The GDPR: Ghastly, Dumb, Paralyzing Regulation It's Hard To Celebrate

from the if-you-like-privacy-and-the-Internet-demand-better dept

Happy GDPR day! At least if you can manage to be happy about a cumbersome, punitive, unprecedentedly extraterritorial legal regime that hijacks the resources of businesses everywhere without actually delivering privacy protection commensurate with the enormous toll attempts to comply with it extract. It’s a regulatory response due significant criticism, including for how it poorly advances the important policy goals purportedly prompting it.

In terms of policy goals, there’s no quarrel that user privacy is important. And it’s not controversial to say that many providers of digital products and services to date may have been, let’s just say, insufficiently attentive to how those products and services handled user privacy. Data-handling is an important design consideration that should always be given serious attention. To the extent the GDPR encourages this sort of “privacy by design,” it is something to praise.

But that noble mission is overwhelmed by the rest of the regulatory structure, which is not nearly so adeptly focused on achieving this end, and which ultimately impugns the overall effort. Just because a regulatory response may be motivated by a worthwhile policy value, or even incorporate a few constructive requirements, it is not automatically a good regulatory response. Unless the goal is to ruin, rather than regulate, knotty policy problems need nuanced solutions, and when the costs of complying with a regulatory response drown out the intended benefit it can’t be considered a good, or even effective, policy response. Here, even if all the GDPR requirements were constructive ones (and while some are, some are quite troubling), as a regulatory regime it’s still exceptionally problematic, in particular given the enormous costs of compliance. Instead of encouraging entities to produce more privacy-protective products and services, it has diverted their resources, forcing them to spend significant sums of money seeking advice or to make their own guesses on how to act based on assumptions that may not be correct. These guesses can themselves be costly, whether because resources are spent needlessly or because enormous sums are put in jeopardy if the guesses turn out to be wrong.

The rational panic we see in the flurry of emails we’ve all been getting, with subject lines of varying degrees of grief, and often with plaintive appeals to re-join previously vibrant subscriber communities now being split apart by regulatory pressure, reveals fundamental defects in the regulation’s implementation. As does the blocking of EU users by terrified entities afraid that doing so is the only way to cope with the GDPR’s troubling scope.

The GDPR’s list of infirmities is long, ranging from its complexity and corresponding ambiguity, to some notably expensive requirements, to the lack of harmonization among crucial aspects of member states’ local implementations, to the failure of many of these member states to produce these local regulations at any point usefully in advance of today, and to the GDPR’s untested global reach. And they fairly raise the concern that the GDPR is poorly tailored to its overall policy purpose. A sound regulatory structure, especially one trying to advance something as important as user privacy, should not be this hard to comport with, and the consequences for not doing so should not be so dire for the Internet remaining the vibrant tool for community and communication that many people, in Europe and elsewhere, wish it to remain.


Comments on “The GDPR: Ghastly, Dumb, Paralyzing Regulation It's Hard To Celebrate”

107 Comments
Anonymous Anonymous Coward (profile) says:

Privacy first, income second

I have gotten a bunch of those emails about changes in different organizations’ privacy policies. The problem, as I see it, is that they basically all want to tell us about what they collect and how they use it. The problem with that is that they collect it and use it.

I understand that there are many free functions available on the Internet, and that those functions are funded by making use of information collected. That information goes to advertisers, companies that want to advertise, and other groups with possibly more nefarious motives.

I don’t have an answer, but I bet someone will…eventually. Private information should remain private. Just because you connect to some website, they should not be able, or willing, to vacuum up every tidbit they can. I understand that this was the most available and lucrative source for income, to date, but there has to be a better way, or better ways. If we take away the ability to collect personal data, and here I am not talking about just the internet, but also those loyalty cards at the grocery stores, and your credit card data, and your phone data, etc., then the economy will change… a lot. But, I bet that ‘they’ will find a way to fund their operations.

Yes, there will be fallout in the process of changing over to some new way to fund some sites, a.k.a. creative destruction. But I bet, in the long run, there will be fewer scam sites and more quality in the things we see on the Internet as those organizations find ways to ‘connect with fans and give them reasons to buy’ or maybe, even maybe more importantly, they find advertisers who value the message or service and THEY support the sites, which would be sending the ‘buy’ part in another direction, a supporter rather than a user. I don’t pretend to know the final answer. I do know that I don’t appreciate all this collecting.

Do I use sites that, at least in theory (I do do things to block them), use my private information? Yes. Will I continue to? Yes. Do I want them to change? Also YES.

Anonymous Coward says:

Re: Privacy first, income second

The problem with most of these updated privacy statements in service of the GDPR is that they miss the most important component of GDPR: That we be given an easy way to opt out of “how they use it”. They’re supposed to explicitly ask for our consent, not just tell us what they collect, how they use it and who they share it with. And then we should have an easy way to opt out of that collection, use and sharing. I’ve not seen one updated policy yet that provides that.

There are already lawsuits in progress. Some started day 1 of GDPR.

Anonymous Coward says:

Re: Re: Lawsuits In Progress [was Privacy first, income second]

There are already lawsuits in progress. Some started day 1 of GDPR.

“GDPR attacks: First Google, Facebook, now activists go after Apple, Amazon, LinkedIn”, by David Meyer, ZDNet, May 29, 2018

[C]ompanies have now been targeted by another broadside.

This time it’s French digital rights group La Quadrature du Net that’s on the rampage, and it hasn’t just gone after Google and Facebook. It’s pursuing Apple, Amazon, and LinkedIn as well.

