1998: "GDPR"


Raidri
Posts: 47
Joined: Wed Dec 21, 2016 10:39 am UTC
Location: Germany

Re: 1998: "GDPR"

Postby Raidri » Mon May 28, 2018 2:01 pm UTC

Eternal Density wrote:Who's Rohan?

Rohan_(Middle-earth) from The Lord of the Rings

rmsgrey
Posts: 3457
Joined: Wed Nov 16, 2011 6:35 pm UTC

Re: 1998: "GDPR"

Postby rmsgrey » Mon May 28, 2018 2:35 pm UTC

Eternal Density wrote:Who's Rohan?

Also I had no idea this was a thing until the onslaught of emails a few weeks ago. I have a tiny website which technically people can create profiles on but no one actually uses it. Maybe I should switch some or all of it off?


You're probably okay - with the usual caveat that I'm not a lawyer, not an expert, and you should really check for yourself, or consult an expensive professional. The main things that might trip you up are that you have to tell people how to get removed from your database, and you have to be able to justify continued storage of their details, with a process for deleting data you no longer have a reasonable use for.

You should also have something that tells people that you will store their profile information and use it for whatever it is you use user profiles for, much like you should have a notification that your site uses cookies to keep track of whether someone's logged in...

Eshru
Posts: 146
Joined: Thu Jun 10, 2010 3:51 am UTC

Re: 1998: "GDPR"

Postby Eshru » Mon May 28, 2018 2:42 pm UTC

ucim wrote:
sardia wrote:What is xkcd's privacy policy?
https://www.xkcd.com/792/

Jose

Relevant more than ever after rescinding that pledge to not do evil.

Flumble
Yes Man
Posts: 2075
Joined: Sun Aug 05, 2012 9:35 pm UTC

Re: 1998: "GDPR"

Postby Flumble » Mon May 28, 2018 9:55 pm UTC

Eebster the Great wrote:And this is the intended effect of the bill?

I'm curious as to what the intended effect is.

So far, it seems to have the same outcome as the 'cookie law': all sites* fucking over the users by blocking you if you don't agree with their 3rd-party advertising and data mining, rather than changing their 3rd-party advertising and data mining habits. :x
And with all these updated terms all at once, people become desensitized and will accept anything if it means they can continue liveblogging their opinions about cat videos.

We should start an actual Evil Corp that fully complies with privacy laws, then collects/asks about all personal info and finally publicizes personal information of random users and sends database dumps to various shady companies. I hope GDPR allows to store and share personally identifiable information without justification if the terms (clearly) state that the user makes it public. People still have a right to make their PI information public domain, right?

Interestingly, I just came across this, stating that under GDPR websites should allow unconsenting users to the website in general and only require consent for particular parts of the site.



*except those that didn't use third parties or analytics to begin with, like this neat little forum. Then again, this forum may violate it by users embedding external images which can be used for tracking.
Does GDPR say anything about user content violating it?

Eebster the Great
Posts: 3106
Joined: Mon Nov 10, 2008 12:58 am UTC
Location: Cleveland, Ohio

Re: 1998: "GDPR"

Postby Eebster the Great » Tue May 29, 2018 4:07 am UTC

What was the point of the cookie law though? All it does is require sites to notify people that they use cookies. But nearly all websites use cookies, and the ones that don't notify you are simply not following the law. Is there more to it than that?

ucim
Posts: 6566
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 1998: "GDPR"

Postby ucim » Tue May 29, 2018 4:46 am UTC

I think the idea was to raise awareness of what cookies are, and what they can do. This is subverted by the truthful declaration of what they are ("they are just little text files"), but eventually people started to realize what they could do. However, that requires understanding a lot more about the structure of the internet, the difference between first party and third party cookies and how cookies are shared among other sites, the fact that the actual damage magic is done on the server, not on the client, and stuff like that.

They are pretty much necessary for lots of good stuff (shopping carts, logging in), but are also weaponized for tracking you throughout your web browsing, and you can't tell which is which.

The bottom line is "take it or leave it".

