Not nearly as liberal as the US though. Afaik you are very much limited where you are allowed to have ammunition loaded into the rifle, concealed carry isn't a thing at all and the police can ban you from owning guns
And how do you address the massive injustice in wealth and opportunity distribution already present because of centuries of capital and power sharing the same bed? I'd be all for your proposal if it included a way to nationalise all capital above a certain threshold, bring everyone to that threshold and then distribute the rest based on merit. But I don't think that is possible. But your proposal assumes not just a just world, but that the world already has been just for 100s of years
Ah yes, I have a solution for that. Link tax breaks to having children, and penalise the childless wealthy. Eventually society will be mostly comprised of the descendants of the successful, and inequality will be reduced.
Millionaire parents having one child concentrate their wealth into a small part of society. They should instead be having multiple. Success and intelligence have a genetic component, so you're improving the overall health of society through such measures as well.
Otherwise there are far less radical things than breaking up and dividing wealth (which has worked horribly in the past - look at the USSR). Simply breaking up large monopolistic tech companies such as Valve, Google and Amazon for example, as was done for Bell Telecom.
I'm often amused looking into simple solutions for complex problems. Sometimes though I'm tired of reminding about the pitfalls on this path.
What you propose is not particularly well supported by explanations. There are examples in the past (I'm omitting them) when such an approach led to bad things.
Sure, but the EU is not an insignificant market and to be honest, this could have a similar effect to anti trust laws. Have European companies build up competition against the US behemoths.
China is an unfree hell hole that I don't want to live in (social score) but you can't argue that from the position of developing a domestic industry their selective blocking/worsening of services allowed the ecosystem to grow instead of sharecropping on Google's "platform"
> This may be an edgy and rebellious sentiment that makes me a radical anti-privacy activist, but unless you're storing levels of information on me that are similar to facebook/google/etc., I do not give a damn whether you're soft-deleting or hard-deleting my IP address and my user account. If your web app is just a web app, and not one component of a vast surveillance octopus which puts tentacles on almost every website using social media buttons and GA.js, I don't think it matters in the slightest.
> It feels like all these tiny companies, one-man shops, and early-stage startups are going to be collateral damage to a regulation designed to stop facebook and google from knowing a horrific amount about everyone. In fact, it feels like a regulatory moat that will do very little to impede any big tech company while forcing me to do twice as much work for any side project I try to develop.
If you don't store PII, you don't have to do any work. Done. If you need to have PII for your webapp to function, you barely have to do any work besides giving the people that care their rights
> There's so much smugness about the GDPR being a "good reflecting moment", etc. which makes me think that people who support the GDPR believe that there's no way detractors could disagree with it in good faith or for good reasons.
I think it's mainly a difference in viewpoint: this is my data for me. Not yours. GDPR makes it easier for me to enforce that. From my perspective I don't care about you violating my rights "in good faith", just like most people don't care if you trespass on my property and steal something "in good faith".
> If you don't store PII, you don't have to do any work. Done. If you need to have PII for your webapp to function, you barely have to do any work besides giving the people that care their rights
The problem is not the work that the GDPR requires, the problem is the work I'll have to put into understanding the GDPR.
> I think it's mainly a difference in viewpoint: this is my data for me. Not yours.
This is the part that I don't understand. If I own a shop, and you come in and buy something, you have absolutely no right to demand that I forget your face and your purchase. In the real world, it's not your data, it's my memory. If I go home and write in my diary that today hekfu bought lots of broccoli, you don't have the right to come to me in five years and demand that I remove all mention of you from my diary at my own cost.
I don't understand the concept of data ownership, because it does not align with how I understand the real world to work.
> In the real world, it's not your data, it's my memory.
This is where there's been a divergence on thought. In the real world you have limited capabilities to collect and store the data that is currently being collected. You're physically limited in how much you can retain and retrieve. In your old timey example I assume the diary to be sitting there in the back of the shop just being a record of my name and what I bought, but that's not how a lot of data is being used or being collected online.
The equivalent would be you making the diary automatically write down a potential unlimited amount of data on me and then using it to sell advertising the moment I enter the shop.
If I went past your store and it automatically retrieved physical details about myself, what I'm wearing, my interests, hobbies, location and you then built a profile and then sold this information to advertisers there absolutely would be regulations regarding this in the real world.
Privacy limits
As retailers trial such tech they are well aware there is a risk of a privacy backlash.
