re: gadgets
Also, not good depending on gadgets for core necessities that can be yanked away by Google/Apple (ultimately under the thumb of a government that could turn more or less hostile after the next election).
408 publicly visible posts • joined 10 May 2011
Also, 3rd party resources are suspect data-protection-wise: the 3rd party gets the user's ip-address and the URL of the referring page (at least).
There is even a German court decision against this: https://www.theregister.com/2022/01/31/website_fine_google_fonts_gdpr/
In a nutshell: since a resource can be hosted locally it is not necessary to hand information about a visiting user to a 3rd party and therefore this isn't lawful in the sense of the GDPR Article 6(1), where all subsections (b-f) begin with 'processing is *necessary* for ...' (except the subsection for consent (a), which wouldn't be valid if made a requirement for using a site (Article 4(11), Article 7(4)). (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679)
If you are interested in Noyb's take on why this is patently illegal under the GDPR, see:
https://noyb.eu/en/noyb-urges-11-dpas-immediately-stop-metas-abuse-personal-data-ai
A detailed look in legal terms can be found in Noyb's complaint to the Irish DPC (chosen from the links included in the above because it is in English):
https://noyb.eu/files/meta_ai/complaint_ie.pdf
By now it should be abundantly clear that the US Big Tech companies not only don't care about data protection but are built around a business model that make them actively hostile to it; anyone taking data protection seriously can't but ditch them. Instead of fraternizing with the enemy (of data protection) the Commission should be busy looking for and pushing alternatives* which would also have the benefit of increased strategic independence: it is hardly ideal to depend on a de-facto monopoly, much worse if that is a foreign one ultimately under the thumb of an unpredictable government that may very well turn hostile (at the next election).
* The obvious ones would be the existing free / open source projects; a practical policy example would be that public monies in the EU could only be used to buy hardware that can run a free & open source OS (such as Linux for PCs or AOSP for phones and tablets)
Similar experience with my wimpy 11.6" netbook (Celeron-4M RAM): small, light, runs 10 hours on a charge (so ideal to lug around), also cheap (was 200€ish, which is an advantage in general and also while away from home in that the financial hit wouldn't be too bad if it was nicked or suffered damage while being subject to the tender mercies of luggage handling). This would be practically useless for browsing without ad blocking, but works surprisingly well with that in place (with a lighter weight Linux such as Xubuntu or Mint XFCE, natch; I wonder how it is even legal to sell these for Windows use).
... is what is sorely needed to replace ad revenue. Thinking of which, I seem to recall some Guardian bigwig years ago suggesting an internet tax collected by ISPs where the monies thus obtained would be divvied up by those providing content for profit. It seems to me that this could be improved by a) making it a voluntary extra fee (say 10 $/£/€ /mo or so) which the ISPs would collect and for which the subscriber would get access to paid sites and b) strictly banning all unsolicited ads on the net. An illustrative, simplistic scheme would be giving paying subscribers an odd IP address and everyone else an even one, from which a server could instantly tell if revenue from a particular visitor can be expected or not and decline to serve paid content in the latter case. The real problems, of course, lie elsewhere, such as on what basis the money would be divvied up without too much opportunity to game the system, who'd keep the tallies (the ISPs probably?) and how to make sure that only the tallies and not everyone's complete internet access history is collected (and these are merely technical problems as opposed to those on the wider scheme of things). At any rate, some such scheme would provide income from content while - by cutting out the ad-pushers as middlemen - dealing with much of what seems to be at the root of what is currently wrong with the internet: the business models based on ad revenue - where the user is the product, not a customer.
Indeed, GDPR Article 7(4)*: "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."
GDPR enforcement has been lacking though, the worst offender (as far as the impact goes) is Ireland's DPC** (where Google, Facebook, etc. are domiciled for EU purposes). :(
* https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&qid=1694602882952#d1e2001-1-1
** see e.g. https://noyb.eu/en/just-eu-55-million-whatsapp-dpc-finally-gives-finger-edpb
The fine is kind of minuscule considering the scale of the breach and that it is a rounding error in Meta's finances. There is a provision in the GDPR for increased fines for repeated violations though, so maybe this can be considered an initial slap on the wrist. What worries me more is that the appeal will probably take years to get through the courts while Meta does its best to make it so and continues as they were; I suspect the order to change their ways within three months is put on hold on appeal as well as the fine (?). Fortunately there is a parallel case by NOYB / Max Schrems on its way to the CJEU already: https://noyb.eu/en/breaking-austrian-ogh-asks-cjeu-if-facebook-undermines-gdpr-2018
An Ltd is a bit too convenient for deliberate liability avoidance and other shenanigans. Perhaps only publicly traded companies should be allowed to be Ltds i.e. they'd need to be something like limited partnerships (at least some partners with personal liability, crucially) until an IPO and listing at which point the partners would become shareholders of the new Ltd. This might also chill schemes by private equity (and other) masters-of-the-universe as the reverse would need to happen when taking an Ltd private.
Well, Google not so much, not directly, as they apparently haven't tried the same blatant abuse of contract as legal basis as Facebook / Meta. The general gist of the decision (or what is allegedly known about it; it hasn't been actually published yet) seems to be against anybody's advertising based on profiling without consent though; this is still the core of Google's (Alphabet's) business model and the only plausible rationale for their extensive data collection with Chrome* and Google Analytics** (which is hardly based on consent in the GDPR-sense).
* https://contrachrome.com/
** https://noyb.eu/en/update-cnil-decides-eu-us-data-transfer-google-analytics-illegal
"Meta has the option to appeal both the EDPB finding and Irish DPC ruling, whenever that appears."
Actually, the CJEU General Court has just found that EDPB binding rulings cannot be appealed as such; an appeal may only be made against the DPA decision based on such a ruling. (https://curia.europa.eu/jcms/upload/docs/application/pdf/2022-12/cp220196en.pdf).
This could actually have benefits if done right. Consider a stock market where buy and sell bids are paired at the end of the day so that the highest buy bid would be paired with the lowest sell bid at (buy+sell)/2, the pair is removed from the pool and this goes on until either buy or sell bids are exhausted. This would eliminate short term (<= 1 day) trading which destabilizes the market* and leeches money to the short term traders from the rest of the market for no discernible general benefit**. There is no real reason to run the market on a shorter timescale than a day (never mind a microsecond one): it is, after all, closed down during nights and weekends***.
* potentially resulting in the rest of the economy going pear-shaped for no good reason (screwing up even those who don't participate in the market)
** except, allegedly, providing liquidity, which this scheme would do as well if not better
*** actually 1-3 times / week seems enough and would result in more stability and effective liquidity (for a stock or bond market, forex might need a shorter timescale (a couple of times / day, maybe))
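An added illustration of the end-of-day pairing scheme described in the post above (this is not code from the post or from any exchange). It assumes, as the post does not say explicitly, that a pair is only executed while the best buy limit is at or above the best sell limit; once the two sides no longer overlap the remaining orders simply stay unfilled until the next call.

```python
"""Single daily call auction: best buy paired with best sell at the midpoint, repeated.

Added example with constructed orders; the no-overlap stopping rule is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    trader: str
    price: float  # limit price the trader is willing to buy at / sell at


def run_call_auction(buys, sells):
    """Pair the highest buy with the lowest sell at (buy+sell)/2 until one side is
    exhausted or the best buy is below the best sell (assumed stopping rule).

    Returns (trades, unmatched_buys, unmatched_sells); each trade is
    (buyer, seller, execution_price).
    """
    buys = sorted(buys, key=lambda o: o.price, reverse=True)  # best buyer first
    sells = sorted(sells, key=lambda o: o.price)              # best seller first
    trades = []
    while buys and sells:
        b, s = buys[0], sells[0]
        if b.price < s.price:
            break  # no remaining overlap; nobody would trade at the midpoint
        trades.append((b.trader, s.trader, (b.price + s.price) / 2))
        buys.pop(0)
        sells.pop(0)
    return trades, buys, sells


# Constructed sample order book for one trading day.
SAMPLE_BUYS = [Order("A", 105.0), Order("B", 101.0), Order("C", 99.0)]
SAMPLE_SELLS = [Order("X", 98.0), Order("Y", 100.0), Order("Z", 104.0)]

if __name__ == "__main__":
    trades, rest_b, rest_s = run_call_auction(SAMPLE_BUYS, SAMPLE_SELLS)
    for buyer, seller, px in trades:
        print(f"{buyer} buys from {seller} at {px}")
    print("unfilled buys:", [o.trader for o in rest_b], "unfilled sells:", [o.trader for o in rest_s])
```

Running it pairs A with X at 101.5 and B with Y at 100.5; C (99) and Z (104) do not overlap and carry over. Note that everyone trades at a single fixed moment, so there is nothing to gain from being faster than the next participant, which is the post's point.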
Actually, there should be no need to read these as all processing of personal information should be under fine-grained opt-in: if you don't opt in only minimal, strictly necessary processing may take place; in theory the GDPR requires just this, practice (enforcement) is unfortunately another matter. :(
What on-line advertising really needs is banning except maybe when it is strictly opt-in: the user should be the customer, not the product. Advertising doesn't even really pay for any services as the cost of it ends up in the price of the products and services we pay for. With the current arrangement we not only ultimately pay in those higher prices, but also pay with a loss of privacy (which is the result of the snooping needed for targeted advertising), not to mention having to endure commercial propaganda (i.e. advertising), being manipulated, misled and misinformed by it. The sane way is paying for the services we use directly, cutting out a bunch of middlemen and restoring a market with competition to the services 'paid' for by advertising - any other claim is just meta-advertising.
The intense neutron flux causes significant amounts of radioactive isotopes to be created by neutron capture in atoms making up the reactor and its surroundings. Orders of magnitude less of a problem than fission products, of course, but still a problem that has to be dealt with.
The EU would do well with something similar. A supported version of AOSP (with its own app store and possibly other key services) wouldn't go amiss either. The idea with these would be that all software and hardware bought with public monies in the EU would have to support these not that they'd be mandatory to use. Creating some competition like this would be good, as would the strategic independence in case of Trump mk II (i.e. someone not only malevolent but also competent with it) especially considering the cost of a relative pittance.
Indeed, stopping data transfers from the EU to the US seems like the only solution (until there is decent data protection legislation on the US federal level - which doesn't seem entirely impossible as the attitude towards Big Tech has soured quite a bit on both sides of the relevant US aisles; moreover, California's attempt toward this seems promising).
This is just an entirely transparent ploy for the benefit of the US-based data slurpers (commercial and otherwise) designed to delay a proper solution: decent US data protection legislation (or the more pragmatic one of not sending any personal data to the US in the first place).
I fear the key idea here is to add cost and delay (both approaching infinity) by miring any complaint in the US court system; before a Schrems III case could even be filed in the EU all appeals must probably be exhausted in the US to demonstrate that this new system is useless (as it is designed to be).
I do hope the EU parliament gets a say and kills this forthwith.
It is difficult to see any credible rationale* for the attack. How the Ukrainians have risen to the challenge has been absolutely awe-inspiring though. Also on the bright side: this could bring the reign of Putin to an end which would mean a fresh start for the Russians in their relation to the West and in general - the not-so-bright side of this is the extremely high price of this potential improvement falling on Ukraine.
* there is the Russian propaganda, but the only thing it tends to convince one of is that it is propaganda
Having waded through the decision via the link provided I was surprised to see that it did not rely on the Schrems decisions. Instead, since there wasn't consent the defendant tried to rely on legitimate interest but the court ruled that it doesn't apply as the font could have been self-hosted and therefore there was no need for Google to get the IP-address; Google being a well-known data hoarder was also mentioned. I'd think the use of 3rd party resources might still be legal on legitimate interest grounds if there isn't a straightforward alternative and if the 3rd party could be trusted not to use the IP-address for its own purposes; a contract preventing such use or the 3rd party merely being in the EU or another jurisdiction with sufficient data protection legislation making such use illegal could suffice (in any case 3rd parties located in the US are out though because of the Schrems decisions).
I'd think a packet bearing a destination address in a private ip block would have trouble getting routed over the internet. Moreover, any decent NAT implementation is likely to take a dim view on (drop) packets coming in from the WAN interface with a LAN destination address.
The privacy concern is why I make sure to disable IPv6 on all kit. Automatic fiddling with the local part of the address doesn't cut it as the network part may well be static and Google etc. are certainly smart enough to figure this out; with IPv4 I can at least force a new dynamic address on a regular basis by presenting a different MAC for the ISP's DHCP server or hide behind CGNAT. Come to think of it, CGNAT or a similar arrangement should really be the legally mandated default for consumer connections, especially with IPv6.
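An added illustration of the two points made in the posts above (the NAT one and the IPv6 one); this is not code from either post. It implements the ingress checks a NAT router would apply to packets arriving on its WAN side (private or CGNAT destination: drop; private source: drop, per the usual anti-spoofing practice) and shows why rotating only the host part of an IPv6 address leaves the /64 prefix constant. The packets and addresses are constructed from documentation ranges.

```python
"""WAN-side ingress checks and the IPv6 prefix problem. Added example, constructed input."""
import ipaddress

# Blocks that must never be a destination (or source) on the WAN side:
# RFC 1918 private IPv4 space, the RFC 6598 CGNAT shared block, IPv6 unique local (RFC 4193).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "fc00::/7",
)]


def in_non_routable(addr):
    """True if the address belongs to one of the blocks above (version-aware)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in NON_ROUTABLE)


def wan_ingress_verdict(src, dst):
    """What a sane NAT box should do with a packet arriving on its WAN interface."""
    if in_non_routable(dst):
        return "drop: private destination from WAN"
    if in_non_routable(src):
        return "drop: spoofed private source"
    return "accept"


def network_prefix(addr, prefixlen=64):
    """The network part an observer can still correlate when only the host part changes."""
    return str(ipaddress.ip_interface(f"{addr}/{prefixlen}").network)


# Constructed sample traffic (documentation addresses only): (source, destination).
SAMPLE_PACKETS = [
    ("203.0.113.7", "198.51.100.10"),   # ordinary traffic to the router's public address
    ("203.0.113.7", "192.168.1.20"),    # LAN destination arriving from the WAN
    ("10.0.0.5", "198.51.100.10"),      # private source on the WAN side: spoofed
    ("2001:db8::1", "fd12:3456::10"),   # IPv6 unique-local destination from the WAN
    ("2001:db8::1", "2001:db8:1::10"),  # global IPv6: exactly what the post worries about
]


def audit(packets):
    """Verdict for each (src, dst) pair, in order."""
    return [wan_ingress_verdict(s, d) for s, d in packets]


if __name__ == "__main__":
    for (s, d), v in zip(SAMPLE_PACKETS, audit(SAMPLE_PACKETS)):
        print(f"{s:>16} -> {d:<16} {v}")
    # Two privacy-extension (randomised host part) addresses from the same link:
    a, b = "2001:db8:1:0:1234:5678:9abc:def0", "2001:db8:1:0:fedc:ba98:7654:3210"
    print("same prefix:", network_prefix(a) == network_prefix(b), network_prefix(a))
```

The last print is the point of the IPv6 post: the two addresses differ in every host bit yet share the prefix 2001:db8:1::/64, so a tracker keyed on the prefix is unaffected by address rotation unless the prefix itself is re-delegated.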
This is all well and good, but as we have seen with the GDPR good legislation doesn't matter in practice if it is not vigorously enforced: with GDPR there is something deeply wrong with the Irish DPC which has turned into an advocate and ally of US Big Tech*, which has seriously hampered enforcement as the European HQs of the worst offenders (i.e. Facebook/Meta and Google/Alphabet) are in Ireland and so the Irish DPC is supposed to be the lead authority to rein them in.
* case in point: https://noyb.eu/en/irish-dpc-greenlights-facebooks-gdpr-bypass
One has to wonder about Google's rationale for offering GoogleAnalytics as a free service; the obvious one, of course, would be collecting data for their own use. For a page with GoogleAnalytics Google gets the URL of the page and ip-address* of the user and there is a unique per site (first-party) id-cookie expiring in 2 years from last visit. Assuming Google uses these for its own purposes it essentially has everyone's browsing history for the pages using GoogleAnalytics; this works somewhat subtly: as long as your ip-address stays the same it is a perma-cookie in its own right, when it changes, the id-cookies can be used to re-identify a user as soon as a previously visited page with GoogleAnalytics is re-visited within 2 years of the last visit.
* Google can always store this as is for its own purposes regardless of ip-address obfuscation
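An added illustration for this post and for the earlier one about 3rd party resources (the Google Fonts case): a small audit script a site operator can run over their own HTML to list every resource the browser would fetch from a host other than the site's own, i.e. every party that receives the visitor's IP address and the referring URL. It is not code from the posts; the tracker host list and the sample page are constructed here, and the GA measurement id in the sample is a placeholder.

```python
"""List third-party resource fetches in an HTML page. Added example, constructed input."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the posts as known data recipients when embedded (constructed list).
KNOWN_TRACKERS = {
    "fonts.googleapis.com": "Google Fonts CSS",
    "fonts.gstatic.com": "Google Fonts files",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
}

# Tag attributes that make the browser issue a request (and thus send IP + Referer).
FETCH_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}


class ThirdPartyFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset lists "url descriptor, url descriptor, ..."; keep the URLs only.
            urls = [c.strip().split()[0] for c in value.split(",")] if name == "srcset" else [value]
            for url in urls:
                host = self._host_of(url)
                if host and host != self.site_host and not host.endswith("." + self.site_host):
                    self.findings.append({"tag": tag, "url": url, "host": host,
                                          "note": KNOWN_TRACKERS.get(host, "")})

    @staticmethod
    def _host_of(url):
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        parsed = urlparse(url)            # relative paths and data: URIs have no host
        return parsed.hostname.lower() if parsed.hostname else None


def find_third_party(html, site_host):
    """Return one dict per external fetch found in `html` for a site served from `site_host`."""
    parser = ThirdPartyFinder(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample page; the gtag id is a placeholder, not a real property.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-PLACEHOLDER"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="/img/logo.png" alt="logo">
<img src="//cdn.example.net/hero.jpg" alt="hero">
</body></html>"""

if __name__ == "__main__":
    for f in find_third_party(SAMPLE_HTML, "www.example.org"):
        print(f"{f['tag']:<7} {f['host']:<28} {f['note'] or 'unlisted third party'}")
```

On the sample page the two `/static/...` and `/img/...` references are first-party and are not reported; the font stylesheet, the gtag script and the CDN image are, each of them a host that sees the visitor's address. Self-hosting the fonts and script (the remedy the court decision turned on) removes the first two findings entirely.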
The premise is that there is an inescapable monopoly i.e. no competition to begin with so all that can be done is to regulate the monopoly to limit its abuse. Ideally, perhaps, competition could be brought to the user-facing part resulting from the split suggested above, but the core part would still have to be a regulated utility completely independent from Meta.
The sort of thing Facebook is ends up as a monopoly because of the network effect where, in essence, users attract each other and where a competing upstart wouldn't get anywhere as the people you want to aren't there; as a natural monopoly of a sort it ought to be run as a public utility.
An ideal approach could be splitting Facebook itself into two parts:
- a regulated utility providing the technical core of the service on a common carrier basis, and
- a user-facing part operating under competition
i.e. the former would be used through a well-documented API by the latter which would be just one of competing implementations paying fees to the regulated part. In practice, I suppose, regulating the existing monolith will have to do. Also, there is obvious opportunity to improve competition by cleaving off Instagram and WhatsApp.
What is more, it seems to have gotten worse and worse over the years. A few decades back this wasn't an issue at all, then I started to notice that I need to bring these under a bright light and lately it has gotten so bad that I had to add a pair of reading glasses to the toolbox in case I run into these. No doubt this is because the molds or whatever the metal tips are made with are crude Nth generation copies of the originals.
Come to think about it, 'legitimate interest' has no business being mixed with cookie consent: the EU 'cookie law'* requires consent for storing cookies on user devices, there is no alternative to consent such as legitimate interest or other GDPR Article 6(1) lawful basis.
* ePrivacy Directive (2002/58/EC) amended by Directive 2009/136 with the CJEU Planet 49 (C-673/17) decision (with the latter bringing in GDPR consent; as such the ePrivacy Directive predates and is distinct from the GDPR)
Quite, as long as this is framed as opt-out instead of opt-in; with opt-in the cookie would be needed to store the fact that the user has in fact opted in (including to storing the opt-in cookie itself). Opt-in, of course, is the proper, GDPR way of doing things. Besides, most anything really necessary can be done with session cookies which don't fall under the EU 'cookie law' / ePrivacy Directive as they are by definition not stored on user devices (this, of course, hangs on the exact meaning of 'store' in this context; given that the legislator's intent here is protecting privacy by preventing tracking allowing session cookies without consent seems reasonable as they aren't much good for tracking).
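An added illustration of the session-versus-stored distinction this post rests on; it is not code from the post. A cookie is only kept on the device beyond the browser session if the Set-Cookie header carries Expires or Max-Age, so a small classifier over Set-Cookie headers can tell which cookies a site actually stores. The headers below are constructed, and the `_ga` value is a placeholder rather than a real client id.

```python
"""Classify Set-Cookie headers as session, persistent or deletion. Added example."""
from http.cookies import SimpleCookie


def classify_set_cookie(header_value):
    """Map each cookie in one Set-Cookie header value to 'session', 'persistent' or 'deletion'.

    No Expires and no Max-Age: the browser discards the cookie when it closes (session).
    Max-Age <= 0: the browser is being told to delete the cookie right away.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    verdicts = {}
    for name, morsel in jar.items():
        max_age = morsel["max-age"]
        if max_age != "" and int(max_age) <= 0:
            verdicts[name] = "deletion"
        elif max_age != "" or morsel["expires"] != "":
            verdicts[name] = "persistent"
        else:
            verdicts[name] = "session"
    return verdicts


def session_cookie_header(name, value):
    """A strictly necessary cookie: no lifetime attributes, so nothing outlives the session."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def opt_in_cookie_header(name, value, days):
    """The one stored cookie an opt-in scheme needs: the record that the user opted in."""
    return f"{name}={value}; Max-Age={days * 86400}; Path=/; Secure; SameSite=Lax"


# Constructed headers as a site might emit them; the _ga value is a placeholder.
CONSTRUCTED_HEADERS = [
    session_cookie_header("sid", "3f9a1c"),
    opt_in_cookie_header("consent", "granted", 180),
    "_ga=GA1.2.PLACEHOLDER; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    "oldtracker=; Max-Age=0; Path=/",
]


def audit(headers):
    """Merge the verdicts for a list of Set-Cookie header values."""
    out = {}
    for h in headers:
        out.update(classify_set_cookie(h))
    return out


if __name__ == "__main__":
    for name, verdict in audit(CONSTRUCTED_HEADERS).items():
        print(f"{name:<12} {verdict}")
```

Only `consent` and `_ga` would be stored on the device here; of those, `consent` is the one the post says an opt-in scheme cannot avoid, while a two-year analytics id is exactly the kind of cookie that needs consent first.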
The 'cookie law' is actually EU Directive 2009/136, an amendment to the ePrivacy Directive (2002/58/EC) so it dates back to 2009. However, at the time it was - unfortunately - left open what exactly consent for storing cookies on a user device means and so the likes of Google and Facebook came up with the aggressive interpretation that things like 'consent' banners with only an ok-button would do.
Eventually (01OCT2019) there was the CJEU Planet 49 (C-673/17) decision though: GDPR consent rules apply to cookie consent. So it seems it took about two years from that to a decision by the CNIL. This doesn't seem too bad given that Google and Facebook have likely worked hard to delay it; now, of course, they will appeal and will no doubt work even harder to drag that on as long as possible.