37 comments

[ 3.0 ms ] story [ 82.3 ms ] thread
If nobody can profit from it, it doesn't exist. Even in europe.
The Nine Most Terrifying Words: "We're from the government and we're here to help"
I don’t agree with this sentiment entirely, but I’m starting to wonder if we long ago hit an inflection point between what we can mandate/criminalize and what we can effectively enforce in a consistent or meaningful manner.

It’s been on my mind lately, but it seems reasonable to think the thicker our codes of law with all the added complexity, the less useful the law might actually be. If that’s the case, it might be worthwhile to actually reconstitute our laws into a more useful system.

The barriers to doing so would be:

1. Maybe it isn’t actually worthwhile, as of right now I cannot meaningfully make the case that it is worthwhile.

2. Even if it is worthwhile, there are many wealthy and/or rich interests that would run a counter-campaign to protect the status quo as it pertains to them.

3. Even if there wasn’t a counter-campaign, refactoring the law just isn’t a sexy endeavor, and in fact runs counter to some very entrenched traditions in Anglo-American law.

Even opening this door for discussion would provide an opening to attack and place new limits on the natural rights of men which have been under a disgusting amount of strain as it is in the past few decades.

That said, we can mandate things like recycling and composting, but it is a dead letter unless you have recycling facilities or people willing to take the compost. You can mandate privacy and use a heavy handed enforcement mechanism, but that isn’t actually a solid guarantee to your own privacy, and there isn’t really anything that can guarantee your privacy and information security anymore. Even living in the middle of nowhere puts you under the thumb of reconnaissance satellites, airplanes and drones.

I'm here to help.

> [..] the government is the one institution that people can change... the one institution that you can affect without institutional change. That's exactly why all the anger and fear has been directed at the government. The government has a defect - it's potentially democratic. Corporations have no defect - they're pure tyrannies. So therefore you want to keep corporations invisible, and focus all anger on the government.

-- Noam Chomsky

The flaw in Chomsky's argument is that the check on corporate power is competition. A corporation is a tyranny internally but as long as nobody has to work for that company or buy its products over a competitor's or is restricted from starting a new company to compete with them, they have no dictatorial powers. The way you change a corporation is by not patronizing it until it changes.

If you do that alone nothing happens, but if you vote alone nothing happens either. If the majority does that with you then the corporation changes or there is a huge market opportunity for a competitor who will. And that even works when there is only a significant minority on your side, unlike voting.

The problem with governments is that they don't work that way, so the opinion of anyone not in the majority is invalid. You're still subject to any laws passed over your objection, without any alternative short of leaving everything you've ever known and moving to another country. Or, in this case, not even if you do that, because the EU asserts that people can be subject to this law even if they don't live there. It's tyranny of the majority-of-a-place-you-don't-even-live.

> The way you change a corporation is by not patronizing it until it changes.

Unless it's a monopoly or companies colluding, which is prevented by enforcement of regulation, not any goodness on behalf of corporations. And unless it's a conglomorate, in which case, "just switch the channel" can sound kind of hollow. E.g. https://www.youtube.com/watch?v=ksb3KD6DfSI

In theory, we could change companies by abstaining, if they magically knew why you don't patronize them, and took that into acount. In practice we now have fewer consumer OS than in the 90s, the return of walled gardens, and people who avoid them don't affect anything, the walled gardens care less about what people want, than what the walled gardens want.

> The problem with governments is that they don't work that way, so the opinion of anyone not in the majority is invalid.

So why are their any laws, at all, protecting minorities, why are things like access to disabled regulated, why is not legal to just lynch a person "most people don't like", and so on?

How long has Comcast been the worst thing since soaked bread, how is that possible, how have they not either changed or gone the way of the dodo? And why does Facebook keep regressing its UI even though anyone who cares hates it, "as long as most people don't mind"? How's YouTube shitting all over creators working out? Captured audiences and network effects wherever you look.

For companies, "If the majority does that with you then the corporation changes" is apparently good enough, with governments you claim anyone but the majority gets outright ignored, when that's not even the case.

