back to article Dear America, you can't steal a personality: GDPR godfather talks privacy with El Reg

"Now I've heard that one before. Let me think, where was it... Ah yes. It was Google!" Jan Philipp Albrecht is the biggest thorn in the side of US data slurpers, and fortunately he has a good memory. The German Green MEP is the architect of Europe's new privacy regulations, GDPR, and we were discussing a rhetorical question …

  1. James 51 Silver badge
    Pint

    Nice to see an MEP doing their job. Have one of these (see title)

    1. Anonymous Coward
      Anonymous Coward

      True! A refreshing change from officials bending over for U$ corps. Reminder of what came before:

      https://qz.com/993995/how-facebooks-fb-sheryl-sandberg-personally-lobbied-irish-prime-minister-enda-kenny-as-shown-by-2014-emails-published-in-the-irish-independent/

      https://qz.com/162791/how-a-bureaucrat-in-a-struggling-country-at-the-edge-of-europe-found-himself-safeguarding-the-worlds-data/

  2. big_D Silver badge
    Coat

    Car data...

    It's easy, I bought the car, if Google or Mercedes want data from it, they can pay me for it...

  3. NohSpam
    Big Brother

    My Data, My Rules!

    There's a whole new business sector in the offing here!

    If Europe were to legislate that we own our own data, then businesses who currently treat our data as their private property would have to start to reveal the actual value of the data in order to access it.

    Each contractual relationship with a supplier would be predicated around ONLY the core data actually required to deliver the product, utility or service and any data over and above that would be the customer's to keep private or reveal, with control over the granularity, purpose, time, reuse rights, etc. If you begin a contract with a new electricity supplier, the core data might be your name, address, bank & standing order details, and quarterly meter readings (whether manual or smart meter). More frequent readings are useful to them and the customer should have some quid-pro-quo on that value AND the right to all the data in a form they can read and store. Any legislation would need to protect from suppliers changing terms so that you're effectively forced by price or features to hand over more data.

    I'm not suggesting anyone would want all of their suppliers to bombard them with data they have no interest in and mostly wouldn't know how to read or exploit. I'm suggesting, coming back to the idea of a new business sector, that if the data is mandated to be available in an open, semantically rich format (e.g. XML or JSON), then there would be a niche where we have a proxy who stores the data for us. The data storers could compete on reputation, security, price, ease of use, value add and insights. Particularly value add or insight. With all our data aggregated from across our data generating lives in a semantically rich format these storers could mash up, analyse and correlate across disparate data streams giving us genuinely useful insights into our lives that have value for us and which should we wish to, we could make available to other companies, for a reasonable market value but with the surety that we can contractually control the usage.

    I am under no illusion that pretty much every company on the planet would rather maintain the status-quo and would lobby strongly for it but the EU has a reputation for standing up to that corporate strong-arming.

    Anyone else like the idea?

  4. Lysenko

    I remind him that the auto industry is adamant that there's no internet access to the CAN bus

    What's that supposed to mean? As it stands, it is equivalent to saying there's no internet access to USB, which is true only insofar as USB signalling isn't a native internet protocol, but that doesn't stop you streaming a webcam over the internet. CANBus is essentially RS485 with packet collision detection so (just like ModBus) it can be thunked over TCP/IP as well.

    Any vehicle with an OBD-II port sold in the last decade is surfacing CAN to the outside world, so with a few days hacking (or blog reading) you can graft a cellular modem onto an OBD dongle and route CAN traffic anywhere on the planet. Exactly what you can do with that obviously depends on what features the CAN interface surfaces (intentionally or otherwise).

    1. NohSpam

      Are you referring to the mandatory in-vehicle SIM cards, nominally for crash detection and emergency response automation etc? (where the 'etc' is the scary bit)

    2. Anonymous Coward
      Anonymous Coward

      "Any vehicle with an OBD-II port sold in the last decade is surfacing CAN to the outside world, so with a few days hacking (or blog reading) you can graft a cellular modem onto an OBD dongle and route CAN traffic anywhere on the planet."

      For a standard OBD-II port there is no internet access to it. That is true. Just because it has a connector does no 'surface' it to the outside world. It is just a port that sits in your car that you can connect to. If you choose to fashion a modem to to the ODB port then that is your doing, the same way that you could say my fridge isn't connected to the internet but you could fashion an IP thermometer to it if you wanted to. So I'm not sure of your point - almost anything could be re-engineered to allow it access to the net if required.

      The question is whether Data links in current cars can externally be adjusted to read/write to the CAN bus.

