Comments

Who? • February 13, 2020 10:55 AM

In my —I would say— not so humble opinion (I am a European citizen) data protection agencies are useless.

kiwano • February 13, 2020 10:58 AM

I twitched when reading the first link, where it praises how GDPR "puts consumers back in control", not because I have any problems with GDPR (apart from concerns that it might not be enforced as thoroughly as I'd hope), but because in the context of any work I've done around GDPR compliance, "consumer" was generally taken to mean the consumer of the data (e.g. an advertiser, or in the case I was working with, a financial institution consuming statistics to help it assess money laundering risks), and the word people usually used to refer to the people identified as "consumers" in EPIC's statement was "subject".

That said, I don't think that "subject" would really have gone over that well in that context, but I still kinda wish it had said "people" or "individuals". Also, if the data subjects are identified as people rather than consumers, it clarifies that data collected on an individual does not have to have been collected in a relationship involving consumption for the data subject to enjoy the regulatory protections. Surveillance covering the public realm is an obvious case that I think may be wrongly overlooked. (I suppose it also stops people from using the confidentiality of data that an employer has about its employees as a "but people already enjoy protections" straw man. Regardless, the choice of words -- particularly in the context of GDPR -- made me twitch.)

MikeA • February 13, 2020 11:35 AM

I find it odd that anyone who has not been asleep the last few years would expect that somehow, a Federal Data Protection agency would actually protect the data of individuals, no matter what the official charter. One need only look at, say, the EPA and FCC to get a preview of what would actually happen. As for the "Tech industry support", that seems mainly to enable a de-facto toothless federal agency to nullify the California law. Much as the EPA protects energy industries from state or local meddling, and the FCC protects carriers from state and local attempts to protect their citizens.

As the various mutations of a programming parable end: "... now you have two problems"

Obviously • February 13, 2020 2:35 PM

In fact the US does have a world-famous and very prominent Data Protection Agency, that being the one that is so keen on protecting everyone's Data so that it goes to great lengths to obtain every last bit of interest from everywhere around the globe just to ensure its safety back home in good old Utah:)

Intelligence Community Comprehensive National Cybersecurity Initiative Data Center

https://upload.wikimedia.org/wikipedia/commons/e/ed/EFF_photograph_of_NSA%27s_Utah_Data_Center.jpg
https://en.wikipedia.org/wiki/Utah_Data_Center

lurker • February 13, 2020 3:12 PM

One of the links in the epic.org BREAKING story, [https---medium.com/@gillibrandny/] popped up a dialog inviting me to sign in to medium.com with Google, the dialog pre-filled with my First & Last Names, and email address. This is the first time in my life I have visited medium.com, and this browser flushes cookies and local storage at the end of each session. Senator Gillibrand may be out of her depth, or is she just using a smart trick to demonstrate how bad the problem is?

Himdee • February 13, 2020 5:14 PM

@Who?
"In my —I would say— not so humble opinion (I am a European citizen) data protection agencies are useless."

Is window dressing useless? Not if you like to eat broken glass in your salad.

Clive Robinson • February 13, 2020 5:15 PM

@ kiwano,

"still kinda wish it had said "people" or "individuals"."

Firstly "people" are only "individuals" in the biological or physical sense[1] a point most don't consciously realise even though they behave otherwise all the time...

Secondly have you ever heard the expression "any person legal or natural"?

The EU love it for one reason or another and it pops up all over the place. If you have not read the defining articles of the EU then you are going to misinterpret what the Directives actually mean[2].

Yes it's a legalistic conceit to make an organisation such as a limited liability company equivalent to a real flesh and blood person "in the eyes of the law". Whilst that might work with civil law where harms are equated to money, it only works partially under criminal law, where the punishment tariff is a fine only. At the end of the day there is no meaning in "locking up a company" as it is, at the end of the day, nothing more than a contract (articles of association). Thus if a company is wilfully negligent and somebody dies, "Who goes to jail?". Well, crudely, the law works on the notion of "a directing mind", so if there is a piece of paper with a name on the bottom, in theory it should be them. But whilst soldiers no longer have the "acting under orders" defence, nearly all employees in a company still have it (unless officers of a company or of professional standing). The lower down the greasy pole, the more that defence works for you. Company law and case law have put the onus on officers of a company to be "all seeing and all knowing", which is again another legal conceit. Which is why senior company officers never make original decisions as individuals[3]. They instead have a meeting and it's the consensus decision "of the board", and they delegate to one or two individuals, who were preferably not present, who then expand on that consensus decision as given in the minutes or other brief written note. With care --and that's what the big bucks are for-- legally you can demonstrate that there was no individual directing mind... So nobody to go to jail, just a bank balance to lighten... Even sociopathic control freaks like one or two big Silicon Valley Corps know how to play this game, whilst absolutely being the directing mind. One such trick is to start a meeting, say in agreed terms what you want, then be called away before the meeting gets to the decision and delegation phase (on paper at least).

[1] From the non-physical viewpoint a person is "the sum of their experiences", but we have many facets to our lives: we are some people's children, we may also have our own children, and we have social lives that involve others who may have no relationship to the others we socialise or work with. These are best described as "roles"; that is, as physical individuals we have many roles in life, many of which are unrelated. It is a conceit of governments, organisations and software engineers to think of people as "physical bodies with identity tags", because each role in our life really is a separate identity. Try treating your boss as you would your child and you will fairly quickly see that the role relationship is wrong (even if you are the boss's dad or mum).

