If you could magically make everyone everywhere instantly understand and integrate one concept related to data privacy, which one would it be?  👀

#Privacy #DigitalRights 🔒

@Em0nM4stodon that in our social world, when you're careless with your own data privacy, you're endangering all your friends too.
@Em0nM4stodon Frankly, I'd have to go with that it is important at all. If they don't get that, nothing else will seem to matter.
@Em0nM4stodon That software companies share and use our information without our consent really, and there's no good way around it.
@Em0nM4stodon When data leaves your device, it's not private unless protected from unauthorized access.

@Em0nM4stodon

PGP\GPG\S/MIME

At least something so that even if someone is using Gmail for email Google can't rely on reading everyone's emails to train their AIs with.

There is not enough email encryption anywhere.

asymmetric encryption

@Em0nM4stodon I want you to imagine anyone who says “if you have nothing to hide you have nothing to fear” as a fat creepy old dude in a police uniform holding a video camera following you 24/7.

Shoo! Stop following us and all our kids around. Get off me and stop trying to turn the tables on me making me explain myself about why I don’t want your and your buddies’ sleaze all over me.

#ifyouhavenothingtohideyouhavenothingtofear #privacy

@Em0nM4stodon data is nuclear waste.

You do NOT want to have to deal with safe and secure storage

@Em0nM4stodon
That EU law does not require a #CookieBanner unless the web site wants to track your clicks or sell your data.

Because people do not understand this, they think "stupid EU law" instead of...

- "website owner has no respect for consumer rights"
- "website owner has no solid business plan and just hopes for a few bucks from the advertisement industry"

#GDPR

@tynstar @Em0nM4stodon GDPR is unrelated to the cookie banners. The ePrivacy directive is at fault. https://news.sophos.com/en-us/2023/12/14/arrested-intimidation/

@tynstar in many cases (small sites) the website owner doesn't understand it, either. So they end up installing a generic and obnoxious banner which was not needed. Or they are just for some analytics they don't really look at.

Big companies have resources to do these things properly, though (even if they are often as clueless).

I would wish they understood however that they MUST make the options equally accessible. So, if they want to put some tracking 🍪 for a non-essential purpose (like sharing my whereabouts with their hundreds of partners so they can build a better profile which they then sell to more "partners"), they cannot promote "their" preference for the acceptance.

So, if they put a one-click Accept-all button, I must be able not to accept any of them in one click as well. Not five, not three, one as well (or alternatively, make the acceptance as long as the other).

And let's not get started with those considering that it's legitimate to require a subscription for not getting tracked...

Cc: @Em0nM4stodon

@crlf @tynstar @Em0nM4stodon I get SO annoyed with the one click 'Accept all' versus expanding several sections to find all the 'legitimate interest' options and disabling them one by one.

And that's why I use Brave...

@tynstar @Em0nM4stodon you can track clicks without necessarily needing a cookie banner. Plausible or a properly configured Matomo will do just that.

On the other hand, if you need to embed contents from sites such as YouTube, Twitter or Facebook, whose embeds have trackers, you need to ask for consent before loading those embeds, and a cookie banner is a common way to do that.

@Ash_Crow @tynstar @Em0nM4stodon de jure Plausible actually needs consent when done on the frontend. Not because of GDPR but because of telecom laws in most if not all EU countries. There's a need for consent to send anything from a customer device unless it’s required for requested functionality. Analytics is not one of them and in this case there’s no “legitimate interest” like in GDPR.

In general backend tracking is a future for all law abiding companies.

@hey @Ash_Crow @Em0nM4stodon
Hmm, what does "backend tracking" mean? If it's about individuals' actions ("user journey" based on user IDs or pseudonyms), I'm pretty sure it counts as data processing as defined by GDPR, for which you would need explicit consent.

(Disclaimer: I'm not an expert.)

@tynstar @Ash_Crow @Em0nM4stodon I’m an expert (from tech PoV) and I work on this topic heavily with a legal team that are actual experts.

I’ll give you an example KPI: how many users use „add to fav” that is below the „add to cart” button, per region, per language used.

Frontend tracking: custom event, sent via JS with some GA dimensions.

Needs consent not because of GDPR (as long as it’s anonymous), but because of telco laws.

1/2

@tynstar @Ash_Crow @Em0nM4stodon Backend: controller gets „add to fav” sends an event with explicitly anonymised data further. No consent needed, it’s a side effect of already given data.

Event: action: fav_add, item_id, language, region

Then to be fully compliant we need to ensure we aggregate all regions in a GDPR compliant way, e.g. if a region has just 2 users, we need to remove it or bundle into „others” so it’s impossible to deanonymise the user.

2/2

@tynstar @Ash_Crow @Em0nM4stodon in big corp I work for we did this as an experiment to a website I own and it was a big success. We got rid of any client side analytics, got rid of consent prompt. Users are free of this shit and yet we still get all the KPIs the product management needs. Some of them we had to design better tho to make it possible without a consent.

Now we spread it all over the place and perhaps some day most of our websites will be consent free.

@tynstar @Ash_Crow @Em0nM4stodon it will be hard tho if marketing is heavily relying on stuff like remarketing and whatnot. Then we need to ship data to third parties anyway so consent needed.

@hey @Ash_Crow @Em0nM4stodon
Right, that totally makes sense. I just asked 'cause your short sentence about "backend tracking" might have referred to a naive, seemingly better but still illegal approach ("get rid of cookies, but still track individuals within the backend based on their user IDs"). Glad to hear your org really understands all this and takes care to implement it properly!

Thanks for the explanation! If I understand it correctly, one record of that table/log you mentioned could look something like:

- time frame: 2024-09-08 17:00 to 18:00
- item id: 742828
- language: English
- region: UK
- count of "favorite added" events: 11

As you mentioned, one has to make sure that each region has enough users (e.g. at least 5) so that using the records above, one cannot figure out who it was.

For example, if you expand to Ireland and have exactly 1 Irish customer, you would count their actions together with those of people in other countries as a region called "Other". Correct?

@tynstar @Ash_Crow @Em0nM4stodon yeah so in our exact implementation we aggregate the regions only if they have enough events. In our case it's 5 users per region.

For a favorite list it wouldn't be that relevant (if you don't share data with third parties you are allowed to look at the data still based on legitimate interest), but we track something more private so we need to really ensure we don't leak that kind of easy to deanonymise stuff. Even if it's only within the same organisation.

@hey @Ash_Crow @Em0nM4stodon
Interesting! So what happens if in one particular region in one time frame you only have one event that has a certain language, e.g. German? Logging that would make it pretty easy to correlate this with other info, e.g. the sole German customer who ordered that item on that day. So I guess you also include the "language" field in the "are there enough events to avoid de-anonymisation" logic, right?

@tynstar @Ash_Crow @Em0nM4stodon sure, depending on your use case you need to design it in a way that it's impossible for whoever looks up the data to correlate actual users with other meta data.

But again, this one we do this way for more "private" stuff than some favorite list items.

I didn't ask my legal team but I guess they would say it's totally ok for the website operator to see what actual people have in their lists.
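
The hourly aggregation with a minimum-users threshold discussed in the posts above, as an added example that is not part of the thread or any poster's code. The field names `hour` and `user_ref`, the choice to fold language together with region, and the sample events are assumptions made for illustration; the threshold of 5 is the figure quoted in the thread.

```python
from collections import defaultdict

K_MIN_USERS = 5      # threshold quoted in the thread; pick per use case
OTHER = "Other"

def aggregate(events, k=K_MIN_USERS):
    """Roll backend events up to hourly counts; small cells go to 'Other'.

    user_ref (assumed field) is held in memory only, to count distinct
    users per cell. It never appears in the returned rows.
    """
    cells = defaultdict(lambda: {"count": 0, "users": set()})
    for e in events:
        key = (e["hour"], e["item_id"], e["language"], e["region"])
        cells[key]["count"] += 1
        cells[key]["users"].add(e["user_ref"])

    # Fold every cell with fewer than k users into one Other/Other bucket
    # per hour and item, so a rare language cannot single anyone out either.
    merged = defaultdict(lambda: {"count": 0, "users": set()})
    for (hour, item, lang, region), c in cells.items():
        if len(c["users"]) < k:
            lang, region = OTHER, OTHER
        merged[(hour, item, lang, region)]["count"] += c["count"]
        merged[(hour, item, lang, region)]["users"] |= c["users"]

    # Drop buckets that are still below k after folding (suppression).
    return [
        {"hour": h, "item_id": i, "language": l, "region": r, "count": c["count"]}
        for (h, i, l, r), c in sorted(merged.items())
        if len(c["users"]) >= k
    ]

def sample_events():
    """Constructed sample data, not real traffic."""
    def ev(item, lang, region, user):
        return {"hour": "2024-09-08T17", "item_id": item,
                "language": lang, "region": region, "user_ref": user}
    events = [ev(742828, "English", "UK", f"u{n % 6}") for n in range(11)]
    events += [ev(742828, "English", "IE", "u10"), ev(742828, "German", "UK", "u11"),
               ev(742828, "German", "DE", "u12"), ev(742828, "German", "DE", "u13"),
               ev(742828, "French", "FR", "u14")]
    events.append(ev(555001, "German", "UK", "u11"))   # lone event, must vanish
    return events

if __name__ == "__main__":
    for row in aggregate(sample_events()):
        print(row)
```

If unsuppressed totals are published alongside these rows, a small cell can be recovered by subtraction, so any totals should be computed from the suppressed output.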

@hey @tynstar @Em0nM4stodon which telecom laws?
@Ash_Crow @tynstar @Em0nM4stodon Germany: TTDSG, Polish: „Ustawa Prawo Telekomunikacyjne”
@Ash_Crow @tynstar @Em0nM4stodon something being technically possible and something being legal is not the same.
@Ash_Crow @tynstar @Em0nM4stodon you need to ask consent, if you include those, and don't care or want users to be tracked. It's the website developer/owner who wants to do that. That is the point being made.
@tynstar @Em0nM4stodon I hate cookie pop-ups. So I've never put one on my site. Nobody has ever complained. (There's just one cookie, and all it does is remember the user's preferences for any future visit. It's a cookie because I don't want user data cluttering up my server and needing managing - there's no concept of "login" or "account".)
@TimWardCam @tynstar @Em0nM4stodon then good news: your website is fully compliant with the EU law, which does not in fact require consent for this kind of purely functional cookie

@tynstar @Em0nM4stodon It's not a great law because it puts almost all the burden on the consumer, only requiring that the website put up a banner, though, yes, it is the website owners that have decided to continue doing unethical things.

Install the EFF's Privacy Badger and do away with all that tracking crap.

https://privacybadger.org/

@StarkRG @tynstar @Em0nM4stodon Yup, any nerd would have put a mechanism in the browser (mb with a whitelist for the rare exception), not on every website. Still, a great post.

@tynstar @Em0nM4stodon

I went shopping on bike24 and it was like:

"Cannot remember your session because you did not accept the cookie, do you want to change your cookie settings?"

"Cannot remember your shopping cart you did not accept the cookie, do you want to change your cookie settings?"

@juliank yeah like for a shopping cart cookie you don't need a cookie banner. Cause like it sounds kinda necessary to me, unless of course you want to idk sell the shopping cart information to all 678 "service improvement" and advertisement partners.
@tynstar @Em0nM4stodon

@tynstar @Em0nM4stodon +9001%

My own website requires 0 banners or popups or consent because I don't run (invasive) ads nor track visitors at all...

  • It's a CHOICE said websites did.

Remember that...

#GDPR #BDSG #Privacy #ConsumerRights #DataProtection #EU #USA #tracking #cookies #ads

@kkarhan
Same here. No cookies, no popups, no JavaScript even.
@tynstar @Em0nM4stodon

@PC_Fluesterer @tynstar @Em0nM4stodon and for anyone wondering if it's even possible to make good #Webdesign without #Tracking & #JavaScript:

@kkarhan @Em0nM4stodon
Same here. Also, my website is hosted by statichost.eu, and they don't even log IP addresses.

@tynstar @Em0nM4stodon tho AFAIK webserver logs are exempted as they are generated unavoidably and serve a "legitimate interest" in helping to investigate cyberattacks and enable counter-actions against them...

I.e. being DDoS'd...

The creators of TikTok caused my website to shut down

YouTube
@kkarhan @tynstar @Em0nM4stodon Collecting/processing server logs for service management/security are an easy legitimate interest (could even be considered fulfilment of contract since they’re an essential part of providing the site/service). Of course just bc you have them isn’t a Carte Blanche - *further* processing for user tracking/analytics purposes would need consent. A case of dual-purpose data we all have to be careful of.

@tynstar @Em0nM4stodon and even then, the cookie banner needs to be NON-INTRUSIVE

consent popups are illegal, full stop. they cannot exist under current EU law, they MUST be non-obtrusive

so it's less "stupid EU law" and more "predatory and deceitful capitalistic practices"

@ShadowJonathan @tynstar @Em0nM4stodon Capitalism? Again? Who would’ve thought…
@tynstar @Em0nM4stodon true but imo the idea that websites need to be profit-centric is dumb anyway and should be discouraged
I miss personal web sites
@tynstar @Em0nM4stodon
I've been running a strict policy of not enabling cookies or javascript by default for a few years now. If that breaks anything on a site I've never been to and/or they only use css to open nag alerts. I'm gone and never coming back.
@tynstar @Em0nM4stodon Prop 65 warnings are the same way. There's no penalty for crying wolf so lazy management puts stickers on everything.
@tynstar @Em0nM4stodon it's malicious compliance, more or less.
@tynstar @Em0nM4stodon @westbrook what Americans also don't see is that for a lot of Europeans - we are just blocked from accessing many sites because they refuse to put up a cookie banner. What are those sites doing with all those people's data...
@tynstar @Em0nM4stodon Maybe this "stupid EU law" should add taxing for every cookie banner that shows up on its own

@Em0nM4stodon Constellation mapping: all the tiny bits of location data that can be linked together to de-anonymize anyone.

Which then gives bad actors, including malicious or overzealous government, all they need to accuse a person of "crime".

@Em0nM4stodon How easy it is to deanonymize someone with enough easily collectable, possibly even public, data that otherwise seems harmless.

( Date of birth and zip code uniquely identifies approximately 70% of the US population, for example. )
@Em0nM4stodon Caring (or not caring) about privacy affects not only you, but the ones you know and love.
@catsalad @Em0nM4stodon This. Attacks on individual privacy have damaging effects on civil society that may seem diffuse to you if you don't care... yet
@Em0nM4stodon Security threat models do not begin to address risks from data at rest as reidentification is inevitable.
@Em0nM4stodon
That privacy and information security aren't some arcane form of knowledge, and most people can understand the basics, as long as they have a little competent help and put in a little effort.
@Em0nM4stodon sending your DNA for a fun ancestry test exposes very private information for you and your entire past, present and future family. No level of individual action can undo this.
https://www.sciencenews.org/article/family-tree-dna-sharing-genetic-data-police-privacy

@Em0nM4stodon That asking for safety and anonymity is a valid value of itself

Or more focussed: That "end to end encryption" is a nice thing, but an entirely different thing than (and in no way a surrogate for) creating metadata and linking together everything that one does in life

@Em0nM4stodon
> If you could magically make everyone everywhere instantly understand and integrate one concept related to data privacy

Privacy and security are not the same thing. Boosting one doesn't automagically boost the other.

@Em0nM4stodon that “data” (contrary to what the industry claims) really isn’t very useful for advertising/marketing.
@Em0nM4stodon don’t click on links you haven’t asked for