Example - the GDPR is so ridiculously easy to maliciously comply with - just say you need the data for security reasons, and you need all the data all the time - otherwise you can't catch the bad guys. There are several data harvesting companies built on this loophole.
At the same time if you were trying to comply with the spirit of it - meaning you can't reverse engineer customer identity based even on data sources, basically all standard logging practices - server logging, customer telemetry etc. is off limits, even properly anonymized, as you can reverse engineer what people were doing from time stamps, access patterns, and corellation ids.
Removing all these renders all logging useless. And the fun part of it is that even if we were hell-bent on complying with the GDPR, and dropped all logs, once some failure or security incident hit, we'd be on the hook for not doing at least due diligence logging to at least reassure customers or users that we know what went wrong and how to fix it.
rubendev•1h ago
If you say you need the data for security reasons that’s all well and good, but then you can only use the data for that specific purpose. So you cannot suddenly start using it for targeted advertising just because you already have the data.
signal11•36m ago
The EU’s tech regulation has always been a bit “off”, like they don’t really understand tech or how to encourage improved behaviour. Eg cookie popups, those are a blight and it’s the EU’s fault — to the point they’re working to roll them back[1] after all these years, because informed consent is impossible at the scale at which cookie popups hit users.
Then there was the whole “pay or okay” controversy around paywalls or tracking ads.
My observation is: saying no to tech rarely works. Building a more compelling alternative does. But the EU would rather regulate than build.
torginus•1h ago
Example - the GDPR is so ridiculously easy to maliciously comply with - just say you need the data for security reasons, and you need all the data all the time - otherwise you can't catch the bad guys. There are several data harvesting companies built on this loophole.
At the same time if you were trying to comply with the spirit of it - meaning you can't reverse engineer customer identity based even on data sources, basically all standard logging practices - server logging, customer telemetry etc. is off limits, even properly anonymized, as you can reverse engineer what people were doing from time stamps, access patterns, and corellation ids.
Removing all these renders all logging useless. And the fun part of it is that even if we were hell-bent on complying with the GDPR, and dropped all logs, once some failure or security incident hit, we'd be on the hook for not doing at least due diligence logging to at least reassure customers or users that we know what went wrong and how to fix it.
rubendev•1h ago
signal11•36m ago
Then there was the whole “pay or okay” controversy around paywalls or tracking ads.
My observation is: saying no to tech rarely works. Building a more compelling alternative does. But the EU would rather regulate than build.
[1] https://www.politico.eu/article/europe-cookie-law-messed-up-...