When I need to fill out webforms I regularly fill in nonsense or rants in fields that are not needed for what the form is for. This then ends up in databases, and sometimes comes back to me in surprising ways.

Such as yesterday, when I received this letter. I had to fill in my address some time ago while buying a book (it was a VAT invoice), but also a range of mandatory fields that were completely unnecessary, and some running afoul of the GDPR. Hence this letter addressed to the ‘read the GDPR, this form sucks‘ department of my company 😀

This form sucks

Some links I thought worth reading the past few days

  • Peter Rukavina pointed me to this excellent posting on voting, in the context of violence as a state monopoly and how that vote contributes to violence. It’s this type of long form blogging that I often find so valuable as it shows you the detailed reasoning of the author. Where on FB or Twitter would you find such argumentation, and how would it ever surface in a algorithmic timeline? Added Edward Hasbrouck to my feedreader : The Practical Nomad blog: To vote, or not to vote?
  • This quote is very interesting. Earlier in the conversation Stephen Downes mentions “networks are grown, not constructed”. (true for communities too). Tanya Dorey adds how from a perspective of indigenous or other marginalised groups ‘facts’ my be different, and that arriving a truth therefore is a process: “For me, “truth growing” needs to involve systems, opportunities, communities, networks, etc. that cause critical engagement with ideas, beliefs and ways of thinking that are foreign, perhaps even contrary to our own. And not just on the content level, but embedded within the fabric of the system et al itself.“: A conversation during EL30.mooc.ca on truth, data, networks and graphs.
  • This article has a ‘but’ title, but actually is a ‘yes, and’. Saying ethics isn’t enough because we also need “A society-wide debate on values and on how we want to live in the digital age” is saying the same thing. The real money quote though is “political parties should be able to review technology through the lens of their specific world-views and formulate political positions accordingly. A party that has no position on how their values relate to digital technology or the environment cannot be expected to develop any useful agenda for the challenges we are facing in the 21st century.” : Gartner calls Digital Ethics a strategic trend for 2019 – but ethics are not enough
  • A Dutch essay on post-truth. Says it’s not the end of truth that’s at issue but rather that everyone claims it for themselves. Pits Foucault’s parrhesia, speaking truth to power against the populists : Waarheidsspreken in tijden van ‘post-truth’: Foucault, ‘parrèsia’ en populisme
  • When talking about networked agency and specifically resilience, increasingly addressing infrastructure dependencies gets important. When you run decentralised tools so that your instance is still useful when others are down, then all of a sudden your ISP and energy supplier are a potential risk too: disaster.radio | a disaster-resilient communications network powered by the sun
  • On the amplification of hate speech. It’s not about the speech to me, but about the amplification and the societal acceptability that signals, and illusion of being mainstream it creates: Opinion | I Thought the Web Would Stop Hate, Not Spread It
  • One of the essential elements of the EU GDPR is that it applies to anyone having data about EU citizens. As such it can set a de facto standard globally. As with environmental standards market players will tend to use one standard, not multiple for their products, and so the most stringent one is top of the list. It’s an element in how data is of geopolitical importance these days. This link is an example how GDPR is being adopted in South-Africa : Four essential pillars of GDPR compliance
  • A great story how open source tools played a key role in dealing with the Sierra Leone Ebola crisis a few years ago: How Open Source Software Helped End Ebola – iDT Labs – Medium
  • This seems like a platform of groups working towards their own networked agency, solving issues for their own context and then pushing them into the network: GIG – we are what we create together
  • An article on the limits on current AI, and the elusiveness of meaning: Opinion | Artificial Intelligence Hits the Barrier of Meaning

Some links I thought worth reading the past few days

Does the New York Times see the irony? This article talks about how US Congress should look much less at the privacy terms of big tech, and more at the actual business practices.

Yet it calls upon me to disable my ad blocker. The ad blocker that blocks 28 ads in a single article, all served by a Google advertisement tracker. One which one of my browsers flags as working the same way as cross site scripting attacks work.

If as you say adverts are at the core of your business model, making journalism possible, why do you outsource it?
I’m ok with advertising New York Times, but not with adtech. There’s a marked difference between the two. It’s adtech, not advertising, that does the things you write about, like “how companies can use our data to invisibly shunt us in directions” that don’t benefit us. And adtech is the reason that, as you the say, the “problem is unfettered data exploitation and its potential deleterious consequences.” I’m ok with a newspaper running their own ads. I’m not ok with the New York Times behaving like a Trojan horse, pretending to be a newspaper but actually being a vehicle for, your own words, the “surveillance economy”.

