The GDPR: Ghastly, Dumb, Paralyzing Regulation It's Hard To Celebrate
from the if-you-like-privacy-and-the-Internet-demand-better dept
Happy GDPR day! At least if you can manage to be happy about a cumbersome, punitive, unprecedentedly extraterritorial legal regime that hijacks the resources of businesses everywhere without actually delivering privacy protection commensurate with the enormous toll attempts to comply with it extract. It's a regulatory response due significant criticism, including for how it poorly advances the important policy goals purportedly prompting it.
In terms of policy goals, there's no quarrel that user privacy is important. And it's not controversial to say that many providers of digital products and services to date may have been… let's just say, insufficiently attentive to how those products and services handled user privacy. Data-handling is an important design consideration that should always be given serious attention. To the extent the GDPR encourages this sort of "privacy by design," it is something to praise.
But that noble mission is overwhelmed by the rest of the regulatory structure not nearly so adeptly focused on achieving this end, which ultimately impugns the overall effort. Just because a regulatory response may be motivated by a worthwhile policy value, or even incorporate a few constructive requirements, it is not automatically a good regulatory response. Unless the goal is to ruin, rather than regulate, knotty policy problems need nuanced solutions, and when the costs of complying with a regulatory response drown out the intended benefit it can't be considered a good, or even effective, policy response. Here, even if all the GDPR requirements were constructive ones – and while some are, some are quite troubling – as a regulatory regime it's still exceptionally problematic, in particular given the enormous costs of compliance. Instead of encouraging entities to produce more privacy-protective products and services, it has diverted their resources, forcing them to spend significant sums of money seeking advice or make their own guesses on how to act based on assumptions that may not be correct. These guesses themselves can be costly if they result in resources being spent needlessly, or in enormous sums being put in jeopardy if the guesses turn out to be wrong.
The rational panic we see in the flurry of emails we've all been getting, with subject lines of varying degrees of grief, and often with plaintive appeals to re-join previously vibrant subscriber communities now being split apart by regulatory pressure, reveals fundamental defects in the regulation's implementation. As does the blocking of EU users by terrified entities afraid that doing so is the only way to cope with the GDPR's troubling scope.
The GDPR's list of infirmities is long, ranging from its complexity and corresponding ambiguity, to some notably expensive requirements, to the lack of harmonization among crucial aspects of member states' local implementations, to the failure of many of these member states to produce these local regulations at any point usefully in advance of today, and to the GDPR's untested global reach. And they fairly raise the concern that the GDPR is poorly tailored to its overall policy purpose. A sound regulatory structure, especially one trying to advance something as important as user privacy, should not be this hard to comport with, and the consequences for not doing so should not be so dire for the Internet remaining the vibrant tool for community and communication that many people – in Europe and elsewhere – wish it to remain.
Filed Under: eu, gdpr, innovation, regulations
Reader Comments
To begin with, requisite
And...it seems he got it all right.
[ link to this | view in thread ]
Privacy first, income second
I have gotten a bunch of those emails about changes in different organizations' privacy policy. The problem, as I see it, is that they basically all want to tell us about what they collect and how they use it. The problem with that is that they collect it and use it.
I understand that there are many free functions available on the Internet, and that those functions are funded by making use of information collected. That information goes to advertisers, companies that want to advertise, and other groups with possibly more nefarious motives.
I don't have an answer, but I bet someone will...eventually. Private information should remain private. Just because you connect to some website, they should not be able, or willing, to vacuum up every tidbit they can. I understand that this was the most available and lucrative source for income, to date, but there has to be a better way, or better ways. If we take away the ability to collect personal data, and here I am not talking about just the internet, but also those loyalty cards at the grocery stores, and your credit card data, and your phone data, etc., then the economy will change... a lot. But, I bet that 'they' will find a way to fund their operations.
Yes there will be fallout in the process of changing over to some new way to fund some sites, a.k.a creative destruction. But I bet, in the long run, there will be fewer scam sites and more quality in the things we see on the Internet as those organizations find ways to 'connect with fans and give them reasons to buy' or maybe, even maybe more importantly, they find advertisers who value the message or service and THEY support the sites, which would be sending the 'buy' part in another direction, a supporter rather than a user. I don't pretend to know the final answer. I do know that I don't appreciate all this collecting.
Do I use sites that, at least in theory (I do do things to block them), use my private information? Yes. Will I continue to? Yes. Do I want them to change? Also YES.
[ link to this | view in thread ]
Any regulation is bad
/s
[ link to this | view in thread ]
Ummm... No....
Unfortunately, articles like this are part of the reason that companies are in a needless panic.
The GDPR provides guidance in a number of areas that limit the obligations that entities will have to abide by. Every entity isn't subjected to every requirement.
