GDPR – How Not to Protect User Privacy

Today I read a tweet praising the positive impact of GDPR on security and privacy. As a founder of several security companies (on the “receiving” end of this regulation, since clients must use their services to pass GDPR checklists), I have had a different experience.

This is the reality of GDPR:

  • It’s more about paperwork than actual security improvements. Companies invest money, but most of it ends up as documentation sitting in drawers, ready for a potential audit
  • GDPR is most “needed” for government agencies and the public sector, who intrude on privacy the most. Paradoxically, GDPR doesn’t apply to them
  • Security is about risk management. GDPR introduced two new risks: the risk of an audit and fines, and the risk of a data breach and the fines that follow it. The budget to cover these risks (risk = cost) often comes out of the budget for real security with actual impact
  • We still click annoying cookie notices and sign personal data processing consents with no real benefit
  • Most entrepreneurs don’t even want to collect personal data. They are forced to by the state, for example by EU VAT rules: an e-shop must collect a billing address, payment method, phone number or IP address, and how much of this data it must collect depends on whether those items tell a consistent story about the customer’s tax residency. If I want to provide someone with an online service (such as software as a service), I really don’t need their phone number and address. But the state needs them and wants me to collect them on its behalf.

Where Did It Go Wrong?

For years I attended hacker conferences where activists highlighted privacy issues. Working groups emerged from this community that wanted to solve the problem with large-scale regulation. However, they missed two key aspects:

  1. The state requires tracking. It needs banks, mobile network operators and entrepreneurs to collect data. All purchases and bank transactions end up in state systems. A cookie in your browser is negligible in comparison.
  2. The internet economy is built on “free” services. Users and their attention are the product. Data centers don’t run themselves, and regulators can’t stop companies from monetizing our attention. We just have to fill out one more form.

Paradoxically, one of the biggest regulations of tracking was Apple’s stricter App Store policy. It did better than GDPR.

The Result

  • We have less privacy than before GDPR
  • Massive costs on both sides
  • Money that could have gone to real security improvements goes to bureaucracy instead
  • Some services aren’t available in the EU at all – it’s cheaper to block EU users than to comply with the regulation

Thanks to corporations, at least, for foreign phone numbers and VPNs. And by the way, if the phone number and IP address tell different stories, different VAT rates apply as well.