Clothes store Nordstrom recently cancelled a scheme which tracked customers' movements through its stores using their phones' wi-fi signals after complaints.
"Are we willing to accept our everyday movements being monitored and analysed, not to keep us safe but purely to allow advertisers to target us? I think people will start to say no, our privacy is worth more than a few advertising dollars."
--
You say shop with a diary to present the most innocent of examples but for every shop with a diary there's billions of stalkers following people everywhere they go to learn as much about them as possible in order to sell them products and influence how they think which they never agreed to.
I totally agree, but that's an argument against some specific practices, while the GDPR is a scattergun approach that legislates much more than behavioural profiles and advertising. Barely-profitable or loss-making services acting in good faith are now under the same requirements as odious billion-dollar advertising companies, and some of the former are going to go under because of the GDPR, while all of the latter are going to be fine.
> If I go home and write in my diary that today hekfu bought lots of broccoli, you don't have the right to come to me in five years and demand that I remove all mention of you from my diary at my own cost.
I asked this question in a comment [1] here on HN a few weeks ago. There were affirmative responses that yes, the shopkeeper should in fact be held to account for keeping notes on who came into his store.
This is largely because the law doesn't care about implementation details. If a grocery store had a system which meticulously logged every customer that came into their store, when, and what they bought (i.e. loyalty card profiles) then we have to deal with issues related to privacy and data protection. Doing the same thing with pen and paper won't be seen as a meaningful difference.
If you're using the data to make money, and the user is generating that data, why do you just get to keep and sell it? How is that any different than you owning some forest land and I just come in and take some animals from the land to sell for meat?
You might call it poaching, but that only became a crime when society made it one, and that's what the GDPR is doing now with personal data.
It does apply to everyone, but since data is so valuable now, I would think the ethics still apply.
Data about users has become a valuable asset, and taking it from people now is depriving them of that value, whether or not you personally use it to make a profit.
The problem is that I can't afford the services of a lawyer, or a data protection officer, for a non-profit project. Especially not to satisfy regulations made in a foreign land far away from my own. So the only option left on the table is to block the EU.
> you don't have the right to come to me in five years and demand that I remove all mention of you from my diary at my own cost.
I hate to break it to you but yes I do: by doing business within the EU market you're accepting that. In fact you're accepting that the very same way that you're accepting that you can't store all your clients' credit card/cvv numbers that are used on your store.
See, to me, that looks like an intolerable imposition onto my basic humanity. It's legal for me to remember you, but not to write down anything about you in my diary? Does that not seem unsound to you? Does it not seem to trample all over common decency and common sense, to in some way cause harm to older people who can't just rely on their grey matter?
I freely admit that keeping a diary is not the same as keeping customer details, but that's the point here: why are they treated the same?
There is a qualitative difference between degrees of data collection. What you can see and remember is a different category from what you can write down; what you can write down is a different category from recorded audio/video; what you can record with conventional equipment is a different category from what you may capture and store using all available technology e.g. DNA sequencing. In general, the more powerful the technological aid, the stronger the regulation.
Even just the first two, seeing and writing down, are legally distinct. Supermarket checkout staff handle hundreds of credit cards a day. How do you think the law would react to such an employee writing all of them down?
It's not discriminatory against old people, because even a completely amnesiac person armed with a notepad can permanently capture vastly more information than all but a photographic memory.
They are treated the same because you are collecting data about others and GDPR regulates how this should happen.
If you want to collect the data, then it must be relevant for your business and that warrants you should treat it properly.
Upon a request for erasure you should use reasonable measures to remove it. Wiping your memory is absurd and is never considered reasonable – no need for a lawyer to rule that out.
> If you don't store PII, you don't have to do any work. Done. If you need to have PII for your webapp to function, you barely have to do any work besides giving the people that care their rights
A server 'processing' (which seems to include using it in any way, not just storing [1]) your IP address appears to fall under the GDPR[1], and said server would be in violation of the law unless its processing falls under one of the exemptions.
The main exemption appears to be getting the user's explicit consent, though there's also this super vague exemption: "for your organisation’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the person whose data you’re processing aren’t seriously impacted." [2]
In general, it seems very hard to avoid the GDPR because what is considered 'personal data' is extremely broad.
Yeah, you're putting too much emphasis on consent. It's only one of six lawful bases for processing data, and in fact the one with the most stringent rules.