Let's focus on the 'notably expensive' requirement that you refer to for a moment - the appointment of a Data Protection Officer. This is required under 3 specific circumstances which the vast majority of companies would not fall into.
Even if they did, think about the position that you are taking. You are advocating that if you do process personal data that it's NOT reasonable to have someone on staff to advise you as to how to do that properly? Does that mean that you don't feel any company should have specialists in various fields to guide them on important strategic decisions? No specialists in HR, Health and Safety, CISOs, CFOs or even Legal Counsels needed? Your logic comes down to "It's unreasonable to expect companies to understand the laws that apply to them". Really?
Note that GDPR specifically allows this function to be outsourced in much the same way that companies hire outside legal counsel or auditors to guide them through various certifications, audits, or important business decisions. If a company isn't willing to engage the resources necessary to understand how to do a task properly, should they be doing it in the first place?
This article also seems to forget that the previous Data Protection Directive was entirely left up to 28 member states to implement in their own laws which led to a significant number of inconsistencies. While there are still a number of items left to the member states, much of the GDPR is applicable as is and not up to the member states. (That's the difference between a Directive and a Regulation in the EU...)
I will agree with you that there is a lot of misunderstanding and 'terror' out there. The blocking of access to websites from EU addresses is very sad, especially because the vast majority of companies doing this would likely not be covered under the GDPR anyway. I will also agree that there are some companies that appear to have received spectacularly bad advice from many "Certified GDPR specialists" or consultants with similarly serious sounding but meaningless credentials.
If we want to talk about high cost of regulatory initiatives, have we forgotten the field day that many of the big auditing companies had when SOX came into effect? How about the cost of complying to PCI DSS? Or the costs of navigating all the different state and federal level and sector specific breach notification and privacy laws in the US?
The GDPR - and frankly any law that manages to pass in any parliament or congress - has warts. There are some elements that are problematic, but there is much good in there as well.
I would suggest that companies should actually take a different approach. Read the document carefully. Walk away. Come back and read it again. Read all the recitals at the beginning of the GDPR and understand what the drafters were trying to accomplish. If you do this and analyse the regulation carefully you will find that there are many exclusions and many points that will guide companies that wish to do business with the EU on how to do it safely.
Most North American companies that take this approach would likely find that the GDPR doesn't apply to them anyways.
The drafters of GDPR gave a 2 year window for companies to prepare. Yes, they probably should have insisted that the member states pass any required laws a year or more ago. That would have been helpful. But I'm not sure most companies would have prepared much before the last minute even if they did.
I'd also point out that most of the panic over direct marketing and cookies is actually a case of companies not following the previously established e-Privacy Directive rules. If companies did follow those rules, then they would have almost nothing to do when GDPR came in.
(Let's not forget a fairly sizable number of companies blasting out "Please confirm your subscription" type emails to people who had never subscribed.... Received a few of those over the past few weeks.)
I have just finished guiding my company through preparing for the GDPR, and there is a fair number of process improvements and insight that we gained from it. And just to be clear, we are an international company not based in the EU, so yes, it takes a bit of getting used to.
One of the more onerous tasks was building a data map of where we processed data, and what data was where. That took some time. But that's also required in almost all Information Security management standards. Understanding what is impacted in a data breach is one of the hardest things to do when responding to a breach, but if you already have your data and systems mapped out, then it is significantly easier. So there is a lot of business sense to doing that - regardless of if you are covered by GDPR or not.
As for the impact of multiple possible national regulations... There are ways to minimize that as well.
Also look at the guidance by the "Article 29 Working Party" at http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358. The WP is comprised of the heads of the Data Protection Authorities in each member state and they have published a number of guidance documents on areas that they will take common approaches on. (Technically as of today that is replaced by the Data Protection Board, but the content is still up and valid.)
So yes, there are warts, but there is also a lot of good.
P.S. from a complexity standpoint, the GDPR is waaaaayyyyyy shorter than the last US Federal Budget....
[ link to this | view in thread ]
Re: Ummm... No....
Most of the things in the GDPR were already law beforehand; but there was no fine attached for violating them. So the main thing that has changed -- and the reason companies now scramble -- is that they were already violating privacy laws, but now they're afraid of getting fined because of it.
One of the better parts of the GDPR is that now opt-in instead of opt-out is needed; which actually has been demanded by the internet-community since the '90s (spam, newsletters and so on).
But the best-thing: The opt-in to have your data used for non-essential uses may not be coupled to the access to the service itself. That means, you can't make me opt-in to allow you to sell my data by otherwise disallowing me access.
[ link to this | view in thread ]
Re: Ummm... No....
Seriously when your response is longer than the article, hire an editor.