Until then my ad blocker stays.


My browser blocking 28 ads (see the address bar) on a single article, all from 1 Google ad tracker.

Some links I thought worth reading the past few days

  • On how blockchain attempts to create fake scarcity in the digital realm. And why banks etc therefore are all over it: On scarcity and the blockchain by Jaap-Henk Hoepman
  • Doc Searl’s has consistently good blogposts about the adtech business, and how it is detrimental to publishers and citizens alike. In this blogpost he sees hope for publishing. His lists on adverts and ad tech I think should be on all our minds: Is this a turning point for publishing?
  • Doc Searl’s wrote this one in 2017: How to plug the publishing revenue drain – The Graph – Medium
  • In my information routines offline figures prominently, but it usually doesn’t in my tools. There is a movement to put offline front and center as design principle it turns out: Designing Offline-First Web Apps
  • Hoodie is a backendless tool for building webapps, with a offline first starting point: hood.ie intro
  • A Berlin based company putting offline first as foremost design principle: Neighbourhoodie – Offline First
  • And then there are Service Workers, about which Jeremy Keith has just published a book: Going Offline
  • Haven’t tested it yet, but this type of glue we need much more of, to reduce the cost of leaving silos, and to allow people to walk several walled gardens at the same time as a precursor to that: Granary

Some links I thought worth reading the past few days

To celebrate the launch of the GDPR last week Friday, Jaap-Henk Hoekman released his ‘little blue book’ (pdf)’ on Privacy Design Strategies (with a CC-BY-NC license). Hoekman is an associate professor with the Digital Security group of the ICS department at the Radboud University.

I heard him speak a few months ago at a Tech Solidarity meet-up, and enjoyed his insights and pragmatic approaches (PDF slides here).

Data protection by design (together with a ‘state of the art’ requirement) forms the forward looking part of the GDPR where the minimum requirements are always evolving. The GDPR is designed to have a rising floor that way.
The little blue book has an easy to understand outline, which cuts up doing privacy by design into 8 strategies, each accompanied by a number of tactics, that can all be used in parallel.

Those 8 strategies (shown in the image above) are divided into 2 groups, data oriented strategies and process oriented strategies.

Data oriented strategies:
Minimise (tactics: Select, Exclude, Strip, Destroy)
Separate (tactics: Isolate, Distribute)
Abstract (tactics: Summarise, Group, Perturb)
Hide (tactics: Restrict, Obfuscate, Dissociate, Mix)

Process oriented strategies:
Inform (tactics: Supply, Explain, Notify)
Control (tactics: Consent, Choose, Update, Retract)
Enforce (tactics: Create, Maintain, Uphold)
Demonstrate (tactics: Record, Audit, Report)

All come with examples and the final chapters provide suggestions how to apply them in an organisation.

The Washington Post now has a premium ‘EU’ option, suggesting you pay more for them to comply with the GDPR.

Reading what the offer entails of course shows something different.
The basic offer is the price you pay to read their site, but you must give consent for them to track you and to serve targeted ads.
The premium offer is the price you pay to have an completely ad-free, and thus tracking free, version of the WP. Akin to what various other outlets and e.g. many mobile apps do too.

This of course has little to do with GDPR compliance. For the free and basic subscription they still need to be compliant with the GDPR but you enter into a contract that includes your consent to get to that compliance. They will still need to explain to you what they collect and what they do with it for instance. And they do, e.g. listing all their partners they exchange visitor data with.

The premium version gives you an ad-free WP so the issue of GDPR compliance doesn’t even come up (except of course for things like commenting which is easy to handle). Which is an admission of two things:

  1. They don’t see any justification for how their ads work other than getting consent from a reader. And they see no hassle-free way to provide informed consent options, or granular controls to readers, that doesn’t impact the way ad-tech works, without running afoul of the rule that consent cannot be tied to core services (like visiting their website).
  2. They value tracking you at $30 per year.

Of course their free service is still forced consent, and thus runs afoul of the GDPR, as you cannot see their website at all without it.

Yet, just to peruse an occasional article, e.g. following a link, that forced consent is nothing your browser can’t handle with a blocker or two, and VPN if you want. After all your browser is your castle.

Some links I thought worth reading the past few days

Today I was at a session at the Ministry for Interior Affairs in The Hague on the GDPR, organised by the center of expertise on open government.
It made me realise how I actually approach the GDPR, and how I see all the overblown reactions to it, like sending all of us a heap of mail to re-request consent where none’s needed, or taking your website or personal blog even offline. I find I approach the GDPR like I approach a quality assurance (QA) system.

