GDPR Discussion

flash2015
Gold Donator
Posts: 3200
Joined: Fri Sep 29, 2017 7:55 pm
Location: Planet Earth
Karma: 1155

GDPR Discussion

#1 Post by flash2015 » Tue Apr 09, 2019 12:36 am

I am not sure where to start because there is so much confusion, FUD and talking points written here. Let's clear one thing up first. The original EU cookie directive is NOT from the GDPR so making that the poster child is just wrong. That dates back to 2009. I agree it was not an ideal attempt to start to get people to realize how much tracking is actually done. But if you weren't clearing cookies regularly you would see it once per website. I don't see this as a crazy imposition.

GDPR, however, requires websites to get explicit approval for tracking or keeping PII data. So at least when it comes to a GDPR compliant website, instead of just the plain cookie notification I can now go and choose if I want to be tracked or not which is a great thing! Whilst you can use more and more elaborate technical countermeasures (blocking/clearing cookies, randomizing fingerprinting, clearing browser caches, use Firefox or Brave and avoid Chrome because it is spyware, VPNs, Tor, blocking images/html by default in email, configuring your own recursive DNS, etc., etc.) it is somewhat of a losing battle as the tracking methods become more and more elaborate.

I don't understand the need for "lawyering up" for a simple privacy statement. Perhaps I am missing something here. Can you point to an example of a website writing up a privacy statement in good faith racking up a fine? The GDPR directive asks websites to define in plain English how the data may be used and how long it will be kept. That's it. As webdip isn't in the business of harvesting and selling PII where the lawyers need to obscure the data collection in a web of dense legalese, I don't understand what there is to be afraid of.

The internet may have been designed for information sharing, whatever that means, but it was certainly not the original intent to be a tool of overbearing surveillance. Sure there is no 100% way to secure data but that is true of **anything**. Just because a smart thief can pick the lock on my home, doesn't mean I shouldn't have a lock at all and leave my door wide open (if I did that and I got burgled, my insurance company likely would deny my claim).

And data security is an evolving field. What we saw as designed for security in the 1990s (e.g. GSM vs. analog TDMA as Australian politicians Jeff Kennett/Andrew Peacock are well aware) is seen as woefully insecure by today's standards. GDPR will not fine companies for data breaches if they make them public within 72 hours of finding out...and you don't virtually "leave the door open". I don't see what is unreasonable about that.

Just to dwell on the security cannot be 100% thing a little more. Note that it is also not possible to build a building or a bridge that will 100% never fall down...or an airplane which will never crash (**cough** Boeing 737 MAX **cough**). We don't give architects/engineers/companies involved in this work a special pass for shonky work because "nothing is 100%". The computer industry should be no different.

I work for a major BPM/CRM firm and we have had to build GDPR compliance into the product (I personally had to make some of the changes). At least to my understanding the belief that you need to delete customer records AS WELL from every single backup to be GDPR compliant is not based in reality. Where are we getting this information from?? And backups eventually age out. If you are having to rebuild systems from backups from weeks/months ago, GDPR is likely the least of your company's problems. IMHO this backup concern is complete and utter FUD.

Note that GDPR also replaces a patchwork of individual country privacy laws providing a consistent legal framework across Europe which means more legal certainty for big tech, not less. All except one of the fines against Facebook/Google (e.g. like the tiny UK Cambridge Analytica fine or the Italy $11.5 misleading Facebook signup fine) were pre-GDPR.

Of the 91 GDPR fines that I know of so far, I know of only the one which has affected a non-European company (the $60M French fine of Google). There have been over 60K data breaches reported yet funnily enough very few of those have resulted in any fine. Whilst it is still early days yet, I would expect the trend to continue, that almost all fines will be for European companies (though some of the biggest ones will go to US companies because they are bigger) and almost all data breaches when reported promptly will not result in a fine. Whilst there may be other EU regulation that may seem to unfairly target US companies, at least so far, I don't believe the GDPR belongs in this set.

I don't accept that as a society we should have to say we have no control of our personal data, that it can be bought or sold on a whim and we can say nothing. Ultimately modern societies are built on trust and a big responsibility of government is creating this trusted environment. We have a functional banking system because of the regulatory framework built up over many decades. We have trust in going out to restaurants because of the legal framework built up around food preparation and inspection. We can trust that when we buy a gallon of gas/litre of petrol that we are actually getting what we paid for because of the weights and measures legal frameworks. Whilst it may not be perfect the GDPR is a good first attempt in building that trust in data security.

jmo1121109
Lifetime Site Contributor
Posts: 1099
Joined: Fri Sep 29, 2017 4:20 pm
Karma: 2944

Re: Is Webdiplomacy GDPR compliant?

