by mooman219 2421 days ago
Being honest, some of the most egregious handling of PII is by small companies who don't have the resources to understand that it is PII, or how to store it, or how to be in compliance. I don't think it's failing in that case. A small company wouldn't google how to build a bridge then DIY it, but that's what's happening with storing PII. If I had a dollar for every article I read where a doctor's office had records on an un-restricted FTP server...

I work at a lot of startups as a contractor. The disregard for privacy and user data everywhere I go is astounding. They're all in survival mode.
It's funny how we let this all slide when it comes to tech. Imagine if someone said "Food safety regulations only hurt the small businesses, they don't have the resources to wash a cutting board after cutting chicken while McDonalds serves unhealthy but legally safe food"
But that's exactly what happens in the world though. In some poorer countries like China, street vendors are literally using gutter oil to make food.

If you want rules to be respected then you must be able to enforce them. Poorer places just can't afford to enforce those rules. If rules aren't enforced equally then people won't follow them, because if they have additional costs that their competition doesn't then they'll likely be outcompeted.

But I don’t think McDev above was talking about a software startup in the poorest part of the world. I have implemented GDPR in a small non profit open source SaaS business. A funded startup should have no issue doing the same.
But I wasn't talking about poorest parts of the world either. China is richer than some EU countries, eg Bulgaria.
They can and they do enforce it. Street vendors are much less common in China than they used to be.
Yes, in now richer cities. But they still thrive in lower-GDP cities.
> Imagine if someone said "Food safety regulations only hurt the small businesses, they don't have the resources to wash a cutting board after cutting chicken while McDonalds serves unhealthy but legally safe food"

But that's exactly what we do. The health inspector doesn't come to your home to verify that you wash your cutting board, even on the day you have a dinner party to entertain business clients. Depending on local law you may or may not be expected to follow the same rules as McDonalds (getting a food service license etc.) when you hold a high school bake sale, but people commonly don't actually do it and governments commonly don't actually enforce it in those circumstances.

Because it's more important, and justifies a higher compliance burden, to ensure that the company serving billions of hamburgers isn't giving people food poisoning than the individual serving four.

I believe you're being downvoted because it is common knowledge that food service legislation only applies to those selling food, and therefore intentionally doesn't apply to dinner parties.
Does the GDPR only apply to those selling personal information?
If your European friend tells you their phone number and you write it down on your refrigerator (or your public blog for that matter), the French government isn’t going to come fine you for violating GDPR.
My experience with startups lately is if it's a greenfield project that started within the past 3 years then they'll do everything by the book (sometimes even down to storing email addresses as hashes in the database, requiring a user to log in first for the software system, and the company, to know their email address).

Older systems which depend on having PII and even financial information as cleartext in the database are the problem, and it's essentially technical debt with far-reaching consequences, so no one will fix a system that uses tenants' customers' SSNs as a primary key (yup).

I am aware of a legacy system powering a local business which runs on Rails 1 on a version of Debian from 2012 and stores users' passwords in plaintext, downcased.

I have tried to explain so many times that this system needs to be replaced urgently not for security reasons but because no one actually knows how to use Rails 1 anymore.
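The hashed-email lookup mentioned a few comments up (storing email addresses as hashes and resolving the account only when the user logs in), as an added example in Python. This is illustrative code written for this page, not code from the thread or from any of the systems it describes; the pepper constant, the in-memory user store and the candidate address list are all constructed for the example. The unkeyed variant is included alongside the keyed one because a bare hash of an email address is a weak privacy control: addresses are low-entropy, and anyone holding the table can recover them by hashing a candidate list. The HMAC form only helps while the pepper lives outside the database.

```python
"""Keyed-hash email lookup: the users table holds no cleartext email column, yet
an account can still be found when the user submits their address at login.
Added example; not code from the original thread."""
import hashlib
import hmac
import unicodedata
from typing import Callable, Dict, List, Optional, Set

# Assumed: a per-deployment secret held outside the database (KMS, env var).
# This value is constructed for the example only; never hard-code a real pepper.
PEPPER = bytes.fromhex("5f3a9c1d7e2b4a6c8d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e")


def normalize_email(email: str) -> str:
    """Canonicalise so the same mailbox always yields the same lookup key.
    Case-folding the local part is stricter than RFC 5321 requires, but it matches
    how mail providers behave in practice and avoids duplicate accounts."""
    return unicodedata.normalize("NFKC", email.strip()).casefold()


def plain_email_hash(email: str) -> str:
    """Weak variant: an unkeyed SHA-256 of the address. Anyone with the table and
    a list of candidate addresses can reverse it (see dictionary_attack)."""
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


def email_lookup_key(email: str, pepper: bytes = PEPPER) -> str:
    """Keyed variant: HMAC-SHA256 under a secret the database never stores.
    Without the pepper the key cannot be brute-forced offline."""
    return hmac.new(pepper, normalize_email(email).encode(), hashlib.sha256).hexdigest()


class UserStore:
    """In-memory stand-in for the users table. Rows are keyed by the HMAC and
    carry no email column, so a dump of the store exposes no addresses."""

    def __init__(self, pepper: bytes = PEPPER) -> None:
        self._pepper = pepper
        self._rows: Dict[str, Dict[str, str]] = {}

    def register(self, email: str, display_name: str) -> str:
        key = email_lookup_key(email, self._pepper)
        if key in self._rows:
            raise ValueError("account already exists")
        self._rows[key] = {"display_name": display_name}
        return key

    def login(self, email: str) -> Optional[Dict[str, str]]:
        """Resolve the submitted address to a row. Only at this moment does the
        application learn which address belongs to the session."""
        return self._rows.get(email_lookup_key(email, self._pepper))

    def stored_columns(self) -> Set[str]:
        """What a database dump would reveal: the column names actually stored."""
        cols: Set[str] = set()
        for row in self._rows.values():
            cols |= set(row.keys())
        return cols


def dictionary_attack(target: str, candidates: List[str],
                      hash_fn: Callable[[str], str]) -> Optional[str]:
    """Offline guess of which candidate address produced `target` under `hash_fn`.
    Succeeds against plain_email_hash; fails against email_lookup_key unless the
    attacker also holds the pepper."""
    for cand in candidates:
        if hmac.compare_digest(hash_fn(cand), target):
            return cand
    return None


if __name__ == "__main__":
    store = UserStore()
    store.register("Alice.Smith@Example.com", "Alice")
    print("login:", store.login("alice.smith@example.com"))
    print("columns on disk:", store.stored_columns())
    leaked = plain_email_hash("alice.smith@example.com")
    guesses = ["bob@example.com", "alice.smith@example.com"]  # constructed list
    print("plain hash reversed to:", dictionary_attack(leaked, guesses, plain_email_hash))
    keyed = email_lookup_key("alice.smith@example.com")
    print("keyed hash reversed to:",
          dictionary_attack(keyed, guesses, lambda e: email_lookup_key(e, b"attacker-guess")))
```

Two points worth noting from running it: the login path works regardless of how the user capitalises or pads the address, because both registration and login go through the same normalisation; and the dictionary attack recovers the address from the plain hash immediately but gets nothing from the HMAC without the pepper. Rotating the pepper means re-keying every row, so it should be treated like any other long-lived secret and kept out of the database and code repository.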

I have a Rails 1 product making $10K a year but I don’t have even the ability to log into the box anymore so if even the tiniest thing falls over that revenue is permanently gone for me.
I'm curious about the economics of this - is it big enough to not be worth redeveloping when you consider over the income over say, 3-5 years?
I’m too busy with my kids and my job to deal with it.
Do you consider it difficult to survive as a startup while protecting the privacy of users?
You're right, but they probably can't afford to do it right. And since enforcement on this is lackluster it makes sense for the companies to just ignore it altogether, because if they get caught then it probably doesn't really matter if they took some steps to help privacy or none at all.

I think there should be some exceptions to it for small companies based on the impact of the PII. E.g. if the company handles email addresses or first names then that should be far less strict than if a company handles medical information, home addresses or credit card information.

On the other side, we should have audits in companies to see how the personal data is handled. Particularly in ones that deal with sensitive information.

> can't afford to do it right

The simplest way to comply is to not obtain and store personally identifiable information at all. Luckily this is also the cheapest. So I don't really buy that you "can't afford to do it right".

If you want to obtain and store personally identifiable information, then you have to manage it properly, just like selling food, medicine, financial services etc. need to follow certain regulation.

Note that all the competitors in the space will have to follow the same regulation, so it is not like it puts you at a disadvantage.

I don't want to live in a world where inviting people over for dinner is practically illegal because of food safety regulations. And I don't want to live in a world where I'm not allowed to write down my friends' birthdays and phone numbers.

I'm not sure if we have passed the line of too many regulations, but I know it's out there.

The EU even considers an IP address as personally identifiable information...
If you remove "IP" and it still seems like a bad idea... I just don't understand what your problem is.
Of course.
> they probably can't afford to do it right

Two things occur to me here.

1) it's a cost of doing business. Costs of doing business change over time. Step changes as a result of regulation are typically introduced with windows to allow businesses time to respond. If you can't reasonably cover the cost of the change then...capitalism. You will fail and someone else will succeed. No one is guaranteed a profit.

2) Sounds like a business opportunity? GDPR/Privacy as a Service. e.g. https://privaon.com/ (first search hit).

> there should be some exceptions to it for small companies

This would effectively become a get out of jail for companies that want to outsource their (lack of) privacy with sufficient arms-length plausible deniability.

> 1) it's a cost of doing business. Costs of doing business change over time. Step changes as a result of regulation are typically introduced with windows to allow businesses time to respond. If you can't reasonably cover the cost of the change then...capitalism. You will fail and someone else will succeed. No one is guaranteed a profit.

Except that foreign companies won't have this same limitation. The end result is that all of your online services will be provided by foreign companies, which ironically is already the case in the EU.

A foreign company that's beyond the jurisdiction of the EU can abuse GDPR as much as they want. If they get caught then they'll just lose their business. The EU can't actually fine them, but that same company likely outcompeted EU companies for years.

> This would effectively become a get out of jail for companies that want to outsource their (lack of) privacy with sufficient arms-length plausible deniability.

They can do the same thing with foreign companies though. If you can set up a system where you would use your small companies to escape regulation, then the same can be done with companies run by foreigners.

> 2) Sounds like a business opportunity? GDPR/Privacy as a Service. e.g. https://privaon.com/ (first search hit).

And said business opportunity is additional inefficiency on businesses in the EU that their global competitors don't have to follow.

You're getting downvoted because you're incorrect: it doesn't matter where a company is from, if they're conducting business with people in the EU, they're bound by it. Which is why several non-EU companies have paid fines and plenty are implementing GDPR-based privacy measures (and I speak from experience here).
Foreign companies paid fines because they still wish to operate in the EU. If they were willing to give up on that then they wouldn't have to pay anything. E.g. a Chinese company could collect and abuse as much data as they wanted. Once they get caught the EU can levy fines on them, but the company can just choose not to pay, because the EU can't reach into China.

The EU can't force a foreign company to pay, just like China can't force an American company to pay. Or am I mistaken and there's some international agreement that allows the EU to force them to pay up?

I recently did a stint as a contractor at one of Australia's "big 4" banks. I can assure you that they are so active in the privacy space, and foresee more and more GDPR-like regulations, that they've created their own privacy framework based on GDPR plus likely similar frameworks to come in other jurisdictions. It is one of the biggest funded projects in that bank (it helps that Australia recently had a negative spotlight on the banks' behaviour. Thanks Royal Commission!).

The point I'm trying to make is that if you have European customers, then the GDPR applies. Therefore, "foreign companies" competing for EU customers, definitely do have this limitation. Fines have been issued for companies that don't comply, and the sizes vary immensely (e.g. over 200 million euro for British Airways down to 118 euros (not millions, 118) for the Data Protection Authority of Saarland).

http://enforcementtracker.com/

GDPR might apply and the EU can levy fines on foreign companies, but that doesn't mean that a foreign company has to pay like a European one. The EU can't force a Chinese company to pay if they are willing to give up their EU business. That's the problem - you can't enforce it where you have no legal jurisdiction.

Or do I have it wrong and that there is an enforcement mechanism that can make a Chinese company do things the EU says?