One key change with the GDPR is that organisations can now be audited concerning their preventive data protection measures, which of course already mimics QA. (Next to that the GDPR is mostly an incremental change to the previous law, except for the people described by your data having articulated rights that apply globally, and having a new set of teeth in the form of substantial penalties.)

AVG mindmap
My colleague Paul facilitated the session and showed this mindmap of GDPR aspects. I think it misses the more future oriented parts.

The session today had three brief presentations.

In one a student showed some results from his thesis research on the implementation of the GDPR, in which he had spoken with a lot of data protection officers or DPO’s. These are mandatory roles for all public sector bodies, and also mandatory for some specific types of data processing companies. One of the surprising outcomes is that some of these DPO’s saw themselves, and were seen as, ‘outposts’ of the data protection authority, in other words seen as enforcers or even potentially as moles. This is not conducive to a DPO fulfilling the part of its role in raising awareness of and sensitivity to data protection issues. This strongly reminded me of when 20 years ago I was involved in creating a QA system from scratch for my then employer. Some of my colleagues saw the role of the quality assurance manager as policing their work. It took effort to show how we were not building a straightjacket around them that kept them within strict boundaries, but providing a solid skeleton to grow on, and move faster. Where audits are not hunts for breaches of compliance but a way to make emergent changes in the way people worked visible, and incorporate professionally justified ones in that skeleton.

In another presentation a civil servant of the Ministry involved in creating a register of all person related data being processed. What stood out most for me was the (rightly) pragmatic approach they took with describing current practices and data collections inside the organisation. This is a key element of QA as well. You work from descriptions of what happens, and not at what ’should’ happen or ‘ideally’ happens. QA is a practice rooted in pragmatism, where once that practice is described and agreed it will be audited.
Of course in the case of the Ministry it helps that they only have tasks mandated by law, and therefore the grounds for processing are clear by default, and if not the data should not be collected. This reduces the range of potential grey areas. Similarly for security measures, they already need to adhere to national security guidelines (called the national baseline information security), which likewise helps with avoiding new measures, proves compliance for them, and provides an auditable security requirement to go with it. This no doubt helped them to be able to take that pragmatic approach. Pragmatism is at the core of QA as well, it takes its cues from what is really happening in the organisation, what the professionals are really doing.

A third one dealt with open standards for both processes and technologies by the national Forum for Standardisation. Since 2008 a growing list of currently some 40 or so standards is mandatory for Dutch public sector bodies. In this list of standards you find a range of elements that are ready made to help with GDPR compliance. In terms of support for the rights of those described by the data, such as the right to export and portability for instance, or in terms of preventive technological security measures, and ‘by design’ data protection measures. Some of these are ISO norms themselves, or, as the mentioned national baseline information security, a compliant derivative of such ISO norms.

These elements, the ‘police’ vs ‘counsel’ perspective on the rol of a DPO, the pragmatism that needs to underpin actions, and the building blocks readily to be found elsewhere in your own practice already based on QA principles, made me realise and better articulate how I’ve been viewing the GDPR all along. As a quality assurance system for data protection.

With a quality assurance system you can still famously produce concrete swimming vests, but it will be at least done consistently. Likewise with GDPR you will still be able to do all kinds of things with data. Big Data and developing machine learning systems are hard but hopefully worthwile to do. With GDPR it will just be hard in a slightly different way, but it will also be helped by establishing some baselines and testing core assumptions. While making your purposes and ways of working available for scrutiny. Introducing QA upon its introduction does not change the way an organisation works, unless it really doesn’t have its house in order. Likewise the GDPR won’t change your organisation much if you have your house in order either.

From the QA perspective on GDPR, it is perfectly clear why it has a moving baseline (through its ‘by design’ and ‘state of the art’ requirements). From the QA perspective on GDPR it is perfectly clear what the connection is to how Europe is positioning itself geopolitically in the race concerning AI. The policing perspective after all only leads to a luddite stance concerning AI, which is not what the EU is doing, far from it. From that it is clear how the legislator intends the thrust of GDPR. As QA really.

Today is the day that enforcement of the GDPR, the new European data protection regulation starts. A novel part of the GDPR is that the rights of the individual described by the data follows the data. So if a US company collects my data, they are subject to the GDPR.