On Monday, it filed seven complaints with French privacy regulator CNIL . . .

MojaveSouth says:

Re: Any regulation is bad

“Ghastly, Dumb, Paralyzing Regulation” — is there any other kind?

Apparently there are GOOD government-regulations (laws) and BAD government-regulations. But even regulatory-enthusiasts (the majority of people here) have much difficulty discerning the good from the bad … in the messy details.

Of course, one could apply one’s abstract ideological/political core principles to this problem — but most people don’t have any … instead relying upon gut feel, on a case by case basis.

The EU GDPR is quite sensible overall if you embrace the general principle that government experts SHOULD widely intervene in private business, commerce, and private voluntary exchanges among peaceful people; those government experts may make some mistakes along the way, but they are the most competent people available to direct economic activity. This is the core principle of most Europeans, the many liberal-progressives here in the US… and even most American conservatives.

There are other viewpoints, but those other principles should not be discussed in polite company.

Uriel-238 (profile) says:

Re: Re: Bundling

I think the matter here is that some bad ones got bundled with the good ones.

Bundling, commonly, is a means to force bad stuff with good stuff.

So we’re not talking about the GDPR and if it is good or bad. Now the conversation is to talk about what in the GDPR is good or is bad.

And purge the good (id est, those regulations that serve the public) with the bad (id est, those regulations that serve corporate interests).

Anonymous Coward says:

Ummm... No....

Ms. Gellis,

Unfortunately, articles like this are part of the reason that companies are in a needless panic.

The GDPR provides guidance in a number of areas that limit the obligations that entities will have to abide by. Every entity isn’t subjected to every requirement.

Let’s focus on the ‘notably expensive’ requirement that you refer to for a moment – the appointment of a Data Protection Officer. This is required under 3 specific circumstances which the vast majority of companies would not fall into.

Even if they did, think about the position that you are taking. You are advocating that if you do process personal data that it’s NOT reasonable to have someone on staff to advise you as to how to do that properly? Does that mean that you don’t feel any company should have specialists in various fields to guide them on important strategic decisions? No specialists in HR, Health and Safety, CISOs, CFOs or even Legal Counsels needed? Your logic comes down to “It’s unreasonable to expect companies to understand the laws that apply to them”. Really?

Note that GDPR specifically allows this function to be outsourced in much the same way that companies hire outside legal counsel or auditors to guide them through various certifications, audits, or important business decisions. If a company isn’t willing to engage the resources necessary to understand how to do a task properly, should they be doing it in the first place?

This article also seems to forget that the previous Data Protection Directive was entirely left up to 28 member states to implement in their own laws, which led to a significant number of inconsistencies. While there are still a number of items left to the member states, much of the GDPR is applicable as is and not up to the member states. (That’s the difference between a Directive and a Regulation in the EU…)

I will agree with you that there is a lot of misunderstanding and ‘terror’ out there. The blocking of access to websites from EU addresses is very sad, especially because the vast majority of companies doing this would likely not be covered under the GDPR anyway. I will also agree that there are some companies that appear to have received spectacularly bad advice from many “Certified GDPR specialists” or consultants with similarly serious-sounding but meaningless credentials.

If we want to talk about the high cost of regulatory initiatives, have we forgotten the field day that many of the big auditing companies had when SOX came into effect? How about the cost of complying with PCI DSS? Or the costs of navigating all the different state and federal level and sector-specific breach notification and privacy laws in the US?

The GDPR – and frankly any law that manages to pass in any parliament or congress – has warts. There are some elements that are problematic, but there is much good in there as well.

I would suggest that companies should actually take a different approach. Read the document carefully. Walk away. Come back and read it again. Read all the recitals at the beginning of the GDPR and understand what the drafters were trying to accomplish. If you do this and analyse the regulation carefully you will find that there are many exclusions and many points that will guide companies that wish to do business with the EU on how to do it safely.

Most North American companies that take this approach would likely find that the GDPR doesn’t apply to them anyways.

The drafters of GDPR gave a 2 year window for companies to prepare. Yes, they probably should have insisted that the member states pass any required laws a year or more ago. That would have been helpful. But I’m not sure most companies would have prepared much before the last minute even if they did.

I’d also point out that most of the panic over direct marketing and cookies is actually a case of companies not following the previously established e-Privacy Directive rules. If companies did follow those rules, then they would have almost nothing to do when GDPR came in.

(Let’s not forget a fairly sizable number of companies blasting out “Please confirm your subscription” type emails to people who had never subscribed…. Received a few of those over the past few weeks.)

I have just finished guiding my company through preparing for the GDPR, and there are a fair number of process improvements and insights that we gained from it. And just to be clear, we are an international company not based in the EU, so yes, it takes a bit of getting used to.

One of the more onerous tasks was building a data map of where we processed data, and what data was where. That took some time. But that’s also required in almost all Information Security management standards. Understanding what is impacted in a data breach is one of the hardest things to do when responding to a breach, but if you already have your data and systems mapped out, then it is significantly easier. So there is a lot of business sense to doing that – regardless of whether you are covered by GDPR or not.

As for the impact of multiple possible national regulations… There are ways to minimize that as well.

Also look at the guidance by the “Article 29 Working Party” at http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358. The WP is comprised of the heads of the Data Protection Authorities in each member state and they have published a number of guidance documents on areas that they will take common approaches on. (Technically as of today that is replaced by the Data Protection Board, but the content is still up and valid.)

So yes, there are warts, but there is also a lot of good.

P.S. from a complexity standpoint, the GDPR is waaaaayyyyyy shorter than the last US Federal Budget….

