Yev here from Backblaze -> the company started by providing unlimited online backup, and that's a great industry for us. About 4 years ago we released Backblaze B2 Cloud Storage, which allows developers or sysadmins or enthusiasts to directly upload/retrieve data to/from our data centers. Our core competency is data storage - so while most folks do use us for a backup (either of their Mac or PC on the consumer side or servers/NAS devices with B2 Cloud storage) - what we really do is store and retrieve data.
Sort of, but not really, we just wrote APIs that let people talk to our pods directly. You can read about our architecture here (https://www.backblaze.com/blog/vault-cloud-storage-architect...) and check out the APIs and how we built them here (backblaze.com/b2/docs/).
I have data that is important to me (family photos, etc.) on my hard drive. I have backups of that data running on a Raspberry Pi with an attached drive. If my house gets broken into, or burns down, or hit by a tornado, basically something Really Bad, Backblaze has a copy of my data offsite.
It is tempting to use Backblaze as my only backup, but like they describe on their site, their primary value is as a backup of your backups. Normally you should never have to use them, and if you do, it will be slow. Now if you are in a hurry they offer a service to ship you your data on a thumb drive or hard drive, but that gives you an idea of their primary use.
GDPR: A well-intentioned EU measure that unfortunately hurts the smallest and weakest and fails to have an impact on the big ones that it should target.
Noble in thought, weak in action
Being honest, some of the most egregious handling of PII is by small companies who don't have the resources to understand that it is PII, or how to store it, or how to be in compliance. I don't think it's failing in that case. A small company wouldn't google how to build a bridge then DIY it, but that's what's happening with storing PII. If I had a dollar for every article I read where a doctor's office had records on an un-restricted FTP server...
It's funny how we let this all slide when it comes to tech. Imagine if someone said "Food safety regulations only hurt the small businesses, they don't have the resources to wash a cutting board after cutting chicken while McDonalds serves unhealthy but legally safe food"
But that's exactly what happens in the world though. In some poorer countries like China, street vendors are literally using gutter oil to make food.
If you want rules to be respected then you must be able to enforce them. Poorer places just can't afford to enforce those rules. If rules aren't enforced equally then people won't follow them, because if they have additional costs that their competition doesn't then they'll likely be outcompeted.
But I don't think McDev above was talking about a software startup in the poorest part of the world. I have implemented GDPR in a small non-profit open source SaaS business. A funded startup should have no issue doing the same.
> Imagine if someone said "Food safety regulations only hurt the small businesses, they don't have the resources to wash a cutting board after cutting chicken while McDonalds serves unhealthy but legally safe food"
But that's exactly what we do. The health inspector doesn't come to your home to verify that you wash your cutting board, even on the day you have a dinner party to entertain business clients. Depending on local law you may or may not be expected to follow the same rules as McDonalds (getting a food service license etc.) when you hold a high school bake sale, but people commonly don't actually do it and governments commonly don't actually enforce it in those circumstances.
Because it's more important, and justifies a higher compliance burden, to ensure that the company serving billions of hamburgers isn't giving people food poisoning than the individual serving four.
I believe you're being downvoted because it is common knowledge that food service legislation only applies to those selling food, and therefore intentionally doesn't apply to dinner parties.
If your European friend tells you their phone number and you write it down on your refrigerator (or your public blog for that matter), the French government isn’t going to come fine you for violating GDPR.
Is that what it says, or are you just saying they're not likely to enforce it in that way, and now we have a rarely enforced law that everybody violates and therefore the government can use it as a pretext to undemocratically destroy anybody that government officials don't like?
Wait, so you're saying it allows anyone to store and publish the personal information of Europeans? Without doing anything like have some way for people to contact you and request what information you have on them?
Which would also likely be perfectly legal under GDPR, assuming the phone number was given freely to you, we can reasonably assume informed consent.
As it's really hard to use a phone number for anything else than phoning someone, we can also reasonably say that the data is only used under the originally stated purposes.
And then the phone number is not shared with the public, but stored at a secure location (fridge) having organizational (family rules) and technical (locked doors, windows) policies in place to secure the information.
Given the required security level for a __single__ phone number I would say this would be a reasonable level of caution.
> Which would also likely be perfectly legal under GDPR, assuming the phone number was given freely to you, we can reasonably assume informed consent.
So what happens if you got the phone number from your friend's sister? Or off of caller ID?
> As it's really hard to use a phone number for anything else than phoning someone, we can also reasonably say that the data is only used under the originally stated purposes.
There are lots of things you can do with a phone number other than phoning someone. There are services that effectively use phone numbers as usernames, you could give it to them to see if your friend is on that service. When your new girlfriend asks who this number on the caller ID is you can tell them who it is (disclosing it to them). You could store it on your computer which gets backed up to some random cloud service in the US. That's all common human behavior.
