23 September, 2020

Triggered

Somebody pointed me to a research article about how many app developers fail to comply with the GDPR and data requests in general.

The sender suggested that I could use it in marketing for Nextcloud.

I appreciate such help, obviously, and often such articles are interesting. This one - I read it for a while but honestly, while I think it is good this is researched and attention is paid for it, I neither find the results very surprising NOR that horrible.

What, a privacy advocate NOT deeply upset at bad privacy practices?

Sir, yes, sir. You see, while the letter of the law is important, I think that intentions also are extremely important. Let me explain.

Not all GDPR violations are made equal

If you or your small business develops an app or runs a website to sell a product and you simply and honestly try to do a decent job while being a decent person, the GDPR is a big burden. Yes, the GDPR is good, giving people important rights. But if you run a mailing list on your local pottery sales website, with no intention other than to inform your prospective customers and followers of what you're up to, it can be a burden to have people send you GDPR takedown and 'delete me' requests instead of just having them, you know - unsubscribe via the link under your newsletter!

The goal of the GDPR, and of my personal privacy concerns, isn't at all related to such a business. If anything, their additional hardship (and we at Nextcloud have this issue too) is at best a by product of the goal. That byproduct isn't all bad - we all make mistakes, and being more aware of privacy is good, even for small businesses. The GDPR has forced many small businesses to re-think how they deal with private data, and that isn't a bad thing at all. But it isn't the main benefit or goal of the GDPR in my eyes. There are big businesses who totally COULD do better but never bothered, and now the GDPR forces them to get their act together. While that's a real good thing, even THAT is not, in my opinion, what the GDPR is about.

Privacy violation as a business

You see, there are businesses who don't violate privacy of people by accident. Or even because it is convenient. There are businesses who do it as their core business model. You know who I'm talking about - Facebook, Google. To a lesser but still serious degree - Microsoft and yes, even Apple, though you can argue they are perhaps in the "side hustle" rather than "it's their primary revenue stream" category.

For these organizations, gathering your private data is their life blood. They exploit it in many ways - some sell it, which is in my opinion definitely among the most egregious 'options'. Others, like Google and Facebook, hoard but also aggressively protect your data - they don't want to leak it too much, they want to monetize it themselves! Of course, in the process of that, they often leak it anyway - think Cambridge Analytica - that was in no way an incident, hundreds of apps get your private data via Google, Facebook, Microsoft and others. But by and large, they want to keep that data to themselves so they can use it to offer services - targeted ads. Which in turn, of course, get abused sometimes too.

My issue with this business model, even without the outright sale of data, is two-fold.

Ads work better than you think

First, in principle - while people might feel ads don't effect them, there is a reason companies pay for them. They DO effect your behavior. Maybe not as much or in the way marketing departments think or hope, but the effect exists.

How bad is that? Depends, I guess. To some degree, it is of course entirely legitimate that companies have a way to present their product to people. But modern targeting does more, including allowing companies to charge specific people different prices, and of course a wide arrange of sometimes nasty psychological tricks is used. The example Facebook once gave to potential advertisers, of targeting an insecure youth "at their most vulnerable" with an ad is... rather disgusting.

This gets worse when we're not just talking about product ads but political ads, either from political countries or, of course, from foreign non-democratic adversaries trying to influence our freedoms in a rather direct and dangerous way. And again - this is more effective than most people realize or are willing to admit and has swayed elections already, making is all less free.

Centralization is bad

Second, there is simply a HUGE issue with all-our-eggs in one basket. Especial when that basket is in a foreign country and not protected by privacy and security laws compatible with those in your own country. Having a single point of failure, how well protected - is just not smart. Things WILL fail, always. Better have slightly more breaches that each are just a single provider, than one breach of all private data of everyone in a country...

And that's not even talking about the fact that this data helps these companies get incredibly huge and then allows them to suppress or kill competition (or just buy it) - think Amazon, Microsoft. These tech molochs are just plain bad because of many reasons. They are anti-competitive, which raises prices, decreases choice, and the much lower innovation-per-dollar they produce is of course a worse deal for society too. They are too easy to control by law enforcement and censorship, impacting our freedoms - even when they're not 'foreign' to you. Yes, it is harder to censor 50000 private servers than one Google server farm!

Triggered

 So, as you notice, this question triggered me. Not all privacy violations are equal. Intentions matter. As does market power. And the GDPR is not a golden bullet. It has downsides - compliance is often easier for big companies than small ones, a serious issue.

Luckily, our judicial system tends to look at the intentions behind law, and I would expect a judge to fine an organization heavier for truly bad business models than for honest mistakes. I hope I'm not too optimistic here.

From my side, I don't want to bang on people's head for mistakes. I want to attack and challenge bad business models and bad intentions. A local, small app maker who fails to respond quickly enough to GDPR requests - not my target. Facebook - yes.

And by the way. Maybe it doesn't need to be said to most of you, dear readers, but of course - our open source world is, I still believe, a huge part of solving this problem. KDE, openSUSE and other Linuxes and desktops - and of course Nextcloud, Mastodon, Matrix and other decentralized and distributed and self-hosted platforms. We have ways to go, but we're making progress!


As I concluded to the person who triggered me - I know, this is far too long a reply to what they said


But it triggered me ;-)


Best reply over twitter, (twitter.com/jospoortvliet) or so, this awful Google platform makes commenting nearly impossible. And I know, the irony, replying on twitter, and I still have not moved away from blogger.com... Some day, some day. When I find time.