Seegras (profile) says:

Re: Ummm... No....

I have to second that.

Most of the things in the GDPR were already law beforehand; but there was no fine attached for violating them. So the main thing that has changed — and the reason companies now scramble — is that they were already violating privacy laws, but now they’re afraid of getting fined because of it.

One of the better parts of the GDPR is that now opt-in instead of opt-out is needed; which actually has been demanded by the internet community since the ’90s (spam, newsletters and so on).

But the best thing: The opt-in to have your data used for non-essential uses may not be coupled to the access to the service itself. That means you can’t make me opt in to allow you to sell my data by otherwise disallowing me access.

The_Jerk says:

Re: Re: Re:2 in-depth dissection

I rather find Ms. Gellis’ posts to be the time-wasters. Why read anything she writes if it’s always a case of “dump and run”? Even Tim Cushing, obnoxious as I find him to be at times, is available to question in the comments once in a while.

I’ve yet to see Cathy set one toe in her own comments section.

Anonymous Coward says:

Re: Ummm... No....

I usually post here under a name, but going AC for this one.

My wife and I run a company in the US. It employs 28 people, including us. Our customers are other businesses. It’s not an internet company. We make physical things and sell them, and receive physical things and do stuff to them. For other companies.

But we do correspond with customers by email all the time. And we have a website. Which doesn’t collect any personal info, and doesn’t even use cookies.

You seem to think it’s reasonable to ask me to

Read the document carefully. Walk away. Come back and read it again. Read all the recitals at the beginning of the GDPR and understand what the drafters were trying to accomplish.

It’s hard for me to express my dismay at your arrogance and naivety.

Do you have ANY idea how much legislation is produced in the US alone? Let alone EVERY COUNTRY IN THE GOD-DAMNED WORLD?

Just because a legislature in Brussels passes some law, you think it’s reasonable that EVERY COMPANY ON THE ENTIRE PLANET, large or small, one person or 100 people, or 1000 people, is supposed to drop what they’re doing and

Read the document carefully. Walk away. Come back and read it again. Read all the recitals at the beginning of the GDPR and understand what the drafters were trying to accomplish.

Really?

For EVERY PIECE OF LEGAL SHIT that EVERY legislature in EVERY country ANYWHERE cares to pass?

Just to see if it MIGHT apply to us?

I can’t think of a better example of why out-of-control overbroad, thoughtless legislation is hated by every entrepreneur I know.

Yes, some regulations are needed. Most have local scope, and make it clear from the outset who needs to pay attention to them – so that the rest of us can ignore them and go about our business.

But this kind of thing? Go fuck yourself.

DNY (profile) says:

Annoyance to the large incumbents, death to small enterprises

The wonderful Scotland-based hexgrid wargaming site hexwar.net has been killed by the GDPR.

Evidently the “private information” that must be rigorously protected includes the state of games being transmitted back and forth between players in an internet analogue of play-by-mail. Somehow the same company’s e-commerce side that sells play-against-AI hexgrid games and deals with things like credit card numbers, actual names and addresses and actual money has managed to comply, but the “private data” of where my virtual Marshal Ney, Marshal Grouchy and Napoleon, along with the various divisional-sized groupings of the Grande Armée, are located on a hexgrid map of the Belgian countryside couldn’t be brought up to snuff for the EU’s regulators.

And yes, those of us who played games there would have all opted-in to have that data shared with the company and the other players — heck I wouldn’t care if it were published for the whole world to see.

JD says:

Re: Re: Annoyance to the large incumbents, death to small enterprises

Well it’s a good thing there’s a long track record of legal precedent for this company to use as a basis for their decision making. But maybe they couldn’t find the outcome of previous GDPR legal actions. Have you thought about forwarding those rulings to this company?

But if there’s even a 0.1% chance of a 20M Euro fine (what can be assessed for mishandling user data), that means the expected cost of GDPR to that company is 20,000 Euros.

Therefore if they don’t have 20,000 Euros sitting around then it’s a perfectly sane, rational, and economic decision to shut down.

Will B. says:

Re: Re: Re: Annoyance to the large incumbents, death to small enterprises

How do you know there’s any chance of them being fined for transmitting game data? You can’t use lack of precedent as an argument in one part of your post, and then ignore lack of precedent in the other.

Also, your idea of $20m × 0.1% = 20k is a bit silly. For one thing, having 20k on hand wouldn’t help if they *are* fined, and on the other hand, that 20k would probably be instantly reinvested. If there is a 0.1% chance of them being fined, they need to look at risk management and good-faith compliance to reduce that risk further, not arbitrarily decide that if they have 20k in the bank, they’re good to roll. The entire argument is bizarre and misleading.

tracyanne (profile) says:

Re: Re: Annoyance to the large incumbents, death to small enterprises

None of the small e-commerce sites I worked on, as a software developer, ever required that people dealing with that site hand over the detailed data that the big players ask for, nor did they ‘surveil’ people with tracking cookies, tracking pixels, or any of those other things the big corporates do.

They gathered in only as much data as was necessary for the customer to purchase goods, and receive emails (that they could opt out of). Consequently I don’t see much, if any, problems for them.

The big corporates, like Google, Amazon, eBay, Facebook, PayPal, Microsoft, Apple etc, I hope they choke on the GDPR.

Anonymous Coward says:

It’s not defects in the regulation.

Surveillance capitalism is incompatible with human rights and democracy.

It’s the internet business model that’s defective.

The goal is to ruin that.