One of my pet peeves is software developers of multi-tasking programs like web browsers assuming that the person at the physical interface is an "individual, with one identity", not a "multi-roled entity with each role having one or more identities". That is, if you like, there is you, customer of bank1 with A, a current account, B, a savings account, and C, a credit card account. The bank treats the three accounts almost entirely separately, for good reason, so why oh why should some code cutter decide otherwise?.. The same notion applies to the services that you have: mostly they are entirely separate from each other, for good reason, but apparently not good enough for a code cutter. In essence the code cutter is forcing a model for their convenience that does not exist in the real world. Most security faults can be traced back to some code cutter forcing their convenience on a world where it really is a gross mismatch.

[2] They are written this way because each Directive has to be translated into 27 languages as well as having exactly the same meaning under 27 different legal systems (EU members plus EFTA members). Few ordinary people actually get their heads around this, even in EU member states.

[3] Hence the joke/truism of "A good manager ensures they are never in the same room as a decision". A point others would be wise to follow.

Mushroom Cloud • February 13, 2020 7:39 PM

https://epic.org/dpa/

Europe has surpassed the United States in protecting consumer data. The General Data Protection Regulation, which took effect last year, strengthens the fundamental rights of individuals and puts consumers back in control of their personal data. It gives European data subjects rights ... American data subjects have none of these rights.

From a conservative or, say, libertarian, if you will, point of view, we have a fundamental political disagreement.

  1. We already resent the demotion from citizen to subject. Our nation fought a bloody and brutal Revolutionary War over two hundred years ago for that, which the Europeans now so ardently desire to take away from us by military force.
  2. The idea that more and more onerous government regulations will strengthen the fundamental rights of individuals is absurd, when the government refuses to respect our fundamental rights as they are already laid out in the Constitution, particularly our right to be secure in our persons, houses, papers, effects against unreasonable searches and seizures, and against warrants issued on false information or without probable cause.
  3. The insinuation that our basic or fundamental (Constitutional) rights are not natural or God-given, but derive from the minutiae of government regulations, decided on and passed by a law-making body of one or another petty or local jurisdiction, is deeply unsettling to sovereign citizens.

Mark • February 13, 2020 9:54 PM

This is the continued magical thinking that government can reconcile two functions: domestic mass surveillance and digital privacy.

The government has no incentive to increase digital privacy, because it wants access to everything.

We've tried it in Australia:

"The call for more government involvement in digital privacy is nonsensical. A “cyber security tsar” cannot — and can never — effectively balance national security concerns over citizens’ privacy. More government cannot solve an issue caused by government. What’s more, Australia has even attempted this ridiculous concept through Alastair MacGibbon — former “cyber security tsar” — who famously defended the government’s right to compel companies to weaken their systems’ security for easier government access to Australian’s data.

MacGibbon’s actual title whilst in government was, “National Cyber Security Adviser”, yet he defended the government’s right to weaken cyber security in Australia. This is the irreconcilable clash of the two primary functions (listed above) of governments involved in digital privacy."

I've written about this issue, and I'm writing a book to debunk the idea that more government is needed to protect data.

https://www.melbournelibertarian.com/2020/01/government-involvement-hurts-digital-privacy-government-cannot/

To US readers: Don't waste your time thinking the government can a) even understand technology, b) write a law that isn't obsolete by the time it's published, and c) actually write law that is workable in reality.

Winter • February 14, 2020 8:59 AM

@Clive
"Secondly have you ever heard the expression "any person legal or natural"?"

The GDPR only applies to natural persons. Legal persons and the demised are not protected by the GDPR.

1&1~=Umm • February 14, 2020 10:22 AM

@Mushroom Cloud:

"Our nation fought a bloody and brutal Revolutionary War over two hundred years ago for that, which the Europeans now so ardently desire to take away from us by military force."

Have you sanity checked what you wrote?

eireoldeboy • February 14, 2020 11:02 AM

GDPR actually works in dealings with companies. A company was messing about and delaying the issuance of a credit to my credit card. I dropped off a copy of my initial complaint letter to them along with a new letter stating if this matter was not sorted within 14 days, the national data protection commission would be notified. Voila, the credit was issued seven days later.

1&1~=Umm • February 14, 2020 3:22 PM

@MarkH:

"Sufficient answer to your question reposes there."

Yes I see what you mean, potentially echoes of things past.

SpaceLifeForm • February 14, 2020 6:40 PM

In the olden daze, this may have been called

Security Theatre.

Admission apparently still low price.

RealFakeNews • February 14, 2020 11:52 PM

GDPR is a joke, as is the wider EU Data Protection racket.

GDPR, as originally intended, had teeth, but it was too effective, so following its introduction amendments were passed to quickly neuter it in order to allow data collection and sharing to continue.

Chief among those complaining about its efficacy were allegedly the online ad industry, as they collected data in multiple countries across borders - something the original GDPR pretty much prevented.

It's nothing more than a joke now; a paper exercise for lawyers who charge handsomely for nothing more than a "consent" form, which is really a loaded gun held at the head of end-users.
