributed)


Replacing the arbitrariness of the monarch with the arbitrariness of institutions is a step forward in terms of diluting responsibility. Next up: machine driven decision making.


They don't want to use the word 'arbitrariness'. Instead, they say "discretion". Discretion helps institutions make right decisions, they say.


Our current representative system is a land line way of thinking in a mobile phone world. This fixed number of representatives and seasonal elections is nonsense. I should be able to change representatives with the same ease I can change my cell phone carrier. Once we get there, then let's worry about whether the representative I choose is a human or an AI.


> Next up: machine driven decision making.

We already have that when you buy something and a security alarm goes off as you leave the store. You are assumed to be a criminal because a machine said so.


Other way around for me. I'm going to home depot regularly for various home projects and the alarm goes off almost every time when I exit.

I have never gotten anything more than a bored looking sales associate casually waving at me to keep walking out.


Try walking out of the Manhattan store without their goon insisting on a receipt check after you've been forced to operate the register yourself.


That's illegal so you might get a nice settlement if you press your rights and the "goon" assaults you.


>You are assumed to be a criminal because a machine said so.

Not really. At least where I live, the false positive rates are high enough that people would walk right past, or the employees would wave them through because they're holding store branded bags. A more egregious example would be the algorithmic bail systems that some states are deploying.


Bail has been algorithmic for many years, based on previous offenses and seriousness of crime.

The new horror is machine learning algorithms that make decisions based on hidden inappropriate discriminatory factors.


What is the functional difference from the “law” being the whims of a king, and the “law” being an incompressible mess where you are always guilty, but selectively prosecuted?


In the former case, there's only one person and a court to please, in the latter case, there's millions of people who can violate you. (Not intending to argue for monarchy here, ha, just came out that way.)


>What is the functional difference from the “law” being the whims of a king, and the “law” being an incompressible mess where you are always guilty, but selectively prosecuted?

Marketing, plausible deniability and the ability of the higher levels of the system to tell the lower levels of the system to knock it off when they're being jerks under the color of law.

Monarchy worked so well for so long because the king didn't want to see his resources pissed away using the government to prosecute crap that didn't actually matter in the grand scheme of things.


Lots of things that are the same in some outcomes are very different in process.

A totalitarian dictator and democratic judicial system could come to the same decision on any given ruling.


That's why both are described as "rule of man" rather than rule of law.


I'm not a Rand fan at all, but if the quote fits...

“There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws.”


This seems like a very pointed view of a certain kind of government, not government as a concept. If the people are willing and willingly choose a government, it's most certainly possible to govern them as long as that government actually listens to the population, doesn't indulge in corruption and earns the respect of people, not demands it.

Whether this type of government will ever come about in our modern world... Let's not get depressing.


There are so many laws because what started out as rule usually gets expanded out into detailed regulations that cover vastly more than just illegal behavior. Perfectly legal things that fulfill the spirit and letter of the law are nonetheless outlawed to achieve the goal of the law. A law that employees must pay withholding taxes on their pay, gets extended into a regulation that contracting is banned because in some cases this might hide sources of income and be used to dodge the law. Enough layers of this going on and no one except major corporations with teams of lawyers can keep up with the "right way" to operate. Despite everyone having good intentions.


> as long as that government actually listens to the population, doesn't indulge in corruption and earns the respect of people, not demands it.

Charitably, I think Rand's point would be that such a case is only possible if that government is not actually ruling the people, but merely providing services. (Not sure how much charity is actually justified, though, given what I've read of hers.)


I don't see any point in quoting Rand quoting common wisdom.


Selectively enforced laws are a source of great evil. Here’s a quote you might find interesting.

“For my friends, everything. For my enemies, the law.”

https://en.m.wikipedia.org/wiki/Óscar_R._Benavides


It’s also a way of collecting revenue. Oh, you followed 99% of the law but not this obscure piece. You now owe 5MM as a penalty.


No, the US tax code is not that hard to follow at the macro level. The complexity of the tax code comes from the thousands of potential write offs and exceptions that favor certain industries as a result of lobbying.


Well, even for an individual, optimizing their tax burden is ridiculously complex if you just take the IRS forms and code in hand. For a price (e.g. TurboTax) you can probably get to 80%+, especially if you live a simple life of a rental and a w-2. The process certainly favors those with the time and resources to understand the nuances of the tax code and most people don’t/can’t prioritize that. So it makes money off the “lazy” and non-confrontational in the same way that a car salesman does. That such a comparison makes even a bit of sense doesn’t speak highly of our system.

We all rely on the herd defense to protect us from minor math mistakes and code violations. Lord knows you don’t want to end up on the wrong side of the IRS. All my interactions with them have thus far been easy but if you listen to some stories during testimony in the nineties about IRS reform they weren’t always that way.

I like to think a simple flat rate would be better across the board. Many smart people disagree though.


Complexity is complexity. If the write offs exist and you think you qualify so you take them, and then it turns out that there was an exception on page 28,274 of the amended tax code that meant you didn't quality but you took the write off anyway, welcome to jail.


That's completely false.

At worst you would owe a penalty.

Due to the complexity of the tax code, there is a very high bar for criminality.


> At worst you would owe a penalty.

Not if they claim the violation was intentional. Which, whether or not they can prove that, means they can arrest you, and deplete the money you'd have used for your defense as bail. And they do so enjoy that trick where "intentional" generally applies to whether you intentionally did a thing that was against the law, even if you didn't know that it was against the law.

Let's also not so easily dismiss as unproblematic a conclusion that you owe five times more money than you actually have in back taxes plus penalties and interest, which someone wouldn't have who filed the same tax return as you but didn't raise the ire of anyone in power.

> Due to the complexity of the tax code, there is a very high bar for criminality.

If only all of the complex laws actually worked that way.


Everything you've just started is wrong.

I do this for a living. I know how tax penalties and tax crimes work better than you do.


You're presumably dealing with ordinary tax investigations, motivated by ordinary tax investigators and not politics.


You're presumably dealing with ordinary tax investigations, motivated by ordinary tax investigators and not politics.

Those are the only kind of tax investigations in the US.

None of the politically motivated tax investigations you speak of has resulted in criminal sanctions.