It will cause some pain, including to some people that don’t deserve it, but if we can’t have an internet without deceptive, exploitative theft and abuse of personal data then we don’t deserve one.

madasahatter (profile) says:

Historical Note

GDPR came about because of a few well-known sleazes (looking at you Zuckerberg) who believed any user data they can get and use is theirs for the taking. The problem was the usage. Many were not using it to possibly benefit the user but to benefit themselves first. There is a big difference between an email from a retailer you have bought from in the past and a targeted ad based on a user profile generated by combining personal data together.

When an idiot like Zuckerberg says there is no reason for privacy one has to wonder if he really knows what the issue is. The problem is most people do not share all their personal details with everyone they come into contact with. This is normal, as certain relationships require a very limited sharing of personal information. And when there are children involved most parents try to limit the who, what, where of their children’s information, which almost always limits the parents’ information. Those of us who have been around the block a couple of times have learned the painful lesson not to willy-nilly trust anyone with personal information, as it will often come back to hurt you if you are not careful.

Thus, amoral idiots like Zuckerberg create a serious problem by hiding behind shysterly EULAs. This often triggers an overreaction from the politicians, hence GDPR or the equivalent.

It should be noted most of the wailing-and-gnashing-of-teeth is from companies who are not used to a very strict privacy regime. Those who are in industries like healthcare are already under stringent legal obligations very similar to GDPR when it comes to personal information and its use. Not to say it is not overkill for most situations.

The interesting part is the fine structure, which is unusual. The fines are set up to give a balance sheet a real hurt. This will make the C-suites and other pointy-hairs take notice and actually do something. Also, it could expose them to investor wrath when maximum fines hit a couple of times. I think this is deliberate; make the fines steep enough that a couple of hits will anger the stockholders enough that they will intervene and replace the current mismanagement.

Anonymous Coward says:

With a little find/replace, this opinion piece could have come straight out of the PR playbook of mid 20th century car manufacturers fighting against seatbelt regulations.

Tech companies now have several decades of history proving that they can’t be trusted to voluntarily act ethically when it comes to the security and privacy of individuals’ data. They brought this on themselves. They’ll reap what they’ve sown.

ECA (profile) says:

It’s convoluted..

The internet would LIKE to have 1 set of rules, but this ISNT GOING TO HELP.. Each Country can state their own rules, WHICH is already happening.

Then comes Multi National Policing.. JUST cause 1 nation don’t like it, they can force it in other nations.. That’s like Russia and China creating Laws/rules in the USA and Canada.

Then there is RTBF..
AND humans UNDERSTANDING that we are all idiots.. If anyone was perfect, he would be a GOD.. I only ask our Gov. be as smart or Smarter then myself..
The only ones wishing to use this Clause would be the Crooks, trying to BURY A PAST..

Is there any part of this that says, we can TELL the ISP and OTHER SITES NOT TO SHARE OUR INFO??
Fb has demanded that Every person use Their REAL NAMES.. Which makes it EASY to raid FB for real names.. And I get Emails, because of this, from my DEAD FRIENDS AND FAMILY..
Does this matter to FAKE NEWS SITES?? in FB?? it don’t look like it..

Anonymous Coward says:

Further Complaints Planned

“GDPR: noyb.eu filed four complaints over ‘forced consent’ against Google, Instagram, WhatsApp and Facebook”, 25 May 2018

Next topics for noyb.eu: The complaints about “forced consent” are the first action of the newly founded organization noyb.eu. The Center for Digital Rights is already planning further complaints about the illegal use of user data for advertising purposes or “fictitious consent”.

(Via The Register.)

Anonymous Coward says:

Uncertainty

… the blocking of EU users by terrified entities…

“European Union’s new privacy law made some websites go dark today. Here’s what else has changed”, by Rick Noack (WaPo), Los Angeles Times, May 25, 2018

More widely accessed U.S. media outlets — including news outlets belonging to Tronc Inc., such as the Los Angeles Times and Chicago Tribune — similarly blocked some of their European users starting Friday. It is uncertain when or if those websites will become accessible again.

(Emphasis.)

Anonymous Coward says:

Re: Uncertainty

In other news, regulations against dumping toxic waste in rivers made some companies close down.

Good riddance. I’m not currently in the EU, but I’m considering using an EU-based VPN, just to see which websites are basing their profit off of criminally mishandling user data.

Anonymous Coward says:

With major US websites blocking European users, that can be circumvented using a non-EU VPN.

Using a VPN for that purpose does not break US or EU laws

I think the VPN business is about to boom, and this may well be the time to start a VPN business, as European users will start using VPNs to get around blocking of IP addresses in the EU

Anonymous Coward says:

Re: Unauthorized Access To US Computers [was ]

With major US websites blocking European users…

18 USC § 1030

(a) Whoever—

      (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

            (C) information from any protected computer;

shall be punished as provided in subsection (c) of this section.

Anonymous Coward says:

Re: Re: Unauthorized Access To US Computers [was ]

The US companies aren’t going to go after any EU visitors for CFAA violations. The block that they put up is a defense against potential fines from the EU. “Your honor, we put a block up because we knew our website wasn’t yet compliant with the GDPR. It’s not our fault if an EU citizen bypassed that block and gave us personal data.”

That said, I personally would love to see something like this show up on a non-EU website (or, equivalently for any country that likes to think their laws apply to the entire internet): “We aren’t an EU company. We don’t care about the EU’s laws. If you’re in the EU and you visit our site, do so knowing that your visit will be in compliance with our country’s laws. If that happens to also be in compliance with your laws, great. If not, too bad. If you’re not OK with that, go somewhere else.”

