[maximente]

this is fundamentally insufficient, though.

if there's a hosted image from a facebook domain (e.g. a like button), unless that image is loaded after consent is given, facebook can already associate that users' IP address with having visited that web site by nature of sending the image over. in other words, facebook is tracking pre-consent (unless those images are loaded post-hoc, which is just not happening in today's world)

as a result, it's fundamentally impossible to consent before visiting a particular website, because there's no way to know what other domains will be triggered by visiting that website.

the only way i've found to defeat this behavior is by using ublock's origin's default deny policy which prevents all 3rd party domains from being accessed by default. it's a bit of a usability pain as one often has to add e.g. stack overflow's CDN to use its website "well", but does prevent visiting a website which has an embedded image hosted on a FB domain from being loaded, which defeats the more nefarious FB tracking.

https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-de...

[downandout]

Yeah, but that's easy enough to deal with. You simply don't load any third party stuff (or allow them to see your content) until they click "OK". Some simple javascript is all it takes to delay loading of everything not on the current server.

So basically prior to serving any content, you do an IP check. If they are from a GDPR country, you serve the delay loading script. If they aren't, you just load as normal. Pretty straightforward. I don't think you'd want to do it universally for all users, as you'd be at a competitive disadvantage to other sites. But you can easily enough just do it for EU countries. The other option is to just block them entirely if you have no need for EU traffic. Many sites - US local businesses etc. have no use for EU traffic or the liability that comes with it.

On a side note, with all the walled garden stuff that will be going on due to GDPR, I'll be interested to see how badly the SERPs get fractured, since every site will have a different scheme to require consent and not all of them will have people behind them that are savvy enough to make it not ask Googlebot for affirmative consent. This will put smaller businesses in the EU that don't have the resources to hire someone to deal with these issues at a serious disadvantage if they can no longer be indexed.

[maximente]

what you've suggested seems OK technically, but i feel like you're making an assumption that originating source of traffic determines citizenship of the user.

it could very well be that an EU citizen in Asia or the US is collected upon given your algorithm. if that's the case, are you not in violation of GDPR?

but, at the risk of rabbit-holing, your suggestion would be a pretty fundamental change to how the web works. in effect, you'd be moving toward a splintered web, where content is basically region locked.

to be fair, i don't have anything else to offer here; it just doesn't seem so easy to me.

[downandout]

but, at the risk of rabbit-holing, your suggestion would be a pretty fundamental change to how the web works. in effect, you'd be moving toward a splintered web, where content is basically region locked.

I think you're spot on, but that was the danger of implementing heavy-handed legislation like GDPR all along. I believe that EU citizens are going to find themselves locked out of a whole world of content. But that's the world they've chosen to create for themselves. Further, if the overwhelming support that GDPR has on HN is representative of that of the entire EU population, they welcome this newly splintered world and its consequences - both good and bad (though I believe that this support is the product of the mistaken belief that the world will simply play ball and be dictated to by the EU, rather than the rest of the world simply taking their ball and going home).

[freehunter]

Hmm. I'm not sure about that. If Apple and Google won't pull out of China even though China makes them do all sorts of business stuff they disagree with, I highly doubt they (web companies) would pull out of the entire EU.

It would be absolutely incredible if Facebook et al "took their ball and went home" throwing away 500 million customers.

[jonas21]

Google did effectively pull out of China in 2010 [1].

But in the case of the GDPR, it probably helps Google and Facebook more than it hurts them -- they can afford to jump through all of its hoops while smaller competitors might have trouble. It's essentially a barrier to entry.

[1] https://en.wikipedia.org/wiki/Google_China

[downandout]

Of course not, because Apple, Google, Facebook et al have the resources to spend millions on attorneys to implement the GDPR. My comment comes from the perspective of an operator of several small sites that get a total of a few million visitors per month combined. I'm not spending millions on attorneys, and EU traffic is only incidental to my sites anyway, so I am indeed taking my ball and going home.

This will make a difference for some users on some of the forums I run, as they will be banned with an apology and an invitation to come back if they ever move out of the EU. But it's not worth taking on the liability of potentially millions of dollars in fines for accidental non-compliance with a heavy handed, massively complex law that is up for different interpretations in the courts of no less than 28 unique countries. Unless you're in the EU or are a multi-billion dollar company with a large legal department, accepting EU traffic post-GDPR is an act of insanity.

[KozmoNau7]

Are you hosted in Europe, and/or do you do business from the EU?

No? Don't bother instituting a stupid ban like that, then. And stop scaremongering.

GDPR applies to businesses.

Besides, compliance isn't too bad for something like a forum. Just purge the relevant user records and posts, if requested to or when a user deletes their account.

Source: I am doing GDPR compliance on web applications for a major telco.

[michaelmrose]

You seem to have complected extensive indiscriminate data collection with simple advertising and the more fundamental point of connecting and serving people.

You can use a combination of advertising and payment to fund services that connect people and facilitate commerce without extensive privacy destroying data collection. This model worked fine previously and it will work fine in the future. If anything hardware and tools are damn near amazing compared to the bygone past.

I struggle to think of any service in the world that is impossible or even challenging to replace. If anyone decides to take their ball and go home they will be replaced by a competitor who will use that extra revenue to improve their positions in other market to the original fools detriment.

There is in fact no reason to believe other markets including the US wont ultimately discover the merits of protecting their citizens privacy considering that in the US perhaps 171k work in the advertising industry out of 300 millions.

How the 0.02% can do an effective job without trampling the rights of the 99.98% is an exercise I leave to them and if they can't figure it out, then I hope the food stamp program still exists so they wont have to stand outside 7-11 with placards reading "will lie for food".

[KozmoNau7]

>"the mistaken belief that the world will simply play ball and be dictated to by the EU, rather than the rest of the world simply taking their ball and going home"

And leave millions and millions in profit on the table for everyone else?

That the same argument used against changing the tax codes so companies would actually have to pay taxes in the countries in which they do business, by closing the loopholes.

They're not going to throw away profitable markets just like that. And if they do, good riddance.

[edoloughlin]

if there's a hosted image from a facebook domain (e.g. a like button), unless that image is loaded after consent is given, facebook can already associate that users' IP address with having visited that web site by nature of sending the image over. in other words, facebook is tracking pre-consent

This just leads to a bunch of questions: where an image is loaded from FB by a site, who is the data controller? Surely it's the primary site, not FB? In that case, then is FB a data processor (and subject to more restrictions)? If FB is a controller in its own right then how does FB gather consent in this case?

[x0x0]

It doesn't matter if you load an image off fb.

per GDPR, without consent, fb cannot legally use that data (for EU residents).

And you don't need to trust that; fb knows they're going to be spending some quality time in front of their privacy regulator.

[downandout]

You're actually wrong. It is the responsibility of the website to notify the user. Facebook has placed in its policies a rule that says that you cannot use its code/buttons/images on your site without obtaining consent by the user for FB to place cookies there. They have a reasonable expectation that you have complied with this, or the image/whatever would not have been caused to load by your site.

Otherwise, think of the havoc. You decide that you want to get Facebook in trouble. So you place a Facebook button on your site and don't notify users or ask consent. Then you go call regulators. In this case, you'd find yourself in trouble, not Facebook.