#2 Post by jmo1121109 » Tue Apr 09, 2019 1:46 am

Flash I have no interest in making the site GDPR compliant and it would take too long to explain why you're wrong about it being absurd for small sites. If you don't like it go find another site or make a github PR rectifying what you see as the problem here.

But as for your assertion that all we'd have to do is add a privacy policy, that's completely incorrect. Which you can find if you go to https://eugdpr.org/the-regulation/gdpr-faqs/ which brings up issues about age confirmation for anyone under 13, which would require changes to how the site registration works, building in "I agree I'm 13".

Then there's the " Demonstrating strong data rights management is important to both customers and employees; they should understand why the data is collected and how it is handled on a legal basis."

Which is the reason for "lawyering up". I will not write a privacy policy explaining how we handle data on a legal basis when I don't have the slightest clue about legality in the country I'm in, much less in Australia where the site is owned, and in a cloud somewhere in the world where the site is hosted. I'm sure this is all easy when you work for a big company that buys an out of the box package solution or pays people a salary to make a site compliant, but searching for how to make your site compliant for free brings up very little useful content.

In fact doing a quick search the top result is this article https://www.hipaajournal.com/make-a-web ... compliant/

Which opens with:

"While most website owners explain in a privacy policy about information that is collected and how it is processed, under GDPR that is not sufficient. It is no longer possible to state that continued use of the website constitutes consent and agreement with the site’s privacy policy.

Consent must now be explicitly obtained through a clear, decisive action. If your website does not collect any personal data (including IP addresses) and does not use cookies and you do not have contact forms or newsletters, you will not have to do anything to be GDPR compliant. All other sites will need to obtain consent.

Under GDPR it is not acceptable to use pre-checked boxes when obtaining consent to collect and process personal data. Users must provide clear consent and if checkboxes are used, they must be manually checked by users."

So if the top rated article on google about compliance isn't wrong, and I'm inclined to believe it'd be correct, then everything you posted is a pile of rubbish. I have way more important bug fixes and issues to code for on this site instead of trying to play a guessing game on how to code "consent" into the site. If it ever becomes an issue I'll just put up a landing page telling Europeans to go away and be done with it. If they choose to ignore that, that'll be consent.

Then let's get into "It must be easy for visitors to make contact should they wish to exercise their right to be forgotten, request a copy of any data that is collected and processed, and check their personal data for accuracy."

I don't have time to build tools to let mods pull data for everyone who comes asking what we have on them. That would require a tool to pull every game message ever, every pm message they ever sent, and a variety of other things. If the EU wants to pay me to do that then fine, otherwise it's delusional to think free sites have the budget for this bullshit.

bo_sox48
Site Admin
Posts: 3901
Joined: Thu Jun 08, 2017 1:01 am
Karma: 2785

Re: Is Webdiplomacy GDPR compliant?

#3 Post by bo_sox48 » Tue Apr 09, 2019 2:37 am

Flash, if I may, webDiplomacy isn't involved in any of the things that you listed in your post. I don't think you mean to group webDiplomacy with all of those other groups, but you are. This thread is about webDiplomacy's status under the new GDPR legislation, not what your feelings are about Facebook's use and sale of your data or Google's struggles to come up with a coherent security plan to meet the new standards prior to the deadline set for them by EU investigators. If you would like to debate the merits of the GDPR legislation's existence and content, you should direct that debate to the politics forum, and the same is true for anyone else interested in having that debate, including site contributors and administration. It doesn't belong here as our opinions of the legislation are not what drive our decisionmaking process.

Regarding webDip in particular -

As jmo pointed out, the requirements imposed by the GDPR legislation are not as simple as you make them out to be and carry rather extensive expectations for a small site that operates exclusively on donations, none of which go toward paying site help. I could go to some other website, copy their privacy statement word for word, create a box that floats around until you click the checkbox, log that the user in question has clicked that box to ensure it never displays again (or, perhaps, use the cookies that webDiplomacy collects to hide the box for your current session), and effectively do what everyone else does, but does that make webDiplomacy technically compliant? The answer is I don't know, and the answer will always be I don't know until webDiplomacy spends some of the donation money that is intended to be used on server costs, improving development, and generally extending the reach of the site on a lawyer from the EU with an expertise in these new laws. For obvious reasons, we aren't going to do that.

If anyone, you included, has any questions about the use of data on webDiplomacy, you are welcome to make a forum thread with a specific question, which I, or someone that can explain it more effectively than I can, will answer. If for whatever reason we can't answer it, we will tell you that we can't answer it. Regardless of our technical compliance with GDPR law, we are an open source site and we do not hide behind some 50-page long, carefully worded privacy policy in order to explain how we operate.