Anonymous Coward says:

Re: Re: Re: Unauthorized Access To US Computers [was ]

The US companies aren’t going to go after any EU visitors for CFAA violations. The block that they put up is a defense against potential fines from the EU.

“Net Results: Many US tech firms still dismissive of GDPR”, by Karlin Lillington, Irish Times, May 10, 2018

Last week, the chief risk officer of security company F-Secure, Mikko Hypponen, tweeted a list of companies that have decided they’ll avoid GDPR compliance by refusing to offer services anywhere in the EU, or blocking anyone in the EU from visiting their websites. . . .

The whole thread offers lots of GDPR-ignorance lols. For most of these companies, none of these things will relieve them of compliance obligations, and they are setting themselves up for possible fines. Not least because Europeans sometimes use VPNs – virtual private networks – or location-secure browsers like Tor, that hide location.

Many Americans have ancestors —parents, grandparents, great grandparents, even farther back— who fled Europe. And so today, it’s awfully easy for an average European to quietly blend into the population here…

… As long as they don’t make trouble.

That One Guy (profile) says:

Re: Re: Re:2 'Violating a ToS WAS a terrible act, now it's fine.'

For most of these companies, none of these things will relieve them of compliance obligations, and they are setting themselves up for possible fines.

If ‘we refuse to offer service in the EU’ and/or ‘anyone from the EU is blocked from using our service’ is not enough to keep them from being liable then yeah, the law is nuts. That would be a company deliberately making it clear that people from a given area are not welcome, and are in fact prohibited from using the services according to the TOS, and the company still being held accountable for it when they do it anyway.

Barring any user connecting via VPN or Tor would be just the starting response if a court in the EU ran with that interpretation I suspect, and it would probably ramp up from there.

Anonymous Coward says:

Re: Re: Re:3 'Violating a ToS WAS a terrible act, now it's fine.'

If ‘we refuse to offer service in the EU’ and/or ‘anyone from the EU is blocked from using our service’ is not enough to keep them from being liable then yeah, the law is nuts.

A decade ago, during the Lori Drew kerfuffle, over at the old Volokh Conspiracy, the well-known Professor Orin Kerr posted

New Terms of Use for the Volokh Conspiracy:   . . . . Any accessing the Volokh Conspiracy in a way that violates these terms is unauthorized, and according to the Justice Department is a federal crime that can lead to your arrest and imprisonment for up to one year for every visit to the blog.

By visiting this blog, you promise that:

             . . .

            3. Your middle name is not "Ralph." . . . No one with the middle name "Ralph" is welcome here.

Is the law nuts? If there’s a rational basis for a US website’s TOS to exclude all EU visitors, combined with technical controls blocking their visits…

Anonymous Coward says:

Re: Re: Re:4 'Violating a ToS WAS a terrible act, now it's fine.'

However, when Britain leaves the EU and British IP addresses can once again visit the sites, VPN servers in Britain could facilitate access to these sites, and owners of those servers will not be subject to U.S. laws

A VPN in Britain is ONLY subject to BRITISH laws.

Anonymous Coward says:

Re: Re: Re:6 'Violating a ToS WAS a terrible act, now it's fine.'

Indeed, "BRITISH laws" such as…

So before this gets too far off track, let me get this straight. After you use a British VPN to read the NY Daily News, without authorization, then what?

You walk into some court somewhere and say, “Hi, my name is John Doe. I hacked the New York Daily News website using a British VPN. Now I have a complaint about those New York arseholes.(*)”

Is that how it works? Under "BRITISH laws"?


(*) I changed the speeling to humour youse.

A nonny mouse says:

Re: Re: Re:7 'Violating a ToS WAS a terrible act, now it's fine.'

It won’t get that far. I probably could have shown my reasoning in the first post.

As GDPR is being copied into the UK’s DPA (2018), the same rights will still be available for UK citizens after Brexit (if it happens).

If a company / website blocks UK users because of GDPR, I would fully expect them to block because of the DPA as well (It’s the same rules, and if the UK is being blocked now, they don’t even have to do any extra work).
As the UK will still be blocked, a UK based VPN won’t allow access. (So the court case in your question wouldn’t exist in the first place).

The parent to my initial post seemed to be of the impression that the GDPR won’t apply in the UK post-brexit, and is sadly mistaken.

Anonymous Coward says:

Re: Re: Re:8 'Violating a ToS WAS a terrible act, now it's fine.'

Using a VPN to bypass geo blocking is not hacking

If you’re from the EU bloc, then you know that you’re not authorized to access the computers hosting the New York Daily News website. Those computers are private property, and the owners have good reason to refuse you any authorization. Yet despite knowing that you were prohibited, you intentionally took action to wrongfully gain access to those computers.

Why? What’s the matter with you?

You did that in order to obtain some kind of standing to bring a complaint against them — to shake them down for money in court?

Anonymous Coward says:

Re: Re: Re:3 'Violating a ToS WAS a terrible act, now it's fine.'

The problem, in my opinion, stems from a legal interpretation designed to give jurisdiction to courts that want greater reach than they should have: a website operates in a town/state/country (and is therefore bound by its laws) simply if someone living in that location accesses it.

In terms of brick-and-mortar businesses, we generally don’t have countries claiming that their laws apply to a store in another jurisdiction just because their citizens visit it. I don’t see why that should be any different for virtual locations. A website should be considered by default to operate in either the location of the company that runs the site, or in the location of the server on which the site is hosted.

