Prepping up for GDPR

As you have probably been made aware by the flurry of privacy policy updates in your mailbox, GDPR is coming.

While I am not convinced that GDPR will avoid turning into a perfect showcase for “the road to hell is paved with good intentions”, it is also a good opportunity to update BeginEnd.net to use the 64-bit version of DWScript and add a few missing features.

BeginEnd.net has now been running for a few weeks on the 64-bit DWScript sample/simple web server, without crashes so far 🙂

In the updated account page (click on your alias once logged in), you have access to:

  • The list of your votes
  • The list of your “quieted” blog feeds
  • The list of current active sessions, with a button to drop them
  • A link to delete your account

In terms of cookies, BeginEnd.net uses the following cookies:

  • Session cookie, once you have logged in
  • CloudFlare security cookie. I am not sure what will happen with that one: I do not see how CloudFlare could provide its security features without it, but they may have some technological surprises in store.
  • Google Analytics cookie. Data retention has been set to 14 months and IP anonymization is active, but cookies are still set, so in theory explicit opt-in consent is required.
  • The current/old cookie notice’s own cookie.

Interestingly enough, GDPR Recital 42 requires a demonstration of consent (i.e. proof) for both acceptance and rejection of cookie consent. While poorly defined, such a proof can only be a form of personally identifiable information… Meaning that even if you say “no” to cookies, the website has to keep a record of you saying “no”, as well as of any subsequent change of heart. Orwell would be proud.

The direct consequence is that, at the moment, the only way to fully comply with all GDPR recitals seems to be to either:

  • have a static website with no persistent user interaction, as you cannot really do without cookies for bot abuse prevention.
  • require users to register an account (or use a social login), i.e. make consent and social tracking compulsory.

In particular, for websites financed through advertisement, this may be the only option, as “tracking walls” are not allowable under GDPR, and no advertiser will be willing to return to the click-abuse-by-robots era. The social login requirement also nicely defeats ad blockers and other browser-based privacy features.

If you use a social login on the other hand, then consent can be gathered once and for all (rather than once per site), the user experience stays friendly, the social networks gather more data, and they do not need to share personal data to take advantage of it on their own ad networks. Everything is fine from a GDPR point of view.

Thus my contrarian point of view is that the GDPR will turn out as a big boon for the Big Four:

  1. social logins will become a requirement for merely browsing the web from the EU
  2. people will be locked in once they are using their social logins everywhere
  3. regulatory barriers will ensure no EU-based social login or advertisement alternative emerges

So depending on how strictly the GDPR gets applied on May 25th, a social login may be required for EU users to access BeginEnd.net and DelphiTools.info, or I may block EU users entirely if fines start falling around.

But hopefully, sanity will prevail…

6 thoughts on “Prepping up for GDPR”

  1. Like many others, you misread the GDPR. Don’t collect personally identifiable information, and you don’t need consent. So your assertion “social logins will become a requirement for merely browsing the web from the EU” is false (https://gdpr-info.eu/art-4-gdpr/).

    A lot of FUD is being spread about GDPR, because of course it makes the unrestricted collection of personal data, and its sharing and processing much harder, which is exactly the aim of the GDPR.

    PS: requiring a name and email for each post falls under the GDPR – and you have to inform the user about its data rights and ask consent.

  2. @KMorwath GDPR classification for what constitutes PII is very broad: it includes IP addresses for instance, and when you collect them (even just for a comment or voting system), then you fall under it. Anonymized IPs are too broad to prevent comment spam, and this is no joke: on this blog alone I see on average a thousand spam attempts per day.

    GDPR requires being able to list all the data you collected on a person to that person, but you first need to ensure that the person that is asking is really the person whose data you collected, which means you need to keep enough PII for that (fail that and it’s a data leak under GDPR).

    Collecting no PII means no comment system, no voting/polls, not even non-personalized ads (these still require cookies and PII to prevent cheating and click spam). Even analytics become complicated: use Google Analytics, you need agreement and consent, keep analytics on your server, then you need to be able to prove you properly anonymize them.