A judge wouldn’t give an arrest warrant for a deduction issue like that.


A prosecutor wanting to give someone a hard time would choose tax law as the mechanism only if the amount in contention was large, e.g. it was against a business owner. You don't think a judge would issue a warrant in a case alleging million dollar intentional tax fraud?


No, because charges for violating tax laws must originate from the tax authority, i.e., the IRS for federal taxes. Prosecutors don't have the authority to file charges for tax law violations on their own.


Can you name a single case of it ever happening?


https://www.kare11.com/article/news/crime/former-officer-der...

My suspicion is that felony tax fraud would not have been charged there, or maybe even investigated, if he hadn't been implicated in the death of George Floyd. They had their man so they found his crimes.

Obviously nobody is going to feel sorry for him, but only getting charged with something because you became a political target over something else entirely is exactly the problem in general. Registering your car in a lower tax state may not be legal but it's not exactly uncommon, and plenty of people probably don't even realize it's illegal.


What world do you live in where you think that someone who hasn't filed 3 straight years of tax returns wouldn't be charged with a crime?

Also, to note: the filing of these charges is unrelated to the Floyd case. Based on the article you linked, there were years of financials that the investigators would have had to go through in order to substantiate the charges they filed. They had to investigate ownership of multiple homes, multiple cars in multiple states, and correspond with tax authorities in several states.

This isn't an investigation that they just trumped up because of the Flloyd case; just the correspondence part alone would have taken months, and these charges were filed less than 8 weeks after the Floyd incident based on a substantial record of tax violations.

Chauvin was already on their radar for tax fraud. Politics had nothing to do with it.

Registering your car in a lower tax state may not be legal but it's not exactly uncommon, and plenty of people probably don't even realize it's illegal.

True, but they're not charged with tax fraud because they failed to pay use taxes. RTFA. They were charged with tax fraud for falsely changing their state of tax residency so that they could avoid Minnesota sales/use taxes despite all evidence showing they were still Minnesota residents.

TLDR: Chauvin was not a political target. He was just a bad apple, and in addition to beating suspects was also a tax fraud.


The IRS generally just asks for the money back. You would have to ignore their requests before any criminal prosecution. If that is not the case your doing something more than just making a mistake when it comes to a deduction.


It sounds to me that if this were true, you could corner the tax preparer market. That's a strong hint that it's not true.


How would you corner the market? There are thousands of tax preparers who have already made that observation and are already helping clients take advantage of those loopholes.


> It feels like this is the defining premise of the US tax code

See also, drug laws


> Then if someone is acting up, it's only a matter of figuring out which unrelated laws they are already breaking.

Rand was writing about this in 1957:

"Did you really think we want those laws observed? ... We want them to be broken. ... There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced or objectively interpreted – and you create a nation of law-breakers – and then you cash in on guilt."


> Make a jillion tiny little laws that are impossible to keep track of or follow, that way you know everyone is a criminal if you want them to be.

Reminds me of Alex Kozinski and Misha Tseytlin's classic essay "You're (Probably) a Federal Criminal" – http://alex.kozinski.com/articles/Youre_Probably_a_Federal_C...


In Belarus the Regime/Authorities jailed 12.000 People by simply giving them the "Did not listen to the Authorities" fine, you can just use that one on every citizen once it exists.

It's really hard to criminally break the tax code; usually you have to break it willingly.

If you just make a mistake you'll owe a penalty, but it won't be a crime.

Other laws are much easier to break.


I think this frog is still in the early stages of boiling.


Except you are the president.

Then its:do whatever you want.


I always felt the GDPR was this kind of law. I'm not sure if it's even possible to be fully compliant.


Not to mention the EU thinks they can police the world.


I'm all for someone else trying to police the world... I've had enough of one country having too much influence worldwide...


The irony of course is that it leads to more situations where there are too many laws to track. Not saying your comment is wrong or anything, it’s just a funny side effect.


Ok, so how do you police a super-power like China ?


Who though? The alternatives are just as bad or worse ...


I'd prefer to be in a battle of multiple world-policemen.

I'd like local law and international laws from foreign states to conflict sometimes.

I'd then like my local government to protect me from the foreign government when I (inevitably) break one set of laws.

In turn, that reduces the effectiveness of world-policing


It's a pipe dream: they're weak (no army) and disunited (as COVID response showed).


>disunited (as COVID response showed).

not sure I understand the logic here but Europe, despite having twice the population of the US, has about as many deaths. The region overall has responded well.


The US is not the bar you want to compare with here. The response was essentially “let each of the 50 states decide what to do”.


No unified response, every country had to fend for itself.


Not sure what unified response would change. It's not diplomacy.


I believe their point was that the response proved disunity exists, not any value judgement on whether disunity is a good or effective thing in itself.


Don't use information for any purpose you have not gotten explicit permission for.

Provide a way to get and delete user data.

Bang, you are now GDPR compliant.


And then somebody emails you with a request to all of their data you have on them. Now you must respond to this email and you must figure out a way to find out whether they are who they say they are. Then you have to either refuse the request or extract the data and send it to them. Now repeat this x amount of times depending on how many people want to mess with you at the time.

What happens when spambots start using these requests?


If you find it hard to do that (have a defined way to recognise a customer; make a db lookup to get their data) then it's very simple you don't acquire nor keep that data. This means you have to have a level of competence - across your organisation (including how you store, retrieve data, and how you recognise customers) - before you start storing their data.

Really if you can't established a way to recognise customers how can we (as customers) expect you to competently do 2FA and competently store data without losing it.

It's like complaining that your kitchen shouldn't have to keep track of expiry dates of meat; if that's too onerous for you then you're showing you're not competent to run a kitchen.


ISTM the system you describe could lead to more data collection. I.e., a site like HN knows emails, pseudonyms, and posting history. What if they got a request like this from someone who claimed not to have access to the email they used to sign up? HN couldn't possibly comply.

Maybe that doesn't matter because posting history is public. One could easily envision another site that had some non-public data associated with email address, pseudonym, and no other PII. That site definitely violates the requirements you describe.


You are allowed to require proof of identity before you hand out data.