But, even if a non-EU company chooses not to comply with the GDPR and is fined, how exactly is said fine going to be recovered if the company has no EU presence?

Will B. says:

Re: Re: Re:4 'Violating a ToS WAS a terrible act, now it's fine.'

Sounds like a great way to get every major website to relocate their business or servers to the most company-friendly country. You’d be creating the server equivalent of tax havens – privacy-violation havens.

We can’t treat websites like brick and mortar stores, because they aren’t brick and mortar stores. We have to adapt laws to fit the technological reality.

Will B. says:

Re: Re: Re:8 'Violating a ToS WAS a terrible act, now it's fine.'

Oh, that bit. Eugh… Yeah, I have no defense for that article – it’s extremely problematic.

That said, the argument proffered here to treat them like brick and mortar stores is still faulty, and overall, I still think the GDPR is a step in the right direction, although I will admit that’s a pretty ghastly wart on it.

Anonymous Coward says:

Re: Re: Re:5 'Violating a ToS WAS a terrible act, now it's fine.'

Sounds like a great way to get every major website to relocate their business or servers to the most company-friendly country. You’d be creating the server equivalent of tax havens – privacy-violation havens.

That already happens with brick-and-mortar businesses. How many US companies are "a Delaware corporation" even though they have no real Delaware presence? How many companies outsource their production to other countries with cheaper labor?

Your point is valid, and I’m sure there would be countries that set themselves up in that way. But then, any company that set up servers there would be basically advertising their shady nature.

I still think it’s more logical than a website trying to comply with laws from every country on the planet.

Will B. says:

Re: Re: Re:6 'Violating a ToS WAS a terrible act, now it's fine.'

…uh. The same thing COULD be said of companies using tax havens to avoid paying taxes… but it isn’t, because companies don’t care about looking shady, and tax havens are best practices. Nearly every major corp funnels money through tax havens now, and nearly every major corp would immediately move their servers because that would also be best practices, even if they weren’t being shady.

And then where are you at? Everyone appears shady, everyone can harvest your personal data indiscriminately without notifying you… and we’re right back to where we are now. It’s not like we don’t KNOW they’re shady, it’s that data harvesting is UBIQUITOUS and UNAVOIDABLE. Your proffered solution here is to do nothing, wrapped up in fancy language; you would at most briefly, mildly inconvenience some companies as they reshuffle their assets to sidestep laws as efficiently as possible.

Anonymous Coward says:

Re: Re: Re: Unauthorized Access To US Computers [was ]

That does not apply to using a VPN to bypass geo blocking.

Professor Kerr’s views have evolved since 2003-4, when he published “Cybercrime’s Scope: Interpreting ‘Access’ and ‘Authorization’ in Computer Misuse Statutes”.

But maybe try asking him how various authorities have actually interpreted the law over the past couple decades. Not how he personally thinks ‘authorized access’ should be read these days, but how, for instance, Judge Charles Breyer has read the text of the statute lately.

Anonymous Coward says:

Re: Re: Re:2 Unauthorized Access To US Computers [was ]

However, if the VPN server is not in the USA then it is not subject to American law

I am a U.S./Australia dual national. I could start a VPN service with the servers all in Australia and I would only have to comply with Australian laws.

U.S. laws do not apply to VPN servers and companies with no U.S. presence.

Anonymous Coward says:

Re: Re: Re:2 Unauthorized Access To US Computers [was ]

If it is not password protected, the law does not apply

Some state laws are broader than California or the CFAA. When I go to my favorite campground in Nevada to see the stars, I have to drive 65 miles to Eureka to find the nearest wifi, which is at the Sundowner motel. With my 10 watt wifi adapter I can park at the Chevron station down the road, and access their Wi-Fi which is not password protected

While that does not violate the CFAA, I am not sure about Nevada law, so I connect to an offshore VPN, so they cannot identify me by seeing where I go. The only thing the router logs at the Sundowner will show is that I made a connection to a VPN in Cuernavaca, Mexico.

I also use anti camera license plate covers that hide my number from any surveillance cameras. These prevent the plate from being seen at an angle, but the human eye can see it from straight in.

I also use those when driving into Canada or Mexico so the cameras that record plate numbers of those departing the USA do not record. I don’t think that is any of the government’s business, as long as I am not committing any crime, and CBP does not like that, they can KISS MY ASS.

Anonymous Coward (user link) says:

Re: Re: Unauthorized Access To US Computers [was ]

From the 2002 through 2012 Olympics when Eurovision had streaming rights to the Olympics and I used proxies and VPNs to bypass their geo blocking I was not breaking either the CFAA, the California computer crime laws, or any EU laws bypassing their geo blocking to get what was way better Olympic coverage than NBC had.

Eurovision was not protected by any password, so their Olympic coverage did not fall under the definition of accessing a “protected”

The same thing applies when I go on road trips to Mexico or Canada. I use my VPN on my home computer to be able to access the US Netflix library when I am in Canada or Mexico. Bouncing the traffic off my home computer to do this does break either the CFAA or any law in California (where the Netflix servers are)

The same thing when I am driving and want to listen to iHeart, Pandora, or Sirius. Connecting my phone to the VPN on my home computer to access these services, while in Mexico or Canada does not break any Canadian, Mexican, or U.S. laws.

To these services, it will look to them like I am connecting from my home, and that does break any Canadian, American, or Mexican laws

Anonymous Coward says:

Re: Re: Re: Unauthorized Access To US Computers [was ]

I was not breaking … the CFAA … bypassing their geo blocking to get what was way better Olympic coverage than NBC had.

