GDPR feels useless
Disclaimer, this page uses cookies. But a disclaimer does not make you GDPR compliant.
Who am I to make such a claim? I started working in a big data startup called Qunb. We created a tool that used Google Analytics data to make slides. Basic. We then got acquired by another startup that does eCommerce optimisation. There I helped them to identify you on thousands of websites with cookies. Yep, I’m one of the “bad guys”. Go share that on Facebook you hypocrite. I’m working for my own now so I’m defending no one’s particular interest.
Maybe you should start reading GDPR because if you think it protects you and your privacy, you might want to look back at what protection mean. GDPR is pretty much useless in the long run. Nearly impossible to implement correctly.
I will try to limit text law to keep you reading.
Let’s start with your data. Do you know what is your personal data according to GDPR ?
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This is so broad and vague that basically if I generate a random number to identify you on my website it becomes your personal data.
But do you know what data I have access to when you come on my website ? Well only your IP and some information about your computer and browser. That’s all. Any other data you need to give it to me or I need to ask for permission but not because of GDPR. Because of technical limitation for security. Because developers worked on protecting your privacy way before lawyers even thought about it.
Now about cookies (I know you’re waiting for cookies). It’s true I can create an ID and save it on your browser (I can do much more but we will stay focus). Your browser, not your computer. So when you come back on my website with the same browser I know it’s the same browser. But that’s all. Unless you told me who you are and gave me other personal information to put in a database and linked it to that ID the only thing I know is that you came back on my website.
So the very first thing you need to understand about data privacy is that YOU protect your own data by not giving it away without thinking. Not GDPR by stating that it is your data and not mine.
We will come back to cookies. But first we need to talk about consent. Because an ID has no value unless you give me information about yourself. And apparently typing your name, age and other information is not consent. How is this supposed to work by the way? I give you my name but I don’t consent to you using it or remember it? Why giving it in the first place? Anyway, let’s see what GDPR says about consent.
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. […] The data subject shall have the right to withdraw his or her consent at any time. […] It shall be as easy to withdraw as to give consent.
So to create you a random ID, I need to have a proof that you clicked a “consent” button on a page where I say what I’m going to do with that ID or personal data. For the non technical people here, this is very much impossible. The only way to make 100% sure is to block access to any web page or service where I use “personal data” to redirect you to a page where I explain what I’m going to do with your personal data. Believe me, no one wants that kind of implementation. And that’s probably why nearly no website is doing it and nobody seems to care.
Funny enough. The only way to NOT redirect you on the “consent page” AGAIN next time you come on my website is to use a cookie and identify your browser so I know you already gave me your consent.
Also, I gave you the opportunity to consent in one click without searching for the consent page. So I guess you should not have to search for the “withdraw page” and make it happen in one click. Maybe I should put a little switch on every page of my website for you to withdraw when you want.
[…] the processing of the personal data of a child shall be lawful where the child is at least 16 years old. […] The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
Yep, every website is a porn website thank’s to GDPR. I need to add some text on my consent page to ask you if you are 16 or older, otherwise I need consent from your parents. Such protection and again no wonder why NOBODY is doing that consent thing.
Let’s go back to cookies. Right now I only spoke about first party cookies. They are the cookies that I use on my website to identify you. The other kind of cookies are the third party cookies. Cookies used by other websites to identify you on any website that uses their services.
Well, GDPR is completely useless concerning third party cookies. Don’t be shocked, this law has nothing technical in it so it cannot and will not protect you in the real world.
Why is it useless ? Let’s say that I use Google Ads to publish ads on my website. If I say to Google that you gave me your consent, they have no way to make 100% sure. I could simply lie. In fact I could be lying from the very beginning. You will have a very very hard time proving that I did not ask for your consent.
It’s exactly like if I started to write a list of people emails on a spreadsheets. The spreadsheet cannot know whether I’ve got the consent of all these people. And even if the software asked me whether I did have that consent I can simply say yes. What? You don’t remember me asking your consent to use your email? Weird. Well you can withdraw that consent anytime you want and I will delete your email from my spreadsheet. Maybe. I don’t know. What spreadsheet?
Another example, try asking your ex to delete these nudes of yours. In theory GDPR protects you in this situation as much as in the the spreadsheet situation or the Google Ads situation.
What about the people getting caught right now then? It’s the very big issue of a non technical law. Right now some companies are getting punished for not respecting GDPR purely on people statement and point of view on what is “clear and plain language”. While the majority of websites can’t and will not respect GDPR and nobody will care because at the end of the day, “personal data” is a big word but your personal data is worth shit. It’s worth a few cent when you click on an ad once in a while.
Companies will get punished because from some data privacy maniac point of view you did not gave consent with a full understanding of a situation. While you will be posting stuff on Facebook.
Other companies will pay a lot of money to be GDPR compliant while getting personal data. But they won’t be compliant because it’s nearly impossible and the only thing that changes will be you clicking on a popup.
The best part about all this? Developers made sure to protect your so precious personal data long before someone started to think about GDPR. At least since 2010 every browser allowed you to block third party cookies.
If you are really concerned about data privacy, just use a VPN, navigate in incognito mode or on an open source browser and block third party cookies so the only personal data outside is the one you will give willingly. And if you did not understand that part about VPN, incognito mode and open source well you just made my previous point. Because it’s “clear and plain language” to me and a lot of people. Go do your research, don’t wait for GDPR or Governments to protect you.
By the way, about Governments, here is a little bonus read : Article 9 Processing of special categories of personal data
There is a list here of 10 situations where GDPR doesn’t apply. Most of them relate to governments using your personal data (Remember the nudes? It’s research data now). But the best of them is: processing relates to personal data which are manifestly made public by the data subject;
You can argue a lot about what is “manifestly made public” (again non technical text …). But from what I read, it means that I can use any information about you that you’ve published on the internet.
Here we are. GDPR is technically impossible to implement in a smart way. Consent is purely subjective to the users understanding (and technical knowledge?). And if you consent once and some data goes public then you’re not protected anymore (unless you know how to make internet forget something)?
So nothing changed and GDPR feels useless.
GDPR protects your privacy as much as the law protects you from getting robbed. You already GOT robbed. They already sold your stuff. They MIGHT be punished later.
If you want protection against robbery you need a lock and an alarm. If you want Data Protection you need technical enforcement.
Could it be better? Yeah! If only the GENERAL DATA PROTECTION REGULATION was about protection and regulation it could be much better. It could be more technical. It could enforce browsers and operating systems to provide a way for websites and services to block third party data gatherings. It could make it mandatory for internet providers to ask you if you want to hide your IP …
Think about all the smart people that got paid (a lot) to think about this law. Only to end up with some very inappropriate shit. I don’t say it’s easy. And I don’t say we don’t need regulations. But right now the issue is probably not on “personal data processing” but on people being dumb enough to share on social media how evil companies are using their data instead of actually looking for ways (that exist for years or decades) to protect their worthless data.
Thank you for reading.
If you need a CTO as a service for your project. Checkout Quanted Square and feel free to send an email at contact@quantedsquare.com