      1. Doctor Syntax Silver badge

        "If you choose to fashion a modem to to the ODB port then that is your doing,"

        And if you can, so can the vehicle manufacturer.

      2. Lysenko

        That's why I queried the original comment. It seemed to mean either:

        a) nothing .. or..

        b) that there is some sort of "security" that definitively stops CAN being externally hacked.

        The former is a pointless comment and the latter is hogwash. Take the (TI) AM3352 or DRA746, for example. Both are automotive SOCs with dual gigabit ethernet and CAN interfaces. The only thing that keeps the CAN away from the ethernet is whatever firmware the chipset is running (and you can guess why they've got dual ethernet interfaces).

        I mentioned OBDII simply because it's a supported/non-destructive way to patch into the CANBus that anyone can play with. Getting to CAN by hacking a Spotify downlink is hacker territory, but there's nothing to stop it besides (hopefully) flawless software/firmware which is exactly the same protection you have against remote activation of your USB webcam.

  5. Yet Another Anonymous coward Silver badge

    Actual result

    Checkbox added to EULA saying "can use all my data" before you can install the product

    Politiian is happy - they have "saved the consumer"

    Manufactuer is happy - it gets the data anyway

    Laywer is happy - fees for the small print meant they could get the AMG upgrade

    Even the intern who implemented the extra tick box is happy

    The same way that the Eu protected us from cookies

    1. israel_hands

      Re: Actual result

      Not so fast, Monsieur.

      GDPR specifically forbids pre-ticked boxes and assumed opt-in of any kind. They can't even refuse a service if you refuse to opt in to data sharing*. This means that if you want to sign up for a Google account you don't need to provide them with any data you don't want to. They could probably use the "required-for-service" clause (see footnote) to force you to provide a phone number by making 2FA a requirement for the account but they can't force you to be tracked or allow them to sift your e-mails for data if you don't want them to.

      Also, the whole "you've accepted the EULA by opening the box" has never applied in the UK/Europe and that will be blocked even harder after GDPR lands.

      The comment about cookies is entirely valid. But having read the ICO's notes on GDPR implementation it looks as though they've got a lot more canny since they wrote the well-intended but shamefully broken rules on cookies.

      An interesting article with some salient points. And kudos to the MEP for actually doing a proper job and not just collecting money and guffawing like whiskey-soaked ballbag with a grinning face drawn on it**.

      Somewhat annoying I had to cut through the author's constant axe-grinding against Google (it's not just them, it's every fucker out there), pointless sideswipes against Wikipedia and current obsession with Dave Eggers' book. If he could have at least worked in a dig against Stephen Fry I'd have completed my Orlowski Bingo card for today.

      I think GDPR is going to be a massive step forwards for privacy in the EU and hopefully, if the idiot Tories try to sidestep it after Brexit (because it will come in prior to that) the EU will be able to force them to keep it if they want to use any sort of data services involving EU citizens.

      And it's something that is sorely needed. At the moment it's just insane the amount of data is collected, collated and passed around to a terrifying number of people. It's slipped completely under the radar of most people and has grown out of all reasonable scale and this is exactly the sort of situation that governments are meant for: Stepping in and providing safeguards for the vast group of citizens that are literally their only actual reason for existing.

      *The exemptions that exist to this cover something that is required in order to perform a service. So a courier company can refuse you service if you won't provide them with your address, as this is something they legitimately require in order to provide you with their service of delivering to your address.

      **Any resemblance to that cunt Farage is entirely intentional.

      1. sabba
        Pint

        Re: Actual result

        You, sir, would have been upvoted solely for "Any resemblance to that cunt Farage is entirely intentional"!!

    2. Doctor Syntax Silver badge

      Re: Actual result

      Checkbox added to EULA saying "can use all my data" before you can install the product

      And any court in the EU would throw it out as non-binding.

      1. Yet Another Anonymous coward Silver badge

        Re: Actual result

        It's easy enough to make it so that the data has to be collected to make it work.

        If I choose to make my home assistant collect all your audio and process it in the cloud and have small print telling you that I do this - then I'm compliant.

        The law doesn't say that I HAVE TO re-engineer the device to only transmit after a keyword, or to process the audio locally.

        1. israel_hands

          Re: Actual result

          @Yet Another Anonymous Coward

          It's easy enough to make it so that the data has to be collected to make it work.

          If I choose to make my home assistant collect all your audio and process it in the cloud and have small print telling you that I do this - then I'm compliant.