Never mind whether NBC agrees with your stated position. Does the assistant US attorney (AUSA) agree with you?

Actually, maybe better mind whether NBC agrees with you. Their views have a bit of influence.

Anonymous Coward says:

Re: Re: Re:2 Unauthorized Access To US Computers [was ]

If the VPN you use keeps no logs, it does not matter.

I read the logging policies on VPNs and use only those that keep no logs.

And if the CFAA did outlaw bypassing geo blocking, there would be so many criminals in this country we would not have enough jails to hold them all. There are likely more people than you think that do this.

And I know it is not a CFAA violation, because of one troublesome user I had on my website that kept getting back in when I would ban him. And I was told there was no law, including the CFAA, that I could use to take legal action
I was told the only thing I could do was to just block whatever new IP addresses he found to get back on. I was told there was no criminal or civil action I could take against him.

Anonymous Coward says:

Re: Re: Re:3 Unauthorized Access To US Computers [was ]

And I was told there was no law, including the CFAA…

Via Orin Kerr’s more recent article, which I mentioned in passing earlier—

Craigslist v 3Taps (N.D.Cal. 2013)

The dispute here is limited to whether 3Taps accessed Craigslist’s computers "without authorization." 3Taps asks this Court to hold that an owner of a publicly accessible website has no power to revoke the authorization of a specific user to access that website. However compelling 3Taps’ policy arguments, this Court cannot graft an exception on to the statute with no basis in the law’s language or this circuit’s interpretive precedent.

Incidentally, Wikipedia’s article on the case mentions criticism by Eric Goldman, phrased in terms of “wish lists”.

Anonymous Coward says:

Re: Re: Re:4 Unauthorized Access To US Computers [was ]

This guy did access any password protected part of my site when he did this 10 years ago, so the CFAA did not apply to him.

The only thing I could do was keep playing whack-a-mole with him. I was told at the time that there was no criminal statute I could have him prosecuted under.

He did not attempt to break in to any password protected resources on my network, so the CFAA did not apply to him, that is what I was told 10 years ago

Anonymous Coward says:

Re: Re: Re:5 Unauthorized Access To US Computers [was ]

… is what I was told 10 years ago

Who told you this? Ten years ago, the US Attorney for the Central District of California’s position was that someone could be prosecuted under the CFAA for accessing a website with the middle name ‘Ralph’.

No matter. Whether access is conditioned on a password is at best a heuristic. The base principles of trespass haven’t changed all that much in maybe well over a century. At bottom level, they’re pretty simple.

Ownership is a bundle of sticks. Perhaps the central stick in the bundle is the right to exclude. Where an owner has a right to exclude, and where the owner excludes a person — if that person has notice — then stay out!

Anonymous Coward says:

Re: Re: Re:6 Unauthorized Access To US Computers [was ]

This guy also used proxies all over the world, which complicated matters even more

A proxy, for example, in Italy, is only subject to Italian law. Some teenager in Italy running a server in his bedroom only has to comply with Italian laws. American law would not apply to his server under any circumstances

Just like I, as a U.S./Australia dual national could move to Australia and open up a VPN business and American laws, other than taxes, would not apply to me as long as I did any servers or offices in the United States. I would only have to comply with Australian laws

Anonymous Coward says:

Re: Re: Re:6 Unauthorized Access To US Computers [was ]

Of course logging in to the VPN on my home network to bypass geo restrictions when I am outside the country, does not violate the CFAA, nor any laws in Canada or Mexico.

So doing this to access the US Netflix library when I am in Mexico or Canada does break American, Canadian, or Mexican laws. It merely appears to Netflix that I am watching from home. Netflix would never know that I was watching from a hotel room in, say, Mexico.

Anonymous Coward says:

Re: Re: Re:2 Unauthorized Access To US Computers [was ]

The VPN I used during that period was in Germany, so anything coming through that VPN was only subject to German law. Bypassing geo blocking did not break German law.

The operators of that VPN were only required to comply with German law. U.S. law did not apply to them, even if U.S. customers were using their service.

And the server that Eurovision used for their Olympic was in Paris. U.S. laws do not apply to a server in Paris.

Anonymous Coward says:

Re: Re: Re:2 Unauthorized Access To US Computers [was ]

When I go to Mexico or Canada and connect to the VPN on my home computer to access the U.S. Netflix library, I am not breaking Canadian, American, or Mexican laws.

It is not a CFAA violation to log in to my own network, even if it is to bypass geo blocking.

tracyanne (profile) says:

Cathy, I respectfully disagree.

Speaking as someone who has spent considerable time and effort (and lost contact with people over it) attempting to keep my privacy, either by lying on forms, using numerous script blockers, and cookie eaters, and ad blockers (all of which, no doubt, slow down my already slow and miserly Internet connection)

The GDPR is not Ghastly, Dumb nor Paralyzing, and it is definitely being Celebrated in this household.

These Corporate entities have made Billions off of the privacy of individuals, individuals who have little to no power in the relationship. Individuals who are offered a take it or leave it “Free” Service, that they eventually pay for with lost privacy.

Like a great many people I have received a large number of emails explaining to me what data is collected (way too much) and how it is used. I am then requested to give them blanket access to exactly the same data, as they have already collected… data I don’t want them collecting, and which I see no need for them to collect, over and above what is needed for me to be a registered user.

At no time am I given a choice, so far these sharks are attempting to maintain the Status Quo.