[ link to this | view in thread ]
Annoyance to the large incumbents, death to small enterprises
Evidently the "private information" that must be rigorously protected includes the state of games being transmitted back and forth between players in an internet analogue of play-by-mail. Somehow the same company's e-commerce side that sells play-against-AI hexgrid games and deals with things like credit card numbers, actual names and addresses and actual money has managed to comply, but the "private data" of where my virtual Marshal Ney, Marshal Grouchy and Napoleon, along with the various divisional-sized groupings of the Grande Armee are located on a hexgrid a map of the Belgian countryside couldn't be brought up to snuff for the EU's regulators.
And yes, those of us who played games there would have all opted-in to have that data shared with the company and the other players -- heck I wouldn't care if it were published for the whole world to see.
[ link to this | view in thread ]
It's not defects in the regulation.
Surveillance capitalism is incompatible with human rights and democracy.
It's the internet business model that's defective.
The goal is to ruin that.
It will cause some pain, including to some people that don't deserve it, but if we can't have an internet without deceptive, exploitative theft and abuse of personal data then we don't deserve one.
[ link to this | view in thread ]
Re: Annoyance to the large incumbents, death to small enterprises
The wonderful Scotland-based hexgrid wargaming site hexwar.net has been killed by the GDPR.
I very much doubt it. This sounds more like their fear and their misreading of the GDPR killed it.
[ link to this | view in thread ]
Re: Any regulation is bad
Apparently there are GOOD government-regulations (laws) and BAD government-regulations. But even regulatory-enthusiasts (the majority of people here) have much difficulty discerning the good from the bad ... in the messy details.
Of course, one could apply one's abstract ideological/political core principles to this problem -- but most people don't have any ... instead relying upon gut feel, on a case by case basis.
The EU GDPR is quite sensible overall if you embrace the general principle that government experts SHOULD widely intervene in private business, commerce, and private voluntary exchanges among peaceful people; those government experts may make some mistakes along the way, but they are the most competent people available to direct economic activity. This is core principle of most Europeans, the many liberal-progressives here in US... and even most American conservatives.
There are other viewpoints, but those other principles should not be discussed in polite company.
[ link to this | view in thread ]
Surveillance capitalism
'Surveillance Democratic Government' is unheard of...
[ link to this | view in thread ]
Re: Re: Ummm... No....
[ link to this | view in thread ]
Historical Note
When an idiot like Zuckerberg says there is no reason for privacy one has to wonder if he really knows what the issue is. The problem is most people do not share all their personal details with everyone they come into contact with. This is normal as certain relationships require a very limited sharing of personal information. And when there are children involved most parents try to limit the who, what, where of their children's information, which almost always means limiting the parents' information. Those of us who have been around the block a couple of times have learned the painful lesson not to willy-nilly trust anyone with personal information as it will often come back to hurt you if you are not careful.
Thus, amoral idiots like Zuckerberg create a serious problem by hiding behind shysterly EULAs. This often triggers an overreaction from the politicians, hence GDPR or the equivalent.
It should be noted most of the wailing-and-gnashing-of-teeth is from companies who are not used to a very strict privacy regime. Those who are in industries like healthcare are already under stringent legal obligations very similar to GDPR when it comes to personal information and its use. Not to say it is not overkill for most situations.
The interesting part is the fine structure which is unusual. The fines are set up to give a balance sheet a real hurt. This will make the C-suites and other pointy-hairs take notice and actually do something. Also, it could expose them to investor wrath when maximum fines hit a couple of times. I think this is deliberate; make the fines steep enough that a couple of hits will anger the stockholders enough that they will intervene and replace the current mismanagement.
[ link to this | view in thread ]
Re: Annoyance to the large incumbents, death to small enterprises
[ link to this | view in thread ]
Tech companies now have several decades of history proving that they can't be trusted to voluntarily act ethically when it comes to the security and privacy of individuals' data. They brought this on themselves. They'll reap what they've sown.
[ link to this | view in thread ]
It convoluted..
Then comes Multi National Policing.. JUST cause 1 nation don't like it, they can force it in other nations.. That's like Russia and China creating Laws/rules in the USA and Canada.
Then there is RTBF..
AND humans UNDERSTANDING that we are all idiots.. If anyone was perfect, he would be a GOD.. I only ask our Gov. be as smart or Smarter than myself..
The only ones wishing to use this Clause would be the Crooks, trying to BURY A PAST..
Is there any part of this that says, we can TELL the ISP and OTHER SITES NOT TO SHARE OUR INFO??
Fb has demanded that Every person use Their REAL NAMES.. Which makes it EASY to raid FB for real names.. And I get Emails, because of this, from my DEAD FRIENDS AND FAMILY..
Does this matter to FAKE NEWS SITES?? in FB?? it don't look like it..
[ link to this | view in thread ]
Re: Re: Annoyance to the large incumbents, death to small enterprises
But if there's even a 0.1% chance of a 20M Euro fine (what can be assessed for mishandling user data), that means the expected cost of GDPR to that company is 20,000 Euros.
