My latest #LocusMagazing column is "Don't Be Evil," a consideration of the forces that led to the Great Enshittening, the dizzying, rapid transformation by which formerly useful services went from indispensable to unusable to actively harmful:
If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
When Google contemplates adding anti-adblock to its web viewers, the dissent might say, "Processing users' data in order to ad-block them will violate Europe's #GDPR."
How could this happen? Owners of #Chamberlain #MyQ automatic garage door openers just woke up to discover that the company had confiscated valuable features overnight, and that there was nothing they could do about it.
--
Competition, regulation, constraint and self-help measures all backstop one another, and while one or a few can make a difference, they are most powerful when they're all mobilized in concert. Think of the failure of the #EU's landmark privacy law, the #GDPR. While the GDPR proved very effective against bottom-feeding smaller ad-tech companies, the worst offenders, #Meta and #Google, have thumbed their noses at it.
Banks are gradually removing features from their websites in a progression toward complete elimination of the website. Some banks have already taken that step. They impose an app whilst also closing their over-the-counter service.
Unlike in the US, 1-factor authentication by banks is illegal in Belgium. So for web access banks typically hand out devices for 2FA. Some banks avoid that cost by imposing a smartphone app in lieu of a card reader or RSA token (BYO smartphone).
There are many problems with bank apps in Belgium:
1. You must buy smartphone hardware (the apps detect when they are executed inside a virtual machine & deny service [tested with Ing’s app])
2. You must patronize a surveillance capitalist (create a Google or Apple account)
2.1. You must subscribe to mobile phone service in order to satisfy Google’s unreasonable demand for a mobile phone number as a precondition to obtaining an account
2.2. You must trust Google with your mobile phone number, IMEI number, and inventory of apps & versions you download (thus a reconnaissance risk)
2.3. When Google records your place of banking, you must trust Google not to share that info (with debt collectors, for example)
3. All bank apps in Belgium are closed-source, so you must trust the apps not to carry spyware and to work in your interests
3.1. The bank’s privacy policies are written to allow your realtime location to be tracked via the app.
4. You must chronically upgrade your hardware every few years because the bank apps are upgraded with reckless disregard to the lockstep-coupling of hardware to software on all phone platforms that are supported by Belgian banks. You cannot run a VM to prevent irresponsible electronic waste (see point 1)
The #GDPR possibly (and only symbolically¹) protects from some of that, such as Google sharing your place of banking with debt collectors. But the GDPR does not prevent criminal exfiltration of data that cavalier consumers trustingly agree to the collection of.
Footnotes:
¹ I say “symbolically” because consumers only have two pathways for remedy under the GDPR: article 77 & direct lawsuit. Article 77 has no teeth. When the DPA ignores/mothballs an art.77 complaint, there is no mechanism for action against the DPA. So DPAs are largely neglecting to treat art.77 reports. That leaves direct lawsuits. The EU has decided that GDPR plaintiffs are not entitled to compensation for legal fees. So that kills that option. You can get a symbolic win in court but you still lose because lawsuits are costly and the damages you can prove are negligible. So the GDPR boils down to an honor system.
Think of everything that makes you miserable as being caught between two opposing, irresistible, irrefutable truths:
"Anything that can't go on forever eventually stops" (#SteinsLaw)
"Markets can remain irrational longer than you can remain solvent" (Keynes)
--
This can't last forever, but how long until Zuck's reality distortion field runs out of battery? That's the $46.5B question.
The market can certainly remain irrational for a hell of a long time. But the market isn't the only force that regulates corporate outcomes. Regulators also regulate. Europe's #GDPR is now seven years old, and it plainly outlaws Facebook's surveillance.
For nearly a decade, Facebook has pretended that this wasn't true, and they got away with it.
Yesterday we talked about #advertisement and #GDPR compliance and it's just worth a shoutout to @gamingonlinux for their stellar approach:
Pictures are embedded as-is
YouTube is embedded but behind a button to activate that feature - Thunderbird is a sponsor which is just a static image with a link that's not distracting at all
And there's no #cookie banner. Because there's no need.
I see some shady things with #GDPR cookie banners, but it's the first time I see a banner which silently links to google.com when one clicks on "reject".
