If your needs exceed the data analyzed by it then you should consider rethinking your "analytics model".
I don't have analytics yet on my site (it's a very recent side project). I didn't want to go the Google route because ethics, now I don't even have the choice (I'm French).
I looked at the self-hosted options but it seems overly complicated (I'm afraid installing them on my VPS will kill perfs), so now I'm considering just writing a script to parse Apache's logs.
It takes a few minutes to complete and you can start tracking visits in a privacy friendly manner quickly.
https://developers.google.com/analytics/devguides/collection...
Big tech companies don't park servers in the EU. Is it THAT difficult? Of course it is not, and they just don't want to do it.
On the other hand, big tech companies are happy to park their IP in Ireland (an EU country) in a phony company, simply to avoid paying taxes.
What's the logic?
The issue isn't where the servers are. The issue is what parties can compel them to hand over information. As far as I've read on it at least. And if there is US ownership you have US courts that can demand information they aren't legally allowed to hand over according to EU law.
We entered the market recently with Wide Angle Analytics https://wideangle.co. But there are plenty of alternatives, depending on your needs.
Some focus on visuals, we focus on filters and soon attribution. There is more on the list: https://european-alternatives.eu/category/web-analytics-serv...
Competition is a healthy thing. You DON'T HAVE TO use Google Analytics :)
And if you wonder, yes, the fines are real. Enforcement of GDPR is picking up the pace: https://wideangle.co/blog/you-might-be-facing-gdpr-fine
You mention you store anonymised IPs "Unlike some other vendors, our anonymization process is not reversible.", what is the methodology here?
We mentioned "Unlike some other vendors" because we noticed that not everyone is (or was, at the time of our research) adding a random component. Without that component, salt if you like, you cannot guess the IP, but knowing the user IP and agent, you could find their historical traffic, hence attribute the traffic to an individual.
Our solution can't do it.
This practice has been used and documented in software engineering for now.
Now if they could only declare GMail to be another kind of a racket we would really get somewhere :-)
Send your ad traffic to a unique form per campaign so you know what campaign is generating leads.
This isn't rocket science.
Also, Google Adwords counts conversions for visits for 30 days. Which means on the 1st visit from the ad campaign, there can be no immediate conversion (and that's OK). But if the same person returns to the website (not from the ad) and downloads/signs up that would be counted as conversion attributed to the ad.
It also happens that the CNIL is notoriously more and more lenient on a lot of things.
[1] https://news.google.com/search?q=Cnil&hl=fr&gl=FR&ceid=FR%3A...
Yes I'm a bit pessimistic about this. Let's all hope I'm wrong.
In one of my previous jobs the marketing department complained about Google Analytics not working on one of our pages. GA hadn't been working for about 10 months when they raised the incident. It was such a low priority that it took another 4 months for someone to fix it.
While I get that some people are slightly foaming at the mouth because of GDPR (and this starts an entire debate about an aging political population that doesn't understand technology AT ALL) going overboard, my question is - do we actually use all the analytics that are provided by GA?
How many marketing teams/sales teams/etc actually use ALL the information provided by these tools. Aren't there other better ways to measure your campaign and product performance? Do you just want to see time on site/page? Abandon rate? I mean, most of these tools feel like they concentrate the Western mentality of "I need an SUV because I might have to put in more than 2 bags in my car".
/endRant
Who are these people foaming about GDPR?
The random component prevents that. And yes, there is a trust component. You have to trust that we discard these salts after 24h. We operate in Germany in a legal framework that allows you to sue us if we mislead you. So at a certain point, technology must make place for the legal system.
Because salt is rotated every few hours, never more than 24h, we can, with sufficient probability, determine that two requests are from the same visit/session. So have indication of new/unique visit in short window. Not days, but hours.
If you were to transmit a parameter that additionally attached Personal Data (email, User ID) to that session, then that becomes identifiable and is no longer anonymous. But that is strictly AT YOUR DISCRETION. And we NEVER share it with anyone but you. You will also need to inform your guest, that you associate personal data and ask for consent. But until you do, we cannot identify anyone after the salts cycle.
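An added example, not part of the thread and not Wide Angle's code: a sketch of the rotating-salt pseudonymization described in the comments above, applied to Apache access-log lines. The HMAC-SHA256 construction, the class and function names, and the sample log lines are all assumptions made for illustration; it also computes the unsalted hash to show why that variant stays linkable across days.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict
from datetime import datetime

# Apache "combined" format; no end anchor, so extra trailing fields are tolerated.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

UA_A = "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0"
UA_B = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"

# Constructed sample log (documentation-range IPs), in chronological order.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Feb/2022:11:32:35 +0000] "GET / HTTP/1.1" 200 5120 "-" "{UA_A}"',
    f'203.0.113.7 - - [10/Feb/2022:11:40:02 +0000] "GET /pricing HTTP/1.1" 200 2048 "-" "{UA_A}"',
    f'198.51.100.23 - - [10/Feb/2022:12:05:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "{UA_B}"',
    'not a log line',
    f'203.0.113.7 - - [11/Feb/2022:09:15:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "{UA_A}"',
]


def unsalted_id(ip, ua):
    """Weak variant: anyone who knows the IP and user agent can recompute this."""
    return hashlib.sha256(f"{ip}|{ua}".encode()).hexdigest()[:16]


class RotatingSalt:
    """Keeps one random salt for the current time window only (hypothetical helper)."""

    def __init__(self, window_hours=24):
        self.window_seconds = window_hours * 3600
        self._window = None
        self._salt = None

    def window_of(self, ts):
        return int(ts.timestamp() // self.window_seconds)

    def visitor_id(self, ts, ip, ua):
        window = self.window_of(ts)
        if self._window is None or window > self._window:
            # New window: overwrite the salt. The old one is never stored,
            # so identifiers from earlier windows cannot be recomputed.
            self._salt = secrets.token_bytes(32)
            self._window = window
        elif window < self._window:
            raise ValueError("salt for that window has been discarded")
        mac = hmac.new(self._salt, f"{ip}|{ua}".encode(), hashlib.sha256)
        return mac.hexdigest()[:16]


def anonymize(lines, window_hours=24):
    """Turn log lines into records that carry no IP address or user agent."""
    salts = RotatingSalt(window_hours)
    records, skipped = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1  # malformed line: count it, do not guess
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        parts = m["req"].split()
        records.append({
            "window": salts.window_of(ts),
            "path": parts[1] if len(parts) > 1 else "",
            "visitor": salts.visitor_id(ts, m["ip"], m["ua"]),
            # Included only to demonstrate the linkability of the unsalted form.
            "unsalted": unsalted_id(m["ip"], m["ua"]),
        })
    return records, skipped


def unique_visits(records):
    """Unique visitors per window, counted on the salted identifier."""
    seen = defaultdict(set)
    for r in records:
        seen[r["window"]].add(r["visitor"])
    return {w: len(ids) for w, ids in seen.items()}


if __name__ == "__main__":
    recs, bad = anonymize(SAMPLE_LOG)
    for r in recs:
        print(r)
    print("skipped:", bad, "unique per window:", unique_visits(recs))
```

Because each salt lives only in memory, lines must be processed in time order; a line from an earlier window raises an error instead of being silently assigned a fresh identifier.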
Track hits on a post-download URL
> signups
Count signups in your DB with a source from a hidden field on the form
> Also, Google Adwords counts conversions for visits for 30 days
This stuff is mostly meaningless.
It will be mixed with downloads that come from organic search.
>This stuff is mostly meaningless.
I disagree.
Use a different page/form to track the two separately.
As an EU citizen: Thank you Mr. Snowden, sir! <3
Anyone who's concerned about their data being collected can just block Google-or-like-related domains. Rest is just making life of web developers/admins/tech company owners harder.
Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)
Yes, that's happening, and it's a good one. Privacy Shield was cancelled because of Schrems II. The US simply don't care (intentionally?) to protect any data of people not living in the US. With FISA (Foreign Intelligence Surveillance Act) or "Executive Order 12333" they can get every data they want, even silently. Disclosing that a company had to hand over any data will get them prison time.
This is against the intention and protection the EU set for european people. So if a company is violating these terms, it's good to take action.
If Google can't protect user's tracking data (and they can't - the US law won't let them) then they shouldn't be allowed to hold it.
No, Germany is a big leader in the EU. They are very sensitive to issues around privacy, from the DDR era.
They don't want private corporations having DDR-like folders of information on citizens.
Well, of course, tech companies, especially Google, Facebook, Amazon (and this one doesn't even respect basic work and union regulations and rights) are getting out of hand, making their life harder (if not dismantling them) is the legislator's job.
> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies.
Again, yes, of course, so what ? The US (tech and government) has been prying on the rest of the world with its tech advance and has been using it to spy and gather data it could not get otherwise. France, the EU, are just defending their citizens' rights and their interests, especially economical, against another threat to civil liberties.
Anyone who's concerned about salmonella, hormone levels or animal welfare, can just not buy any products that could potentially contain animal products from countries with weak animal welfare or sanitary laws. The rest is just making life of farmers/shops/wholesalers harder.
Especially with these European intentions, I frankly believe that one single country's laws should be universal and no other country may implement or enforce laws that protect their consumers. The onus to protect themselves from harm must lie with the individuals and governments should not dare inconvenience anyone just to protect their citizens' interests.
What percentage of the general population do you estimate a) will know enough to want to do this and b) will know how to do it?
This requires a level of access and technical skill which most people don’t have. If you have ever tried doing this, think about how many sites break because they have code which assumes GA calls always succeed and then ask what percentage of the population would be able to identify and work around those problems.
So what ? The right to privacy is more important than a select few having an easier time doing business, end of story.
Seriously? People spend tons money and time to track users. If you want to be GDPR-compliant, simply don't save unnecessary userdata and if you still feel the urge to do so, give users the option to control it. It's that easy. Any problems you get from it are of your own making.
> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies
We created the GDPR, but then knee-capped it with safe harbor. Then Schrems sued and the courts dropped it, but the EU simply reinstated it under the name privacy shield. Then Schrems sued again and after having to have a legal battle again, it unsurprisingly turns out that it's still illegal. I can't see how you think of the EU as anything but overly lenient.
I'm not going into anyone's house and force them to give me their data, I'm collecting anonymous data from people who, with their own will, visit my website/use my service. Don't want me to collect your anonymous data? Sure, don't visit my site/use my service then. No one forces anyone. Regulating what tech I can use on my own website? This is ridiculous.
It's not GDPR making life harder for companies, it's the shadowy practices of businesses that are finally being brought to light.
Source: US Citizen, living in EU.
It didn't go that far. But when I saw people plastering Facebook like button everywhere I knew exactly what that meant. That one random corp now can know everything about everybody's behaviour everywhere.
Then Google put out Google analytics and I just switched my sites to this thing. I didn't mind all that much because it was Google and do no evil was still a thing.
But GDPR is something that reminds me of how ridiculous things we accepted as if they were normal just because they were technically feasible.
Imagine going into a travel agent to inquire about a flight. The moment you step through the door 50 people attach themselves to you. Some start recording your every action in a notebook, others flash torches in your eyes, two of them start showing you a video at the same time. And the rest follow you around holding up large ads. And they carry on following you around even after you leave the store!
You might say that it's up to the UK government to fix that, and I agree, but as an individual with no direct influence on the implementation of this service, it's also clearly not the case currently that:
> Anyone who's concerned about their data being collected can just block Google-or-like-related domains
Or at least, they can, but they may be excluded from civic services they are entitled to avail themselves of, which their taxes go towards paying for.
Google knew they were making an illegal business and still went ahead. IMO they should be charged for being a criminal ring defrauding small businesses for SEO as part of a global scheme... if not for helping genocidal regimes surveil/censor/imprison/murder their population as they have been doing for years.
The GDPR is not limited to the internet. So say you go to make a blood test to check your health, GDPR will apply there too, you don't need to go with a fake ID and with a mark on your face, the law protects you from greedy companies so you and your family don't have to use weird workarounds to protect yourself.
IMO it's the other way round: data collection and lack of respect for privacy got out of hand and has been like that for a long time now. It's finally coming under control, albeit slowly. This is not the end of it. And I'm super happy about GDPR.
> Anyone who's concerned about their data being collected can just block Google-or-like-related domains.
Why is it on the victims to protect themselves against illegal practices? We have courts and authorities for a reason.
If it stopped at Google, this would be easy. But GA is just tip of the iceburger.
> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)
I don't believe that at all. But ultimately what I believe does not matter. I'm just happy that right to privacy online is finally becoming a thing.
Got a grandmother?
Yes, you can always avoid the bad behavior of corporations by living in a tent in the wilderness. No, that doesn't mean we shouldn't regulate them.
There are hundreds of alternatives to Google Analytics, developers/admin/companies should just choose wisely. That's what the GDPR is about: end of free lunch for everybody at the expense of people's privacy, choose your shit carefully.
And what about Chrome?
This is different from going on the site of your local company and feeding data into Google analytics involuntarily.
The relevant legislation is about whether or not you agree to data being collected and shared, and the issue is that US companies are essentially data funnels for NSA & co.
They are the same.
[1]: If you clicked on "Password forgotten" on the log in page, they'd just send you your password unencrypted by email.
I guess it's a matter of luck.
Google are the ones spying. The aggregate put on GA dashboard are a minute of the personal info they collect.
>In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the associated data are transferred by Google to the United States.
By getting their companies off GA, European governments are weakening their industry.
This probably holds true for many SAAS products. Many of the best are from the USA. Forbidding European companies to use them is a disaster for the European internet industry.
There are many niche systems that fit specific purposes. Sure GA can benefit from scale and existing profiles with user data gathered in other context, which a self-hosted solution would not have access to. But does it address every need better than specific systems? And is the added benefit worth sacrificing your users' data to google?
Yes, if you only want to count visits and don't have a problem having all bot traffic included. For everything a bit more advanced you need a proper analytics tool.
There is a load of hyperbole in the EU privacy business, and it's coming from the German side which is super sensitive to it. But Germany is a worldwide exception, their laws for censorship and privacy exist for specific reasons, and they shouldn't be propagating them everywhere.
Specifically in the analytics space, I don't think a lot of people are going to pay for analytics. A free version makes sense because a lot of websites don't make money. Google provides it for free because they have a monetary incentive to keep marketers in their ecosystem, other companies don't. (Unless the other companies choose to monetize them just as Google did)
I think the biggest loser however is going to be the decentralized open web.
No, but we could ban ISPs from being allowed to log DNS requests. There's lots of things the ISPs are doing that should not be allowed. It's done completely without our consent. If regulating DNS would have as consequence "to legislate DNS out of existence", then be it.
This was the case before da interwebz as well: Your attending physician/doctor, your local grocery store, your local post office, your employer, your school - they all have a bunch of your private information, and should really not propagate it to the evil US empire, or anywhere for that matter.
> Are we going to legislate DNS out of existence too?
Apparently we haven't legislated straw men out of existence, as you seem to be using one very publicly.
Or to everyone, by leaving it in a giant publicly exposed database enabling massive financial fraud. Thanks Equifax
It's their responsibility to include or not google analytics, though.
IMO we should break away Google entirely and trial their execs for crimes against humanity. They're cooperating with USA, China, Saudi Arabia... by helping murderous regimes deploy their techno-police, how many million people have they helped imprison/murder?
This is a link I often check before traveling abroad regarding photography, and what is described is indeed illegal in France.
Unless your argument is "but how would they know about it", in which case that applies to any other crime.
Wrong. Google Analytics (at least v3 by default) tracks IP addresses, which are considered personal information. [1]
[1] https://www.cookielawinfo.com/anonymize-ip-in-google-analyti...
The problem is that we made collecting user data the easy task while ignoring privacy protection. The fact that Google spend billions to make spying easy does not mean it should be legal. And it's really easy to be compliant - don't collect data. You don't need it to host your website, you really don't.
> I'm not going into anyone's house and force them to give me their data, I'm collecting anonymous data from people who, with their own will, visit my website/use my service. Don't want me to collect your anonymous data? Sure, don't visit my site/use my service then. No one forces anyone. Regulating what tech I can use on my own website? This is ridiculous.
And you're absolutely free to ask people for consent for collecting their data or to simply block visitors from the European union. You can also not collect data or do so in compliance with the GDPR, by the way. All ways are perfectly viable.
But just because I opened a link in my browser does not mean I consent to anything - by that logic, ransomware is perfectly fine, because you visited their website and downloaded their software. This is ridiculous.
But if there's one thing we've learned from the GDPR, what matters is consumer perception, not the underlying tech. A web site isn't a browser.
My way of disagreeing is GA domains in the HOSTS file.
Depending on your userbase, the regular traffic data can be off by significant proportions. I've seen pages where the number of logged-in interactions are higher than the number of Google Analytics hits.
We use server-side stats and for last month I get 30.1% Chrome, 28.8% FF. Now when I compare that to GA: 40% Chrome, 16% FF…
I doubt American companies wouldn't comply with American law, European law is no less important than the American one and I don't see a reason why we should be accommodating towards foreign businesses, especially, again, those of a country which is a threat. Big companies shouldn't serve as a model to follow.
A basic example: government of my country requested all data and payments to/from PayPal to be controlled by them, PayPal naturally rejected it, and they got banned from my country.
Now who is affected? Us! The whole world can use PayPal to send/receive money pretty much everywhere, but we can't.
These regulations and "needing to follow local rules" itself is alone a reason for a completely decentralized-countryless web to succeed.
Apart from “a natural person in the course of a purely personal or household activity” I don’t know of any size exemptions.
There is often no clear dividing line between government and corporations. You give one freedom to abuse privacy and it will be used by the other.
This harms companies, website owners trying to use services, and users (someone using my free site, I need to monetize it, targeted ads was a nice way, now I can't).
I see no upsides of actually protecting privacy.
My kids cannot opt out of Microsoft Teams - it’s a school requirement. People applying for jobs are gonna have to apply online these days.
1. Legal: It's the site owners integrating GA and therefore taking on the liabilities just like they do with every other supplier. When a part in your car fails immediately after you bought it, it's the manufacturers job to fix it even if they acquired the parts from a third party (e.g. Bosch).
2. Practical: A website 100% located in France and catering to 100% French customers is much more likely to fix the problem than the international anonymous machine that is Google.
And the manufacturer can go after Bosch, who is responsible in the end.
> than the international anonymous machine that is Google.
Except the law applies to Europe as a whole, and it's really not that much to ask one of the biggest technology companies in the world to use European servers and anonymize European traffic by default. They just don't want to or don't care. Which both should be reason enough to stronger regulate them.
I think we will see a two pronged approach to the Problem.
On the EU level, the commission and the states will engage Google directly while on a national level individual companies will be "encouraged" to find alternatives.
Uber, Google etc really wants this to be true.
However, it is trivial for a nation state to shut down Google's commercial interest in the country.
Just have the police lock the door to their office and blacklist a bank account or two. If doing business with Google becomes illegal, they will lose almost all revenue except some indirect shell company ads.
Seems way less work to make Google compliant than to figure out which sites in French are actually French jurisdiction.
And the current privacy laws in EU make the free services illegal. How is that any better than the scenario where paid services did not exist?
Isn’t it the other way around? FF by default blocks GA.
They regularly try to do this, as with working from home monitoring, or insurance companies profiling individuals.
Governments can also be governments in name only, see corporatocracism.
Comparing that with what governments can do with data gathered about me, I know which ones I want to be protected from. Unfortunately they are the ones writing privacy laws and they leave huge loopholes for themselves.
Free services may exist perfectly well:
- They must not invade privacy without obtaining consent
- They must not transfer personal information to jurisdictions with privacy controls which are too lax.
If a business relies on doing either of those two things, it deserves all the problems it has.
So much evil was done in the name of pretending to know what people want better than people themselves.
But if you want to contribute to a privacy-violating network that tracks individual users, then that goes far beyond wanting "just to put up a website somewhere".
They are only trying to keep their monopoly on government oversight which is reasonable for a governing body (our citizens = our control).
... you also have to ask for permission first.
The main difference is that for a data processor in France it seems possible to get all the right contracts in place, while a US based data processor is incapable of doing that thanks to FISA and similar US initiatives.
While that's not the issue being discussed here, you should by default only collect & process the minimum amount of data needed for the product/service to function. Analytics aren't part of that and would need to be opt-in.
Imagine that you run a workplace where floor space is relatively expensive. To avoid increasing the floor space, you determine exactly how wide each hallway must be, exactly how much space is required, and build everything to that specification. Your hiring decisions take the weight of an applicant into account, so that nobody will be too large for those hallways. Then a law comes along saying that your coal mine is dangerous, and your use of child labor is unethical. "But look at the cost!", you cry, "I can't afford to enlarge every tunnel to accommodate full-grown adults!" But there was no reason the tunnels couldn't have been built larger in the first place.
There was no reason why the web and the internet could not have chosen to respect privacy by default, and thereby avoid the current costs of changing their software and business models. If it is true that the default apache configurations violate privacy standards, just as any configuration of Google Analytics violates privacy standards, then that is a sign of just how much the regulation is needed.
Collect people's data (and that's what a user analytics system does) and then you're responsible for it, and you have to follow the rules.
Only things like tracking, ads, and sending data to areas without equivalent privacy laws are forbidden. The intent and usage of the collected information is a big part of what is and isn't allowed.
I have a collection of small, US-focused websites.
I'm investigating low-effort ways to geo-fence the EU. At some point it just becomes easier to ban Europeans, rather than keep up with whatever they'll come up with next. I saw in this thread that the Google fonts on my website are now a problem as well!? That's the first I heard of it.
This is the perfect example of why government oversight is needed. You run a bunch of websites and aren’t aware that you are inadvertently involved in violating the privacy of the people who visit your sites. How are non-technical people supposed to deal with this?
A bureaucrat on the other side of the planet comes to a conclusion and I, who never voted for this person or knew about their existence, am legally bound by their decision.
On pain of who knows what fines or penalties. I’m nearly overwhelmed by the amount of work on my core product, I can’t add “keep up with European legal opinion” to my todo list as well.
As I said, it’s simpler to just geofence everything.
Yes, I think we're in a vastly better place, where there is a cost to doing bad things.
(Also, the GDPR is not responsible for cookie banners)
Do virtually any business that involves user registration at some point, and now you need to be sure that you're compliant with all those rules, spending limited resources on that to avoid ridiculous fines.
It benefits only the big players who have lawyers to know exactly what to do and not, and a nightmare for anyone who tries to grow a small business or have a small website.
It's exactly the opposite.
It forces technology to be developed in a way that protects human rights (specifically the right to privacy).
Innovation is not automatically good if you're innovating in the wrong direction. Think of it as a vector, not a scalar.
If someone pointed a gun and forced me to go to a website, enter my personal data and give my data to trackers that would be something else (still not website's fault but anyway).
"Hey Google and Facebook is doing so well let's make harder for everyone using their services."
I neither have sympathy for those companies and never been to US, but after all these GDPR regulations I actually started to sympathize.
https://law.stackexchange.com/questions/42438/do-default-apa...
It would appear public IP addresses are PII. Apache (and most web servers) log those by default.
A case can be made, on a site-by-site basis, that those are necessary for providing the functionality of the site. But that's a hard case to make if the logs are never actually read, and then if they're collected for that purpose, timely deletion is important (and unless your host also configures log rotation and disposal, timely deletion isn't happening).
I'm pretty sure all of this has to be declared in a privacy declaration anyway, even if they are collected for site operations purposes and deleted in a timely fashion. With all these constraints, probably safer to run in a privacy-configured Docker in one of the big Cloud hosts than to stand up one's own apache install.
In addition, that there is an exception allowing the collection of personal data for legitimate interests without prior consent. While that has been erroneously argued to enable a business model (e.g. Facebook's ongoing collection), server security by applying IP address bans would be a more solid case [1].
[0] https://www.whitecase.com/publications/alert/court-confirms-...
[1] https://law.stackexchange.com/questions/28603/how-to-satisfy...
Good for Europe, they are just going to law themselves out of the internet. Up to the point where your ISP doing hops to send your TCP packet will be illegal unless you approve them sharing that info with all the shops.
/s
Web sites are allowed to log data (including visitor requests and IPs) required for the smooth running of the site. It could be argued that keeping logs allows for trouble-shooting so web server logging is probably OK in most circumstances.
However, there is no reason to keep months/years of logs around. Having this data is actually a liability under the GDPR and you should be aggressively deleting logs after a few days.
[0] https://sheep.horse/2018/6/the_eu_general_data_protection_re...
I, for one, would not like to argue this in court. I heard many lawyers advising against storing IP addresses.
And yes, long-term analytics are a no-no. So good luck comparing your website performance year to year or even detecting seasonality.
192.168.1.122 - - [10/Feb/2022:11:32:35 +0000] "GET /audio/pop.wav HTTP/1.1" 206 28366 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0" "-"
The market responding to the law with billions of cookie banners was as predictable as prohibition leading to bootlegging.
And now the regulators are responding to it.[0]
[0] https://www.iccl.ie/news/gdpr-enforcer-rules-that-iab-europe...
The predictable outcome from that ruling is a decentralized solution: a few libraries attempting to build frameworks that are compliant, everyone implementing their own one-off versions of permission-granting and cookie consent using those frameworks as a basis, and the Authority chasing mom-and-pop sites that are out of compliance until the sun goes cold.
In a sense, that may satisfy the goals: the data will be decentralized, stored widely, and harder to aggregate. On the other hand, what we learned from the virus era and the Windows OS monoculture is thousands of nodes running the same software (but not centrally maintained; maintained by people who have a job other than maintaining a website and are therefore slow to patch security holes) will be vulnerable to scripted attacks against frameworks.
My prediction is a net increase in stolen PII and, while individual site-runners will get screwed, the number of sites collecting the data won't go down. It's just too valuable, and the odds you will get hit by a hacker are too low.
In any case, it'll be a hell of a ride.
I feel for my European brothers and sisters these days. As an American, I hardly ever see these banners. Went to an EU country for work and... Holy cow. Y'all get these banners every site. How do you tolerate it?
Thanks to GDPR, we have a much more private web. /s
Also by the EU users losing access to ad-supported free services.
But a fundamental issue with freedom is that sometimes freedoms conflict with each other. Here the freedom to do whatever you want conflicts with the right to privacy of others and the EU has decided that in this instance the right to privacy takes precedence.
I am not free to use a website and give away "my data" by default without having to click Allow All on a damn cookie popup.
The EU politicians unilaterally decided to steal these freedoms from all EU citizens.
The right to privacy is not a freedom. I am not sure it's even a real right. But it was easily accessible even before the current privacy laws, even if it needed a little technical competence. It wasn't the default though. And the current laws do not provide me the privacy I actually need: from EU government(s).
Those companies are free not to do business with you but it is not the EU privacy laws making that decision. Those companies can provide their service in a privacy-respecting way and many will - the EU is not a small market to give up on. You can also use a VPN.
> I am not free to use a website and give away "my data" by default without having to click Allow All on a damn cookie popup.
You think users should need to be technically competent to block cookies but don't want to be technically competent to install an extension like https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a...
And don't forget that those consent popups are likely specifically designed to be annoying in order to get you mad at the privacy laws. Don't fall for it - the EU privacy laws do not require websites to be user-unfriendly.
> The EU politicians unilaterally decided to steal these freedoms from all EU citizens.
I am not going to pretend the EU is a perfect democracy, but ultimately, those decisions are made by those elected by the people - directly or indirectly.
> The right to privacy is not a freedom. I am not sure it's even a real right.
It is a real right that has historically been enforced in many EU countries. The recent laws do nothing more than update that enforcement to the digital age.
> But it was easily accessible even before the current privacy laws, even if it needed a little technical competence.
No, it really wasn't. You can block cookies but you cannot stop companies from tracking you via the 10 million other ways they have available or to trade information about you with third parties. You cannot use technical means to find out what information companies have collected about you. You cannot use technical means to compel companies to delete information they have already collected. THAT is why we have new laws.
Says who?! I have zero problems sending my private data to the US. I did it for years and I still think it is one of the better places to send my private data to. Definitely better than my own country.
> Free content and services. What do you lose in exchange?
Privacy. What I do shouldn't really be anybody else's business.
An ad-targeted web. IMO ads are a plague on useful content, because everything is about getting views and clicks. This makes actual content less useful and more annoying to consume. It incentivizes posting low effort, watered down content rather than smaller amounts of great content. It also means content creators are trying to please the advertiser, and not me.
Risk of manipulation. Lots of effort has gone into figuring out how to best manipulate people, and when you know who somebody is and how to best tailor any given message to them, you can get pretty far. I'm quite sure that I also have buttons that can be pushed if somebody knows how, and I don't particularly like the thought of that.
And why the heck would I want to give my data to a bunch of random companies? What's the benefit in it for me, anyway?
EU bureaucrats are effectively prescribing how the web should work for everyone. Ridiculous.
Free content and services. What do you lose in exchange?
It will take forever to build up a similar ecosystem in Europe and I think most successful European entrepreneurs will just end up starting companies in the US instead.
There must be some reasonable middle ground before we fragment and destroy the entire Internet. Why not start by making a general exception for temporary storage of less sensitive data like IP-addresses for efficiently and cost effectively delivering a web service.
If there is one thing they could start looking in to it would be handling of personal information by governmental organisations. I work a little bit with a few municipalities, and the number of documents with deeply personal information that are just emailed around over unencrypted email is shocking.
We're not fragmenting the internet by looking after our own interests. This wouldn't be an issue if Americans viewed rights (and in this case privacy rights) as belonging to human beings as opposed to American citizens. The US's policy is what led to this:
> Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information
We had PII on Azure. We wanted to do business in France. We had to fork our services, and run a full stack on a crappy provider in France. They charged a lot more, would take weeks of vacation with zero support for us. It was a freaking nightmare.
EDIT: I love the responses I'm getting. People are in absolute denial that this does in fact fragment the internet. You may believe that's a good thing, and that's a rational discussion we can have. But don't lie to yourself, or to me, that this doesn't fragment the internet.
Looking at it from this angle, it seems perfectly reasonable for the EU to dislike the specifics of the analytics use case while still being ok with something like Google Docs.
I, for one, would really like to have more fragments to explore.
Of course you are. This is the only possible outcome of any attempt to impose national rules on an international network. Instead of one global network, we'll end up with several local ones.
The internet is among the most incredible achievements of humanity. I'm glad I got to experience it before they destroy it. By now it's only a matter of time.
At the end of the day we should be doing what is good for the People and somehow it's always assumed that they will/should be the ones impacted when policies like these are enacted.
But Europe has leverage here - I don't think Amazon would want to miss out on a giant market base out of some moral principle and there are probably other levers to be pulled here to encourage that.
Anyway, not adding much to your comment other than kudos.
All the big cloud providers have presences in Europe. What am I missing here?
If the EU has this much power to regulate operations that happen in America, then imagine how much worse it's going to be if you relocate your operations to the EU? In that case you actually become one of their subjects, rather than simply recording information about their subjects.
> Agencies can snoop on non-US citizens but shouldn’t snoop on US citizens
and they went and snooped on US citizens anyway.
I think the only solution would be for them to not collect and store data from GDPR jurisdictions that would violate the GDPR if they were forced to hand it over to the parent American corp.
another 20 years and companies simply won't bother with it at all
[1]: https://fullfact.org/europe/eu-less-important-world-economy/
It’s interesting to see the pattern here: if you can’t innovate, regulate.
Maybe an unpopular opinion, but imho AWS, GCP and Azure are popular with startups because of their generous free credits, not because they are good tools for startups. As a startup you are typically better served by a DigitalOcean-level of complexity, and there are plenty of such offers in the EU (Hetzner Cloud, Gridscale, OVH, etc)
For Mailchimp you have plenty of competition, some of it in the EU (SendInBlue and Mailjet come to mind).
For payment processing there are also plenty of offers, Adyen is probably the biggest European alternative but there are countless smaller ones.
Microsoft Office 365 can be replaced by (shocker) Microsoft Office (the offline version). But most of your documents probably don't even contain PII and would be fine in Office 365 or Google Workplace. The exception is obviously email, but the market is flooded with E-Mail services from any country you like (and your preferred Hoster probably offers an email package too).
So I'm not really sure what part of the ecosystem we are missing here? European companies often have the smaller advertising budget and mindshare, but it isn't like they don't exist.
As an actual startup founder who started as a 1 man startup, strongly disagree.
Spent maybe $200 a month on Google Cloud, got an actual production ready cluster. Scaled up to Millions in revenue, never had to deal with any Linux Server admin BS.
More time on business, less time on Linux Sysadmin.
Also, the offline version of Office is going away, to my knowledge. I think the current boxed version is the last boxed version they plan to sell.
That’s a complete misunderstanding of the cloud’s value proposition. The point of the cloud is to have things “just work” so you can spend more time shipping features and innovating. When I see startups not using it and “rolling their own cloud” by being their own sysadmin I question the strategic decision. To me it’s generally a sign that they failed to raise the appropriate amount of capital and are therefore trading velocity and agility for cost savings.
> So I'm not really sure what part of the ecosystem we are missing here? European companies often have the smaller advertising budget and mindshare, but it isn't like they don't exist.
Also because they can’t scale within a mostly unified 300 million market like US companies can, they have to special case and deal with all special snowflake regulations in every small European country they want to serve.
Plus, that’s not even touching on the engineering talent gap.
I know we've had a lot of issues with a European company we bought; we're both using Microsoft 365 but they're set up in France. I don't think the IT folks ever figured out how to merge them (even though we probably pay a shitton to MS for support), so those folks keep using their old domain (but we can share documents and whatnot, so at least that's set up).
I would call fragmenting these things rebuilding the internet. Not sure how consolidating everyone on a few Mailchimp type services is in anyone's interest.
Recent European judgements seem to make it illegal to embed content from YouTube or Vimeo for example.
I don't see how dividing services up by region will help me anyway. I'd rather be able to choose from a few (I imagine there are more than a few at the moment) international Mailchimps than one in EU.
I have enough things to worry about, I don't want to consider 10 different cloud computing options, 10 different database options, 10 different analytics services. I want to just go with the big popular option.
Heck I'm willing to bet even if more options come up, the most popular option will be some aggregator site that tells you which one to use.
Could this not also be said about US regulations such as CLOUD act, Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333.
I don't think it's accurate to solely blame the EU when this is in response to legislation that gives/gave the US access to all types of personal data on European citizens.
I would argue that the Americans getting better privacy protections and working with other countries instead of forcing American companies to behave illegally abroad would be a much better solution than the Europeans watering down their privacy laws.
American companies will set up independent shell companies or subsidiaries to serve European customers anyway. Microsoft and Amazon are never going to voluntarily leave a market of 400M customers. Doing so would leave too much room for a competitor to grow and then threaten them. So if fragmenting the web means that Europeans get the same services as Americans, but with better privacy, then I am all for it.
Europeans are to blame for the flaws in the GDPR, not for doing their thing without the blessing of the Americans.
I’m Danish and as we’re a notorious Microsoft country I have the most experience with everything Azure, but the fact that Amazon was so quick to ensure that 100% of the workers who ever come near the services they sell within the EU are EU citizens is something that we still look somewhat envious toward. It’s actually an area where Microsoft might eventually run into some trouble if they don’t work on their compliance but I can certainly understand how it’s hard when one of their key selling points to Enterprise is that we can call Redmond.
I don’t think the EU will get into much trouble over this, however, and I don’t think it will have too much of an impact on our tech industry. I do agree that it’s not likely to help European alternatives to Microsoft or Amazon, but that’s not exactly the point of the legislation, is it? It’s there to prevent EU citizens and our personal information from becoming the primary commodity that is sold between giant companies.
Advertisement companies like Google will no doubt struggle with this going forward, but is that really a loss for anyone?
Uh not sure what you're referring to but that's not true. The only airgapped region w/ enforced citizenship was for US citizens in GovCloud.
Building satisfactory alternatives to Office, Workspaces etc. isn't a monumental task by any stretch. With the sudden demand that you predict, they'll spring up like weeds.
This might be ham-fisted and crude, but in the end I see a lot of positives.
Elsewhere "fragmentation" is called diversity and competition. It's sad that it has to come about due to regulation, but it's a good outcome nonetheless.
The familiarity and precedence of current offerings becomes a kind of Stockholm syndrome for people. More options mean more chance of valuable improvements, and geographical diversity means different mentalities and points of view, instead of more "me too" options.
I'm so looking forward to that.
We can create a middle ground. Whenever information about an EU citizen gets transferred to the US, similar information about a US citizen gets transferred to the EU as a hostage in case there is a data violation. A list of IP-addresses accessing usa.gov in return for a list of IP-addresses that accessed europa.eu. Surely a deal can be made that gives both sides equal power.
Privacy abuse on such a massive scale, never before seen in human history, requires action.
And it does not matter how normalised this has become for the people in the valley of the clueless.
Popular video conferencing solutions weren't allowed due to privacy issues. The official "Lernraum" platform that has been used for this did not work most of the time.
I understand where these laws come from, but it's sad that there often is no European alternative
The EU can build it itself when the US players are not able to not send data to their US data centres.
I think you are overestimating the problem. Before Facebook decided that it wanted the European market we had hundreds of similar services. We will have local replacements the moment these US companies with their near unlimited war chests finally fuck off and give European companies room to breathe again.
That's not exactly a great argument here, given that this French court has objectively made the right legal decision here in terms of EU privacy law, and the rights of their citizens.
Will this enable them to comply with the requirements?
I have first hand experience of this, migrating between their global PaaS and the contained German one. The bulkheads are quite air-tight (much to my personal detriment).
But, companies like AWS claim that they voluntarily bind themselves to provide much stricter privacy safeguards than the US law requires[0].
[0] https://aws.amazon.com/blogs/security/aws-and-eu-data-transf...
For quite a lot of business data, the "do not export data out of region" thing is nothing new. Which is why it is not actually unusual to be able to select where the servers are located.
That being said, if this made Microsoft Teams impossible to use, it would make a lot of us happy. That thing is crap.
It is also silly to tolerate tech's incessant fuckery.
If these companies end up banned in Europe, that's not really a problem from Europe's PoV. Europe may end up deciding that US companies not coming is a problem in itself, but that is already the case imo.
Honestly, if this policy is actually enforced, it's very hard to imagine how the landscape would shift. Maybe Europe would be brought to its heels, and be forced to remove the law. On the other hand, maybe the US would be forced to renounce their cloud act, which is a large part of Europe's privacy issues with US companies. A third path could be companies reverse-incorporating in some place that would let them keep in business.
It's a bit hard to predict honestly.
With these various data locality regulations, I wonder if a standard operating approach could be to split tech companies into 3 legal entities, a technology licensing company, a US registered operations company and a Europe registered operations company and hand the shares in all three companies to the current shareholders. This would insulate the Europe entity.
This other post has more comments: https://news.ycombinator.com/item?id=30284820
I love that the plaintiff in this case is the "NOYB Association", as in None Of Your Fucking Business, Google.
The organisation has been involved in nearly all of the last privacy related rulings in the EU and is a real blessing for consumer rights.
0: https://meta.wikimedia.org/wiki/Data_retention_guidelines
The user's browser makes a request to a US server, including the user's IP address.
I legit do not understand how to make French people happy with these laws.
From the article: > "It's interesting to see that the different European Data Protection Authorities all come to the same conclusion: the use of Google Analytics is illegal. There is a European task force and we assume that this action is coordinated and other authorities will decide similarly."
I am really looking forward to seeing how this will play out in the rest of the EU, and which practical consequences it will have.
And, as usual, fellow EU citizens, support NOYB work, if you care about data protection: https://noyb.eu/en/support-us
I mean CNIL does not exactly have a reputation of helping/protecting users... they more have a reputation of being a watchdog who sees no problem with government surveillance programs and does not react when you send them reports of illegal activities surrounding personal data. For their defense, their budgets and prerogatives have been cut so many times they probably couldn't investigate/fine anyone if they wanted to.
Can we cut through the clickbait and see what's wrong here? If my website asks users for their permission to use GA and they click yes then is that still illegal here? I see this as yes it's still illegal.
Also is it illegal because there is an anonymised id number created when you send data? If that's the case then it's not just GA that's a problem but any tracking system i.e. Plausible.
Furthermore given that a randomised unique id is personal data then there would appear no way to use any websites analytics on any website as you have to store this in a DB which will require a unique id per row by design.
What about other data for example a webserver log will contain similar data is that not allowed? If it's not allowed how can I ensure my site is protected as I need those logs to identify and ban hackers.
A French website can not use any American service, right?
Because any American services "are not sufficient to exclude the accessibility of this data for US intelligence services".
For instance, any service that handles health data absolutely cannot have the data be accessible in a way, shape or form by American-owned entities, for any reason.
It's not hard to imagine that, as time goes on, these same limitations will be expanded to other types of decreasingly sensitive data.
And honestly, that's perfectly reasonable. The US government gives itself the right to systematically spy on everything going through US cloud companies. Precedent has shown it can and will use that data against the interests of its supposed allies, even for industrial espionage.
If the US says "every US company must give over European data to the government", then at some point Europeans have to say "US companies can't have European data".
That is irrespective of any legislation or court rulings, it's just common sense.
So unfortunately just moving hardware locations may be insufficient, even forming a new entity won't suffice.
In my humble opinion we are witnessing the nationalization of the Internet, in the name of good intent, but eventually the risk vs reward calculation of doing business across the Atlantic (for either side) will tilt in the direction of avoiding the risk.
Although it could be argued that "good, laws are made for people not for businesses" I'd counter that a great deal of the free information published by US companies and non-profits will become unavailable in the EEA.
I'm hopeful that the DPAs and courts in Europe will decide to balance these concerns.
FWIW: I run one of the more popular data privacy platforms, Osano, so this is an area we track very closely and which is near and dear to my heart. I built Osano as a Public Benefit (and certified B-Corp) to try and prevent the nationalization of the Internet by giving businesses an easy way to respect the rights of their customers & visitors.
We aren't in this mess because the EU somehow wants to nationalize the internet, we are because with current legislation, US companies can be forced to hand over whatever data they possess, no matter where it's stored.
Not a lawyer, but my current understanding of the current events is more or less the EU saying "if it's subject to the CLOUD act, it violates the GDPR". That's a pretty clear indication of what's wrong.
I've already offloaded Google Fonts due to the German ruling. I'm happy to self-host piwik if needed, but could that fall foul of regulators?
From my experience, there are several thousands of people/companies using UXWizz and so far no one has requested this feature yet.
But now that you mentioned, it seems like a pretty useful feature, especially if you can see top performing pages/articles.
I think one reason why people don't care about the specific analytics for a page is that they usually write pages/articles for SEO purposes. To see how well a page is performing SEO-wise, you usually go to Google Search Console (or Bing Webmasters) and see search terms/click-through-rates for that page.
Also, time spent on a specific page is not that useful, typically you want to see: if people are buying stuff, where do people that buy stuff come from and what page do they land on.
To give a concrete example, one such query would be the following, which would show all pages and the average time-on-page, ordered descending by time:
SELECT MIN(page), AVG(TIME_TO_SEC(TIMEDIFF(last_activity, date))) AS avg_time
FROM ust_clientpage
GROUP BY page_hash
ORDER BY avg_time DESC;
1. Since 2020, it's illegal to send personal data to the US because of the invalidation of the Privacy Shield [2]
2. Google said it was okay in the EU to use anonymized IP addresses
3. The Austrian Data Protection Authority (DSB) [3] ruled differently and waived most of the arguments raised by Google. The DSB ruled that even anonymized IP addresses are personal data.
4. The Data Protection Authority of The Netherlands followed by implying that the use of Google Analytics might be banned in the future [4]
5. Now, the Data Protection Authority of France (CNIL) followed
This is a sound decision, but not a new one. It's a confirmation of what has been ruled in July 2020, but now it seems to have more impact.
PS: I'm the founder of Simple Analytics [5] - the privacy-first analytics tool that, unlike other privacy tools, does not use any identifiers.
[1] https://blog.simpleanalytics.com/will-google-analytics-be-ba...
[2] https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-t...
[3] https://www.data-protection-authority.gv.at/
[4] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne... (in Dutch)
[5] https://simpleanalytics.com/
EDIT: changed "PII (personally identifiable)" to "Personal Data"
https://support.google.com/analytics/answer/2763052
I don't understand how this can be construed as tracking users.
I'm not exactly sure what the right way to go about it is (obviously we shouldn't and cannot force every company online to publish whatever anyone wants to say), but fact is that right now you are at the mercy of private companies if you want to communicate online, and restricting freedom of speech to the proverbial "free speech zone" where discussion isn't actually happening is not a healthy state of affairs.
I'd probably at least advocate for something like net neutrality.. ISPs and hosting providers should not work as censors and arbiters of good taste. They should be more like utilities; as long as you're not doing anything illegal, what you do or say is none of their business. Unfortunately this isn't a solution for the common person whose communications are limited to platforms like facebook and twitter.
My Fourth Amendment rights could absolutely be violated by a private website, as they could hand my potentially incriminating private data over to the US authorities, without a warrant and without my consent, and there's literally no opt-out or recourse for me if that data is then used against me by the government.
If you’re not a corporation or a professional who has an office address, you’ll have to supply your own personal data. Visible to anyone on the internet.
Huge opportunities for French tech entrepreneurs.
Huge opportunities for immigrant tech entrepreneurs to France.
Gets the ball rolling for other countries to implement this. And more advanced regulations.
Finally, once US big tech intl influence is on a steep decline, maybe, just maybe, Google will be policed by the US government.
Switching to another solution for analytics might be ok, but losing the ability to automatically optimize ads based on conversion data is a big pain.
Targeted ads pay loads more than untargeted, and you're essentially saying all those companies paying more are in the wrong. Some campaigns even manage 10-25% click through conversions, when well enough targeted.
It’s almost like a more subtle version of China or Russia’s firewall
Within EU government and diplomatic circles, there's actually a term for this: the "Brussels Effect". People who use the term "Brussels Effect" believe that by imposing aggressive rules first, the EU software industry will have a first-mover advantage and a kind of partial "firewall" against some foreign competitors.
In my experience, the potential downsides of the "Brussels Effect" are rarely considered by these people (e.g., reduced competition within the EU, leading to increased costs for other businesses; overseas web service providers being forced to block EU customers, leading to reduced availability of services, etc.).
Another area where you see the same "Brussels Effect" in EU policy/legislative circles are recent moves towards rather aggressive regulation of "artificial intelligence". Not just the recent proposal that was tabled, but also the CAHAI work towards a binding international instrument.
Users on the web love / demand free and aren't willing to pay for a lot of this stuff...
Also what are the implications of cross EU-US chat apps where a person’s name is visible? Doesn't it mean that when a recipient in the US sees the name, the EU person’s data has been transferred to the US?
Apologies if this comment is ignorant, I am not well versed in the topic, but to me it sounds like this is quite an issue for US-EU chat and email apps.
Consent is always a valid legal basis for the processing, or transfer, of data. But it has to be freely given, specific, informed and unambiguous.
Each jurisdiction is going to be slightly different, depending on what the law regarding data protection is like in each place.
Russia hasn't been deemed adequate by the Commission under the GDPR, but it is a member of the Council of Europe (and is thus bound by the ECHR) and it has ratified Convention 108 (and has signed, but not ratified, the modernised Convention 108).
Of course Russia is a deeply authoritarian regime which has no problem violating human rights and international treaties at will so...
These regulations are the only way to dismantle US big tech monopolies. The US government won't do anything about it on its own accord because it's too profitable. Other countries need to neuter the influence of US big tech first. Then the US can police their own better to encourage intl competition if they want to.
The EU combined is the largest economic region in the world. With backdrop the other huge one China where doing business has become increasingly difficult and volatile.
Tech giants cannot afford to pull out of the EU. Call their bluff, they won't. They can't even if they wanted to, as shareholders will skin them alive.
It's not 2011 anymore. The GDP of the US has surpassed the GDP of the EU.
[1] https://blogs.microsoft.com/eupolicy/2021/12/16/eu-data-boun...
It is crazy to me so few realize it is really not much, if at all, harder to run a business without involving US surveillance capitalism corporations.
Tools like Nextcloud, Matrix, Jitsi, have turn-key SaaS providers or you can self-host them easily as well. Same for many many analytics solutions.
I honestly think every company would be better off having more sovereignty in their tech stacks and data, and it is much better for consumers who may not realize they are -also- sharing their data with third parties like Google who use it to sell targeted behavior changes to the highest bidder.
PaaS and IaaS providers all have a presence in the EU or is that still not good enough to pass the regulation that's in place?
SaaS I get it, they'd have to create a presence in the EU but I don't think that's a bad thing. They will, at least the big ones you mentioned. And if that's a problem for smaller SaaS providers then the market will have a solution for that emerge over time.
Wait until you see the result of the green revolution: you'll pay your energy 3 times more than now.
We'll need decades to recover (if we recover) from this ideological move from people that live in la la land and have no idea of the consequences of their acts.
It already has started with natural gas prices skyrocketing. The Russians are holding us by the balls and our politicians are spitting at their faces...
I wish!
I still don't think laws against specific software is helpful though.
And then they will not be able to serve the european market, nor profit off the european economy. Good luck competing with each other for that US market.
And even then it seems risky the EU will deem the business model entirely in violation of privacy laws. It's very chilling
When the EU finally completes their utopian/dystopian ideas of privacy from foreign Internet services, the great firewall of Europe, perhaps then EU regulators will look inward and do the same things?
But for now it all has the appearance of disfavoring International Internet services, as if to encourage regional tech companies to advance.
Which seems reasonable, Europe seems to have lost most of its Tech companies, and that's a problem that needs to be fixed. It's just weird to go about the problem by claiming International companies are in violation.
It's not Europe who blocks anybody, but plenty of US websites just blanket-block EU visitors because they can't be arsed to create a GDPR compliant website.
Which, as a European, in practice feels like running into a great American firewall.
For that simple reason the EU has to step in. There is no other way.
This is what you are wrong about. It would be true if you were from a small country like Sri Lanka or similar but for EU many European companies will smell an opportunity to fill the void.
I support their work to protect the privacy of EU citizens. But I'm also aware that their goal is to replace Microsoft, Google, Facebook etc. with state-owned European enterprises.
European state enterprises can be surprisingly efficient. However keep the Germans out of it. German government IT is still in the Middle Ages. Let countries like Denmark and Estonia build the future of European IT.
In fact this is how most of the companies operate already to cheat on taxes.
The way Microsoft did it for a while here in Norway was to license Azure cloud stuff to a sub operator (EVRY) that is completely insulated except for the licensing agreement.
As it stands, the US part can be owned by a EU company. Or, probably more realistically, both EU and US parts could be owned by a mail box in the Caymans.
Is this true for ownership by individuals too?
If I, an American citizen & resident, owned and operated a company registered to a European nation to serve my European customers (with European hosting), does that make me compliant? Does an American solo founder have a path to compliance at all, or would I be required to collaborate with a completely separate workforce that has no ties to America?
[1]: https://nextcloud.com/blog/microsoft-and-telekom-no-longer-o...
E.g. Amazon already bills me through some Norwegian entity of some kind, to get VAT done right etc.
If they had servers in Norway, I suppose it would have been possible to proxy everything - not just billing - in AWS Norway through this sub operator?
Yes, this is what will happen with a setup of 3 entities, b/c FANG will not want to miss EU revenue.
And let's be explicit here: The entire purpose of the CLOUD Act is to bypass EU data protection laws. The incident that led to the creation of this law is that Microsoft didn't hand data over to the FBI because the data was on a server in Ireland. This isn't an unintended consequence, this is what the law is supposed to do.
If you make it a EU based public company and give control to your own shareholders, it's no longer a subsidiary and your shareholders are holding shares in a European company.
If someone is running a global web site and wants analytics, which of the 2 entities, or both, would he reference in HTML? Even if we're going to region-lock Europe to the European Analytics servers, analytics today often involves some computation done over the entire data set, including both US and the EU, done on the backend. Which backend would that be?
The privacy aspect has become something of a "think of the children" reason for a sort of "Internet xenophobia", as well as creating huge barriers to entry for small companies which cannot comply.
It's easy to do things online as a company of any size, post-GDPR: Don't scrape user data. Done - no compliance required, because the law is not about you in that case.
They gain big benefits by having a single pool of datacenters able to serve users from anywhere in the world. If they needed to guarantee that an EU user would always be served with a machine in the EU, I can imagine it would add at least 20% to their operating costs.
They'd need more equipment both inside and outside the EU to handle failover, maintenance, etc. They'd also have more complexity slowing development down (they can no longer have small services 'mastered' in just one region). And there is substantial extra complexity in application design (what when a tweet from an EU user is retweeted by a US user, but then replied to by an EU user. Where will the text of the tweet be stored? How will deletion be handled?).
For example, will HN have to have separate databases for "comments by EU users" and "comments by US users"? And will they need a process to migrate your account from one to the other?
"It would be so easy if companies could just pay their taxes in one country. Think of how much they could scale their finance department."
The same applies for start ups : "book keeping is such a hassle for start ups, why impose that on them? All these financial regulations are really anti business".
Why is everybody working on the assumption that all this data has to sit in the US?
Keep it in a country with the strictest possible privacy laws, say Switzerland, and no one would complain.
Yes but they are even more reluctant to lose all EU revenue.
The regulations don't ban collecting IPs (nor any PII). They just regulate it to the point that it must be deemed necessary according to certain criteria. I would imagine linking an image may be fine in 95% of cases, but what it would mainly depend on is the logging practices of the image hosting company. Their business would be bound by EU regulation if they are choosing to sell service to an EU-based website, and it's likely that image host that would be liable for compliance.
It's worth adding quite a lot of the regulation here is tied to company size, revenue and scale of data sharing in general, so if you are for example a small business/non-profit you're very likely to be fine either way.
If the purpose is to collect PII and build advertising models like it was with the Google Fonts or the 1 pixel images then it is not ok.
Is the image hosting company really _choosing_ to sell service to an EU-based website if someone adds <img src="http://blah.us"> to their (French) website? It seems like it'd be an unreasonable expectation upon a company (especially one in a completely different country/jurisdiction) to e.g. ensure their existing logging practices _also_ comply with French, Austrian, etc laws.
Surely the user who adds/posts the image on a French site would/should be liable here, not the host of the US-based image (service?), no?
We have a very different view of the CNIL.
Every time I hear about them, they're either giving GDPR fines or signalling illegal government activity, eg: https://www.vie-publique.fr/en-bref/278140-drones-de-surveil...
They don't have political power in itself, but they do use what power they have enthusiastically.
Yes, now think about all the times we don't hear from/about them. It seems that they are doing more as time goes, but they have done little to stop dragnet surveillance, racial/religious/political profiling by the authorities, the deployment of CCTV all across France, (il)legal ⁽⁰⁾ obligations for ISPs to track their users, school restaurants requiring fingerprints to get a meal (yes that's a thing), public services using Google Analytics / Zoom / Microsoft / Doctolib, stingrays operated by police for political repression, and the list goes on and on...
In "digital freedom" (LQDN, FFDN, April, Framasoft, etc) the CNIL is (or at least used to be) rightly regarded as a joke when it comes to human/user freedom, despite having very noble goals. The fact that the press only talks about them when they're doing their job doesn't change that they've clearly failed their mission to protect civil rights in the computer era, despite very good and reasonable legal guidelines dating from 1978.
⁽⁰⁾ French data retention laws are illegal by european standards.
IIRC, they got massive funding with GDPR.
Quite the contrary, those associations have to survive on 'donations', and probably not very high salaries for their staff.
Yes, because you're still passing personal data to the USA, which means US intelligence services can access it.
If this doesn't cut the internet in two, I don't get where the line goes.
So if I hosted my servers in any of the AWS US regions that too would be illegal if they have any personal data in them. In this case personal data is a randomised unique id. So say I have a table of users and all I have is a username and a password and a unique id for the record that's personal data and the customer is not allowed to give their permission for me to store that in a US data center ?
This is incompatible with your data being kept by a US business in the US, which is not subject to that law.
Server logs are allowed as "technically necessary" as long as you show "good will" (I'd call it that way) in keeping the saved data to a minimum. 14 days of log keeping? Fine, that's cool for technical reasons. 14 weeks of log keeping? That's excessive and could get you in trouble.
You can also collect that identifier if 1) you have a legitimate reasons to do so and 2) don't share it with third parties.
If you've sought the visitor's consent then yes it's legal.
From what I can tell: If you ask your users for permission ("informed consent"), then no, it is not illegal. The way I understood the court case in Austria, the disputed point was whether or not the use of GA falls under the GDPR. If it does fall under it, then you are obliged to ask your users for consent ("opt-in"). If it does not, you can use it freely without consent.
Because analytics data isn't worth that much if you collect only part of the data, most collectors of data do not want to ask users for their consent, because most users would reject this.
But IANAL. In any case, please stop using Google Analytics, and self-host your analytics using Matomo, Plausible, or something similar. Matomo can also be configured to use server-side analytics, in which case your analytics become both less invasive (no client-side JS needed) and more complete (can't be blocked by ad-blockers).
I've heard that if you do a non-modal cookie banner, 75% of people just ignore it rather than go into it to deny cookies. About 12% (half of remaining) click accept all cookies. The rest close it again without taking action if they can.
I realize there are folks who go into things and customize everything on every website - most users I think don't care enough.
What's funny -> your ISP might be selling your browsing history. Your TV is selling your watching history and no one cares. But cookie pop-ups everywhere is all these privacy idiots can think about. It's performative privacy, that annoys the heck out of a lot of users and wastes a ton of time.
The basis of regulations is that citizens are too stupid to consent to things even if they are fully informed. Whether that is a good or bad approach is up for debate.
* Is there a list of these "things" if not how is anyone to know?
* Who is policing this ?
* How do you get advice in your own language (not French; Google Translate does a terrible job at translating lawyer speak)?
* What are the consequences if you don't comply ?
We even disabled the cookie based tracking inside Matomo at the cost of not linking different visit sessions. Same session visits are fully tracked though. Saves us a cookie warning.
They're a US company, so you can't use their cloud service, but it's designed to be self-hosted and they have a list of EU cloud providers so you can do 100% EU-based self-hosting if you want: https://posthog.com/docs/self-host/deploy/hosting-in-eu
Based on an open issue[0], it's suggested to run a server with 32GB+ of memory to handle hosting Clickhouse but that would mean self hosting Plausible would end up being $160 / month on DigitalOcean which would make it 10x more expensive than hosting my custom app that I want to see analytics for.
I know you can use less memory but it sounds like using less can result in an unpredictable environment where everything can stop working at any given moment depending on what Clickhouse wants to do. This happened to someone who replied in that issue. Their production set up stopped working because it ran out of memory.
Someone else wrote about it using close to 8GB of disk space to track ~8k page views at https://cyberhost.uk/plausible-3-month-review/. That was only written back in March 2021 too. They said they are going to look for an alternative solution because the storage costs are too high.
1: https://matomo.org/faq/new-to-piwik/how-do-i-use-matomo-anal...
(I wonder why they need to collect analytics information for this page at all.)
People don't have to opt in for you to keep the data for technical reasons, for instance if you keep IP addresses for a while to find and block abuse, but you can't keep data longer than strictly necessary and can't use the data for other purposes than you declared beforehand.
Write down your policies and put them in an (again, easy to read, understand and find) privacy statement and you should be pretty much GDPR-proof.
I track page view counts as simple sums, and it's not feasible to drop an individual user's page counts because I don't have enough info to identify a unique user. In fact, I put no cookies on the user's machine (but that means I have no way to identify a specific user for opt-out purposes for these aggregated page counts).
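An added example (not part of the comment above, nor code from any tool named in this thread): counting page views as simple per-day sums from Apache combined-format access logs, so that no IP address, user agent or query string reaches the stored output. The sample log lines, the bot and static-asset filters, and the function name are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
# The client host is matched but deliberately NOT captured, so the IP address
# never ends up in a variable, let alone in the output.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4}):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<agent>[^"]*)")?'
)
MONTHS = {"Jan": "01", "Feb": "02", "Mar": "03", "Apr": "04", "May": "05",
          "Jun": "06", "Jul": "07", "Aug": "08", "Sep": "09", "Oct": "10",
          "Nov": "11", "Dec": "12"}
# Assumed filters; adjust to the site being measured.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".ico", ".woff2")
BOT_MARKERS = ("bot", "crawler", "spider")


def aggregate_pageviews(lines):
    """Return Counter{(ISO day, path): views} with no per-visitor data."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # malformed line: skip rather than guess
        if m["method"] != "GET" or m["status"] != "200":
            continue  # only successful page fetches count as views
        # The user agent is inspected transiently to drop self-declared bots;
        # it is never stored.
        agent = (m["agent"] or "").lower()
        if any(marker in agent for marker in BOT_MARKERS):
            continue
        # Keep the path only: query strings can carry click identifiers
        # (e.g. gclid) that would re-introduce a per-visitor key.
        path = urlsplit(m["target"]).path or "/"
        if path.lower().endswith(STATIC_EXT):
            continue
        month = MONTHS.get(m["mon"].title())
        if month is None:
            continue
        counts[(f'{m["year"]}-{month}-{m["day"]}', path)] += 1
    return counts


# Constructed sample input (documentation-range IP addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2022:10:00:01 +0100] "GET /blog/post-1?gclid=abc123 HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Feb/2022:10:00:02 +0100] "GET /static/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.23 - - [10/Feb/2022:11:30:00 +0100] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.23 - - [10/Feb/2022:11:31:00 +0100] "GET /missing HTTP/1.1" 404 300 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.99 - - [10/Feb/2022:12:00:00 +0100] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "ExampleBot/1.0 (+crawler)"
203.0.113.7 - - [11/Feb/2022:09:00:00 +0100] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
not a log line
""".splitlines()

if __name__ == "__main__":
    for (day, path), views in sorted(aggregate_pageviews(SAMPLE_LOG).items()):
        print(day, path, views)
```

Because only the sums are kept, the raw access log can be rotated away on a short schedule without losing the statistics.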
It doesn't have the goal conversion metrics and other advanced features of GA, so obviously not a drop-in replacement for all use cases.
No privacy issues to worry about using trackers.
It is not really a replacement for GA though, it collects much less data. We've decided it is enough for us.
[0] - https://umami.is/
Is the EU going to drag them all into court?
This is like saying you never jay walk because you want to avoid the legal hot water. The water isn’t even lukewarm!
Why would they need to? Just hand out fines, like you do with traffic tickets, no courts required.
I'm now wondering if I can scale this for profit.
Not the EU itself... but your competitors, who can not just complain at your respective data protection agency but also file for c&d letters, court injunction orders or penalties.
Well... if you self-host Piwik or Matomo, you're relatively safe and you can avoid a lot of the bureaucracy bullshit that you'd have with external services.
However, check with a lawyer before setting it up, and definitely get user consent for detailed tracking. There are basically two camps of thought how much is allowed without explicit user consent: the more strict camp (which I belong to) believes that it is illegal to even use technically required data (like IP address, browser agent, date/time of visit, URL/query parameters) for analytics of any kind. The other camp is more relaxed and believes that it is OK to conduct basic analytics on that data (justified as "legitimate interest" of the site operator to provide a good experience to the user), but don't set anything like cookies or localStorage that could allow detailed tracking.
It is not yet clear by a supreme court decision which school of thought is going to win out - personally, I follow the requirement of data minimization per Art. 5 Nr. 1 lit c) EU-GDPR. Data that you do not have cannot be stolen, seized, abused or used as justification for fines, after all.
If the web-page's javascript ONLY stores and processes data stored in the client's localStorage to generate the local page, and sends nothing back to the server, so the web-site operator never sees that data, then is the web-site operator processing that data, or is it only the user-agent's operator ?
The web-site operator certainly wouldn't be a "data controller" since it isn't collecting or storing the data. And it's hard to see how the web-site operator would be a "data processor" in that circumstance.
Don't be coy. Call it what it is - an analytics service.
And as such it falls largely in the same bucket as GA, because if someone's using Simple Analytics, my surfing data - against my wishes - is being shared with some random third party. Whether it's less, more or comparably evil as GA is secondary.
It's disingenuous to have problems with websites collecting entirely anonymous browsing data -- that goes beyond any arguments for privacy and just steers into "yelling at clouds" territory.
There is a big difference between "a person's surfing data" or "surfing data of all visitors combined". That's what we promise with Simple Analytics.
[1] https://blog.simpleanalytics.com/why-simple-analytics-is-a-g...
In this case, Google is non-compliant but the gp's service/tool does appear to be. I think you're underplaying the distinction here quite severely.
TL;DR this is about what's illegal, not what's "evil".
Matomo is the privacy-friendly analytics tool that comes to my mind anyway.
(I have nothing to do with Matomo other than I used PhpMyVisites a few years ago. It had time to change its name twice since then)
If you walk into a grocery store, and cameras record which aisle you walk down, which items you stop to look at and which things you buy. Is that legal?
What if the cameras block out your face and all identifying features. Is that legal?
Do you own a blob of a person walking down an aisle? Does the grocery store?
Google Analytics generates a visitor ID by rolling a random number and storing it in a first-party cookie. This is how GA tells that two visits a week apart came from the same user. This value has been ruled to constitute Personal Data. This is a very big deal, and only a little bit surprising.
Can you cite a reference for that? I fully believe that Google is using cookies for this, but that doesn't mean that the legal authority here isn't making the judgment on IP address alone. I believe a recent GDPR decision against Google Fonts was based on IP address alone. [0]
This sounds like some great politicized naming. Removal of the "Privacy Shield" seems to be increasing privacy in this case.
Peace mission.
Why are anonymised IP addresses still considered "Personal Data"? Is it because Google is doing the anonymisation?
The ruling on Schrems II (the court case that struck down Privacy Shield) did not state that SCCs on their own would be sufficient. It said that SCCs + "additional safeguards" would be allowable. There have been several rulings already that SCCs on their own are not sufficient.
The "additional safeguards" must include a risk analysis of US access to EU residents' data. Every court case I've seen from Schrems II onward identifies the US CLOUD Act as the privacy risk to address. CNIL is basically ruling that you cannot transfer data to a US company subject to the CLOUD Act, and an SCC cannot deal with that. This still leaves open the possibility of using US services that are not subject to the CLOUD Act. This is consistent with all rulings to date.
Minor nit - "PII" really isn't the right term to use, because it suggests the info itself must be personally identifiable to an individual. The GDPR covers much more than this, and uses the term "Personal Data".
e.g. Google could make Google Analytics compliant (likely by, as you say, housing EU data in Ireland), but it seems that currently they are not.
Also, beyond the physical colocation of data, there are ancillary issues around data being readily accessible (either by internal engineers/agents or external authorities) from outside the EU to consider as well.
The only people still moaning are Americans and hold-outs like Google refusing to move data.
I still remember arguing about bloating a web app with a 1mb package from AWS so it could use their serverless authentication offering.
Common theme as using those lambda functions - sometimes paying quite a lot for them - to serve requests that would be twice as fast on the proverbial $5 linux instance.
So yeah, looking from the sidelines it feels like a huge amount of added complexity for small teams, "just in case" they need to scale. Which, given how fast modern hardware is, is way further off than they think.
(unless they use lambda functions for every API request. in which case they better learn to scale in a hurry)
If you can read German, you can look at the Austrian decision directly, the complainant has uploaded it at [1] and the relevant section is D.2 b) starting at page 27.
[1] https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Goog...
> In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the associated data are transferred by Google to the United States.
This is an accurate description of GA's pseudonymous identifier. It is not accurate as a description of an IP address. And if CNIL meant the IP Address, they would have said so, as they did in other rulings.
0: https://support.google.com/analytics/answer/2763052?hl=en
If the GUID is related to the user (like user ID), then it is Personal Information - EVEN if the GUID is random. The distinction that is easy to miss is that a User ID GUID might be very low risk (compared to, say actual User Id or user name) - but it is still Personal Information.
If the GUID is for the document (and anyone can edit the document), then it is no longer PI.
Of course, all of this ignores things like the contents of the doc. If the doc is "SSNs of my customers", well... don't do that
In the latter (hotlinking) case the French website would almost certainly be entirely responsible if they operate at scale (excepting user generated content). In the former, it's obviously less clear cut (and also as mentioned revenue & scale are going to be very relevant).
Practical example: a private individual posts a hotlinked image on a French forum. Relevant questions:
- is that user profiting at large scale from data logged on the image server? No.
- is the forum website owner? No.
- is the image host deriving revenue directly from proactively collecting, analysing and profiling user data from readers of that forum post who are based in the EU? Possibly.
- is the image host doing so at large scale? Maybe.
3 & 4 are definitely true of Google Analytics, but broadly won't be true of many image hosts, so your image linking example won't be an issue most of the time.
In the EU/EEA or in a jurisdiction that has adequate level of data protection.
Google has made sure that analytics for Google Ads works best within their own walled garden. Same with Facebook and Twitter with their Pixel products.
Instead of using the Referer header or utm parameters as intended, these large corps send obtuse random IDs (gclid, t.co/<id> links) which only they can correlate to an ad, search query or tweet using their internal database.
So until there is anti-trust action in this space towards more openness and competition, you're stuck with the ad provider if you want tight integration between ads and analytics.
If you're rich enough, be sure to donate some money to LQDN/EFF and others to protect human rights in the digital realm.
The production environment that crashed due to Clickhouse OOM was our hosted product a while ago :) After that, we haven't had any downtime on our Clickhouse DB for over a year.
The issue with disk space stems from a bad default configuration. Clickhouse used to have EXTREMELY noisy debug level logging enabled by default with no rotation. This has been fixed in our hosting repo[1] so you get sensible defaults.
If you don't want to worry about downtime, planning disk space or compute capacity, then that's exactly what we offer at https://plausible.io. We process and keep the visitor data on our Hetzner servers in Germany.
[0]: https://render.com
> I don't have enough info to identify a unique user
If it is not user identifying information, then it should not be an issue.
But that's not what CNIL is basing their decision on: "The CNIL concludes that transfers to the United States are currently not sufficiently regulated...Indeed, although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services."
I probably don't understand the legal issues fully, but it seems the worry is that US intelligence services may be tapping the lines and databases of Google, may have agents working at Google as badged employees, or may be able to subpoena Google (or any US service provider). [for the record, I wouldn't doubt if all the above are true]
I don't see how Google Docs is less susceptible to Google tracking user activity (and by extension US intelligence).
> "CNIL recommends that these tools should only be used to produce anonymous statistical data"
So the tools are not anonymous because the request headers of the client are being logged and used to identify a session, along with what resources on the site were accessed in that session.
Any site operator has this data on their visitors.
CNIL doesn't want sites hosted in France to be making client-side calls to services provided by Google (whether analytics, fonts, etc) or theoretically any US-based service provider because the client request will be logged by that resource host and open to access by US law enforcement? Do I understand that correctly? What's the solution? A site builder can't let web clients make direct calls to any resources in the US? That seems... sweeping, profound, surprising, impactful. Have fun with that.
No need to dig so deep: IP addresses are considered private information under the current EU law, meaning that just opening a client-side connection somewhere leaks that data to that somewhere.
> I don't see how Google Docs is less susceptible to Google tracking user activity (and by extension US intelligence).
There is none. The difference is that the website studied in the ruling was not including resources hosted at Google Docs, and hence no mention of it. If the site embedded or directly linked to a google docs document the same reasoning would have been applied.
> CNIL doesn't want sites hosted in France to be making client-side calls to services provided by Google (whether analytics, fonts, etc) or theoretically any US-based service provider because the client request will be logged by that resource host and open to access by US law enforcement? Do I understand that correctly?
Almost. They don't want any calls prior to explicit user acceptance.
> What's the solution?
For fonts/images required to load the page, use EU-based hosting facilities. If you want to link to a google docs document, a youtube video or something like that, ask the user before following that link.
> That seems... sweeping, profound, surprising, impactful. Have fun with that.
It is, I don't think anyone is denying that. There are several things that may happen here:
1. US tech companies take it as common practice to spin-off EU-based companies that are not subject to US law and store everything in EU soil. When they don't, EU competitors pop up and EU companies use those.
2. The US passes laws that offer EU-level protections to both their own citizens/companies and (at least) EU-based citizens/companies.
3. The EU backtracks on this by adjusting their current laws.
You can't just delete nuclear, coal and natural gas power plants and think the invisible hand will provide. There is no secret plan behind: we're gonna crash then our politicians will blame the Russians and / or COVID but certainly not their incompetence.
Don't get me wrong, I don't want to live in a polluted world more than anybody else, but I also want to take a hot shower daily without it being a luxury expense. We needed to think the transition and do it progressively before. Too late.
They're working on it, but still not everything is entirely regional.
People's ideas about how their technology should serve them will change over time. I don't want to have to overthrow the old internet before we can try something new, I want it to grow with us--the parts that aren't serving us die off, the parts that address new challenges flourish. If it's all one thing, subject to one set of rules, that doesn't happen.
Lucky you.
We need more Western education, not less, which is why fragmentation is a bad thing. My country of birth - in Africa - is aligned with the formerly communist nations; if they had to opt-in to a fragment, it wouldn't have been to the Western one. I might have never been able to emigrate.
Fragmentation seems like a leap backwards in time and a slap in the face of the promise inherent in the free flow of information.
I agree with you though.
2. Assuming you're referring to the Telemediengesetz, there's a second law (Medienstaatsvertrag) which mandates an imprint for anything that's not strictly for "personal or family purposes". Depending on who you ask, those two terms also require a rather narrow reading, so anything beyond a strictly private family diary (careful not to make references to any outside persons or businesses, though, because those entities will then have a legal interest in being able to identify you in case you malign them!) or family pictures or your private Dropbox replacement (ideally all the above should be password-protected and therefore not accessible by the general public anyway) might again already be in a grey area.
2b. Additionally, blogs can enter another grey area where depending on what and how you're blogging about, they might be classified as a journalistic service offering and therefore require an extended imprint, too.
No. What is the EU going to do, besides nothing? If you do business in the EU they will take your business away, and if you don't there's nothing they can do. I'm sure we all break some foreign country's laws every day and there's nothing they can do about it.
I do expect fines to be handed to EU companies and I expect them to pay them though.
> I would venture most of the internet is not hosted in the EU
Most content isn't made in the US, and the US somehow still forced its copyright system on the world.
It might be.
You mean what the SEA people tell you? Yeah, we'll all probably be out of business tomorrow, if we don't run the whole Google stack.
https://www.linkedin.com/pulse/advertising-does-create-deman...
"Internet Service Providers on the European market cannot sell the browser history of their users, without their explicit and informed consent". So they add another paragraph in the sign up screen you have to click yes on to get your discounted service.
This is the failing of the EU model. Users will provide consent to access a service in most cases. To work around that now the EU is jumping through all sorts of highly subjective hoops around what is explicit consent (it's usually pretty darn explicit), coming up with ideas of legitimate interest (talk about subject to interpretation) etc.
Me: "Effectively, in my case, the user is adding 'post-it' notes of their own devising that remain 'sticky' so the next time they visit the same page they'll see their own notes - but those notes are never sent to the server"
Me: "It's effectively the same circumstance as a classical computer program being downloaded by the user, and then used (locally) to create/save files on their local device. In that case you wouldn't consider the author of the computer program to be the data controller, surely?"
ICO (Flynn): "Flynn: Okay that sounds reasonable." ICO (Flynn): "So if your product/service is not dependant on personal data and you are not processing it then you appear to not be captured by data protection legislation."
The logic is understandable. Surely, if you just get rid of the abusive American monopolies the home-grown companies will take their rightful places... right?
The only reason the privacy shield agreement was thrown out was due to lack of safeguards from US intelligence.
Even without the privacy shield, US companies would still be able to store EU data in a country with an adequacy decision if it wasn't for the CLOUD act. This seems more to do with US law wanting access to EU data.
The US does not have to give anything in return to get all the private data from EU they want.
The EU in return gets...nothing.
If you are a politician this is not a great position, you get no money, no jobs and no data.
If they equalize data access, "data sharing" (on an intelligence and on a commercial level) could be a valuable component of future negotiations.
It doesn't matter that the third party storage provider is not under US jurisdiction because the US government isn't trying to compel the third party storage provider to do anything. They are trying to compel the US company to access its own documents that it stored with that third party, using the same mechanisms the US company normally uses when it wants to access its data.
From the third party storage provider point of view there is no difference between the US company retrieving the data because it wants to do something with it itself or the US company retrieving the data because they are being compelled to by law enforcement.
This is really just clarifying that the rules for electronic documents are not very different from the rules for physical documents. If I am in the US and own a document that a US court orders me to produce a copy of I'm not going to be able to get out of that by telling them that the document is in a filing cabinet in a storage unit I rent in Canada or Mexico. No, they are going to order me to either go get that document or have someone go get it for me and give it to the court.
If it didn't work this way every US company that has any documents they think might get them in trouble if they are ever investigated would rent some storage space outside the US, physical space if the documents are on paper and cloud storage space if they are electronic, and store everything there. Boeing for instance would have all its information about the 737 MAX outside of the US. Tesla would have everything related to full self-driving outside the US. Everyone would keep HR records outside the US to make it harder for plaintiffs if the company is ever sued over alleged discrimination.
US law doesn't distinguish these scenarios very much because of the Third Party Doctrine, where data given to a third party has no expectation of privacy. But this is a view rather particular to the US not shared by much of the rest of the world, and certainly not by GDPR (or its predecessors). One way or another, the CLOUD Act is still basically saying that US legal doctrine applies to data stored in other jurisdictions. And GDPR is stating, correctly, that this doctrine is not compatible with EU data privacy obligations. EU policy is very much the opposite of the Third Party Doctrine (and the winds are slowly turning against it in the US as well), and third-party data controllers have positive obligations to safeguard the privacy of data given to them.
Given this scenario, I don't see the nightmare scenario you're posing actually manifesting. EU data protection laws do nothing to curtail Microsoft handing over Microsoft's data. There's just data that Microsoft physically stores which is not legally theirs.
I'm teasing. I accept your new data, but I don't think it fundamentally changes my point.
I know you are just joking, but the sheer irony of a money printer joke in this context was just too much for me to not react :')
The US parent company could not compel the subsidiary to violate the law of the region it was located in.
But what happens when senior data scientists at Google want to do some analysis? Each dataset for each global region can't remain fractured from each other. The subsidiary may not have to hand it over to the US government but does the GDPR prevent data from leaving the EU zone? If not, then local copies in the US would be exposed.
I think there would be a lot of loopholes that needed to be closed. "Will be" a lot might be the better choice of words if France's decision becomes guiding legal doctrine in the region.
I don't think Google would willingly give up that data either so they could be forced to change their practices to at least get that which is allowable under EU law. And I don't want to get too slippery slope in this, but that could mean privacy-minded services begin using servers in the EU as an added layer of user privacy.
And yes, GDPR prevents data from leaving the EU zone if there is then a possibility that GDPR could be violated. That's the crux of the recent court cases in Austria and France. You may not collect GDPR protected data if as a consequence of that collection there is a reasonable prospect GDPR will eventually be violated by ANYONE.
For your example case, all initial data processing would have to physically occur within Europe, performed by a subsidiary not subject to US law, and only after they had reduced it to aggregate data that could not be reverse engineered to get GDPR protected data would they be permitted to export it to America.
In the EU, this would fall under the same data protection regulation as websites, and other local regulations regarding camera surveillance. In short, a store owner can't just secretly record customers.
Do they have to get explicit consent from each customer and save that info for audits?
It’s similar to the UK’s pornography laws being more about surveillance and censorship rather than protecting children.
That's how the internet has been. That's how I feel about US tech giants getting all my data. They write their privacy policy, they dictate their terms, they follow US laws. I have absolutely no choice or voice or vote, unless one considers "yo dawg just build your own internet" a realistic choice.
I don't feel like the purpose is to drive out foreign competition. I feel like the purpose is to enforce privacy as a right, and I fully support it. I also fully support the right to transmit data across borders as long as the destination country also respects my privacy and rights instead of treating me as an alien and potential terrorist. Is that too much to ask for?
And in general, is following the rules of the country you offer a service in too much to ask for? Local laws apply to brick and mortar business; if Walmart wants to come to my neighborhood, sure go ahead, but please respect our laws. I don't see why internet companies should be above the law either.
GDPR is replacing rules dictated by US corporations with democratically established rules written by our representatives. It's unfortunate that there's now a clash between US laws and EU laws, but it's not the end of the world.
imo it's just a thinly veiled protectionist law that will fracture the internet all for the sake of propping up EU incumbents who can't innovate.
...when convenient.
https://jnslp.com/wp-content/uploads/2020/05/Defining-the-Sc...
More like the European Commission did this in an attempt to protect European citizens from having their personal data exfiltrated against their will to the US on order of US law enforcement agencies.
> The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of €250,000 for each violation, or up to six months in prison, for continued improper use of Google Fonts.
So, if you feel brave you can challenge some courts on this.
While the people doing the spying are already doing something ethically very questionable, the person deciding what data is collected on a webservice can still make the decision to contribute to the problem, or be vigilant about data protection.
It's not the DNS calls or phone companies that are more to worry about?
Best thing you can do is not to make use of GA in the first place, so that no such data of visitors of your websites exists in Google infrastructure.
As a private individual I suspect you would not have much to stand on if the NSA knocked on your door.
Another way to be compliant is to not collect PII.
The GDPR extends far beyond the US notion of PII. As I understand it, it covers basically all user-submitted or user-related data if it's possible for that data to be hypothetically tied to an individual in the EU (even if that can be done without your service holding traditional PII).
> As a private individual I suspect you would not have much to stand on if the NSA knocked on your door.
Yeah, a federal agent with a wrench can do anything they want to me (https://xkcd.com/538/), but I'm trying to figure out my options.
That's a good thing. The US notion of PII is ridiculously naive.
And Switzerland is not part of the EU.
When I think "Swiss", "Germany" and "government intelligence agencies" then the things that come to my mind are Crypto AG [0], how the BND started out as a CIA OP [1] and how the very same BND seems to be more interested in pleasing American interests than protecting Germans [2].
Which is btw the same BND who cooperates with the NSA [3] to help them tap directly into one of the world's largest IXP De-CIX, completely legal in Germany [4].
The US made sure of that by pressuring the West German government into watering down the G-10 law [5] during the cold war.
So whatever "delusions" you are referring there to, you have to be a bit more concrete about them.
[0] https://www.theguardian.com/us-news/2020/feb/11/crypto-ag-ci...
[1] https://en.wikipedia.org/wiki/Gehlen_Organization
[2] https://en.wikipedia.org/wiki/ECHELON#Examples_of_industrial...
[3] https://en.wikipedia.org/wiki/Operation_Eikonal
[4] https://www.spiegel.de/netzwelt/netzpolitik/de-cix-betreiber...
[5] https://www.europarl.europa.eu/document/activities/cont/2014...
I don't think it's delusion, I think it is literally correct.
I’d almost rather just give a French company control over some section of the US warehouse if I’m Amazon.
I've often found the slippery slope 'Fallacy' to not be so much of a fallacy in reality when it comes to power.
[Edit] for clarity
And though hacker news likes to be extreme and say "good" to things like this, there is an unbelievable amount of freely available information on the internet. If you had to pay a subscription by site, how many sites would you be willing to pay for? More importantly, how many would the average person pay for?
For other websites, they can ask their community for support. Then maybe we will learn, that we need to pay for good services, or they disappear. That would be better in my opinion than unconsensually becoming the product as the user of the service, because of companies siphoning off personal data and selling to the highest bidder.
Somewhere along the way, we might also realize, that democracies have an interest in having some kind of good news coverage and information pages online. Countries can pay for that. There can be a general tax for maintenance of websites, which are important for the public. I guess this already exists indirectly, because people pay taxes and that money is used to pay people, who work for cities, states and so on and for paying for servers.
I have been running a server for a year or two. Paying for that myself. I get a wage every month from the job, so I can pay for a server. Theoretically I could run lots of services on that server and still only pay the same amount every month. For dedicated people in IT sector wages are often good and they can afford to run a few things out of their own pocket. My guess is many people would do that. Not every website needs to be "financing itself". It is not always about the money. Some people simply want to make a nice thing and are OK with paying for it.
So there are many ways, in which websites can exist without the incessant ads spam and bloat, that we see today.
Besides all of that, ad business is often make-believe by the big players, giving wrong impression of how much an ad actually helps your business and improper conclusion drawing from statistics by marketing departments, instead of data analysts. Funny ones are things like "conversion rate", which doesn't work for a huge percentage of people visiting the website with standard ad blocking solutions. They are not even aware of all those people, because their frontend JS-based tracker wasn't even loaded. In one of my own projects, I saw a block rate of close to 60%. Granted, the targeted audience was quite technical in nature, so they were more likely to have ad blocking solutions in place. But this can show you how far off you can be by just looking at some analytics stats. How many marketing departments are capable of running a proper A-B-test? How many of them have the necessary statistics background to run any study properly and then draw correct conclusions?
This does not scale. At some point, you need to make money somewhere.
>Besides all of that, ad business is often make-believe by the big players, giving wrong impression of how much an ad actually helps your business and improper conclusion drawing from statistics by marketing departments, instead of data analysts.
>How many marketing departments are capable of running a proper A-B-test?
Again you're just digging deeper, further calling out a trillion dollar business for being wrong. Besides that you would likely need thousands of sources to accurately back up such a claim (since there's people paid much more than you, with access to many more resources than you have, have decided this is worth it). You are literally calling out entire departments that likely have a payroll 1000x your salary.
Different reasons would entail different retention times.
But we may observe that some practices are easy to justify, while others are more challenging. Some attempts at justification have been rejected, which means that trying to rely on them in the future is a bad plan.
Also, intent matters. If you're trying to do the right thing, you're unlikely to get into real trouble. The most likely consequence is that you're told you should stop, and given a deadline. If you don't stop by the deadline then it's fairly obvious that you're now not trying to do the right thing.
The vague, uncodified "intent" is my biggest problem with GDPR and GDPR-like laws, especially when it comes to small businesses. Even with the best intent, I've seen startups in my community get into "real" trouble trying to comply with mixed results. Not every company can afford to allocate the time/money necessary to comply with sudden deadlines and/or new technical requirements. Not every company can afford to take the risk of "I think this PII is absolutely necessary, but... could I prove it in court? Can I even afford the lawyers to try?" If I didn't read HN, I doubt I'd even know laws like this new French one even existed; I can't afford to dedicate someone to monitor changing laws around the world.
Saying "it's important for businesses to allocate sufficient resources toward researching evolving law in every country they might do business in, and it's okay if businesses fail if they can't afford to do so" is reasonable.
Saying "if you're trying to do the right thing, you'll be fine" is, quite frankly, the complete opposite experience I've seen from most well-meaning companies in my sphere trying to accommodate GDPR rules with limited budgets.
Of course, I am located in the US so maybe this is the intended result.
The EU gets the services they use....
However from a political standpoint that's as good as nothing.
I did try to click on the top page lists, but those weren’t links. I found "Add segment" eventually, but at least on the demo page it’s not working (for the pages I tried, eventually I found a page with stats), and the interface is atrocious [0] for finding anything and breaks the site [1].
Our website is not posting articles to get people to buy other stuff, but the actual main part of the website (articles, and free or paid product tests; money is made both by selling tests and ads, with the ads not just being generic but specifically bought by companies with often contextual targeting). So my boss usually wants to know what articles do well (and not just from SE’s, we have a lot of repeat visitors), how soon interest drops, etc.
I will add the per-page stats to the Roadmap, as I think it's a useful feature.
I agree, the UI can be greatly improved, and it is something that I will be working on soon, especially making sure all the edge-cases are covered.
Regarding the screenshots, the long page-name indeed breaks the UI, but normally you wouldn't search for a specific page including all the query parameters, you would add something like "/pricing*" (so it matches all visitors that visited the pricing page, regardless of the query parameters). I am still not sure whether I should separate query parameters from URL path, I did consider it but many pages use query parameters to display a different page/content (e.g. /article?id=5, where changing the id of the article leads to a completely different page, maybe I could by default exclude all query parameters and then have the option to keep a custom allow-list).
You can already see sessions count for a specific page using the current segment feature, just add that page name to a new segment, and you can see the count of sessions that saw that page and the referrer (for that specific visitor though, not necessarily that specific page).
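The page-key normalisation weighed in the comment above (drop query parameters by default, keep a per-route allow-list, match segments such as "/pricing*"), as an added example that is not the commenter's product code; `CONTENT_PARAMS`, the function names and the sample hits are hypothetical and constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit

# Hypothetical per-route allow-list: only parameters that select content
# are kept. Everything else (campaign tags, tokens, e-mail addresses) is
# dropped before the page key is stored, so it never reaches the reports.
CONTENT_PARAMS = {
    "/article": {"id"},
    "/search": {"page"},
}


def normalize_page(url, allow=CONTENT_PARAMS):
    """Return the page key to store: path plus allow-listed params, sorted."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    allowed = allow.get(path, set())
    kept = sorted(
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k in allowed
    )
    return path + ("?" + urlencode(kept) if kept else "")


def matches(pattern, page_key):
    """Segment match where '*' is the only wildcard ('?' stays literal)."""
    rx = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(rx, page_key, re.S) is not None


# Constructed sample hits: (session id, requested URL).
HITS = [
    ("s1", "https://example.test/pricing?utm_source=news&email=a%40example.test"),
    ("s1", "https://example.test/article?id=5&utm_campaign=x"),
    ("s2", "https://example.test/pricing/"),
    ("s2", "https://example.test/article?utm_campaign=x&id=7"),
    ("s3", "https://example.test/article?id=5&fbclid=abc"),
    ("s3", "https://example.test/reset?token=SECRET"),
]


def page_counts(hits=HITS):
    """Hits per normalized page key."""
    return Counter(normalize_page(url) for _, url in hits)


def sessions_matching(pattern, hits=HITS):
    """Session ids that saw at least one page matching the segment pattern."""
    return {sid for sid, url in hits if matches(pattern, normalize_page(url))}


if __name__ == "__main__":
    for key, n in sorted(page_counts().items()):
        print(f"{n:3d}  {key}")
    print("pricing segment:", sorted(sessions_matching("/pricing*")))
    print("article 5 segment:", sorted(sessions_matching("/article?id=5")))
```

Normalising before storage, rather than at query time, also keeps values such as reset tokens or e-mail addresses in query strings out of the analytics database.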
Also, there's no reason that collaboration tools must be hosted on a US cloud. Especially Microsoft traditionally provided tools for their customers to host their own infrastructure -- it's only a recent phenomenon that everything is hosted by the vendor themselves.
No need to go cloud everything. I think you can even buy the whole azure pack to run on-site.
I think we underestimate just how difficult it is just to replicate existing services, let alone keep up with the innovation.
It's like the Argentinian effort to stimulate its own computer manufacturing by banning Apple products.
In the end they profit from telling everyone, that they must use GA (or similar tool) to track what is going on on the website and most marketing people will happily jump on that train, because it gives them any kind of data, which they can use to justify things, even if that data is only half the story and cannot be relied upon to give a true picture. "The data tells us so!" makes the job much easier, unfortunately often at the cost of user privacy. And so the make believe, that you must track your users with third party trackers continues and propagates. Then on the development side of things, developers or their higher ups eschew the work needed to implement first party tracking. They want that cake at no cost. Without strong ethics, the website of such an organization is doomed to disrespect the privacy of its visitors.
But anyway, I think even that is beside the point. I think the point is that there are things Europe considers fundamental rights. And the concept of a "right" doesn't.. really.. make much sense if someone can go "btw we'll just violate it, click to agree."
According to Wikipedia, it was struck down by the CJEU, not by a US court:
"The EU-US Privacy Shield for data sharing was struck down by the European Court of Justice on the grounds it did not provide adequate protections to EU citizens on government snooping."
https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield#L...
That is completely unrelated though. The only thing this ruling confirms is that you can not process data of EU residents when you can not adequately protect them due to local laws i.e. the CLOUD act. If your laws allow you to keep the data safe, you can offer your cloud services to the EU market as much as you want. If they wanted to, the US could easily allow companies to guarantee those protections too.
I would not be surprised when, if no solution is found, some of the major cloud providers in the EU end up being e.g. Japanese, Israeli or Canadian.
Careful, there is such a thing as network effect for knowledge. More fractured systems mean more different approaches means less aftermarket documentation means less people being able to work for you.
And that's totally fine, if you think European companies have no competitive disadvantage on the global market to being forced to use traditional VPS providers or build and set up everything themselves. But I imagine it'd be very challenging if other companies outside the EU can go to market faster, deliver better services for lower cost, etc. than their European counterparts because they can use American cloud providers like GCP or AWS.
The US is "allowed" to offer whatever it wants for people to move there.
https://en.wikipedia.org/wiki/Microsoft_Corp._v._United_Stat... (2016) and https://en.wikipedia.org/wiki/CLOUD_Act (2018).
If so, it might end up in court again, and we'll have to see how that precedent gets set out. Will be curious to see how this plays out.
I suspect the issue is rather that Google Ireland are not in fact exclusively housing EU data within Ireland (or the EU in general).
Developing the product itself isn't the reason.
Also, the competing EU-based service might be strong competitors to the ones in the U.S., among people like me who are privacy conscious. I don't use Google services, but I'd be happy to consider using GDPR-compliant services based in Europe.
Libre office is a third option, but does it have much usage? Why or why not?
Could you sustain a development team capable of creating this with a limited market and revenue stream?
Market wouldn't be limited and potential revenue streams would be huge. So yeah. Just as a reminder, this is still assuming that there is a significant window where the big options aren't available for Europeans.
First, it is exaggerated, which is not surprising in today's media and outrage climate. Second, things have changed since Snowden and the congressional oversight had been rolled out. Third, GA is not that valuable compared to other sources.
Your chief complaining would be better spent about how Google uses the data rather than intelligence agencies.
Also note that Google fights against overly broad intelligence / police requests and publishes data on how many they get and comply with.
I think I wrote about the US intelligence thingy, because it was closer to the topic. The question, why the court ruling went this way and what it rests on. If there was no possibility for the US to access the data, then Google could probably simply pinky finger swear, that they are not doing anything evil with the data and EU law might be fine with it.
Does it matter, whether the scenario is "exaggerated"? If it is possible, it needs to be considered by the law. Otherwise it might soon become less exaggerated and more reality than we would wish.
To make this more obvious, the EU is essentially saying that you can create a post service that routes all their letters through the US where they can be opened by the FBI, without any legal recourse.
I'm always amazed how people (even very technical) argue that things are perfectly fine for electronic data when they would completely oppose the same thing for physical things, e.g. letters. I guess years of propaganda have worked
I fundamentally disagree. You can't come to my house with a red hat then demand I never tell anybody you have a red hat and forget I saw it. That's absurd.
* Amazon
* Netflix
* Microsoft
* Uber
I mean the list goes on but these are a really big part of the internet.
So any US company cannot store PII on an EU citizen? If someone from the EU comes to my site to make a purchase, I can't allow them to do that?
The US government won’t honor deletion requests for any IPs it requests from GA, therefore you can’t comply with GDPR if you use GA.
If you don’t share data it’s much simpler. You collect just what you need to do the processing the user consented to. And you delete it when a user asks.
Edited to add: I should say the 2nd paragraph seems to be the regulator's position. It seems a bit extreme to me and I don’t fully endorse it. But my main point was to try to highlight why most essential and consented processing is unaffected by this ruling.
You know any other US based companies? They have to follow the same reasoning.
It might even be if you are a US based company, you have to follow the same reasoning.
As a US company, you are not allowed to store or transfer data considered personal by GDPR of EU citizens, as your company can be compelled by the US government to hand over that data through an opaque/secret order where the EU citizen is not notified nor has the option to challenge this.
It is true that both the EU and China are swiftly heading away from this unprecedented era of technology companies being able to act as they please abroad without impunity. It is an era that the US, which benefits from this arrangement greatly, understandably does not want to leave.
But what matters is why they are doing this, not that they are doing it. And in that regard it is much harder to find similarities.
Just like your name is personally-identifying information and (usually) required to provide medical service.
But being required for service doesn't automatically mean that it can be shared with third parties. You can't share names with third parties. Why would you share IP addresses?
And the act of connecting to a server hosted in another jurisdiction (e.g. America) would require sharing your IP. This could be directly (the entire web service hosted in the USA), or indirectly (some of the web service's assets are hosted in the USA).
If you put a CDN in-front of your web service, then that CDN will most likely be sharing your IP with the host server too. Especially if the web service wants to do something non-cacheable that they can't offer from behind the CDN.
This is how promising companies are swallowed by the market leaders.
Basically the US can’t be trusted to keep its word, so why make it easy for US companies to operate in Europe?
The only problem that I see is that it's hard(er) for US companies to collect data about EU customers. That's hardly a problem for the EU customers; they can just buy from EU importers (if there's no equivalent EU product) or rely on EU service providers.
I don't really see a problem.
So the US needs to move here or it can not happen.
The EU parliament have the people in mind, so they don't think it works and drove the GDPR. The EU courts look at the law and see it's not possible to create contracts, so shot down Safe Harbour and Privacy Shields. The EU courts say standard clauses could work in principle, but see above.
Incompatible laws problem
The internet has multiple visits too. They're just called packets instead.
I don’t like that smaller countries have to rely on larger countries that don’t have their best interests in mind. Not only should France build its own tech infrastructure but so should every other country that can build it.
In the post-NSA age this is vital if you want your country and its population to be secure against cyberattacks and mass surveillance by great powers.
The big difference between France and the USA is that the French people usually either passively or actively support them and do not see any problem with what they are doing and would much rather look at the evil Americans. It's not even a political issue, it's almost seen as a divine right.
That's literally one of the main reasons Macron has been popular: his wannabe Bonapartist "great France" mindset (and even those who dislike him don't usually criticize him on that front) that involves crushing the enemies of France, and a whole lot of illusions of grandeur.
It's also a country where the literal neonazi FN still gets 40% of the votes, but people still laugh about dumb Americans because they voted for Trump. Keep in mind, the only reason we don't see more French droning in Africa is because they lack the ability to do so.
And I'm not American or French, but I've had a lot of first hand experience with the damage France is causing in Africa and I'm very familiar with French culture. Yet I'm almost always amazed by the extent of French grandstanding online.
The USA, because, at least in principle, every individual has some manner of influence over his own government.
Because I do not live in the West but in one of the great majority of countries with a corrupt, abusive government. The democratic governments of the West are the exception, not the rule.
Well, if I may nitpick, it's a federal republic rather than a democracy...
More to the point though, there was this study at Princeton U about the correlation between US government policy and popular opinion on a variety of subjects which found that public opinion correlates very poorly with government policy / legislation passed, but opinions among the very-rich correlate well. Can't remember the exact reference right now.
> and (mostly) obeys laws.
Oh, definitely not. It can well be argued that there is constant mass violation of the constitution. And regardless of this, the US is such a notorious outlaw on the international level that not only does it refuse to accept jurisdiction of the international criminal court, but has in fact threatened action against court staff if the court hears any case against it:
https://www.hrw.org/news/2019/03/15/us-threatens-internation...
Corporations have no defect - They're pure tyrannies."
- Noam Chomsky
And I did live under communism, with absolutely zero corporations. Then I knew tyranny every day. And shortages.
Did Noam Chomsky live under communism by any chance?
I'm OK with websites using self-hosted tools such as Matomo as long as the data never leaves their servers. Analytics is important to any business. But I choose to do business with said business, not with Shopify, not with Google, not with Facebook or Twitter (I'm looking at those "sign in with" widgets that run social media code in my browser) or whatever 3rd party "SaaS" service the website is outsourcing my data to for ease of development or convenience. I don't consent to my data being shared with people I don't know about and did not consent to give a single shred of my information to.
What you're asking for would require a fundamental restructuring of the internet, and of software business models, and a lot of other stuff. I can't see that happening any time soon.
In the meantime you can try using Tor, but good luck not getting blocked on half the websites you want to visit - and you can't blame the website for that (they need DDoS/spam defence).
[1]: https://europa.eu/youreurope/citizens/consumers/internet-tel...
This is kind of ridiculous in the cloud era, isn't it?
The analogy with external accountant up this thread is a good one. It's not about where data are processed, it's about how it's used.
But I agree with your conclusion: what matters is how it's being used. In this case - whether you share/sell it to others or not.*
[*] But not only: it also matters if you take adequate care in protecting personally identifiable information or not.
So do you want “we want to load JS from a CDN like literally everyone does, is that okay” popups on every website?
- reduces the number of TCP connections
- reduces the risk of failure if the relevant edge node can't be reached
Browsers don't support cross-site caching of 3rd-party content so whatever limited benefits there might have been of using a library CDN are long gone
Well, carry on and load it, it's your server.
Oh, wait, you mean you want ME to load it, into MY browser? That's a problem - my browser only loads JS from the origin server, and only if I give it explicit permission.
As a developer, I deplore the use of CDNs to serve javascript libraries; you don't know what the CDN is going to serve to your users, it could change without warning and break your site.
Arguably, they provide code that can be run in your browser, but your browser chooses to run it. And since your browser is a user agent, you choose to run the code by way of installing and configuring a browser that makes that choice by default.
You might never know that they backfeed data into external analytics services. Under this assumption, wouldn't you need to stop using _any_ website, at all?
It's not an "also" analytics service. It _is_ an analytics service.
If a website popped a question saying "Do you consent to your visit data being passed to Simple Analytics for processing?", how many people would say Yes? Close to zero. Just look at the stats on 3rd party cookie refusals - when done easily, the refusal rates are in high 90%. People may be lazy, but they sure as heck know they don't want to be tracked IF it's actually mentioned.
So what you offer is a GA alternative that makes website operators feel better about themselves for not using the GA. The situation with the visitors remains exactly the same - they're still getting shafted with something that none of them wants.
The only way to do analytics in a way that's respectful to the visitors' privacy is with an installable on-host software. That's it.
This is an argument taken to a naive extreme. You can't expect every business to also be in the business of analytics, it's not realistic. There's a reason companies have business partners who specialize in certain services.
It's why you have accountants, lawyers, marketers, etc.. Not every company can afford to have all these specialists on payroll, so you work with a service provider that lets you afford the services in a fractional way. You give them access to your data, including customer data sometimes, and in return they provide you with insights and information from that data.
Analytics is just another service provider like that.
You should of course work with a reliable and trusted partner that treats your customer data appropriately and has strong privacy guarantees.
The problem with GA is not "third party", it's "third party that uses my data for its own purposes" because that's the actual cost of using a free service.
Saying "no third parties at all" is not how businesses have operated since forever.
Privacy-respecting analytics should be self-hosted. No one's arguing against an average business using an analytics service, but that shouldn't be bundled with any "privacy" monikers.
If Simple Analytics were pitched as "not a Google Analytics", this would've been perfectly fine. But they insist on the privacy angle and it just demonstrates they don't grok what tracking concerns are about.
The difference with GA is that GA offers to fill this need of website owners for free while it actually processes and sells the visitors' data for immoral ends. The whole "the customer is the product" deal.
I don't understand why simply sending data from one server to another is seen as such a big deal, the problem with Google and Facebook and the rest is how they build extremely detailed personal profiles that they use to cause social harm. Surely that is very different from tracking which pages get the most views or how much time - on average - people spend on your website?
The only real advantage Simple Analytics has here is that they aren't Google, so they aren't as much of a political target and don't have deep pockets to attract legal predators on the lookout for an oversize payout—which is a pretty thin justification for treating them any differently.
How is that more respectful? I can fingerprint you pretty much the same with server logs (IP, user-agent, ...), don't I? I can even use cookies without any JS.
Why did you move there in the first place, raising a kid there, when just learning the language is apparently a hurdle too big to take?
The problem with Google Analytics here is not that it's a third-party but that it's under US control.
As a US citizen I've contemplated getting my wife residency down there and it's simply ridiculous - as are the hoops I'd have to go through to relinquish my US citizenship and that only matters because the US feels entitled to own me even though I haven't resided there for nearly a decade at this point. US immigration, from the working visa angle, is extremely unpredictable and only really estimable if you've got a large corporation with a whole bunch of lawyers to get your back - spousal visas aren't terrible but most come with some seriously onerous lifetime costs to execute (like taking a year off working).
I know there are a bunch of European countries and they've all got their quirks to immigrate into but you can really trivially get an EU passport and then move around within the EU.
On the other hand Italy denied my application once already, after my great grandparents basically left the country because Italy was not defending their town from Germany. They rejected my application because they say my great grandparents were not Italian but Austro-Hungarians. The lady at the consulate was super racist to my grandmother about it, in my face. After that now there's another way I could get my Italian citizenship by birthright by suing the government because of another racist thing they used to do where women were not transferring citizenship.
Again the US is not great but a lot of these things make me feel whatever "racial tensions" I may be a victim of in the US are mostly the media blowing stuff out of proportion, when most of the "racial tensions" I felt dealing with the EU are actual racial violence or discrimination that either me or my family were victims of.
What does that mean? Are you suggesting that countries should control where their citizens choose to work/live?
If free market were effective, we wouldn't have needed labour laws to keep people from dying in factories where they work 16 hours a day, we wouldn't need laws to make vehicles safe, we wouldn't be desperately looking for agreements to curb pollution and climate change, we wouldn't need laws to protect minorities against discrimination.. hell, I don't think we'd need laws at all because everyone would just rationally and effectively choose good actors & displace bad actors.
It's a nice fantasy, but it's not one we live in.
Even the US knows rules for markets - it’s never entirely free. European laws just set more rules and give the consumers more rights - something I consider useful where there’s a strong imbalance in knowledge and power between the consumers and the companies offering a service.
TikTok was nearly forced to sell parts of its operation so it could continue operating in the US, in India it's actually banned.
> DuckDuckGo's success is an example of that.
As good as DDG is, it's not that great of an example as all the background tech there still relies on Microsoft's Bing, which means there is very much a US-centric search engine monopoly in place.
> that will fracture the internet
Maybe the Internet needs fracturing, we've reached a point where a handful of US corporations control the vast majority of the web traffic [0], that kind of massive centralization is the absolute antithesis to what the web is supposed to be and presents a massive filter bubble in-itself.
[0] https://staltz.com/the-web-began-dying-in-2014-heres-how.htm...
Yes, that's a great example of protectionism that was reversed.
> As good as DDG is, it's not that great of an example as all the background tech there still relies on Microsoft's Bing, which means there is very much a US-centric search engine monopoly in place.
DDG is not the only privacy focused search service. There are others with their own homegrown search engines. I believe some of them are French. This also reflects consumer demand. DDG is only able to evolve and grow based on how many people want to use the service.
The US could coordinate and work with the EU to try and craft laws that span both regions in a unified manner so that businesses can operate more freely but instead they're choosing to subsidize a protectionist agenda by levying a cost on the privacy information of its residents.
The advantage of a service like Simple Analytics remains; it does not store or process any user data.
I love your wording. Regulation mixed with "operating more freely" is oxymoronic. The same can be said with your argument of "subsidizing a protectionist agenda" when you're referring to the lack of regulation and legislation.
> As a counter point - I think it's fair to view the extreme lack of consumer protection laws in the US as protectionism for domestic tech companies. T
The spat between US tech companies and France's ancient media companies is not new. It's very disingenuous to pretend that the purpose of these laws is just to protect consumers.
Regulation is a firm requirement to a free market, without regulation of any kind you will pretty quickly descend into authoritarianism as whoever has the biggest stick will just take everyone else's stick. While there definitely are dangers at the other end of the spectrum if you're fanatically at either end you've got to ignore a whole bunch of pretty well known issues.
Common regulation between jurisdictions allows businesses subjected to the regulatory oversight of multiple involved jurisdictions to operate more freely than if the jurisdictions did not coordinate and instead adopted regulations where it was impossible to comply with one without violating the other.
You shouldn't just pick one word from one part of a statement and a two-word phrase in another part and ignore the rest of the statement in order to create your own argument to respond to.
This doesn't sound like a crazy requirement to me. The giving up other nationalities would be a deal breaker for me though.
The core of the issue is about fundamentally transnational transactions, and who has jurisdiction in that matter.
In this scenario, I feel like the US company would be better off blocking traffic from the EU.
National regulation is a form of centralized economic planning. Is it always bad? No. Is it always good? No.
The internet is just not designed for privacy at a technical level.
The Internet is A-Ok.
The issue lies with various slimy companies that exploit web developers' ignorance, laziness and negligence with free and easy shortcuts in exchange for the private data of said developers' clients.
No one's forcing you to use CDNs in place of a properly setup caching. No one's stuffing Google Fonts down your designer's throat, they are just lazy to add local resources. An analytics service is not required and there are simple self-hosted options. And so on and so forth.
And the most infuriating part is that these companies, Google being the offender, know perfectly well that they are exploiting the ignorance and they are willingly facilitating and encouraging the spread of practices that would've been viewed as wildly unethical not 10-15 years ago.
Just look at the level of general erosion of privacy and nearly universal lack of concern for it in general population. If you reflect on it for a moment, it is plain fucking scary.
> Regulation is a firm requirement to a free market, without regulation of any kind
I agree, but there are lines that when crossed either negate or greatly lessen the overall benefit for most people outside of vested interests.
> you will pretty quickly descend into authoritarianism
Moreover, historically speaking - centralized economic planning tends to devolve into tyranny vs systems with primarily free markets.
This is also much less about protecting consumers than it is about protecting old French incumbents who are unable to evolve.
It's about getting jquery physically closer to your users. And sure upload it to your "own" CDN that you pay Azure or whoever for.
I'd be willing to bet that most web developers don't know about how the browser cache is partitioned.
And most people don't know that it never really worked (apart from perhaps a few Google fonts)
Germany is both a federal republic and a democracy and I would argue the USA are too. Both countries ultimately derive their legislation from the general populace and are representative democracies.
I've seen the claim you made several times, but every time I try to look it up I fail to understand it.
What is your reason to think a federal republic would exclude democracy?
A republic essentially means the state doesn't have a king (head of state by inheritance), but some sort of president which gets elected in some way (not necessarily by the population). A democracy is a category of how decisions get made, i.e. by some vote of the people (demos).
Is there some subtlety I'm missing or is this thing about "federal Republic not democracy" something just always repeated, without properly understanding it?
However if you do not believe that this is an issue that we have to work against I suggest you get out and develop some principles. You seem to only have issues with these things if done by communist governments.
However, communist governments have done that to millions. If you don't see the difference, I suggest you reexamine your principles.
There's a difference between it being a concern for everyone and everyone being concerned by it.
With drone strikes and disappearings?! Wow! Do you have an example?
It was US Military leaks via WikiLeaks that first got Julian Assange onto the USA's hit list, and if and when they get their hands on him, they will make him disappear into a gruesome privatized prison system where he will have no right to be heard, because he published things the government didn't want people to know about.
I don't care if I, personally, will fall victim to this. Trusting the USA is a stupid thing to do, and you have to accept that they are capable of doing a great deal of harm to anyone they want to, regardless of nationality.
Again, do you have an actual example of "good people" being drone striked or disappeared by the US?
You're clearly a tech person so maybe it feels self-evident or easy for you to do that, just like taxes and law seem self-evident to accountants and lawyers, but the average business owner doesn't have time or money - or the skills - to figure all that out on their own, so they hire a service provider.
Do you think accountants and lawyers come to the business and work on their computers exclusively? No, they receive copies of the confidential business data and work on it within their own business environment.
And do you think accountants and lawyers don't include "privacy" in their pitch?
How is that different from analytics saying "we will keep any data you share with us private, and for your use only".
Based on your argument, as a business owner I should purchase and co-locate my own server, because even if I self-hosted my analytics, I'm storing that data on a third party server owned by my hosting provider!
Does US law require accountants and lawyers to give the NSA access to their customers' data upon request, with an automatic gag order attached? If it did, would it still be OK for non-American companies to use a US-based accountant or lawyer?
No, and that's the point I was making! It's a fallacy to say "all analytics providers are selling my data". That's not true, it's Google.
OP was claiming that any third-party analytics are unacceptable, simply because of how Google operates.
That's the discussion in this subthread.
https://developer.mozilla.org/en-US/docs/Web/Security/Subres...
Neither is widespread. Leaving users, especially vulnerable ones, to the whims of businesses.
Privacy isn't a "technical matter".
Better to protect the people from all the bad companies, not just the ones who do business in the EU, right?
Note: I'm only spreading rumors :)
Oh, you just had to deal with a different flavor of BS. Or you were lucky and everything just worked out for you (but why Google Cloud and not some PaaS like Heroku, so you don't have to deal with cloud infrastructure/servers BS altogether?)
I've been both a system administrator, managing GNU/Linux and FreeBSD servers in the ancient ages, and DevOps guy doing all sort of stuff in the clouds. The complexity is still there, it hadn't disappeared in some magic cloud pixie dust, even though sales would wanna tell you that fairy tale. But here's the thing - you never get to dive into those waters (or hire someone to do it for you, be it an employee, contractor or paid support) unless shit hits the fan and forces you to.
You must've cheerfully walked through a minefield and haven't stepped on and even seen any mines. Honestly, I'm happy it worked that way. And hopefully, this minefield is sparse enough those days so you're a rule not an exception - I don't have meaningful statistics. It would be actually interesting to run a poll or something. I just happen to have seen a few companies/people for whom clouds weren't all unicorns and rainbows.
And as for the flavors - it just happened that you knew how to set up stuff in Google Cloud. Had you happened to know how to spin up a simple instance on Digital Ocean instead and gone that way, and been lucky enough not to encounter any serious issues, it would've been the same painless experience, just a different flavor.
The big cloud providers have a variety of offerings of different complexity. Using GCP as an example: want k8s with all its flexibility and complexity? You have GKE. Want to still run containers, but abstract away all the cluster resource management? CloudRun. Abstract away the container itself? CloudFunctions. AWS has EKS, ElasticBeanstalk, etc.
I understand people get overwhelmed the first time they're dropped into the console of these cloud providers but really it just takes a bit of reading to figure out what you should/shouldn't care about. And the benefit of doing so is enormous.
Privately I host nearly everything on a shared host in Germany (that is everything I can host without sudo) [1].
For company policy reasons I must absolutely use AWS or GCE.
For an internal project I need to set up Matomo. Something I did thrice in the last few months on [1].
OK login through SSO into AWS. Look around, ask Google, find the bitnami image, click a few buttons. Done. OH shit. Now I need to somehow make it publicly available. OK. Google again. Ah this is the way. A few hours of reading and clicking later I have a publicly reachable Matomo instance. Oh hey. It warns me that it is not SSL encrypted. OK. How to do Let's Encrypt? Google again with my second batch of coffee (or was it the third). Found an easy way, just enter a command in the shell. Oh hey, how do I get my ssh pub key into my EC2 instance?
Damn the day is nearly gone and I have yet to deliver this tangential asset to an internal project while killing my CCI (how much I am booked on client work) for something that the first time took me 30 minutes with the great documentation from [1].
To me as a meager Data Analyst the complexity of cloud offerings is a nightmare. And the documentation is written for other echelons of tech understanding most of the time.
[1] uberspace.de
Managed K8s. Openstack.
When we started paying for it, it was still cheaper than AWS.
Just because AWS is the default, does not mean you should use it.
Disaster recovery planning is a practice we should all adhere to. Hindsight is 20/20. Not trying to be a smartass. I know it was painful for a lot of folks.
At the same time, unless you paid for managed service with clear SLAs, then responsibility is yours.
Cloud is just someone else's computer.
FYI: we started with OVH before the fire
Still prefer Google, as they are the OG for k8s.
Today circumstances have changed. You need a hassle-free scalable DB, then AWS RDS might be your best choice. Maybe.
You need open standard IaaS, well, there are a ton of options.
Even before K8S, you had an option of Openstack with Ansible. Yes, very different beast, but still much _simpler_ and _cheaper_ than stocking up on a large number of IT professionals.
We might spend more time messing around with AWS than our colocated servers.
Whichever one let me pay rent at the end of the month
Might I ask you what kind of product your 1 man startup has?
Pros and cons to being in a crowded market.
From day 1, you KNOW there is demand for your product. You can look up Channel Advisor and see the revenue. And 20 smaller companies under fighting for the rest.
Cons of course being, you have to figure out how to compete with all of these guys ;)
But I can always be wrong, so I am open to examples.
No, I’m pointing to the exact subject of discussion, the suggestion that the US and EU, who currently do regulate and do so independently, could coordinate regulation.
That seems like a very reasonable requirement. How can you expect to participate in society, especially elections, without a decent command of the local language?
By hiring a local accountant and paying a small fortune in taxes? If I learn the language then yeah cool maybe I'll get into their politics thing but it's not that if I don't vote I'm not going to be a productive citizen. A lot of countries let you become a citizen without learning their language, most notably the US.
Being a part of society is a lot more than working and paying your taxes.
> A lot of countries let you become a citizen without learning their language, most notably the US.
An English test is required to become a naturalized US citizen. https://www.uscis.gov/citizenship/learn-about-citizenship/th...
And no: the GDPR isn't just about GA, and it isn't just about the internet; it's about any personal information.
Don't put words in my mouth. I was not claiming that.
Third-party analytics _that bill themselves "privacy-first"_ are still not what any user would consent to voluntarily, so the "privacy" angle is largely irrelevant. What they should be billing themselves as is "not Google Analytics", which will be factually correct and somewhat relevant.
> Don't put words in my mouth. I was not claiming that.
You stated that only self-hosted analytics were acceptable. Your exact words were:
> The only way to do analytics in a way that's respectful to the visitors' privacy is with an installable on-host software. That's it.
This implies - to me - that in your view all third-party analytics are unacceptable from a privacy perspective.
I'm not sure how else I was supposed to parse that statement?
Either way, I disagreed with that, and said it's certainly possible to work with third-party service providers, of many kinds including analytics, while still respecting your customers' privacy.
And I was talking about my government, not yours.
This isn't a case of doublespeak at all - it's just that the world isn't a simple place.
> regulations often help to make free markets more free.
No. They do not. That's nonsensical. The whole point of regulation is to exert control over something for better or for worse, depending on the situation. That's the exact opposite of freedom regardless of the consequences.
Your analogy is poor because it doesn't mirror the original quote. A better analogy that mirrored the original quote would be, "We need to murder people in order to save their lives." It makes about as much Orwellian sense as saying, "There's freedom in slavery."
I’m specifically addressing how the statement which branched this sub thread off was, itself, a non-sequitur to the statement it pretended to rebut.
There are many good arguments in favor of regulation, but that is not one of them, despite all the mental gymnastics being done to pretend that it’s a good argument.
It's not against the law to just walk in; or rather, it's the civil offence of trespass - you can sue the trespasser for damages, e.g. causing wear on your expensive carpet (but you'd have to produce evidence of monetary damages). And you can physically remove them, perhaps with the help of a bailiff. But the police won't help with common trespass - it's not a crime.
[Edit] At least, that's how I understand the law here. IANAL.
In what way? I agree that personally tracking an individual and using psychology tricks and whatnot to trick them into buying stuff is bad, but if it's just a company knowing what works well for them, I don't see the argument.
> when you go shopping and pay with cash in a store with no surveillance, your shopping habits are being shared against your wishes with a random third party
Retail stores also use your shopping data to target you with ads. Credit cards also obviously sell your purchase data to anyone willing to pay for it. I wouldn't be surprised if retail stores even sell your cash purchase data to any third party willing to pay for it.
Information is valuable, but it is not holy.
Analytics isn't that. Analytics is tracking a customer walking into the store and looking for which store they came from. Analytics is noting down how long a customer spent holding a blue item, if they looked at a big red item, and noting it down because it might matter. Analytics is seeing how the customer went back and forth between one aisle and another. Whether looking at one item made them less inclined to look at the next. Analytics is hoarding all of that information and keeping it even if the customer doesn't make a purchase.
Of course stores have been looking at how and why and when customers shop for years, but through consensual studies. They learnt to put the fruit at the entrance and the sweets at the exit. They learnt to put their high value items at eye level. And they didn't do it through spying and analysing the behaviours of everyone walking through their doors. They didn't keep years of CCTV with the sole excuse that they might want to see how long you lingered between deciding on diaper brands.
The web has no excuse.
How, you don't enter your name when you pay with cash.
Also in the EU it is illegal to share any personal info in the physical world too, say you go and make a subscription to a gym, they can't share your data with a third party unless they make you sign a paper first.
Edit: typos
You don't need to be identified by name, just by a "fingerprint". If you go there regularly you will be identified by your "fingerprint".
"Oh, it's that one privacy nut again who always wears sunglasses and a hoodie and only pays in cash"
And the store person will then what? Open Excel and write "a dude with glasses was here at 12:51"? and then send the file to 100+ partners?
>You don't need to be identified by name, just by a "fingerprint". If you go there regularly you will be identified by your "fingerprint".
So the physical stores have some shady dudes attempting to lift fingerprints from money then some statistics guy try to put probabilities on which fingerprint matches which anonymous guy?
Here in my country you still pay with cash and the store people put it in a machine and combine it with money from other people; it would be a lot of work and risk for some shitty nano reward.
Edit: typo
(By the way, a gym can and usually does share contract data including personal information with numerous third-parties such as external bookkeepers. This is legal under the GDPR without explicit consent.)
Why is it legal, does the gym need those 100 contractors to know my data for it to work? What are those for, 100 different accountants? How did gyms or other businesses work before the internet, did a guy walk to 100 different locations with papers in hand so those "partners" take a quick look?
GDPR requires data sharing to be done for a defined purpose.
The purpose of sharing data with an external company bookkeeper for bookkeeping is not remotely connected to any purpose an analytics service fulfills. So while the shared data is capable of the same insights, it's explicitly illegal for it to be processed that way without a defined purpose (which is its own can of worms).
>entirely anonymous browsing data
It's never entirely anonymous, because how useful data is, is inversely related to how anonymous it is.
ergo it would only be truly anonymous if it was truly useless.
Can you ask your bookkeeper to tell you the top 3 best selling products for your top 5 customers without declaring that the purpose of the data transfer to the external bookkeeper is also to run sales analytics?
This is very unlike the accounting firm, which never receives any identifying for cash transactions and thus couldn't store it even if they wanted to.
It's still a difference between not having data and not storing it. The latter needs trust, the former doesn't.
I think you are wrong. What they receive is a set of purchases in a given period of time that allow them to make many important decisions (when people buy most, what purchases are more likely on a given date etc.) but there is no way of finding out my shopping habits.
Extreme case: you are the only person that ever buys product X around time Y, so that fact can be used as an anchor to build a profile.
You need to be way more paranoid if you want to be a true privacy warrior.
I think the element you're missing is - of course this is OK, it happens all the time. What the comment you were responding to before wasn't making clear is that when it's done, there must be contractual provisions limiting the service provider's use of the data, so they can't use it for their own purposes.
> top 5 customers
You probably have to declare that the data is processed for that purpose in general terms but I don't see why consent would be necessary. Anyway, this analytics service claims it doesn't do this kind of analysis.
The issue with all the tracking is that most consumers have no choice, no functional UI to interact with the tracking systems, and no clear idea of who they are ultimately transacting with.
With enough good data (so probably not in all sectors) you can also identify people out of the system.
There are not that many bits of entropy in (contextualized) human behavior.
Sure, it's technically possible. But if you would actually do that, you run afoul of the GDPR requirements for informed consent: retroactively identifying people in a dataset requires the same consent as targeted data hoovering, so if an individual has only consented to being included in anonymized statistics that practice is sure to get flagged down as unlawful.
We didn't fork our code, we forked our services. We ran everything on Azure. Then we had to configure our kiosk devices to either talk to Azure, or to talk to our servers in France.
"Did you write your service to use proprietary Azure APIs without regard to vendor lock-in? Why not take this as an opportunity"
I'm sorry, do you have any idea of the cost of doing these things?
If you have 6 developers, total, how many of them are you willing to allocate to rewriting your stack, so that you can sell your product in Europe?
Oh indeed yes, which is why for years now I've been warning people to not write to proprietary APIs in the first place. It's a faustian bargain and sooner or later the bill is going to come due! If not because of legal requirements, then because MS or Amazon saturates the market, and has to increase revenue somehow. This is an example of where an ounce of prevention is worth a pound of cure. The upshot is that ignoring the warnings of people like me was a mistake.
(It's funny how people have moaned for years about "vendor lock-in" WRT Oracle. "They charge for every core!" But the cloud providers charge for every invocation, which is infinitely worse. And yet no-one seems to worry about it. It's really odd.)
Nothing comparable to AWS/GCP/Azure.
The colo/managed provider they chose and had been working with for years was nigh incompetent. I was positive that being able to spin up infra in any of the clouds would have been a ton more reliable.
Imposing byzantine regulations on every webmaster on the planet isn't helping anyone, least of all the European user, who will increasingly be locked out from the rest of the planet.
I see very little advantages from these privacy laws but I use and appreciate US businesses every day.
Lots of loaded assumptions there, of course, starting with the first conditional clause.
It's not fragmenting the internet; fragmentation is the whole point of the internet. It's (re-)decentralizing something that has been decentralized the whole time, until these gluttonous whales decided to try to eat the whole pie.
And you're convinced that embodies "the whole point of the internet"?
Decentralization of the cloud is a good thing for so many reasons. I think you're deliberately confusing it with your PII issues and not grasping the larger picture.
Heh. Something tells me a devops engineer in France has way better work-life balance.
So then Hacker News has to launch servers in France.
And then French HN users are in an island, and only see other French HN users' posts and comments.
And, to be clear, you think that's a good thing?
Maybe this decision makes France toxic/favorable to certain kinds of business--much like how many privacy companies operate in Switzerland because the Swiss government is less likely to snoop than certain others, or how advertising companies operate in the US because they'll let you do whatever you want to their citizens. So yeah, fragments.
But you as a user are free to opt-into any fragment of the internet that will have you. If your government wants to stop you from doing so you should either take it up with your government or circumvent those limitations.
I don't particularly like the kind of fragment that France is creating here, the notion that data has a physical location in space strikes me as a rather shaky one, and I think policies following therefrom are likely to create convoluted architecture that exfiltrates the benefits of access without exfiltrating database instances (I've written enough code that tap-dances around the GDPR to know). Since I'm not trying to start an ad supported business in France, though, I'm happy to respect their right to come up with whatever weird policies they want.
I love hackernews, but there’s way more world out there to discover.
This is protecting EU citizens from US companies having a free lunch on their data.
Or was it before Azure had that? Looks like they’ve had it for a while, at least back to 2009 or 2010.
This was impacting us in 2014 to 2016, as I remember.
I'm sorry your business was impacted during the period where the regulations came into effect and the big platforms did not have compliant services ready. It would have been better if the negative externalities of these regulations would be entirely carried by the big platforms who are responsible for consumer privacy in the first place.
But in any case, the point is that the issue is solved without changing the laws or people having to switch cloud providers, as simply the global cloud providers have started offering compliant services.
In the past people said that the Internet was made for porn. Today the Internet is seemingly made for advertisement and surveillance. It is not strange that so many people who worked in this industry for decades are feeling a bit lost in this new horrifying industry, which if the Internet really is made only to do advertisement and surveillance, I honestly think humanity is better off without it.
You should support companies with the best behavior.
I worked at a company that enabled a radiologist in one country to do a preliminary read of a CT scan performed in another country.
Cutting the amount of time for a CT scan, and even connecting a CT scan with a radiologist who specialized in that particular kind of scan, we saved lives.
And yes, there's also furry porn.
It's a tool.
I feel like I'm trying to convince you that BOOKS are good, despite the existence of hentai.
So why didn't you use Azure resources in Europe instead of "some crappy provider"? Sounds like you made a rod for your own back. If our clients are happy with Azure (in the right region) then I can't imagine many in the EU (other than perhaps national security services and their suppliers) reasonably refusing to allow use of it.
We host in Azure for some pretty significant financial organisations, mostly UK based but spreading our area. Some companies are requiring us to fully host in Azure DCs in their region, and some of those are Eastern, not UK/EU, based companies. At least one US interest that a friend's employer supplies demands data about its employees be hosted over there rather than over here, presumably so they can be assured it is kept to standards they are locally required to follow. Is it wrong that way around in your book too?
It isn't as easy as having everything in one region of course, but not much harder nor massively more expensive (caveat: most likely, as far as I know, I have the luxury of ignoring the bits that don't interest me and money is often one of those things, but I'm also senior enough that if there was something expensive happening, or something not happening due to expense, I'd catch wind as it would affect things I need to plan around) and it can't be as faffy/costly as using different providers in each territory.
If you are correctly following relevant regulations everywhere this does not fragment things any more than other rules that already existed. Aside from the fact things are being enforced this time, forcing companies handling PII to not quietly do things wrong because it is inconvenient to do things right. As an individual I'm perfectly fine with this.
https://news.microsoft.com/europe/2020/09/30/our-commitment-...
It took some doing which was the whole point. The local provider even got a chance to match the offer.
If they want to send you a letter, they have to give your data to the postal service. Again, no consent needed.
This is legal because our whole economy is based on division of labor. Privacy laws account for that.
My problem is with the 100+ partners that are OBVIOUSLY not partners and not required to have my data.
Before the internet, the owner took a shoe box of receipts to their bookkeeper every month. Those receipts had your name, date, etc. on them.
How? When I buy stuff in the real world and pay with cash I don't ask for an ID card, so why do you think the store needs names on the receipts? Is this something that happens in your country? For buying cars or land you need an ID; if I buy even expensive electronics no ID is needed, I just return the product and the receipt, which has no name on it.
I remember when my grandfather was doing accounting for a bar before Internet days, the papers were about the stuff, not about people, like how much beer was bought, how much was sold, stuff like that.
I enjoy communicating with all HN users, across the world.
If we each had to use only our own country's fork of HN, we wouldn't communicate with each other, and that would be a bad thing.
False equivalence, no online stalking company actually works like that (that would require a server-side hook). They all make the visitor go to the third party's desk and increase the tally themselves (via http request), giving the tracker company access to all the contact details of the visitor.
Still, the "please let us track" popups can be fixed by policy or law, and I hope they are.
The EU consumer will end up with strictly worse solutions and all the rest of the world will “gain” will be the crappy trade-barrier-supported Euro versions of Google and Facebook.
The company failed - it is what it is, and it sucks for the team - but you can't blame the EU protecting privacy/rights for bad business.
You are raising the barrier to entry, limiting competition.
Competition is good for so many reasons. I think you're deliberately ignoring the impact on small companies and not grasping the larger picture.
What's a very long time to you might not be a very long time to me. GDPR wasn't a draft when the product I'm talking about first launched.
The Azure offering did not exist when my small team needed it.
Basically the US government says it gets free access to all data stored by any US company or its international subsidiaries anywhere and that non-US citizens have absolutely no right to any data privacy at all.
However, European citizens do have such a right, and as such, companies can not process personal information using American subprocessors, because those can not guarantee to respect the citizens' rights.
For a long time this was all about some contractual clauses between processor and sub-processor: the American subprocessor guarantees by contract to respect the data subject's fundamental right to data privacy.
And then the USA made the CLOUD Act and FISA and all those contracts are no longer worth the bits they are encoded in. American companies are by law required to not respect the right to data privacy and can not guarantee to respect it in good faith, as they are themselves subjects of a surveillance state.
Now look at how AWS reacted to this problem: they added new clauses to the contract with their European customers, in which they promise to challenge law enforcement requests, especially those that are overbroad.
When the EU goes after FAANG like this, it pushes them to position themselves against mass surveillance and in favor of a global basic human right to data privacy. In my honest opinion this fight is very necessary and I can only hope that humanity wins against surveillance capitalism in the end.
But thanks for lecturing me that "vendor lock in" was what killed our 6-developer team that was developing hardware, and computer vision, and 3D computer graphics, while developing a health care product under the tons of regulation that comes with that.
Your arrogance is just stunning.
I think it's important to warn "parents" (or future parents) to avoid this particular tragedy, which I think is quite avoidable. I want to encourage people to question the orthodoxy around cloud, that everyone is doing it so it's fine, and worse is better anyway, yada yada. It may be insensitive to use your situation to illustrate the downside of cloud vendor lock-in, but my motivation is not to look down on you, but to warn others about this very real, very painful outcome that they court when they make the popular choice.
We happened to not use any vendor-specific APIs.
And it still killed us to fork our stack, and to teach our kiosks to be able to talk to the right server, and the extra cost of the servers in France, and the lack of support we saw from the provider in France...
Sorry if I don’t follow your reasoning, I’m still stuck at this piece of USA policy you seemed to have glossed over:
> Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
https://www.govinfo.gov/content/pkg/FR-2017-01-30/pdf/2017-0...
Just as France accords its own citoyens rights that foreigners aren't entitled to.
"We're not fragmenting the internet."
???
Ok, let me make a simple “marvel comics” example: what if all your calls were funneled through “Putin servers” or “Iran cloud” or “People's Liberation Army computers”? Would you mind?
I hear you arguing “but we’re the good guys! We’re USA, flag bearers of Democracy!” but no. Really according to EU law, under USA jurisdiction Privacy Rights are fair game for people like Zuck. The guy that said “I have over 4,000 emails, pictures, addresses, SNS. People just submitted it. I don't know why. They "trust me". Dumb fucks.”
Now, granted: our politicians likely want to stay on top of the consensus forming media, and make sure it’s within reach of their network. Annoying to see all the action moving to a different platform after all the years spent building relationships with the old media, but that’s the business.
When I found out Parler was being hosted on Russian servers, I immediately informed everyone I knew who was thinking about switching to Parler that it was a really bad idea. And it's their choice whether to use Parler or not.
I think it's great if companies can't hide that they're doing something like routing data through Russia. I think it's pretty stupid to not let someone use a product that routes data through Russia.
I also think that if Facebook stands up servers in France, it'll still be just as problematic as it is today.
Then there’s the cost of your devs implementing the same feature Azure and AWS already have, which is usually forgotten about.
Also the icing on the cake for Oracle was a contract termination fee. No cloud provider comes close to the Oracle billing nightmare.
It's always a tradeoff between racing to the bottom and stagnating. Both are bad, both hurt consumers, and this seems like a good balance between them.
Does that seem like a good balance of needs to you?
The technical difficulties seem so entirely solvable, in time (and with that competition you mentioned). Right now it's easy to deploy servers across tons of instances. In the future, if we need to, we can build analogous solutions to the problems you're talking about.
And where we can't build our way to easy solutions, that's fine. Those cases are probably the ones where there are legitimate local differences in what's acceptable, and I want locals to be able to decide that for themselves. It's an absurd goal to try to make it easy for six engineers alone to scale to the entire planet.
We helped manufacture medical devices. We sold a device that took medical images, and then sent the images to a server. The server would do tons of processing on the images, and help manufacture a medical device custom to the patient.
We ran our servers in the United States.
We could not sell our product in France, until we stood up servers in France to store and process the data.
Why would we do such a thing? To provide excellent healthcare to people. Even ungrateful French people. Our product was lower cost and higher quality than our competitors, with better patient outcomes.
What monsters we were for running our servers in the U.S., right?
Other people exist and have rights. It's about time that people assert their rights over data that is absolutely consequential to their lives, instead of being tiny pawns of companies who treat them like a high school science experiment with live ants.
The idea that storing your data, encrypted at rest, on spinning rust platters inside your country somehow makes it safer than storing that same data, encrypted at rest, on spinning rust platters inside my country, is bizarre to me.
But that's fine. I think giving you the choice makes tons of sense. I'm not saying France should have a law forcing all data to be kept in the US. I'm saying it's bonkers that I cannot offer a product in France that happens to store data and process data on a server in the US. Even with a waiver. French citizens do not have the right to let their health care information be stored on a server in a different country. (As I understood the laws, at least - perhaps our legal representatives were misinformed.)
If you want control over your medical data, then I'm sorry, none of the existing tooling does what you should actually want it to. It should be stored on systems you designate. Not on some lowest-bidder French server that has unknown security practices.
It's amazing to me that you're lecturing me about other people's rights, when you're literally denying French people the right to buy my product, unless I meet some ultimatums. I'm not denying them, you are.
And you talk about consequential to their lives? My product lowered costs and had better patient outcomes, and we couldn't sell it. Maybe try a different argument.
At some point in your project there seems to have been a time, when such basic questions of consent were overlooked and later you paid the price. Your intentions may have been nothing but good, but I for one am glad, that such practice was not allowed to happen.
Walk me through exactly what you would like to happen.
If you think the best outcome is that only radiologists who live in country X can look at your medical images, then please really think about what that means for under-developed countries.
Please also think about the fact that people have medical imaging exams 24 hours a day, and think about where radiologists live and sleep.
The next time you get a CT scan and have to wait 4 days for the results, you'll know that your hospital system doesn't have teleradiology.
We absolutely understand patient consent, and then France started establishing laws that denied patients the right to consent to having their data transferred to the US. (As I understood our legal representatives, at least.)
(For the record, in case it's confusing to anyone following along, I worked on half a dozen different medical products in my career, in different companies, in different parts of the body, in different modalities, etc.)
Tell me you were at least running anonymisation software in hospitals before you transferred?
We don't do it for fun. This is a part of patient care.
Radiologists awake in Australia can read images from the United States. It saves lives.
The radiologists are licensed and certified in the hospitals and states.
And by the way, if I get a CT scan of your head, I can trivially reconstruct your face. Might even recognize you with it.
If you want to freak out, medical records are sent by fax machine ALL THE TIME.
I am truly interested in this since I am in EU and use Azure for similar processing.
So blaming the GDPR and new rules, seems a bit weird in this case.
Now, consumer protection regulation is always a balancing act. And most consumer protection laws will hurt some companies that didn't actually do anything bad. That doesn't mean I don't want any regulations. Particularly when it comes to healthcare.
And my real concern was people who want that cake, and also want to pretend they're not "fragmenting" the Internet. I wish people would call it what it is.
It's embittering, hardens the heart, and makes you want to give up, but you've gotta redouble and bust through it.
And by all means, shame the provider if they didn't live up to their end of the bargain.
My guess is, that they want to avoid the situation entirely, in which a doctor (or other people in the hospital or other institution) has to ask the patient for their consent for such a thing. It would come down to things like framing, for example: "The best people for x are in country y.", which might be true or just opinion of that doctor. There are issues with this:
(1) Usually the doctor is not informed about these data protection issues themselves. Usually the doctor did not also graduate in some mathematical / statistical / data science subject or following along the various data protection scandals. Most of the doctors probably have other things to do. Just like the rest of the population is mostly not well informed.
(2) We probably don't want a situation, in which the doctor dangles a carrot (the best people are in country x) in front of the patient, luring them into consenting.
(3) Doctors want to get their work done. They don't want to have to ask every patient for consent for things outside of their own expertise. Even if you transfer the paperwork to someone else, who will want that additional workload? Also the people going to a hospital might not want to have to deal with that stuff.
(4) What is the legal side of this? For example say you send data to the best experts in another country and you get a misdiagnosis and operate based on that. How does this work?
I think it is possible to keep data generally in France for example and only have the experts look at the data via conferencing tools. Then the experts can be made aware, that obviously they may not share any of that data with anyone and that they can only look at it, while it resides in France. For that we need a secure conferencing system, which is not run by big corp living off selling data directly or indirectly. We need capable tech people in the right place to set things up. We might also need Computer literacy on higher levels for the experts.
In the end, though, there is a high-tech solution here, and that's to migrate to 100% asymmetrically encrypted messaging, at the application level, regardless of underlying transport. This would force nation states to risk large scale hacking of devices, but that's more visible and easier to combat, as long as we remain free to make (and buy) the compute hardware we want to make.
His whole comment was about how he wants to let traffic route through Russia even though he doesn't like it... but it's really Americentric? Could you explain that point please?
That's an interesting assertion. As counter-example to that assertion, [gestures at huge amounts of the internet as we know it, which was started by small teams.]
And I'm not talking about scaling to 7 billion users. I'm talking about scaling to all of _my_ users, even though they live in dozens or hundreds of countries.
If that means I don't get your business and I'm worse off for it, I'm happy to have my laws changed. Or maybe someone else will come up with the same service who does follow the local law.
You're basically discovering something that physical stores have had to deal with forever. Gary's International Store of Chainsaws and Weed knows that it can't sell chainsaws in jurisdictions where chainsaws are illegal to sell from stores. The people of that jurisdiction made the decision that chainsaws should not be sold from stores; Gary doesn't get to ignore that. Instead he has to incorporate the fact that not all stores get the same inventory in his logistics.
If that means Gary refuses to open his stores in such jurisdictions at all, that's fine. The people of the jurisdiction can decide whether they're happy with the outcome and change their laws if they're not.
Forcing me to run servers in France is absurd.
If anything, it increases the attack surface and makes it more likely that private data is exposed.
Hence my original comment: The internet has spoiled us by making it so easy for a while.
He has the right to object in any case. That's free speech. But despite all his objections, he either does his business respecting the law or doesn't do business at all.
It's funny that you think that such a law would be absurd, when laws that require a store to sell locally-produced goods over imported ones also already exist in the real world.
> Forcing me to run servers in France is absurd.
You're welcome to think that. Don't run servers in France then.