I used "legitimate interest" as my lawful basis for logging IP addresses and website usage information. From the UK ICO's guidelines [1]:
"It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing."
There's a three part test:
1. Identify the legitimate interest: ensure the security and stability of my systems.
2. Show that processing is necessary to achieve it: need to know when and how the site is used in order to troubleshoot problems and detect abuse
3. Balanced against individuals' interests: We pseudonymize logins so usage information is not obviously related to specific individuals. There is no sensitive data on the site that can be revealed by usage data. The retention period is short which further limits what can be revealed.
Now, people here on HN might nitpick my logic, but fortunately they're not the regulators. I'm confident that, in the very unlikely event that a regulator even notices my little businesses, that I'll be able to correct any mistakes before fines come into play.
> I'm confident that, in the very unlikely event that a regulator even notices my little businesses, that I'll be able to correct any mistakes before fines come into play.
Every business owner in Romania knows two things:
- the IRS equivalent will investigate them periodically, usually every few years
- they will ALWAYS find something to fine the company for
Sure, you will have to correct the something, but that doesn't mean you don't have to pay the fine anyway.
Also, incidentally, the company I was branch manager for has been once investigated by the police for credit card theft (they received a complaint). They couldn't find anything (because we didn't steal any credit cards - we just had a lot of computers because we were programmers, working for the main company in the US) but, in order not to have wasted the raid, they decided to prosecute us for copyright violations (they found a few pirated games).
So, at least in Romania, there is no such thing as "correcting mistakes before fines come into play".
If your business was in the UK, the ICO can and would be able to stop you processing data, and get a search warrant for your business address. This is because they report directly to the government.
I doubt you'd be able to fix any issues before they get involved.
2. There's a comment elsewhere in the thread to this effect, but short-term logging for the usual purposes of managing stability/security of a system almost certainly qualifies as legitimate interest. Don't keep the logs indefinitely, but I figure nginx's defaults with a week's retention period is quite reasonable.
The relevant authorities also have a track record of giving people warnings and time to fix things, so especially for something so trivial, I'd basically just make a good faith effort and not stress about it.
I agree, we should also get rid of copyright and property laws in the name of not "stifling innovation". It is absolutely ridiculous that I can't just walk into people's homes and install my 'adtreckr' eye tracking cameras on their TVs, even though that has the potential to revolutionise the amount of engagement and make sure that they only receive the most engaging, most relevant ads for their tastes. /s
Less satirically, you are free to innovate by coming up with new tech, then selling to people who care enough to deal with regulations. The 'stifling innovation' copout is so utterly overused by people who want to ignore negative externalities like pollution or the surveillance state we are building up. I am starting to think of it as a type of rent seeking: "I am currently in the privileged situation of having the technology and network effect necessary to exploit this unguarded treasure of X without dealing with the fallout. Please don't pass any regulation requiring me to actually pay my dues"
I think there's a very specific motivator behind people who build tech with the intent to sell, and that motivator doesn't cover every reason behind other people who build tech. If I want to start a project and think, "cool, if this works out, i'll sell it 6 months from now so it can actually do cool stuff", I'm just not going to work on that project at all.
Honestly though, I would _love_ to live in a world where you could walk into my home and install your 'adtreckr' eye tracking cameras on my TV. What you're describing is "trust", and I think the amount of it that each person has (for people in general, but also for companies) is a big influence in how they view GDPR (and other regulations that some might argue are unnecessary). Obviously, we're very far away from that world, so this isn't consent for you to come waltzing into my home in the near future. :)
In my eyes, the satirical representation of what's happening here (from a consumer's point of view) is me placing an order for your awesome new eye tracking cameras, looking forward to the delivery and installation, and then seeing delays and delays as you repeatedly come back with, "well, are you sure you want this? are you sure I can enter your home? are you sure I can touch your TV? are you sure I can modify your TV?" I signed up, I paid for it, I told you I want it, just do whatever you need to do to give me it.
From a business POV, I already treat user data with utmost regard, and my users know that. Similarly, I trust that the companies I willingly give my data to do the same. There are probably some bad actors in the mix, but I doubt they're going to bother with compliance anyway. Having to go out of my way to prove that data trust is there to a third party completely uninvolved with the contract I have with my users, and to spend hours and hours implementing new workflows and pipelines for out of scope functionality that needs to be maintained indefinitely -- this is not good for a business. It's bad for small businesses because it sucks up time, money, and other resources, and it's bad for big businesses because it opens up such a huge area for litigating non-issues. It might have some value to users, as I said elsewhere, but it's a heavy-handed regulation that is too overreaching in its implementation, in my personal opinion.
