Maciej Cegłowski on GDPR

The plain language of the GDPR is so plainly at odds with the business model of surveillance advertising that contorting the real-time ad brokerages into something resembling compliance has required acrobatics that have left essentially everybody unhappy.

The leading ad networks in the European Union have chosen to respond to the GDPR by stitching together a sort of Frankenstein’s monster of consent, a mechanism whereby a user wishing to visit, say, a weather forecast page is first prompted to agree to share data with a consortium of 119 entities, including the aptly named “A Million Ads” network. The user can scroll through this list of intermediaries one by one, or give or withhold consent en bloc, but either way she must wait a further two minutes for the consent collection process to terminate before she is allowed to find out whether or not it is going to rain.

This majestically baroque consent mechanism also hinders Europeans from using the privacy preserving features built into their web browsers, or from turning off invasive tracking technologies like third-party cookies, since the mechanism depends on their being present.

For the average EU citizen, therefore, the immediate effect of the GDPR has been to add friction to their internet browsing experience along the lines of the infamous 2011 EU Privacy Directive (“EU cookie law”) that added consent dialogs to nearly every site on the internet.

The GDPR roll out has also demonstrated to what extent the European ad market depends on Google, who has assumed the role of de facto technical regulatory authority due to its overwhelming market share. Google waited until the night before the regulation went into effect to announce its intentions, leaving ad networks scrambling.

It is significant that Google and Facebook also took advantage of the US-EU privacy shield to move 1.5 billion non-EU user records out of EU jurisdiction to servers in the United States. Overall, the GDPR has significantly strengthened Facebook and Google at the expense of smaller players in the surveillance economy.

The data protection provisions of the GDPR, particularly the right to erase, imposed significant compliance costs on internet companies. In some cases, these compliance costs just show the legislation working as intended. Companies who were not keeping adequate track of personal data were forced to retrofit costly controls, and that data is now safer for it.

But in other cases, companies with a strong commitment to privacy also found themselves expending significant resources on retooling. Personally identifying information has a way of seeping into odd corners of computer systems (for example, users will sometimes accidentally paste their password into a search box), and tracking down all of these special cases can be challenging in a complex system. The requirements around erasure, particularly as they interact with backups, also impose a special burden, as most computer systems are designed with a bias to never losing data, rather than making it easy to expunge.

Here is the full Senate testimony; there are many interesting points in the piece. I thank an MR reader for the pointer.

Comments

If you pop open the hood of today's modern internet, the sheer amount of surveillance is mind-boggling. Both nation-states and multi-national corporations understand that good intelligence is priceless. If the wall of separation between the two should ever crumble, you will have the stuff of sci-fi dystopias. Note the similarity of language. To the surveillance economy, you are a financial asset. To the surveillance state, you are an intelligence asset.

'If the wall of separation between the two should ever crumble'

Umm, when did you think that wall was ever built in the first place?

Hi, mouse!

Yes, be careful about giving tech companies your data. That is like giving them your crown jews

“That is like giving them your crown jews”

Hi Thiago!

Wait, B-B uses a business model of surveillance advertising?

'is first prompted to agree to share data'

Or you just go somewhere else. I tend to use SWR for my basic weather forecast/traffic report needs - and as a typical example of European public broadcasters, there are no ads, and not too much incentive to practice surveillance advertising. The same applies to WFMU - no ads, no need to practice surveillance.

'This majestically baroque consent mechanism also hinders Europeans from using the privacy preserving features built into their web browsers'

No it doesn't.

'Overall, the GDPR has significantly strengthened Facebook and Google at the expense of smaller players in the surveillance economy.'

Quelle surprise.

Much appreciated post.

The internet is every major market's little playground now. China has its own Great Firewall, the EU has its GDPR, the US has the surveillance model, and the rest of the world is split between varying degrees of censorship to an outright free for all. Let a thousand flowers bloom and may the best model win.

Please consider a Conversation with Tyler with him.

Yes, please do. Ceglowski is always insightful. Entertaining too.

Micropricing. If I want to read your post, I will click you a few pennies with my Penny Clicking Mouse. No bank clearance needed, digital point to point pennies.

Bureaucrats can’t predict the effects of laws they dream up to regulate complex processes which are beyond their comprehension?

