Skip to content

Top Best Ask Show New Jobs

Consent, GDPR and Google Analytics (opens in new tab)

(cunderwood.dev)

113 pointsfenier4y ago96 comments

96 comments

45 comments · 5 top-level

shoto_io4y ago· 30 in thread

I’m not the biggest fan of Ben Evans, but he’s right on “privacy fanatism”:

> At a certain point EU privacy regulators will realise: When an EU citizen requests a US internet resource, they provide a US server with their IP address; An IP address is PII; The CIA could record that; Therefore it is illegal to provide any internet resource to anyone in the EU

Source: https://twitter.com/benedictevans/status/1492102034409066504

PS: saying this a German citizen…

pjc504y ago

Extraterritorial jurisdiction + global nature of the internet causes these problems. We've already seen lots of the reverse: it's illegal to provide gambling to Americans. https://en.wikipedia.org/wiki/United_States_v._Scheinberg

It's also legally difficult to provide bank accounts to Americans: https://www.thelocal.fr/20210924/why-americans-are-finding-i...

Then there was the whole incompatible court orders in re Azure: https://www.theverge.com/2018/4/5/17203630/us-v-microsoft-sc...

Really the only workable outcomes are a global agreement on internet-touching governance (which the US will never accept on principle) or Balkanization. Or I suppose an eternal chasing into new as yet unbanned services.

Thanks, that’s was really insightful. I wonder if global agreements are really unimaginable. There have been quite a few from the old days, e.g. international marine conventions. What do you think?

madrox4y ago

I suspect there's a third outcome within crypto many are quietly pursuing. Looked through the lens of "what if the internet were its own country" a lot of web3 makes a bit more sense.

Or maybe I've read too many Neal Stephenson novels.

There’s no issue with that. If a person manually takes their information and mails it to the CIA, that’s also fine.

The issue is if a person visits a resource from a company in the EU, they should be able to expect that that information won’t be passed along to any third party that’s not absolutely necessary. Especially not to foreign governments.

You wouldn’t expect a visit to latimes.com to leak your information to the Chinese Party either.

shadowgovt4y ago

Maybe I'm just old-school, but I expect when I visit a site I'm leaking some PII (my IP address) to every router between my client and latimes.com to do with as they will.

I wouldn't necessarily expect the CCP to be involved unless Internet routing is having a very bad day, but I'd expect the American government to be involved when hitting an American server.

throwhauser4y ago

> The issue is if a person visits a resource from a company in the EU

Does it have to be a company in the EU? I thought the GDPR covered any website an EU citizen, resident, or visitor might use, in which case US-based websites might have contradictory obligations to the GDPR and US law.

nr2x4y ago

Do they have a TikTok?

tsimionescu4y ago

Well, the obvious responses here are that (1) the law does no such thing, and (2) even if it did, the right target for public concern should be the CIA and the government theoretically controlling its behavior, not the EU.

Even if it came to a point where the EU decided that the only for to keep its citizens safe from US intelligence monitoring were to cut out all access between EU and USA internets, the problem would be the US intelligence framework, not the EU.

Angostura4y ago

Nope. Because legitimate interest kicks in there - you can’t provide the requested service without the IP address. At all.

Turn off Google analytics and you can still provide the service.

pinephoneguy4y ago

Really you should just stop using Google analytics. I know all the data is really fun to look at and can even be useful but it’s a bit like poisoning people just for walking into your business.

tssge4y ago

You most definitely can provide a service without having a US IP address. Many services have IPs and servers in the EU instead of the US.

shafyy4y ago

He is not right. Does anyone really think that EU regulators don't know that every request provides the server with an IP address?

Will they start sueing every US company that doesn't comply with GDPR? Of course not. The EU is doing this to build pressure against the US and their surveillance fetish. And it's good that they are, because otherwise, who will?

The US government has proven time and over again that they do not care about their citizens' privacy and straight up lie to their faces. And then there is the CLOUD act, which now starts to affect non-US citizens, too.

IP address by itself is not considered PII (at least not yet).

Context matters. IP address along with other information could be considered PII.

rndgermandude4y ago

There were rulings finding IP addresses by themselves are already PII[0], because an IP address might be tracked back to a person. E.g. an IP address can potentially be used to go to an ISP and request the subscriber information, and the subscriber information potentially identifies the user of the IP address at a given time, if the subscriber cannot name anybody else who could have reasonably used used the IP address at a given time. Courts found that this abstract risk is enough to qualify IP addresses as PII, as they can potentially identify people indirectly.