    It is much, much simpler to just require a social login or host your content in the walled garden of a social network: it solves all the above. It gives a clear path for agreement, ensuring identity, being able to fulfill right to erasure requests, etc. And the social network is likely to take care of all of that. Even better, should trouble arise, the social network is the one that will get fined.

    The Big Four can shrug off millions of dollars of fines or multiple percents of income. On the other hand, a 1 million dollar fine will be enough to obliterate any small company or budding website.

  3. Do you think it’s really better?

    https://www.theregister.co.uk/2018/04/19/facebook_third_party_site_login_security_leak/

    And no, not only the social network will be fined – you will be still under the GDPR, don’t believe you can pass all responsibilities to the “social provider” – you could still be the data controller, and FB just the data processor.

    GDPR doesn’t forbid you to store PII – they just need to be needed for the service, and you have to manage them properly. Even a small site can cause big damages to people if it collects far more than it needs, and is sloppy in protecting it. Running a site and collecting personal data implies responsibilities, sorry.

    Even for the big four, a 4% fee calculated on *revenues* – not profit – runs into the billions. Shareholders may not be happy at all… and depending on the non-compliance, smaller companies will not be fined a million dollars – unless they are being run criminally. That’s again just FUD.

    I’d suggest you ask a GDPR expert before finding yourself in trouble (I can’t do consulting outside the company I work for, sorry).

  4. No, what FB did is not right, and most damaging data leaks originated from large companies or government institutions (even the FBI leaked employee databases). But GDPR is not addressing that risk; it might have meant to at some point, but the final text is more about concentrating control of data. A few percent of revenues would anger Big Four stakeholders, sure, but it would still just be a fraction of their growth, and they have armies of lawyers to mitigate it. For a small company, it’s instant death.

    If you require social login, you gain a simple way to identify users and comply with GDPR in case of requests. You can also drastically limit the PII you need for spam defense. Without it, you need to collect and manage it all, plus the UX will be poor and messy. More passwords, more accounts, more risk of leaking that critical data.

    If I require a social login, I no longer need to defend comment forms or polls myself; the only data I keep are comments and votes. All unambiguously attached to an account, easy to list, easy to delete. Not really critical PII since comments are public, and votes can also be made public at the end of a poll. Highly qualified analytics come as a bonus.

    And if you host your whole content on a social network, the GDPR buck entirely stops with them (like for YouTube or Facebook walls). If you host on your own WordPress or whatever, you’re under GDPR. So if it’s just a non-commercial blog or site for which you just want feedback and interaction? Social networks are the only practical solution under GDPR. Doing otherwise is taking million-euro risks, not a choice really.

    Heck, that companies need or seek counseling on GDPR is a harbinger of things to come: they are and will be outsourcing their compliance… And guess who’s got the best UX and market dominance for that?

  5. We’ve had a similar law in the Netherlands for a long time. It’s actually not that hard to comply with, but yes, you’ll have to be careful about how you treat sensitive user data. Nothing bad about that.

    My prediction: no small weblog or forum is going to get any fine. Some warnings will be sent out which will reach headlines. The EU will probably pick some high profile company that refuses to cooperate in a case that the EU is sure to win. That should scare anyone else off enough to get a maximum effect.

    As a blogger, you probably don’t need to fear unless you deliberately do crazy stuff, and refuse to comply after receiving warnings.

  6. @Wouter we also had one in France, but what changes with GDPR is the required opt-in for cookie consent (along with legal proof of consent), plus the fact that data controllers are liable rather than just data processors, i.e. in case some disgruntled user did not want FB to know he was on site X, then the owner of site X will face the fine because, while not making an FB account required, he/she allowed FB cookies at some point when the user visited X, and/or did not properly forward a subsequent request for erasure for that visit to FB (or could not prove he forwarded it).

    The bottom line is that even if such complaints are rejected by judges, merely having to lawyer up or deal with an inquiry is already a lot of trouble for an individual or small company.