Therefore if they don't have 20,000 Euros sitting around then it's a perfectly sane, rational, and economic decision to shut down.
[ link to this | view in thread ]
No kidding
[ link to this | view in thread ]
Re: Ummm... No....
[ link to this | view in thread ]
Further Complaints Planned
“GDPR: noyb.eu filed four complaints over ‘forced consent’ against Google, Instagram, WhatsApp and Facebook”, 25 May 2018
(Via The Register.)
[ link to this | view in thread ]
Uncertainty
“European Union's new privacy law made some websites go dark today. Here's what else has changed”, by Rick Noack (WaPo), Los Angeles Times, May 25, 2018
(Emphasis.)
[ link to this | view in thread ]
Re: Re: Re: Annoyance to the large incumbents, death to small enterprises
Also, your idea of $20m*.1%=20k is a bit silly. For one thing, having 20k on hand wouldn't help if they *are* fined, and on the other hand, that 20k would probably be instantly reinvested. If there is a .1% chance of them being fined, they need to look at risk management and good-faith compliance to reduce that risk further, not arbitrarily decide that if they have 20k in the bank, they're good to roll. The entire argument is bizarre and misleading.
[ link to this | view in thread ]
Re: in-depth dissection
Concise is nice.
For commenters here: if you can't make your point in the first couple of sentences --- you're floundering and wasting others' time.
[ link to this | view in thread ]
Re: Ummm... No....
I usually post here under a name, but going AC for this one.
My wife and I run a company in the US. It employs 28 people, including us. Our customers are other businesses. It's not an internet company. We make physical things and sell them, and receive physical things and do stuff to them. For other companies.
But we do correspond with customers by email all the time. And we have a website. Which doesn't collect any personal info, and doesn't even use cookies.
You seem to think it's reasonable to ask me to
It's hard for me to express my dismay at your arrogance and naivety.
Do you have ANY idea how much legislation is produced in the US alone? Let alone EVERY COUNTRY IN THE GOD-DAMMED WORLD?
Just because a legislature in Brussels passes some law, you think it's reasonable that EVERY COMPANY ON THE ENTIRE PLANET, large or small, one person or 100 people, or 1000 people, is supposed to drop what they're doing and
Really?
For EVERY PIECE OF LEGAL SHIT that EVERY legislature in EVERY country ANYWHERE cares to pass?
Just to see if it MIGHT apply to us?
I can't think of a better example of why out-of-control overbroad, thoughtless legislation is hated by every entrepreneur I know.
Yes, some regulations are needed. Most have local scope, and make it clear from the outset who needs to pay attention to them - so that the rest of us can ignore them and go about our business.
But this kind of thing? Go fuck yourself.
[ link to this | view in thread ]
Re: Re: in-depth dissection
I've yet to see Cathy set one toe in her own comments section.
[ link to this | view in thread ]
Using a VPN for that purpose does not break US or EU laws
I think the VPN business is about to boom, and this may well be the time to start a VPN business, as European users will start using VPNs to get around blocking of IP addresses in the EU.
[ link to this | view in thread ]
Re: Re: Ummm... No....
But now it makes sense why you're so angry at the thought of reading a document.
[ link to this | view in thread ]
Unauthorized Access To US Computers [was Re: ]
18 USC § 1030
[ link to this | view in thread ]
Re: Uncertainty
In other news, regulations against dumping toxic waste in rivers made some companies close down.
Good riddance. I'm not currently in the EU, but I'm considering using an EU-based VPN, just to see which websites are basing their profit off of criminally mishandling user data.
[ link to this | view in thread ]
Re: Unauthorized Access To US Computers [was Re: ]
That said, I personally would love to see something like this show up on a non-EU website (or, equivalently for any country that likes to think their laws apply to the entire internet): "We aren't an EU company. We don't care about the EU's laws. If you're in the EU and you visit our site, do so knowing that your visit will be in compliance with our country's laws. If that happens to also be in compliance with your laws, great. If not, too bad. If you're not OK with that, go somewhere else."
[ link to this | view in thread ]
Cathy, I respectfully disagree.
The GDPR is not Ghastly, Dumb nor Paralyzing, and it is definitely being Celebrated in this household.
These Corporate entities have made Billions off of the privacy of individuals, individuals who have little to no power in the relationship. Individuals who are offered a take it or leave it "Free" Service, that they eventually pay for with lost privacy.
Like a great many people I have received a large number of emails explaining to me what data is collected (way too much) and how it is used. I am then requested to give them blanket access to exactly the same data, as they have already collected... data I don't want them collecting, and which I see no need for them to collect, over and above what is needed for me to be a registered user.
At no time am I given a choice, so far these sharks are attempting to maintain the Status Quo.
Hopefully these Corporate entities will eventually be called to account, because of the GDPR. I hope it costs them dearly.