> Honestly though, I would _love_ to live in a world where you could walk into my home and install your 'adtreckr' eye tracking cameras on my TV. What you're describing is "trust", and I think the amount of it that each person has (for people in general, but also for companies) is a big influence in how they view GDPR (and other regulations that some might argue are unnecessary). Obviously, we're very far away from that world, so this isn't consent for you to come waltzing into my home in the near future. :)
Anarchy is always ruined by all those people! (I'm a big fan of trust, and not a big fan of Hayek, but Hayek had an insight when he talked about the micro and the macro cosmos. People are too diverse for us to rely on "trust" to solve things, we need agreed on official rules)
> In my eyes, the satirical representation of what's happening here (from a consumer's point of view) is me placing an order for your awesome new eye tracking cameras, looking forward to the delivery and installation, and then seeing delays and delays as you repeatedly come back with, "well, are you sure you want this? are you sure I can enter your home? are you sure I can touch your TV? are you sure I can modify your TV?" I signed up, I paid for it, I told you I want it, just do whatever you need to do to give me it.
No. If you opt into buying my camera, since it is explicitly necessary to do all of that stuff, the consent is given as part of the buying contract. I just need to clearly state and explain that. If you had to gain access to Facebook or instapaper via a huge opt in order form (let's say a pop-up detailing exactly what happens to your data), then it is equivalent...and that is exactly what GDPR requires
> From a business POV, I already treat user data with utmost regard, and my users know that. Similarly, I trust that the companies I willingly give my data to do the same. There are probably some bad actors in the mix, but I doubt they're going to bother with compliance anyway. Having to go out of my way to prove that data trust is there to a third party completely uninvolved with the contract I have with my users, and to spend hours and hours implementing new workflows and pipelines for out of scope functionality that needs to be maintained indefinitely -- this is not good for a business. It's bad for small businesses because it sucks up time, money, and other resources, and it's bad for big businesses because it opens up such a huge area for litigating non-issues. It might have some value to users, as I said elsewhere, but it's a heavy-handed regulation that is too overreaching in its implementation, in my personal opinion.
If you already do everything that is commonsense data protection, which is the bulk of what is required by GDPR, then all you have to do is document that. If you cannot guarantee that the data is not shared, then the third party isn't uninvolved in the contract you do with your users.
Honestly, think of my data as something I own, like my house or my car, and GDPR becomes easy. Think of it as something you "create" by tracking me on your site, and your point of view becomes easier. I like my world better
I have a hard time seeing any justification for your view. Why would you own data about yourself? Do you own your name? Do you own the fact that you went to taco bell for dinner last night? Can you sue someone else for knowing you went to taco bell last night? Should it be a crime for someone who knows your name to tell someone else your name? What if they do it for money?
"Owning" data about yourself is a very strange concept to me.
Welcome to the real world. If your little hobby project leaks the personal information of a real person, then they don't care how much of an unimportant side project it was to you.
For purely personal use "hey guys, this is just a hobby use at your own risk" you won't get hit with GDPR
Imagine if you were building cars for a hobby then selling them. Would you complain about all of those onerous regulations like seatbelts, crunch zones etc when all you really want to do is tinker with some cool engine tech?
I don't see what leaking personal information has to do with collecting crash data, or using Google's infrastructure to store my data. Why should I have to be on the hook for what is most definitely much safer than trying to safeguard the data myself?
Like I said, all it will accomplish is discouraging projects like mine that aim to provide utility to some people. One of my released hobby apps is no great commercial success (I don't show ads or collect revenue), but it's one of the top rated apps in its category on the Play Store, and I have about 20k DAU.
If the GDPR ever came after me for it, I'd just take the app down. Bam, 20k people a day affected because of over regulation.
Also, I wouldn't equate personalized ads with the life and death regulations involved in the auto industry.
You don't really though? Unless I missed the bit on how you want to get paid. All I see is 'building a great open source infrastructure', which while I applaud and is noble, is not widely accepted to pay rent so far
Ha, you're right, sorry. We think we'll be able to sell value added services to our ecosystem (for example, consulting services, insurance, data feeds, etc.).
We will also investigate token models to see if there is a way to make the underwriting process less trustful, and this token model may be a revenue generator as well.