Ditto client side scripting. Great for pop-up calendars, weaponized for ad delivery and tracking how your mouse moves and where it hovers. Bad web designers started employing client-side scripting to add "ooh, shiny" when plain HTML would do as well, but I don't think I call them "bad" any more. I call them "devious", and I'm sure they don't think of themselves as devious because it's just what they do. So sure, you can block them with an add-on (noscript, for example) but then the website breaks where it shouldn't, and you have to try to figure out which script (called by which other script, called by which other other script...) is safe to enable. Most users, including those who hire web designers, have no clue of how broken their site is without scripts. But they want analytics, and weaponizing scripts accomplishes this.

Take it or leave it.

And don't get me started about service workers. They are parts of a website (client-side scripts) that run even after you leave the web page that attacked you with them. Sure, I'm told the user will be able to turn them off. But how is the user supposed to know to do so, and which ones to disable, and what they are doing? I have no illusions that they won't be weaponized too, just like the "harmless little text files" were.

That's the galling thing about all these privacy policies. They often amount to:

1: You agree that you want our nonstop surveillance of your activities, including reading your emails, analyzing your photos, and anything else we do.
2: You agree that you want us to correlate what we learn from your activities with what we learn from all other sources.
3: You can disable some of this info gathering by going to lots of confusing settings. But we'll still gather information other ways.
4: If you do this, the website probably won't work.
5: Any information we already have remains ours.
6: If we merge with anyone else, they get that information too. You will be assimilated.
7: Take it or leave it.

And you can't leave it without losing everything you've built in the past.

Take a look at Oath's privacy statement, and imagine you have umpteen years with any combination of the companies that got together to form it. If you don't like it, there's nothing you can do. Even if you stop using their products (which include plain old telephone!), they have your data already.

Jose
Order of the Sillies, Honoris Causam - bestowed by charlie_grumbles on NP 859 * OTTscar winner: Wordsmith - bestowed by yappobiscuts and the OTT on NP 1832 * Ecclesiastical Calendar of the Order of the Holy Contradiction * Please help addams if you can. She needs all of us.

Eebster the Great
Posts: 3106
Joined: Mon Nov 10, 2008 12:58 am UTC
Location: Cleveland, Ohio

Re: 1998: "GDPR"

Postby Eebster the Great » Wed May 30, 2018 9:44 am UTC

But like, if you don't want tracking cookies, write legislation about tracking cookies. Requiring a declaration regarding cookies on every single website is clearly useless. It does the exact opposite of the intended purpose.

Zamfir
I built a novelty castle, the irony was lost on some.
Posts: 7507
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: 1998: "GDPR"

Postby Zamfir » Wed May 30, 2018 1:32 pm UTC

The EU is not some emperor laying down his own cookie preferences on everyone. It tries to create a balance that works for people who are OK with tracking and people who are not. With the 'not OK' as default unless permission is given.

The GDPR is much larger in scope than tracking cookies. It says that if companies want to store information on people, they have to ask permission while giving the purpose. They cannot use the information for other purposes, they have to delete the data if it no longer serves the purpose, show people (on request) what data they have collected already, and wipe that data if the person retracts their permission later on.

While industry practice is that once you have given permission, the company is in control, no transparency and no backsies.

AFAICT, it's that last aspect that's giving companies headaches. They are used to throwing data over the fence to third party companies in the messy advertisement ecology. They don't have a clue where it ends up, let alone how to remove it again.

rmsgrey
Posts: 3457
Joined: Wed Nov 16, 2011 6:35 pm UTC

Re: 1998: "GDPR"

Postby rmsgrey » Wed May 30, 2018 1:44 pm UTC

Zamfir wrote:It says that if companies want to store information on people, they have to ask permission while giving the purpose.


You don't need to ask permission unless you're relying on (explicit, informed) consent to justify your use/retention of their data.

What you do need to do is make sure they know what data you're storing/using, and for what purposes (including who it gets shared with).

Anyone providing targeted ads should also make sure that the individual being targeted knows what data is being used, and who the company is providing those ads (either notifying the target themselves, or relying on the host site to do so).

Mikeski
Posts: 1039
Joined: Sun Jan 13, 2008 7:24 am UTC
Location: Minnesota, USA

Re: 1998: "GDPR"

Postby Mikeski » Wed May 30, 2018 8:17 pm UTC

Eebster the Great wrote:But like, if you don't want tracking cookies, write legislation about tracking cookies. Requiring a declaration regarding cookies on every single website is clearly useless. It does the exact opposite of the intended purpose.