The recent German ruling about loading Google Fonts without prior consent explicitly mentioned these rulings and made them a core part of their own conclusions.

[0] The most important ruling is the Breyer ruling (C‑582/14), that found, answering question one, that "dynamic" IP addresses are PII. Further rulings have regularly found that "static" IP addresses are PII, and that you cannot really know what is a "dynamic" and a "static" IP address with reasonable certainty anyway.

"Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person."

https://curia.europa.eu/juris/document/document.jsf?text=&do...

shadowgovt4y ago

Do we have a ruling that IP address alone isn't PII? I thought the opposite was true.

https://www.fieldfisher.com/en/services/privacy-security-and...

Exactly right.

marcosdumay4y ago

Yes, taking it literally at the extreme case, the rule is unreasonable.

But Google Analytics is the kind of thing the Law was created to stop, it's not an unreasonable unintended effect.

> ... When an EU citizen requests a US internet resource, they provide a US server with their IP address; An IP address is PII; The CIA could record that; Therefore it is illegal to provide any internet resource to anyone in the EU

Forget that. An EU user visiting an EU site might have their packets routed through an entity outside the EU anyway, without their intent and certainly without their explicit consent.

An IP address is personal data, it’s only PII in combination with other data. Don’t collect the other data if you don’t need to.

> it’s only PII in combination with other data

It’s always PII for static IPs, and together with a timestamp it’s also PII for dynamic IPs...

MauranKilom4y ago

Providing the IP address for the communication channel is quite obviously necessary and does not require explicit consent.

https://gdpr-text.com/read/article-49/#para_gdpr-a-49_1_1b

> In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, [...] a transfer [...] of personal data to a third country or an international organisation shall take place only on one of the following conditions:

> [...]

> (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request

> [...]

GDPR does not forbid providing internet resources to EU users, that is simply a lie. All it requires is that data handling happens in the best interest of the user.

tremon4y ago

True, but storing the IP address server-side for purposes other than serving the HTTP request doesn't fall under (b).

Diagnostic logging (e.g. apache logs) is probably okay as long as the organization can show that these logs are destroyed in a reasonable timeframe, but FAFAIK even that is legally a gray area (in the sense that it isn't explicitly forbidden nor allowed).

nickpp4y ago

Recent court orders in Germany and France beg to differ.

fleddr4y ago

Well, the other side of the coin is US intelligence agencies monitoring and collecting all traffic, far outside its jurisdiction.

What's next, Twitter geniuses realizing it's also not legal for the CIA to poison people in foreign countries? Supply weapons to militias? Trade narcotics?

That seems a ridiculous interpretation. US companies liable for actions performed by the CIA? Forget GDPR, the entire population of the USA is guilty of war crimes.

If the CIA required web sites to explicitly include a privacy invading snippet, even then it is dubious since it is under duress. And in any case, exactly the sort of stuff you would want laws like GDPR to hinder.

yobbo4y ago

That is false. Businesses outside EU are not bound by GDPR.

The problem is when websites in EU, which are expected to follow GDPR, randomly leak information to businesses outside EU.

> Businesses outside EU are not bound by GDPR.

Business outside the EU, interacting with users in the EU are bound by the GDPR. There might not really be a way (currently) to impose penalties on those businesses for violations, but they are certainly bound by them.

This is such a weird argument. Let's say those things are true (and I think they are reasonably true).

- When an EU citizen requests a US internet resource, they provide a US server with their IP address

- An IP address is PII (well, personal data as far GDPR is concerned, but that's a nitpick)

- The CIA could record that

I don't think how you would go to a conclusion from those that "it is illegal to provide any internet resource to anyone in the EU".

First, it's worth noting that GDPR only applies to companies that specifically target its services at individuals in the EU. Targeting means having an EU office, using an EU domain, providing EU languages such as Polish or allowing payments in EU currencies. If your service makes no effort to provide service specifically for European users there is no need to worry about GDPR - even if you are in the US.

Second, while US services targeting individuals in the EU are legally problematic, this doesn't affect other countries - so I see no reason to say "any" here. For example, a Japanese server is free to provide services at individuals in the EU provided they comply with GDPR as EU has an adequacy decision for Japan.

Also, I would like to point out you can replace US with North Korea in this argument. I think it would be ridiculous to say that if European Union were to disallow sending personal data to North Korea (including IP address) then it would mean that it's illegal to provide any internet resource to anyone in the EU.

> Targeting means having an EU office, using an EU domain, providing EU languages such as Polish or allowing payments in EU currencies.

