Speaking as a European: I think this is a very important topic for us. I don't think Americans and American companies understand how little trust the rest of us have for the American government. Working with a company that is not subject to the whims of the American government is a huge privacy win. If a company pitches me a product, they start 1 point ahead if they are based in Switzerland, Netherlands or somewhere similar.
I'm an American and I have next to zero trust for governments in general. "Absolute power corrupts absolutely" and humanity has given too few entirely too much "absolute power". I feel much the same about most of the massive corporate entities as well.
The difference is Europe is better at restricting corporate overreach than the US is, regardless of how similar their governments have become. That said, I'd take almost any European government over any US government of my entire lifetime, especially when it comes to actually enacting privacy legislation.
I couldn't care less about web fonts though. I'm not downloading them from Google or "bunny.net" or anywhere else. My computer has some of the nicest-looking fonts around as system defaults, and websites can either work with that or get put into reader mode.
Yep, and also the whole EU... Every few months, they either want to make encryption illegal, scan more private data, scan files on end user devices, outright ban e2e encryption, or worse.
And we can thank EU for the extremely annoying cookie pop-ups on every website. Every site has a slightly different UI and the options/button labels always vary. Declining is always a multi-step process with various checkboxes.
They are never geo-filtered either so everyone is forced to see them.
I’m usually a big advocate for privacy and this was obviously done with good intentions but there were so many better ways to do it and I doubt 99% of people do anything but click okay without reading it.
At least if the browsers did it the UI would be standardized and you could have default persistent settings.
Now that there has been a massive effort to implement it I doubt it will ever get fixed or go away. Even though the decline of supercookies and Firefox’s new 3rd party policy has largely made it obsolete.
> And we can thank EU for the extremely annoying cookie pop-ups on every website. Every site has a slightly different UI and the options/button labels always vary. Declining is always a multi-step process with various checkboxes.
No we can't. We can thank scummy adtech companies who feel entitled to their business model.
The GDPR very specifically says that the option to decline tracking must be at least as easily accessible as the option to accept.
The only way the EU is to blame for the pop-ups is that the regulation hasn't been enforced strictly enough.
In this case the problem with GDPR is not how it's written but how it's enforced (or rather, how little it's enforced). Most of the cookie popups that appear while browsing are already blatant violations of the law, but the violators get away with them because the relevant authorities are overwhelmed/underfunded/dysfunctional.
> If they asked anyone with at least a minimal technical knowledge, they'd get a lot better solutions.
This sentence implies that: (1) Nobody with even minimal technical knowledge was consulted when writing GDPR. (2) The problem of websites tracking their users can be solved through technical means. (3) One or more of the solutions are so trivial anyone with minimal technical knowledge could come up with them.
> And we can thank EU for the extremely annoying cookie pop-ups on every website. Every site has a slightly different UI and the options/button labels always vary. Declining is always a multi-step process with various checkboxes.
I don't understand this line of thinking. You are declining the cookies, so obviously you prefer not to be tracked. And it's obvious that it's not the EU who made the varying, annoying, and often purposely misleading dialog boxes to decline the cookies, but the companies who want to force their tracking on you. Without the EU law, they would just do it without asking for permission. So why blame the EU?
Of course the outcome of random unfriendly and annoying UIs is the only predictable outcome... so why wouldn't the EU be responsible? Who else would be?
Would some design guidelines be helpful? Maybe but it's still fundamentally flawed and I doubt it'd be enforced.
As I said the only possible option where there could be design cohesion is via the browsers (or maybe an EU-controlled open source JS plugin but that's even worse).
I don't ever use the cookie popups because fine-tune control of cookies doesn't have much privacy ROI. I want to use cookies on most sites and ublock does the rest.
I highly, highly doubt the tiny percentage of people not using an adblocker but are still technical enough to use cookie popups regularly and effectively is really worth the cost.
I get the impression people want this to be a good idea, because it sounds like one, instead of considering whether it is.
Has there ever been a study that shows the real-world utility of forcing sites to use cookie popups?
> Of course the outcome of random unfriendly and annoying UIs is the only predictable outcome... so why wouldn't the EU be responsible? Who else would be?
"Of course burglars choosing less protected houses is the only predictable outcome... so why wouldn't the makers of security systems be responsible? Who else would be?"
I still don't get it. Without the EU laws, it wouldn't be magically easier to block tracking cookies, they wouldn't offer a choice at all? What are you arguing for?
> As I said the only possible option where there could be design cohesion is via the browsers (or maybe an EU-controlled open source JS plugin but that's even worse).
> I don't ever use the cookie popups because fine-tune control of cookies doesn't have much privacy ROI. I want to use cookies on most sites and ublock does the rest.