That assumes the laws were written strictly for the protection of the end user, and were not corrupted for the purposes of the advertisers and other data-leeches.

Rather, it assumes that the end users have any lobbyists to buy politicians with. I'm sure TPTB made out quite well on this legislation...

(And this is why you want as little government as possible, and as little money in government as possible. The chances of government writing useful legislation about tracking cookies is effectively zero. Let the gov't stick to things it needs to do.)

Eebster the Great
Posts: 3106
Joined: Mon Nov 10, 2008 12:58 am UTC
Location: Cleveland, Ohio

Re: 1998: "GDPR"

Postby Eebster the Great » Wed May 30, 2018 8:21 pm UTC

No, it doesn't assume any of those things. It points out that the law is flawed, whatever the reason behind the flaws. This isn't a struggle between good and evil, it's just a really ineffective piece of legislation.

x7eggert
Posts: 92
Joined: Tue May 13, 2014 6:55 pm UTC

Re: 1998: "GDPR"

Postby x7eggert » Sun Jun 03, 2018 5:24 pm UTC

Eebster the Great wrote:But like, if you don't want tracking cookies, write legislation about tracking cookies. Requiring a declaration regarding cookies on every single website is clearly useless. It does the exact opposite of the intended purpose.


That's what's in the law: You may not set cookies for tracking users, also not for "improving your site" by tracking users, without consent nor assume consent nor enforce consent-or-no-service. (TL;DR: No cookie banner will comply with that law).

You may set login cookies, and after the user informedly opted to allow you to do so, you may store tracking cookies or store information that isn't necessary for operating your site or granting your service.

If you store personal information, you are responsible for keeping it personal.

ucim
Posts: 6566
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 1998: "GDPR"

Postby ucim » Sun Jun 03, 2018 7:59 pm UTC

x7eggert wrote:after the user informedly opted to allow you to do so
Ah, there's the devil. What counts as "informedly"? What counts as "opting in"? How deep can you bury the naughty bits? How much can you hint (without saying) that your experience "won't be optimal" if you don't?

If you wear users down, they will agree to anything. That's how one coerces (false) confessions out of people. So, it really has to be pro-active in saying "You don't have to do this. If you don't do this, nothing bad will happen to you, and you'll still get all the good stuff. But if you do agree to this, we will have more power over you and will use it against you at our first opportunity. Do you still want to allow this?"

[yes, I'm stupid] [Hell no!]

Jose

Eebster the Great
Posts: 3106
Joined: Mon Nov 10, 2008 12:58 am UTC
Location: Cleveland, Ohio

Re: 1998: "GDPR"

Postby Eebster the Great » Sun Jun 03, 2018 11:06 pm UTC

You can't opt out of cookies. You can, if you like, choose to simply disable them on your end, a feature every browser provides. The problem is third party tracking cookies, which the "cookie bill" was certainly not specific to. Now, hopefully those banners are no longer necessary (because they were 100% pointless in the first place), but that and other former international internet legislation set the bar pretty low for the next one.

Also, how exactly do you think sites like Facebook "use [personal information] against you"?

ucim
Posts: 6566
Joined: Fri Sep 28, 2012 3:23 pm UTC
Location: The One True Thread

Re: 1998: "GDPR"

Postby ucim » Sun Jun 03, 2018 11:25 pm UTC

Eebster the Great wrote:You can't opt out of cookies.
I was really speaking more generally about all the other methods sites use to track and profile you. (And I don't know what "banners" you are talking about.) Thing is, you can disable {tracking feature} in your browser, but then the web site probably won't work. So, take it or leave it.
Eebster the Great wrote:Also, how exactly do you think sites like Facebook "use [personal information] against you"?
I don't know what each site actually does or with whom, but potential ways include profiling me and reporting their findings to commercial entities, political entities, financial entities, investigative entities... whatever. None of these has my best interests in mind. Larger aggregation sites use this information to determine what I am permitted to (easily) see, and what they will make more difficult for me to find. Whoever controls what you read, controls what you think. Even if you and I are completely immune, the rest of the internet surely is vulnerable to this kind of manipulation. Editorial content can also be rewritten to better appeal to "me and my kind". I don't know if this is happening yet (I'm kind of surprised I haven't seen it), but it's certainly been possible for years. Word98 had a pretty amazing (and creepy) feature called "summarize"; you feed it a long document and it spits out a condensed Readers Digest version. It was quite impressive, and that was twenty years ago. Google Translate, with a few tweaks, could easily translate between, say, "type A personality English" and "type B personality English", to make certain articles and points of view more appealing to its target.