That might be as simple as requiring someone to log into their account (as you can already do on HN) to sending them a confirmation email, or other.

> What if they got a request like this from someone who claimed not to have access to the email they used to sign up? HN couldn't possibly comply.

No, and nor should they.

> One could easily envision another site that had some non-public data associated with email address, pseudonym, and no other PII.

"Dear requester, please log into you account and use the "request my data" link on your account page"

There's a few things written about this around the web:

https://law.stackexchange.com/questions/28998/right-of-acces...

> ISTM the system you describe could lead to more data collection.

It really doesn't. What it does is attempt to gatekeep data (which these days is a huge risk) collection to organisations that are competent. You always have the option of not collecting data if you don't want to take that responsibility.


> What if they got a request like this from someone who claimed not to have access to the email they used to sign up? HN couldn't possibly comply

They wouldn't have to. If you're requesting your data from a company, you have to burden of proof that you are in fact the person about whom you're requesting the data. If you cannot prove it, you cannot get the data.


>Really if you can't established a way to recognise customers how can we (as customers) expect you to competently do 2FA and competently store data without losing it.

This is an insanely hard problem to do well. The recognition of customers is literally through which phishing attacks work. This is one of the most common avenues that people get access to systems and data they shouldn't. GDPR mandates that virtually every site needs to deal with this problem now.

Also, I'd say that reprieving all data on someone is not a trivial problem. Imagine you had a forum and somebody requests all of the data on them. However, another user has made a copy elsewhere on the forum with some notes about that user's personal data. Does the requester get access to that copy?

And now keep in mind that you complying is based on your understanding of a regulation that companies have spent millions on lawyers to figure out and still aren't entirely sure. And you have to follow this regardless how big or small your website or business is.


It's best effort. No regulator is going to fine you massively if you miss some data in an edge case like this. Worst case scenario, they'll tell you to do better in future.

I do see your point though, the intersection with phishing attacks is not something I'd considered in the context of GDPR.

However, as long as you provide a way for users with an account to download their data, you're 90% of the way towards compliance.

Again, unless you are FB or Google, the regulators will cut you some slack (just look at the lack of bankruptcies caused by GDPR).


Unless the text of the law is "the company shall try very hard (but if they miss a weird edge case they shall be merely sent a warning letter)", the GDPR allows selective enforcement. You note that it's already one rule for FB and Google, another for smaller companies. To what extent do you trust the courts to selectively apply the law in a sensible way, vs selectively applying the law in a harmful but legal way?


It's mostly the regulators who interpret the law and determine the remedies, as specified in the laws. In general, European regulators are aiming for compliance rather than fines, and I don't see that changing any time soon.


Yea sure buddy, that's easier said than done. Good luck running a business of any noteworthy capacity and getting requests like this:

https://www.reddit.com/r/hearthstone/comments/df0zx5/upset_a...

Most server applications are not designed for invasive laws like this. Think of all the HTTP servers that save IP addresses in log files, or all the mail servers that save user messages, IP addresses, and what not. Think of all the other kinds of software that save "personal data". Now think of the way companies backup this data. Do you think most companies out there have the infrastructure to automatically pull all information about a specific user from all of these sources? No way!!

Sure, a company the size of Activision-Blizzard can maybe pull it of, but the little guy has no practical way to be compliant. Not until GDPR compliance becomes a standard in server applications and backup solutions, and when is that going to happen? This is a serious problem that a few people among the elite have thrown at society without understanding the consequences, or caring about them.

And if you don't comply? Well, then this law is just another set of mines in the minefield.


I'm not really seeing the issue here. If the requestor is a user of your services, you presumably have some kind of id for them (like email).

Given that this is not a new law (2018 it became active), you would hopefully have some list of tables with information on users. From there it's select * from tables where user=blah.

Deletion requests are where you'll normally have more issues, but it's best effort. Again, look at how Facebook handle this. They explicitly state that it will take 90 days for all backups to be rolled out, and this is totally fine.

And if you are a small service, the likelihood of you having large amounts of PII on people across multiple services is pretty low.

It's worth noting that IP addresses which can't be matched back to a user are not covered by GDPR, so unless you've been storing every IP from which a user's logged in, then you'll be fine.

But, the real solution here is to only store data for which you have a need, and get consent for the processing which your service requires. Sure, this is harder than the normal YOLO store all the things, but it's probably better both from a storage and liability point of view.

Also, your argument segues from running a business of noteworthy capacity (who may have a problem complying) to small businesses (who won't have the capacity, but also don't store enough data to have a problem complying).

And to be fair, GDPR was npt imposed by elites, it was demanded by an awful lot of consumers in Europe. Maybe you don't like that, but I personally think that breast-feeding mothers shouldn't be censored. So cultural differences are going to cause both of us problems.


I don't agree that GDPR compliance is possible for the small guy. Let me explain why with the example of a small ecommerce business, consisting of one Wordpress site, a server host, a payment service and a delivery service. The user will interact with these 4 in some way. Now let's say a customer "Drek" decides to send support a message like the one I linked to, what are the implications for the company if they want to comply with GDPR using the current infrastructure? (Btw, all "Drek" ever bought was a pair of glasses, a purchase which he immediately regretted and asked a refund for after the purchase was finalized).

What happens? You say we need a (couple of) SELECT-statement(s)? I say we need more than that. Also, I'll tell you right now that doing a SELECT-query isn't something customer support can handle, this is something you ask from a developer or server administrator (== more wasted $$$$). So think about that while we go through the information retrieval process:

(1)-(3) You'll need select-statements, retrieval from log-files (such as access_log and error_log). Text explaining the data and explaining what it is used for. The data should be categorized and machine-readable in a common format. These requirements require a deeper understanding of the systems than just running a Wordpress site with a few plugins.

(4) "the recipients or categories of recipient to whom the personal data have been or will be disclosed;", that includes the payment, hosting and (possibly) delivery services.

(5) "where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;". Again, this requires extra knowledge.

(6) Since we haven't mentioned analytics services or any other privacy invasive service that knows more about the user than what they explicitly provide, this is not applicable in this example. However, it is still applicable for many real-world websites.

(7) Not relevant.