The cookies for functionality/session are not affected by the cookie popup.
> I highly, highly doubt the tiny percentage of people not using an adblocker but are still technical enough to use cookie popups regularly and effectively is really worth the cost.
I use an adblocker and still decline on the cookie popups. I assume you do, too, otherwise you wouldn't complain about popups you don't see?
> Has there ever been a study that shows the real-world utility of forcing sites to use cookie popups?
Me being able to decline them is real-world utility. If a majority or at least significant portion of users is successfully tricked into accepting the cookies, then that calls for a refinement of the law along with better enforcement, not for retraction of the law. "Let them have it", what a bleak, defeatist thing to suggest.
You are blaming the makers of the law for what is very obviously the fault of the perpetrators, who are trying to get around the law in profoundly shady and just downright shitty ways.
I am glad the EU law exists, without it there wouldn't even be the option.
Client side blocking (by that I mean removing them after the tab/page close)? First for third party cookies, then for all of them, and add a "button" next to the url bar, to enable cookies for that specific site (to allow logins).
This breaks multiple desirable uses of cookies, unless they're explicitly allowed on a per-site basis. It doesn't help if a site uses cookies for both desirable and undesirable purposes. If this solution became ubiquitous, I'd predict websites would start showing popup banners nagging you to click the "enable cookies" button from next to the URL bar. Finally, even if this did work to stop websites from tracking users via cookies, the data harvesters would simply keep using non-cookie tracking methods like browser fingerprinting.
In contrast, the GDPR does not place requirements for cookies if they're not used for storing or processing personal data (the ePrivacy directive which I'm less familiar with might require a notification about them). It does not even require a popup or user's confirmation if personal data is processed on a legal basis other than consent (though these uses may need to be listed in some kind of available privacy policy document). Finally, as GDPR is mostly technology agnostic, its requirements remain the same regardless of whether the data collection is done using cookies or any other means.
Feigning ignorance. People in or adjacent to the tech surveillance industry (either working in it or having a substantial portion of their net worth invested in the industry) whine about cookie consents constantly, but nobody else gives a shit.
Are you telling me that you have no financial or professional stake in the matter? You haven't worked for or invested in a company that profits from tracking people online? Nor any of your friends or family?
My understanding of international privacy stuff is that if a European gov wants to spy on their own citizens, but the law prevents them, they phone up the USA and have the USA do the spying (hacking?) and get the data from them.
European countries do the same for USA gov on US citizens.
> In the US at least, any spying is illegal when both parties are within the US
And no doubt it must be even more illegal to then perjure yourself in front of Congress about not having engaged in such illegal spying, when in fact you have.
And, who ever got executed for spying domestically? Who ever got a prison sentence in line with the rough prison sentences the US happily gives out for much lesser offenses? Who ever got so much as a bad performance review?
People are talking about the possibility of being spied on by governments. I think if you’re targeted by government or intelligence agencies, then even self hosting most likely won’t save you from them.
What is important here, and why these laws matter, is how trivial it is to get access to your data, or for companies to sell your data. That’s why I appreciate the European’s effort to have better laws for our privacy.
If you really want to be government proof, then you better host everything in a server in a remote secret location out of their reach.
Governments and intelligence agencies can't target everyone. But they can gather data for future use. So if you don't give them your data you won't be targeted in the future.
This goes both ways, the lack of the usual amount of data about you is a data point in itself.
`SELECT * from citizens where data_points < 50;`
And then somebody aims a botnet armed with zero-days in your direction. But yeah, that requires dedicated adversaries that actually notice you -- which is not a given, I'll agree.
This is a good point. I would say we shouldn’t make it easy for the governments to access the data as well as private interest or companies. These are not mutually exclusive.
EU privacy laws are a step in the right direction. It’s progress. We can build on it.
Surely you realize that if a modern sophisticated government wants to see your data, they are going to be able to access it, even if it’s stored in the Netherlands? What threat are you protecting yourself against?
If the government wants to go after you in specific? You might be screwed. If the government wants to identify "criminals/degenerates" by checking against sexualPreference="gay", semitic="yes", numAbortions > 0, then you at least won't turn up because that would require a lot more effort.
> What threat are you protecting yourself against?
Against modern sophisticated governments who are too busy, lazy, or distracted to ask the Netherlands to give them my data. I'm not exactly a high priority target. All I have to do is to make it a little harder for them to access my data.
Why not? Make encrypted backups with `borg` and use `rclone` to distribute them to a number of free cloud storage services -- this is what I and many others do. One of my destinations is Yandex Disk. They all only see an encrypted Borg repo. And in the next few weeks or months I'll make sure they won't even be seeing that. Just a few opaque files several tens of megabytes big each. I wish them luck cracking it, lol.