The more that networked computers know about you, the more they can shape your environment. But to whose benefit? Not yours, for sure. You'll get "oooh, shiny" and while they've distracted you, they'll pick you clean. And if they distract you well enough, you might not even notice until election results are in.

Jose

Soupspoon
You have done something you shouldn't. Or are about to.
Posts: 3665
Joined: Thu Jan 28, 2016 7:00 pm UTC
Location: 53-1

Re: 1998: "GDPR"

Postby Soupspoon » Mon Jun 04, 2018 12:38 am UTC

ucim wrote:(And I don't know what "banners" you are talking about.)

"This site uses cookies to enhance your user experience. Click here to continue viewing our site. By viewing our site you agree to our cookie policy. To see our cookie policy click here."

Or something similar generally on a "width=100%, height=(10%, 50px) align=top/bottom" popover that for my part I tended to ignore (not clicking on the "continue viewing our site" link, but instead just continuing to view the site with the perpetual banner, if I still wanted to, because I'm no worse off and yet arguably they haven't been given carte blanche to do what they're going to do anyway). One supposes they disappear if one clicks that bit, and a cookie-bit is set that you have explicitly complied with whaterthehellonesignedupfor. Never tested that theory, though.

Looked at some of the places that I'm sure did this (to me, in Europe, even if not you - also with whatever popover-blockers/noscript-defences you might have), and they're not doing it. Maybe GDPR has forced them to stop that, and what they're doing instead isn't actually as annoyingly in-my-face.

In sharp contrast, npr.org is suddenly (at least for me) now forcing me to make a choice (I assume you get that, via that link, even if you don't normally do on general npr browsing), which so far I've dealt with by choosing to go to the text-only site. Which I'm happy with, because it's the text I want to read, on any linked story, although I'm fairly certain this is an unnecessarily spartan approach even for die-hard refuseniks. (And which could be cookieing me up regardless. Which is ironic as I wouldn't mind the original "silent but useful" approach, yet if proven to "deny but do" I might feel less charitable.)

(Oh, and I note that Washington Post has hardened up their Freemium/Paywall entryway, even on Google-presented links, meaning that I've so far not followed through on reading anything anyone might have linked from a political thread (here or elsewhere) and neither leeched off their news nor taken up their offer to get more than the nominal views per month.)

Soupspoon
You have done something you shouldn't. Or are about to.
Posts: 3665
Joined: Thu Jan 28, 2016 7:00 pm UTC
Location: 53-1

Re: 1998: "GDPR"

Postby Soupspoon » Wed Jun 06, 2018 1:07 am UTC

Double-post 'cos I found an extant (and probably GDPR-aware) example.

Vox.com gives an entire-bottom-half-of-page-covering popover (that you can scroll that page behind it) stating:
We use cookies and other tracking technologies to improve your browsing experience on our site, show personalized content and targeted ads, analyze site traffic, and understand where our audience is coming from. To find out more or to opt-out, please read our Cookie Policy. In addition, please read our Privacy Policy, which has also been updated and became effective May 23rd, 2018.

By choosing I Accept, you consent to our use of cookies and other tracking technologies.


<buttony link>I Accept</buttony link>


(This may or may not be a geofenced feature of the site. If you haven't yourself banished it by local or server-side deactivation.)

JeffDG
Posts: 7
Joined: Mon Sep 08, 2014 3:27 pm UTC

Re: 1998: "GDPR"

Postby JeffDG » Mon Jun 18, 2018 1:11 pm UTC

Eebster the Great wrote:Yeah, I'm sure this creates a barrier to entry, but it has also created multi-billion euro lawsuits immediately against large companies. It's bad for the big guys and worse for the small guys and a pain in the ass to consumers. It remains to be seen if it will do anything for protecting privacy.

That barrier to entry is why the big guys (Google, FB, etc.) absolutely love this type of regulation. They have the economy of scale to write off the time necessary to comply, and it keeps new market entrants from popping up due to compliance costs that are prohibitive for start-ups.