That said, please do not trivialize the work that we do by acting as if GDPR legislation is some simple matter that anyone can and should read, understand, and follow. That is just not appropriate in this context.


Re: Is Webdiplomacy GDPR compliant?

#4 Post by flash2015 » Tue Apr 09, 2019 3:37 am

@bo - Lots of strawmen here. Let's get the confusion out of the way. I really don't care whether webdip is strictly GDPR compliant or not. I did not start this thread!

jmo was arguing that a privacy statement would put the site in legal jeopardy, that somehow providing more information would be worse than providing less. This is all I was arguing about here.

And the only reason why I bothered commenting at all was because of jmo's rant about how the GDPR was not technically sound and it was some sort of EU conspiracy against US companies. I will stand by my claim that this is FUD and not based in reality. If you don't want people to respond to stuff like this it is best if these claims are not made in the first place.


Re: Is Webdiplomacy GDPR compliant?

#5 Post by flash2015 » Tue Apr 09, 2019 3:46 am

Again I don't understand where I was trivializing the amount of work done on the site. How many times do I have to repeat how much respect I have for the time put in? And I am a donator too.

Do I have to put a disclaimer around every single comment?


Re: Is Webdiplomacy GDPR compliant?

#6 Post by bo_sox48 » Tue Apr 09, 2019 4:28 am

Perhaps you just come off poorly, flash. I'm not here to help you figure out why I feel the way I do about what you said or parse through your response bit by bit and tell you where I think you went wrong. In fact, my response to you was designed to a) avoid doing so, and b) guide you and anyone else here toward questions, and answers, that are actually relevant to the matter at hand.

In that spirit, I will answer your question, though I think jmo answered adequately and you might find my answer similar. A privacy statement that is incorrect, incomplete, or noncompliant quite obviously puts the site in legal jeopardy. As far as our everyday business on webDiplomacy goes, we don't often worry about being in legal jeopardy in any respect. Our decisionmaking process is conservative by design to avoid such matters as we are not equipped to deal with them, and even if we had a revenue stream in the traditional sense, we wouldn't make enough off of this site to invest in legal assistance for matters such as this one. That is the crux of jmo's issue with this matter - small sites like webDiplomacy are not properly equipped to adjust to these laws.

As for your final statement, you have effectively baited me, so I'll state my piece and then refrain from doing so again and defer to the politics forum. The European Union is a union of European nations and by definition is interested in the economic, political, and diplomatic stability and improvement of said European nations. It is not interested in said traits of the United States. There are numerous instances in which the EU has seen an opportunity to penalize a non-European organization - most recently, the EU preemptively grounded all Boeing 737 MAX airliners prior to the completion of the investigations into the accidents that spawned controversy. Boeing, an American company, is a direct competitor to Rolls Royce, a European engine manufacturer headquartered in the UK, and Airbus, a European aerospace agency and airplane manufacturer. It may seem conspiratorial to say it, but I find it extremely unlikely that the EU would have reacted so strongly and immediately were Rolls Royce or Airbus under international scrutiny. Boeing share prices dropped dramatically, and both Rolls Royce and Airbus, which is already heavily subsidized by the EU in a manner that the World Trade Organization has deemed to cause "adverse effects" to the United States, saw dramatic increase in their share prices. The EU profited both financially and in the worldwide public relations battle dramatically. I'm not uninformed enough to think that the EU was solely interested in grounding 737 MAX airliners prior to any real investigation taking place simply out of altruism and for the public good, but if you hold onto the same logic that you did in your retort to jmo, you might be.

The same can be said for their handling of GDPR compliance, but jmo already made that case and you either disagree or chose to ignore it - I cannot tell which. Regardless, I'm not going to make it again. I have absolutely no doubt that American governmental organizations would - and do - play the same games with European industrial giants that happen to be competitors of domestic American business and am not trying to establish some moral high ground here, but thinking that the EU would not is naive as can be.

If you want to reply to me, do so by private message or open a thread in the politics forum. I may wade in if I get a few beers in me first. This aspect of this conversation is done here. As before and as always, feel free to ask any questions that are directly related to webDiplomacy's GDPR stance or webDiplomacy's usage of the data we collect.


Re: Is Webdiplomacy GDPR compliant?

#7 Post by jmo1121109 » Tue Apr 09, 2019 4:29 am

flash2015 wrote:
Tue Apr 09, 2019 3:46 am
How many times to I have to repeat how much respect I have for the time put in?
Once for each time you come off as a jackass to the people doing the free work on the site should suffice.