To be fair, the information retrieval can be automated, and a template can be used to compose a GDPR response. However, this does require the company to hire someone competent to do it, and also keep this process up-to-date so that it doesn't conflict with newer versions of Wordpress/plugins. And there WILL be newer versions because exploits are found on a regular basis. The developer will also have to make sure that the data is retrievable, and isn't stored offline or in an inconvenient format (such as the case with compressed logfiles). All of this costs money, and different solutions must be prepared for different systems. If the owner decides to move away from Wordpress to another CMS, he will have to hire someone to also replace the GDPR automation process.

This is not practical for a start-up, or a small business. Unless the infrastructure adapts (again, when?), people will have to write custom scripts/solutions to automate the process.

> And to be fair, GDPR was npt imposed by elites, it was demanded by an awful lot of consumers in Europe.

People are rightfully worried about their privacy, of course we are! But that doesn't give the elites the right to willy nilly impose (because that's what they have done) any solution without at the very least making sure it doesn't infringe upon other rights, and consult experts before writing the law. If they would've bothered to consult a seasoned and non-partisan server administrator, I think GDPR would've looked very differently.

I personally believe that the current infrastructure must change to respect user privacy, but this is not the way to do it.

And aaallll of this doesn't directly address the main issue, which is that the accumulation of laws has caused everyone to become a criminal in one way or another.

"Every law is an excuse for violence."


4 and 5 should already be covered by your privacy policy, which you can point at or copy paste from. Yes, you need to have thought about this once, but you've done that once and not when a customer asks hopefully! Ecommerce even has easy answers for why and how it is processing data most of the time.

The logfiles argument is generally overblown: the process for someone to establish a valid request for that isn't that typically that easy, and in most cases has the simple solution to not keep logfiles with personal data for long if at all (e.g. many webhosts already will by default or as an option anonymize IPs in logs, and it's not all that difficult to implement in other cases).

For business data, yes, you need to be able to look up customers and what data they've given you - but which business application doesn't allow that already?

I don't want to say it's trivial, but small operations tend to also have a small surface for this, easy oversight over everything, and can get this in order with an initial effort to design privacy policies (and identifying and cleaning up places they maybe were negligent before) and prepare checklists that make handling requests easy. I know plenty small shops that have done this just fine.


You know, you probably have a point on some of this.

Thanks, I may actually start building a WP plugin to help with all of this, as if it's the kind of problem you mention here, then I could probably make a whole bunch of money.


What makes you think that Reddit post actually created a significant burden for Blizzard, or that posts like this present a realistic threat to smaller businesses?


> Activision-Blizzard can maybe pull it of

Not maybe. Same thing was proposed as a retaliation against other game companies as well. But Activision will just respond to all those emails with "Go to https://support.activision.com/gdpr"

Yes, it may be tricky. It requires some investment in the process. But unless you earn your money by exploiting user data, it's really not that hard to comply. The less data you keep, the easier it is. And the cost of compliance really scales with the company - for the wordpress with accounts from another comment you can do this manually on request. (likely you'll never need to)

> Not until GDPR compliance becomes a standard in server applications and backup solutions, and when is that going to happen?

https://blog.quantum.com/2018/01/26/backup-administrators-th...

> CNIL confirmed that you’ll have one month to answer to a removal request, and that you don’t need to delete a backup set in order to remove an individual from it.


> The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

Which risks are “high risk”? They can always come after you for not consulting them and waiting 8-14 weeks for any feature launch.

> Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate[…]

No organization can objectively measure whether they’ve complied with this, much less prove it to hostile regulators.


Here's Article 35: https://www.privacy-regulation.eu/en/article-35-data-protect...

> Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons...

I find it strange that you didn't quote the important part of the text here (high risk to natural persons).

Like, this doesn't apply to almost anyone. This applies to things like facial recognition or automated systems that track people's health data, not almost anything that one does in most CRUD/tech applications.

If you are subject to this requirement, then you almost certainly have both a legal team, and a data protection officer. Can you give me an example of what you think would be high risk but should not be?

Secondly, you're missing something here. I'm going to assume that you are US-based, based on your theory of regulation.

The US and EU differ wildly on how regulation works. What you would normally do, if your legal team/DPO says that what you're doing is high risk, is write an assessment (which your legal team has already done) and run it by your regulator. They'll say this works, or you'll need to do something different, you'll comply and get on with your life.

In any case, the whole process is really, really slow before any fines are administered. As an example, the ECJ basically said recently that data transfers from the EU to the US are illegal because of the NSA. The Irish regulator has just sent a letter to FB asking them to comply. FB are fighting this in court (with some ludicrous arguments), but as of yet their processing has not been impacted at all.

This legal fight has been going since 2011, and yet FB are still sending data to the US. I'm not sure if that fits the model of crazy regulators.

And let's be clear, as of yet there have been no GDPR cases fining companies for anything less than absurd violations. Ad tech still exists in Europe (and it's arguable that it shouldn't), FB and Google have continued on their merry way.

The second part is pretty much consult your lawyers/DPO and be able to make a case for whatever you're doing. In that sense, it's very similar to HIPAA, which doesn't seem to cause the same level of upset here.

I still stand by my original statement. If you have consent for your data processing, all will be OK (as long as it's not forced consent). If you don't have consent, or a legitimate interest in the data analysis/processing then maybe you shouldn't be doing the analysis or processing?

As an example, Facebook turned off automatic facial recognition in photos in the EU following an outcry. They re-introduced it when GDPR came in, because they asked for consent. You'll note that there have been no court cases on this, because it's totally fine.

tl;dr - get consent for your data processing, make it easy for people to get their data, and GDPR compliance is pretty easy. If you're in an industry where this is difficult/impossible, then lawyer up and be prepared to spend a bunch of money (and probably lose eventually).


Cool. I've never been downvoted this much before. Thanks for the new experience :)


> I think this is used as an intentional strategy of control, at least somewhat. Make a jillion tiny little laws that are impossible to keep track of or follow, that way you know everyone is a criminal if you want them to be.

It doesn't have to be intentional for the effect to be real.


Most laws are ignored most of the time and selective enforcement is essentially the corner stone of modern policing, there are many more laws that can be effectively enforced and which laws exactly are at any given time is based on available resources and public policy.