Hopefully these Corporate entities will eventually be called to account, because of the GDPR. I hope it costs them dearly.

ryuugami says:

Re: Cathy, I respectfully disagree.

using numerous script blockers, and cookie eaters, and ad blockers (all of which, no doubt, slow down my already slow and miserly Internet connection)

Just to address this point: it’s the exact opposite. Script blockers and ad blockers make your internet connection faster.

How, you ask? They block tens (sometimes even hundreds!) of megabytes of auto-playing videos, animations, crypto-currency miners, and other bloat that exists solely to drain a few cents off of your visit, in exchange for hundreds of times as much in your bandwidth and electricity costs.

Anonymous Coward says:

Re: Re: Cathy, I respectfully disagree.

Also blocking ads keeps malware out.

And bypassing technological measures to block those who use ad blockers does violate either the CFAA or DMCA.

On some sites it is as easy as blocking all jQuery scripts at the firewall level, preventing the scripts that check for ad blockers use from loading or running.

Bypassing ad block detection by doing this does break either the CFAA or DMCA. Some other sites have said it does, but it does not, at least for personal use

While it is probably illegal for filtering software providers to include it in their filter lists, because they are doing it for commercial gain, bypassing drm for personal non commercial use is not a felony under the Roca

And bypassing measures to block measures to detect and block those who use ad blockers do not violate the CFAA because you are not using any illegally obtained password.

Anonymous Coward says:

To the companies that are crying like bitches because of this: fuck you.

You never gave a fuck about your fucking customers’ data, always wanting to get that “extra income”, even if that meant your users being inconvenienced by some fuck trying to sell them some shit at strange hours, getting spam mail or whatever other shit you can imagine.

And that’s the least: as shit progresses, and as it’s been shown in TD, that fucking “anonymous metadata” isn’t so anonymous, so some fuck might end up collecting/having whole listings of people’s browsing history.

Visited sites related to cancer? You might have one. I bet that insurance companies will love having that information. You visited sites regarding pregnancy for your family? Here you have, some nice baby clothes/chairs/food/diapers ads.

Point is, most of this shit hasn’t even been informed, or if it has, it’s been buried in a lot of legal mumbo-jumbo that no fucking lawyer would even get it right (not sure if the GDPR solves this, but if it doesn’t, here is the next task).

You know why this whole shit happened and now you’re crying around scared because you don’t even bother to read the whole text?

a) Because you don’t give a fuck about your customers. They are just wallets for you.
b) Because your customers are the product, even if they PAY for the products that you’re supposedly selling.
c) Because your customers still are the product, EVEN AFTER IT HAS PASSED A LONG TIME SINCE THEY STOPPED USING IT.
d) Because people have started to get pissed off that their whole life is in the hands of some crooks that only give a fuck about themselves, and will sell it whether they like it or not.
e) All of the above.

And no, the whole “if you don’t like it, then don’t use that service” is wrong here. That’s like saying “if you don’t like a non-neutral internet, then don’t use it”.

The internet brings a lot of advantages, and some of the services you offer too. But that should never come at the cost of fundamental rights (privacy is one).

It’s like with ads. People don’t care much about a banner or some shit. But when ads start loading videos that slow down your browsing (and eat bandwidth) or there is the risk of getting something nice from them (like a virus), things change a lot. And that’s when ad-block comes into play.

GDPR is one of the Ad-blocks. It isn’t perfect, but at least it’s a clear message telling you that you’re a fucking virus for our privacy.

And to fuck you.

Shit, it was about damn time.

PS: oh, btw. To those Americans complaining about your companies having to abide by EU laws…

How does it feel getting done to you what you have been fucking doing for a long time to other countries?

Fuck you. And fuck ‘murica.

Anonymous Coward says:

Those fines are kept on computers

If the LA Times, they could break in that EU and ERASE it, then that would be the end

Some people there certainly own a boat. They could take the computer used to erase that fine and send it to the bottom of the ocean where the evidence would be gone for good, and investigators would never be the wiser. Taking the computer used to do it and throwing it in the ocean would, at worst, only bring a charge of violating pollution laws, and that is only if they are caught. And if you go out far enough, you won’t

Anonymous Coward says:

Re: Re: Re:

Depends on the situation. If it is a stupid or unjust prosecution then fleeing the jurisdiction is called for.

30 years ago, in college, I helped a girlfriend flee an unjust prosecution for recording a professor’s lecture without his permission

She was from Mexico so I drove her to Mexico because I was going there for spring break. I merely went out and covered up my license plates before crossing the border and I adjusted the sun visors so any cameras on the US side would record our faces when we went across, so there would be no evidence that could be used for aiding and abetting. I also paid for gas, meals, and lodging, while driving her down there, with cash, so there would be money trail. I also used a different border crossing coming back, to avoid suspicion.

Paying for everything with cash on the way down would have made it impossible for any investigator to have ever found out I helped her flee the country

I loved her and would have done anything for her.

John Smith says:

Don’t kid yourselves. This is blowback against Section 230.

A number of lawyers who get positive press on this site have an attitude towards 230 which is cavalier, a symptom of the larger weaponization of an immunity that was designed as a shield not a sword.

You reap what you sow. Anyone who is okay with a few people’s lives being ruined for the “greater good” of the internet can have it happen to them if they think it’s so innocuous.

dadtaxi says:

That’s not how this works

Some companies are getting very….persuasive….about the permissions they are after.

My brother has just had his pension company ask him to confirm they are allowed to use his data for all sorts of reasons not directly related to his pension, or he is “at liberty to move his pension”. He is pretty certain that is not how it is supposed to work so he is tempted to say no just to see how far they will push it.