Compliance with the GDPR is pretty common sense, and not all that far from the data protection regulations that went before. You need to know which data you collect, have a proper reason why you collect it, have determined how long you keep data, and have protections in place to mitigate the risks of data exposure. On top of that you need to be able to demonstrate those points, and people described by your data have rights (to see what you know about them, to correct things or have data deleted, to export their data).

Compliance can be complicated if you don’t have your house fully in order, and need to do a lot of corrective steps to figure out what data you have, why you have it, whether it should be deleted and whether your protection measures are adequate enough.

That is why when the law entered into force on May 4th 2016, 2 years ago, a transition period was created in which no enforcement would take place. Those 2 years gave companies ample time to reach compliance, if they already weren’t.

The GDPR sets a de facto global norm and standard, as EU citizens data always falls under the GDPR, regardless where the data is located. US companies therefore need to comply as well when they have data about European people.

Today at the start of GDPR enforcement it turns out many US press outlets have not put the transition period to good use, although they have reported on the GDPR. They now block European IP addresses, while they ‘look at options’ to be available again to EU audiences.

From the east coast

to the west coast

In both cases the problem likely is how to deal with the 15 or so trackers those sites have that collect visitor data.

The LA Times for instance have previously reported on the GDPR, so they knew it existed.

A few days ago they asked their readers “Is your company ready?”, and last month they asked if the GDPR will help US citizens with their own privacy.

The LA Times own answers to that at the moment are “No” and “Not if you’re reading our newspaper”.

Some links I thought worth reading the past few days

At least I think it is…. Personal blogs don’t need to comply with the new European personal data protection regulations (already in force but enforceable from next week May 25th), says Article 2.2.c. However my blog does have a link with my professional activities, as I blog here about professional interests. One of those interests is data protection (the more you’re active in transparency and open data, the more you also start caring about data protection).

In the past few weeks Frank Meeuwsen has been writing about how to get his blog GDPR compliant (GDPR and the IndieWeb 1, 2 and 3, all in Dutch), and Peter Rukavina has been following suit. Like yours, my e-mail inbox is overflowing with GDPR related messages and requests from all the various web services and mailing lists I’m using. I had been thinking about adding a GDPR statement to this blog, but clearly needed a final nudge.

That nudge came this morning as I updated the Jetpack plugin of my WordPress blog. WordPress is the software I use to create this website, and Jetpack is a module for it, made by the same company that makes WordPress itself, Automattic. After the update, I got a pop-up stating that in my settings a new option now exists called “Privacy Policy”, which comes with a guide and suggested texts to be GDPR compliant. I was pleasantly surprised by this step by Automattic.

So I used that to write a data protection policy for this site. It is rather trivial in the sense that this website doesn’t do much, yet it is also surprisingly complicated as there are many different potential rabbit holes to go down. As it concerns not just comments or webmentions but also server logs my web hoster makes, statistics tools (some of which I don’t use but cannot switch off either), third party plugins for WordPress, embedded material from data hungry platforms like Youtube etc. I have a relatively bare bones blog (over the years I made it ever more minimalistic, stripping out things like sharing buttons most recently), and still as I’m asking myself questions that normally only legal departments would ask themselves, there are many aspects to consider. That is of course the whole point, that we ask these types of questions more often, not just of ourselves, but of every service provider we engage with.

The resulting Data Protection Policy is now available from the menu above.

What this is

You are at https://www.zylstra.org/blog, which since 2002 is the personal weblog of me, Ton Zijlstra, its author. Although personal weblogs aren’t subject to the GDPR (the European personal data protection regulations), I do write about my professional interests here, and one of those is data protection. So I added a data protection policy anyway. My contact info is listed in the right hand column.

What personal data my site collects and why

When you visit this site, some technical data is automatically collected, such as your IP address. This is used for anti-spam, security and a few very basic analytical purposes. When you comment on a posting, a name and email address will be asked. When your own website alerts my website that you link to me (Webmention), your name and website address may appear in my comment section. In some postings other website’s content may be embedded (like a Slideshare presentation, a Youtube video, or an image on Flikcr), that track some of your data themselves. Posts and pages have sharing buttons. These sharing buttons do not track you, however if you click on them the corresponding service you post to will track you.

Comments and Webmentions

When visitors leave comments on the site the data shown in the comments form is collected (name and email address), and also the visitor’s IP address and browser user agent string to help spam detection. The name you use in the comment form is shown publicly on the website once your comment is approved.