>based on available resources and public policy

You missed a few criteria:

- Cultural, political, racial grievances of police.

- Cultural, political, racial prejudices. That is, maybe no ill will per se toward a citizen who looks a certain way -- but assumed guilt by association.

- Personal ambition, to be pursued by making lots of arrests, on maximal charges.

- Fear. End of month approaching, and beat officer is behind on quota of citations/arrests. Punishment expected from chief or DA, if revenue from fines, or prestige from high-profile arrests are lacking.

So, it's the selection of offenders, rather than of offenses due to resource constraints, that makes selective punishment so ethically offensive.


These technically fall under public policy, poorly aligned incentives and or insufficient judicial/executive oversight.

If officers feel that they need to make their quota or even have an arrests/infraction quote then that's a clear failure of policy, if they feel that they can settled their own grievances by abusing their power it's again a failure of policy.


I remember watching this interview segment with some retired cop from Baltimore - he's now using his time to advocate stricter rules on law enforcement, or something like that - he got fed up with what he saw during his time in BPD.

But, to the point: He drove the interviewer through the streets in Baltimore, and argued that it was close to impossible for any driver in Baltimore to simply drive down a street, without breaking some kind of law - or at the very least giving police probable cause for checking your vehicle.

edit: https://www.youtube.com/watch?v=4HyKlFUMBiA

Starting around 4.05


>"Most laws are ignored most of the time and selective enforcement is essentially the corner stone of modern policing"

In this case it is not a law, not in spirit. Rather a tool for "law" enforcement to nail inconvenient people.


*“Did you really think we want those laws observed?" said Dr. Ferris. "We want them to be broken. You'd better get it straight that it's not a bunch of boy scouts you're up against... We're after power and we mean it...

There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws.

Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced or objectively interpreted – and you create a nation of law-breakers – and then you cash in on guilt. Now that's the system, Mr. Reardon, that's the game, and once you understand it, you'll be much easier to deal with.”


Atlas Shrugged, by Ayn Rand


It must be. The passage does not mention orcs.


My problem with these kind of laws is, they are a violation of privacy. Pervasive surveillance is worrisome all on its own, without worrying just how it's enforced.


I spent 3 months cycling all over france back in 2013, and long trips in subsequent years - pretty much every campsite I stayed at used captive portals. A handful handed out password cards to guests only, but those ones were almost always <place name>2013. Back then I didn't have much choice as mobile phone reception in the Alps was non-existent. The campsite owners were aware of the law, they'd often mention that they weren't happy about it.

Last year I was in Paris, but didn't have to fight the system any more, 4G reception was fine. So, no idea what it was like in cities, but in the countryside they followed the law.


Why would someone with malicious intentions ever provide their real details? Why would someone provide their real details anyway when they will most likely be used for advertising/marketing tracking and spam?


They might have been interested in having the MAC addresses to check some suspects alibi, or even to find some links between groups of persons, not specifically PII.

Grenoble is under scrutiny for some time now, it has a bad reputation regarding drug trafficking and the government uses it to show its "strength" with police operations covered by the media. This might be linked.


Don’t people scramble with MAC address every day anyway?


iOS and I think Android are randomly changing the MAC address in recent versions and this is enabled by default.


Win10 does this on open networks and maybe even protected but Public networks as well unless you override it or your hardware doesn’t support it (e.g. old). Source: https://www.ietf.org/proceedings/93/slides/slides-93-intarea...


MAC addresses are easily falsifiable...


Just sharing the password is common practice also in Italy, and I would guess in most of Europe.


> I only know of few places that actually use a compliant captive portal that requires some PII (name, email, phone...) to let you use the free WIFI.

Cost is about 15€/month for a compliant off-the-shelf solution.

I understand that there can be some tolerance in the beginning, but at some point, you can't look elsewhere, especially when the log is actually needed in an investigation.


The idea that asking someone to provide their name and phone number (where they can enter anything they want) is going to somehow aid terror investigations seems naive at best, and more likely disingenuous.


But it's not really 15€/month. You still have to pick a solution that is actually compliant and then learn to use and manage it. Making a website is free, if you know how.

Chances are that you'll buy this software as the bar owner. You are promised that everything is compliant. Years later it turns out that the software itself collected and sold PII and you're liable for the damage or that the software simply wasn't compliant after all.

Picking out cheap and subplot software that needs to adhere to nebulous requirements is not easy for a layman.


>not easy for a layman

a bar owner isn't a layman but a business owner, and in fact one who already has to navigate regulations around media in particular. For example if you don't get a TV license if you put a TV in your bar and show say, soccer games, you're in hot water too and everyone knows this.

If you act as a service provider in a business I honestly don't know why people would be surprised that there's some caveats.


There are so many rules. It's as though the rules are specifically set up to discourage you to provide something for the community.

But my point is that the €15/month solution is not actually €15/month because of the reasons I outlined.


People won't enter their real info, especially if they are doing shady stuff worthy of investigating.


Doesn't necessarily matter if what they're actually doing is tracking an IMEI or SIM connection to the area and are fishing for evidence of shady intent via entering false information. MAC addresses from a device that doesn't do MAC randomization are also good for that sort of thing. Android devices can also be tracked via advertising id's if the user doesn't reset it and you haven't pissed off Google. I draw the line at assigning what are effectively UUID's to people specifically because they are so often abused in that manner.

Across the pond, things work a bit differently, and the criminal justice systems are a bit lower friction for the authorities as I understand it. Not that I'm criticizing mind. The American System has not endeared itself to me as of late.


SIMs are out of the question for public wifi hotspots - to authenticate a SIM (via EAP-SIM or EAP-AKA) you need an existing relationship with the mobile carrier.

When it comes to MAC addresses, 1) there isn’t a central registry of addresses anyway so having the MAC address alone won’t help much in an investigation, 2) it can be set by the user so malicious users will fake their MAC address and 3) for privacy reasons most devices nowadays will generate unique MAC addresses for each network.


That's why I caveated the MAC, but if you managed to catch a non randomizing device or a randomizing device that hasn't disconnected (dumped in trash outside for instance) or which was powered down on network and not powered on until after arrest, you can still hit paydirt.

