The Python Software Foundation on European cybersecurity
Posted Apr 22, 2023 2:42 UTC (Sat)
by Vipketsh (guest, #134480)
In reply to: The Python Software Foundation on European cybersecurity by pbonzini
Parent article: The Python Software Foundation on European cybersecurity
1, Take a real problem that is a real problem for EU citizens
2, Make some regulation that is the worst possible thing for the individual
3, Threaten with some ridiculous sky-high fines if regulation is broken
Point 2 usually means that EU regulations amount to "as long as the two parties agree". Which sounds great, full of freedom and all sorts of warm fuzzies, but when there is a huge disparity between the parties (e.g. individual v.s. multi-billion conglomerate) every agreement turns into "the smaller entity does what the large one says". Not great for individuals at all.
Point 3, the more important one, pretty much means small entities will have little motivation to set up a business because there is such a huge risk in doing so. And then the EU wonders why it has an ever-decreasing share of global trade and why pretty much no-one takes it seriously anymore.
Two examples of what I mean with the three points above:
The GDPR/Cookie laws. A great idea and something pretty much everyone wants. The problem however is that in practice it seems to have become "do whatever you want with data, as long as you can coax the individual into clicking an 'I agree' button". In the end you have two choices: don't use the internet or agree to everything -- not much of a choice these days. We all know the huge threats of fines here.
This "great" regulation that online stores (even outside of the EU) need to pay VAT directly. This makes sense because it doesn't give businesses abroad an unfair advantage of skipping VAT payments. This could also be wonderful for the individual because of less bureaucracy when receiving a package. However, in great EU wisdom, customs duties are not covered. The end result is that smaller sellers (mostly individuals) simply refuse to sell stuff to the EU because they don't want to take part in EU bureaucracy (who can blame them?) and you, the individual, can keep filing paperwork and paying customs agents just like you always did. It doesn't help that when the seller doesn't do the paperwork correctly (or at all) I am told that I cannot correct it, only the seller. That leaves two options open: either pay the VAT twice (technically against the law) or give up on the item. Wonderful.
Posted Apr 22, 2023 3:18 UTC (Sat)
by NYKevin (subscriber, #129325)
[Link] (8 responses)
Those are two different laws that work in two different ways, but I will focus on GDPR because it is the more comprehensive and important of the two. GDPR *expressly forbids* what you describe. Consent can be a valid basis for data processing under GDPR, but it must be "voluntary" within the meaning of the law - a rather narrow exception that's frankly quite hard to fit into. You can't say to the user "click agree or else you can't use our service" and call that "consent."[1] You would instead have to investigate one of the other valid bases for data processing, and every single one of them has strings attached.[2] There is, quite intentionally, no straightforward way to force a user to provide arbitrary PII in exchange for some arbitrary service - that is simply not a transaction you can enter into in the EU. Anyone who claims they can do this is either lying or unknowingly violating the law.
[1]: https://gdpr-info.eu/art-7-gdpr/
Posted Apr 22, 2023 9:47 UTC (Sat)
by Wol (subscriber, #4433)
[Link]
Compare that to American arbitration. Can't speak for Europe, but in the UK arbitration is never binding on the individual. Companies don't get to write their own law. And the UK definition forbids a conflict of interest for the arbitrator. Companies don't get to appoint their own judges to interpret their own laws.
Cheers,
Posted Apr 24, 2023 3:37 UTC (Mon)
by Vipketsh (guest, #134480)
[Link] (4 responses)
Let me tell you a little story. Whenever we have government elections, candidates need to show some minimal support to be put onto the ballot, which comes in the form of collecting people's signatures -- personal data that falls under GDPR (or so they claim). So, they make everyone who signs the support thing also sign some GDPR thing, allowing them to handle your data. It's all voluntary of course. What happened then is that half the country started receiving some weird SMS messages relating to the election that they definitely didn't want. Turns out:
This is what I meant by "practically" and "coax": no-one forced any of these people to sign anything -- it was all voluntary and no pressure was applied, yet I'm sure you can understand that it is not a very life-like scene that in an underpass hundreds of people are standing around the booth of some political party meticulously going through dozens of pages of dense legalese. Also realise how the enterprise was set up to make it as difficult and expensive as possible to try to get any sense of justice.
This is why I say that any law which allows "voluntary consent" to nullify parts or all of it (pretty much all EU things) just means that those parts are, in practice, nullified by default.
Posted Apr 24, 2023 9:57 UTC (Mon)
by edeloget (subscriber, #88392)
[Link] (2 responses)
That should not be the case. All the various uses of your PII should be stated in a clear and understandable language.
> 2, The "data controller" turned out to be some foreign entity on the other side of the EU
This is not relevant. The data controller must follow the rules, wherever it is, as long as it is handling PII from European citizens.
> 3, To do anything, in a legal sense, you would need lawyers and courts in that small foreign country
This is not true. You have to signal the problem to your local authorities (in France, this is the CNIL; in Germany, the BfDI; all European countries have a similar authority). They will act on your behalf. The GDPR never expected individuals to start legal challenges against large companies.
Posted Apr 24, 2023 11:14 UTC (Mon)
by Vipketsh (guest, #134480)
[Link] (1 responses)
> That should not be the case. All the various uses of your PII should be stated in a clear and understandable language.
We are talking politics here and in politics there is always lots of money and legal expertise on how to screw your opponent over any sliver of wrongdoing. Yet despite the high-profile scandal, *nothing happened* and because of the political angle I can only presume because there was no case. Tell me all the legal theory you want but the fact remains that a quarter to half a country's worth of people had their data used in a way they did not want and the GDPR did nothing to prevent it. This is a failure however I try to look at it.
>> 2, The "data controller" turned out to be some foreign entity on the other side of the EU
> This is not relevant. The data controller must follow the rules, wherever it is, as long as it is handling PII from European citizens.
In theory maybe not, in practice it very much is. If you believe they are doing something wrong, your first point of contact to even try to figure out what it is, is the entity itself. You may complain to your local authorities but they won't do anything without any evidence (they definitely don't have the capacity to investigate everyone's feelings) -- and the one place to even try to get it is that entity you can't communicate with.
Posted Apr 24, 2023 14:47 UTC (Mon)
by edeloget (subscriber, #88392)
[Link]
I think you lack some important knowledge about how the GDPR works and how it's enforced by local authorities. The procedure is only two steps:
1/ send a letter stating the issue at hand to the data controller; most national authorities will provide you templates and/or tools to adapt the template to your needs.
2/ if you do not receive any answer after the legal delay (1 month IIRC) you can mandate your local national authority to handle the issue. Of course, it won't be as fast as you want it to be. The point is: if it's difficult or near impossible to discuss with the data controller, they are the ones who are at risk.
Of course, you can have your own grudge against the GDPR. But maybe you can test the procedure before telling the world that it does not work. See https://www.enforcementtracker.com/ for further references.
Posted Apr 24, 2023 13:47 UTC (Mon)
by kleptog (subscriber, #1183)
[Link]
With bigger companies like telcos, energy providers, ISPs, etc their terms of service are generally lodged with the chamber of commerce and consumer organisations are all over them making sure there's nothing crazy in there.
In your story, if all they were doing was collecting signatures to be able to demonstrate support, then they wouldn't need to ask permission under GDPR, because you only need to ask permission for processing that is not required for the service being provided. So the fact they're asking permission is a big red flag saying they're going to do dodgy stuff with your info.
So really, we need to teach people that if someone on the street is trying to get you to read pages of legalese, WALK AWAY! If you're at the checkout of a supermarket and suddenly they pop-up a form agreeing for them to use your payment info, that's a big fat red flag.
With respect to enforcement, I think the EU Small Claims procedure[1] would be appropriate here. It's a purely written procedure, though it might get a bit cumbersome if translations are required.
[1] https://europa.eu/youreurope/business/dealing-with-custom...
Posted May 2, 2023 18:50 UTC (Tue)
by immibis (subscriber, #105511)
[Link]
It would be neat if, like, every website with only an "I agree" button and no "I disagree" could get a $1000 fine (commercial sites) or $50 (personal sites) with just a few minutes of paperwork, let's say, upon report and maximum once a week. I suspect that would fall afoul of some rules against summary punishment. Now, no Apple or Netflix is going to care about a $1000 fine, but those ones can be fed through the big lumbering bureaucracy... meanwhile, say, Stack Exchange's CEO having to personally respond to a court order every week would be a significant motivation to fix the problem. (just an example - Stack Exchange recently fixed this problem)
Posted May 10, 2023 23:05 UTC (Wed)
by callegar (guest, #16148)
[Link]
Apparently, at least to some extent, cookiewalls are legal and you can say "click agree or else you can't use our service unless you buy a long term subscription to it", because as long as you are offering an alternative, that is consent (even if the alternative is not really equivalent. Maybe you want to use the service just once and not in continuity for a long time as the cost of a subscription assumes). Many online newspapers in Europe use this business model, see https://www.repubblica.it/tecnologia/blog/cyber-law/2022/... (in Italian, Google translate works well enough with it) and https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/... (in French). Key document appears to be the Conseil d’État decision taken on June 2020 https://www.cnil.fr/fr/cookies-et-autres-traceurs-le-cons...
Posted Apr 22, 2023 10:37 UTC (Sat)
by tialaramex (subscriber, #21167)
[Link] (15 responses)
It's like when you break apart a C program and find all the linked lists. Is this a sophisticated concurrent data structure which has been optimised to hell? Nope, it's just the first growable data structure this C programmer learned so they've used it everywhere. The answer to far more questions than you expect is "I don't know, I just copied what everybody else was doing".
Posted Apr 22, 2023 19:28 UTC (Sat)
by Wol (subscriber, #4433)
[Link] (8 responses)
Which is why nearly all my C programs simply malloc'd an array ... :-)
Cheers,
Posted Apr 23, 2023 4:49 UTC (Sun)
by adobriyan (subscriber, #30858)
[Link] (7 responses)
Posted Apr 23, 2023 8:52 UTC (Sun)
by Wol (subscriber, #4433)
[Link] (5 responses)
It may sound weird to you, but I have yet to come across a problem where I need a linked list.
What on earth is "stbds_arrput()"? A google search threw up precisely NO hits, although there were several libraries mentioned that probably contained it. No documentation whatsoever. And the libraries looked like a key-hash library, with which I am VERY familiar - I could write one pretty easily I suspect.
Maybe the problem domain I was working in was different to you, but the only problem I had with C arrays is you can't malloc a 2-dimensional one. Why do I want something super-complicated, to solve a simple problem? I don't subscribe to the "ooh! Shiny!" philosophy that seems to pervade so much tech :-(
Cheers,
Posted Apr 23, 2023 9:14 UTC (Sun)
by adobriyan (subscriber, #30858)
[Link] (4 responses)
> but I have yet to come across a problem where I need a linked list.
They are somewhat cool, Linux is full of linked lists:
Observable C programmer quickly learns that allocating memory and dealing with errors is painful and unergonomic,
Until... he learns that the fastest way to process data is to put it in memory contiguously.
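adobriyan's point that an allocate-once, never-moving object keeps every pointer to it valid for its lifetime, whereas a growable contiguous array may move out from under you, is the whole pointer-safety difference between the two structures. The following added example is not code from this thread, from the stb libraries or from the Linux kernel; `intvec`, `vec_push`, `struct node`, `list_push` and the two `*_first_moved` probes are hypothetical names. It pushes values into both kinds of container and reports whether the address of the first element survived. Growth is done with malloc+memcpy+free so that the move is deterministic; with realloc it may or may not happen, which is exactly why keeping an element pointer across a push is a latent use-after-free rather than a reliably visible bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable contiguous array, the model behind stb_ds-style arrput().
 * Hypothetical names. Growth uses malloc + memcpy + free instead of realloc
 * so the block is guaranteed to move on every growth; realloc may or may not
 * move it, which is why callers must never keep an int* across a push. */
typedef struct {
    int *data;
    size_t len, cap;
} intvec;

static int vec_push(intvec *v, int x)
{
    if (v->len == v->cap) {
        size_t ncap = v->cap ? v->cap * 2 : 4;
        int *p = malloc(ncap * sizeof *p);
        if (!p)
            return -1;             /* failure: old block untouched, caller still owns it */
        if (v->data) {
            memcpy(p, v->data, v->len * sizeof *p);
            free(v->data);         /* every int* into the old block is now dangling */
        }
        v->data = p;
        v->cap = ncap;
    }
    v->data[v->len++] = x;
    return 0;
}

/* Singly linked list in the Linux list spirit: each node is allocated once
 * and never moves, so a pointer to it stays valid for the node's lifetime. */
struct node {
    int value;
    struct node *next;
};

static struct node *list_push(struct node **head, int x)
{
    struct node *n = malloc(sizeof *n);
    if (!n)
        return NULL;               /* failure: the existing list is unchanged */
    n->value = x;
    n->next = *head;
    *head = n;
    return n;
}

static void list_free(struct node *head)
{
    while (head) {
        struct node *next = head->next;
        free(head);
        head = next;
    }
}

/* Push 0..pushes-1 into an array and report whether element 0 changed address:
 * 1 = moved, 0 = stayed, -1 = allocation failure or corrupted contents.
 * The old address is kept only as an integer and never dereferenced, because
 * the original pointer is invalid as soon as the array has grown. */
int vec_first_moved(size_t pushes)
{
    intvec v = {0};
    int result = -1;
    if (vec_push(&v, 0) != 0)
        return -1;
    uintptr_t first = (uintptr_t)v.data;
    for (size_t i = 1; i < pushes; i++)
        if (vec_push(&v, (int)i) != 0)
            goto out;
    for (size_t i = 0; i < pushes; i++)    /* contents survived every copy */
        if (v.data[i] != (int)i)
            goto out;
    result = (uintptr_t)v.data != first;
out:
    free(v.data);
    return result;
}

/* Same experiment for the list: the pointer to the first node is kept and
 * read after every push. 1 = moved, 0 = stable and intact, -1 = failure. */
int list_first_moved(size_t pushes)
{
    struct node *head = NULL;
    int result = -1;
    struct node *first = list_push(&head, 0);
    if (!first)
        return -1;
    for (size_t i = 1; i < pushes; i++)
        if (!list_push(&head, (int)i))
            goto out;
    /* same node, still readable, still the tail of the list */
    result = !(first->value == 0 && first->next == NULL);
out:
    list_free(head);
    return result;
}

int main(void)
{
    printf("array: first element moved after 100 pushes? %d\n", vec_first_moved(100));
    printf("list:  first node moved after 100 pushes?    %d\n", list_first_moved(100));
    return 0;
}
```

The array stays put only while the pushes fit in the initial capacity; the first growth past it frees the old block, and any pointer taken before that point would now be a use-after-free. The list node, allocated once, is still the same readable object after every push, which is the property adobriyan is describing. Both push functions also show the error-handling shape the thread complains about: on allocation failure they leave the existing container untouched and return a status the caller has to check.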
Posted Apr 23, 2023 9:15 UTC (Sun)
by adobriyan (subscriber, #30858)
[Link] (1 responses)
ehh, in the sense that linked lists are less prone to allocation failures on fragmented systems.
Posted Apr 24, 2023 9:40 UTC (Mon)
by geert (subscriber, #98403)
[Link]
Posted Apr 23, 2023 12:54 UTC (Sun)
by Wol (subscriber, #4433)
[Link] (1 responses)
Observable C programmer quickly learns that - PROVIDED you are careful about object lifetimes! alloca is the way to go. :-)
Cheers,
Posted Apr 23, 2023 15:24 UTC (Sun)
by adobriyan (subscriber, #30858)
[Link]
They took it from us, VLAs too.
Posted May 2, 2023 18:51 UTC (Tue)
by immibis (subscriber, #105511)
[Link]
Posted Apr 24, 2023 3:55 UTC (Mon)
by Vipketsh (guest, #134480)
[Link] (5 responses)
I'm not so sure. My impression is more that they are doing things in a way that abides by the letter of the law but still applies as much psychology as possible to increase the chances of you just hitting the "Agree to all" button, which is what the operator would generally like, instead of unchecking any of the unnecessary stuff. Just a few observations:
1, When you first visit, they pop up some box where you must agree to *something* before being able to use the site. There is seldom a button saying "I don't allow anything" (I have mostly seen such an option only on government run sites, but there are some others).
This is why any legislation that allows "voluntary consent" simply changes the game, as it were, such that the bigger party tries as hard as they can to make you "voluntarily consent". Usually it is successful.
Posted Apr 24, 2023 5:45 UTC (Mon)
by mathstuf (subscriber, #69389)
[Link] (2 responses)
You didn't agree to the cookie that stores your preferences to not store data. It's probably toggle number 23 (today; it probably moves around).
Posted Apr 25, 2023 16:42 UTC (Tue)
by NYKevin (subscriber, #129325)
[Link]
Posted May 2, 2023 18:52 UTC (Tue)
by immibis (subscriber, #105511)
[Link]
Posted Apr 24, 2023 15:12 UTC (Mon)
by Wol (subscriber, #4433)
[Link]
> I'm not so sure. My impression is more that they are doing things in a way that abides by the letter of the law but still applies as much psychology as possible to increase the chances of you just hitting the "Agree to all" button, which is what the operator would generally like, instead of unchecking any of the unnecessary stuff. Just a few observations:
Which is a pretty blatant breach of "informed consent". If the website is deceptive, which shouldn't be too hard to prove, then legal consent was not obtained. I've never come across websites like that. (Not nowadays. A lot of the shareware sites were like that, demanding to install PUPs, I still see the odd site which looks - shall we say - "wrong".)
The other thing is, UK legislation in particular often mandates what information is "most prominent". You're allowed to make other stuff equally prominent, but hiding the "minimal consent" button will probably fall foul of that sort of legislation ...
Cheers,
Posted Apr 27, 2023 8:46 UTC (Thu)
by anton (subscriber, #25547)
[Link]
* At least I think so. Even after several years with "material design", which replaced checkboxes (a staple in GUI design since its introduction in the 1980s) with something that takes more space and is much less intuitive, I am not sure whether a switch is on or off in material design.
Posted May 2, 2023 18:45 UTC (Tue)
by immibis (subscriber, #105511)
[Link] (3 responses)
I understand that the EU - de facto if not de jure - has separate bodies to represent the corporations and the people, and the corporate part seems to come up with most of the proposals which are quickly shot down by the actually democratic part.
Seems like a stupid system, but if this is really how the system works, then it's not the end of the world every time the corporate-money-making-ideas-machine spits out a really stupid idea. It's only the end of the world if the democracy-machine does not shoot down the stupid idea.
A similar effect can be observed with the fines (point 3). Sometimes the maximum possible fine is set very high to give significant room for the judge's discretion. Yet everyone expects the maximum possible fine to be given in all cases, possibly because previous laws had a maximum that was too low. I observe that the high maximum fine really makes a difference because corporations cannot just say: "we have enough money, we can absorb the maximum fine so let's keep doing the illegal thing forever." No, they have to negotiate, and possibly get the fine lowered if they stop doing the illegal thing, and lowered even more if they compensate previous victims.
Posted May 2, 2023 23:03 UTC (Tue)
by Wol (subscriber, #4433)
[Link]
Problem is, the American democracy-machine seems to have pretty crap aim under these circumstances.
> A similar effect can be observed with the fines (point 3). Sometimes the maximum possible fine is set very high to give significant room for the judge's discretion.
EU maximum fines aren't that high. For a first offence! Thing is, if it's not a first offence, the maximum fine has a habit of doubling every time ... that makes repeat offenders rare ...
Cheers,
Posted May 3, 2023 9:17 UTC (Wed)
by paulj (subscriber, #341)
[Link] (1 responses)
I guess you mean the Commission with the "corporate part" and the EP with the "democratic part". It's not de facto, it's de jure - the EU is constituted such that the Commission is the body that introduces proposals. The EP has no power to initiate legislation - though it can formally request the Commission to do so. There is talk of giving the EP the right to initiate.
Commission: The political executive of the EU's civil service; the formal point of introduction for new legislation - but this is in a facilitating role.
Posted May 4, 2023 12:48 UTC (Thu)
by kleptog (subscriber, #1183)
[Link]
Hence right from the beginning the process was that the Commission, which represents each member state equally, initiates the proposal on behalf of all the members of the Commission. It ensures a minimum level of support across the Union before committing significant resources.
Additionally, EU legislative instruments are severely limited in scope, bound by treaty. Someone has to decide whether something is a regulation or a directive. If you let MEPs submit something, does the Commission get to reject it on the basis of it being outside of the scope of the treaties? How do you handle the question of subsidiarity? Does this open up the possibility of an MEP taking the Commission to the ECJ because they disagree whether something should be a regulation or a directive? Is this something we want?
Finally, EU legislation is hard work, requiring lots of translations, explanatory memoranda, etc. The MEPs don't have the time to write all that, but the Commission has a civil service whose job it is to do these things. So the current process, where the EP asks the Commission to make a proposal on the topic and the Commission directs the EU Civil Service to work with the relevant MEPs to create a proposal, seems like a more efficient use of everyone's time. (There's a reason the MEPs are mostly in Brussels rather than Strasbourg).
I know there's a lot of people saying the EP must be able to submit legislative instruments directly otherwise it's not democratic (enough). My position is that it's not that simple and we need to think carefully before twiddling that knob. Sure, we could require proposals to come from EP committees, give the EP a shadow civil service branch and assign a branch of the ECJ to judging whether EP initiated proposals are within the bounds of the treaties, but you need to seriously think about whether this would actually improve the resulting legislation (and inter-institutional relations).
[2]: https://gdpr-info.eu/art-6-gdpr/
1, That GDPR thing people signed contained a little more than they thought
2, The "data controller" turned out to be some foreign entity on the other side of the EU
3, To do anything, in a legal sense, you would need lawyers and courts in that small foreign country
https://github.com/nothings/stb/blob/master/stb_ds.h#L543
https://youtu.be/0woxSWjWsb8?list=PLU94OURih-CiP4WxKSMt3U...
* less memory fragmentation (not relevant to userspace, but very relevant to kernel)
* allocate object once, never realloc again. All references/pointers to the object are valid for the its lifetime.
Linked lists of never-moving objects is the simplest thing in the Universe.
therefore allocating and freeing something once is the way to go.
2, The button saying "I agree to everything" is always the single most prominent. So much so that the "configure/choose" option often masquerades as an inconspicuous tiny hyperlink.
3, When/if you get to the configure window there are usually 10-30 individual options to uncheck. Again, seldom is a "nothing" option available. This takes a while and is a pain in the ass. In an extreme case I have witnessed 30+ options, each of which took you to some site where you had to click to disable and then again to confirm it. Quite un-user friendly.
4, In the selection window the "Confirm Choices" button is *never* where you would usually expect it. Instead that location is prominently occupied by an "Agree to all" button.
5, If you decide to take the pain of deselecting something a few weeks later the website makes you go through the same dance. Strange that when clicking the "Agree to everything" button you never get reminded again.
It's against the law to make it harder to only get the necessary cookies than to agree to everything. So many sites now have a button "Only necessary cookies". Even for those that don't, the usual experience is that I click on "configure" and get a page where all (typically 2-4) optional cookies are disabled*, and I just need to click on "confirm".
European Parliament: Generally a scrutineering body. Can take out the Commission, by 2/3 majority vote, can propose amendments to legislation, can block legislation the Council is trying to put through, but this requires an absolute majority.
Council: The governments. Here lies the power, tempered by the EP.