The email address you provided will not be published, but will be stored with your comment, for as long as that comment is published. An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your Gravatar profile picture is visible to the public in the context of your comment.

Webmentions are an automatic way in which your own website alerts my website that you link to it. Metadata in your own website’s markup explicitly makes that data available to my website I only publish metadata, such as your name, url or profile picture of your site, that you yourself submit, underneath my own postings. I only publish a link to your own website along the lines of “this article was mentioned on [your website]“, so no excerpt or fragment of your content will be displayed. I do not use webmention for anything other than trackbacks, and don’t collect and display social backfeeds, such as mentions and likes on Twitter, Facebook and other social media platforms that are walled gardens and do not themselves support webmention. I use the WordPress plugin Webmention for this.

Subscriptions

You have the option to subscribe by e-mail to new postings. Those subscriptions are managed by WordPress.com. The e-mail addresses are not used for anything else. I do ocassionally clean up the list removing e-mail addresses that are connected to spammers.

Contact forms

There is no contact form, so no data is collected there. My contact info is listed on the right hand side.

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies stored on your own computer. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year. You can delete these cookies from your browser anytime if you want.

My blog does not set any other cookies.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if you have visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.

Analytics

I don’t use specialized analytical tools. However data such as your IP address, and the pages an IP has requested are stored in the server logs of my web hosting company, Your-Webhost. Their data protection policy is at https://www.your-webhost.nl/whois/terms.html. Whenever there are server problems, I may ask my hosting provider to look into their logs to see what happened. The server logs are processed on my webserver into aggregated analytical data with a tool called Awstats, that is available by default from my hosting company. I never look at it, though that may change.

By default WordPress, the tool I use to make this site, does not collect any analytics data. However, I use a plugin that does collect analytical data (such as IP addresses). Jetpack is a plugin by Automattic, the creator of WordPress, that provides me basic analytics concerning number of visitors, most viewed articles, country of origin based on IP address, referrers (the link you followed to come here), and external links clicked (the link you followed away from the site). It does not provide information on your specific visit, nor on the path of links you followed through the site. I am not seeking to increase the traffic to this site, so I don’t try to optimise content, and analytics is not of interest to me. Jetpack also helps me fight spam and malicious attempts to gain access to my site. Find the Jetpack Automattic privacy policy here.

Who I share your data with

I don’t share your data (the little that I may have) with others, except for the plugins that I use for spam and malicious attack protection.

How I retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. The same is true for Webmentions. This is so I can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

If you subscribe to my blog by e-mail, I retain the e-mail address you used until you unsubscribe.

Aggregated statistics in Awstats are kept for 5 years maximum, although I may delete them earlier to free up space on my hosting account.

What rights you have over your data

If you have an account on this site (you don’t, only I do), or have left comments, you can request to receive an exported file of the personal data I hold about you, including any data you have provided to me. You can also request that I correct or erase any personal data I hold about you. This does not include erasure of any data I may be obliged to keep for administrative, legal, security or other legitimate purposes. You can also at any time request the removal of one or all webmentions originating from your website.

Where I send your data

Visitor comments and visitor’s IP addresses are checked through an automated spam and attack detection service. I use Jetpack, Wordfence and Akismet for this.

My contact information

You can contact me using the information on the right hand side. You can use encrypted email to do so.

How I protect your data

All interaction with this website is encrypted traffic, by using https. My webserver, on which all data for this blog is stored, is protected by my web hosting company Your-Webhost. I cannot circumvent or alter their protective measures, nor do so without breaching their terms of service. My own access to this website, the back-end at my hosting company, and the front-end WordPress, is protected with strong passwords and non-standard usernames. I use three plugins, Jetpack, Akismet and Wordfence to shield against spam and attacks.

What data breach procedures I have in place

If you think data on this site may have been breached please contact me. With my web-hosting provider I will look into it, and report back to you.
If I get notified about a breach by my web-hoster I will inform those that have commented, and will post an announcement in my blog itself.
If I suspect there may have been a breach I will notify my web-hosting provider and work with them to prevent futures breaches, inform those who have commented on my site and post an announcement in my blog itself.

What automated decision making and/or profiling I do with user data

If you submit a comment to this site, or if you try to gain access to this website’s controls, you may be automatically classified as spammer or a malicious attacker and automatically blocked or blacklisted. If you submit a comment for the first time, or a comment that contains weblinks, it will be automatically held for moderation, and will not be published until I have looked at it. If you have previously approved comments published on my blog, you will be automatically permitted to do so again using the same credentials.