The IMEI and advertising ids are the more pressing ones though. Never underestimate the deanonymyzing power of someone else's UUID you aren't even aware you have.


Another angle is that devices that randomize will “reuse” the random address for the same SSID, afaik. So even the random Mac may be of value over time.


Look at the Silk Road investigation. They collected circumstantial evidence by linking the originating IP address, where the suspect lived and when DPR was logged in.


I understood that Silk Road was a case of parallel construction, the Feds had a way to directly break the veil of TOR but didn't want to let on.


I really don't think so. There was an externally verifiable chain of evidence created by Ulbricht through random tidbits of sloppy opsec on a few occasions, enough of them for him to eventually be identified and caught. So if these existed (and they did, because they could be clearly pointed to), there was no need for parallel construction, and if there was no need for it, it presumably wouldn't have been used just because. Furthermore, if they were going to use it anyhow, why wait so long to do so when they had the needed formal evidence anyhow?


I understand your position, but the judge is probably going to answer that it's not a bar owner's job to decide which laws are good enough to be respected.


Due to the cost and risk involved, few cases go to jury trial... BUT if it's anything like the US a jury technically could consider things like this and refuse to render a guilty verdict.


In France, if I recall, isn't it usually a panel of judges? I don't think they use a jury.

Quick perusal indicates Cour d'assises is the only court with a jury analog, and it only deals with matters where the penalty would result in a >10 year sentence if I'm reading it correctly.


Man, this is the french justice system, not the US. Jury trial (assises) doesn't happen for anything short of blood crimes.

On the other hand, plea deals are not a thing either, so if the state decides to press charges, you're definitely going to see a judge.


> selective enforcement

Living in America, this is all too often a problem. One segment of society says “there should be a law” often enough that we have more laws on the books in the federal space alone than the GAO can count. Now we add on state and municipal laws and we’re probably all guilty of something each day. Not having enough resources to enforce all of the laws we get the situation you describe exactly - selective enforcement and too often an unjust distribution of enforcement.

Add to that the fact that all laws are ultimately enforced with physical force and we get situations like Eric Garner - a situation instigated by the enforcement of a stupid municipal law - selling untaxed cigarettes. A state interest hardly worth exposing someone to a beatdown or in Eric’s inexcusable case, death.


But does the law actually require PII? 'Logging' might just require a record of source IP/MAC address and destination IPs. So, just having a wifi password that is shared might still be OK.


Unfortunately, it seems that one purpose of the law is to make sure every citizen is always breaking at least one law a day.

Then when you are in power, you can yield the law and do what you will to your enemies.


Why now, and why these specific 5 restaurants?

It definitely feels like a pretext for something else going on, who knows what -- whether it's a police racket or something shady going on in the restaurants they're sending a warning about.

This is what these obscure, rarely-enforced laws seem to exist for in the first place.

If the police were really interested in enforcement over this, they'd send a letter to every restaurant, bar, and cafe owner in the country that they have 3 months to comply and it will become part of regular inspections.

Targeting 5 individual restaurants (through arrests) is definitely not about simply enforcing this regulation.

Note: I'm NOT defending this as a legitimate law enforcement tactic. Just describing what seems to be happening.


There are currently 2 local factors:

- the Charlie Hebdo attack is currently on trial, and during the trial it was revealed that the weapons were sold by a police informant who had sent a report on the sale to his handlers, and that they did nothing. In particular the sale happened in a place chosen to give the police the option to either monitor or interrupt the sale.

- there is a current increase in the monitoring and criminalisation of muslim activities in France, my guess is that the police wanted to spy on someone and found out that the logs had not been kept.


> weapons were sold by a police informant...handlers...did nothing.

Yowza! Hadn’t heard that in my neck of the woods. Very tragic. Recurring problem in defensive systems though. Logging but nobody is reviewing/acting on logs.


>there is a current increase in the monitoring and criminalisation of muslim activities in France, my guess is that the police wanted to spy on someone and found out that the logs had not been kept.

Inconveniencing the police is a surefire way to get prosecuted to the fullest extent of the law.


Well... Sending out a letter can get lost in the junk mail,. I'm sure the other establishments got this message though.


Well put.


“register with your email to use this wifi” seemed very common in the EU the times i’ve been there in the last 5 years.

All i have to say is that butts@butts.com logs in with the password “butts” at a truly surprising number of cafes across europe!


Only in some EU countries. I have never seen such a WiFi captive portal in Slovakia or Czech Republic. But I remember these captive portals when I was in Germany - of course I would just generate a random disposable email (through 4G) and enter fake data. It really has no impact on the real bad guys.


Germany I think is exceptional in this, though. They had basically no public WiFi in the decade that it was booming in similar countries, allegedly because of crazy liability laws. I never dove into it but that's what I was told when asking German techies. It should have changed a few years ago but by now mobile data is much more ubiquitous than it was in 2012 or so and while WiFi is an order of magnitude cheaper per gigabyte than mobile data, most people aren't power users and don't need more than checking their email and so it remains virtually nonexistent. You're most likely to find it in foreign companies like McDonald's, and of course hotels but that's a different type of place. There are also "public hotspots" from Telekom built into old phone booths (yep Germany still has those) but that's as expensive as mobile data.


Sounds like it's time to bring back BugMeNot.


Access BugMeNot to get a password to connect to the internet, you say?


When I was a young lad, it was standard practice for many internet apps to work on the principle of local caching. You'd connect to the internet, refresh your local copy, disconnect, and then work from the local copy. NNTP worked this way, POP3 worked this way. There were even apps that grabbed the current news and stock prices in the brief minutes that you were connected.

It's a good model, and it would work well here, and for any circumstance when your connectivity is intermittent.


Integrate it into KeePass or 1Password. I'm sure Yahoo will pay a billi for that.


I once had a similar issue with a hotspot, that required email confirmation but didn't let me access my email.

It's possible to work around when you have a phone connection with limited bandwidth and a low monthly cap, but meh.


Yes I've never entered a real address and it's never been an issue.


