You are probably subscribed to a number of email newsletters. No doubt you have been receiving emails saying that the system is changing the way that they are handling their mailing lists and that if you want to continue to receive the emails, then you need to re-subscribe. If you have logged into Facebook or Twitter recently, you probably got told that they are revising their security policies. You might even have received a so-called "wake the dead" email from Cadence asking you to re-subscribe so that we know both that the email address is still valid, and that you want to continue to receive emails. I hope you are already subscribed to Sunday Brunch, the weekly email that I send out with links to the Breakfast Bytes posts from the week before, each with an image and the opening paragraph to pique your interest. If you are not, then just click on SIGN ME UP at the end of any Breakfast Bytes post. It's one email a week, and that way you won't miss anything.

There is a reason for all this mailing list and security cleanup, and it goes under the name GDPR. This is the General Data Protection Regulation of the European Union. Today, May 25th 2018, is the day GDPR comes into effect. The first obvious question is why you should care if you are not in Europe. GDPR is actually extra-territorial in the sense that it covers any data held on Europeans anywhere in the world. Many (most?) companies, such as Cadence, have taken the approach that it is easier to apply the rules of GDPR across the board than to try and segregate Europeans for special treatment. There are also special rules already in place in some other countries, such as Canada and Japan, that companies have handled as special cases, and those can simply be subsumed into the GDPR treatment. Another reason that has everyone's attention is that the penalties for violation are draconian. Some cynics have said that this is the European Union's way of taxing the US internet giants.
Failure to comply can result in significant penalties of up to €20M or 4% of a company's global revenue, whichever is greater. If you are a small company, €20M is a huge number. If you are Apple, 4% of global revenue is about $10B.

Who Does It Affect?

It affects almost everyone running any sort of online business, or any business with a website that is more than just a static catalog. If you have people register on your website, or collect emails so you can send out newsletters, or use cookies to track return visitors, then it affects you. However, I'm not going to tell you what you need to know if part of your job is to make your company compliant. If you are reading about this here today, the day it comes into effect, you are months behind schedule. Panic.

As a user, you will see many of the following changes:

- You have the right to ask what data a company holds on you and what they can do with it, and a right to have mistakes rectified.
- Companies have to make it easy to port your data. So in principle, it should be easy to export your social graph from Facebook to a competitor.
- You have the "right to be forgotten". It is unclear how this works with the legal requirement in some cases to retain records for years, or with a blockchain, which can never forget.
- The default on any form has to be the more private option, so you will find that boxes that obviously need to be checked often will not be, and you have to check them manually.
- You have the right not to be tracked (ironically, to do this, there has to be a cookie placed on your device to track that you don't want to be tracked).
- You will see a lot of quasi-legal text like "By clicking 'Subscribe' you are opting in to receive Breakfast Bytes emails weekly. You can unsubscribe at any time."
- You will have to re-subscribe to everything every year, including Sunday Brunch.

You have probably seen lots of these in the run-up to today. You will see lots more in the future.
One problem with GDPR was pointed out at the recent RSA security conference (see my post, RSA Cryptographer's Panel), where Moxie Marlinspike said he thinks that GDPR will entrench the biggest social media companies, especially Facebook. GDPR requires companies to get permission to do things with your data. Small companies might not be able to get that. But Facebook is so entrenched in people's lives that they can probably just refuse to do business with you if you don't give them the permission that they want. After all, to many people, "Facebook is the internet."

Click-Thru EULAs: a Lesson?

I think there is probably another problem. Nowhere in the world have click-through EULAs (end-user license agreements) been tested in court. Way back in 2005, a company called PC Pitstop put a paragraph in their EULA offering money to a limited number of customers who contacted them. Eventually, they gave $1,000 away, but it took 7 months and 3,000 sales before anyone contacted them. You have probably clicked on the iTunes EULA, which means you promised not to use iTunes to design nuclear weapons. There are plenty of other ridiculous paragraphs. Nobody reads these EULAs, and it is unclear whether they are enforceable. Nobody reads the full page of small print on the back of a car rental agreement either, and no court is going to enforce any unreasonable terms.

The previous European rule that was annoying is the insistence that websites tell you that they are using cookies and what for. Of course, most people don't even know what a cookie is, and they just click on the "accept" button. To make it worse, the sites seem to be terrible at keeping track of the fact that you accepted this, and regularly you have to accept it again (I guess they don't use cookies well enough to record that you already accepted). I'm sure that many people who refused cookies because they heard they are bad or something wonder why websites won't keep them logged in.
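The two cookie points above (the opt-out that itself needs a cookie, and sites that forget you already accepted) both come down to how the consent record is stored. The following JavaScript is an added example, not code from Cadence or from the original post; the cookie name bb_consent, the record layout, the category names and the one-year lifetime are all assumptions made for illustration. It is written as pure functions over a document.cookie-style string so the same logic runs in Node or in a browser.

```javascript
// Added example: a privacy-by-default consent cookie. Cookie name, record
// layout, category names and lifetime are assumptions, not anything from the post.
const CONSENT_COOKIE = "bb_consent";   // hypothetical cookie name
const CONSENT_VERSION = 1;             // bump when the consent text changes
const NO_CONSENT = Object.freeze({ decided: false, analytics: false, marketing: false });

// Parse "a=1; b=2" (the shape of document.cookie or a Cookie header) into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name === "") continue;
    try {
      out[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      // Malformed percent-encoding: treat the cookie as absent rather than throwing.
    }
  }
  return out;
}

// Read the stored choice. Anything missing, unparsable, or written under an older
// version of the consent text counts as "not decided", so the default is the more
// private option and nothing is tracked until the user actively opts in.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return { ...NO_CONSENT };
  let rec;
  try {
    rec = JSON.parse(raw);
  } catch {
    return { ...NO_CONSENT };
  }
  if (rec === null || typeof rec !== "object" || rec.v !== CONSENT_VERSION) {
    return { ...NO_CONSENT };
  }
  return {
    decided: true,
    analytics: rec.analytics === true,   // anything but an explicit true means "no"
    marketing: rec.marketing === true,
  };
}

// Build the cookie assignment string for a choice. A refusal is stored too: that
// is the cookie that records you don't want to be tracked. Max-Age of one year
// means the question is asked again annually rather than on every visit.
function buildConsentCookie(choice, { maxAgeDays = 365, secure = true } = {}) {
  const rec = {
    v: CONSENT_VERSION,
    analytics: choice.analytics === true,
    marketing: choice.marketing === true,
  };
  const attrs = [
    `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(rec))}`,
    `Max-Age=${maxAgeDays * 24 * 60 * 60}`,
    "Path=/",
    "SameSite=Lax",                  // not sent on cross-site requests from third parties
  ];
  if (secure) attrs.push("Secure"); // only transmitted over HTTPS
  return attrs.join("; ");
}

// Gate third-party scripts on the stored choice. The site's own essential scripts
// never need consent; everything else stays unloaded until the user opts in.
function allowedScriptCategories(consent) {
  const allowed = ["essential"];
  if (consent.analytics) allowed.push("analytics");
  if (consent.marketing) allowed.push("marketing");
  return allowed;
}

// Simulate the browser round trip: the browser keeps only the name=value pair from
// a Set-Cookie line and sends that back on the next request.
function simulateRoundTrip(choice) {
  const jar = buildConsentCookie(choice).split(";")[0];
  return readConsent(jar);
}

// Stand-alone demo.
console.log(readConsent(""));                                 // nothing stored: no tracking
console.log(simulateRoundTrip({ analytics: true }));          // opted in to analytics only
console.log(allowedScriptCategories(simulateRoundTrip({}))); // refused: essential only
```

The design choice that matters is in readConsent: anything absent, malformed or written under an older consent version is treated as no consent, so the failure mode is "ask again and track nothing" rather than "track by default". Storing a refusal with the same one-year Max-Age is what stops the banner reappearing on every visit.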
But I suspect that we will be inundated by agreements about how our details will be used, and we will all learn to click and accept them all the time, like the cookies. A lot of these types of regulation seem good, but the unintended consequences make them rather less useful. Here's an example from another area. People shouldn't unknowingly be exposed to carcinogenic chemicals, so California has a proposition that says the public must be told. But there are no thresholds on whether the amount is significant, nor a requirement to say which chemicals are involved, nor a directive that you can't say there might be chemicals if you are clean. As a result, anywhere that there is alcohol, cigarettes, maybe coffee, and maybe fried food, there is the warning sign. In fact, it is easiest for every establishment to simply put up the sign. That's easier than being, say, a notary and wondering if some chemical in the fingerprint ink causes cancer at 1 part per billion.

Expect a lot more agreements about what companies can do with your data, and don't expect to bother reading any of them. After all, every time you visit a new doctor you get given a whole HIPAA declaration about the treatment of your medical data (your medical data!), and you sign all of them without reading them. And Facebook has probably been tracking the people you call and text if you are on Android (iOS doesn't allow it)...because you clicked without noticing and gave them permission to do so.

Find Out More

The web is full of information about GDPR, and if you want a consultant to help you, they are everywhere. The best thing I've come across is the Andreessen Horowitz (a16z) podcast "What to Know about GDPR?", which will give you a great overview in just over half an hour.

Sign up for Sunday Brunch, the weekly Breakfast Bytes email.