Michael Eriksson's Blog

A Swede in Germany

EU’s General Data Protection Regulation (and WordPress’ handling of it)


Roughly a week ago, EU’s General Data Protection Regulation (GDPR) went into force, as many EU citizens have noticed in the form of various emails from businesses* keeping their data, and a more global group in the form of more, or more intrusive, alerts concerning use of cookies and whatnot. WordPress bloggers have probably also noticed a notification in their admin areas:

*While I will speak of “business” throughout, seeing that much of the discussion is in a commercial context, the regulation is not limited to businesses in the strictest sense, and replacing “business” with “organization” might be appropriate in some cases.

To help your site be compliant with GDPR and other laws requiring notification of tracking, Akismet can display a notice to your users under your comment forms. This feature is disabled by default, however, if you or your audience is located in Europe, you need to turn it on.

Below, I will briefly* discuss the GDPR, some points relating to the Web, and why I will not follow the demand of the WordPress message.

*This is a very wide topic and a more complete discussion would require a considerable amount of both research and analysis.

GDPR:
By and large, the GDPR is a good thing, including a much needed change of philosophy (quoting the above Wikipedia page):

Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymisation or full anonymisation, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately.

This quote alone addresses much of what troubles me with data handling, including that data security is often an afterthought and that users have to run through various settings (or even send a letter) to reduce data use. However, how much it will bring remains to be seen, bearing in mind the difference between expectations on paper and their realization in real life, as well as various exceptions and softenings of the rules.

Unfortunately, this change of philosophy is also, indirectly, the source of much of the legitimate* criticism from the business world: Because existing software and procedures were built with a very different philosophy in mind, sometimes decades ago, the transition costs are enormous. On the positive side, while the costs after the transitional period** will be increased compared to the past, it will be by nowhere near as much as during the transitional period.

*As opposed to illegitimate criticism of the “you are spoiling our data party” kind. Other legitimate criticism includes unclear or delayed information from government institutions that have made it harder to implement the GDPR (see also the following footnote).

**In theory, businesses have had several years for this transitional period, implying that much of the cost should be history; however, from news reporting, it does not appear that this period has been used very well on average, implying that there likely will be an additional transition over the coming months. To boot, there are likely very many issues that will need resolution over the coming years, for reasons like later clarifications of regulation, upcoming court cases, and unforeseen practical obstacles.

At the same time, there are reasons to criticize it from a consumer point of view. For instance, the Wikipedia page also says:

Recital 47 of the GDPR states that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

This* is very unfortunate, seeing that direct marketing is one of the greatest sources of abuse of data and something many consumers are more upset with than sloppy data treatment per se.** More than that: If there had been stronger and more severe restrictions on various forms of marketing, especially direct marketing, many of the reasons for data use and abuse of today would disappear, and we would almost automatically have a considerable reduction.

*This section of the Wikipedia page simultaneously and confusingly deals with both B2C and B2B marketing, and I must make some reservations for the correctness of my understanding.

**Say, when they give an email address in confidence to complete one purchase and are then spammed with unsolicited and unexpected offers to perform another on a regular basis. This is grossly unethical and should by rights be illegal; however, looking at Germany, the otherwise strong laws against spam were artificially weakened by the legal fiction that someone who had once bought something could be assumed to be keen on buying more, making the unsolicited messages quasi-solicited. This is of course an incorrect reasoning on at least three counts: Firstly, very many customers buy something once and never come back (and have no interest in coming back). Secondly, those who are interested in coming back will usually want to do so on their own terms, e.g. when they see a need. Thirdly, it makes an extremely customer hostile assumption about all those who strongly dislike such messages. As an aside, ethical marketing should always work on an opt-in basis, which is not the case here.

Looking at the German Wikipedia page, which differs considerably in content, there is a very odd claim:

Otherwise, the member states are in principle not permitted to weaken or strengthen the data protection laid down by the regulation through national rules.

(Gist: It is not allowed for the member states to reduce or increase [sic!] the protection offered by the regulation.)

That no reduction is allowed is very positive, but the ban on an increase seems extremely ill-advised. Barring the influence of industry lobbyism, the only plausible seeming reason is to reduce complications when consumers and/or businesses from different (EU) countries are involved. Even so, there must be a better way*, because this way there is an artificial upper limit on consumer protections. Indeed, this could be a contributing factor to the existing protection in Germany being lowered in some cases, including criteria for the consumer’s acceptance of data use**.

*What, in detail, goes beyond the scope of this post, but an obvious step would be to allow stricter rules when both parties are situated in the same country.

**“In principle, the requirements for valid consent are reduced compared with the German BDSG: The written form is no longer the rule, and an implied declaration of consent is also permissible under recital (32), provided that it is unambiguous.”