Nope. There's only a single requirement: having EU users.

nonrandomstring4y ago· 3 in thread

What a tangled web of legal niceties and hypothetical interpretations we've woven here. But the moral arithmetic, toward which European thought is tending, is more brutal and something to which American corporations had better pay serious attention to if they want to keep playing this game.

In general; we hold that "ignorance of law is no excuse", yet in contract law _capacity_ is a key construct, and ignorance very much _does_ play a part. It's not just minors, the mentally-ill, or those incapacitated by drugs or alcohol, discombobulated or bamboozled by other means, who cannot give consent in a contractual relation. In an age where most lawyers and judges, like everyone, mindlessly click-through "agreements" and shrink-wrap EULAs, there's a strong and growing argument to be made that non-expert adults lack genuine capacity to understand technologically mediated relations.

In other words, it's the contract law that underlies this stuff that's coming up for revision, not the surface interpretations. The important matter now is not deliberating whether the letter of the law creates "consent" on this or that occasion, but whether the spirit of the law allows for consent even in principle, given societal standards of digital literacy and the complexity of modern digital interactions.

> In an age where most lawyers and judges, like everyone, mindlessly click-through "agreements" and shrink-wrap EULAs ..

That's an interesting problem. I'm a little disappointed that the route we've gone is having courts decide that this or that bit of EULA isn't binding, but people are still expected to read them and be somehow bound by them. It's kind of difficult for the common man to find out which parts of an EULA are or can be legally binding, so why should they ever be read?

For a while now I've been thinking that EULAs should also be made simple and clear and understandable, kinda like they're forced companies to do now with consent dialogs. No walls of text, no small print, no legalese, and definitely no tons of obviously unenforceable but chilling terms (that the poor reader might think are enforceable).

It does not feel right that people are "agreeing" to something they didn't read anyway (and which if they did, most people wouldn't really understand anyway), and they can only find out what their rights are after the fact.. so maybe we should just say that such agreements are not okay, stop it. It should be easy to understand exactly what you are agreeing to (or possibly we could just have the terms in law and stop this silly game altogether).

trasz4y ago

Rather than making EULAs simple and clear, how about simply making them void? They don't serve any valid purpose.

Agentlien4y ago

For a while I tried to actually read EULAs because I wanted to know what I was agreeing to and felt which parts are overly generic gave a good indication of what a company might want to do without explicitly stating it.

But it's just too much and too overwhelming and most of it is just completely cookie cutter legal babble which I can't waste my time with. I recently bought a video game to play for fun and when I first started it I was asked to sign off on a ridiculously long legal text followed by five(!) revised versions of it from various updates. What am I to do? Spend a few evenings reading and comparing those instead of playing the game I'd bought? Realize that I couldn't play the game I'd bought and ask for a refund? Or just scroll through, click to make it go away and enjoy my game without thinking more about it.

adithyasrin4y ago· 3 in thread

This is going to be a hot topic in Germany once the German courts rule it out. Should it say it's illegal to load, we have got loads of work in front of us. One simpler solution that I have seen Zaraz by Cloudflare, which seems to solve this issue. Has anyone had experiences with this?

https://blog.cloudflare.com/keep-analytics-tracking-data-in-...

cassianoleal4y ago

Still an US corporation, subject to the CLOUD Act.

fenierOP4y ago

The author of the blog apparently also wrote about Zaraz in this post:

https://cunderwood.dev/2022/01/30/tag-management-is-no-longe...

speedgoose4y ago

Cloudflare is from USA so it’s a quick decision to take.

EtienneK4y ago· 2 in thread

Good article. We need more of these. GDPR and integrating with 3rd party services can be quite a legal minefield.

I would like to see an article regarding Google Recaptcha. I am currently considering Recaptcha during a login process as a means of protecting against credential stuffing and password brute forcing. But I do not know if this counts as "legitimate interest" as defined by GDPR. And if it doesn't, there really isn't any way to ask for consent in this case, because "denying" consent sidesteps the entire security measure...

> I am currently considering Recaptcha during a login process

Please don't, think about your users. Just use normal rate limiting instead of forcing me to select more god damn street signs.

Spivak4y ago

That makes no sense, one is not a replacement for the other. Spam bots can be slow, and human users can hammer your API. You need both.

anothernewdude4y ago· 2 in thread

Just don't opt in to Google Analytics. I don't.

SquareWheel4y ago

There's an opt-out, but not an opt-in for Google Analytics. Unless you're referring to simply blocking it via a content blocker script.

tremon4y ago

Content blocking is also opt-out, in the sense that no browser blocks this by default.

j / k navigate · click thread line to collapse