Failures

by Mike Masnick

Tue, May 29th 2018 10:45am


Filed Under:
eu, eu parliament, gdpr, regulations, tracking, vera journova



EU Parliament's Own Website Violates The GDPR

from the whoopsy dept

We've been pointing out for a while that, however well-intentioned the GDPR may be, and however important the general concept of protecting users' private data is, that still doesn't make the GDPR any less ridiculous. Indeed, we've pointed out that the setup of the GDPR is such that it's becoming a regulatory nightmare: the compliance costs are high, and the rules are so vague that the liability risk remains high. I know that some people keep insisting that the requirements to be compliant aren't actually that difficult. Indeed, EU Commissioner Věra Jourová recently claimed that complying with the GDPR was so easy that even she could do it.

Upon hearing that, software engineer Matthias Gliwka wondered whether the EU was actually complying with its own "so easy" GDPR rules. Turns out, not so much. As Gliwka noted, the EU Parliament's own website appears to violate the GDPR:

It took me less than five minutes to spot a violation: on the website of the EU Parliament Google Analytics is being used to track the visitors without the necessary anonymizeIP flag, which in turn causes Google to store the complete IP address without anonymizing the last octet. You can take a look for yourself by checking the source code of this page (archived version in case it gets fixed in the meantime).

This is a violation of the GDPR, since the personal data (IP address) in conjunction with analytics data is being stored on Google’s servers without consent or any other legal basis.

Oops. This, of course, is not to mock the EU Parliament for screwing up, but rather to highlight the fact that when politicians and regulators insist that certain regulations are "easy" to comply with, they often have no idea what they're talking about -- and the GDPR is a case in point. Over the past couple of months, nearly every startup I've spoken to has discussed the GDPR, and nearly every single one has no idea whether it's actually in compliance. Many have spent ridiculous sums on lawyers and self-described GDPR experts, but are still working almost entirely blind on how the GDPR will play out in practice.

That is not a good recipe for innovation. Nor, frankly, is it a good recipe for protecting your data. No matter how much you think the GDPR means that websites will better protect your data, it is not particularly helpful when complying with the rules is both expensive and unclear. That the EU Parliament's own website couldn't figure this out is a shining example of why the GDPR is such a problem.

Related to that, the fallout from the GDPR is already being felt -- and it's not being felt by Google and Facebook and the other internet giants that everyone celebrating the GDPR points to. Instead, it's hitting smaller sites really, really hard. Google and Facebook are fine. They can handle the GDPR. Everyone else is freaked out.
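The check Gliwka describes, carried a little further, as an added example that is not part of the original post or of his write-up: a script that scans fetched page HTML for the Google Analytics snippet and reports whether IP masking is requested (analytics.js via ga('set', 'anonymizeIp', true), gtag.js via an anonymize_ip: true config field), plus a function implementing the truncation Google documents for that setting (the last octet of an IPv4 address, or the last 80 bits of an IPv6 address, zeroed), so the "one octet" point is concrete. The sample pages, the placeholder property ID 'UA-000000-0' and the addresses are constructed for the demo, and the function names are my own.

```javascript
// Added example (not from the article or from Gliwka's post). Function names,
// the sample pages, the placeholder property ID and the addresses are all
// constructed for this demo.

// Static scan of page HTML for a Google Analytics snippet. Reports which
// library is loaded, the property ID, and whether IP masking is requested:
//   analytics.js: ga('set', 'anonymizeIp', true)  (or anonymizeIp: true in a fields object)
//   gtag.js:      gtag('config', ID, { anonymize_ip: true })
function auditGaSnippet(html) {
  const result = { library: null, propertyId: null, anonymizeIp: false };

  const create = html.match(/ga\(\s*['"]create['"]\s*,\s*['"]([^'"]+)['"]/);
  if (create) {
    result.library = 'analytics.js';
    result.propertyId = create[1];
    result.anonymizeIp = /anonymizeIp['"]?\s*[,:]\s*true\b/.test(html);
    return result;
  }

  const config = html.match(
    /gtag\(\s*['"]config['"]\s*,\s*['"]([^'"]+)['"]\s*(?:,\s*(\{[^}]*\}))?\s*\)/
  );
  if (config) {
    result.library = 'gtag.js';
    result.propertyId = config[1];
    result.anonymizeIp = Boolean(config[2]) && /anonymize_ip['"]?\s*:\s*true\b/.test(config[2]);
  }
  return result;
}

// Expand an IPv6 address into its eight 16-bit groups (one '::' allowed).
function expandIpv6(addr) {
  const parts = addr.split('::');
  if (parts.length > 2) throw new Error(`invalid IPv6 address: ${addr}`);
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const fill = parts.length === 2 ? Math.max(8 - head.length - tail.length, 0) : 0;
  const groups = [...head, ...new Array(fill).fill('0'), ...tail];
  if (groups.length !== 8 || groups.some((g) => !/^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error(`invalid IPv6 address: ${addr}`);
  }
  return groups.map((g) => parseInt(g, 16));
}

// What Google documents for the anonymizeIp setting: the last octet of an IPv4
// address, or the last 80 bits of an IPv6 address, is zeroed before storage.
// Note how much survives: 24 of 32 bits for IPv4, 48 of 128 bits for IPv6.
function anonymizeIp(addr) {
  if (addr.includes(':')) {
    const kept = expandIpv6(addr).slice(0, 3).concat([0, 0, 0, 0, 0]);
    return kept.map((g) => g.toString(16)).join(':');
  }
  const octets = addr.split('.');
  if (octets.length !== 4 || octets.some((o) => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error(`invalid IPv4 address: ${addr}`);
  }
  return `${octets[0]}.${octets[1]}.${octets[2]}.0`;
}

// Constructed sample pages; 'UA-000000-0' is a placeholder, not a real property.
const PAGE_NO_FLAG = `<script>
  ga('create', 'UA-000000-0', 'auto');
  ga('send', 'pageview');
</script>`;

const PAGE_WITH_FLAG = `<script>
  ga('create', 'UA-000000-0', 'auto');
  ga('set', 'anonymizeIp', true);
  ga('send', 'pageview');
</script>`;

const PAGE_GTAG = `<script>
  gtag('config', 'UA-000000-0', { 'anonymize_ip': true });
</script>`;

for (const [name, page] of Object.entries({ PAGE_NO_FLAG, PAGE_WITH_FLAG, PAGE_GTAG })) {
  const r = auditGaSnippet(page);
  console.log(`${name}: ${r.library} ${r.propertyId} anonymizeIp=${r.anonymizeIp}`);
}
console.log(anonymizeIp('203.0.113.42'));                 // 203.0.113.0
console.log(anonymizeIp('2001:db8:85a3::8a2e:370:7334')); // 2001:db8:85a3:0:0:0:0:0
```

Run it with node after pasting a page's HTML into one of the constants. Two caveats a reviewer should keep in mind. A static scan only sees what is in the markup, so a tag injected by Google Tag Manager or another loader has to be checked at runtime instead, by watching the request to the google-analytics.com collect endpoint for the aip=1 parameter. And the flag only asks Google to mask the address before it is stored; the full address still travels to Google with every hit, which is why Gliwka's point about legal basis does not go away just by flipping the setting.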

Reader Comments

  • Anonymous Coward, 29 May 2018 @ 10:57am

    No, Madnick, problem is GOOGLE! Is NO need for it to be everywhere!

    Storing ALL that it can, forever.

  • Anonymous Coward, 29 May 2018 @ 10:59am

    "innovation" is not an end in itself. Google is innovating at SPYING, yes.

    It's monetizing the privacy of "natural" persons. Just as Nazis monetized the death of millions. Evil goals cause evil innovation.

    • Anonymous Coward, 29 May 2018 @ 11:51am

      Re: "innovation" is not an end in itself. Google is innovating at SPYING, yes.

      "Nazis monetized the death of millions"

      While it's conceivable that nazi concentration camps could have been turned into profitable slaughterhouse operations converting human bodies into numerous value-added products, from leather to soap to Braunschweiger, such stories, despite being spread far and wide, were simply not true.

      https://www.ihr.org/leaflets/soap.shtml

    • Anonymous Coward, 29 May 2018 @ 12:51pm

      Second comment and you went full Godwin. Never go full Godwin.

  • Gary (profile), 29 May 2018 @ 11:06am

    Krap Legislation

    Bad rules don't fix much of anything. It's kinda strange how some are pushing this thru to "punish" Google when the opposite is true.

    • Anonymous Coward, 29 May 2018 @ 12:33pm

      Re: Krap Legislation

      Give the GDPR a read. It wasn't written to "punish Google" even if there are camps who would try to use it for that.

  • Anonymous Coward, 29 May 2018 @ 11:29am

    Masking one octet is a pathetic excuse for "anonymization"

    Legally, discarding the last octet might satisfy the anonymization requirement. Practically, that is generally insufficient. If the law says discarding one octet is sufficient, then that is yet another way in which the law is badly written.

    • Ben, 30 May 2018 @ 4:32am

      Re: Masking one octet is a pathetic excuse for "anonymization"

      IP addresses have been demonstrably shown time and time again to not map to a natural person anyway, so why on earth are they even included in the GDPR definition of 'personal data'.
      Yes, it's a badly written law, written by people who don't have a technical bone in their or their staff members' bodies.
      (Mind you, of course, if we let 'technical people' write the technical legislation, we'd all be screaming about regulatory capture)

      • Pete Austin, 30 May 2018 @ 5:06am

        Re: Re: Masking one octet is a pathetic excuse for "anonymization"

        It's a reasonably good law, well worth reading, but they screwed up in a few places. The IP address thing is one of them. A bigger issue is the lack of real exemptions for micro-companies.

  • Anonymous Coward, 29 May 2018 @ 11:35am

    Not a good example

    when politicians and regulators insist that certain regulations are "easy" to comply with, they often have no idea what they're talking about

    Google Analytics is perhaps the prototypical example of user-tracking. This is not something that just appears on a website without the owner's involvement; they made the conscious decision to track their users, and did not turn on the option to track them in a slightly less identifiable way.

    In this instance, compliance actually is easy: don't add a user-tracking service to your site.

  • Ninja (profile), 29 May 2018 @ 11:48am

    Sadly, as far as I could grasp there is a lot of good and some of the bad is actually goodwill gone bad. Companies abused their free reign so much that now we are swinging towards the other extreme. I do hope the GDPR is revised as soon as possible to polish what's good and rebuild what's bad but I generally think that some regulation is going to be needed. The industry can't help screwing things up.

  • That One Guy (profile), 29 May 2018 @ 11:51am

    What's that saying about glass houses...?

    This, of course, is not to mock the EU Parliament for screwing up, but rather to highlight the fact that when politicians and regulators insist that certain regulations are "easy" to comply with, they often have no idea what they're talking about -- and the GDPR is a case in point.

    No, I do believe they're due for some hefty mockery here. As people have pointed out these changes have been in the pipes for two years, and yet during that time the very ones pushing it couldn't be bothered to check if they themselves were in compliance with their own rules?

    If nothing else this provides perfect cover for any companies/sites who are still working on getting 'compliant'. If the EU Parliament couldn't be bothered, then it's rather hard to blame others for not getting on it ahead of time.

    • Anonymous Coward, 29 May 2018 @ 12:30pm

      Re: What's that saying about glass houses...?

      If nothing else this provides perfect cover for any companies/sites who are still working on getting 'compliant'.

      No, it might provide some "whataboutery" but it won't shield anyone from their own compliance.

      • That One Guy (profile), 29 May 2018 @ 1:04pm

        Re: Re: What's that saying about glass houses...?

        I didn't mean to imply it would be a good excuse, merely that it would be an easily used one.

        'They didn't care enough to check and they wrote the rules, why are you going after us for not being 100% compliant right out the gates if even they couldn't be bothered?'

    • wereisjessicahyde (profile), 29 May 2018 @ 1:29pm

      Re: What's that saying about glass houses...?

      "Never throw garden furniture at one whilst drunk" Or maybe that's just for me.

    • PaulT (profile), 30 May 2018 @ 1:13am

      Re: What's that saying about glass houses...?

      "during that time the very ones pushing it couldn't be bothered to check if they themselves were in compliance with their own rules?"

      You make the mistake of assuming that those responsible in both areas were the same people. The people making the rules will not have been implementing them - that job will be done by people who were more than likely telling them why things were a bad idea in the first place. If a hammer falls, it will be on the poor admin who was ordered to achieve what he was warned was impossible, not the politician who demanded it be done anyway.

  • Anonymous Coward, 29 May 2018 @ 11:51am

    From the digiday article: “Revenues and [ad demand] volumes [are] expected to fall dramatically across the board,” said one publishing executive, under condition of anonymity.

    Is this really a bad thing? Less ads? I see that as a win. The internet was and should still be ad free!

    • bob, 29 May 2018 @ 12:21pm

      Re:

      Except that running, owning, and hosting a website is not free. I support some advertising. But the crap pile that was allowed to proliferate on the web as we see today is the reason I use an ad-blocker.

      • Anonymous Coward, 29 May 2018 @ 12:47pm

        Re: Re:

        While they don't have "web site" hosting per se, archive.org will host files (even huge, popular ones) for free, and they don't track their users.

      • Anonymous Coward, 29 May 2018 @ 1:38pm

        Re: Re:

        But to force ads, specially the horrible ones, onto your users just so you can have your little space on the internet?

        I remember what it was like the first times I was online. Somewhere around 1993. I can't remember seeing a single ad and yet there were more sites to visit and spend time on than I had free. I would never have seen it all.

        Hosting a site at someone else's expense was not even thought of. It was a place to share your ideas, your creations. Then the business man got a hold of it....

        • bob, 29 May 2018 @ 5:01pm

          Re: Re: Re:

          True it got worse with time but there was always some source of money to fund the website. Could be ads, donations, Subscription, self-funded, or backed by some other entity. I'm sure there are others but you

          You can also show ads without tracking or annoying visitors.

          • Anonymous Coward, 29 May 2018 @ 5:26pm

            Re: Re: Re: Re:

            You can also show ads without tracking or annoying visitors.

            "Without annoying" is difficult. But if we look back to the early days of targeted advertising, we know it can be done without tracking. There's one piece of information that's powerful on its own: the page on which the ad appears. Originally, Google would show an ad based on your search term. Techdirt's recent boardgame campaign worked because it was shown to users of this site and relates to things the site talks about (FOIA, spying), so we can assume some people reading TD will be interested.

        • Anonymous Coward, 30 May 2018 @ 4:56am

          Re: Re: Re:

          1993?

          What, when there were only a few thousand actual internet users? And many of the "sites" were actually used for other things than just serving pages? And/or they were affiliated with universities.

          Mosaic, the first "graphical" browser, came out in 1993, and for quite a while very few sites had actual WWW (web) server capabilities. Lynx & Gopher didn't provide any kind of advertisement capabilities that I recall.

          Once the actual Mosaic & Netscape WWW browser capability started taking off, and people started getting on the internet, commercial investment started coming along. This investment actually helped grow the internet into the massive, ubiquitous state it maintains today. AOL, Yahoo, MSN, and others actually did have advertisements, and they were "the internet" for most people back in the mid-1990s or so. (AOL and CompuServe actually existed before the web).

    • Anonymous Anonymous Coward (profile), 29 May 2018 @ 1:35pm

      Re:

      I am surprised we haven't heard more from the online news organizations in the EU. Or are they expecting Google to make up for additional loss of ad revenue?

  • Anonymous Coward, 29 May 2018 @ 11:52am

    but, like all countries and all govts, that doesn't matter! the only thing that matters is to make doubly sure that the ordinary citizens are stopped by any and all means necessary from being able to stand up for themselves, able to learn about what these fuckers are up to and never again able to defend themselves against the tyranny of those who are doing everything possible to enslave the human race!!

  • Anonymous Coward, 29 May 2018 @ 1:19pm

    I'm no expert, but it sounds like it will need to go to the European Court of Justice, where it will be confirmed to be more or less what people think it is, a nuke on the targeted ad revenue model (surveillance capitalism).

    This was always going to happen. The data harvesting free-for-all that the big players depend on is in flagrant violation of basic human rights principles.

    The Europeans will not back down on this. Rather than futilely drawing it out for years these companies should "innovate" and move to one of their other revenue options.

    If collecting personal data is essential for providing a service that people actually value then they will happily opt in to it.

    • Anonymous Coward, 29 May 2018 @ 1:32pm

      Re:

      archive.org is "free" in that it is supported by donations. Are you proposing that all commercial content providers follow the same model?

      • Anonymous Coward, 29 May 2018 @ 1:51pm

        Re: Re:

        Sorry, replied to the wrong post.

      • Anonymous Coward, 29 May 2018 @ 2:40pm

        Re: Re:

        It's just an example showing hosting does not require tracking, and people posting their own media have choices other than Youtube etc.

        Their FAQ says it costs them about 2.00 USD/GB to store data forever. They're not going to object to the EU Parliament posting laws, minutes, etc. there, with or without a donation. An individual could easily get their fans to donate enough to cover those costs, without any intrusive PBS-style fund drive.

        • Anonymous Coward, 29 May 2018 @ 7:44pm

          Re: Re: Re:

          without any intrusive PBS-style fund drive.

          Not sure about this one. Wikipedia, at least, appears to require this kind of fundraising, and it is funded largely by individuals, in contrast to archive.org which is mostly funded by much larger institutions.

    • TripMN (profile), 29 May 2018 @ 6:27pm

      Re:

      Call me a little daft or even a bit uninformed, but please explain to me your statement of "The data harvesting free-for-all that the big players depend on is in flagrant violation of basic human rights principles."

      I'm just not sure what you mean because that is a very bold statement but you don't explain it or back it up in any way.

  • Anonymous Coward, 29 May 2018 @ 1:30pm

    ...So, does that mean that the EU lost 4% of its Gross Revenue in fines to itself?

  • Max, 29 May 2018 @ 2:59pm

    NOPE

    Is it perfect? Hell no. But I'll take it ANY TIME over the traditional alternative of "hahaha, let me mop the floor with you precious 'personal data', snowflake..."

  • tracyanne, 30 May 2018 @ 1:36am

    The problem, then, is not so much the EU Website

    as the EU website using a 3rd party for its analytics.

  • Éibhear, 30 May 2018 @ 4:17am

    Podcast suggestion

    Hi,

    Living in Europe, and having a serious amount of skepticism regarding the motives of the EU Commission and the EU Council, I'm still more of a fan of the GDPR than not.

    However, I don't know everything, and I work only tangentially with matters relating to data protection.

    I would love to hear a discussion or debate on the Techdirt podcast, say, regarding the GDPR between Mike or Cathy and someone from the east of the Atlantic. My personal recommendations would be someone like Simon McGarr (@tupp_ed on Twitter) or T.J. McIntyre of Digital Rights Ireland (@tjmcintyre), both of whom were involved in the Schrems case that took down Safe Harbour.

    Other people I would trust to give an informed, EU-based, perspective on GDPR would be Rowenna Fielding (@MissIG_Geek), Sarah Clarke (@trialbytruth), Pat Walshe (@PrivacyMatters) or Daragh O Brien (@CBridge_Chief).

    I would expect all of these to have considered analyses on the concerns that Mike and others have with GDPR (I don't like the RTBF portion of it, either!), and would give alternative perspectives. It would be excellent to hear it covered in one of the podcasts.

    Éibhear

  • Pete Austin, 30 May 2018 @ 5:00am

    It says it doesn't comply, on the legal page ¯\_(ツ)_/¯

    Do you mean this site?
    https://europa.eu/european-union/abouteuropa/legal_notices_en

    If so, it's totally obvious that it doesn't comply with the GDPR. It even says so in plain text...

    The policy on "protection of individuals with regard to the processing of personal data by the Community institutions" is based currently on Regulation (EC) N° 45/2001 of the European Parliament and of the Council of 18 December 2000 (and not on the "GDPR" Regulation 2016/679 that repeals the Directive 95/46/EC). The new version of Regulation 45/2001 is currently being adopted. The legal notices on Europa will be updated in accordance with the new version.