> And then the phone number is not shared with the public, but stored at a secure location (fridge) having organizational (family rules) and technical (locked doors, windows) policies in place to secure the information.
The scenario is that it's also being posted to a public blog.
> Given the required security level for a __single__ phone number I would say this would be a reasonable level of caution.
Is it more common for a person to know a __single__ phone number, or have an address book full of them?
You're looking for the case where by coincidence it happens to not be a violation. Even if you find it, that doesn't help anything if accidental violations remain widespread.
My experience with startups lately is if it's a greenfield project that started within the past 3 years then they'll do everything by the book: sometimes even down to storing email addresses as hashes in the database, requiring a user to log in first for the software system - and the company - to know their email address.
Older systems which depend on having PII and even financial information as cleartext in the database are the problem - and it's essentially technical debt with far-reaching consequences, so no-one will fix a system that uses tenants' customers' SSNs as a primary key (yup).
I am aware of a legacy system powering a local business which runs on Rails 1 on a version of Debian from 2012 and stores users' passwords in plaintext, downcased.
I have tried to explain so many times that this system needs to be replaced urgently not for security reasons but because no one actually knows how to use Rails 1 anymore.
I have a Rails 1 product making $10K a year but I don’t have even the ability to log into the box anymore so if even the tiniest thing falls over that revenue is permanently gone for me.
You're right, but they probably can't afford to do it right. And since enforcement on this is lackluster it makes sense for the companies to just ignore it altogether, because if they get caught then it probably doesn't really matter if they took some steps to help privacy or none at all.
I think there should be some exceptions to it for small companies based on the impact of the PII. E.g. if the company handles email addresses or first names then that should be far less strict than if a company handles medical information, home addresses or credit card information.
On the other side, we should have audits in companies to see how the personal data is handled. Particularly in ones that deal with sensitive information.
The simplest way to comply is to not obtain and store personally identifiable information at all. Luckily this is also the cheapest. So I don't really buy that you "can't afford to do it right".
If you want to obtain and store personally identifiable information, then you have to manage it properly, just like selling food, medicine, financial services etc. need to follow certain regulation.
Note that all the competitors in the space will have to follow the same regulation, so it is not like it puts you at a disadvantage.
I don't want to live in a world where inviting people over for dinner is practically illegal because of food safety regulations. And I don't want to live in a world where I'm not allowed to write down my friends' birthdays and phone numbers.
I'm not sure if we have passed the line of too many regulations, but I know it's out there.
1) it's a cost of doing business. Costs of doing business change over time. Step changes as a result of regulation are typically introduced with windows to allow businesses time to respond. If you can't reasonably cover the cost of the change then...capitalism. You will fail and someone else will succeed. No one is guaranteed a profit.
2) Sounds like a business opportunity? GDPR/Privacy as a Service. e.g. https://privaon.com/ (first search hit).
> there should be some exceptions to it for small companies
This would effectively become a get out of jail for companies that want to outsource their (lack of) privacy with sufficient arms-length plausible deniability.
> 1) it's a cost of doing business. Costs of doing business change over time. Step changes as a result of regulation are typically introduced with windows to allow businesses time to respond. If you can't reasonably cover the cost of the change then...capitalism. You will fail and someone else will succeed. No one is guaranteed a profit.
Except that foreign companies won't have this same limitation. The end result is that all of your online services will be provided by foreign companies, which ironically is already the case in the EU.
A foreign company that's beyond the jurisdiction of the EU can abuse GDPR as much as they want. If they get caught then they'll just lose their business. The EU can't actually fine them, but that same company likely outcompeted EU companies for years.
> This would effectively become a get out of jail for companies that want to outsource their (lack of) privacy with sufficient arms-length plausible deniability.
They can do the same thing with foreign companies though. If you can set up a system where you would use your small companies to escape regulation, then the same can be done with companies run by foreigners.
> 2) Sounds like a business opportunity? GDPR/Privacy as a Service. e.g. https://privaon.com/ (first search hit).
And said business opportunity is additional inefficiency on businesses in the EU that their global competitors don't have to follow.
You're getting downvoted because you're incorrect: it doesn't matter where a company is from, if they're conducting business with people in the EU, they're bound by it. Which is why several non-EU companies have paid fines and plenty are implementing GDPR-based privacy measures (and I speak from experience here).
Foreign companies paid fines because they still wish to operate in the EU. If they were willing to give up on that then they wouldn't have to pay anything. E.g. a Chinese company could collect and abuse as much data as they wanted. Once they get caught the EU can levy fines on them, but the company can just choose not to pay, because the EU can't reach into China.
