The GDPR is now the law across Europe. I don’t like it. I think it’s seriously misguided.

It gives me rights and freedoms that I don’t want or care about. Viscerally as a human I’m not concerned what data others have about me. I don’t presume to know or change it, any more than I could reach into their minds and change their thoughts. If some evil magician gave me that power, I would recoil in horror.

I’m now uselessly informed of every way businesses use data. I can’t read a privacy statement any more. Can you? I can withdraw consent, but the other side can withdraw the service or whatever is their side of the deal. The law doesn’t give me anonymity, or discretion, consumer rights, or anything that I care about.

CCTV is everywhere. The phone company tracks me and my calls are logged. My provider knows where I go on the internet. The law does nothing whatsoever to stop state surveillance. It’s privacy theater.

Abusing the law will be fun. Every time I buy something firms ask for my details. I can immediately serve them a notice to erase the data or face millions in fines. I’m sure it’ll be great for European businesses if everyone does that.

Global firms may decide it’s not worth the risk and cut their services from us. Suddenly I face discrimination because of my citizenship, and there’s nothing I can do about it. Good job!

It’s massive jurisdictional overreach and hugely intrusive to enforce. So are copyright and other “worthy” censorship laws, but we need fewer of these, not more.

Terrible legislation. Misguided, and I think mis-sold. The GDPR is last-century politics, fighting the STASI, or big bad Google whom citizens don’t want fought on their behalf.

23 better things than Right to be Forgotten

The recent EU legislation called “Right to be Forgotten” is idiotic. The legislators who drafted it are clueless about digital matters, and this as well as the previous “cookie alert” fiasco reduces the EU’s standing in any substantial debate. Who is even going to listen to the EU negotiator’s arguments if we’ve just passed such farcical laws? Just to put this in perspective, here’s 23 better things the EU could be legislating in the digital domain. There’s probably many more but 23 was a good number to think of.

Consumer rights:

  • One copyright region: Treat the EU as one region with respect to book, music, movie, etc. rights so that buying across member states is allowed, all products are available everywhere, and people can keep their purchases and subscriptions when they move.
  • One communications region: Treat the EU as one with respect to mobile, land phone, and internet providers. No roaming charges, no long distance pricing per country, no other per-country differentiation.
  • Net neutrality: Treat all data equally irrespective of content or source. The same principle that has long been held in the US, and is currently under threat, should be legally guaranteed also in the EU.
  • Open data standards: Products that achieve significant market share in consumer markets (such as office, photo management, etc) must allow import and export of the customer’s data in a format not controlled by any vendor.
  • Own your data: Online services, including ones that are provided free, must allow each user to delete or migrate (download, upload) their data in a format not controlled by any vendor.
  • Buy means buy: Vendors of digital rights such as books, music, movies etc. must use words such as “rent” or “subscription” to indicate rights that are time limited. Words like “buy” or “own” must apply only to permanent and transferrable rights. The selling of other kinds of rights such as “lifetime subscription” must be approved by regulators and labelled on a case by case basis.
  • Commitment for loyalty: Providers of online services that achieve broad market share (such as gmail, facebook, online games, music streaming etc.) must at any time provide a public guarantee that the service will remain available for a minimum of 5 years, or must set a binding date for termination of the service within 5 years.
  • After we’re gone: Providers of permanent, lifetime, or other long-term digital rights (such as iTunes, Google Play, Kindle, Steam) must provide a transition plan in case of service termination, where a customer’s rights either become DRM-free data or are transferred to an equivalent provider free of charge.

Identity, anonymity, and pseudonymity:

  • Open identity: Services that provide a digital identity to the general public (such as facebook, google+, twitter, etc.) must interoperate so that a person can use the identity provided by one service to participate fully in any other service. Log in to facebook with google+ and vice versa, merge feeds, post across services, etc.
  • Pseudonymity: Services that provide an online identity must allow members to register without revealing their true identity to the provider. Services must display whether an identity is verified but otherwise the service treats identities equally (what google+ does).
  • Straight privacy: Online services must display prominently in plain language and less than 1000 words whether the service provides the following guarantees: No revealing the member’s identity; no tolerance for “outing” by a third party; a mechanism to stop impersonation; a means to block unwanted contact; and no revealing a member’s identity or contact details indirectly through pictures, location, social links, etc. Once set, privacy guarantees may never be reduced, even after the service is discontinued.
  • Proper names: Services that provide an online identity must accept members’ names according to the same criteria, if any, accepted by society and must not impose length, word number, format, or other arbitrary restrictions.