> Unless it's a monopoly or companies colluding, which is prevented by enforcement of regulation, not any goodness on behalf of corporations.

The other way to prevent that is greed on the part of other corporations, who want to come in and get a piece of that pie by undercutting the monopolist.

> In practice we now have fewer consumer OS than in the 90s

We have fewer consumer OS because Android and other free software ate them by being more of what consumers wanted. Creating a new OS has never been easier -- you can fork Android -- but first you have to find something to change about it that people actually want but it doesn't already have.

> the return of walled gardens, and people who avoid them don't affect anything, the walled gardens care less about what people want, than what the walled gardens want.

The walled gardens are propped up by laws that e.g. prevent third party clients from interoperating with the Play Store without Google's permission.

> So why are their any laws, at all, protecting minorities, why are things like access to disabled regulated, why is not legal to just lynch a person "most people don't like", and so on?

Because the majority of people want laws protecting minorities etc. The problem with democracy isn't that the majority can't be right, it's that it can be wrong without recourse. As was the case in the past when there were overt laws oppressing minorities and allowing anyone to lynch a person "most people don't like" with no legal repercussions etc. All of that happened in a democracy.

> How long has Comcast been the worst thing since soaked bread, how is that possible, how have they not either changed or gone the way of the dodo?

Because there are laws that make competing with them difficult and expensive. You may want to start a small ISP which is only serves your neighbors on your street, but the law requires you to serve the whole city. And if you try to do that, expect the incumbents to sink you with lawsuits.

> And why does Facebook keep regressing its UI even though anyone who cares hates it, "as long as most people don't mind"? How's YouTube shitting all over creators working out?

Because people don't actually care. It takes five minutes to switch from Facebook to anything else, and you can use two social networks at once until Facebook dies. But the fact is that most people just don't care -- and the people who do care already don't use it, and alternatives to it exist. Which is the thing that governments don't allow.

And it's the same with YouTube. If the creators stopped using it, it would be a ghost town. And some of them have, and the rest of them don't care. There is no law forcing you to use YouTube instead of one of their competitors or self-hosting your own videos.

> For companies, "If the majority does that with you then the corporation changes" is apparently good enough, with governments you claim anyone but the majority gets outright ignored, when that's not even the case.

If you don't like Facebook, Twitter exists, and Reddit and Signal and email and Mastodon. Even if 90% of people use Facebook, you have the option to not. You don't have the option to opt out of a law.

Of course in reality the government is "us", both constituted of people some good, some bad, some competent, some not, etc.

Second the government (slowly) responds to the expressed needs of those who do and can make their wishes known (which is not necessarily the same set as voters/citizens/residents/interested parties, of course). Because of its size, feedback is often involved; the only damping is just a dashpot (i.e. lagging rise time).

Currently the government is getting strong signals of paranoia, fear, mistrust of bad news, et al, so is is implementing a lot of crazy and bad shit. But I do believe that's the message it's getting/amplifying.

Don't forget that (at least in the OECD) you can still drive on a reasonable road, send a letter, buy something via the Internet and probably receive it in working order, drink water from the tap, etc. Most of the government is still operating fine, even in response to a heavy autoimmune reaction.

My statement should not be interpreted to imply any set of political views, or even which country I am from/work in/live in etc. I am talking about the OECD for which the factors above are broadly applicable, even if to varying intensities.

> Don't forget that (at least in the OECD) you can still drive on a reasonable road, send a letter, buy something via the Internet and probably receive it in working order, drink water from the tap, etc.

Note that most of that is local rather than federal/EU government, and even to the extent that it involves interstate commerce (e.g. UPS deliveries), it would still basically work without any central government involvement in the same way that packages are fairly reliably delivered from China to the US or EU even though multiple independent jurisdictions are involved.

Many things are theoretically possible that Coase showed are vastly inferior in practice. He got a Nobel for it.
Couldn't have happened to nicer supporters of government meddling into people's lives!
"GDPR is an identity thief's dream ticket" would require that the GDPR somehow permits companies to hand over personal data without reasonable identity verification. The Register seems to be making this assumption in their editorialized headline.