Which goes to show how ineffective these attempts are for the stated goal. If anything, keeping logs of the mapping of ip to MAC addresses would be enough for the case where they want to connect a suspect they have on custody to their navigation history on a given place and would be way more effective than trying to connect their identity to catchme@ifyou.can.


Maybe there should be a "butts was here" sticker.


Have you heard of "warchalking"?


And this is how mr Butts will get arrested (kinda like mr Buttle in Gilliams Brazil movie)


There has to be more to the story here. With the law starting in 2006, why are authorities just now going after these bars? Did something specific start this, or is it just the growing authoritarianism that comes with these endlessly long national emergencies?


You're probably right. There must have been some activity that drew the attention of law enforcement. It is a de facto obligation for cafés to offer free internet, so it's surprising to see such a law enforced in Grenoble of all places. My friend's café in Paris just has a password protected network, and I know for a fact they do not log traffic. I have seen other cafés with a registration system, and I'd bet those networks maintain logs. For the smaller cafés, even if they knew they had to, I'm not sure they would have the technical know-how to maintain logs. They've had some problems with piracy in the past, so perhaps that might have something to do with the arrests in Grenoble.

If torrenting or some other form of piracy happens on a network, ISPs send letters to that IP's customer, giving them a warning. Perhaps these café owners were repeatedly warned to enact stricter measures against piracy (i.e. logs), and, failing that, they were arrested for failing to comply with other regulations that are actually enforceable. I can't imagine a café owner could ever be charged with piracy for maintaining an open network.

For what it's worth, I looked around Le Monde and some other news sites to find more information, but there isn't much info to expand on the fact that these people were arrested.


Possibly they annoyed the mayor or something. I've heard a similar story from France before, business doesn't stay on the right side of the right people and suddenly they're shut down for violating some obscure law. I'm sure it happens elsewhere too (uk planning laws seem ripe for this sort of thing)


> For the smaller cafés, even if they knew they had to, I'm not sure they would have the technical know-how to maintain logs.

There are cheap off-the-shelf solutions marketed specifically for bars to setup public wifis.

> If torrenting or some other form of piracy happens on a network, ISPs send letters to that IP's customer, giving them a warning. Perhaps these café owners were repeatedly warned to enact stricter measures against piracy (i.e. logs)

The thing that happened here is not related to HADOPI, the worst that can happen to you with hadopi is losing your internet service or having to pay a fine.

The likely thing that happened is that some patron did something illegal enough to warrant a court order asking the ISP to provide logs, the logs led to the bar which couldn't provide their own logs. ISP rates for court orders are expensive, so the police is unlikely to enjoy this dead end.

The "garde a vue" was probably unnecessary, but this kind of overreach is common in France.


well these are anti-terorism laws, so i doubt theyd go arrest someone if it was just being used for piracy purposes. which is probably why this is so uncommon that its newsworthy.


Everything is terrorism if the police want it to be.


> It is a de facto obligation for cafés to offer free internet

What do you mean by this?


If you're a cafe, you offer free internet or your business dies.


Less so in France: virtually everybody that would sip 2-3EUR coffees has a 19EUR cellular plan with unlimited data. And that's the price if you're not bundling and not playing off providers off eachother.

Free wifi is for the non-EU tourists.


Can confirm. Having dropped my mobile in the bath (...) I needed wifi yesterday and only the fifth café I tried in provincial France had wifi available. (And that didn't work until I adjusted my settings to use the DHCP server's provided DNS...)

Now I wonder if it's this law that made it not worth the effort for them.


Many EU tourists as well, here you can still get sub GB plans, and unlimited is twice what it is in France, and if you're not savvy, four times is possible too.

Free, please conquer the rest of Europe too!


It might depends on the bars, but those where I've been in France usually don't have it


People expect places like this to have free WiFi.


I see. The word "obligation" threw me off because it is generally understood to mean the actions you're legally or morally bound to.

This sounds more like market forces, competition.


Thanks for the clarification.

I'm much obliged.


> There has to be more to the story here. With the law starting in 2006, why are authorities just now going after these bars?

The law states that businesses must keep some log in case an investigation about patrons' net usage requires it. It's not checked every day, but when an investigation happens and you got nothing to show, you get prosecuted.

Pretty similar to accounting, the minute details of your accounting won't get checked every year, but you must keep them available for the tax service.


The difference being that you maintain your own accounting records, and any discrepancy is a result of your own failings, whereas WiFi logs can be expected in practice to contain entirely fictitious information for the majority of ordinary users due to no fault of the cafe. Which makes them totally useless and any requirement to keep them a wasteful burden and a trap for the unwary with no countervailing benefit.


Probably someone did “something” from this cafe’s wifi network, the judge asked for the logs, and the owner said he didn’t have them, which is a violation of the law.


Probably just somebody decided they didn't like him, and found some BS to charge him with.


Keeping logs seems like a high bar for a non expert with a commodity home ap/router. A $US40 WRT54G only has 4mb of flash, for example. Are they expecting lay people to spend 10x that or more to set up an external log aggregation server with DPI and audit trail?


Yes.

Or rather, subscribe to commercial providers who will log contents. Along with the other shopowner’s joys (mandatory yearly electricity inspection €200 even if you didn’t change anything; €140 aircon inspection; fire inspection; etc.)


Of all the things to complain about, fire inspections should be near the bottom of the list. All of those regulations were written in blood. I'm sympathetic to the problem of established businesses lobbying governments for more regulations to impede the rise of competitors, but that's not the origin of all regulation. Many rules exist for damn good reasons.


Remember that guy that died over bootleg cigarettes?

Everyone loves to say their pet favorite law is lItErAlLy WrItTtEn In BlOoD but laws are enforced in blood too. If someone isn't dying for lack of a law (at scale) then someone is gonna die when the police go to enforce it (at scale). It's important to remember this when deciding what issues are important enough that we feel like forcing other people to behave how we want under threat of state violence.


The UK parliamentarian in me: “Hear, hear!!” bangs on table


Excellent point. 100% agree.


Neither of those prices you quoted seem particularly high for having someone turn up and do an inspection.

Given that you're operating a public area, and things like aircon and electrics can be deadly when failing or operated incorrectly it doesn't seem too onerous a requirement.