[ link to this | view in thread ]
Re: Re: Unauthorized Access To US Computers [was Re: ]
“Net Results: Many US tech firms still dismissive of GDPR”, by Karlin Lillington, Irish Times, May 10, 2018
Many Americans have ancestors —parents, grandparents, great grandparents, even farther back— who fled Europe. And so today, it's awfully easy for an average European to quietly blend into the population here…
… As long as they don't make trouble.
[ link to this | view in thread ]
Re: Cathy, I respectfully disagree.
Just to address this point: it's the exact opposite. Script blockers and ad blockers make your internet connection faster.
How, you ask? They block tens (sometimes even hundreds!) of megabytes of auto-playing videos, animations, crypto-currency miners, and other bloat that exists solely to drain a few cents off of your visit, in exchange for hundreds of times as much in your bandwidth and electricity costs.
[ link to this | view in thread ]
You never gave a fuck about your fucking customers' data, always wanting to get that "extra income", even if that meant your users being inconvenienced by some fuck trying to sell them some shit at strange hours, getting spam mail or whatever other shit you can imagine.
And that's the least: as shit progresses, and as it's been shown in TD, that fucking "anonymous metadata" isn't so anonymous, so some fuck might end up collecting/having whole listings of people's browsing history.
Visited sites related to cancer? You might have one. I bet that insurance companies will love having that information. You visited sites regarding pregnancy for your family? Here you have, some nice baby clothes/chairs/food/diapers ads.
Point is, most of this shit hasn't even been informed, or if it has, it's been buried in a lot of legal mumbo-jumbo that no fucking lawyer would even get it right (not sure if the GDPR solves this, but if it doesn't, here is the next task).
You know why this whole shit happened and now you're crying around scared because you don't even bother to read the whole text?
a) Because you don't give a fuck about your customers. They are just wallets for you.
b) Because your customers are the product, even if they PAY for the products that you're supposedly selling.
c) Because your customers still are the product, EVEN AFTER IT HAS PASSED A LONG TIME SINCE THEY STOPPED USING IT.
d) Because people have started to get pissed off that their whole life is in the hands of some crooks that only give a fuck about themselves, and will sell it whether they like it or not.
e) All of the above.
And no, the whole "if you don't like it, then don't use that service" is wrong here. That's like saying "if you don't like a non-neutral internet, then don't use it".
The internet brings a lot of advantages, and some of the services you offer too. But that should never come at the cost of fundamental rights (privacy is one).
It's like with ads. People don't care much about a banner or some shit. But when ads start loading videos that slow down your browsing (and eat bandwidth) or there is the risk of getting something nice from them (like a virus), things change a lot. And that's when ad-block comes into play.
GDPR is one of the Ad-blocks. It isn't perfect, but at least it's a clear message telling you that you're a fucking virus for our privacy.
And to fuck you.
Shit, it was about damn time.
PS: oh, btw. To those Americans complaining about your companies having to abide by EU laws...
How does it feel getting done to you what you have been fucking doing for a long time to other countries?
Fuck you. And fuck 'murica.
[ link to this | view in thread ]
'Violating a ToS WAS a terrible act, now it's fine.'
For most of these companies, none of these things will relieve them of compliance obligations, and they are setting themselves up for possible fines.
If 'we refuse to offer service in the EU' and/or 'anyone from the EU is blocked from using our service' is not enough to keep them from being liable then yeah, the law is nuts. That would be a company deliberately making it clear that people from a given area are not welcome, and are in fact prohibited from using the services according to the TOS, and the company still being held accountable for it when they do it anyway.
Barring any user connecting via VPN or Tor would be just the starting response if a court in the EU ran with that interpretation I suspect, and it would probably ramp up from there.
[ link to this | view in thread ]
Re: Re: Annoyance to the large incumbents, death to small enterprises
They gathered in only as much data as was necessary for the customer to purchase goods, and receive emails (that they could opt out of). Consequently I don't see much, if any, problems for them.
The big corporates, like Google, Amazon, eBay, Facebook, PayPal, Microsoft, Apple etc, I hope they choke on the GDPR.
[ link to this | view in thread ]
Re: Re: Uncertainty
[ link to this | view in thread ]
Re: Re: Any regulation is bad
- Don't Be A Dick -
How's that for an abstract ideological/political core principle?
[ link to this | view in thread ]
Re: Re: Re: Ummm... No....
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Annoyance to the large incumbents, death to small enterprises
[ link to this | view in thread ]
Re: 'Violating a ToS WAS a terrible act, now it's fine.'
A decade ago, during the Lori Drew kerfuffle, over at the old Volokh Conspiracy, the well-known Professor Orin Kerr posted—
Is the law nuts? If there's a rational basis for a US website's TOS to exclude all EU visitors, combined with technical controls blocking their visits…
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: 'Violating a ToS WAS a terrible act, now it's fine.'