What are they going to do, fly to my fringe country, knock on my door and politely ask me to stop storing encrypted blobs on their servers? No, they will not. First, their TOC does not forbid it and second, they are way too lazy to scope me out of the crowd, and third, they will only start shutting users down if their free plan starts costing them too much. I've been doing this for years and nobody seems to give a frak (Google included).
And I am just a regular guy who wants to make sure his code and passion projects (and personal / family photos) are never going to get lost even in a case of disaster. I never in my life did anything to warrant government attention.
Contrary to the weird Cold War sensibilities that rule a lot of HN's collective mindset for some reason, to me using Yandex Mail is no worse than using GMail.
Let's be honest: all those big players sing all our data to whoever they like, any moment they like. Pretending one is better than another is dishonest.
Have you considered that Switzerland and Netherlands might just, you know, hand other agencies your data without telling you?
At this point we're supposed to believe what amounts to feel-good talk.
But I keep asking: "How do we know for sure?"
I haven't done anything illegal nor do I need to protect some mega-important knowledge but I still dislike giving easy access to my data so I automated parts of my workflow to double-encrypt my most important data and send it to several off-sites plus an own self-hosted server.
Sure, they likely know remote Linux network zero-days but the odds of them wanting to target me in particular are minuscule so... ¯\_(ツ)_/¯
The internet culture's understanding of Swiss privacy laws is laughable at best. Switzerland has existing laws to any and everything for records.
You are trusting them just as much as a server in any other country. Saying "Switzerland" is all marketing for privacy enthusiasts who aren't going to do anything on their own.
Between the joke of an energy policy in Germany this year and Douglas Murray’s books I have no confidence in European governments either. I used to feel Europe’s system was more competent but the illusion has been shattered.
To add to that now every other website has an annoying and useless cookie dialog I have to dismiss, as if that's forward progress in privacy protection.
That is the website owners implementing the rules in the worst way possible, either through incompetence or through deliberately trying to annoy (or fool) you into accepting everything.
Can I be angry at both? Legislation is only required to regulate bad behavior by some set of entities. As such, legislation should be written assuming that those entities will exploit any loopholes. Malicious compliance is exactly what the EU should have expected and planned for.
Well, not quite. They are forced to stop hiding what they were doing. They could make everything opt-in, and it could be simple single checkbox or button, they are not forced to do any of what they are currently doing.
And if it makes people angry at the legislation, the lying back-stabbing “your privacy matters to us” arseholes in marketing are successfully making that goal backfire.
> Malicious compliance is exactly what the EU should have expected and planned for.
It usually isn't compliance, malicious or otherwise.
It is malicious “we know we are breaking both the letter and the intent, but we know they don't have resources to properly enforce against everyone, so we are going to chance it for as long as we can”. The vast majority of these consent systems are not compliant with any of the relevant regulations (ePrivacy Directive, GDPR, CCPA, …). They will fix it when they get a slap on the wrist. If they get anything it will be a slap or a warning because while anyone in their right mind is pretty sure that the non-compliance is deliberate, that is nigh-on impossible to conclusively prove.
> I don't think Americans and American companies understand how little trust rest of us have for the American government.
Have you... have you seen our politics? What makes you think that we think other people trust our government? We don't trust our government. Hell, it's trusted so little that one of our large political parties is basically entirely devoted to making sure that the government can't get anything done.
That political party's actions are about weakening the federal government so as to make it easier for large corporations to behave abusively, not because of trust. States have less resources, and can be played against each other.
The public-facing excuse for Joe Q Public is "they can't be trusted!", "less taxes on your hard-earned money" (when corporate share of taxes has plunged from the 50-50 split it used to be, increasing individual taxes), "the government is not efficient" (usually because of lots of onerous regulations and reporting and oversight that, ahem, a certain political party insisted on to fight "abuse")
> That political party's actions are about weakening the federal government so as to make it easier for large corporations to behave abusively, not because of trust.
Can you think of a reason people would do that if they didn't trust those corporations more than the federal government?
... and, at the same time, to radically increasing government spending literally everywhere except where there might be a possibility of benefit for an individual who needs help (just because said individual could possibly be ("a") black).
I’m surprised you emphasized government wrt. privacy here. Sure, despite the fact that the US government institutions have more mechanisms for oversight and transparency after 20 or 40 years, etc., they are certainly the most profligate in their use of surveillance and hacking, etc., and US three letter agencies are the most adept at completely side-stepping those publicized limitations — so it’s not like the government isn’t an issue, and the US government most of all.