Blocking access to YT for people who have an ad blocker is illegal in the EU, because they have not consented to access to their data (info about the extensions installed in their browser). Google must ask for permission to check whether we have an ad blocker, and we can refuse. All thanks to #GDPR https://eupolicy.social/@thatprivacyguy/111261130799704016
I'm consternated to see that most American companies, even privacy-focused ones like @purism and Private Internet Access (PIA VPN), don't bother answering GDPR requests...
My GDPR request to the Belgian gov was refused because the ID card copy that was included with the request was not printed in color. Can anyone confirm whether that’s a legit #GDPR requirement? Color prints are like €1/page these days, which would add up and make all my GDPR requests a bit costly. #askFedi #lawFedi #Belgium
“Facebook has already shifted users’ agreements for UK users away from the EU to its US terms, does not allow UK users to opt-out of personalised advertisements, nor do they plan to switch to a consent-based model of advertising like is happening in Europe.
It's more than obvious that Facebook doesn't believe the Information Commissioner's Office will enforce UK data protection standards."
23 years of illegal data transfers due to inactive DPAs and new EU-US deals.
The highest European court sent a strong message for better data privacy, when it invalidated the data transfer deals "Safe Harbor" and "Privacy Shield" in 2015 and 2020 respectively.
The logical consequence of this decision was that almost all transfers between the European Union and United States since the year 2000 were illegal.
In reality, companies didn’t stop the practice though. This was largely made possible by the inaction of European data protection authorities (DPAs), which mostly failed to implement the CJEU’s rulings. In combination with new (and void) deals, we are therefore looking back on 23 years of illegal data transfers.
Amazon Web Services (AWS), Microsoft and Google are the heavyweights when it comes to global cloud services, owning 65 percent of the market. Smaller European providers are looking to build their own systems to not only compete with Big Tech, but to also protect the data of European consumers from less strict U.S. laws.
So, I'm moving to a self hosted version of @classicpress soon, thanks to @viktor offering managed hosting! Fully managed! We're working out some transferring hiccups right now but I'll get to do so much more with this new website that I wasn't able to before because of the .com version of #Wordpress actually making things inaccessible. So, privacy questions.
I don't want to collect anything. I don't even want my site to collect data, but I do want to enable comments. Is this possible? I've been looking into #GDPR but I don't understand all of it. Like, I honestly don't want your cookies, I don't even want your email to go into my system. Now for the questions.
Can anyone point me to a privacy policy generator?
If I use the #ActivityPub plugin, can people leave comments on my blog from multiple #Fediverse services/things?
If I actually have people emailing me replies instead of commenting openly on the website, am I still in violation of GDPR?
The flagship #Misskey instance is experiencing growing pains, but is also discouraging #Fediverse residents in #Europe (or rather the #EuropeanUnion 🇪🇺) from signing up due to #GDPR issues.
👉🏾 Misskey (https://misskey.io) signing up 20,000 new users per day
👉🏾 After consulting lawyers, Misskey.io will now discourage Europeans from signing up
👉🏾 #Firefish could fill in the vacuum in Europe
So #Facebook just asked me if I wanted to create a post with some photos I had downloaded onto my phone. It was album artwork I had uploaded to use with some music tracks, they weren't even in my main DCIM album, but evidently, good ol' #Meta has scoured my entire phone looking for pictures. That's not creepy at all! And people are falling over each other to join #Threads SMH :blobcatglance: #DataPrivacy #DataSecurity #GDPR #DataProtection
A potential customer asked for my app’s privacy policy, when I pointed them to https://obsidian.actions.work/privacy they replied with “thanks, but I’m not going to read 9000 words”, so I added a TL;DR section to the top — 4 sentences of plain language. HTH!
In 2020, the EU-level judiciary decreed #SchremsII whereby customers of US cloud service providers must themselves verify the data protection laws of the recipient country, document its risk assessment and confer with its customers.
In 2021, various French-state-level authorities stated that #MSOffice365 did not conform (to doctrine and #GDPR) or that secondary education schools should avoid it. 👇
Storing data in "the Cloud" legally constitutes data processing.
#MicrosoftOutlook: "Synchronisation with the Microsoft server" transfers your data to Microsoft.
The German Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, described the data collection as "alarming" and announced his intention to pursue at European level: https://social.bund.de/@bfdi/111381793883035665
Do any ATMs in Belgium support balance inquiries?
ATMs I’ve checked:...