[mmgu]

More background: The fine is mainly based on the fact that Disqus forgot to enroll Norwegian IP-addresses into their GDPR «privacy mode».

That meant that websites that had enabled a specific setting ("Enable anonymous cookie targeting") in Disqus were tracking Norwegian without informing them. Most of the websites in Norway and elsewhere did not know they were sharing users data through Disqus.

Major sites like the Wirecutter, The Hill, 9to5mac, Breitbart had enabled the setting in 2019. Of the 23 websites I contacted, all 11 that responded told me they were unaware of the tracking and had turned the setting off.

(I wrote the investigative articles in 2019 for the Norwegian public broadcaster NRK.)

A thread in English from then explains most of the findings: https://twitter.com/martingund/status/1207327648093003777

[sslalready]

You could already download most of the comment data from them by querying their API. Similar to profile pictures on Gravatar, emails were only hashed with MD5. They’re easy to reveal with some wordlist attacks.

[colejohnson66]

Is there a website to allow me to check my own email address?

[KingOfCoders]

"Most of the websites in Norway and elsewhere did not know they were sharing users data through Disqus."

Not to sound too clever, but I would assume if I embed a third party on my website, all bets are off considering privacy/data flow. Only the biggest services with the biggest publicity like GA have rudimentary privacy (opt-out, IP anonymization).

[xxs]

> embed a third party on my website, all bets are off considering privacy/data flow.

That's definitely not the case. It'd be true only if there is no contract w/ the 3rd party at all. Many contracts cover data leaks and the like and the contractual obligations are "non-trivial" to put it mildly.

[KingOfCoders]

Then our experiences differ somehow. Most Disqus users don't look like they have a contract, rather they accept terms and services than can be unilaterally changed by Disqus.

I've signed some DPAs and those that I've signed were very vague and liberal on what data they take - at least none of them felt that they would not try to get all the data that they can.

[skinkestek]

> Most Disqus users don't look like they have a contract, rather they accept terms and services than can be unilaterally changed by Disqus.

In that case the terms are invalid.

You cannot use terms of service to take away consumer protection in Europe.

[KingOfCoders]

Yes.

[wlll]

> Not to sound too clever, but I would assume if I embed a third party on my website, all bets are off considering privacy/data flow.

That you have to take care of these things is kind of the point of GDPR. If you don't know what some embedded server will do with users data, don't use it. No more fast and loose.

[KingOfCoders]

Yes I agree.

My point was more about companies embedding Javascript on their sites and "did not know they were sharing data".

Sadly European data protection agencies are vastly understaffed. I've filed some complaints, and have been waiting for an answer for them for years in some cases. I regularily get letters sent from agencies which say "we're still on it, but it takes more time".

One complaint was about an UK company ("Boden") filed with the Berlin data protection agency. Then they transfered it to the UK, then back to Berlin, it currently is in the Netherlands.

[chirau]

"forgot"

[maccard]

Forgetting for a single country (which is also not part of the EU) certainly seems plausible, more plausible than a targeted attempt at undermining the GDPR in a very specific country

[zepolen]

They probably used yaml for their config...

[speedgoose]

For people who are not aware, if you write the value no in YAML, it parses it as the boolean false which is then usually converted back to the string "false". The solution is to write "no" and not no, but Norway is the only country code requiring this so a lot of people forget about it.

For example I noticed this week that an environment variable in a few of my Norwegian company's deployments was "false" and not "no".

[colejohnson66]

Syntax highlighting to the rescue! I’ve almost been bitten by that “feature” before, but the VS Code extension for YAML caught it.

[speedgoose]

That's how I noticed the issue this week. The no value was green, which was a bit suspicious.

[StavrosK]

This actually sounds extremely plausible.

[eitland]

Agree, but they probably aren't off the hook just because of that.

I think user data is "fissile material" and the "fallout" from a high profile "meltdown" at certain places can easily destroy more lives than the Chernobyl actully ended up destroying.

Given this yaml and a number of other known problematic technologies probably shouldn't be used anywhere near the "reactors".

[wdb]

It's EU regulation and Norway is part of EEA which adapted these GDPR regulations. Feels like some risk and compliance officer at Disqus has been sleeping