I'm living in France, and "just" sharing the WIFI password is a very common practice in bars, coffee-shops, etc.
I only know of few places that actually use a compliant captive portal that requires some PII (name, email, phone...) to let you use the free WIFI.
My problem with these kinds of laws is that they get ignored most of the time and then allow for selective enforcement when the police/local-gov has issues with you.
I think this is used as an intentional strategy of control, at least somewhat. Make a jillion tiny little laws that are impossible to keep track of or follow, that way you know everyone is a criminal if you want them to be.
Then if someone is acting up, it's only a matter of figuring out which unrelated laws they are already breaking.
It feels like this is the defining premise of the US tax code.
This is mentioned in the famous "Don't talk to the police" youtube video (from this point[0] and a minute on): there are just enough laws that even lawmakers and experts don't have an actual count, can't keep track of all of them, and they can say nearly anything.
(These are my words, not the video:)
In the bigger scheme of things, you're likely to be guilty of something almost at all times. Whether or not people know, care, or come down on you depends on a variety of factors.
This is pretty much true in any country, it's just that the richest ones have codified it to give the madness more legitimacy.
This is why I think our legal system is not really compatible with the world of surveillance. Everyone has something to hide, therefore everyone has something to fear.
That's why the universal panoramic panopticon is desirable for society's weak. When all can spy on all, everyone's crimes are public and whether you're the homeless man on the streets of SF or celebrated lawyer Jeff Adachi, the programmatic police will come for you.
Fair, just, unbiased. And therefore a scary situation for people like me who willfully violate the law but are generally safe from prosecution. This is power and advantage I don't want to give up.
Lets. Any model that depends on intentional evil at every level is likely wrong.
The more likely reality is that politicians think they are doing what their constituents want by passing laws to address what they are currently complaining about. And constituents rarely complain about existing laws so the only natural way for the government to go is more laws and more regulations.
When’s the last time you heard a politician run on the platform of getting rid of laws? Even the Republicans who run on less regulation generate far more legislation than repealed.
> Any model that depends on intentional evil at every level is likely wrong.
This is unfounded (do you have any sort of backing for this ridiculously bold claim?), historically inaccurate (in nearly every generation, there's at least one mass-murdering regime born), and isn't actually relevant to the question (evil at every level discounts those who aren't involved, those that are victims, and those that are powerless to stop the evil).
The rest of your comment is spot on. The unfortunate truth is that people who are elected have the skills required to be elected, not the skills required to lead. Our legislative system is designed to encourage childish bickering, which is attractive to people with old faces and childish personalities. The system is built around the idea that the president will be the "adult in the room" and apply a considered direction to the children to mediate their bickering; it seems that doesn't work well.
You think evil requires intention? I have no idea what "model" you might be talking about.
On HN we are often downvoted for cautioning against unwarranted assumption. Meanwhile elaborate theories that just happen to affirm how great life is for everyone we care about in this best of all possible worlds are quite popular. In 2020. Good grief.
The fact that no politicians campaign in a way that would appeal to most citizens is no surprise. Our congress passed the trillion-dollar covid bailouts (that contained nothing to help normal citizens get health care) nearly unanimously.
Evil is ironically done with the best of intentions.
For the record - the federal bailout helped many business owners I know personally keep people on the payroll, and many unemployed friends (from food service and travel industry) able to keep paying their rent. With COVID’s 99% survivability rate for most of the working population, I think those benefits took priority over a healthcare stipend. Not trashing the idea of fixing healthcare at all, but given a limited bag of cash and choices to make, keeping people housed and fed en masse is arguably higher on the priority list than a healthcare half measure (if that).
I begrudge no small business anything they got. What they got, however, pales in comparison to the "open the Fed" measures that gave all the big guys access to trillions of dollars of "free" capital. Just as in the last recession, this giant transfer from the public to the assholes will destroy small firms and reward 2B2F firms.
It's actually worse for selective enforcement. That allows essentially prosecution for nothing against anyone currently out of favor with the powers that be. It obscures this deliberate corruption by hiding it behind a veneer of legalism, and allows apologists to claim "if they didn't want to be arrested, they shouldn't have done X". It erodes the idea of laws being backed by justice, and makes them simply another tool of the powerful against the powerless.
I’d agree but then there will just be an annual law that blanket renews all the laws that would expire in the upcoming year.
How about laws without cute names and that began by describing the problem they intend to solve? I have been told they are written that way in Russia though I have no way to verify.
> I’d agree but then there will just be an annual law that blanket renews all the laws that would expire in the upcoming year.
maybe so, but every so often you get a happy accident. the patriot act missed its most recent deadline for renewal and is still not in effect (though not for a particularly good reason).
How about law as a subscription service? The maxim is if it has value in people’s eyes, then people should be willing to pay a monthly fee for it, voluntarily and without coercion.
A big part of government function is managing externalities (pollution, food safety, roads etc) -- things that are not economic when purchased individually. They suffer from a free rider issue: I benefit from clean air whether I pay for it or not.
In addition I don't know enough about traffic safety to figure out what the best speed limit is for certain roads, nor how the road should be constructed (especially given local environmental conditions, estimated use etc). It's cheaper overall to outsource it to people who know. Otherwise how can I decide if I want to subscribe to that safety rail at the edge of a certain roadway?
>A big part of government function is managing externalities (pollution, food safety, roads etc) -- things that are not economic when purchased individually.
Says you.
Damn near every government (from local to national) has a charter more along the lines of "do these specific mostly administrative things that we agree are best done at this level".
Taxes are pretty much that, but I suppose "with coercion".
Otherwise, if it's truly pick and choose... how much thought did we give to this? :)
Will everybody pay equally for each law, or rich people pay more?
If rich people pay more, and they decide they don't like the tax avoidance laws, will they be disproportionally funded?
If everybody pays the same, this will be proportionally harsher for poor people.
Most people will not pay for 97% of the laws which may be overall important but don't impact them directly - e.g. I live in Toronto so don't care about fisheries laws, etc.
Some people will not pay for laws they personally don't want to abide by - from speeding tickets to financial regulations to fitness of goods and services etc.
I don't think this would work, but it does remind me of an idle thought I sometimes have. some nonprofits allow donors to make conditional donations. for example, you might donate to a school, but stipulate that the money can only be spent on the theater program. I wonder what would happen if taxes worked the same way. you have to pay the same amount no matter what (and maybe some gets preallocated towards nondiscretionary spending), but you would get to pick from a few broad categories where your tax dollars go. would probably be a disaster, but interesting to think about. from a certain perspective, it might increase the "legitimacy" of government programs.
I think "just give it to the feds instead" should be a checkbox on everyone's state taxes. It would give the states a clear monetary reason to make their inhabitants not resent them.
That would be nice if you could also elect to give your fed monies to the local gov’t. That way the different governments could compete for the provision of good government.
> think so too. The government has to pass a budget every year. Would it really be too much to ask of them to reaffirm old laws every 10-20 years?
You realize the federal government shuts down every so often for days to months because they can't get their act together on the budget. Can you imagine the chaos that would ensue in the current political climate if one party or the other thought they could hold a major law hostage to whatever cause they want?
Most governments manage to pass a budget every year. The American government's exceptional incompetence should not be treated as a foregone conclusion -- and their inability to pass laws speaks more to the innate unfairness of unaffirmed laws than anything else! Imagine if they would simply have to defend every law like the Assault Weapons Ban. We'd have fewer laws. Fewer by FAR.
> Most governments manage to pass a budget every year.
Not exactly. Two things are going on here that make the US "special". I would argue they're both design mistakes in the US government, its proponents will doubtless chime in that it's supposed to be like this, and presumably they are proud of the results...
1. Appropriations bills. In most countries it is seen as a foregone conclusion that the government should continue to operate. Politicians steer, but in their absence the ship of state continues onwards on auto-pilot. The US has never entirely worked that way, and last century the GOP intentionally destroyed some of the mechanisms to let it keep running in their absence, because of course they did. So, Congress must explicitly pass bills at least once per year that say the government will pay for things, or else important government functions just stop. Nothing like these Appropriations Bills exists in most countries.
2. Separate Executive. In most democratic countries there is ultimately a single elected power, even if it looks on the surface as though there are two or more political power centres, one of them is actually running everything. In this situation there is no conflict between policy and budget, so of course a "government budget" will pass.
One of the few upsides to another US civil war is it's likely that there would be an opportunity to redesign the US government in the aftermath. We've learned a lot about how to design governments since the 18th century.
This is a moot point anyway; laws can be overwritten with new laws. Perhaps requiring a supermajority (2/3) to remove would be useful, but even still, _having_ the laws put into question would be a remarkable use of time, keeping law orderly. I suppose the US Code might help with that effort; in the UK it's a tad more disorganised.
I have thought this for a long time. I also think they should have to be voted in by the public, with a higher percentage required as the geographical area expands.
This is why I always liked the idea of automatic sunsetting of laws. If it worked as expected, pass it through again. If it had loopholes, patch and reissue (better than applying patch to patch to patch). If it didn't have the effect you wanted, let it slip by. It is always beneficial to review your work and analyze it. There needs to be a good mechanism for this to happen within a government and automatic sunsetting forces this issue on lawmakers. Of course, there are other things that can help too.
Also lawmakers have pretty much outsourced their jobs to unelected committees. They realized they don’t know anything about a topic and also can’t be bothered so they appoint these committees who put into place “regulations” instead of laws that are basically the same thing but without oversight or accountability - they don’t get voted out if people don’t like it, and most don’t even know who these people are.
> They realized they don’t know anything about a topic and also can’t be bothered so they appoint these committees
It is literally impossible for any single elected official to know enough about every topic they need to legislate in order to make good laws. This isn't because they "can't be bothered", but because there are only so many hours in a day. They have to delegate.
Now, we can argue they do a poor job of delegating, but the problem isn't in the act itself.
Anyone have a rough estimation of the laws made vs laws repealed? This is what I wonder and worry sometimes. It seems we're constantly making far more laws than repealing and slowly but surely caging ourselves in. Our parties seem to be in a blind race downhill to see who can implement the most laws to block the other parties but I feel we're just "cleaning" ourselves into a corner.
Well, since regulations are created by the executive branch and not Congress, which makes law and to which the President can't dictate rules, the proposed rule is meaningless, so enforcing it is a non-issue.
Also, “a regulation” is not a particularly useful unit of size.
What's even worse is it's disturbingly easy to not just break the law, but it's surprisingly easy to commit a felony. That's a situation that just shouldn't be. In my opinion, a felony should almost universally be something either egregiously reckless or done with nefarious intent, and it should be something that people can universally agree is an obvious problem. (And by that, I mean an ACTUAL problem, not a side-target of the thing that's really of interest.)
Laws are source code. Currently it's all spaghetti and applying even simplest proven tricks from software domain would yield immensely good results. Like, duh, removing goto.
I went to tech school with a couple of State Policemen.
First, I should qualify that I had nothing but respect for these guys. Real professionals, and they were serious about the spirit, as well as the letter, of their vocation. The State Police, in that state, are quite powerful. They have (at least in the early 1980s) complete jurisdiction, throughout the state.
I also think they would have written their own mothers jaywalking tickets, for going across the street to borrow a cup of sugar.
One of them explained to me, how the state code was written, so that everyone is breaking some law, at any given time, and a lot of their training involved learning all these little violations, so they could pretty much justify pulling someone over, at any time.
I suspect these bar owners did something to piss off someone in some authority. It could have been as mild as their main clientele.
Honestly just curious, but how can you describe them as complete scumbags but still have "nothing but respect for these guys"? Is it just a platitude or do you really respect them even though they are bad people?
Look, I appreciate the current political situation, but I DID NOT describe them in that fashion. That was a value judgement that you imposed on a couple of gentlemen that I went to school with, in 1981. You did not meet them or interact with them; I did. They were insular, and I cannot call them "friends." That's fairly typical for police, but they were incredibly polite, and everyone in the class liked and respected them (it was an extremely mixed class, in a very tough town).
The people that engineered that scenario (and are probably still engineering it, to this day), were the state legislature. The officers that commanded that barracks were the ones that established the model for their officers.
These were two electronic technicians. They happened to be trained and uniformed officers, but were not particularly interested in the "pithier" aspects of their field. In fact, they had volunteered to spend their careers in a basement, fixing radios.
In that particular state, there is a giant world of difference between the State Police, and the various county and municipality cops. The State Police held themselves, and were held to, a much higher standard than regular cops. I know of at least one county in that state, where the cops were renowned for rather gratuitous violence; especially against minorities. The State Police had nothing to do with that.
As for me, and my views...seriously, dude, you have no idea. If you thought that you learned something untoward about me, you are wrong. Dead wrong.
This world is missing something fundamental: basic, human respect. That goes for people in authority, that abuse that authority; whether for personal gain, animus, or to be a "team player." It also goes for people that have appointed themselves "Guardians of 'The Truth'" (Whatever happens to be the flavor of the day).
We might want to consider that not everyone in the world is an evil person.
Some unsolicited feedback on your communication style below. Read no further if you're not interested in it.
> One of them explained to me, how the state code was written, so that everyone is breaking some law, at any given time, and a lot of their training involved learning all these little violations, so they could pretty much justify pulling someone over, at any time.
> I suspect these bar owners did something to piss off someone in some authority. It could have been as mild as their main clientele.
In colloquial speech, like that used on this forum, these sentences in combination imply:
* My friends, state policemen, knew how to pull over people at any point
* This was an act that was commonly performed
* My friends also participated
It isn't explicit in the text, but that is the natural inference in colloquial speech.
I only mean this in a descriptive fashion. There are all sorts of reasons you may want to continue communicating the way you do, but it will get you into situations like this where you feel compelled to respond in outrage to someone else who has made that inference. Up to you how you act, but if you weren't already informed, you are now.
Some unsolicited feedback on your communication style below. Read no further if you're not interested in it.
In no way is that a natural inference in colloquial speech. Those are your own (incorrect) inferences that you're justifying post-facto, and you are (not so) subtly implying that your interpretation is the correct one and in the majority, even though it:
a) Might not be
b) Involves you making an interpretation and inferential leap that isn't contained in the text of the original poster.
In a similar fashion, you may want to continue making inferences that go beyond what people actually say or write, but it will get you into situations, like this, where you feel compelled to put things into the speaker's mouth that were not written, things that were not said, that will put you in opposition to the original speaker/author unjustifiably and based on your own interpretative error, and which generally make people less inclined to share their opinions in the future.
Additionally, your writing style appears to be one of passive-aggressive condescending superiority. This does not influence the person on the other side round towards adopting your view-point, but actually makes them bristle up and more likely to reject participation in the conversation.
Up to you how you act, but if you weren't already informed, you are now.
> so they could pretty much justify pulling someone over, at any time.
But didn't clarify that your associates did not do that. In human language, people make inferences from what is said to natural extensions, in order to make utterances more compact.
Sometimes those inferences are in error.
Yeah, those sound like thugs, not good people, maybe thugs who were convinced by some authority that what they are doing is right, but that's true of most of the evil in history.
Replacing the arbitrariness of the monarch with the arbitrariness of institutions is a step forward in terms of diluting responsibility. Next up: machine driven decision making.
Our current representative system is a land line way of thinking in a mobile phone world. This fixed number of representatives and seasonal elections is nonsense. I should be able to change representatives with the same ease I can change my cell phone carrier. Once we get there, then let's worry about whether the representative I choose is a human or an AI.
We already have that when you buy something and a security alarm goes off as you leave the store. You are assumed to be a criminal because a machine said so.
>You are assumed to be a criminal because a machine said so.
Not really. At least where I live, the false positive rates are high enough that people would walk right past, or the employees would wave them through because they're holding store branded bags. A more egregious example would be the algorithmic bail systems that some states are deploying.
What is the functional difference from the “law” being the whims of a king, and the “law” being an incompressible mess where you are always guilty, but selectively prosecuted?
In the former case, there's only one person and a court to please, in the latter case, there's millions of people who can violate you. (Not intending to argue for monarchy here, ha, just came out that way.)
>What is the functional difference from the “law” being the whims of a king, and the “law” being an incompressible mess where you are always guilty, but selectively prosecuted?
Marketing, plausible deniability and the ability of the higher levels of the system to tell the lower levels of the system to knock it off when they're being jerks under the color of law.
Monarchy worked so well for so long because the king didn't want to see his resources pissed away using the government to prosecute crap that didn't actually matter in the grand scheme of things.
I'm not a Rand fan at all, but if the quote fits...
“There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws.”
This seems like a very pointed view of a certain kind of government, not government as a concept. If the people are willing and willingly choose a government, it's most certainly possible to govern them as long as that government actually listens to the population, doesn't indulge in corruption and earns the respect of people, not demands it.
Whether this type of government will ever come about in our modern world... Let's not get depressing.
There are so many laws because what started out as rule usually gets expanded out into detailed regulations that cover vastly more than just illegal behavior. Perfectly legal things that fulfill the spirit and letter of the law are nonetheless outlawed to achieve the goal of the law. A law that employees must pay withholding taxes on their pay, gets extended into a regulation that contracting is banned because in some cases this might hide sources of income and be used to dodge the law. Enough layers of this going on and no one except major corporations with teams of lawyers can keep up with the "right way" to operate. Despite everyone having good intentions.
> as long as that government actually listens to the population, doesn't indulge in corruption and earns the respect of people, not demands it.
Charitably, I think Rand's point would be that such a case is only possible if that government is not actually ruling the people, but merely providing services. (Not sure how much charity is actually justified, though, given what I've read of hers.)
No, the US tax code is not that hard to follow at the macro level. The complexity of the tax code comes from the thousands of potential write offs and exceptions that favor certain industries as a result of lobbying.
Well, even for an individual, optimizing their tax burden is ridiculously complex if you just take the IRS forms and code in hand. For a price (e.g. TurboTax) you can probably get to 80%+, especially if you live a simple life of a rental and a w-2. The process certainly favors those with the time and resources to understand the nuances of the tax code and most people don’t/can’t prioritize that. So it makes money off the “lazy” and non-confrontational in the same way that a car salesman does. That such a comparison makes even a bit of sense doesn’t speak highly of our system.
We all rely on the herd defense to protect us from minor math mistakes and code violations. Lord knows you don’t want to end up on the wrong side of the IRS. All my interactions with them have thus far been easy but if you listen to some stories during testimony in the nineties about IRS reform they weren’t always that way.
I like to think a simple flat rate would be better across the board. Many smart people disagree though.
Complexity is complexity. If the write offs exist and you think you qualify so you take them, and then it turns out that there was an exception on page 28,274 of the amended tax code that meant you didn't qualify but you took the write off anyway, welcome to jail.
Not if they claim the violation was intentional. Which, whether or not they can prove that, means they can arrest you, and deplete the money you'd have used for your defense as bail. And they do so enjoy that trick where "intentional" generally applies to whether you intentionally did a thing that was against the law, even if you didn't know that it was against the law.
Let's also not so easily dismiss as unproblematic a conclusion that you owe five times more money than you actually have in back taxes plus penalties and interest, which someone wouldn't have who filed the same tax return as you but didn't raise the ire of anyone in power.
> Due to the complexity of the tax code, there is a very high bar for criminality.
If only all of the complex laws actually worked that way.
A prosecutor wanting to give someone a hard time would choose tax law as the mechanism only if the amount in contention was large, e.g. it was against a business owner. You don't think a judge would issue a warrant in a case alleging million dollar intentional tax fraud?
No, because charges for violating tax laws must originate from the tax authority, i.e., the IRS for federal taxes. Prosecutors don't have the authority to file charges for tax law violations on their own.
My suspicion is that felony tax fraud would not have been charged there, or maybe even investigated, if he hadn't been implicated in the death of George Floyd. They had their man so they found his crimes.
Obviously nobody is going to feel sorry for him, but only getting charged with something because you became a political target over something else entirely is exactly the problem in general. Registering your car in a lower tax state may not be legal but it's not exactly uncommon, and plenty of people probably don't even realize it's illegal.
What world do you live in where you think that someone who hasn't filed 3 straight years of tax returns wouldn't be charged with a crime?
Also, to note: the filing of these charges is unrelated to the Floyd case. Based on the article you linked, there were years of financials that the investigators would have had to go through in order to substantiate the charges they filed. They had to investigate ownership of multiple homes, multiple cars in multiple states, and correspond with tax authorities in several states.
This isn't an investigation that they just trumped up because of the Floyd case; just the correspondence part alone would have taken months, and these charges were filed less than 8 weeks after the Floyd incident based on a substantial record of tax violations.
Chauvin was already on their radar for tax fraud. Politics had nothing to do with it.
> Registering your car in a lower tax state may not be legal but it's not exactly uncommon, and plenty of people probably don't even realize it's illegal.
True, but they're not charged with tax fraud because they failed to pay use taxes. RTFA. They were charged with tax fraud for falsely changing their state of tax residency so that they could avoid Minnesota sales/use taxes despite all evidence showing they were still Minnesota residents.
TLDR: Chauvin was not a political target. He was just a bad apple, and in addition to beating suspects was also a tax fraud.
The IRS generally just asks for the money back. You would have to ignore their requests before any criminal prosecution. If that is not the case you're doing something more than just making a mistake when it comes to a deduction.
How would you corner the market? There are thousands of tax preparers who have already made that observation and are already helping clients take advantage of those loopholes.
> Then if someone is acting up, it's only a matter of figuring out which unrelated laws they are already breaking.
Rand was writing about this in 1957:
"Did you really think we want those laws observed? ... We want them to be broken. ... There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced or objectively interpreted – and you create a nation of law-breakers – and then you cash in on guilt."
In Belarus the Regime/Authorities jailed 12.000 People by simply giving them the "Did not listen to the Authorities" fine, you can just use that one on every citizen once it exists.
The irony of course is that it leads to more situations where there are too many laws to track. Not saying your comment is wrong or anything, it’s just a funny side effect.
not sure I understand the logic here but Europe, despite having twice the population of the US, has about as many deaths. The region overall has responded well.
I believe their point was that the response proved disunity exists, not any value judgement on whether disunity is a good or effective thing in itself.
And then somebody emails you with a request to all of their data you have on them. Now you must respond to this email and you must figure out a way to find out whether they are who they say they are. Then you have to either refuse the request or extract the data and send it to them. Now repeat this x amount of times depending on how many people want to mess with you at the time.
What happens when spambots start using these requests?
If you find it hard to do that (have a defined way to recognise a customer; make a db lookup to get their data) then it's very simple you don't acquire nor keep that data. This means you have to have a level of competence - across your organisation (including how you store, retrieve data, and how you recognise customers) - before you start storing their data.
Really if you can't establish a way to recognise customers how can we (as customers) expect you to competently do 2FA and competently store data without losing it.
It's like complaining that your kitchen shouldn't have to keep track of expiry dates of meat; if that's too onerous for you then you're showing you're not competent to run a kitchen.
ISTM the system you describe could lead to more data collection. I.e., a site like HN knows emails, pseudonyms, and posting history. What if they got a request like this from someone who claimed not to have access to the email they used to sign up? HN couldn't possibly comply.
Maybe that doesn't matter because posting history is public. One could easily envision another site that had some non-public data associated with email address, pseudonym, and no other PII. That site definitely violates the requirements you describe.
> ISTM the system you describe could lead to more data collection.
It really doesn't. What it does is attempt to gatekeep data (which these days is a huge risk) collection to organisations that are competent. You always have the option of not collecting data if you don't want to take that responsibility.
> What if they got a request like this from someone who claimed not to have access to the email they used to sign up? HN couldn't possibly comply
They wouldn't have to. If you're requesting your data from a company, you have the burden of proof that you are in fact the person about whom you're requesting the data. If you cannot prove it, you cannot get the data.
> Really, if you can't establish a way to recognise customers, how can we (as customers) expect you to competently do 2FA and competently store data without losing it?
This is an insanely hard problem to do well. The recognition of customers is literally through which phishing attacks work. This is one of the most common avenues that people get access to systems and data they shouldn't. GDPR mandates that virtually every site needs to deal with this problem now.
Also, I'd say that retrieving all data on someone is not a trivial problem. Imagine you had a forum and somebody requests all of the data on them. However, another user has made a copy elsewhere on the forum with some notes about that user's personal data. Does the requester get access to that copy?
And now keep in mind that you complying is based on your understanding of a regulation that companies have spent millions on lawyers to figure out and still aren't entirely sure. And you have to follow this regardless of how big or small your website or business is.
It's best effort. No regulator is going to fine you massively if you miss some data in an edge case like this. Worst case scenario, they'll tell you to do better in future.
I do see your point though, the intersection with phishing attacks is not something I'd considered in the context of GDPR.
However, as long as you provide a way for users with an account to download their data, you're 90% of the way towards compliance.
Again, unless you are FB or Google, the regulators will cut you some slack (just look at the lack of bankruptcies caused by GDPR).
Unless the text of the law is "the company shall try very hard (but if they miss a weird edge case they shall be merely sent a warning letter)", the GDPR allows selective enforcement. You note that it's already one rule for FB and Google, another for smaller companies. To what extent do you trust the courts to selectively apply the law in a sensible way, vs selectively applying the law in a harmful but legal way?
It's mostly the regulators who interpret the law and determine the remedies, as specified in the laws. In general, European regulators are aiming for compliance rather than fines, and I don't see that changing any time soon.
Most server applications are not designed for invasive laws like this. Think of all the HTTP servers that save IP addresses in log files, or all the mail servers that save user messages, IP addresses, and what not. Think of all the other kinds of software that save "personal data". Now think of the way companies backup this data. Do you think most companies out there have the infrastructure to automatically pull all information about a specific user from all of these sources? No way!!
Sure, a company the size of Activision-Blizzard can maybe pull it off, but the little guy has no practical way to be compliant. Not until GDPR compliance becomes a standard in server applications and backup solutions, and when is that going to happen? This is a serious problem that a few people among the elite have thrown at society without understanding the consequences, or caring about them.
And if you don't comply? Well, then this law is just another set of mines in the minefield.
I'm not really seeing the issue here. If the requestor is a user of your services, you presumably have some kind of id for them (like email).
Given that this is not a new law (2018 it became active), you would hopefully have some list of tables with information on users. From there it's select * from tables where user=blah.
Deletion requests are where you'll normally have more issues, but it's best effort. Again, look at how Facebook handle this. They explicitly state that it will take 90 days for all backups to be rolled out, and this is totally fine.
And if you are a small service, the likelihood of you having large amounts of PII on people across multiple services is pretty low.
It's worth noting that IP addresses which can't be matched back to a user are not covered by GDPR, so unless you've been storing every IP from which a user's logged in, then you'll be fine.
But, the real solution here is to only store data for which you have a need, and get consent for the processing which your service requires. Sure, this is harder than the normal YOLO store all the things, but it's probably better both from a storage and liability point of view.
Also, your argument segues from running a business of noteworthy capacity (who may have a problem complying) to small businesses (who won't have the capacity, but also don't store enough data to have a problem complying).
And to be fair, GDPR was not imposed by elites, it was demanded by an awful lot of consumers in Europe. Maybe you don't like that, but I personally think that breast-feeding mothers shouldn't be censored. So cultural differences are going to cause both of us problems.
I don't agree that GDPR compliance is possible for the small guy. Let me explain why with the example of a small ecommerce business, consisting of one Wordpress site, a server host, a payment service and a delivery service. The user will interact with these 4 in some way. Now let's say a customer "Drek" decides to send support a message like the one I linked to, what are the implications for the company if they want to comply with GDPR using the current infrastructure? (Btw, all "Drek" ever bought was a pair of glasses, a purchase which he immediately regretted and asked a refund for after the purchase was finalized).
What happens? You say we need a (couple of) SELECT-statement(s)? I say we need more than that. Also, I'll tell you right now that doing a SELECT-query isn't something customer support can handle, this is something you ask from a developer or server administrator (== more wasted $$$$). So think about that while we go through the information retrieval process:
(1)-(3) You'll need select-statements, retrieval from log-files (such as access_log and error_log). Text explaining the data and explaining what it is used for. The data should be categorized and machine-readable in a common format. These requirements require a deeper understanding of the systems than just running a Wordpress site with a few plugins.
(4) "the recipients or categories of recipient to whom the personal data have been or will be disclosed;", that includes the payment, hosting and (possibly) delivery services.
(5) "where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;". Again, this requires extra knowledge.
(6) Since we haven't mentioned analytics services or any other privacy invasive service that knows more about the user than what they explicitly provide, this is not applicable in this example. However, it is still applicable for many real-world websites.
(7) Not relevant.
To be fair, the information retrieval can be automated, and a template can be used to compose a GDPR response. However, this does require the company to hire someone competent to do it, and also keep this process up-to-date so that it doesn't conflict with newer versions of Wordpress/plugins. And there WILL be newer versions because exploits are found on a regular basis. The developer will also have to make sure that the data is retrievable, and isn't stored offline or in an inconvenient format (such as the case with compressed logfiles). All of this costs money, and different solutions must be prepared for different systems. If the owner decides to move away from Wordpress to another CMS, he will have to hire someone to also replace the GDPR automation process.
This is not practical for a start-up, or a small business. Unless the infrastructure adapts (again, when?), people will have to write custom scripts/solutions to automate the process.
> And to be fair, GDPR was not imposed by elites, it was demanded by an awful lot of consumers in Europe.
People are rightfully worried about their privacy, of course we are! But that doesn't give the elites the right to willy nilly impose (because that's what they have done) any solution without at the very least making sure it doesn't infringe upon other rights, and consult experts before writing the law. If they would've bothered to consult a seasoned and non-partisan server administrator, I think GDPR would've looked very different.
I personally believe that the current infrastructure must change to respect user privacy, but this is not the way to do it.
And aaallll of this doesn't directly address the main issue, which is that the accumulation of laws has caused everyone to become a criminal in one way or another.
4 and 5 should already be covered by your privacy policy, which you can point at or copy paste from. Yes, you need to have thought about this once, but you've done that once and not when a customer asks hopefully! Ecommerce even has easy answers for why and how it is processing data most of the time.
The logfiles argument is generally overblown: the process for someone to establish a valid request for that isn't typically that easy, and in most cases has the simple solution to not keep logfiles with personal data for long if at all (e.g. many webhosts already will by default or as an option anonymize IPs in logs, and it's not all that difficult to implement in other cases).
For business data, yes, you need to be able to look up customers and what data they've given you - but which business application doesn't allow that already?
I don't want to say it's trivial, but small operations tend to also have a small surface for this, easy oversight over everything, and can get this in order with an initial effort to design privacy policies (and identifying and cleaning up places they maybe were negligent before) and prepare checklists that make handling requests easy. I know plenty of small shops that have done this just fine.
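The two log-side measures mentioned in the comment above (short retention and IP anonymization), as an added example that is not part of the thread: a scrubber for access-log lines in common/combined format. The prefix lengths, the 14-day retention window and the sample lines are assumptions chosen for illustration, not values taken from the GDPR or from any poster.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed policy values (not from the thread): keep only the /24 of IPv4 and
# the /48 of IPv6 client addresses, and drop entries older than 14 days.
IPV4_PREFIX = 24
IPV6_PREFIX = 48
RETENTION = timedelta(days=14)

# Client address, ident/authuser fields and bracketed timestamp of a log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+)(?P<mid> \S+ \S+ \[(?P<ts>[^\]]+)\])(?P<rest>.*)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def anonymize_ip(text):
    """Zero the host part of an address; return None if text is not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) still identifies the IPv4
    # host, so it is masked with the IPv4 prefix.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def scrub_line(line, now):
    """Return the anonymized line, or None if the line must be dropped."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None  # unparseable: fail closed instead of keeping raw data
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    if now - ts > RETENTION:
        return None  # past the retention window
    masked = anonymize_ip(m.group("ip")) or "-"  # hostname in the IP field
    return f"{masked}{m.group('mid')}{m.group('rest')}"


def scrub_log(lines, now):
    """Apply scrub_line to every line and keep only the survivors."""
    kept = []
    for line in lines:
        cleaned = scrub_line(line, now)
        if cleaned is not None:
            kept.append(cleaned)
    return kept


# Constructed sample input (documentation address ranges, invented requests).
SAMPLE_LOG = [
    '203.0.113.57 - - [10/Oct/2020:13:55:36 +0200] "GET /shop/glasses HTTP/1.1" 200 2326',
    '2001:db8:85a3:12:34::1 - - [11/Oct/2020:08:02:11 +0200] "POST /checkout HTTP/1.1" 302 0',
    '::ffff:198.51.100.23 - - [12/Oct/2020:09:00:00 +0200] "GET / HTTP/1.1" 200 512',
    '203.0.113.99 - - [01/Sep/2020:10:00:00 +0200] "GET /old HTTP/1.1" 200 100',
    'not a log line',
]
NOW = datetime(2020, 10, 15, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for entry in scrub_log(SAMPLE_LOG, NOW):
        print(entry)
```

Run on rotation, before logs are archived or backed up, so that unmasked addresses never reach long-lived storage. Request paths and query strings can also carry personal data and are not touched by this sketch.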
You know, you probably have a point on some of this.
Thanks, I may actually start building a WP plugin to help with all of this, as if it's the kind of problem you mention here, then I could probably make a whole bunch of money.
What makes you think that Reddit post actually created a significant burden for Blizzard, or that posts like this present a realistic threat to smaller businesses?
Not maybe. Same thing was proposed as a retaliation against other game companies as well. But Activision will just respond to all those emails with "Go to https://support.activision.com/gdpr"
Yes, it may be tricky. It requires some investment in the process. But unless you earn your money by exploiting user data, it's really not that hard to comply. The less data you keep, the easier it is. And the cost of compliance really scales with the company - for the wordpress with accounts from another comment you can do this manually on request. (likely you'll never need to)
> Not until GDPR compliance becomes a standard in server applications and backup solutions, and when is that going to happen?
> CNIL confirmed that you’ll have one month to answer to a removal request, and that you don’t need to delete a backup set in order to remove an individual from it.
> The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
Which risks are “high risk”? They can always come after you for not consulting them and waiting 8-14 weeks for any feature launch.
> Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate[…]
No organization can objectively measure whether they’ve complied with this, much less prove it to hostile regulators.
> Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons...
I find it strange that you didn't quote the important part of the text here (high risk to natural persons).
Like, this doesn't apply to almost anyone. This applies to things like facial recognition or automated systems that track people's health data, not almost anything that one does in most CRUD/tech applications.
If you are subject to this requirement, then you almost certainly have both a legal team, and a data protection officer. Can you give me an example of what you think would be high risk but should not be?
Secondly, you're missing something here. I'm going to assume that you are US-based, based on your theory of regulation.
The US and EU differ wildly on how regulation works. What you would normally do, if your legal team/DPO says that what you're doing is high risk, is write an assessment (which your legal team has already done) and run it by your regulator. They'll say this works, or you'll need to do something different, you'll comply and get on with your life.
In any case, the whole process is really, really slow before any fines are administered. As an example, the ECJ basically said recently that data transfers from the EU to the US are illegal because of the NSA. The Irish regulator has just sent a letter to FB asking them to comply. FB are fighting this in court (with some ludicrous arguments), but as of yet their processing has not been impacted at all.
This legal fight has been going since 2011, and yet FB are still sending data to the US. I'm not sure if that fits the model of crazy regulators.
And let's be clear, as of yet there have been no GDPR cases fining companies for anything less than absurd violations. Ad tech still exists in Europe (and it's arguable that it shouldn't), FB and Google have continued on their merry way.
The second part is pretty much consult your lawyers/DPO and be able to make a case for whatever you're doing. In that sense, it's very similar to HIPAA, which doesn't seem to cause the same level of upset here.
I still stand by my original statement. If you have consent for your data processing, all will be OK (as long as it's not forced consent). If you don't have consent, or a legitimate interest in the data analysis/processing then maybe you shouldn't be doing the analysis or processing?
As an example, Facebook turned off automatic facial recognition in photos in the EU following an outcry. They re-introduced it when GDPR came in, because they asked for consent. You'll note that there have been no court cases on this, because it's totally fine.
tl;dr - get consent for your data processing, make it easy for people to get their data, and GDPR compliance is pretty easy. If you're in an industry where this is difficult/impossible, then lawyer up and be prepared to spend a bunch of money (and probably lose eventually).
> I think this is used as an intentional strategy of control, at least somewhat. Make a jillion tiny little laws that are impossible to keep track of or follow, that way you know everyone is a criminal if you want them to be.
It doesn't have to be intentional for the effect to be real.
Most laws are ignored most of the time and selective enforcement is essentially the cornerstone of modern policing, there are many more laws than can be effectively enforced and which laws exactly are at any given time is based on available resources and public policy.
- Cultural, political, racial grievances of police.
- Cultural, political, racial prejudices. That is, maybe no ill will per se toward a citizen who looks a certain way -- but assumed guilt by association.
- Personal ambition, to be pursued by making lots of arrests, on maximal charges.
- Fear. End of month approaching, and beat officer is behind on quota of citations/arrests. Punishment expected from chief or DA, if revenue from fines, or prestige from high-profile arrests are lacking.
So, it's the selection of offenders, rather than of offenses due to resource constraints, that makes selective punishment so ethically offensive.
These technically fall under public policy, poorly aligned incentives and/or insufficient judicial/executive oversight.
If officers feel that they need to make their quota or even have an arrests/infraction quota then that's a clear failure of policy, if they feel that they can settle their own grievances by abusing their power it's again a failure of policy.
I remember watching this interview segment with some retired cop from Baltimore - he's now using his time to advocate stricter rules on law enforcement, or something like that - he got fed up with what he saw during his time in BPD.
But, to the point: He drove the interviewer through the streets in Baltimore, and argued that it was close to impossible for any driver in Baltimore to simply drive down a street, without breaking some kind of law - or at the very least giving police probable cause for checking your vehicle.
“Did you really think we want those laws observed?" said Dr. Ferris. "We want them to be broken. You'd better get it straight that it's not a bunch of boy scouts you're up against... We're after power and we mean it...
There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws.
Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced or objectively interpreted – and you create a nation of law-breakers – and then you cash in on guilt. Now that's the system, Mr. Reardon, that's the game, and once you understand it, you'll be much easier to deal with.”
My problem with these kind of laws is, they are a violation of privacy. Pervasive surveillance is worrisome all on its own, without worrying just how it's enforced.
I spent 3 months cycling all over France back in 2013, and long trips in subsequent years - pretty much every campsite I stayed at used captive portals. A handful handed out password cards to guests only, but those ones were almost always <place name>2013. Back then I didn't have much choice as mobile phone reception in the Alps was non-existent. The campsite owners were aware of the law, they'd often mention that they weren't happy about it.
Last year I was in Paris, but didn't have to fight the system any more, 4G reception was fine. So, no idea what it was like in cities, but in the countryside they followed the law.
Why would someone with malicious intentions ever provide their real details? Why would someone provide their real details anyway when they will most likely be used for advertising/marketing tracking and spam?
They might have been interested in having the MAC addresses to check some suspect's alibi, or even to find some links between groups of persons, not specifically PII.
Grenoble is under scrutiny for some time now, it has a bad reputation regarding drug trafficking and the government uses it to show its "strength" with police operations covered by the media. This might be linked.
> I only know of few places that actually use a compliant captive portal that requires some PII (name, email, phone...) to let you use the free WIFI.
Cost is about 15€/month for a compliant off-the-shelf solution.
I understand that there can be some tolerance in the beginning, but at some point, you can't look elsewhere, especially when the log is actually needed in an investigation.
The idea that asking someone to provide their name and phone number (where they can enter anything they want) is going to somehow aid terror investigations seems naive at best, and more likely disingenuous.
But it's not really 15€/month. You still have to pick a solution that is actually compliant and then learn to use and manage it. Making a website is free, if you know how.
Chances are that you'll buy this software as the bar owner. You are promised that everything is compliant. Years later it turns out that the software itself collected and sold PII and you're liable for the damage or that the software simply wasn't compliant after all.
Picking out cheap and subplot software that needs to adhere to nebulous requirements is not easy for a layman.
A bar owner isn't a layman but a business owner, and in fact one who already has to navigate regulations around media in particular. For example if you don't get a TV license if you put a TV in your bar and show say, soccer games, you're in hot water too and everyone knows this.
If you act as a service provider in a business I honestly don't know why people would be surprised that there's some caveats.
Doesn't necessarily matter if what they're actually doing is tracking an IMEI or SIM connection to the area and are fishing for evidence of shady intent via entering false information. MAC addresses from a device that doesn't do MAC randomization are also good for that sort of thing. Android devices can also be tracked via advertising IDs if the user doesn't reset it and you haven't pissed off Google. I draw the line at assigning what are effectively UUIDs to people specifically because they are so often abused in that manner.
Across the pond, things work a bit differently, and the criminal justice systems are a bit lower friction for the authorities as I understand it. Not that I'm criticizing mind. The American System has not endeared itself to me as of late.
SIMs are out of the question for public wifi hotspots - to authenticate a SIM (via EAP-SIM or EAP-AKA) you need an existing relationship with the mobile carrier.
When it comes to MAC addresses, 1) there isn’t a central registry of addresses anyway so having the MAC address alone won’t help much in an investigation, 2) it can be set by the user so malicious users will fake their MAC address and 3) for privacy reasons most devices nowadays will generate unique MAC addresses for each network.
That's why I caveated the MAC, but if you managed to catch a non randomizing device or a randomizing device that hasn't disconnected (dumped in trash outside for instance) or which was powered down on network and not powered on until after arrest, you can still hit paydirt.
The IMEI and advertising IDs are the more pressing ones though. Never underestimate the deanonymizing power of someone else's UUID you aren't even aware you have.
Another angle is that devices that randomize will “reuse” the random address for the same SSID, afaik. So even the random MAC may be of value over time.
Look at the Silk Road investigation. They collected circumstantial evidence by linking the originating IP address, where the suspect lived and when DPR was logged in.
I really don't think so. There was an externally verifiable chain of evidence created by Ulbricht through random tidbits of sloppy opsec on a few occasions, enough of them for him to eventually be identified and caught. So if these existed (and they did, because they could be clearly pointed to), there was no need for parallel construction, and if there was no need for it, it presumably wouldn't have been used just because. Furthermore, if they were going to use it anyhow, why wait so long to do so when they had the needed formal evidence anyhow?
I understand your position, but the judge is probably going to answer that it's not a bar owner's job to decide which laws are good enough to be respected.
Due to the cost and risk involved, few cases go to jury trial... BUT if it's anything like the US a jury technically could consider things like this and refuse to render a guilty verdict.
In France, if I recall, isn't it usually a panel of judges? I don't think they use a jury.
Quick perusal indicates Cour d'assises is the only court with a jury analog, and it only deals with matters where the penalty would result in a >10 year sentence if I'm reading it correctly.
Living in America, this is all too often a problem. One segment of society says “there should be a law” often enough that we have more laws on the books in the federal space alone than the GAO can count. Now we add on state and municipal laws and we’re probably all guilty of something each day. Not having enough resources to enforce all of the laws we get the situation you describe exactly - selective enforcement and too often an unjust distribution of enforcement.
Add to that the fact that all laws are ultimately enforced with physical force and we get situations like Eric Garner - a situation instigated by the enforcement of a stupid municipal law - selling untaxed cigarettes. A state interest hardly worth exposing someone to a beatdown or in Eric’s inexcusable case, death.
But does the law actually require PII? 'Logging' might just require a record of source IP/MAC address and destination IPs. So, just having a wifi password that is shared might still be OK.
It definitely feels like a pretext for something else going on, who knows what -- whether it's a police racket or something shady going on in the restaurants they're sending a warning about.
This is what these obscure, rarely-enforced laws seem to exist for in the first place.
If the police were really interested in enforcement over this, they'd send a letter to every restaurant, bar, and cafe owner in the country that they have 3 months to comply and it will become part of regular inspections.
Targeting 5 individual restaurants (through arrests) is definitely not about simply enforcing this regulation.
Note: I'm NOT defending this as a legitimate law enforcement tactic. Just describing what seems to be happening.
- the Charlie Hebdo attack is currently on trial, and during the trial it was revealed that the weapons were sold by a police informant who had sent a report on the sale to his handlers, and that they did nothing. In particular the sale happened in a place chosen to give the police the option to either monitor or interrupt the sale.
- there is a current increase in the monitoring and criminalisation of muslim activities in France, my guess is that the police wanted to spy on someone and found out that the logs had not been kept.
> weapons were sold by a police informant...handlers...did nothing.
Yowza! Hadn’t heard that in my neck of the woods. Very tragic. Recurring problem in defensive systems though. Logging but nobody is reviewing/acting on logs.
>there is a current increase in the monitoring and criminalisation of muslim activities in France, my guess is that the police wanted to spy on someone and found out that the logs had not been kept.
Inconveniencing the police is a surefire way to get prosecuted to the fullest extent of the law.
Only in some EU countries. I have never seen such a WiFi captive portal in Slovakia or Czech Republic. But I remember these captive portals when I was in Germany - of course I would just generate a random disposable email (through 4G) and enter fake data. It really has no impact on the real bad guys.
Germany I think is exceptional in this, though. They had basically no public WiFi in the decade that it was booming in similar countries, allegedly because of crazy liability laws. I never dove into it but that's what I was told when asking German techies. It should have changed a few years ago but by now mobile data is much more ubiquitous than it was in 2012 or so and while WiFi is an order of magnitude cheaper per gigabyte than mobile data, most people aren't power users and don't need more than checking their email and so it remains virtually nonexistent. You're most likely to find it in foreign companies like McDonald's, and of course hotels but that's a different type of place. There are also "public hotspots" from Telekom built into old phone booths (yep Germany still has those) but that's as expensive as mobile data.
When I was a young lad, it was standard practice for many internet apps to work on the principle of local caching. You'd connect to the internet, refresh your local copy, disconnect, and then work from the local copy. NNTP worked this way, POP3 worked this way. There were even apps that grabbed the current news and stock prices in the brief minutes that you were connected.
It's a good model, and it would work well here, and for any circumstance when your connectivity is intermittent.
Which goes to show how ineffective these attempts are for the stated goal. If anything, keeping logs of the mapping of IP to MAC addresses would be enough for the case where they want to connect a suspect they have in custody to their navigation history on a given place and would be way more effective than trying to connect their identity to catchme@ifyou.can.
There has to be more to the story here. With the law starting in 2006, why are authorities just now going after these bars? Did something specific start this, or is it just the growing authoritarianism that comes with these endlessly long national emergencies?
You're probably right. There must have been some activity that drew the attention of law enforcement. It is a de facto obligation for cafés to offer free internet, so it's surprising to see such a law enforced in Grenoble of all places. My friend's café in Paris just has a password protected network, and I know for a fact they do not log traffic. I have seen other cafés with a registration system, and I'd bet those networks maintain logs. For the smaller cafés, even if they knew they had to, I'm not sure they would have the technical know-how to maintain logs. They've had some problems with piracy in the past, so perhaps that might have something to do with the arrests in Grenoble.
If torrenting or some other form of piracy happens on a network, ISPs send letters to that IP's customer, giving them a warning. Perhaps these café owners were repeatedly warned to enact stricter measures against piracy (i.e. logs), and, failing that, they were arrested for failing to comply with other regulations that are actually enforceable. I can't imagine a café owner could ever be charged with piracy for maintaining an open network.
For what it's worth, I looked around Le Monde and some other news sites to find more information, but there isn't much info to expand on the fact that these people were arrested.
Possibly they annoyed the mayor or something. I've heard a similar story from France before, business doesn't stay on the right side of the right people and suddenly they're shut down for violating some obscure law. I'm sure it happens elsewhere too (UK planning laws seem ripe for this sort of thing).
> For the smaller cafés, even if they knew they had to, I'm not sure they would have the technical know-how to maintain logs.
There are cheap off-the-shelf solutions marketed specifically for bars to set up public wifis.
> If torrenting or some other form of piracy happens on a network, ISPs send letters to that IP's customer, giving them a warning. Perhaps these café owners were repeatedly warned to enact stricter measures against piracy (i.e. logs)
The thing that happened here is not related to HADOPI, the worst that can happen to you with hadopi is losing your internet service or having to pay a fine.
The likely thing that happened is that some patron did something illegal enough to warrant a court order asking the ISP to provide logs, the logs led to the bar which couldn't provide their own logs. ISP rates for court orders are expensive, so the police is unlikely to enjoy this dead end.
The "garde à vue" was probably unnecessary, but this kind of overreach is common in France.
Well, these are anti-terrorism laws, so I doubt they'd go arrest someone if it was just being used for piracy purposes, which is probably why this is so uncommon that it's newsworthy.
Less so in France: virtually everybody that would sip 2-3EUR coffees has a 19EUR cellular plan with unlimited data. And that's the price if you're not bundling and not playing providers off each other.
Can confirm. Having dropped my mobile in the bath (...) I needed wifi yesterday and only the fifth café I tried in provincial France had wifi available. (And that didn't work until I adjusted my settings to use the DHCP server's provided DNS...)
Now I wonder if it's this law that made it not worth the effort for them.
Many EU tourists as well, here you can still get sub GB plans, and unlimited is twice what it is in France, and if you're not savvy, four times is possible too.
> There has to be more to the story here. With the law starting in 2006, why are authorities just now going after these bars?
The law states that businesses must keep some log in case an investigation about patrons' net usage requires it. It's not checked every day, but when an investigation happens and you got nothing to show, you get prosecuted.
Pretty similar to accounting, the minute details of your accounting won't get checked every year, but you must keep them available for the tax service.
The difference being that you maintain your own accounting records, and any discrepancy is a result of your own failings, whereas WiFi logs can be expected in practice to contain entirely fictitious information for the majority of ordinary users due to no fault of the cafe. Which makes them totally useless and any requirement to keep them a wasteful burden and a trap for the unwary with no countervailing benefit.
Probably someone did “something” from this cafe’s wifi network, the judge asked for the logs, and the owner said he didn’t have them, which is a violation of the law.
Keeping logs seems like a high bar for a non-expert with a commodity home AP/router. A $US40 WRT54G only has 4 MB of flash, for example. Are they expecting lay people to spend 10x that or more to set up an external log aggregation server with DPI and audit trail?
Or rather, subscribe to commercial providers who will log contents. Along with the other shopowner’s joys (mandatory yearly electricity inspection €200 even if you didn’t change anything; €140 aircon inspection; fire inspection; etc.)
Of all the things to complain about, fire inspections should be near the bottom of the list. All of those regulations were written in blood. I'm sympathetic to the problem of established businesses lobbying governments for more regulations to impede the rise of competitors, but that's not the origin of all regulation. Many rules exist for damn good reasons.
Remember that guy that died over bootleg cigarettes?
Everyone loves to say their pet favorite law is lItErAlLy WrItTtEn In BlOoD but laws are enforced in blood too. If someone isn't dying for lack of a law (at scale) then someone is gonna die when the police go to enforce it (at scale). It's important to remember this when deciding what issues are important enough that we feel like forcing other people to behave how we want under threat of state violence.
Neither of those prices you quoted seem particularly high for having someone turn up and do an inspection.
Given that you're operating a public area, and things like aircon and electrics can be deadly when failing or operated incorrectly it doesn't seem too onerous a requirement.
If you're a landlord in the UK (I'm not) you need a current gas safety certificate if you've got gas appliances (most houses do, eg heating) and plumbers cost a reasonable amount of money. It's just the cost of doing business.
It’s the aggregate cost of doing business that’s being criticized though, not the reasonable cost of one or two things in isolation. Like saying this new municipal bond will only cost homeowners the price of a latte a day. You can afford that, right? Yeah, but the thing is I don’t buy twenty lattes a day which may be what the current bond obligations add up to. Now you want to make it twenty-one. The aggregate cost is what’s crushing. It’s where we get the idiom of straws breaking camels’ backs.
I guess I don't see the scale of the issue. Yes, in aggregate the costs are higher than each individual charge, and that works out at some visible % of your revenue, but it seems like all the things we've mentioned so far are necessary (inspections and such, I don't know what a "municipal bond" is). I'd be genuinely interested in hearing people's ideas to lower those costs though, as I am sure many business owners might be.
However, it seems like lowering the costs by allowing businesses to skip certain currently required things (at least of the ones mentioned) isn't going to work, as I said before, unmaintained air conditioning is dangerous (I know of at least one case where it tragically killed most of a family in a hotel, and it can make you generally sick https://patch.com/california/saratoga/dangers-badly-maintain...) and it doesn't take much to imagine how badly maintained electrics could be a problem.
Given that we can't rely on some people to maintain these things (even if they are trying to do it right) without checking up on them, and because we don't know who those people are in advance means we need to check up on everyone. It seems to me that this is just the cost of doing business, and let's face it, lots of businesses are still going despite the costs involved.
If you've got some examples of unnecessary or silly costs that governments impose on shops/cafes/businesses then I'm all ears, but so far I've not heard any.
I didn't appreciate the difficulties, complexities, and inanities until I became a business owner. I would suggest you don't see it because you're not in it.
I'm not saying it's simple, I'm saying that 1) Those prices don't seem particularly steep for the work and 2) it doesn't seem like it's a good idea to cut them, so complaining about those specifically seems pointless especially as it's probably a good idea to make sure premises aren't dangerous.
In a decade there will be threads wondering why only big chain restaurants are left. And they'll blame capitalism and cry for more regulation, never realizing how their regulations are what made it impossible for independent shop owners to compete.
Hiring an actual IT person to set it up would be a very difficult expense for many small businesses. Cafes usually operate on very tight margins. I just find this law completely ridiculous and an obvious result of hysteria. It is not a rational response to the very tiny risk of the dastardly and scary terrorists using free wifi.
As all businesses require it, the chances that ISPs don't offer a service that includes that feature seem extraordinarily low. Seems like knowingly selling a service that wasn't capable of logging, under a legislative background that requires it, would also likely be unlawful.
I don't intend to make it sound cheap or expensive, I simply point out that people without the knowhow can access out of the box solutions if necessary.
For comparison, the internet access itself is usually around 30€/month.
And then a monthly or yearly fee for GDPR review/handling too. Don't forget handing over a GDPR form to your customer together with the latte.
Europe is becoming a tough place to do any activity, not even talking about business.
GDPR does apply. You do not need any agreement from your guests or another reason, because the data collection is required by law. But you still have to deal with GDPR requirements around deletion (after you don't need it anymore), access (give it to the wrong person without the appropriate paperwork and you are on the hook), security (have a breach or an unhappy employee and...), notification, data protection officer, inquiries etc.
But you are required to collect user info for them to use WiFi, so that implies you also have to deal with the related GDPR compliance hassle for that data.
When entering fake information into captive portals from bar owners who actually comply with bs laws like these, please take care to use something like a `.invalid` tld so that some unsuspecting third party isn't suddenly subject to your emails. <your_handle>@gmail.invalid works basically everywhere.
I'm sorry, but if you have a valid email address of butts@butts.com, then you deserve the spam. Also, if you do actually own that address, thanks for hosting it so that bounce tests don't fail immediately!!
>[...] so that some unsuspecting third party isn't suddenly subject to your emails
why not something like byfmupajzmvdaxef@{gmail.com,outlook.com,yahoo.com}? I doubt that large email providers are going to be inconvenienced by the spam. Your solution is likely to get rejected by overzealous form validation (for good reason!).
Nah, it will pass many validators even with semicolons (like http://emailregex.com, which yours would fail btw). You are right though about better leaving spaces verbatim and adding the hyphens.
The standard is followed so infrequently that quoting it is basically an exercise in needless pedantic detail mongering. It's just not very relevant, probably because the rules to check valid email are so ridiculously complex (how long was that regex, 200+ characters?).
The email address standard is hilarious and should be made fun of at every opportunity.
The whole quoted-string commented multiline business (seriously, why?) is rightfully ignored by anyone who's ever made or used a mailserver, but it's still there.
Not an example from France, but I've experienced captive portals elsewhere that give temporary access for 10-30 minutes which gets extended when you click on a verification link they email you. I don't expect bar owners to develop such a system, but if too many people do fake info, the government might lean on the providers of the off-the-shelf solution to which the bar owners subscribe to add that functionality.
> The bar owners were arrested under a 2006 law that technically classifies WiFi hotspot providing establishments as ISPs, and requires them to store one year’s worth of logs or connection records for anti-terrorism purposes.
I was under the impression that the European Court of Justice held data retention laws to be a violation of fundamental rights, and thus illegal:
Just because the ECJ deems something illegal, it doesn't mean that local legislation is updated. It sounds a bit like that 2006 law has not been challenged in courts.
Also, the media mafia in France is particularly strong and French politics are firmly in their pockets, a bit more so than in the rest of the world. Which means that they will hold on to as strict a suppression of free internet as possible, as long as possible.
Don't know about France, but in Germany similar rules were of course introduced for the usual pretend reasons of child porn and terrorism. A short time later, minor crime investigations and then civil matters were added as reasons to access ISP data. So even if the law currently isn't used like that, it very soon will be and that was most probably always the intent. In Germany, accesses for copyright prosecution far outnumbered everything else, serious crime was only ever a very minor amount.
Lint doesn't have to be perfect, especially when faced with a "code base" that's chaotic and full of dubious legacy. "Code review" in the form of constitutional cases and legislative attempts at reform are a severe bottleneck. Automation that flags egregious smells and incompatibility seems valuable.
A state that claims a "cleaner" code base could use that to attract business looking for lower legal overhead.
Living in this particular French city, I actually need this WiFi access to work, be it logged or not. Many independent workers resort to bars and cafés as cheap coworking space, and this may just lead owners to stop offering WiFi (which is often quite necessary). So again I'm not sure why this one city is targeted, but surely it has to do with the recent feud between the ministry and the city mayor.
Randomized MAC addresses are a neat idea; they also help bust through the time limits of free WiFi that only give you something like 30 minutes per day (because they use the MAC to identify if you've used up your 30 minutes).
The observed behavior on my Pixel is that it generates a new, random MAC whenever you connect to a new network. It reuses that MAC for that network going forward. It does not ever use the "real" MAC unless you specifically select that in the settings.
But practically when I do this in the UK I can leave any information I want including my neighbour’s name and then start Googling for “bomb design at home without getting caught”
I'm confused. Aren't these registrations on wifi usually (almost always?) tied to a spoofable mac address? In that case, can't any competent bad actor simply record traffic to pick up mac addresses of others on the network, then impersonate them?
It's still useful for all sorts of things. Knowing when connected/disconnected, so you can check surveillance cams for people going in and out of the cafe, or nearby on the sidewalk, around those times. Checking if the same spoofed MAC address reconnected at other times, or in other nearby cafes. Maybe you can figure out what VPN they connected to. And so on.
It's just a tool that can sometimes be useful in a multitude of ways, even if the MAC address is spoofed.
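The IP-to-MAC connection log discussed in the comments above, as an added example that is not part of any comment in the thread: it rebuilds lease intervals from log lines, answers "which MAC held this IP at this time", flags MACs with the locally administered bit set (which is how randomized addresses show up), and prunes records past a one-year retention window. The `timestamp event ip mac` line format, the sample lines and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample lines in a hypothetical "timestamp event ip mac" format.
SAMPLE_LOG = """\
2019-08-01T10:00:00 ACK 192.168.1.57 3c:22:fb:10:20:30
2019-08-01T11:30:00 RELEASE 192.168.1.57 3c:22:fb:10:20:30
2020-09-20T14:02:11 ACK 192.168.1.57 a2:11:22:33:44:55
2020-09-20T14:40:00 RELEASE 192.168.1.57 a2:11:22:33:44:55
2020-09-20T14:45:00 ACK 192.168.1.57 3c:22:fb:10:20:30
not a log line
"""

RETENTION = timedelta(days=365)  # "one year's worth of logs", per the thread


@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime
    end: Optional[datetime] = None  # None means the lease is still open


def is_locally_administered(mac: str) -> bool:
    """True if bit 0x02 of the first octet is set (typical of randomized MACs)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_leases(text: str) -> List[Lease]:
    """Turn ACK/RELEASE events into per-IP lease intervals, skipping junk lines."""
    leases: List[Lease] = []
    open_by_ip = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("ACK", "RELEASE"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        event, ip, mac = parts[1], parts[2], parts[3].lower()
        current = open_by_ip.get(ip)
        if event == "ACK":
            if current and current.mac == mac:
                continue  # renewal of the same lease
            if current:
                current.end = ts  # address handed to a different device
            lease = Lease(ip, mac, ts)
            leases.append(lease)
            open_by_ip[ip] = lease
        elif current and current.mac == mac:
            current.end = ts
            del open_by_ip[ip]
    return leases


def who_held(leases: List[Lease], ip: str, when: datetime) -> Optional[Lease]:
    """Return the lease covering `when` for `ip`, or None if the IP was unassigned."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when and (
            lease.end is None or when < lease.end
        ):
            return lease
    return None


def prune(leases: List[Lease], now: datetime) -> List[Lease]:
    """Drop closed leases that ended before the retention cutoff."""
    cutoff = now - RETENTION
    return [l for l in leases if l.end is None or l.end >= cutoff]


if __name__ == "__main__":
    records = parse_leases(SAMPLE_LOG)
    hit = who_held(records, "192.168.1.57", datetime(2020, 9, 20, 14, 30))
    print(hit, "randomized:", is_locally_administered(hit.mac))
    print(len(prune(records, datetime(2020, 9, 21))), "records kept")
```

The same IP maps to three different lease intervals in the sample, which is why a timestamp is needed alongside the address, and the flagged MAC shows why such a record may identify a session rather than a device.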
"public WiFi users in France need to make sure they never connect without a VPN." There is probably a law which says VPN vendors need to keep logs otherwise their anti-terrorist laws are short sighted.
When they say the law requires "logs," precisely what information are they referring to? MAC address of the connecting device? Personal info of the device owner? Websites visited? SSH sites connected to? DNS queries? All of the above?
Any place (country, city, you name it) where people have high trust in government is authorized to develop a lot of laws to "protect" citizens. Part of the trust comes from the fact that laws are not enforced (the more you have, the less anyone knows them all) and most voters feel like they are on the "good" side of the law.
However the more obscure laws and rules are out there by different agencies, the more the legal profession becomes a power. Those wealthy enough to afford multiple lawyers or tax experts also become unscathed. So government starts burdening its regular citizens far more than the most powerful. If the government, or a corrupt official, or a really bad dictatorial newly elected official ever has beef with you, or is short on money because of uncontrolled spending, they can always find a rule to convict you by to extract whatever you have they need (a decision by your company, or a vote, or your money, etc). So leftover regulatory debt needs some kind of mechanism to be cleared, or a system needs to be created that allows you to thoroughly evaluate your standing with all rules. Or you do a civic test every year and if the majority of people don't know about a rule in it, the government has to drop that rule (so it puts an onus on the government to not only clean up its laws, but communicate them better, and fix/reduce them if it can't be clear about the rule).
The fact that the article states that this happened to several bars, all in Grenoble suggests that there is probably more than meets the eye. There is a lot of mafia activity in Grenoble and bars (as well as pizzerias and night clubs...) are notorious for being fronts and for whatever other dodgy activities.
I would not be too surprised if the bars in question have links to the criminal world and the police simply used whatever hard evidence of wrongdoing they could find to bring them down or perhaps as a way to gain further access to documents, etc. I'm pretty sure that a bar owner "unknown to police services" (as they say) would simply receive a warning that logs must be kept, at least at first.
This seems like a just world hypothesis rationalization of the civil rights abuse that's going on. It's basically saying "they must be guilty, otherwise they wouldn't have been arrested!". Maybe this time they really are The Bad Guys, but the problem is that if this behavior is tolerated, it's very possible for the police to do the same for dissidents, activists, or someone who pissed off the mayor.
I must say I do not understand the hostile replies to my previous comment.
Like it or not, the law mandates something and thus that must be complied with.
Now, despite what some people might like to think, the police do not barge in and arrest people as soon as they notice that they are not keeping logs. If they do arrest someone for this that person is a repeat offender or someone who's in police's sight for serious criminal activity.
That's simply the mundane reality. Of course reality does not lend itself well to outrage....
In other words, taking Al Capone down for tax evasion.
But as I understand it, taking down Al Capone in that way was only necessary because at the time the laws now used to attack organized crime (RICO for instance) didn't yet exist. If France doesn't presently have laws that allow the government to attack these sort of organizations [doubt], they really should be writing such laws instead of leaning on selective enforcement of chickenshit violations.
S'funny because a few months ago, before I was robbed of my job, one of the big questions in the tourism field was "what should we do about GDPR and logging regarding WiFi access in rented cottages and the like?". No experts had any answers and it all came down to a laissez-faire attitude.
My stance was: just rent out a WiFi portal for 5 bucks a month to offload the responsibilities on a third party. Just in case.
The fact that the UMIH hides behind a mention of this problem in a newsletter speaks volumes of how well informed they are and what services they bring to adherents.
I can't answer to the comment that got flagged so here's what I wrote (sorry for the murder of the English language):
> I was working for a regional public agency but as a contractor, not as a civil servant. My job was budgeted and paid for by a higher up federal/state agency (country level).
> This job was part of a broader state program to bring some specific skills to some lower agencies and ease the connection between agencies (on a networking level and on a per project basis level).
> This year, that regional public agency was supposed to be absorbed and merged into a sister regional public agency. All those agencies are managed and run by politicians (public sector). So I got my end of employment paper at the beginning of the year, kept on working for three months and then I was supposed to be transferred/rehired - still as a contractor - to the new agency (which is in the same building, does the same work, with the same people, it's just label shuffling).
> Except one week before that I got a call from one of the cronies to let me know that they had budgetary problems and rather prefer to use the budget to pay someone who is already there. That person being - ohohoho - the best friend of our new agency director. It's a public agency, they don't bump into budget problems in March. I cost them 0 bucks because it's financed by another state agency. And yes, that person was severely lacking the necessary skills to do my job and to follow up with the current projects.
> I alerted the higher up agency, they didn't take it well at all because the budget was also used to pay for certifications (which the friend of the director should retake), there were some projects at their level where I had the networking and relationships needed and really they didn't like that the lower agency got rid of one of their elements like that and that the lower agency thought they could do whatever they wanted with `my` budget. They don't like to invest into people for years and see them go, whatever the reasons.
> To be honest, that program was on shaky legs but I was one of the good elements. From the people at the top of the chain (remember I am talking public sector, I went to the highest point) I was told that they had done everything so that our team wouldn't be unemployed in the middle of a pandemic. They had budgeted things so that we didn't lose our job in very difficult times. That's why I use the word `robbed`.
> So now the whole program is scrapped, that director's friend is still on half time and the lower agency has a hard time getting their project's budgets approved by the higher up agency.
> And I find a new job, half time though, and I am starting tomorrow so I got that going for me.
> But I am really bitter because I loved that job and the projects were really specific and I was fast tracked at some point to be fully employed as a public servant by the higher up agency which would have meant a much more stable life and perspective to buy/build a house, have a baby, etc.
It's a valid use of the word. Just like in these sentences:
Joan was robbed of the use of her legs after the car accident.
Or
John was robbed of the opportunity to live a normal life when he was falsely convicted of murder.
Something was taken from OP, Joan, and John. In OP's case, probably his job due to the collapse of the tourism industry during this ongoing pandemic. Nobody needs to have gained something in return for this to be true.
I tend not to begrudge folks the right to be bitter or feel disenfranchised at the world. We all get the butt end of things in our own time, and it's never fun losing it.
The market shifting, leaving one high and dry, while inevitable, should not obligate someone to be chipper and happy-go-lucky about it.
What else do you call a fluid market change in reaction to an obstruction in the form of collective action undertaken by the State? The State doesn't exist separate from the Market, nor does the Market exist separate from the State. Both underpin the other's existence. To see it any other way is folly, or at least the least conceivably useful way of trying to forecast probable outcomes on any scale appreciably large.
You see a market failure, I reject your perception of a particular vein of economic activity remaining worthwhile in perpetuity as an accurate understanding of a Market to fail, and instead accept that all economic activity is fluid and necessarily reactive to physical and political constraints.
Just look at Turnips or Onions to break yourself of a mistaken belief that Markets don't inherently rely on the State to price in what's practical; and hell, half the point of a State is to make the effective price of something so high, people don't do it.
Sure thing, but wouldn't it be better to then just say "I feel sad, angry or bitter about the job I thought I could have for an indeterminate amount of time"?
Using words like 'robbed' just hides both facts (no the job was not robbed, yes you are sad/angry about the situation). And by hiding facts like that we end up with populism and lies.
I feel like it would be vastly easier to just not offer WiFi.
Many coffee shops turn it off on weekends, to "encourage socialization" (as in stop people from sitting around for hours).
French bars and cafes desperately could use VPN services that secure DNS, thus the logs would be MAC addresses and a single endpoint, with time stamps/durations only.
If only they'd used Alcatel routers, then 'authorities' could have monitored everything through the back door, and there would be no need for private logs.
At my first job we were developing a huge enterprise app in J2EE, where clean build times were around 15 minutes. We also had tons of issues with the toolchain for which the “solution” was “mvn clean install”. So I made a small program which printed snippets of pre-recorded Maven build output in an infinite loop, and launched it on my second screen whenever I wanted some time off from coding that enterprise crap. Nobody would complain that I’m browsing Facebook or swiping in Tinder, as I was clearly waiting for the “build” to finish :)
So only a government office would be exempt in those matters, not a private organisation, except when seen as performing a government function. That is somewhat up to interpretation, so maybe, maybe not.
It’s also a statement that sometimes requirements conflict. As a business owner, I’m required to keep proper books. That means every invoice needs to be on the book for at least 10 years. But invoices contain personal info - a name and address at least, possibly other data. You can’t require me to delete those invoices on GDPR grounds and violate the bookkeeping requirements.
And unlike data collection by random companies, data collection required by law is subject to public and judicial review. Laws are known - what data companies collect not necessarily.
That comment was not inspired by mistrust of the State. (I would trust the average European government far more than I trust my own.) I'm saying that private firms will use this ready-made excuse to intentionally exceed the limits placed by a straightforward reading of GDPR.