GDPR: A Waste of Time
Once upon a time, long ago in the summer of 2014, I felt the compulsion to check out every single IFTTT channel. I had become infected with the Internet of Things bug and had been working on my Productivity section of the 100,000 Tips, and I was determined to make my life as fully automated as possible.
Though I had veered into a “productivity paradox”, where I had spent a few dozen hours of time trying to improve tasks that took me a collective total of a few seconds every day to perform, it was an enriching experience learning about how to integrate various systems together. Unfortunately, it left me with 450 passwords.
About half a year ago, around the time the Experian company showed up in the news for a small inconvenience for their product beloved customers, I determined in myself to change all of my passwords. LastPass or Keeper or KeePass are all excellent tools for protecting your data, but only if your passwords aren’t all “password1” or contain your first name or use the last nine digits of your social security number.
Dozens of unoptimized hours later, I was able to say that my passwords are safely non-repeating alphanumeric codes that only LastPass can rightly enter, and I was able to shave my passwords list down to about 270.
However, this GDPR has been a tremendous nuisance. Every single large company with a website I have ever logged into has harassed me with at least one email about changes to comply with the GDPR, including the near-hundred passwords of accounts that I couldn’t figure out how to delete.
In light of this, and knowing that you have likely been given little to no information about how a law created for the EU matters to you, I’d like to express it here.
The GDPR (General Data Protection Act) is a legal attempt by government officials in the EU to legislate how companies can collect personal information. The full details of how it applies are here, but the executive summary is:
- Companies that collect data are required to give notice when they might collect data
- The data must be kept secure
- If the individual asks, they must delete that data as much as is reasonably possible
- They can only use the data for the reason they specified collecting it, and then they must delete it
The tech sector is freaking out about this, and that’s the cause of millions of people receiving emails from services they forgot they had.
The trouble with this entire concept is a two-pronged issue.
A. Security is already hard to enforce for companies
If you’re familiar enough with computers, keeping data “safe” is a strange concept to bring into a legal environment. At best, it’s highly relative to the context, and at worst it is arbitrarily constricting.
I’ll explain. Imagine your house for a minute. If you’re not there right now and nobody is home, you’ve probably locked the door. Your house is effectively “safe” in your mind. However, anyone with a decently-sized brick can take out your window and render it “unsafe”. The same goes for if that individual had a motor vehicle they could ram through the side of the house, power tools to dismantle the door or break through a window, and so on.
Safety is a philosophical concept we abide by, but we usually create arbitrary constraints of what would likely happen to compensate for how things aren’t as “safe” as we would want.
Unfortunately, the costs of turning your house into an impregnable fortress aren’t worth it. You’d have a safe home if you sealed all the windows with brick walls, installed a heavy steel door with fingerprint locks, reinforced your garage door with rebar, required a 15-key combination to open it instead of a garage door opener, and so on. These security measures would come at the tremendous cost of inconvenience.
Computer security works a bit like real-life security. There is no way to deter a sufficiently determined and talented individual universally, but there are plenty of ways to slow or stop them. A lock, barrier, or vicious dog can be subverted with enough time and determination, even if it slows down the intruder. A video surveillance system gives the idea that the intruder might be caught later, even though the stolen goods will likely not be returned.
Even if a company were to implement facial recognition, registered voice commands, fingerprint authentication, and a 20-digit non-sequential series of letters and numbers requiring changing every 3 days, someone could still maliciously hack into the system and steal the data (and they will if the incentive is great enough). A good keylogger and IP tracer will find them long after the data is sold to an interested party.
All that security mentioned above comes at a tremendous cost: productivity. With that kind of system, every employee would be spending a cumulative total of an hour a day merely logging into their computer. Taking the work remotely becomes impossible. The work would slow to a crawl, the company would lose a competitive edge, and the workers would be sending out resumes to not die of food deprivation.
Slapping a fine of up to $20,000,000 on a company is not going to help them. Many of the companies with data breaches already suffer massive PR nightmares and don’t recover quickly from them. This recent data breach has led Facebook, of all companies, to make TV commercials to improve the public’s faith in them!
B. It’s hard to enforce a motivation
On top of the difficulties of legislating computer security, it’s also a bit difficult to enforce “intended use” of data.
Some uses of data can be enforced, such as selling address data, but this entire concept presumes that the average individual is thinking intimately about the use of their data.
Anyone born after 1985 will remember using social media for the first time. There were text boxes that indicated input for age, birthdate, address, etc. Anyone that young is naive about how others could misuse data, and the feeling of “filling in the blanks” will be too tempting to pass up.
The collection of data in computers is a much more formal version of what we do in our own minds, so it only magnifies what we are doing already.
If someone walks into a room and you see them, you’re already collecting data about them. You’re forming judgments and creating secondary and tertiary data that you will use. If they pass your “security check”, you’ll go over to them and talk to them or permit them to talk to you. If they are considered an “intruder”, they will be rejected until they have authenticated themselves.
Computers are performing the same concept, but it is now becoming legally difficult to create secondary data with the GDPR, and companies are having a hard time coping with it. It’s effectively a light form of “thought police”.
C. GDPR won’t stop anything
You can’t legislate morality. No amount of legal action will take away from people doing what they want to do. To quote a proverb: “Rebuke a wise man and he’ll become wiser; rebuke a fool and he’ll become more shrewd.”
This will legally destroy many industries in the tech sector, but it will create more demand for attorneys and will drive many individuals to make the hard decision to either change their entire way of doing business or move into an illegal marketplace.
As an individual, it doesn’t matter to you outside of the placebo effect that your data is safe. Unfortunately, harming the private sector sacrifices the benefits of freely consuming what it has to offer. One of the easiest ways to comply with GDPR, for example, is to ban everyone in the EU from using the website.
Greg is also known as the Philosopher Accountant, a blog about random and useful things.