In terms of brick-and-mortar businesses, we generally don't have countries claiming that their laws apply to a store in another jurisdiction just because their citizens visit it. I don't see why that should be any different for virtual locations. A website should be considered by default to operate in either the location of the company that runs the site, or in the location of the server on which the site is hosted.
But, even if a non-EU company chooses not to comply with the GDPR and is fined, how exactly is said fine going to be recovered if the company has no EU presence?
[ link to this | view in thread ]
Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
[ link to this | view in thread ]
Re: Re: Re:
Go burn a flag.
[ link to this | view in thread ]
Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
We *can't* treat websites like brick and mortar stores, because they *aren't* brick and mortar stores. We have to adapt laws to fit the technological reality.
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
The LA Times and the Chicago Tribune, among others, operate their servers in a free-speech friendly country.
Or have you forgotten that part?
[ link to this | view in thread ]
Re: Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
That already happens with brick-and-mortar businesses. How many US companies are "a Delaware corporation" even though they have no real Delaware presence? How many companies outsource their production to other countries with cheaper labor?
Your point is valid, and I'm sure there would be countries that set themselves up in that way. But then, any company that set up servers there would be basically advertising their shady nature.
I still think it's more logical than a website trying to comply with laws from every country on the planet.
[ link to this | view in thread ]
Re: Re: Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
[ link to this | view in thread ]
Re: Re: Re: Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
You forgot?
[ link to this | view in thread ]
Re: Re: Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
And then where are you at? Everyone appears shady, everyone can harvest your personal data indiscriminately without notifying you... and we're right back to where we are now. It's not like we don't KNOW they're shady, it's that data harvesting is UBIQUITOUS and UNAVOIDABLE. Your proffered solution here is to do nothing, wrapped up in fancy language; you would at most briefly, mildly inconvenience some companies as they reshuffle their assets to sidestep laws as efficiently as possible.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
That said, the argument proffered here to treat them like brick and mortar stores is still faulty, and overall, I still think the GDPR is a step in the right direction, although I will admit that's a pretty ghastly wart on it.
[ link to this | view in thread ]
Re: Unauthorized Access To US Computers [was Re: ]
[ link to this | view in thread ]
Re: Unauthorized Access To US Computers [was Re: ]
Some state laws are more broad, but I doubt if the state of Indiana is going to go after someone in Europe for breaking state laws.
[ link to this | view in thread ]
Re: Unauthorized Access To US Computers [was Re: ]
[ link to this | view in thread ]
Re: Re: Unauthorized Access To US Computers [was Re: ]
Professor Kerr's views have evolved since 2003-4, when he published “Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes”.
But maybe try asking him how various authorities have actually interpreted the law over the past couple decades. Not how he personally thinks ‘authorized access’ should be read these days, but how, for instance, Judge Charles Breyer has read the text of the statute lately.
[ link to this | view in thread ]
Re: Re: Unauthorized Access To US Computers [was Re: ]
18 USC § 1030
[ link to this | view in thread ]
Re: Unauthorized Access To US Computers [was Re: ]
Eurovision was not protected by any password, so their Olympic coverage did not fall under the definition of accessing a "protected"
The same thing applies when I go on road trips to Mexico or Canada. I use my VPN on my home computer to be able to access the US Netflix library when I am in Canada or Mexico. Bouncing the traffic off my home computer to do this does break either the CFAA or any law in California (where the Netflix servers are).
The same thing when I am driving and want to listen to iHeart, Pandora, or Sirius. Connecting my phone to the VPN on my home computer to access these services, while in Mexico or Canada does not break any Canadian, Mexican, or U.S. laws.
To these services, it will look to them like I am connecting from my home, and that does break any Canadian, American, or Mexican laws
[ link to this | view in thread ]
Re: Re: Re: Unauthorized Access To US Computers [was Re: ]
I am a U.S./Australia dual national. I could start a VPN service with the servers all in Australia and I would only have to comply with Australian laws.
U.S. laws do not apply to VPN servers and companies with no U.S. presence.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
[ link to this | view in thread ]
Re: Re: Unauthorized Access To US Computers [was Re: ]
Never mind whether NBC agrees with your stated position. Does the assistant US attorney (AUSA) agree with you?
Actually, maybe better mind whether NBC agrees with you. Their views have a bit of influence.
[ link to this | view in thread ]
Re: Re: Re: Unauthorized Access To US Computers [was Re: ]
Some state laws are broader than California or the CFAA. When I go to my favorite campground in Nevada to see the stars, I have to drive 65 miles to Eureka to find the nearest wifi, which is at the Sundowner Motel. With my 10 watt wifi adapter I can park at the Chevron station down the road, and access their Wi-Fi, which is not password protected.