Soupspoon
You have done something you shouldn't. Or are about to.
Posts: 3665
Joined: Thu Jan 28, 2016 7:00 pm UTC
Location: 53-1

Re: 1998: "GDPR"

Postby Soupspoon » Wed Jun 20, 2018 4:03 pm UTC

Whether or not entirely GDPR related, I've just learnt how pervasive Facebook is. Just helped sign up someone of my acquaintance (I'm computer savvy, she isn't, and until now neither of us had wanted a Facebook login but she now 'needs' one, according to people in a society she's a member, to see information organised on the FB group) and we registered her with a plausible-but-fake pseudopseudonymical name, as per advice.

The shock she got (and me too, though I should know better) when it suggested possible friends to add who mostly were actual people we knew. There was no previous link with the (fake) name. We used a mobile number to register, not an email address that might have been in other people's scraped address-books. The links must have been made through machine profiling (web-bug footprints, etc) unless that mobile number was more widely available(/scrapable) than we thought. And, yet it was people from a whole different side of her social life than the one in which she was actually registering for.

Locked the account down to the max (a load of "Only me" settings, where possible, and "Only friends" where that is the most private option and one "Only friends of friends" for that one option that this is the most restrictive setting - still without yet defining any Friends) and sent a request to join the group, which I may need to unlock something slightly back open again when the request is approved.

Frankly, though, it made her extremely nervous of what was known about her (and convinced me that I'm doomed to be known about, anyway, but not enough to push me into making it official myself), and I'm going to have a good poke around in the "tell me what you know about me" options next time I'm given time to look at it and understand it all.

Indeed!

Raidri
Posts: 47
Joined: Wed Dec 21, 2016 10:39 am UTC
Location: Germany

Re: 1998: "GDPR"

Postby Raidri » Thu Jun 21, 2018 10:01 am UTC

Soupspoon wrote:Whether or not entirely GDPR related, I've just learnt how pervasive Facebook is. Just helped sign up someone of my acquaintance (I'm computer savvy, she isn't, and until now neither of us had wanted a Facebook login but she now 'needs' one, according to people in a society she's a member, to see information organised on the FB group) and we registered her with a plausible-but-fake pseudopseudonymical name, as per advice.

The shock she got (and me too, though I should know better) when it suggested possible friends to add who mostly were actual people we knew. There was no previous link with the (fake) name. We used a mobile number to register, not an email address that might have been in other people's scraped address-books. The links must have been made through machine profiling (web-bug footprints, etc) unless that mobile number was more widely available(/scrapable) than we thought. And, yet it was people from a whole different side of her social life than the one in which she was actually registering for.

Locked the account down to the max (a load of "Only me" settings, where possible, and "Only friends" where that is the most private option and one "Only friends of friends" for that one option that this is the most restrictive setting - still without yet defining any Friends) and sent a request to join the group, which I may need to unlock something slightly back open again when the request is approved.

Frankly, though, it made her extremely nervous of what was known about her (and convinced me that I'm doomed to be known about, anyway, but not enough to push me into making it official myself), and I'm going to have a good poke around in the "tell me what you know about me" options next time I'm given time to look at it and understand it all.

Indeed!

Facebook naturally knows your acquaintance's mobile phone number from all her "friends" that are on Facebook and have her number in their phones' address books. I think a new one-use email-address would be the only "safe" (for some definitions of safe) option for an anonymous sign-up.

Soupspoon
You have done something you shouldn't. Or are about to.
Posts: 3665
Joined: Thu Jan 28, 2016 7:00 pm UTC
Location: 53-1

Re: 1998: "GDPR"

Postby Soupspoon » Thu Jun 21, 2018 10:50 am UTC

Soupspoon wrote:unless that mobile number was more widely available(/scrapable) than we thought.

Eebster the Great
Posts: 3106
Joined: Mon Nov 10, 2008 12:58 am UTC
Location: Cleveland, Ohio

Re: 1998: "GDPR"

Postby Eebster the Great » Thu Jun 21, 2018 12:35 pm UTC

As long as anyone has her number in their contacts list and also has their contacts linked to facebook, facebook can figure it out. Most likely, a lot of her friends did that.

