[oytis]

I can't get into Simon's head, but I've got a feeling that GDPR contradicts the basic maxim of hacker culture that my computer belongs to me. The website seems to teach how those who care enough can protect their privacy by getting control over one's own computer, not imposing requirements on the others'.

[pluma]

Your computer belongs to you. My data belongs to me. I can give you my data and you can keep that data if you tell me what you are going to keep it for and how you are going to use it and when I agree with all of that, but you don't get to abuse it for anything else and I can revoke that permission at any moment and you have to comply.

It's not "imposing requirements", it's called "respecting consent".

The more I hear arguments like this the more it reinforces my impression that "hacker culture" isn't really about experimenting with technology but more about self-entitled rich kids abusing other people and shared property for their own fun and profit (like young Zuckerberg marveling at being trusted with access to people's private information without understanding the implied mutual understanding his users assumed to be self-evident).

I feel like the GDPR is the Code of Conduct of privacy laws: it codifies a modicum of respect that should need not explicit mentioning but seems to have been entirely lost on entire generations of (aspiring) Silicon Valley hacker types and thus catches them by surprise when it really should be the least you can do.

At the very least you are now aware that when you're violating your users' privacy (if only by handing off their data to random BigCo's you have no formal contract with) you're breaking the law just as clearly as those cool '80s kids were breaking the law when they whistled into phones to cheat their way to free phone calls.

[oytis]

Not to start a long philosophical discussion, but hacker culture (you might not like it, but the author seems to be sympathetic to it) has been traditionally critical to the notion of 'intellectual property', that is that by creating some intellectual work I can prohibit the others from redistributing it. The idea that I 'own' my personal data seems to be another step further is diluting the notion of property: this time I don't even need to create anything to impose limitations on the others.

It is also not about 'rich' and 'poor', it's about clear rules that are the same for the rich and for the poor alike.

[pluma]

I would have considered myself a "hacker" in my teenage years when I was teaching myself programming by digging through language specs online and looking at other people's code to understand what makes it work.

However it seems that "hacker culture" as the author likely sees it (also as described in Steven Levy's "Hackers") is really more about privilege than anything else. A lot of the antics that have entered hacker lore were only possible because the kids performing them were in relatively risk-free environments (particularly the notorious MIT Tech Model Railroad Club). Not necessarily privilege in the modern social sense but certainly in the sense of class (unless you believe being able to study at MIT is 100% about merit and nothing else).

It doesn't matter whether the "rules" of hacker culture are the same for those with privilege and those without: just as in startup culture, you're fare freer to experiment if you have a safe environment to fall back on if you screw up. If you're an MIT kid with wealthy parents a botched prank is less likely to land you in jail and this knowledge allows you to take risks more easily.

Sure, there's a level of anarchism in hacker culture but too often the kind of "hacking" that lands you venture capital for your startup (especially "growth hacking") also includes a blatant disregard for others (again remember Zuckerberg and the "suckers").

You may argue that this is a deviation from the original hacker ethos or not "true hacking" but there doesn't seem to be anything in hacker culture to exclude these people by (which is why I mentioned the formal rules you now often find in codes of conduct, which many decry as superfluous and unnecessary because they seem to state the obvious).

As to your real point: the idea of owning data is the polar opposite of what copyright has become to be about (at least in the US): data is owned by the individual. You can grant a company usage rights but they're always highly specific and easily revocable. Personal data is not "intellectual property", it's an aspect of your own identity.

In the years since the "Social Web" we've seen many failed attempts to allow users to "reclaim" ownership of their data. Microformats, decentralisation, software like Diaspora, the Unhosted movement, and so on. Most of them failed for practical reasons. Few of them really addressed privacy concerns, even fewer really enforced data ownership. The GDPR is promising to accomplish what hundreds and thousands of hackers have tried to do for years: not by rebelling against the BigCo's, but by redefining privacy and data ownership as human rights.

If you understand hacker culture, you will also remember that before the Social Web the norm was to be anonymous: "on the Internet nobody knew you were a dog", "men were men, women were men and 14 year old girls were FBI agents". You'd go by pseudonyms by default and freely pick new ones to swap identities. Unmasking people was possible, to a degree, but difficult because of dial-up and dynamic IPs.

Nowadays every single coffee pot in your home could theoretically have a dedicated IP address and most of the Internet we use to share information is accessed using a browser that's often uniquely identifiable without even looking at the IP. It's no longer enough to rely on technology to grant us anonymity. The GDPR restores some of that early '90s anonymity. Not by outlawing technology but by enshrining new human rights and forcing us to respect them.

/rant

[oytis]

I would'n agree that these attempts were completely failed. Like the whole free software world works, they created better and better tools that at some point could have become good enough to actually protect one's privacy and at a later point could have become usable by non-hackers as well.

Now at the time when it's easy as never before for every (well, not every every but you get my point) schoolboy/girl to create their own standalone page with comments, own e-mail server and whatever they want, they will probably not be able to do so, without risking being drowned by an Abmahnungswelle. Not to say that all decentralized social networks projects are at risk for approximately the same reason.

One might hope that in the future we'll have a reproducible technology for creating GDPR-proof websites and the world will be a happy place again, but solving legal issues with code is a notoriously difficult problem. Legislative acts are not code, and something as vague as GDPR is not even a spec.

[icebraining]

young Zuckerberg marveling at being trusted with access to people's private information without understanding the implied mutual understanding his users assumed to be self-evident

I disagree; he understood just fine, hence saying "they trust me". I'd say he was marveling at the naivety of those users for putting such faith in a random stranger. He probably, like so many of us into computers back then, had an understanding that you didn't use your real name online, let alone pictures or addresses. Seeing 4000 people blindly disregard basic safety rules would certainly be remarkable.

Where I diverge from him is that my action after calling them dumb fucks would be to kill the experiment and warn people of the dangers of what they were doing, not doubling down.

[pluma]

Sure, it was seen as a social faux pas at the time but mostly because the web was much more personal: companies had no need to do anything nefarious with your data, so they wouldn't have cared, but a lone individual running a random website could potentially know you and ridicule you in front of your friends (especially when it's some random kid at the same university).

What Facebook did was prove that you could make a business out of exploiting those users' personal data without needing to cause obvious harm to them directly (i.e. in ways that were still potentially unethical but 100% legal).

The reason I'm saying he was being unethical at the time is that he saw their misplaced trust as an opportunity to exploit them (initially by snooping for fun, later by exploiting their data for profit). The ethical response would have been to either reject the responsibility (as you describe) or acknowledge it and start thinking about how to protect that data for the users.