Mild shock.

You think it was bureaucrats that 'dreamed up' these laws? Really?

If given the chance, a likely (and likely quite large) majority of Europeans would have the GDPR go even further - not many people in Europe are dedicated to ensuring that Google or Facebook can continue to make money from surveillance capitalism.

Why not have people make their own decisions as to the level of security they require? If there were really people concerned about Google and Facebook then they could simply not use them - there are plenty of free alternatives. Or they could even start their own "secure" company to offer such services to like minded people. I would even support the EU subsidizing such companies, that would be better than this nonsense.

'Why not have people make their own decisions as to the level of security they require?'

Well, that is an interesting point. According to this (German language) link, less than half of Germans, Austrians, and Swiss are on Facebook at all - https://allfacebook.de/zahlen_fakten/offiziell-facebook-nutzerzahlen-deutschland

'If there were really people concerned about Google and Facebook then they could simply not use them '

See above.

'Or they could even start their own "secure" company to offer such services to like minded people.'

Why have a centralized data base at all, or a company? Though it is a twitter replacement, Mastodon (https://joinmastodon.org/) is not a company, it is software, just like bittorrent - no company need to be involved at all. (And such peer to peer technologies tend to make surveillance and censorship much more difficult).

So what's the problem? Why dream up poorly thought through regulation?

The only plausible reason is for the aggrandizement of the regulators. They love their guns, and they want to use them.

'The only plausible reason is for the aggrandizement of the regulators.'

Well, maybe for you. But much like European opposition to GMOs, it is not the regulators in charge, but the voters. Odd how that works, actually - it is not the regulators that want data privacy, but normal citizens.

Still Maciej Cegłowski's finest work: https://idlewords.com/2007/04/the_alameda_weehawken_burrito_tunnel.htm

Fantastic read. Thank you.

like the look of the tool, looks very similar to pitchbox but way cheaper. I’ll have to compare the 2 side by side.

I think the coming period is very good for GDPR growth in European market. Some Asian countries also the financial system has turned around and it is gradually increasing.

The law is a bureaucrat's dream come true. It is written vague enough that you can threaten providers with big fines or years of litigation, but you can hint that there are ways to avoid such unpleasantness. For example by blocking all populist or anti-EU voices as fake news.

'For example by blocking all populist or anti-EU voices as fake news.'

GDPR has zero to do with blocking content, and the quid pro quo seems quite the opposite, actually. Just ask Orban how that works.

And as for blocking anti-EU voices - that is truly hilarious.

You haven't yet realized that you are being brain-washed?

Well, if you would just let me know if the brainwashing is being done by the pro-EU or anti-EU side, that would undoubtedly be helpful. Or maybe both present sides less than an accurate picture?

But if you speak German, this link might be entertaining to watch - and then you can decide who is brainwashed. The ending is pretty fun too, considering that this appears to be a clip from a German public broadcaster - and yes, they do know pretty much where Germans with Internet access live, actually. https://www.youtube.com/watch?v=zvgZtdmyKlI&feature=youtu.be

What would Ayn Rand think of the surveillance economy? Her acolytes don't seem to object; indeed, many of her acolytes in Silicon Valley are the creators of the surveillance economy and are billionaires because of it. If selfishness is a virtue, altruism is a sin, and capitalism is a deeply moral system that allows human freedom to flourish, then the surveillance economy liberates us to recognize greed as the path to self-fulfillment and prosperity.

Ayn Rand would have likely said something to the effect that people are free to enter into contracts and voluntary transactions. Some people want to imagine that they should get all of the benefits of a provider's business model, without there being a cost. 30 years ago it was lots of ads. Now it's ads with tracking.
I think a more interesting question would be Ayn Rand's take on China and its "patriotic" tech companies that support state oppression and propaganda efforts. I suspect she would ultimately connect it back to the collectivist ethics accepted by the Chinese people which leaves them with a rights-violating government.

This is simply not true. I go to European based or GDPR regulated sites all the time, and it takes a few seconds to hit "deny all". There is no 2 minute wait. If I didn't wipe my browser's history every time I exit I would only have to do it once per site. We could use that here in the US, but of course capitalist fundamentalists will scream "Regulation!" and do all they can to block it.