However, as far as I can tell, these companies have done the opposite and _breached_ the GDPR by failing to keep personal data safe, as the GDPR itself requires, in the process of handling a data access request (as happens to be mandated by the GDPR).

I don't see how this is a problem with the GDPR itself. It _is_ a problem with how some companies have implemented it.

According to the article, the researcher says that "lawmakers need to set a standard for what is a legitimate form of ID for GDPR requests".

I'm not sure I want this. I want companies to remain liable for data breaches even if they come from illegitimate data access requests. A single standard won't suit all situations.

Presumably it has to do with data subjects' right to request corrections to incorrect data.
That's why the companies had to respond, yes. But by responding with personal data without first verifying the identity of the requestor, they breached the GDPR by exposing that personal data.
So what are they supposed to do if they have no satisfactory way to verify your identity? They may have all kinds of information on you but not your passport number. Some people eligible to file requests may not even have a passport number. They may not even have your name (and multiple people share the same name anyway).

Without any reasonable way to distinguish between legitimate requesters and attackers, their options are to not provide the information to someone who may be the right person or to provide it to someone who may be the wrong person. If both of those are illegal that implies it's impossible to comply with the law.

What they are supposed to do is to set up their system so this problem does not exist.

If you need identity data than verify identity. Most companies dont and then they should not store it.

This is already the case in banking i dont see a reason why other companies think they shouldnt need to do this.

> If you need identity data than verify identity. Most companies dont and then they should not store it.

The problem is that there is data which is personally identifying and yet not useful to authenticate the user, and that information may be necessary for the operation of the service.

> This is already the case in banking i dont see a reason why other companies think they shouldnt need to do this.

What banks do is to know the identity of all their users. Requiring sites to do that is the exact opposite of the apparent purpose of this law, so it would be a massive farce if that was the only way to comply with it.

If you lack the means to comply with the law, you must not collect the data!

The article also jumps to the same troubling conclusion: That the law is deficient because it failed to make provision for greedy data hoarders to continue without changing their business.

In my opinion the law is working as intended, and requiring extreme security precautions around the hoarding of personal data. If a few companies with abusive business models become non-viable in the process, that's a side benefit

Except that there are other laws requiring them to collect certain data, or it may be necessary for the operation of the service, so they can't just not collect it either.
Would the downvoters please explain why you think I'm wrong? Or is this just the typical GDPR hate that seems to infest HN such that I defend the GDPR ergo I'm automatically downvoted?
I don't get this either. You are on point.

Giving out data to someone other than the data subject is a data breach.

If you can't identify the subject positively you don't give out the data.

You document this - it is not like you get an instant fine without anybody asking you about what was going on.

This is not YouTube or PayPal or Twitter banning your account without a chance to talk to someone. Before you get a fine someone will talk to you. If you get a fine you can appeal. It is not instant 4% of you income decucdet automatically from you account.

(comment deleted)
It's the theory-practice divide. In theory, GPDR is supposed to prevent this. In practice it was companies trying to comply with GPDR that caused this.

Maybe things will improve with time as people learn from episodes like this. Or maybe not.

Bad headline by The Register, the problem is not GDPR as the headline might try to convince you, the issue is identity validation and lack of security controls.

The attach described is similar to "password reset", which gives an adversary access to everything and companies that don't have strong security in place, or users with weak passwords are likely subject to exploitation.

I'm not sure why GDPR requires companies to provide data subjects with actual copies of the data (Article 15 section 3). In most cases, providing the actual data doesn't really give any more information than just telling the data subject that the company has the data.

For instance, I already know my mother's maiden name, so a response of "We know your mother's maiden name" would be just as useful to me as "We know that your mother's maiden name is <NAME>", but would be much less useful to someone pretending to be me.

There are situations where you do need to see the actual data so it should still be available, but getting that data should require a much more robust proof that you are the data subject than is required for just getting the existence data.