The EU can't force a foreign company to pay, just like China can't force an American company to pay. Or am I mistaken and there's some international agreement that allows the EU to force them to pay up?
I recently did a stint as a contractor at one of Australia's "big 4" banks. I can assure you that they are so active in the privacy space, and foresee more and more GDPR-like regulations, that they've created their own privacy framework based on GDPR plus likely similar frameworks to come in other jurisdictions. It is one of the biggest funded projects in that bank (it helps that Australia recently had a negative spotlight on the banks' behaviour. Thanks Royal Commission!).
The point I'm trying to make is that if you have European customers, then the GDPR applies. Therefore, "foreign companies" competing for EU customers, definitely do have this limitation. Fines have been issued for companies that don't comply, and the sizes vary immensely (e.g. over 200 million euro for British Airways down to 118 euros (not millions, 118) for the Data Protection Authority of Saarland).
GDPR might apply and the EU can levy fines on foreign companies, but that doesn't mean that a foreign company has to pay like a European one. The EU can't force a Chinese company to pay if they are willing to give up their EU business. That's the problem - you can't enforce it where you have no legal jurisdiction.
Or do I have it wrong and that there is an enforcement mechanism that can make a Chinese company do things the EU says?
Google has so far only received a 50M euro fine from France, and a tiny one from one of the other countries. Depending who you ask, there are different stories for why Google hasn't suffered larger fines. One story is that the law is toothless and we need something stronger. Another story is that enforcement in complex situations takes time, and we'll see bigger Google fines down the line. And then the final story is that Google is actually complying with the law.
AFAIK Google has gone to great pains to attempt to comply, at least within the advertising and analytics space. I've seen significant product updates in Google Ad Manager, Google Analytics, AMP, BigQuery, etc. to allow for consent, right of removal, designating a DPO and more.
Are users any better off now because those companies got fined? Did those companies stop collecting user data? Has online privacy improved because of those fines? Nope!
I think there's an argument to be made that GDPR had some effects. For example, you can now enable or disable ads personalization on Google at https://adssettings.google.com. I don't think that was there before GDPR. Google also presumably did explicit opt-in for EU users, since otherwise they'd have already faced some pretty massive fines.
It may be that most users consented, but I think the takeaway from that should be that most users do not consider ads personalization a significant violation of their privacy.
> Are users any better off now because those companies got fined?
Yes
> Did those companies stop collecting user data?
Maybe not google so much, but other companies certainly stopped or collect a lot less. And it's still early, and there is plenty of low hanging fruit for GDPR enforcement to hit.
> Has online privacy improved because of those fines?
The full effects remain to be seen, but yes, it has improved. Maybe not for you, but for me it certainly has, in particular with German businesses I use.
Aside from regulations, it also fueled and still fuels public discussion, especially in the tech space. Where half a decade back everybody would have ignored e.g. GitLab's email informing users and customers that they are going to roll out third party tracking, this time around the backlash was so swift and hard GitLab went back to the drawing board (good for them!).
On top of that, the EU inspired similar laws around the world including the (somewhat lenient) California Consumer Privacy Act that comes into effect next year.
The GDPR is a large compliance burden. The bigger your company is the less this hurts you because it's very approximately a fixed cost. So the GDPR kneecaps small companies while being a painful but bearable expense for large ones. On net it helps the internet giants by reducing competition.
This is no different than anything else. All sorts of unethical and exploitative arrangements are helpful for small firms’ bottom line, but easier to handle properly with larger scale.
Dumping toxic byproducts in the river. Forcing employees to work unpaid overtime. Keeping fraudulent books and evading taxes. Selling illegally dangerous products. Not following local building codes. Facilitating third-party fraud or money laundering...
Being a small business should not be license to do whatever you want, irrespective of the harm to customers, business partners, or others in the society.
In the case of data protection specifically, companies (perhaps especially small companies) are very cavalier with all sorts of data including personally identifiable information, financial information, communications, ..., and this causes serious harms when that data is misused directly or stolen by/leaked to/sold to someone who misuses it.
If a company cannot afford to stay in business while treating data carefully, then perhaps they should not be in business.
You're assuming that treating data carefully and complying with the law are the same thing. You can easily do the former and not the latter. More to the point, you can easily have already been treating data carefully and still have the compliance burden of paying lawyers to verify that fact put you out of business.
So what you're really saying is, if a company cannot afford to stay in business while navigating a legal framework designed for companies the size of Google, then perhaps they should not be in business. The result of which would be to have only companies the size of Google.
The same goes for any other kind of regulatory compliance.
