Security quotes of the week
Would definitely write another security vulnerability into my code again if I knew that Larry would report it. ;)
These twin factors -- expensive compliance and liability for publishers with out-of-compliance ad-brokers -- have enhanced Google's business at the expense of its smaller competitors. The massively profitable, dominant Google can easily afford best-of-breed compliance, while the little competitors (including the scrappy Made-in-Europe competitors to Google) don't have the same kind of resources. Some of these little guys just go out of business (or exit the EU market), and the remainder struggle to drum up business as publishers ask themselves whether they're willing to risk costly penalties if their little-guy ad-broker turns out to be out-of-compliance.
Posted Oct 25, 2018 5:19 UTC (Thu)
by Yorhel (subscriber, #91403)
[Link]
Posted Oct 25, 2018 7:25 UTC (Thu)
by mjthayer (guest, #39183)
[Link]
Posted Oct 25, 2018 11:57 UTC (Thu)
by patrick_g (subscriber, #44470)
[Link] (15 responses)
There is a good answer to this.
This law was written with the express purpose to rein in some of the worst violations of the privacy of EU citizens during their online activities. If becoming compliant with the law will cause your business to go under that is more or less the same as saying that your business is built on gross privacy violations. So if that’s your business model then good riddance to you and your company. However if that is not your business model then most likely you will be just fine.
Posted Oct 25, 2018 12:24 UTC (Thu)
by pizza (subscriber, #46)
[Link] (11 responses)
Beware of the law of unintended consequences.
The biggest, supposedly most egregious players will be just fine; they have the resources to adapt and fully comply. The smaller players -- including individuals who maintain any sort of self-hosting -- will not fare so well, and that's even before the very real problem of bad-faith actors is factored in.
Posted Oct 25, 2018 12:56 UTC (Thu)
by niner (subscriber, #26151)
[Link] (4 responses)
2. This Regulation does not apply to the processing of personal data:
Posted Oct 25, 2018 13:20 UTC (Thu)
by pizza (subscriber, #46)
[Link] (3 responses)
That "purely personal or household" bar is a threshold set so low that it is difficult to not overstep it.
For example, if my blog or online presence has advertisements to offset operating costs. Or I talk about my commercial consulting or photography efforts. Or host open-source software, including mailing lists and git repositories -- a "public service". Or indeed, host anything myself (making me the "publisher" instead of just the "author" using someone else's platform).
None of those are "purely personal or household activities."
Posted Oct 26, 2018 11:14 UTC (Fri)
by anselm (subscriber, #2796)
[Link] (2 responses)
But many of them don't require you to deal with other people's personal data at all, and even those that do generally won't involve your building up massive Facebook-style profiles of your users or sharing their personal data with third parties.
For example, if you operate a mailing list then all the personal data you need to deal with are people's e-mail addresses and possibly one string per user that they designate as their “name”. You don't need to share that data with anyone else. This means that your mandatory privacy statement etc. will be quite brief.
If you operate a web site where you “talk about your commercial consulting or photography efforts”, then unless you have some sort of commenting facility for users the only thing to watch out for are client IP addresses which your web server might log. Again, not a big deal; most web servers support a facility that will truncate or otherwise de-personalise client addresses in their log files.
(If your “photography efforts” include publishing portraits of people then you need to make sure that the people in question are OK with this, but that would be required even without the GDPR.)
And so on. Of course if you deliberately invite other users to contribute to your site in some fashion then there are more i's to dot and t's to cross, but even that is not exactly rocket science.
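The log-file de-personalisation anselm refers to, as an added example that is not part of the original thread: a small Python filter that truncates the client address in access-log lines to a network prefix before the line is kept. The /24 and /48 widths, the function names and the sample log lines are assumptions for illustration, not anything from the thread or from a particular web server.

```python
import ipaddress
import re

# Client address is the first field of a Common/Combined Log Format line.
# IPv6 literals contain ':' so the character class covers both families.
_LOG_RE = re.compile(r'^(?P<addr>[0-9a-fA-F:.]+)(?P<rest> .*)$')


def anonymize_address(addr: str, v4_bits: int = 24, v6_bits: int = 48) -> str:
    """Zero the host part of an address, keeping only a network prefix.

    The /24 and /48 defaults are assumed values chosen for this example.
    """
    ip = ipaddress.ip_address(addr)
    bits = v4_bits if ip.version == 4 else v6_bits
    net = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
    return str(net.network_address)


def anonymize_log_line(line: str) -> str:
    """Rewrite the client-address field of one access-log line.

    Lines that do not start with a parseable address are returned unchanged
    rather than dropped, so nothing is silently lost from the log.
    """
    m = _LOG_RE.match(line)
    if not m:
        return line
    try:
        masked = anonymize_address(m.group("addr"))
    except ValueError:  # first field looked address-like but was not one
        return line
    return masked + m.group("rest")


def anonymize_log(lines):
    return [anonymize_log_line(line) for line in lines]


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.42 - - [26/Oct/2018:11:14:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [26/Oct/2018:11:14:01 +0000] "GET /x HTTP/1.1" 404 0',
    'garbage line without an address',
]

if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
```

Run on the constructed lines, the IPv4 address becomes 203.0.113.0 and the IPv6 address becomes 2001:db8:abcd::, while the unparseable line passes through untouched.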
Posted Oct 26, 2018 13:26 UTC (Fri)
by pizza (subscriber, #46)
[Link] (1 response)
It doesn't matter if I have no intention of sharing data, or how much "personal" data I (intentionally or otherwise) accumulate. The threshold is *any* data, and the simple fact of the matter is that running any sort of public-facing service will result in accumulating at least some "personal" data (even if just incidental in the process of providing the service) that falls under the purview of the GDPR.
This doesn't include the likes of email logs/archives, and bug tracking -- where "personal data" is routinely sent to me (unsolicited!) by random folks, many of whom do reside in the EU.
Don't get me wrong, I generally agree with the stated intent of the GDPR, but the devil is in the details.... And there are a *lot* of details.
Posted Nov 1, 2018 9:14 UTC (Thu)
by richard77 (guest, #117898)
[Link]
Posted Oct 25, 2018 13:02 UTC (Thu)
by patrick_g (subscriber, #44470)
[Link] (4 responses)
Please read the link I provided.
Posted Oct 25, 2018 13:24 UTC (Thu)
by pizza (subscriber, #46)
[Link] (3 responses)
The point is, it's an additional burden, and that burden is _heavily_ front-loaded.
...and it explicitly applies to non-EU citizens/residents/businesses/entities.
Posted Nov 2, 2018 10:41 UTC (Fri)
by Wol (subscriber, #4433)
[Link] (2 responses)
(a) the "legitimate" spammers, and
(b) people whose security model is "who cares".
In other words, companies that most Europeans would like to see wiped off the map, anyway.
My real problem with the GDPR is GDPR officers who don't actually know what they're doing - as a charity volunteer I've already seen screw-ups from people who should have known better ...
The GDPR can be summed up pretty simply as
And isn't that good customer service, anyway? I know a lot of companies have made their way on to my personal "don't buy" list because I've been repeatedly spammed with junk I just do not want.
How many of these database personal details heists in the last what, 20 years, would have been stopped if companies had been following the GDPR? A hell of a lot of them, because the data would just not have been there to be stolen.
Cheers,
Posted Nov 5, 2018 11:24 UTC (Mon)
by tao (subscriber, #17563)
[Link] (1 response)
Posted Nov 10, 2018 2:14 UTC (Sat)
by flussence (guest, #85566)
[Link]
Posted Oct 25, 2018 14:33 UTC (Thu)
by nim-nim (subscriber, #34454)
[Link]
Google is winning market share, because it provides this security and others just plain didn't.
Concentration is a completely different problem and GDPR was not about concentration; there are antitrust laws for that.
And if you say "but now a hole in Google would make the situation that much worse like Cory just wrote" → you just make GDPR penalties proportionate to the amount of mismanaged data. So much that even a giant like Google needs to segment its data store to avoid hitting the worst-case maximum penalty.
Posted Oct 29, 2018 10:18 UTC (Mon)
by mina86 (guest, #68442)
[Link]
Posted Nov 1, 2018 9:41 UTC (Thu)
by davidgerard (guest, #100304)
[Link] (1 response)
I wrote something on practical GDPR compliance for the working sysadmin, based on what I've actually had to do in this regard.
The threat model here is "querulous past user trying to make your life hard."
I routinely see the loudest complainers about the onerous nature of GDPR compliance suddenly get vague or stop posting when you ask for details of precisely what bit is so hard. So far, it seems a safe assumption that they're abusing personal data, and they know they're abusing personal data. Perhaps one day a clear exception will show up.
Posted Nov 2, 2018 10:23 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
When we sent out our last pre-GDPR shot (actually, I think it was post-GDPR because everything personal-wise went pear-shaped and we ran out of time) the email simply had the attachment, and a message saying "if you want to keep receiving the newsletter, please hit "reply", "send" or these emails will stop".
I then just built a new distribution list based on these replies. Perfect. I have a documented opt-in for everyone on the list. Actually, that's not quite true because people will be people, but never mind ... :-(
Cheers,
Extract from https://jacquesmattheij.com/gdpr-hysteria/
(c) by a natural person in the course of a purely personal or household activity;
> personal data at all, and even those that do generally won't involve
> your building up massive Facebook-style profiles of your users or
> sharing their personal data with third parties.
The purpose is not to punish random small websites.
Or, if you prefer, you could look at it this way: lwn.net does not have big resources and they surely process a lot of personal data of EU nationals, and it looks like there were no notable issues with GDPR.
On the other hand, multiple US newspaper websites blocked traffic from the EU because their business model relies heavily on data harvesting.
The burden on a small company holding small amounts of non-sensitive data will be very low or even none.
1) If you don't have a permission paper trail, DELETE IT.
2) If you don't need it, DELETE IT.
Wol
Wol