Re: Is Webdiplomacy GDPR compliant?

#8 Post by flash2015 » Tue Apr 09, 2019 11:56 am

jmo1121109 wrote:
Tue Apr 09, 2019 4:29 am
flash2015 wrote:
Tue Apr 09, 2019 3:46 am
How many times to I have to repeat how much respect I have for the time put in?
Once for each time you come off as a jackass to the people doing the free work on the site should suffice.
Last comment. I won't comment in this thread again, I promise! (probably) :razz:

I disagree. I don't think I was a jackass for calling you out for mixing in political stuff with responses to questions, which coming effectively from a site mod, feels like you are speaking for the site as a whole. What makes it worse is bo casting aspersions (i.e. saying that I don't have respect for those that work on the site - I don't think I said anywhere "this site is s**", "the devs are lazy" etc. - I have ALWAYS emphasized the opposite) merely for questioning those "authoritative" political opinions.

I personally don't think this is a good look, especially since a portion of the members (which I don't agree with but respect their right to voicing an opinion) already believe that the site has a political bias. Please don't prove them right.


Re: Is Webdiplomacy GDPR compliant?

#9 Post by jmo1121109 » Tue Apr 09, 2019 1:58 pm

I don't feel I mixed in politics. I know nothing of European politics behind the law, or why they did what they did. What I did here was explain in detail why the requirements of this law are:

1. unclear to the point that dozens of paid companies have appeared offering services to make your site compliant
2. ineffective for overall privacy
3. require legal assistance for small sites to write a legally correct policy per the FAQ of GDPR
4. Would require coding work to become compliant

This isn't political bias, this is frustration with absurd old people imposing laws about a technology they don't fully understand in a way that impacts everyone on the planet using technology and expecting everyone to jump to their whims in a way that would cost millions of small sites money in development while they rake in money from fines.

My political view is that we desperately need privacy advancements in a number of places because most people don't understand anything about privacy online and get taken advantage of. But that has nothing to do with this thread, and I'd be happy to have a discussion in the politics thread about my political views. However in this thread it's amazingly simple. This site is kestasjk's, and on this topic we are not unbiased because we're negatively impacted by expectations of unclear laws. You can see the site creator agrees and that's about all there is to say.

Final note about how you came off, this isn't the first thread you've had multiple people on the site telling you that you come off badly towards the site developers and people volunteering their time here. Just think on it before insisting you don't come off badly.


Re: Is Webdiplomacy GDPR compliant?

#10 Post by flash2015 » Tue Apr 09, 2019 3:45 pm

A non-political response is:
(1) webdip is not and will not be GDPR compliant. We believe there is too much work involved.
(2) We keep data only to run the site. The code is open source.
(3) Here is a summary of what we do do with data.

Anything over and above that (e.g. GDPR is ineffective for privacy, GDPR is technically deficient, GDPR is there just to fine Google and Facebook etc.) IS a political opinion. Many, many technical and non-technical people will strongly disagree with you on this. When you make such broad claims, you should expect a response. It isn't in any way meant to be an attack on you or the site - it is a response to what I regard is a one-sided political opinion presented as irrefutable fact.

My lesson in all of this is just that you are really, really touchy and sensitive. I have to accept anything you say without question, whether this be political, whether it be aspersions on my character or mocking my technological choices that you don't agree with. Even the slightest response from me to any of this will be seen as "disrespecting the developers" irrespective of how many times I say how much I am thankful for all the time put in to make the site what it is. Message received loud and clear.


Re: GDPR Discussion

#11 Post by flash2015 » Wed Apr 10, 2019 1:08 pm

I am not sure there is a point continuing from this thread as it became very toxic. Continuing on with discussion here will probably continue to bring up these toxic points...which aren't really helpful in truly trying to understand where everyone is coming from.

To continue it would probably be best to start new threads on specific topics:

(1) A thread specifically devoted to GDPR - is it technically good/bad? Will it be helpful to privacy? Is it all just yet another way for the EU to tax US companies because they don't have big search engines/social media companies of their own?

(2) Perhaps a second thread to either discuss general European company/competition policy (e.g. include link tax, antitrust etc.)...or something specific to the Boeing 737 MAX case that bo discussed.

(3) Potentially a third meta discussion on when mods become political in non-politics threads. Is it OK to challenge those political opinions? The original GDPR thread was very political, saying it wasn't at the end doesn't change the reality that it was. It certainly feels like political statements by mods (which have nothing to do with the TOS of the site) in other threads cannot be challenged. If that is the case perhaps make that rule explicit? Or suggest a better way to handle it in the future.

I am not going to rush to create these threads...as I would prefer the bad blood to settle down a bit.