No small company has to pay lawyers to validate that they are complying with GDPR. It’s just that if it turns out they weren’t, the fines for violations can be quite steep, so a risk-averse company is going to be proactive about it.
There are many types of regulations which are much stricter with more up-front costs than GDPR, which companies of every size manage to cope with (or sometimes don’t, and go out of business). The technology industry has just gotten used to not being held accountable when it harms people, so now that some sensible consumer protection regulation comes down (some) people are freaking out.
> The same goes for any other kind of regulatory compliance.
I don't think anybody disagrees with that. All regulatory burdens harm small businesses -- which is why they should all be minimized to the greatest extent possible.
> No small company has to pay lawyers to validate that they are complying with GDPR. It’s just that if it turns out they weren’t, the fines for violations can be quite steep, so a risk-averse company is going to be proactive about it.
And investors are risk-averse, so investors want to see compliance, so they're forced into the choice between going out of business due to the compliance burden or going out of business as a result of an inability to get investment without showing compliance.
> There are many types of regulations which are much stricter with more up-front costs than GDPR, which companies of every size manage to cope with (or sometimes don’t, and go out of business).
Two wrongs don't make a right. Nor do a hundred.
> The technology industry has just gotten used to not being held accountable when it harms people, so now that some sensible consumer protection regulation comes down (some) people are freaking out.
The technology industry is Intel and Samsung. Chips rather than bits. Plenty of regulation there -- environmental, patents, government contracts, etc.
But now we're talking about regulating information. It's not a particular industry, it's a thing all people do all day long. It's regulating people talking and writing stuff down. The number of people subject to whatever burden you impose is effectively everybody, so the burden inherently has to be small or when you multiply it by everybody everywhere it becomes an absurdity. If it's too complicated then either nobody complies with it and it's useless (and dangerous) or you crash the world by making everybody try to.
Not what I would call a kneecapping, or even a burden.
Compliance cost at the place I work in the UK was negligible. We have personal data on every customer, had to make some one time code changes, and ongoing costs are essentially zero. Frankly, compliance was trivial and little different to Data Protection - which was also trivial to comply with.
If you're data mining everyone to death and selling it off to multiple unnamed third parties, compliance may well be more challenging. Hardly surprising as that's one of the things it's trying to constrain.
Fines for larger companies are either too small to matter or will be negotiated down.
Larger companies also have a much easier time gaining consent (like Google and Facebook) that clears their usage while smaller companies struggle. This can be seen by the constant consent popups on every website. Users click yes on the major sites, then deny the rest.
> Larger companies also have a much easier time gaining consent (like Google and Facebook) that clears their usage while smaller companies struggle.
I feel the opposite may be true. When the law came to pass, I took some time to review my privacy options on Google and Facebook, since they are a big impact for me.
On the other hand, when I click on a link on HN to some random newspaper, and get presented with a five-step process to start to see my options, I don't usually bother and dismiss it as soon as I can, probably with some 'opt-in' consent. Since I'm not planning on viewing the site again, I consider it a minor annoyance.
Just because they're small and weak doesn't mean bad data policies can't cause harm. If you have 100 customers you're the little guy, but if your 100 customers are political activists in authoritarian states, it's kind of a big deal if you leave a .csv file containing their personal info on your HTTP server, isn't it?
In the end whether a penalty is just depends on the significance of the offense and whether the bad actor has reformed. The GDPR does give regulators discretion over whether to issue fines or take legal action; they don't immediately wreck people.
People need to remember that while laws are very rigid in drafting, they typically grant a lot of flexibility to the humans that enforce them... and humans often just opt to ignore them. So you can't just look at the law in terms of what it appears to read as, you have to also look at how it's applied in the real world. That can of course mean that a law like the GDPR has unintended negative impact, but it also means that sometimes the impact is not the negative you'd assume from reading it.
No, fuck small companies playing fast and loose with other people's data.
The smallest and weakest is not the small company or website operator, but the individual consumer, aka me and you.
Complaining that your small startup cannot collect and sell data willy-nilly is like complaining that you cannot run a startup from your garage that sells homemade miracle cancer vaccines you have vicariously tested, but only on stray cats in your neighborhood.
On top of that, the actual big fines so far for the most part targeted big and/or well-established and/or serial abusers. The small companies have only been "inconvenienced" in so far that they now have to think about what data to collect, about how to collect it and how to get consent, about whom to share it with and about how to store it reasonably securely. Something they should have done in the first place.
"A well intentioned" is a complete miss of a description. The bill is doing exactly what intended. It's evident a bigger corp. can pay bills easier than smaller.
At the time, everybody who pointed out that this was exactly what was going to happen got flamed hard. I hate that cynicism usually proves the correct stance.