But when it comes to surveillance on this quotidian level, I think private/corporate surveillance is far more relevant and problematic. In that regard, I’d slightly prefer a European country with good privacy laws like those you listed, because (probably) Bunny is not itself at the level of a panopticon such as Google, and the likelihood it has or would avail of avenues for resale to panopticon capable data brokers is less than it would be for US companies.
But even there, it does seem like a quite incremental improvement. The door is still wedged open, but now probably less wide, and probably with a stronger doorstop. It would be nice to not leave the door open at all.
Fair enough, and in a sense I don't even really disagree, but my point is essentially that self-hosting eliminates the class of problems almost entirely, meaning there would be no need to rely on this kind of 2nd order competition at all.
I always had the suspicion that the (seemingly higher) interest in privacy/FOSS in Europeans is fueled partly by anti-Americanism. In America, even if you don't trust the government, at least it's your government, so I don't feel like that plays as big a role, and any interest in privacy/FOSS (like mine) is untempered by the anxiety of an alien government's interference. :p Regardless, I love how much more Europeans seem to value privacy.
> I always had the suspicion that the (seemingly higher) interest in privacy/FOSS in Europeans is fueled partly by anti-Americanism.
Of course it is. After American Wars in the Middle East killed and displaced millions, there is good reason to be wary of Americans and the American government.
How do the laws play out in practice? If bunny.net started storing user agent and IP address information indefinitely, and someone complained, how likely is it enforcement action is actually enacted on them? It seems such a low-impact privacy violation would be a waste of time for a GDPR/etc agency to focus on compared to things like ad companies selling location data.
I think this is important to consider. In practice, it's difficult to have any recourse with an American company. In Europe it's more expected and common that government and consumer orgs take an active role. Both legal culture and culture-culture (?) are just very different, leading people to prefer to steer clear of this expensive and adversarial (compared to EU climes) environment.
That's the exact sentiment the parent to my comment is suggesting; I'm saying that GDPR agencies probably aren't going to care at all about the type of data sent to a web host when all they're doing is serving fonts for 3p websites.
Unless you're under a totalitarian government, spies aren't really interested in most people's data. Data brokers, on the other hand, are willing to sell anything they can profit from.
You can't use the internet without risk. All you can do is measure relative risks and decide which are acceptable. Means, motive, and opportunity matter. Someone who is missing the motive portion is less of a concern than someone who has all three.
No one expects zero risk, it's about reducing risk. I choose to avoid American companies in favour of non-American competitors because the American government is hostile to privacy and is a warmonger.
90%+ of governments are more hostile to privacy than the US. It might make sense to prefer countries with GDPR, but the vast majority of "non-American countries" have even worse protections for your data.
> and is a warmonger.
This is flamebait unrelated to data privacy risk. If you don't want to use American companies because you have a political opposition to supporting US companies, that's also a valid opinion. You don't have to twist it into a data privacy argument.
> This is flamebait unrelated to data privacy risk.
It's not flamebait, it's a legitimate reason. A country who has been killing people in various wars/invasions is unlikely to behave ethically when it comes to privacy.
If you behave unethically in one area, I have every reason to assume that you'll also behave unethically in another area.
The number of governments that have not had to deal with ethics concerns is exactly zero.
Rather than drawing a broad hand-wavy link between ethics concerns and respect for privacy, you'd be much more accurate in measuring privacy by directly considering their practical legal frameworks that protect privacy.
> A country who has been killing people in various wars/invasions is unlikely to behave ethically when it comes to privacy.
This doesn't hold up. There are many countries that will straight up man-in-the-middle internet traffic with no oversight that have been at peace longer than Germany.
This is simply not factual, it is an information availability bias. America is one of the most publicized nations, and sunlight is one of the best disinfectants. By any academically rigorous measure, the US ranks high in ethics, along with most other western style democratic systems.
Tell that to the people that were killed by American military in Iraq, Afghanistan, Libya, Syria, Pakistan, Yemen and probably other places I am forgetting.
A country like America that has been murdering people in many wars around the world without hesitation is unlikely to take my privacy seriously. They don't respect my right to live, do you think they will respect my right to privacy?
Maybe, but that doesn’t have any relation to the state of data privacy in a particular country. Most of the countries with almost no data protection at all (or laws that require your data to be compromised) don’t even have drones.
Can you please stop posting unsubstantive and/or flamebait comments to HN? You've unfortunately been doing it a lot lately. It's not what this site is for, and it destroys what it is for.
I can understand why people have strongly held views about foreign policy but this sort of political flamewar is repetitive and predictable, and therefore off topic here. It has veered particularly extremely off topic in a "Bunny fonts" thread. And I'm afraid you've been posting flamebaity/unsubstantive comments in other threads too.
or any government, especially our own, for that matter. Some just have a better track record at being bound by the rules they give themselves than others.