If you're a landlord in the UK (I'm not) you need a current gas safety certificate if you've got gas appliances (most houses do, eg heating) and plumbers cost a reasonable amount of money. It's just the cost of doing business.


It’s the aggregate cost of doing business that’s being criticized though, not the reasonable cost of one or two things in isolation. Like saying this new municipal bond will only cost homeowners the price of a latte a day. You can afford that, right? Yeah, but the thing is I don’t buy twenty lattes a day which may be what the current bond obligations add up to. Now you want to make it twenty-one. The aggregate cost is what’s crushing. It’s where we get the idiom of straws breaking camels’ backs.


I guess I don't see the scale of the issue. Yes, in aggregate the costs are higher than each individual charge, and that works out at some visible % of your revenue, but it seems like all the things we've mentioned so far are necessary (inspections and such, I don't know what a "municipal bond" is). I'd be genuiently interested in hearing people's ideas to lower those costs though, as I am sure many business owners might be.

However, it seems like lowering the costs by allowing businesses to skip certain currently required things (at least of the ones mentioned) isn't going to work, as I said before, unmaintained air conditioning is dangerous (I know of at least one case where it tragically killed most of a family in a hotel, and it can make you generally sick https://patch.com/california/saratoga/dangers-badly-maintain...) and it doesn't take much to imagine how badly maintained electrics could be a problem.

Given that we can't rely on some people to maintain these things (even if they are trying to do it right) without checking up on them, and because we don't know who those people are in advance means we need to check up on everyone. It seems to me that this is just the cost of doing business, and let's face it, lots of businesses are still going despite the costs involved.

If you've got some examples of unecessary or silly things costs that governments impose on shops/cafes/businesses then I'm all ears but so far I've not heard any.


I didn't appreciate the difficulties, complexities, and inanities until I became a business owner. I would suggest you don't see it because you're not in it.


I'm not saying it's simple, I'm saying that 1) Those prices don't seem particularly steep for the work and 2) it doesn't seem like it's a good idea to cut them, so complaining about those specifically seems pointless especially as it's probably a good idea to make sure premises aren't dangerous.


In a decade there will be threads wondering why only big chain restraints are left. And they'll blame capitalism and cry for more regulation never realizing how their regulations are what made it impossible for independent shop owners to compete.


Apparently. Laws being divorced from reality isn't a new thing.


If you're a lay person you have the option to hire someone. Let's not forget, we're talking about businesses here (bars), not individuals.


Hiring an actual IT person to set it up would be a very difficult expense for many small businesses. Cafes usually operate on very tight margins. I just find this law completely ridiculous and an obvious result of hysteria. It is not a rational response to the very tiny risk of the dastardly and scary terrorists using free wifi.


As all businesses require it the chances that ISPs don't offer a service that includes that feature seems extraordinarily low. Seems like knowingly selling a service that wasn't capable of logging, under a legislative background that requires it, would also likely be unlawful.


No-one is forcing you to offer free wifi. Like with any business decision, you need to weigh the cost of the investment versus the expected return.


The law created a market, so there are 15€/month off-the-shelf solutions to this issue.


You make it sound like that's cheap, but it's equivalent to having to replace the router every 3 months.


What til you hear how much these places spend on soap for mandatory cleanings.


I don't intend to make it sound cheap or expensive, I simply point out that people without the knowhow can access out of the box solutions if necessary.

For comparison, the internet access itself is usually around 30€/month.


And then monthly or yearly fee for GDPR review/handling too. Don't forget handing over GDPR form to your customer together with latte. Europe becomes tough place to make any activity, not even talking about business.


GDPR doesn't apply to this storage of data since it's regulatory. Besides, these services are all-inclusive, you're sold a GDPR-compliant solution.


GDPR does apply. You do not need any agreement from your guests or another reason, because the data collection is required by law. But you still have to deal with GDPR requirements around deletion (after you don't need it anymore), access (give it to the wrong person without the appropriate paperwork and you are on the hook), security (have a breach or a unhappy employee and...), notification, data protection officer, inquiries etc.


You could not sell your users data, then you don't need to collect it, then you barely need to worry about GDPR.

You are allowed to sell coffee without invading your customer's privacy. Shocking I know /s.


But you are required to collect user info for them to use WiFi, so that implies you also have to deal with related GDPR compliance hassle for that data


Mildly off topic:

When entering fake information into captive portals from bar owners who actually comply with bs laws like these, please take care to use something like a `.invalid` tld so that some unsuspecting third party isn't suddenly subject to your emails. <your_handle>@gmail.invalid works basically everywhere.


I'm sorry, but if you have a valid email address of butts@butts.com, then you deserve the spam. Also, if you do actually own that address, thanks for hosting it so that bounce tests don't fail immediately!!


>[...] so that some unsuspecting third party isn't suddenly subject to your emails

why not something like byfmupajzmvdaxef@{gmail.com,outlook.com,yahoo.com}? I doubt that large email providers are going to be inconvenienced by the spam. Your solution is likely to get rejected by overzealous form validation (for good reason!).


You've probably meant: ';drop+table+users;@gmail.com


Not technically a valid email, although you could try "';DROP TABLE USERS;--"@gmail.com

Weirdly enough it's the semicolon that isn't allowed, not the single quote.


Nah, it will pass many validators even with semicolons (like http://emailregex.com, which yours would fail btw). You are right though about better leaving spaces verbatim and adding the hyphens.


I can't help it that most email validators aren't following the standard ;-)


The standard is followed so infrequently that quoting it is basically an exercise in needless pedantic detail mongering. It's just not very relevant, probably because the rules to check valid email are so ridiculously complex (how long was that regex, 200+ characters?).


The email address standard is hilarious and should be made fun of at every opportunity.

The whole quoted-string commented multiline business (seriously, why?) is rightfully ignored by anyone who's ever made or used a mailserver, but it's still there.


Little Bobby Tables, we meet again.


Not an example from France, but I've experienced captive portals elsewhere that give temporary access for 10-30 minutes which gets extended when you click on a verification link they email you. I don't expect bar owners to develop such a system, but if too many people do fake info, the government might lean on the providers of the off-the-shelf solution to which the bar owners subscribe to add that functionality.


I always use f*ck@you.too


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: