
Why not give the user control and have things such as crash reporting be opt-in?

We sleep-walked into a society where the expectation is that any and all data is scooped up and sent off remotely without adequate controls and I think it's great that the EU GDPR is making people wake up to the scale of it.

Suggesting that XMPP federation isn't compatible with GDPR seems like an over-reaction, isn't that like saying that SMTP isn't compatible?



Indeed, and TBH the part about Crashlytics made me glad about GDPR (although the rest of the message does indeed sound like an overreaction). I do not like when applications I use try and do things that are irrelevant to what the application is all about, especially when these "things" involve communicating through the internet and even more so when I am not informed about it.


I think it's a weak argument to suggest that crash reports are not "what the application is about"; it contributes to the ongoing development and stability of an application which you use.

That said I do think there should be an expectation that your participation in crash reporting would be voluntary and explicit.


Yeah, they are over-reacting.

For example, IP addresses are considered personal information but what that means is you just can't blindly collect them. If the service you use relies on IP addresses as a basic point of operation then it's fine.

CDNs aren't going out of business for example.


> that means is you just can't blindly collect them

Genuinely curious, what about all of the web servers that log every request which usually by default includes the client IP? Not doing anything special with the IP, they are just there in log files and archives.


Personally, I'll activate anonymization of IP addresses in my logs coming next week. There are various solutions for that available.

I think you can also log the IP, you just have to get your user's explicit consent.

I will also remove Google Analytics, and switch AdSense to contextual ads. I am a bit worried about the latter step, but if the losses are too great I can still try to get consent from my visitors and switch to personalized ads again. As for Google Analytics, I never did get that much out of it, but perhaps I should have used it more. I never activated the "deep personalization" options in GA to begin with.

It bothers me to pester my visitors with consent popups. On the other hand, looking at what Google proposes for compliant AdSense, it also bothers me that apparently multiple companies get to track my users if I enable personalized ads. I wasn't really aware of that, and just accepted Google as tracking because they know everything anyway.

So much as I dislike the new privacy laws, at least they made me reconsider my AdSense settings.


Google analytics has an option to anonymize the IP and remove unique user id from the data collection.


Sure, not saying you can't use Google Analytics, just that my choice is to remove it.


It's fine to collect this information in your logs as it's part of the normal operation. I log them for security reasons and the logs do not persist for more than a week or two, which is less than the month I'd have to comply within. Provided you're not logging IP addresses for non-legitimate reasons and you're not keeping the data for longer than you reasonably need to, you have nothing to worry about.


`tail /var/log/nginx/access.log` Oops.

Also, the section of the GDPR that talks about pseudonymization using a token: how should my user DB table be GDPR compliant? It contains ID (primary key), username, password hash, email, etc., and the ID is also in other DB tables for obvious reasons (such as user posts/actions).


I think it can simply be GDPR compliant if you inform your users that you are saving that data in your database, and they give you the explicit OK to do so. Explicit consent meaning they tick a checkbox saying "I understand that page x is saving the data y in a database and I am OK with it".

If you have a site where users can make posts, I'd say they pretty much give you consent by signing up. IANAL, though.


The consent has to be explicit. Of course, you can always just require consent in order to sign up. Just as long as it's clear what's going on and you can remove/anonymise the data if the user decides to revoke their consent and leave the service.


OK, but explicit in what sense? Does it have to refer to the GDPR, as in "I agree my data will be stored according to GDPR"? I must admit I have trouble understanding it - how could anybody sign up anywhere without data being stored?


>We sleep-walked into a society where the expectation is that any and all data is scooped up and sent off remotely without adequate controls

We used to live in a society where webmasters' rights to the fruits of their labor weren't trampled on by inane regulation (to this degree at least). Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers and you have to ask in extremely specific detail to do anything with some of that content, and that "consent" can be revoked at any time.

The EU has shot themselves in the foot and more and more companies are going to refuse to do business with them because of it.


> We used to live in a society where webmasters' rights to the fruits of their labor weren't trampled on by inane regulation (to this degree at least)

So someone having a copy of my data that I wish be removed is trampling on a webmaster's rights? That makes no sense whatsoever.

> Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers

This isn't even true. They have _a tiny bit more_ control of what you can do _with their_ data. That's it.

Buckle up because this type of regulation is only going to happen more frequently and in large part because of your attitude that it is "your" data versus the user's data.


But it's not "their" data. It's the webmaster's data. It rightfully belongs to the webmaster. It just happens to pertain to the user. There is no justification for that information still belonging to the user after the user surrenders it to the website.


> But it's not "their" data. It's the webmaster's data.

No

> It rightfully belongs to the webmaster.

No, you are completely wrong here. The basic point of the legislation (and other privacy legislation in the EU that came before GDPR) is that a user's personal data absolutely does not belong to someone else once collected.


I hate this binary choice between all or nothing

Your personal info, username, account settings, marketing analytics, etc. are definitely your data and you should be free to have them deleted.

The two year old IPs in a server log sitting in backup, or a chance occurrence of your username in a random call stack for some web exception is not your data, and you shouldn't force a business to have to dig through that mound of digital noise to satisfy your deletion needs


You're not required to delete information from archival data such as backups


I obviously wasn't talking in a legal sense, I was talking in a "what's actually right and good" sense. The law doesn't make something right. Rightfully, the information belongs to the webmaster. Under GDPR, users get to put a leash and muzzle on webmasters.


Well, I'd say it's also not at all rightful in a "what's actually right and good" sense.

And as others have pointed out, no the users don't get to put a leash on webmasters, it just allows the users to retain some degree of control over what the webmasters are allowed to do with personal information about their users. But feel free to argue that it is your moral right to sell user's e-mail addresses to some spammer or whatever.


"users don't get to put a leash on webmasters, it just allows the users to retain some degree of control over what the webmasters are allowed to do"

I'll let that excerpt speak for itself.

And yes, I'm arguing it's anyone's moral right to profit off information voluntarily entered into their website unless a specific agreement was made on the website to the contrary.


> And yes, I'm arguing it's anyone's moral right to profit off information voluntarily entered into their website unless a specific agreement was made on the website to the contrary

Views like this are exactly why we need the GDPR.

I find it utterly ridiculous - disgusting even - that you really believe you have the right to do whatever you want with someone else's personal information. When you provide an email address, physical address, name or other PI, it's with the expectation of it being used for a specific purpose - it should absolutely not give you the right to sell that information to the highest bidder.


Why not? I have yet to see anyone arguing for data protection legislation actually give a reason that they think a user's data belongs to the user.


I've never heard anyone complaining about it give a reason why they feel that it belongs to them.


Equifax.


The Equifax breach was already illegal - I assume you mean you think that websites shouldn't keep user information to prevent future data breaches.

This is a bad solution to that problem. So many people's data was stolen that preventing future data from being stolen isn't the most important thing we should be doing. Last I heard it was 150 million people - that's enough that it no longer really matters to the average person if their data is leaked in the future because there's such a high chance it already has.

The real solution is to change our systems so that data leaks aren't a big deal. If people didn't ask for a 9 digit number to identify me, as if that's a reasonable thing to keep secret, then it wouldn't matter if everyone in the world knew it. That's the problem with data breaches like this. That's what we should be fixing in response to it.


And I find it equally disgusting that you think users' feelings are more important than webmasters' property rights.


Holy shit man, did you come right out of "Atlas Shrugged"?

This isn't even users' feelings, this is data that a: can have monetary value and b: can be plain wrong and damage a user.

Do you think that merely by observing data you have right to it? Do you not believe in any IP law? If you agree with any type of IP law then you are just being hypocritical by insisting that webmasters get to take and use whatever data they come across


>Do you think that merely by observing data you have right to it?

Yes, with some exceptions for actual copyright and the like.

>Do you not believe in any IP law?

IP law, yes, but I don't feel a user's entries into a website automatically qualify as IP owned by the user. The terms of many websites actually say that whatever you upload to them is owned by the website, unless a prior IP applied to it. I've only ever heard the claim that your name et al. are your inherent IP from "Sovereign Citizens" before.


IP law is not a natural right. It's been encoded into existence by laws. The GDPR is encoding new rights into law in regard with personal data.

I don't see a way to declare one bad and not the other unless you're just saying that new things are bad.

Additionally the terms of websites can say whatever they want but it doesn't mean they are legally defensible. I could put into my terms "by finishing this sentence you agree to be enslaved by Lovich LLC" but that doesn't make it happen


A bunch of 3rd party trackers collecting every move you make with your cursor probably won't fit most people's definition of 'voluntarily entered into a website'.


As a webmaster, I have an absolute right to carve '192.0.2.7 requested /foo.html from me' into stone and store it for posterity.

The GDPR prohibits me from doing that, and in fact requires that I have the ability to rewrite history by removing that fact if the user who had 192.0.2.7 ever requests it.

Some people, on hearing this, say, 'well, that's fine, you can just store 192.0.2 or 192.0 instead.' That seems pretty silly to me, since the whole point of logs is that they contain full information.

The GDPR tries to do the right thing, but it's broken. Immutable logs are a fundamental right.
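
The truncation mentioned in the comment above (storing 192.0.2 rather than 192.0.2.7), combined with the one-to-two-week log retention another commenter describes, as an added example that is not part of the thread: a Python filter for nginx combined-format access log lines. The /24 and /48 prefix lengths, the 14-day window and the sample lines are assumptions chosen for illustration.

```python
"""Truncate client IPs and enforce a retention window on nginx-style access logs."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in nginx "combined" format. They use documentation
# address ranges only; none of these lines come from the thread.
SAMPLE_LOG = """\
192.0.2.7 - - [20/May/2018:10:15:32 +0000] "GET /foo.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2001:db8:abcd:12:3456:789a:bcde:f012 - - [21/May/2018:08:01:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.58.0"
198.51.100.23 - - [01/May/2018:23:59:59 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
not-an-ip - - [21/May/2018:09:00:00 +0000] "GET /x HTTP/1.1" 400 0 "-" "-"
"""

# addr, ident, user, [timestamp], then the rest of the line untouched.
LINE_RE = re.compile(
    r'^(?P<addr>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\](?P<rest>.*)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def truncate_ip(text, v4_prefix=24, v6_prefix=48):
    """Zero the host bits of an address; return "-" if it is not an IP.

    Prefix lengths are assumptions: /24 keeps "192.0.2", /16 keeps "192.0".
    """
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "-"  # e.g. a unix socket peer; never echo the raw field
    # Treat ::ffff:a.b.c.d as the IPv4 address it wraps, so the IPv4
    # prefix applies instead of leaving the full address inside a /48.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def sanitize(lines, now, max_age_days=14, v4_prefix=24, v6_prefix=48):
    """Return log lines newer than the cutoff, with client IPs truncated.

    Lines that cannot be parsed are dropped rather than passed through,
    so an unexpected format never leaks a full address into the output.
    """
    cutoff = now - timedelta(days=max_age_days)
    kept = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        try:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
        except ValueError:
            continue
        if ts < cutoff:
            continue  # past the retention window
        addr = truncate_ip(m["addr"], v4_prefix, v6_prefix)
        kept.append(f'{addr} {m["ident"]} {m["user"]} [{m["ts"]}]{m["rest"]}')
    return kept


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives the same result on every run.
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    for out_line in sanitize(SAMPLE_LOG.splitlines(), now):
        print(out_line)
```

Only the address field is rewritten here; the user field, request path and query string pass through unchanged and may need their own handling.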


I also would prefer more clarity in the area of logging IP addresses, and would like to have a clearer consensus on what is allowed here. I think we will get a clearer picture after a bit of time.

It appears to me that as long as you don't use the logs for nefarious purposes you'd at least have legitimate interest in processing them (including the IP addresses), and so could keep them. This is the stance I am taking with respect to my personal webserver (together with a time limit after which logs are deleted); if a regulatory body informs me to change my approach, I'll gladly adapt.

Note also that IP addresses can be personal data, but do not have to be. Most claims here seem to relate to a ruling, where the IP address was deemed personal data in the hands of an ISP, who would be able to resolve it to a real person [1]. If you hold an IP address, but can't connect it to a real person (e.g. by having legal means to convince the ISP to give you that name based on the address), then it seems the IP address would not even be personal data in the first place. In the particular ruling, the operator of the webserver was the German government, which presumably has more legal power to make an ISP turn over identifying data on a customer than a random website would have.

In any case, I hope some more clarity about this will emerge soon. But what you are talking about here would at best be a borderline infraction (and probably just be covered under legitimate interest). OTOH, what the person starting this thread had in mind seems to be that all the data he might collect on his users is fair game to do with as he pleases.

[1] https://www.whitecase.com/publications/alert/court-confirms-...


> The GDPR prohibits me from doing that,

No it doesn't.

> and in fact requires that I have the ability to rewrite history by removing that fact if the user who had 192.0.2.7 ever requests it.

No it doesn't.

https://gdpr-info.eu/art-17-gdpr/


> The law doesn't make something right.

I absolutely agree. If you feel a law is wrong, it is your absolute right to say so and demand change. This is the basis of all law and civilisation. The consensus of what is right-or-wrong is what makes a society.

Go for it.


I'm sure the person you're replying to is also talking in the 'rightful' sense. While the data collected technically belongs to you, it can still be a privacy violation. This is extremely important on the web where it's very easy to share that data, make it public or accidentally leak it.


It can be a privacy violation but the idea of a fundamental right to privacy is not universally supported like free speech.

If it is a fundamental right, how far does it go? Should I be able to sue you for watching me walk in a public place? Photographing me? Video taping me? What about a privately owned but still public place?

There are a lot of questions here that I think people tend to skip over about users owning information about them and being able to control it.


There are lots of laws against following someone and observing/recording every move they make.

Making some observations out your window of cars passing by is something no one ever had a problem with. Taking down every single identifier you could and coordinating with others to track that person, for a profit, is something that would not be kosher in meat space.

Why is this different just because it's on a computer?


The laws you talk about are, I think, laws about stalking. I'm not aware of any laws that apply to that kind of thing if it happens on a massive scale. Singling someone out is an important part of stalking.

Keeping detailed information about everyone that enters your store isn't illegal, as far as I know. Especially not information that is gained from observation (what color shirt they're wearing, their IP address) and information that is submitted willingly (their name given for a reservation at a restaurant, their username).


Would any of that actually be illegal in "meat space" as long as it didn't qualify as harassment?


Would any data collection on the "internet" actually be illegal as long as it didn't qualify as illegal data collection?

That's the whole point of the law is to say it's illegal, the same way laws made stalking people illegal


I'm sorry, but I cannot buy the argument that this is in any way, shape, or form related to "free speech".


I wasn't trying to say it was - I was simply saying that when you base an argument on free speech, you don't have to explain why free speech is a good thing because it's generally accepted by everyone to be a good thing.

In this case, a lot of people base their argument on a fundamental right to privacy which is not generally accepted by everyone and therefore it has to be explained because it's an important part of the discussion.


Free speech of a webmaster being infringed by not allowing them to repeat information that their users gave them. Easy.


Nope. That is not a free speech issue. It is an irresponsible business issue.

Also, no one who actually does this stuff for a living uses the term "webmaster".


>Also, no one who actually does this stuff for a living uses the term "webmaster".

Have I been hallucinating my workplace this whole time?


> Rightfully, the information belongs to the webmaster.

What? Because you just decided that it does?

It's people like you why we need GDPR-like laws. I'm curious, what's your stance on the Equifax data breach? They had data that belongs to them and they could do with and treat it as they pleased, right?


If I get nude pictures of you, or your mother, daughter etc. is it then "my data"? Am I therefore allowed to do with that data as I wish?

I think most people agree that unless those pictures are gathered with very specific consent, subject to many restrictions, they are not "my data". This is obviously an extreme example, but the reasoning extends to more data that is considered sensitive. The point being that "data ownership" is a complicated issue.


Well whoever took the picture is the one that holds the copyright usually so it's more or less that person's data.

Pictures probably aren't a good example because they are covered by intellectual property laws.


Then let's move on to credit card details. You gave them to me for payment purposes in the course of doing normal business.

Months later, I discover that I can sell my stock of credit card information on the darknet for some nice extra income.

Should I be allowed to do that? What if it weren't credit card details but just postal addresses?


Yes, you should be able to do that, unless you are reasonably certain that the information might be used to commit credit card fraud/identity theft.

If you think they might be used illegally, I believe there are already laws to charge you with that relate to facilitating a crime.

If you don't think they will be used illegally, then what's the harm in selling them to someone else?


The credit card example was already illegal by other, more targeted legislation.

Nobody likes getting a lot of junk mail, but it's not the end of the world. I actually got my first credit card from a pre-approved offer found in junk mail.


> [...] Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers and you have to ask in extremely specific detail to do anything with some of that content, and that "consent" can be revoked at any time.

You are saying that's a bad thing?

Services that require you to sign up, should provide the possibility for users to look at, modify and delete their user data - that's all. Where's the problem?


Yes, I'm saying that's a bad thing. Someone shouldn't have a right to come into my house and tear up a piece of paper in my drawer if I happened to write something about them on it.

The problem is that there's no justification for having the right to coerce other people just because they have information you gave them. If users enter names into your website, you're not allowed to run a statistical analysis of what names are most common on your website without asking. If people named Jane are more likely to eat ice cream, you can't target ice cream ads at them and help keep your site free, without asking them. Worse than just this kind of coercion of what you're not allowed to do, users can coerce you into taking time out of your day to expunge records about them. It's all entirely backwards.


The point of GDPR is to switch collecting users’ personal data from being a benefit to being a liability. That will absolutely cause short term pain to some companies that hadn’t expected this, but it ends up as a long term benefit to society, the same as most legislation.


Do you have a source for most legislation being a long term benefit to society?

If forcing low-earning EU citizens off the internet because every website requires a subscription is a social good to you, then sure, it's a long term benefit.


Is the internet even a net benefit with this current trend towards turning everything into clickbait or some other psychological experiment to get traffic and harvest data off of it? How useful is the average website now compared to what the internet was like in the 2000's?

Even if it would all be a net benefit, why is it ok for all of these companies to be so misleading about it. No one out a simple EULA, for what is happening with the data. Hell half the agreements just say that the companies can do whatever with the data, but an average person does not have the ability to parse the output of the legal teams of every company they interact with every day. The only way this could get even close to an equal footing between users and companies is if every single person was a lawyer


The rate of high-quality content being added to the internet has surely been on the increase as the adoption of the web increased, even if the likes of clickbait and spam grew faster, shifting the "average" quality down.


I don't agree with that at all. In the 2000s I frequently could find new and useful websites for learning on every Google search. Now I have to wade through hundreds of sites that only host clickbait or repackage other sites content so they can deliver ads that end up containing malware. The internet has given me a commodity in the form of constant good data that is unequivocally an improvement, but the signal to noise ratio on the web has gotten worse every year


I'm not seeing exactly where you disagree there. There's more bad information now, and a higher ratio of bad to good, but I'm saying despite that, there's still more good than there used to be, and probably a higher rate of good being added.

For example, with small numbers for the argument's sake, say in 2000 there were 5 good webpages and 4 bad webpages added to the internet every day. Now there are 10 good webpages and 50 bad webpages added every day. That would mean we're getting more good information per day than before, but the signal to noise ratio has gotten worse, as you said.


I'd agree that the total amount of good information has increased but if bad info is being added at an accelerating rate compared to good info then I wouldn't say the rate of good information is increasing in anything but the most technical sense.

For all intents and purposes the information doesn't exist if you can't find it, you can only find information at a certain rate, and a larger and larger chunk of that information bandwidth every day is bad information. The practical result is that the rate of good information someone has access to has decreased even if the total system has a nominally higher rate


> If people named Jane are more likely to eat ice cream, you can't target ice cream ads at them and help keep your site free, without asking them.

Apart from the fact that people named Jane aren't more likely to eat ice cream, you seem to criticize that it gets harder to target ads?

Oh no, that's a real pity. Oh no, poor webmasters.


>Oh no, that's a real pity. Oh no, poor webmasters.

Why are the rights of people who own websites less important to you than the rights of other people?

Regardless, you might not still be saying this once half the websites smaller than Google become subscription-based in the EU or just block the EU altogether.


I didn't really realise it until the GDPR got into full swing but I'd much rather pay with money than with data.

What you're describing is a good thing. If you're going to treat my data like an almost stale slice of pie selling it off cheap to anyone who will buy it - Please do block my access!


Why do you feel entitled to invasive tracking of users?


Loaded question. I don't consider targeted ads etc. invasive.


Well it looks like an entire society decided that. Why does your view get to override theirs?


A law passing doesn't mean an entire society decided it.


> Someone shouldn't have a right to come into my house and tear up a piece of paper in my drawer if I happened to write something about them on it

They don't have that right. GDPR only applies to business. If you mean you wrote it in your house for some business reason then yeah they have the right to know you've done so and why and the right to ask you to remove it if you don't need to have that information.

In no situation do they have the right to come into your house. That's a touch too far into the absurd.


As it seems that we are making society-wide sweeping statements here, I'll add mine:

In a society where the webmasters have shown that they can't uphold their duty to secure PII (or any kind of data really), as evidenced by ~monthly high-profile data leaks, they deserve to be restricted in their "rights to the fruits of their labor".


I find your view very interesting. You have a very capitalist and US law based perspective on it. For one, not everything in a society needs to allow to "collect the fruits" of individual work (which is essentially capitalism). Europe has much more socialism mixed into their understanding of their societies than the US.

Further, the US law is based on risks of heavy punishments but few regulations, while the law in many parts of Europe is based on strict regulations but less high fines. It looks like the EU has too many rules, but that is a subject of perspective.

Problem here: The internet gives a shit about borders and society.


Please don't just say this is a US perspective. This is a sociopath's perspective that the current US legal system promotes due to the machinations of the same group of sociopaths.

Every business owner here who would complain about how the GDPR is taking their rights to their personally earned data away would be the same people who launch a lawsuit because one of their competitor's products had a typeface that was vaguely similar to theirs

There are regular people here, they just don't go starting businesses that have abusing their customers as a business model because they couldn't sleep at night if they did that


Targeted ads hardly qualify as abuse to me. Getting to use a website for free in exchange for your browsing data being analyzed is a great deal and a win/win for everybody.

Surely anyone who disagrees with your feelings on this matter must be a sociopath, though.


It's not just targeted ads. We see a new data breach every week that leaks customer data and is used in identity theft that causes actual, quantifiable damages to users. The entire internet, and increasingly physical goods in our homes, has become the equivalent of a ghetto where every single person has to have bars on their doors and look over their shoulders constantly to avoid having shit stolen from them or their privacy violated.

The GDPR didn't arise out of some feeling that companies were making too much money. It arose out of the fact that the industry refused to self regulate. They were given years to do this and the standard operating procedure for security around data right now is to lol because who cares if you have a breach, that's a problem for the people you harvested data from, not you.

The bad side effects from this data harvesting are called negative externalities. A similar set of negative externalities is pollution.

Do you think it's immoral for regulations to make certain business models that rely on dumping poison into the water or air unprofitable, just because those companies could have made some money if only they could do what they liked regardless of the harm to others?


"Getting to use a website for free in exchange for your browsing data being analyzed is a great deal and a win/win for everybody."

Which is why you are perfectly capable of giving consent to other websites to do that.

"Surely anyone who disagrees with your feelings on this matter must be a sociopath, though."

No, just those who insist on a "take it or leave it" approach.


You're not allowed to "degrade the service" or allow access contingent on consent to targeted ads/tracking, so the practice isn't going to be sustainable for websites when only a tiny percentage of users give consent, seeing how they get to use the site one way or the other - have their cake and eat it too.


> only a tiny percentage of users give consent

Implying that the majority of users wouldn't just instantly click the largest button that says "make this annoying wall of legal text go away" whether that is agreeing to tracking or not?

While the inability to target ads based on data about you and your search history searches removes some amount of advertising income. Websites would still be allowed to show ads, and I would imagine that those ads can be specific to the article currently being viewed.

This is exactly how conventional TV advertising works, just because you don't know the gender, race, political views and entire life story of a website user, doesn't mean you can't get almost the same effect. You can target ads in general at specific content and hit most of the correct users anyway rather than targeting specific users and the content they have viewed in the past.


"The study, which looked at ads run on member networks during 2009, showed that among users who clicked on a behaviorally targeted ad, 6.8% converted. That compared with only 2.8% of those who clicked on a run-of-network ad."

https://www.emarketer.com/Article/Behavioral-Targeting-Doubl...


No one's arguing that the targeted ads don't make more money. We are arguing that the extra value from the ads is not worth violating everyone's privacy.


A quote I heard recently is "Some of you may die, but it's a sacrifice I'm willing to make." That's what the tone towards small businesses/websites in relation to GDPR sounds like to me. I can't understand valuing this right to the "privacy" of not having your (often anonymized) identity tied to a marketing profile so much that you'd rather some free small websites no longer exist and others move to subscriptions.


I am sorry if I formalized it too general. Like you say, it is purely focused on the law system and unrestricted capitalism, which as an individual you either use or not.

Sociopath is a tough word, but in the original non insulting meaning of deviation from the common society, I think the word is right.


"We used to live in a society where webmasters' rights to the fruits of their labor weren't trampled on by inane regulation"

We still do. Nothing has changed on that front.

"Now if you run a website in the EU, any user who signs up to it has control over the contents of your servers and you have to ask in extremely specific detail to do anything with some of that content, and that "consent" can be revoked at any time."

As it should have been from the beginning. Having the standard being that the company hoovers up all your data all the time without telling you what they're doing with it or why they need it was a terrible, terrible thing.

"The EU has shot themselves in the foot and more and more companies are going to refuse to do business with them because of it."

I highly doubt it.


Why do you think consent is required?


> We sleep-walked into a society where the expectation is that any and all data is scooped up and sent off remotely without adequate controls and I think it's great that the EU GDPR is making people wake up to the scale of it.

Government intelligence organizations like the NSA and foreign equivalents will now have a monopoly on unsolicited data collection. Which, combined with selective enforcement to prevent disruption of gov cartels, is one of the few reasons it went through.