One of the more interesting changes from the English Wikipedia page is that “A right to be forgotten was replaced by a more limited right of erasure”. This is to some degree a limitation of consumer/user/whatnot rights; however, not one that I consider a bad thing: The original “right to be forgotten” always seemed disproportional to me, looking at gains for the individual and efforts needed from others, and also carried a risk of destroying/hiding knowledge, distorting history, …

Web:
The sheer amount* of “cookie warnings” and similar poses a considerable problem to comfortable surfing. This especially since the people who surf without cookies and JavaScript are often unable to get rid of them**; while even the rest will have a number of extra clicks to perform over the course of a day. A positive thing is that it becomes obvious how many sites actually use cookies et co, for no legitimate reason: If I enter an online shop to buy something, using cookies for the shopping cart is legitimate, but why would a cookie be needed when I am passively browsing a forum? Using a search engine? Looking at a static site with no means of interaction? My hope is that the mixture of this revelation, in combination with the increased annoyance for the visitors***, will force businesses to reduce their use of such technologies to some degree for fear of losing the visitors. Then again, if a sufficient proportion of the sites give such warnings, the users will have few alternatives and might remain anyway, taking a hit in usability on the way.

*I doubt that the amount will lessen over time, except as mentioned above, seeing that an earlier increase a few years ago, likely related to the original passing of the GDPR, did not.

**Somewhat paradoxical, seeing that these are normally not affected by the data use that necessitated the cookie warning.

***The negative effects of e.g. hidden user profiling do not hurt in such an obvious manner as the warnings: A pin-prick hurts worse than clogged arteries.

In a twist, keeping these warnings from re-occurring will require some way to keep tabs on the users, most likely through cookies… This can cause paradoxical situations where the warnings increase the amount of cookies, tracking, … performed.

A further complication is that the degree of tracking, the needed content of the warnings, whatnot, will not necessarily be under the control of the individual site, possibly necessitating a vagueness that makes the warnings misleading or unhelpful. Consider e.g. a site that uses a tracking network or that allows external content (notably advertising) that can on its own pull in tracking functionality. Frankly, what we need are restrictions against user tracking, profiling, …, that go considerably further than the GDPR—not just warnings.

WordPress:
I will not comply with the notification from WordPress (cf. above):

I do not actively gather or track any user data, except what is provided through e.g. comments and subscriptions*; I do not use cookies, JavaScript, …; I have no access to data excepting fully pre-anonymized read-only access statistics provided by WordPress (and the aforementioned comments etc.). To boot, I am blogging in a private capacity, as a natural person, with no monetary interests involved, which makes it likely that the GDPR does not apply to me in the first place (in this particular context).

*And even here the “actively” is typically limited to me passively accepting e.g. a comment through the WordPress software, reading (and possibly answering) it, and then forgetting that it is there.

Should* WordPress choose to engage in such practices in a manner exceeding the reasonable minimum, this is simply not my problem, not within my control, and contrary to my preferences**. WordPress, not I, has the responsibility to inform people correspondingly—better yet, it should cease these activities. An attempt to roll the responsibility over to the bloggers is unethical and amateurish. This especially seeing that the notification contains no reason whatsoever why it would be my duty to comply. Almost certainly, there is no such reason.

*Going by the privacy notice provided together with the notification, it appears that WordPress is abusive. This includes unethical over-tracking of user data, e.g. “browser type, unique device identifiers, language preference, referring site, […], operating system, and mobile network information” as well as potentially (depending on details unknown to me) unethical over-communication to e.g. “Independent Contractors” and “Third Party Vendors”. Cf. also an older analysis of WordPress’ privacy policy—a very similar document.

**If I had the power, I would explicitly forbid them to do certain things in relation to my WordPress blog. I definitely recommend readers to surf with cookies, JavaScript, …, off to the degree realistically possible, as well as to use various forms of anonymizers, in order to minimize their exposure.

To boot, if the responsibility were to reside with the bloggers, the means of communication chosen is entirely insufficient, and WordPress would have exposed its bloggers to an unnecessary period of involuntary law violation…

I note that the restriction to Europe* is somewhat arbitrary: The ethics of data economy, respect for user privacy, etc., do not end at borders, even should the law do so. It also raises so many questions and caveats that the typical blogger will not be able to make an informed decision without consulting an independent expert. For instance, what if a non-European blogger has a European following that he is not aware of? What if he blogs while spending time within Europe? Is this different for a one-week vacation and a one-year period as an exchange student? Etc. With very few exceptions, he would have to activate these notifications in a blanket manner to be on the safe side.

*Of course, the GDPR does not apply to all of Europe to begin with, again making the notification too vague and poorly thought through.

What I will do is to add an extra page, giving fair warning that WordPress might be engaging in dubious practices outside of my control.

Disclaimer:
Note that the external pages quoted are unusually likely to undergo changes over time. The quotes reflect the state of the page at the time of my visit.

Written by michaeleriksson

June 3, 2018 at 11:20 am
