Two bookmarks, concerning GDPR enforcement. The GDPR is an EU law with global reach and as such ‘exports’ the current European approach to data protection as a key citizen right. National Data Protection Agencies (DPAs) are tasked with enforcing the GDPR against companies not complying with its rules. The potential fines for non-compliance are very steep, but much depends on DPAs being active. Various DPAs at this point, 2 years after GDPR enforcement commenced, seem understaffed, indecisive, or dragging their feet.

Now the DPAs are being sued by citizens to force them to do their job properly. The Luxembourg DPA is sued for the surprising ruling that the GDPR is basically unenforceable outside the EU (which isn’t true, as it could block services into the EU, seize assets etc.). And there’s a case before the EUCJ, based on the Irish DPA being extremely slow in starting investigations of the Big Tech companies registered within its jurisdiction, that would allow other national DPAs to start their own cases against these companies. (Normally the DPA of the country where a company is registered is responsible, but in certain cases DPAs of the countries of residence of the complaining citizen can get involved too.)

The DPAs are the main factor in whether the GDPR is an actual force for data protection or an empty gesture. And it seems patience with DPAs to take up their defined role is running out with various EU citizens. Rightly so.

Bookmarked This is Fine: Optimism & Emergency in the P2P Network (newdesigncongress.org)
...driven by the desire for platform commons and community self-determination. These are goals that are fundamentally at odds with – and a response to – the incumbent platforms of social media, music and movie distribution and data storage. As we enter the 2020s, centralised power and decentralised communities are on the verge of outright conflict for the control of the digital public space. The resilience of centralised networks and the political organisation of their owners remains significantly underestimated by protocol activists. At the same time, the decentralised networks and the communities they serve have never been more vulnerable. The peer-to-peer community is dangerously unprepared for a crisis-fuelled future that has very suddenly arrived at their door.

Another good find by Neil Mather for me to read a few times more. A first reaction I have is that in my mind p2p networks weren’t primarily about evading surveillance, evading copyright, or maintaining anonymity, but about network resilience and not having someone with power over the ‘off-switch’ for the entire network. These days surveillance and anonymity are more important, and should gain more attention in the design stage.

I find it slightly odd that the dark web and e.g. TOR aren’t mentioned in any meaningful way in the article.

Another element I find odd is how the author talks about extremists using federated tools: “Can or should a federated network accept ideologies that are antithetical to its organic politics? Regardless of the answer, it is alarming that the community and its protocol leadership could both be motivated by a distrust of centralised social media, and be blindsided by a situation that was inevitable given the common ground found between ideologies that had been forced from popular platforms one way or another.”
It ignores that by going the federated route extremists lose two things they enjoyed on centralised platforms: amplification and being linked to the mainstream. In a federated setting I, with my personal instance, and any other instance each decide whom to federate with or not. There’s nothing for ‘a federated network to accept’, each instance does their own acceptance. There’s no algorithmic rage-engine to amplify the extreme. There’s no standpoint for ‘the federated network’ to take, just nodes doing their own thing. Power at the edges.

Also I think that some of the vulnerabilities and attack surfaces listed (Napster, Pirate Bay) build on the single aspect in that context that still had a centralised nature. That still held some power in a center.

Otherwise good read, with good points made that I want to revisit and think through more.

Really interesting step for IRMA: they’re now offering BigBlueButton enabled videoconferencing for meetings where participants have their identities verified.

IRMA is a Dutch mobile app that allows you to share specific aspects of your identity with different parties, relevant to a specific context. For instance if you have to prove you’re over 18 to order an alcoholic beverage, showing your ID is the current norm. But that discloses much more than just your age, as it shows your ID number, full name, date and place of birth etc. IRMA is an app that you can preload with verified identifying aspects, such as your date of birth as registered with the local government’s citizens database, which you can then disclose partially where needed. When ordering a drink, you can show the bartender that you’re ‘over 18’ as verified by your municipality, without having to show your actual date of birth or your full name.

In our pandemic age video conferencing has grown enormously, including for conversations where identity is important. E.g. conversations between patients and doctors, or job interviews, conversations with your bank, exams etc. IRMA-Meet now offers BigBlueButton videocalls from their site, where all participants have been verified on the relevant identity aspects for the call.

Looking forward to hearing user experiences.

Read Do we really want to “sell” ourselves? The risks of a property law paradigm for personal data ownership.
....viewing this data as property that is capable of being bought, sold, and owned by others is in large part how we ended up with a broken internet funded by advertising — or the “ad tech model” of the Internet. A property law-based, ownership model of our data risks extending this broken ad tech model of the Internet to all other facets of our digital identity and digital lives expressed through data. While new technology solutions are emerging to address the use of our data online, the threat is not solved with technology alone. Rather, it is time for our attitudes and legal frameworks to catch up. The basic social compact should be explicitly supported and reflected by our business models, legal frameworks and technology architectures, not silently eroded and replaced by them.

Elizabeth Renieris and Dazza Greenwood give different words to my previously expressed concerns about the narrative frame of personal ownership of data and selling it as a tool to counteract the data krakens like Facebook. The key difference is in tying it to different regulatory frameworks, and when each of those comes into play. Property law versus human rights law.

I feel the human rights angle also will serve us better in coming to terms with the geopolitical character of data (and one that the EU is baking into its geopolitical proposition concerning data). In the final paragraph they point to the ‘basic social compact’ that needs explicit support. That I connect to my notion of how so much personal data is also more like communal data, not immediately created or left by me as an individual, but the traces I leave acting in public. At Techfestival Aza Raskin pointed to fiduciary roles for those holding data on those publicly left personal data traces, and Martin von Haller mentioned how those personal data traces also can serve communal purposes and create communal value, placing it in yet another legal setting (that of weighing privacy versus public interest).

Read net.wars: Hypothetical risks

This from Wendy Grossman hits the nail quite precisely on its head.

“The problem isn’t privacy,” the cryptography pioneer Whitfield Diffie said recently. “It’s corporate malfeasance.”

This is obviously right. Viewed that way, when data profiteers claim that “privacy is no longer a social norm”, as Facebook CEO Mark Zuckerberg did in 2010, the correct response is not to argue about privacy settings or plead with users to think again, but to find out if they’ve broken the law.

I think I need to make this into a slide for my stock slide deck. It’s also I think why the GDPR focuses on data protection and the basis for data usage, not on privacy as such.

(Do add Wendy Grossman’s blog net.wars to your feedreader.)