While that does not violate the CFAA, I am not sure about Nevada law, so I connect to an offshore VPN, so they cannot identify me by seeing where I go. The only thing the router logs at the Sundowner will show is that I made a connection to a VPN in Cuernavaca, Mexico.
I also use anti camera license plate covers that hide my number from any surveillance cameras. These prevent the plate from being seen at an angle, but the human eye can see it from straight in.
I also use those when driving into Canada or Mexico so the cameras that record plate numbers of those departing the USA do not record. I don't think that is any of the government's business, as long as I am not committing any crime, and if CBP does not like that, they can KISS MY ASS.
[ link to this | view in thread ]
Re: Re: Re: Unauthorized Access To US Computers [was Re: ]
[ link to this | view in thread ]
Re: Re: Re: Unauthorized Access To US Computers [was Re: ]
[ link to this | view in thread ]
If the la Times, they could break in that EU and ERASE it, then that would be the end
Some people there certainly own a boat. They could take the computer used to erase that fine and send it to the bottom of the ocean where the evidence would be gone for good, and investigators would never be the wiser. Taking the computer used to do it and throwing it in the ocean would, at worst, only bring a charge of violating pollution laws, and that is only if they are caught. And if you go out far enough, you won't
[ link to this | view in thread ]
A number of lawyers who get positive press on this site have an attitude towards 230 which is cavalier, a symptom of the larger weaponization of an immunity that was designed as a shield not a sword.
You reap what you sow. Anyone who is okay with a few people's lives being ruined for the "greater good" of the internet can have it happen to them if they think it's so innocuous.
[ link to this | view in thread ]
Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
A VPN in Britain is ONLY subject to BRITISH laws.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Bundling
I think the matter here is that some bad ones got bundled with the good ones.
Bundling, commonly, is a means to force bad stuff with good stuff.
So we're not talking about the GDPR and if it is good or bad. Now the conversation is to talk about what in the GDPR is good or is bad.
And purge the good (id est those regulations that serve the public, with the bad, id est, those regulations that serve corporate interests.)
[ link to this | view in thread ]
Re: Re: Re: Unauthorized Access To US Computers [was Re: ]
I read the logging policies on VPNs and I use only those that keep no logs.
And if the CFAA did outlaw bypassing geo blocking, there would be so many criminals in this country we would not have enough jails to hold them all. There are likely more people than you think that do this.
And I know it is not a CFAA violation, because of one troublesome user I had on my website that kept getting back in when I would ban him. And I was told there was no law, including the CFAA, that I could use to take legal action.
I was told the only thing I could do was to just block whatever new IP addresses he found to get back on. I was told there was no criminal or civil action I could take against him.
[ link to this | view in thread ]
Re: Re: Cathy, I respectfully disagree.
And bypassing technological measures to block those who use ad blockers does violate either the CFAA or DMCA.
On some sites it is as easy as blocking all jQuery scripts at the firewall level, preventing the scripts that check for ad blockers use from loading or running.
Bypassing ad block detection by doing this does break either the CFAA or DMCA. Some other sites have said it does, but it does not, at least for personal use.
While it is probably illegal for filtering software providers to include it in their filter lists, because they are doing it for commercial gain, bypassing DRM for personal non-commercial use is not a felony under the Roca.
And bypassing measures to block measures to detect and block those who use ad blockers do not violate the CFAA because you are not using any illegally obtained password.
[ link to this | view in thread ]
Re: Re: Re: Unauthorized Access To US Computers [was Re: ]
The operators of that VPN were only required to comply with German law. U.S. law did not apply to them, even if U.S. customers were using their service.
And the server that Eurovision used for their Olympic was in Paris. U.S. laws do not apply to a server in Paris.
[ link to this | view in thread ]
Re: Re: Re: Re: Unauthorized Access To US Computers [was Re: ]
Via Orin Kerr's more recent article, which I mentioned in passing earlier—
Craigslist v 3Taps (N.D.Cal. 2013)
Incidentally, Wikipedia's article on the case mentions criticism by Eric Goldman, phrased in terms of “wish lists”.
[ link to this | view in thread ]
Re: Re: Re: Unauthorized Access To US Computers [was Re: ]
It is not a CFAA violation to log in to my own network, even if it is to bypass geo blocking.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Unauthorized Access To US Computers [was Re: ]
The only thing I could do was keep smack a mole with him. I was told at the time that there was no criminal statute I could have him prosecuted under.
He did not attempt to break in to any password protected resources on my network, so the CFAA did not apply to him; that is what I was told 10 years ago.
[ link to this | view in thread ]
Re: Re: Re: Any regulation is bad
[ link to this | view in thread ]
Re: Surveillance capitalism
[ link to this | view in thread ]
Re: Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Unauthorized Access To US Computers [was Re: ]
Who told you this? Ten years ago, the US Attorney for the Central District of California's position was that someone could be prosecuted under the CFAA for accessing a website with the middle name ‘Ralph’.