Transparency and data security:

  • No back doors: Vendors of digital equipment such as computers, system software, mobile devices etc. guarantee the equipment is free of back doors that would allow a vendor, government authority, or other party to gain access to the user’s data. Vendors must offer return and refund of all affected equipment regardless of age, and may be liable to damages.
  • No recording: Vendors of consumer equipment that can record or transmit audio, video, location, or other data in its vicinity must include physical switches, visual signals, or simple software controls to ensure any recording has the consent of the owner and people nearby.
  • Know your spy: Providers of online services such as cloud computing, social networks, etc. must clearly indicate one country or jurisdiction that a particular user’s data is legally subject to. Surveillance, censorship, etc. may be carried out by that country only. Providers must publish a quantitative anonymised report of such incidents within 31 days.
  • Competent security: Vendors of digital equipment and providers of communication or online services must exercise competent care to ensure that user data is not intercepted by personnel other than those with a technical need to know, by other users of the service, or by outsiders. Providers must inform the public of any data breaches within 3 days and publish a record of all past breaches.

Public service education, self-help, and awareness of limitations:

  • Encrypt it: Governments and telecommunications providers must inform the public that communications, especially email, may be under surveillance and allow and encourage the use of encryption for all communications. Public authorities should educate people, especially young adults, on basic encryption and password discipline.
  • Do not track: Authorities, employers, ISPs, and system software vendors must inform the public that web activity is typically tracked and provide opt-outs such as private browsing. The limitations of these opt-outs must be made clear (like Google does).
  • Insecurity questions: Banks and online services must not use demographic information (such as date of birth, mother’s maiden name) or non-secret personal information (such as pet’s name, first school) to unlock customer accounts. Such information is easily captured by attackers. In-person identification with government-issued ID, or strong passwords must be used.
  • Smell the fish: Corporations and other entities that deal with the public must publish, within one link of their front page, a complete list of web addresses (domains), phone numbers, brand names, or any other channels through which they interact with the public. Authorities must educate the public to check all communications against this list to recognise phishing attempts.
  • Sharing is forever: Authorities and online services such as facebook, blogs, forums, etc. must educate the public, especially young people, that any material posted online is effectively permanent and may be seen by people beyond the intended audience. Everyone has a moral right to renounce their past opinions or behaviour and a legal right to be protected from discrimination on that basis, but people have no right to erase their past from the public record.
  • No suppression: Governments and online services must inform the public that once data such as pictures, recordings, facts, etc. is published online, rightly or wrongly, there is no way to suppress such data. Authorities may pursue a few criminal or politically significant cases, and individuals and rights holders may have civic recourse to “take down” data from specific sites, but there isn’t and there should not be a mechanism of total suppression.
  • Delete is not enough: Vendors of digital devices such as computers, mobile devices, cameras, etc. must provide a simple and usable method to erase unwanted data from the device securely (like Macs do). Authorities and device vendors must educate the public that “delete” is not enough and they must use the secure erase option whenever dealing with sensitive or embarrassing data.

Legislators, in the EU or elsewhere, could perhaps concentrate on a modern and realistic set of digital principles like these instead of retrograde efforts such as fearing cookies and abetting the “reputation management” industry.

There is no “privacy”

I tend to disagree with the common public expectation of “privacy”. I respectfully disagree with the privacy laws common in Europe that put limits on collecting and keeping data on people. Although professionally I greatly respect medical privacy rules, I personally wish we had a different set of rules that put the focus of protection elsewhere. When some court or civil rights organization in some country accuses Google of a privacy breach I tend to think that they bring an outdated, basically wrong, idea of privacy to the debate.

The reason I disagree with privacy is that there’s no such thing. It doesn’t actually exist.

When we think loosely about privacy, in fact, we think about three distinct things:
