by volak 2206 days ago
I would pay a subscription to a news site if they spent all their time evaluating 2-5 year old events and determining which side was right.

2 years ago comments of "this will only benefit the lawyers" would be -50 points. Turns out... actually yeah.

8 comments

Reminds me when the EU "Fixed" Cookies and now we have these stupid click-through warnings everywhere that have pretty much ruined the user experience. Root cause: people passing laws they have no idea what about.
Nothing about the EU law requires sites to put up cookie warnings and degrade the ux. They choose to do that.
But they all choose to do that, so that's the actual outcome of the legislation.

I don't understand why I keep seeing this argument. We all have to deal with cookie dickbars regardless of whether or not your armchair lawyer argument is technically correct. If this is what the law does in practice, and the behavior is generally seen as compliant, then it's a dumb law.

Plenty don't. Hyperbole isn't helpful.

Lots of websites seemingly actually break the law, with full page "can't see the page unless you click accept" etc. The problem seems to be under-enforcement, and then we're right back at the point of TFA.

I agree that (under) enforcement is part of the equation, but I don't think it's the primary issue.

The problem starts when legislators write vague or ill-posed laws because they don't understand the underlying technical issues. If your understanding of the problem is that "cookies are some sort of tracking token and tracking is bad," you will not be able to write effective legislation. You need to have a basic understanding of HTTP, you need to know how cookies fit into HTTP, and you need to be aware of some basic cookie usage patterns. You need to be able to identify that some things that certain companies build using cookies are problematic, and other things are totally benign and are required for basic functionality. You need to be capable of understanding that a user's "allow/deny cookies" preference usually can't even be saved without a cookie.

When the law actually comes out, it's so vague and seemingly self-contradictory that lawyers at these companies are going to say "We have no clue WTF they meant here, or how they intend to enforce this law, or if they even intend to enforce it at all, but just to be safe, let's just do it this way that's obviously stupid, but appears to be what everyone else thinks will pass the sniff test."

Then the law isn't actually enforced, because the enforcers don't understand the law either, so the lawyers are like, "Well, no guidance based on patterns of enforcement, in fact, they don't seem to be enforcing this thing at all, so let's just do whatever we want," which is how you get your laundry list of obviously non-compliant websites.

Legislation needs to be clear, enforcement needs to actually happen, and needs to happen consistently in order to reinforce the clarity of the original law. If you don't have these things, your legislation is going to fail. Cookie law used in this example, but the same thing applies to GDPR. So far, very little enforcement, and enforcement has been extremely inconsistent. It's a really bad start.

> You need to be able to identify that some things that certain companies build using cookies are problematic, and other things are totally benign and are required for basic functionality. You need to be capable of understanding that a user's "allow/deny cookies" preference usually can't even be saved without a cookie.

But they did all that. Functional cookies (shopping carts, preferences, etc.) all need no consent. This is not some kind of complicated thing. It only gets complicated if you want to try to trick users into allowing other cookies and/or hope that whenever those things get enforced, they’ll start with bigger fishes than you.

The worst part is that all alternatives to cookies are worse privacy wise... Or at least it would have been if every single browser didn't tacitly accept and keep all cookies. It's getting better, but making cookies permanent should really count as an additional privilege (I mean it does for browser extensions, so why on earth not arbitrary webpages?), also session cookies should really just go away when the tab closes, and first party isolation should probably be the default.
Hate to say that but "check your privilege".

You know what cookies are and made your informed decision to accept them in your browsers. I do not, for example, and block most of them.

99% of internet users did not have that knowledge before those "stupid click-through warnings everywhere".

So if you want to write off the outcome of the EU cookie law, it is not "entitled Californian software engineers got a little annoyed", but instead "the whole world woke up to the fact advertising companies are tracking everything they do online via cookies".

That's actually a good idea. It's really frustrating how (in other types of news) a lot of buzz can be generated and then just silence and we forget it all and move on. But it's not really something that would sell well. Not many people care about yesterday's news, people want to know what's coming next and not what came out of some magazine's prediction several years ago.
I agree it wouldn't sell very well.

But postmortems in the tech world do trend sometimes

a news cycle postmortem - someone pitch this in an elevator

It’s a great idea, but I doubt it would succeed. Human nature tends to include not admitting fault. Also, many readers seem to choose their news (at least political news) for confirmation bias (whether intentional or not), so a news site/paper saying they were wrong would defeat that.

Not saying that retractions don’t happen, but they seem to be always buried under the headlines.

They could call out the news sites/papers of the opposite side though.
That is something I considered. Many partisan sites love to point out the errors of the other side. I know Fox News loves to call out CNN all the time. However, if every site did it, I fear that would just lead to more confirmation bias. And why report that the other side was right? That hurts your viewpoint.

What we need is a non-partisan non-profit to do it. But then there’s the problem of funding (which results in conspiracy theories).

Seems like the best way now is for the reader to make notes to themselves and regularly check back to them and see how things changed, compared to where the hive mind was earlier.
Since we're talking about ideas for news services: I would love to be able to get a list of the most important news in a month or a year. Not a top 10 list but simply a way to try to catch up if you miss a few months.
There are various newsletters for this (mostly weekly), as well as those "what happened this year" summaries everywhere in December.

Also, there are physical magazines that get issued monthly (though it's rarer for political and "news news" topics).

There is a bit of deja vu, since at that time we were pointing out similar flaws in the DPD (lack of enforcement, lack of clarity, govt inefficiencies, the inability for proponents to separate intent from reality, etc).

Sadly, there is an absolute "for or against" mentality out there. You can't make it clear that the implementation of such a law would be poor enough to not justify it being enacted in the first place lest you are told "well, should we do nothing?". We can easily start with easy-to-understand/implement transparency requirements (maybe even just as guidelines or requirements for a form of certification at first while encouraging technical solutions in the meantime). Never-realized scary fines might as well have never been brought forth.

I think the app should be called "Captain Hindsight"
There was a popular pushback against American tech in Europe at the time. Criticism of GDPR was conflated with criticism of that pushback.
Do nothing is an untenable position. Software companies have become so brazen and scummy that even a law which is unevenly enforced is absolutely necessary.

The GDPR brought privacy to the front and into the attention of software companies. It gives us individuals at least a chance to control our data.

I think the reason why these situations boil down to "for-or-against" is because people craft narratives about these measures/changes to law. If the narratives are pushed hard enough then they end up overpowering nuanced discussion.

"If you don't agree with GDPR then you must want to steal my data". It's difficult to make nuanced arguments against it when you get shouted down by statements like that. These narratives are used to label someone and it seems to be common in modern politics.

I thought that’s what everyone thought back then. At least all my friends were like, the lawyers will have a good time and be the only ones benefiting from this
That's a pretty default thing that most educated people know though. Regulation and bureaucracy usually benefit the established behemoths with enough lawyers, while gray zones, sluggish laws or easy processes benefit new players or small ones without all the legal armor.

No wonder that Facebook is lobbying for getting regulated and Microsoft proposed regulating some computer vision uses (faces) etc. Some people of course eat it up and think it's because they are just mature now and understand their responsibility and want to benefit the public etc. In reality it's because they have armies of lawyers who can follow all the legal minutiae, have the internal processes for compliance and documentation, audits etc. Which allow them to do whatever they did before (obviously they lobby for laws that allow their use cases) but make it difficult for others to enter. It's the "kicking the ladder" idea.

Most of my Euro friends didn't think this. There's a huge difference in approach to regulation between the EU and the US.

I would guess that this article is written from a US viewpoint - the "isn't it strange how everyone is approaching enforcement of this differently?" attitude isn't even remotely strange to a European.

As lots of people pointed out at the time, GDPR in Europe isn't that groundbreaking - almost all EU countries had/have data privacy laws that approach the GDPR (not least because the GDPR itself is a continuation of EU regulation in this area). It came as a shock to US companies because of the sudden "well, none of you paid any attention when we didn't give this regulation teeth, so here's the fangs" enforcement change.

And yeah, I'd love to take part in retrospective reviews of old news to work out who was right :)

That's why such a news app would be so interesting.

I remember comments from back then slightly differently.

HN was (is) super into GDPR and any dissonance was (is, but fortunately less nowadays) quickly downvoted.
A person commented and asked me about suggestions, but deleted his comment before I could answer so here it is anyways:

Super quickly (I'm sure you have heard of, or can quickly use a search engine to find the commonly listed issues):

Damages: damages need to be scaled according to the company size, severity and amount. GDPR was created to punish Big Players, but the wording that would have fit them is equally (and should be, laws should be equal) applied to small companies resulting in an impedance mismatch. Frankly, the damages are too small for the Big Players, but insane to the small ones. GDPR also does not apply to the state, but holy shit it fucking should!

Enforcement: it needs to be equally enforced and you need to be able to sue by yourself over it instead of just limiting it to a state organisation.

Data: it should be data that is directly tied to you, ie leave the normal web logs etc out of it. PII is just a sham as it's defined today. A factor of usage also needs to play into it, ie normal web server ip logs that are separate and don't feed into a user specific connection into a database should not be a consideration.

Access: access _needs_ to be able to be done online if the data is collected or transferred online. Ie no this "you need to physically mail us a certified mail with your id" shit. GDPR is a fucking failure in this aspect. Also no required strong authentication: access should be just directly through your account you can access normally without strong authentication.

Usage: GDPR does not allow you to trade tracking for access (ie monetisation of content is almost impossible if you care about user privacy): this is insane. GDPR also supposedly does not allow for those complicated "accept all or modify your preferences" windows, but it should have no saying in that: if a site wants to make the experience painful, that's up to them. It is up to the user to select if they want to use that site or not.

Not quite the time scale you're looking for, but "Delayed Gratification" provides retrospective news and analysis from the previous quarter.

I'm in no way affiliated with the magazine other than I accidentally bought a copy once and enjoyed it.

https://www.slow-journalism.com

I have been habitually sending "I have finished using your service, could you please delete my account" emails since around 2008 or so.

Prior to GDPR, 9 replies in 10 would be polite but dismissive responses, basically telling me that I'm making an unreasonably burdensome request.

Post GDPR, everyone responds with a message stating they have followed my request in a timely fashion.

Am I disappointed that GDPR has not fined Facebook into oblivion? Yeah. I was hoping for global scale schadenfreude as much as the next person.

However, GDPR has fundamentally normalized the notion that people's relationships with companies need not be permanent, and that submitting to eternal spam is not the accepted price of buying a flight online. GDPR has established in law that it's totally reasonable for people to not want to give their local gym an iris scan in order to enter the gym and work out, and it is indeed the gym owner who's the arsehole in that situation. This grants leverage against the arsehole.

In that respect, it's been a smashing success. There is much we could improve on, but on the statement "it only benefited the lawyers"...hard disagree.

Where in the article did you read that that was the only outcome of GDPR? Did you miss how all European companies now need to take privacy seriously?
> Turns out... actually yeah.

That might be how you feel. For me, GDPR and the “Cookie Law” have been amazing, as they make it incredibly easy to detect which websites and businesses you should avoid.

I do however wish they’d be a lot more aggressive with the fines.