Subjects have a right for the information to be correct. So they need to see what you've got, not just the claim to know my mother's maiden name (actually a matter of public record in many countries) but the fact you think it's SMITH (it isn't so you will need to fix that).
Point of fact: it's not the GDPR, per se, that causes companies to hand over personal information to duplicitous individuals. It's those companies poor verification and security practices.

The GDPR does create a new attack surface, in that companies now have a legal obligation to provide information. The article did not say whether or not there is a legal obligation to properly verify the identity of the requestor.

It isn't really a new attack surface because GDPR is only a refinement of previous rules. Companies inside the EU already were subject to previous iterations of this "Ask permission, don't keep stuff you don't need, tell subjects what you know, fix mistakes on request" model.

Back when I first worked for a start up, Richmond Informatics (subsequently Garlik, which was then bought by Experian) it began by doing subject data access requests for key personnel just to see what was out there. That's well over a decade ago.

And yes, they have a responsibility to ensure they only give the actual subject the data, which is tricky but if it's too hard then probably "don't keep any data" was the correct answer. "Thank you for your letter. We do not keep any data whatsoever about our users". Done.

At Experian the main theme of the training in this area was "Do not try to help, don't respond in any way except to forward everything to the special department that handles these requests".

I think it is a new attack surface for any company that had the policy to never give out a user's information and is now required to give out the information.
Surely this isn't a new problem given that credit bureaus, hospitals, and so on already had to turn over information on demand?
But for any other industry, there would be no existing infrastructure to support this.
They all used authentication systems though don't they? The problem is any bad actor can exploit GDPR to get information on anyone else.
That's not true. You are only allowed to give out information to the data subject. You have to verify that you are giving the information only to the subject.

If you can't verify you don't give out information.

There are so many ways to verify. Public Data is not a shared secret, thus not something to verify identity with.

If you have the home address of the subject, send it to that address, don't allow recent changes without thorough investigation. A postal letter is more secure than sending an email to the subjects email address.
I notice the pattern that any opinions stating that this is not a GDPR issue, it is a end-company issue, get downvoted. Oh how much would the US companies like to get rid of GDOR and go back to a system where everything is up for grabs, with zero accountability and rampant abuse. I think GDPR is one of the best things that have happened to Europeans/European consumers since the inception of internet, in the data ownership and privacy space.

What Pavur managed, is a wake up call for companies to further clean up their act, and that is positive step to making GDPR stronger but not to remove it.

One cannot blame the whole system for some/many bad actors. If improvements are needed in the identifying mechanisms, so be it, but as a system, it is built to work FOR the people.

Also (without reducing the effort and results of Pavur) anything you read on UK media condemning anything EU-made, take it with a pinch of salt, a no-deal Brexit may be coming and some media will do their best to demonize all-things-EU. Agendas will be served.

Right, so slap the largest fine on each one. They had 2 years to prepare and obviously didn't.

Before the GDPR this would have been stamped "identity theft" putting the company in the clear. As if you were somehow responsible for the company not verifying the identity of their customers.

[Edit]

I should mention that around here there is an established 2FA solution used by banks and the government so verification has been de facto standardized.

>"Privacy laws, like any other infosecurity control, have exploitable vulnerabilities," he said. "If we'd look at these vulnerabilities before the law was enacted, we could pick up on them."

Okay, now let's relate it back to what Hacker News knows about

> "Software, like any other infosecurity control, have exploitable vulnerabilities," he said. "If we'd look at these vulnerabilities before the Software was deployed, we could pick up on them."

It's correct to say that you can limit the number of vulnerabilities you ship, but it's always going to be non-zero and you're always going to need to deploy security patches.

I'm not sure poor implementation and compliance with a new law is a particularly huge threat. Over time best practices will emerge and this will essentially be a low success rate attack vector. Compare that to the counter-factual, before GDPR the number of companies with your data was far higher, the data they held was far more in depth, and they often had little to no security procedures. The underlying message here is that the fundamentals of GDPR make your data safer, not less safe.