No matter. Whether access is conditioned on a password is at best a heuristic. The base principles of trespass haven't changed all that much in maybe well over a century. At bottom level, they're pretty simple.
Ownership is a bundle of sticks. Perhaps the central stick in the bundle is the right to exclude. Where an owner has a right to exclude, and where the owner excludes a person — if that person has notice — then stay out!
[ link to this | view in thread ]
That's not how this works
My brother has just had his pension company ask him to confirm they are allowed to use his data for all sorts of reasons not directly related to his pension, or he is "at liberty to move his pension". He is pretty certain that is not how it is supposed to work so he is tempted to say no just to see how far they will push it.
[ link to this | view in thread ]
Re: Re: Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
So before this gets too far off track, let me get this straight. After you use a British VPN to read the NY Daily News, without authorization, then what?
You walk into some court somewhere and say, “Hi, my name is John Doe. I hacked the New York Daily News website using a British VPN. Now I have a complaint about those New York arseholes.(*)”
Is that how it works? Under "BRITISH laws"?
(*) I changed the speeling to humour youse.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
As GDPR is being copied into the UK's DPA (2018), the same rights will still be available for UK citizens after Brexit (if it happens).
If a company / website blocks UK users because of GDPR, I would fully expect them to block because of the DPA as well (It's the same rules, and if the UK is being blocked now, they don't even have to do any extra work).
As the UK will still be blocked, a UK based VPN won't allow access. (So the court case in your question wouldn't exist in the first place).
The parent to my initial post seemed to be of the impression that the GDPR won't apply in the UK post-Brexit, and is sadly mistaken.
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Unauthorized Access To US Computers [was Re: ]
A proxy, for example, in Italy, is only subject to Italian law. Some teenager in Italy running a server in his bedroom only has to comply with Italian laws. American law would not apply to his server under any circumstances.
Just like I, as a U.S./Australia dual national, could move to Australia and open up a VPN business and American laws, other than taxes, would not apply to me as long as I did any servers or offices in the United States. I would only have to comply with Australian laws.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Unauthorized Access To US Computers [was Re: ]
So doing this to access the US Netflix library when I am in Mexico or Canada does break American, Canadian, or Mexican laws. It merely appears to Netflix that I am watching from home. Netflix would never know that I was watching from a hotel room in, say, Mexico.
[ link to this | view in thread ]
Re: Re: Unauthorized Access To US Computers [was Re: ]
And if they use, say, a VPN server in Australia, American law enforcement has no jurisdiction over a server in Australia.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
[ link to this | view in thread ]
Re: Re: Re: Unauthorized Access To US Computers [was Re: ]
A server in France is only subject to French law.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
Depends on who you ask, there are certainly groups that would like you to think that it is.
[ link to this | view in thread ]
Re: Re:
30 years ago, in college, I helped a girlfriend flee an unjust prosecution for recording a professor's lecture without his permission.
She was from Mexico, so I drove her to Mexico because I was going there for spring break. I merely got out and covered up my license plates before crossing the border and I adjusted the sun visors so any cameras on the US side would record our faces when we went across, so there would be no evidence that could be used for aiding and abetting. I also paid for gas, meals, and lodging, while driving her down there, with cash, so there would be money trail. I also used a different border crossing coming back, to avoid suspicion.
Paying for everything with cash on the way down would have made it impossible for any investigator to have ever found out I helped her flee the country
I loved her and would have done anything for her.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: 'Violating a ToS WAS a terrible act, now it's fine.'
If you're from the EU bloc, then you know that you're not authorized to access the computers hosting the New York Daily News website. Those computers are private property, and the owners have good reason to refuse you any authorization. Yet despite knowing that you were prohibited, you intentionally took action to wrongfully gain access to those computers.
Why? What's the matter with you?
You did that in order to obtain some kind of standing to bring a complaint against them — to shake them down for money in court?
[ link to this | view in thread ]
Re: Re: Unauthorized Access To US Computers [was Re: ]
[ link to this | view in thread ]
Re: Re: Re: Re: Any regulation is bad
[ link to this | view in thread ]
Re: Privacy first, income second
There are already lawsuits in progress. Some started day 1 of GDPR.
[ link to this | view in thread ]
Opt-out in EU only, I assume.
If websites are resisting providing an opt-out switch in the European Union, it doesn't speak well for the chances those of us outside the European Union are going to get the no button.
[ link to this | view in thread ]
Lawsuits In Progress [was Re: Re: Privacy first, income second]
“GDPR attacks: First Google, Facebook, now activists go after Apple, Amazon, LinkedIn”, by David Meyer, ZDNet, May 29, 2018
[ link to this | view in thread ]
Re: Re: Re: Unauthorized Access To US Computers [was Re: ]
[ link to this | view in thread ]