          The law doesn't say that I HAVE TO re-engineer the device to only transmit after a keyword, or to process the audio locally.

          No it's not at all compliant. Check the ICO guidelines. You have to make it clear what you're doing, ask me to opt-in (not opt me in automatically and bury the opt-out choice in fine print), explain exactly who you plan to share the data with and for what specific purpose (not simply say "trusted partners" or "3rd-party companies") and regularly check with me that I'm still OK with what you're storing and using at regular intervals.

          Facing reality, GDPR will probably be compromised in all sorts of ways, but my reading is that it's very much been put together with a view to ruling for an outcome (ownership of personal data) rather than against a single limited business model which was fucked from the start because they didn't think through the law of unintended consequences and how various corporate entities would squirm around the rules-as-written.

          If this sort of thinking had been applied to, for instance, taxi operator regulations, something as fundamentally fucked in the head as Uber would never have got started.

  6. Doctor Syntax Silver badge

    I'm not sure I see the use case for this machine readable data extract. If I might well want to stop using a service. I might also want to use another. The two are not necessarily connected. If they're not then I need to input sufficient data into the new service. I'd also want the old service to delete all such data as the GDPR says it must if I ask. But if I were to ask for the data from the old service to save me from inputting data into the new I'd likely find that the formats and maybe content differ. I'd end up either doing the input manually as I'd have to do in other circumstances or I'd have to convert it if possible but although most of us here could do that the bulk of people wouldn't and in any case we'd probably find the job more trouble than it's worth.

    And that "if possible" phrase covers a multitude of possible problems. Just take addresses. Different businesses have different ideas as to how many lines go into an address and how long they are, what the fields are* etc. I have memories of trying to cram reasonable addresses from the order processing system into the unreasonably short fields of the accounts system; the accounts staff had the same problem wrapping individual address lines over multiple lines in the accounts.

    * Why do so many address formats assume I live in a city? Apart from just visiting I haven't lived in a city since the early '70s.

  7. This post has been deleted by its author

  8. amanfromMars 1 Silver badge

    Rules and/or Laws Regulate Slaves to Systems?

    GDPR introduces stiff fines – 4 per cent of global turnover – for offenders.

    Is that supposed to be a punishment and deterrent ..... a simple monetary confiscation/virtual wealth transfer? Does no body do any hard time locked up in a penitentiary with fellow felons any more?

    Aint that the solution which is causing all of the current global problems?

    FFS .... Are human systems incapable of learning and changing and acting differently and are they stupidly designed and defaulted to keep on making the same basic mistakes, over and over again.

    Aren't y'all lucky there be Virtual Machines now available to make and take things to the next higher levels.

    You surely do realise that is where we be at, and what IT is all about nowadays, don't you? Or are y'all trailing way behind the leading curves in those novel fields with Live Operational Virtual Environments?

    Everything easily available with media more than just proves that it is so, with systems petrified in silence to new flashy developments and terrorised with the reporting of Other Aged conflicts.

  9. razorfishsl

    People are forgetting that they don't own other peoples data.

    Take for example UPS or DHL in Europe or Hong Kong, you can allocate your phone number

    so the delivery guy can contact you before delivery........

    only problem is that it uses the delivery mans phone, so if that delivery man is running facebook

    then under the EULA for the delivery man , he said he would share the data from his phone,

    But I never gave him permission to share my phone number with Facebook.

    I live in a private gated estate. google is not allowed in our estate, but since the delivery company is using google API's on its delivery vehicle software & hand helds, my address and full details have been passed to google.....

    worse my house and the address I gave to the delivery company is now on google maps.

    How do I know.... Simple, the spelling/ layout of the address is slightly different for each delivery company used.

  10. Anonymous Coward
    Anonymous Coward

    Consider the lilies of the field

    I used to think that "securing your account with your phone" was a value-add service. Doh. I used to think that "ensure you don't get locked out of your data - register multiple email addresses" was a great idea. Doh. I used to think that having all your documents and photos stored for free was just them being nice, until the penny dropped about facial recognition and location data in pictures. The current debate about "responsible encryption" is so unreal that I wonder if it is a decoy. I am sure there are altruistic organisations out there that only want to help. But I am also sure that they don't use algorithms to work out who to help. Years ago there was a little joke doing the rounds that went "Consider the lilies of the field. And while you're doing that, I'll be over here, going through your stuff". Or something like that.

  11. hubots

    The regulatory noose is finally narrowing down on "data oil"

    https://themarketmogul.com/gdpr-will-trigger-meltdown-data-oil/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019