>You would do much better job by first learning what the world outside your country has to say about those simple ideas of yours.
1. This sounds a bit condescending
2. E.g.: Switzerland just voted to keep theirs. Seems to be seen as desirable
3. OP's problem wasn't that they are an outlet for a political faction, but that they struggle to finance themselves and are almost forced to pander to an audience to attract advertisement
4. Living in a country where the state financed media is heavily status quo biased (Germany) but also produces and finances some of the most scathing criticisms of the same (Boehmermann), I feel we need to be wary of false equivalences. State financed media isn't a perfect panacea to political pandering, but it's definitely better than the cesspool that comes from having only private media sources (or depending on the 'good will' of billionaires)
The Swiss voted to keep it but a huge minority voted to scrap it - a much larger chunk of the vote than the Swiss establishment had expected. I think they only won the vote in the end by promising some reforms.
The UK funds the BBC in a similar way. I used to think it led to better results, but frankly I don't see much difference in quality of output between BBC, ITN and Sky News - they all suck in exactly the same ways. It's not surprising given that journalists are all a pretty homogenous lot. If the BBC license fee came up for vote I'd be tempted to scrap it.
BBC News Online in particular feels like it's degraded significantly over time. It used to be hard news, all the time. Now half the stories are lightweight human interest stories, and it's absolutely flooded with feminist / identity politics virtue signalling crap. I feel like the last 10 times I went there, probably 8 of them had multiple "why women are wonderful" / "about an inspiring woman" stories on the front page. Maybe they're being driven by click volumes or something, I don't know, but if they are they may as well just be a fully commercial entity.
They argued that the BBC was using its guaranteed income from the licence fee (originally for just TV and Radio) to crowd out the competition in the UK, by being too good...
Their website still has just as much content on it as before, it's just differently focused. I don't really believe anyone in the newsrooms there said "hmm we have a lower budget this year, all we can afford is feminism!".
> BBC News Online in particular feels like it's degraded significantly over time. It used to be hard news, all the time.
Last year the BBC had a story about how their own news website has changed over time [0]. It concentrates on the format rather than the content but the screenshots do seem to show a higher density of 'hard' news info per page.
My gut reaction is to agree with your comment about lack of hard news. However, I decided to check for myself, looking at the first screenful of today's front page [1 - unfortunately not a permanent link]. It has 13 distinct topics (on my large monitor), and the main topic (N Korea and Trump) has two pictures, one short sentence, and three sub-story bullets. I was pleasantly surprised to see that most of the headlines are in fact informative statements (e.g. "1,600 skilled workers denied UK visas") although one ("Celebrating mixed-race identity") needs you to click through and isn't news as such. Whether these stories do in fact represent today's real issues, or have been picked to conform to the BBC's own agenda (whatever that may be), though, remains an open question
(Hmmm. I'm accessing the BBC website from the UK (the clue is in the '.co.uk'). What does the rest-of-world facing site (bbb.com) look like? I used Google Translate to check the non-uk version [2] and this seems also to have 'hard' headline statements although there is a different mix of stories.)
That first link is pretty damning. You're right, the older images are almost all of hard news.
Here are some of the stories I see on BBC News currently:
- N Korea threatens to cancel Trump summit
- Italy's populists plan to defy EU rules
- Body clock linked to mood disorders
- Controversial Russia-Crimea bridge opens
- Row over World Cup flirting manual
- New Girl bids bittersweet farewell
- Bank chief sorry for menopausal gaffe
- Anne Frank's dirty jokes uncovered
- Meghan's dad may miss wedding over surgery
- Celebrating mixed race identity
- Why is Spanish ham so expensive?
- Ghana shoe seller takes on ex-dictator
I'd say that the vast majority of these are lightweight human interest stories, several of them are just ID politics masquerading as news and some are both. Why is stuff about TV show New Girl on the BBC News front page?
The story about the "menopausal" gaffe turns out to be that a Bank of England governor described some economies as "menopausal, past their peak, and no longer so potent". This apparently is a gaffe worthy of being in the business news section. It's not clear to me why it's even a gaffe to begin with. Do feminists now argue the menopause isn't a biological event at all? Apparently they do, according to some random economics professor at some random university (the BBC loves quoting academics) - "It conveys a rather derogatory view of women. I've never thought of the menopause as not productive".
It's really pretty trashy. Very different to how it once was.