Cybersecurity, VPN myths, and the GDPR idiocy
These are three distinct topics, but in my opinion they all deserve attention, and once you consider all the facts, you might conclude that a great many people are barking up the wrong tree.
1·The Cyberhavoc
I don’t know how to put it, but you’re terribly unaware of how vulnerable we are to cyberattacks. All of you, bar some security experts.
No, this is not just about what you know as malware (and used to call viruses and trojans a couple of decades ago).
No, this isn’t about the more recent fad—ransomware.
This is about the fact that the complexity of today’s software has made it riddled not just with bugs, but with security vulnerabilities that are atrociously numerous, present in virtually every single piece of software that can be reached in any way from a network.
I suggest you spend a couple of days perusing the archives of security newsletters such as the short selection below; you’ll be frightened to death if you really take the time to do it!
- Risky Business News
- Seriously Risky Business
- Zero Day
- The Info Op
- Cyber Defence News for Blue & Purple Teams
No, seriously: spend some serious time reading at least the last 3 months of newsletters from the first two sources above. Unless you’re a security expert, you’ll most likely find out you don’t know how fucked-up we are in this “all-IT” and “all-Cloud” society we’ve so stupidly created!
I’d also suggest you follow some IT security guys on Twitter; there are probably thousands who know what they’re talking about, but I could only make a very short list. You wouldn’t have enough time and motivation to read even those selected by me—that’s because the security vulnerabilities are overwhelmingly overabundant!
- Catalin Cimpanu (@campuscodi)
- Patrick Gray (@riskybusiness)
- BleepingComputer (@BleepinComputer)
- Last Week in Security (LWiS) (@lastweekinfosec)
- The Hacker News (@TheHackersNews)
- Zero Day Initiative (@thezdi)
- Tom Uren (@tomatospy)
- Łukasz (@maldr0id)
- Chris Evans (@scarybeasts)
- ΔĐVΔŇƀРƤ€ŘŞƗŞŦ€ŇŦ Ŧ€ΩỮƗŁΔ is in beast mode (@shad0wbits)
- Casey Smith (@subtee)
- Mark Lechtik (@marklech)
- Kurt Baumgartner (@k_sec)
- Michael Koczwara (@MichalKoczwara)
- Wietze (@Wietze)
- Paul Rascagnères (@r00tbsd)
- Ivan Kwiatkowski (@JusticeRage)
- Vitali Kremez (@VK_Intel)
- 0xor0ne (@0xor0ne)
- raptor (@0xdea)
- Duncan Ogilvie (@mrexodia)
- Paul L. (@am0nsec)
- vx-underground (@vxunderground)
If the list seems random, that’s because there are so many such people out there (especially white hat hackers, reverse engineering gurus, etc.)! I just retrieved some of those whose recent tweets I deemed relevant; I might follow many more on Twitter, but I just can’t be bothered to look into the list of people I’m following.
Almost one year ago, I wrote about The Ongoing Cyberwar Nobody Talks About. Things haven’t changed a bit or, if they have, it was for the worse. Most companies hush up their security incidents when they can. Nothing happened if nobody knows that it happened, right?
As for the IT companies that tens or thousands of millions of people have accounts with, things are eventually disclosed. But there isn’t much you can do about it.
This is the result of our society relying on everything to be connected to the Internet, on everything being in the fucking Cloud.
This is the result of blindly trusting the “digital transformation” (that’s an EU policy) and “Artificial Intelligence” to fix our bureaucracy and stupidity. 30 years ago, we were told that the “digital age” means less printed paper, yet it seems to me that the opposite is true: the digital version of everything still needs to be printed out in most cases. You know, legal reasons and whatnot.
On the other hand, everything, from your CCTV camera to your “intelligent house,” passing through your supermarket’s cash register, is connected to the Internet. You also need the Internet to connect to your bank, to make an appointment with a public service (COVID-19 obliges), to do everything. Your “intelligent assistant” and your smart TV (which isn’t a TV anymore, but a computer) can’t live without the Internet. Terrestrial analog TV has been phased out (it’s called the “digital television transition”) in most “civilized” countries; similarly, AM radio broadcasting has ceased (in some countries FM radio too, being replaced by DAB+). The idea is to replace everything with digital streaming, which is stupid both in terms of energy consumption and of security.
The fucking stupid politicians who decided what I described above have a match in the very competent IT people (competent but lacking common sense, which makes them retards by my definition) who always want something “better” and “more advanced” for everything that worked just fine! You see, a pencil, a brick, a screw, a roof tile, millions of things still look exactly as they looked 50 years ago; but a piece of software cannot stay unchanged for more than 1-2 years, or people would get “bored”—not regular people, but the idiots who want to sell the software or the products that include it! Unfortunately, the open-source developers aren’t any better: they forgot the old “KISS principle” (“keep it simple, stupid”) and “if it ain’t broke, don’t fix it!”
But greed was even more powerful than boredom. They wanted to make “better” software not by optimizing it, but by developing it quicker, and by giving it “a better, more scalable architecture.” That’s why nowadays you can’t run a graphical multi-user OS on a system with an i486 at 25 MHz (Pentium recommended) and 12 MB of RAM (16 MB recommended), as you could with Windows NT 4.0 Workstation, but only on systems with at least a dual-core 8th-generation 64-bit CPU at 1 GHz or more and 4 GB of RAM, not to mention other requirements (disk space, TPM, etc.).
Incidentally, this also meant they invented speculative execution and branch prediction, a veritable Pandora’s box that made possible “hardware” vulnerabilities such as Meltdown and Spectre, and, more recently, Retbleed. All Spectre patches that actually work reduce performance by 12-28% by some accounts, or in the case of the Linux kernel, by up to 39% for Intel CPUs and 14% for AMD processors. Now, guess what? Patches for Retbleed slow down the Linux 5.19 kernel by up to 70%, according to VMware’s Manikandan Jagatheesan, who reported on running kernel 5.19 VMs on ESXi.
That’s the price of our greed for ever more performance, never mind that we can’t audit the algorithms and ascertain that they really work well. The same goes for ALL the millions of pieces of software used on billions of computers worldwide: every week, dozens of important security vulnerabilities are disclosed—and usually patched, but more and more often only after the personal data of millions of customers has been exposed!
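For those who want to see whether those mitigations are even enabled on their own machines, here is an added Python snippet (not from the original post): it reads the per-issue status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities and buckets them into not affected / mitigated / vulnerable. The SAMPLE_STATUS dictionary is constructed sample content in the kernel’s wording, so the script also runs on a machine without that directory; on a real Linux host the live files are used instead.

```python
import os
from typing import Dict, List

# sysfs directory where the Linux kernel reports speculative-execution issues,
# one file per issue (spectre_v2, retbleed, meltdown, ...).
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what those files can contain, following the kernel's
# "Not affected" / "Vulnerable" / "Mitigation: ..." wording. Used only when the
# directory is not present (non-Linux host, container without sysfs).
SAMPLE_STATUS: Dict[str, str] = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
    "retbleed": "Vulnerable",
    "mds": "Not affected",
    "srbds": "Vulnerable: No microcode",
}


def classify(status: str) -> str:
    """Map one status line to 'not_affected', 'mitigated' or 'vulnerable'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    # "Vulnerable", "Vulnerable: <reason>", or wording this script does not know:
    # treat anything unrecognised as unmitigated rather than silently passing it.
    return "vulnerable"


def summarize(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Group issue names by classification; sorted so output is stable."""
    out: Dict[str, List[str]] = {"not_affected": [], "mitigated": [], "vulnerable": []}
    for name, status in sorted(entries.items()):
        out[classify(status)].append(name)
    return out


def read_sysfs(path: str = VULN_DIR) -> Dict[str, str]:
    """Read the live kernel report; empty dict when the directory is absent."""
    entries: Dict[str, str] = {}
    if not os.path.isdir(path):
        return entries
    for name in os.listdir(path):
        try:
            with open(os.path.join(path, name)) as fh:
                entries[name] = fh.read().strip()
        except OSError:
            continue  # unreadable entry: skip rather than abort the whole report
    return entries


if __name__ == "__main__":
    live = read_sysfs()
    source = "live kernel" if live else "constructed sample"
    for bucket, names in summarize(live or SAMPLE_STATUS).items():
        print(f"{bucket:13s} ({source}): {', '.join(names) or '-'}")
```

The same directory is where you confirm the effect of the kernel command-line switch `mitigations=off`: trading the slowdown back means the corresponding files flip from “Mitigation: …” to “Vulnerable”.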
Color me a Luddite (which I am!), but I’d have been happy if the “progress” had stopped in 1996: I was pretty happy with the operating systems of the time, and also with Linux 1.2.13 and 1.3.18. Today, I’m afraid we simply cannot control the complexity of our software. The world is a mad machine running towards its destruction!
2·Those VPN myths
How can people understand the dire state of cybersecurity we have in 2022, and what’s at stake (EVERYTHING! Our entire civilization, because we made it ENTIRELY dependent on the bloody Cloud!), if they can’t even understand what a VPN can do and what it cannot do?
I wrote before about what I consider to be the legitimate uses of a VPN, and most of them aren’t what most people think they should be. There are also countless articles on what a VPN cannot do, and why nowadays you don’t really need to use a VPN when connecting to a public access point, but they are fewer than the VPN-promoting articles. (Yes, I do use a VPN, but for different reasons.)
Let’s add some more tidbits from the huge ocean called Twitter:
Myths about VPN providers
– they protect your identity
– they’re safe
– they don’t log
– they are competent
– they’ll shield you from the law
– NSA can’t…no, just stop. Really.— Kenn White (@kennwhite) August 16, 2019
Can’t help but laugh (and be a bit sad) when people say “Use VPN for safety and anonymity. They can’t track you.” VPN does NOT hide your identity. That’s a myth. It simply allows you to pretend that you are in a different location. But your steps can be tracked right back to you
— Wooden donkeys (@WoodenDonkeys) August 30, 2022
Depends on what you’ll use them for.
VPNs are only useful for Torrenting and Streaming.
Anonymity with VPNs is a myth.— Mak the Seer (@mak_seer) May 7, 2022
This article promoting a VPN (sent to me by @martijn_grooten) is just terrible.
Users usually don’t need a VPN and the ads for VPNs are really bad, but this one makes some points which are ridiculous.
Let’s do a thread! 🧵👇https://t.co/bHBtipUZLu— Łukasz (@maldr0id) August 31, 2022
“VPN makes all kinds of online activities more secure—like banking, shopping, and checking up on your finances”
VPN doesn’t make ANY of these activities more secure. Shops have to use encryption to transmit financial information, banks and financial institutions use TLS.
— Łukasz (@maldr0id) August 31, 2022
“By masking your whereabouts and your IP address (…) “
VPN doesn’t mask your “whereabouts” and doesn’t do anything about apps which access your location.
VPN *can* make it *slightly* harder to discover your location, but this is *very limited* in the world of apps and phones.— Łukasz (@maldr0id) August 31, 2022
The article also suggests that VPN can make you secure from Bluetooth tracking and GPS services.
This is just silly and ridiculous, but there’s more:
“Even scanning a QR code with your phone can reveal location information.” What?!
— Łukasz (@maldr0id) August 31, 2022
“think about all the activities you do on your phone, (…) the apps you use and the data they create, about your health, your shopping habits, your travels, who you’re chatting with, and what content you’re posting online”
VPN won’t stop you from shitposting, this is silly
— Łukasz (@maldr0id) August 31, 2022
The misrepresentation of VPN benefits is one of the biggest recent cybersnakeoils.
VPNs present themselves as some kind of a magical anti-hacking tool that you just install and all the problems are solved.
Most people don’t need VPNs.
— Łukasz (@maldr0id) August 31, 2022
If your non-techy friend asks you about VPN just show them a password manager instead.
If they desperately need to spend money, tell them to buy a Yubikey and show them how to use it.
Also, they should update their devices. All of them. Like right now. You should too.— Łukasz (@maldr0id) August 31, 2022
What about while using public or hotel wifi? Does VPN prevent snooping?
— Britt McEachern (@brittmce) August 31, 2022
Assuming you use DNS over HTTPS and provided that almost all websites are HTTPS nowadays the amount of information that “leaks” is very small.
Also, why is snooping over public wifi in your threat model?— Łukasz (@maldr0id) August 31, 2022
I’m not an expert. But I was assuming that if I’m at Starbucks (wifi sponsored by Google) or Hilton and using their wifi, the companies could access and sell browsing data.
— Britt McEachern (@brittmce) August 31, 2022
That’s somewhat farfetched. The browsing data gathered this way are severely limited (due to HTTPS).
Your ISP can be doing the same thing, why is public wifi different?— Łukasz (@maldr0id) August 31, 2022
You are using an ISP: they know a lot about what you’re doing (yes, with a VPN you can nonetheless minimize that).
You do have a Google, Microsoft, Apple, Facebook, Twitter, Instagram, TikTok, Amazon account: you have zero privacy.
Your phone is using whatever apps it’s using: most of them are leaking a lot about you.
You can’t be “safe” and have “privacy”—unless you’re living under a rock. (Or not living anymore, 6 ft under.)
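The limits described above are easier to see on the wire. The following Python script is an added illustration, not code from the original post or from anyone quoted in it: it builds a constructed TLS ClientHello, parses the Server Name Indication (SNI) out of it the way a passive observer on hotel Wi‑Fi or at the ISP could, and then summarizes what that observer learns with and without DNS over HTTPS and with and without a VPN. The hostnames, IP addresses and the flow list are constructed sample data. What it shows beyond the text is that a VPN does not remove the hostname leak; it only moves who sees it (the VPN provider instead of the café or the ISP), while the page content itself stays inside TLS in every case.

```python
import struct
from typing import Dict, List, Optional, Set

# --- Constructed sample: a minimal TLS ClientHello with (or without) SNI ---
# Built here so the example runs offline. Real ClientHellos carry many more
# cipher suites and extensions, but the framing parsed below is the same.

def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Return a TLS record containing a minimal ClientHello for `hostname`."""
    extensions = b""
    if with_sni:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name               # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # random (fixed, constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def extract_sni(record: bytes) -> Optional[str]:
    """Pull the SNI hostname out of a ClientHello record; None if absent or malformed.
    This is exactly what a passive observer can read: SNI travels in plaintext
    unless Encrypted Client Hello (ECH) is in use."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9                                       # record header (5) + handshake header (4)
        pos += 2 + 32                                 # client_version + random
        pos += 1 + record[pos]                        # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]                        # compression_methods
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:
                list_len = struct.unpack("!H", record[pos:pos + 2])[0]
                p, list_end = pos + 2, pos + 2 + list_len
                while p + 3 <= list_end:
                    name_type = record[p]
                    name_len = struct.unpack("!H", record[p + 1:p + 3])[0]
                    if name_type == 0:
                        return record[p + 3:p + 3 + name_len].decode("ascii")
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                   # truncated or garbled: report nothing
    return None


# Constructed flows as seen from the client: the name it resolved, the IP it
# connected to, and the ClientHello it sent. The second flow carries no SNI.
SAMPLE_FLOWS: List[Dict] = [
    {"dns": "bank.example", "dst": "203.0.113.10", "hello": build_client_hello("bank.example")},
    {"dns": "news.example", "dst": "203.0.113.20",
     "hello": build_client_hello("news.example", with_sni=False)},
]


def local_observer_view(flows: List[Dict], dns_over_https: bool, vpn: bool) -> Dict[str, Set[str]]:
    """What a passive observer on the local network (hotel Wi-Fi, the ISP) learns.
    HTTP content is never visible: it is inside the TLS session in every case."""
    if vpn:
        # Everything rides in one encrypted tunnel; only the tunnel endpoint is
        # visible here. The same hostnames become visible to the VPN provider.
        return {"ips": {"vpn-endpoint"}, "hostnames": set()}
    ips: Set[str] = set()
    hosts: Set[str] = set()
    for f in flows:
        ips.add(f["dst"])
        if not dns_over_https:
            hosts.add(f["dns"])                       # plaintext DNS query names
        sni = extract_sni(f["hello"])
        if sni:
            hosts.add(sni)                            # SNI from the TLS handshake
    return {"ips": ips, "hostnames": hosts}


if __name__ == "__main__":
    for doh, vpn in [(False, False), (True, False), (True, True)]:
        print(f"DoH={doh!s:5} VPN={vpn!s:5} ->", local_observer_view(SAMPLE_FLOWS, doh, vpn))
```

Run it and compare the three lines: without DoH both hostnames are visible from DNS alone; with DoH only the one sent as SNI remains; with a VPN the local observer sees just the tunnel endpoint, and the hostname list has moved to the VPN provider’s side, which is the trade the tweets above are describing.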
3·The GDPR is a creator of Bullshit Jobs and does more harm than good
The General Data Protection Regulation (GDPR) is one of the most cretinoid inventions of the EU! Absolutely nobody asked for such inept legalese, yet it has been adopted and implemented, and it has created tens of thousands of “GDPR experts,” “compliance officers,” and (obviously) GDPR-specialized attorneys.
This is the culmination of Europe’s fight with the windmills, which included, among others:
- The mandate to pester users with cookie-consent dialog boxes.
- The right to have your data removed from the databases of an authorized personal-data-processing entity (e.g. your electricity provider, your bank, etc.) upon demanding it in writing (the utmost absurdity ever).
- The concept of the “right to be forgotten” by the Web search engines.
- The rule that personal data must not be stored unless really necessary, and the ban on transferring such personal data except in special situations (already present in 2002/58/EC, previously in 97/66/EC and in 95/46/EC, repealed by the GDPR).
Not related to privacy, but to “choice”:
- Imposing fines on Microsoft for shipping Windows 7 and newer with Windows Media Player, leading to the creation for Europe of the “N” editions (and for South Korea of the “KN” editions) that lack Windows Media Player and Windows Media Center (Win7), or Windows Media Player, Groove Music, Movies & TV, Voice Recorder, and Skype (Win10).
- Imposing fines on Microsoft for not forcing the users to choose a default web browser different from IE.
- Imposing fines on Google for shipping Android with Google as the default and preinstalled search engine.
- Imposing fines on Google for being basically an advertising company.
I’m puzzled by the EU’s choice: why didn’t they fine Microsoft for shipping with Notepad.exe, WordPad.exe, MSPaint.exe and Calc.exe? This surely “distorts the market” and “cripples the competition”! Also, how about the built-in antivirus? How can the other security companies live with the fact that Windows does include a (pretty decent now) security solution?
But let’s go back to the GDPR and the previous forms of privacy-related EU regulations.
■ The “right to be forgotten” has been an EU concept since Directive 95/46/EC, and is now included in the GDPR. Even before the GDPR, Google had removed 1.4M URLs prior to May 2014—but only if you were trying to access them from the EU. Obviously, Google does not have to remove links to sensitive personal data globally, the European Union’s ECJ decided in the cases C-507/17 Google and C-136/17 G.C. e.a.: courts or data regulators in the UK, France or Germany should not be able to determine the search results that internet users in America, India or Argentina get to see.
Maybe someone should refer the ECJ to this explanation from 2014 on why “the right to be forgotten” can’t possibly work. Not to mention the VPNs & stuff. Judges seem to be the most retarded creatures on Earth.
From 2019: It’s time to forget the right to be forgotten:
Furthermore, where does the right to be forgotten fit into a world that increasingly functions through blockchain, which is designed precisely to record everything permanently? How will the right to be forgotten work when someone asks for a transaction to be eliminated that technically cannot be eliminated? Will a judge ask someone to rebuild the blockchain with his or her bare hands and try to eliminate something that cannot be eliminated?
I said it at the time, and I say it again: there is no “right to be forgotten”: from a physiological or neurological point of view, no one can be forced to forget. Laws fail when they cannot be enforced. Privacy is a very important right that must be enshrined and protected, but there are limits. If you did something, you did it. If something happened, it can’t be unhappened. If something was published, it cannot be unpublished.
The right to be forgotten is a monument to human stupidity created by incompetent people who never understood how the internet works, and which is now the right to have a search engine erase a result you don’t like, but only for Europeans who don’t have a VPN. What the ECJ must now do is not limit the right to be forgotten, but instead to recognize that what they ruled on May 13, 2014 was wrong, and completely overturn that absurd decision. Trying to create a Ministry of Truth that decides what can be published and what not is a legal aberration.
Anyway, now you know: the ECJ has provided a get out on its previous ruling: when you want to find something out about a person, just launch your VPN, point it to a node outside Europe, and avoid censorship. Let’s be clear: the “right to be forgotten” does not exist, it never existed, and yesterday’s ruling makes that even clearer than it already was. The ECJ may be the court of final appeal, but it got this one seriously wrong. It’s time to forget the right to be forgotten.
This is the meta-version of the “criminal record” certificates, in which crimes “expire” something like 5 years after one gets out of jail. OK, you might have a paper that says “this person is not a criminal,” yet by consulting the publicly accessible archives of the courts, it’s easy to find the sentence that put you in jail! Also, there are newspapers, in physical form, and they cannot be censored the way a Web search can!
Censorship. It’s all censorship that protects the corrupt and the snowflakes.
■ The GDPR, per se, does more harm than good to people trying to read newspapers or websites from, e.g., the US, Canada or Australia. This is what I get when visiting some non-European websites:
I’m not sure why they even considered observing the GDPR, as long as they’re not an EU entity and don’t have any EU branch (so they simply cannot be fined), but they obviously considered it not worth paying a “GDPR compliance officer” as long as their main audience was not in the EU.
Oh, there’s actually the website GDPR Shield | EU data privacy compliance made easy:
Obviously, the best way to make something compliant to an absurd regulation is to make that thing unavailable in the respective jurisdiction. Thank you, GDPR!
From a Twitter thread from May 2018, by the well-known security expert Mikko Hyppönen:
Online game Ragnarok shutting down servers for European users, because of GDPR. https://t.co/bq0qyslIgp
— @mikko (@mikko) May 5, 2018
Verve shuts down European operations, because of GDPR. https://t.co/GH42c5h0zJ
— @mikko (@mikko) May 5, 2018
Brent Ozar Unlimited stops selling to European customers, thanks to GDPR. https://t.co/CSAbSqBQh5
— @mikko (@mikko) May 5, 2018
Unrollme to stop serving European customers, because of GDPR. https://t.co/tYrmsXlHvS pic.twitter.com/j4W0cBBHYR
— @mikko (@mikko) May 5, 2018
SMNC online game to shut down, blaming GDPR. https://t.co/R6XPTJR2Y2
— @mikko (@mikko) May 5, 2018
Tunngle Service shuts down due to pending requirements of the GDPR. https://t.co/VbkllRu5zd
— @mikko (@mikko) May 5, 2018
Steel Root is the first security company that I know that’s blocking access to their site from EU, because of GDPR. https://t.co/9HxmGzycHl
— @mikko (@mikko) May 5, 2018
Another example of a company leaving EU due to GDPR. https://t.co/4zzITclFrT
— @mikko (@mikko) May 6, 2018
This thread on #GDPR went sort of viral and got half a million views.
There’s a big split in reactions and replies based on whether the commenter is from Europe, or from outside of it:
— @mikko (@mikko) May 6, 2018
Typical reactions from EU:
* That’s not what the regulation was supposed to cause
* Good riddance
* Services like Unrollme are awful for privacy, I’m glad GDPR caused this
* Don’t the stupid americans know there are hundreds of millions of more customers in EU than in the USA?— @mikko (@mikko) May 6, 2018
Typical reactions from EU:
* This weeds out trashy websites
* Wow how ignorant
* Bye bye, data harvesters!
* Enjoy your reduced revenues!
* Our freedom is more important than their business— @mikko (@mikko) May 6, 2018
Typical reactions from the USA:
* This should teach those smug EU regulators a lesson
* You can’t tell us what to do
* These regulations were designed to hurt US tech companies
* Blocking EU users serves the EU right
* Just ban the whole continent— @mikko (@mikko) May 6, 2018
Typical reactions from the USA:
* Lol, smart
* This law is trash
* Jokes on them: there are NO services in EU
* Thanks to GDPR, EU will become a dark swampland of digital era
* No need to block all EU visitors. Just all EU regulators#GDPR— @mikko (@mikko) May 6, 2018
For fuck’s sake my MOUSE DRIVER is giving me GDPR popups and access requests. @Razer this is bloody ridiculous :-/
— Dan Puzey (@DanPuzey) May 18, 2018
Hi!
Just letting you know you can’t use your lights anymore because we’re slathering your data around and GDPR is here.
good luck! bye! pic.twitter.com/3ZI2WkqPAI
— Internet of Shit (@internetofshit) May 24, 2018
European Payver Users, Reminder: We will discontinue service in Europe on May 24th due to #GDPR.
— Payver (@getpayver) May 15, 2018
And so it begins. Fetching, for example, the website of US newspaper Arizona Daily Star [ https://t.co/xNnQxKNme5 ] from Europe results in a 403 Forbidden error, blaming #GDPR pic.twitter.com/6NWv1RcROc
— The Register (@TheRegister) May 24, 2018
Well, many US newspapers are still unavailable if you have an EU IP (one of the reasons a VPN is useful).
Note that the penalties under the GDPR are not a joke: up to €20M or 4% of your company’s annual worldwide revenue, whichever is higher. So far, Amazon was hit with a €746M GDPR fine, but they won the appeal; and WhatsApp got a €225M GDPR fine, and is appealing.
■ The GDPR harms even small EU projects, such as the various independent forums, including those related to open-source software.
Take an example: LiveSystem-pro.de Forum:
Rough translation:
The LiveSystem-pro.de forum has finally closed. We were active from 2011 to 2018. We had multiple forums: topics = 1,227, posts = 21,820, users = 5,838.
Why have we closed:
1. The legal basis can no longer be implemented in the EU as a private forum operator. GDPR and Cookie Guidelines etc. One needs a lawyer, a data protection officer and is exposed to many external dangers. This is no longer fun.
2. Without an active forum that lives with users, there is no point in maintaining everything. Running a forum involves a lot of work and costs. Why do all this, when the EU annoys you more and more, and few users participate.
3. A team must work together and pull together. It is not enough to only fulfill wishes unilaterally.
It’s been an interesting time over the years. But there is always an end.
Thank you, GDPR!
But what could a forum “expose” as private data, in the case of a security breach due to not having GDPR-vetted procedures? Let’s say a user has: a username (not revealing anything, say it’s “ludditus”), a hashed password (not usable as is, although a weak password behind a poor hash can still be cracked offline), an optional real name, an optional self-declared location, an e-mail. The only thing that cannot be “unleaked” is the e-mail (the password can simply be changed).
Now, consider this:
- No matter what the GDPR says, and no matter what the TOS and the EULA and whatever crap is shown to you when you register to a website, there is no way to be sure they don’t sell your data! As a matter of fact, I’m pretty sure every single one of them (banks, online shops, utility providers) is selling your data! This is the only explanation of the increasing level of spam. The GDPR is not enforceable, as it simply cannot be proven that your data has never been transferred, voluntarily, to a third party! Conversely, it can’t be proven that it has been sold. Furthermore, in 2021, the district court of Hamburg-Bergedorf clarified in a ruling that receiving an unsolicited e-mail doesn’t constitute a significant impairment, so you’re not entitled to compensation under the GDPR. Once again, the GDPR is useless shit—but incurring costs to anyone in the EU.
- Therefore, your right to be removed from the databases of banks, online shops, utility providers, etc. is totally pointless, since your data has already been sold to third parties! Try to find those third parties…
- Spam aside, why would anyone be so offended that their mail is publicly known? Decades ago, there were telephone directories (telephone books) in which everyone having a landline connection was listed with: name, address, telephone number. Somehow, the world was able to survive with this “data breach by design”!
■ Another example of contemporary idiocy: the right to one’s image—regulated by law in most “civilized” countries. Knowing that anyone can take photos of you or film you with their smartphone (Google Glass?), this can be understood up to a point. Also, the protection of children kicks in—mandating the blurring of children’s faces in publicly available or broadcast images or shows. But then:
- How did the world cope with the “lack of the right to image” in the times of great photographers such as Robert Doisneau, Henri Cartier-Bresson, Brassaï, Paul Almásy, Willy Ronis, etc.? Back then, you didn’t need to ask permission to take a photo in a public place, even if it included persons, not just monuments! (Until 2016, it was illegal to take photos of the Louvre’s ugly Chinese Pyramid; now there is a partial Panoramafreiheit for that.) But even if, out of courtesy, you asked people for permission, in almost all cases you would have received their approval. Oh, and there were kids in those photos too!
- In what way could a picture of a child be “abused” by a maniac?! It’s just a picture! As I said, it has never been a problem before, as we weren’t (yet) stupid enough to blur everything! But even today, when a child’s face is hidden in the press and on TV, there are plenty of unblurred pictures on Facebook (some retards even have their profile avatar showing them alongside their kid or grandchild!), not to mention… the underage children acting in so many films! How is the “image” of the children not “abused” when they play in a movie? Even when the parents give their approval, who says that the child, upon reaching adult age, will not regret having taken part in a film?
- Finally, if the UK has millions of CCTV cameras in public areas, it’s not the only country to do so. CCTV is extensively used in some French towns. How come the EU is OK with filming everyone—in public places, that’s right, but by millions of CCTV cameras that keep the recordings for up to 30 days!—but taking an innocent photo is a no-go? Try to take a photo in public in Germany! Should your photo include people, or even buildings, as seen from the street, chances are that someone caught in your shot, or the owner of the building, will aggress you, at least verbally! (There’s also a debate in Germany as to whether police officers can be filmed while on duty and abusing people. The police say you shouldn’t, claiming that your phone also records what they’re saying, which is “private”—but that only means that cops can be bastards even here in Germany, and the Bundestag doesn’t want to legislate on that.)
No logical answers can be given to the above questions. No, don’t bother. Today’s society is regulated by utter morons. “Let’s forbid everything” is their motto.
The most ridiculous implication, however, is this: blurring a car’s license plate. Since when is a car part of one’s “personal image”?! I tried to find a law, a single law, that specifically grants a car’s license plate the right to “dignity”—and I failed. Cars are required to bear license plates that unambiguously tie them to their owner, but not directly (the registration directory is not public), so I fail to see what’s private in a photo of a piece of machinery on a public road! And how come this was NEVER a problem before the age of the Internet and of the “data protection” / “privacy protection” / “image protection” / “dignity protection” / “retarded snowflakes protection” laws and regulations?
Here’s proof of the mental retardation of some German judges:
In Germany, cars are persons or extensions to persons (sort of penises), and therefore they have a right to privacy. (From CHIP 10/2022) #GDPR #DSGVO pic.twitter.com/UU0nHaHH6V
— Ludditus ex-Béranger 🤟 🇺🇦 🇹🇼 (@ludditus) September 14, 2022
A look at Bavaria shows how absurd the application of the GDPR sometimes is. The local State Office for Data Protection (LDA) warned Heiner Fuhrmann from Munich because he had taken photos of illegal parkers on sidewalks and cycle paths and handed them over to the police.
LDA President Michael Will accuses him of violating the GDPR. Currently, however, the authority has to refrain from charging the fee because, among other things, the German Environmental Aid is suing over its actions.
Well, I’d rather trust a judge from Rwanda.
Oh, something from 2021. If you didn’t know, faxes were a legal requirement in Germany, for “privacy reasons”; e.g. your GP couldn’t send your blood test results by mail, but only by fax. But then… kaboom! In 2021, the Landesbeauftragte für Datenschutz (the data protection commissioner in Bremen) decided: fax machines do not transmit in compliance with the GDPR, so their use for sending personal data is not permitted.
And don’t get me started on dashcams! They’re legal to use in some EU countries as long as you don’t upload people’s faces and license plates to the Internet (if I’m not wrong, such restrictions are not imposed in Italy and Spain); they’re not clearly regulated in some other countries; but it’s illegal to own one in Portugal (even in the original packaging in one’s car trunk!), and completely illegal to use one in Luxembourg, Belgium and Austria! Fucking retards.
■ The GDPR parasites. Let’s start with a GDPR-compliant joke:
— Do you know a good GDPR consultant?
— Yes.
— Can you give me his e-mail address?
— No.
As for the parasites, the other day I happened to come across a Twitter thread that at some point involved a second person. The two of them are:
- Associate Professor in Technology Law. All about Digital Rights, Personal Data, Privacy, AI & Open Data.
- Assistant professor in civil law and technology. PhD in Damage(s) and Data Protection.
Nice field(s). Making money out of a failed ideology! Oh, but the thread:
Does infringement alone of the GDPR give rise to a right to compensation, or does there need to be harm as well?
The AG’s opinion in the Österreichische Post case is out! I will briefly discuss its findings…
👇https://t.co/y6SqvjTC6l— Suzanne Vergnolle (@SuVergnolle) October 6, 2022
▶️ The AG considers the recognition of punitive damages as a potential threat for the overall data protection system (§ 50). The AG is afraid that punitive damages might encourage individuals to go to court instead of doing complaints with supervisory authorities.
— Suzanne Vergnolle (@SuVergnolle) October 6, 2022
In my view, this is a very unsettling interpretation. People should be able to go to court and obtain compensation for GDPR’s infringement! It is another way to make GDPR effective.
Data Protection Authorities are only one of the many ways to make sure the GDPR is correctly enforced.— Suzanne Vergnolle (@SuVergnolle) October 6, 2022
This is especially true when we look at the slow and convoluted enforcement by some DPAs!
It is even more troubling to retain such interpretation while recognizing how rarely this right has been exercised in the past (§2)…— Suzanne Vergnolle (@SuVergnolle) October 6, 2022
▶️ The AG excludes the existence of presumption of damage in the GDPR. To justify this it looks at the literal interpretation (GDPR’s wording), at the legislative history (none), and at the contextual and teleological interpretations.
— Suzanne Vergnolle (@SuVergnolle) October 6, 2022
Quest° 2: Does the compensation’s assessment depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
▶️ The AG reviews different compensation mechanisms in Member States and leaves room for interpretation for national courts (§83 s).— Suzanne Vergnolle (@SuVergnolle) October 6, 2022
There I have to say, I am left a little bit wondering how this might help national courts… But I don’t have much more comment.
— Suzanne Vergnolle (@SuVergnolle) October 6, 2022
Quest° 3: Does the award of compensation for non-material damage presuppose the existence of a consequence that goes beyond how upset the individual might feel?
In other words, is there a lower limit below which an individual will not be awarded compensation?— Suzanne Vergnolle (@SuVergnolle) October 6, 2022
After indicating how GDPR went further than the directive which did not specify the damage that was eligible for compensation, the AG affirms (in a very peculiar way) that it is not possible to infer that all non-material damage is eligible for compensation (§105).
— Suzanne Vergnolle (@SuVergnolle) October 6, 2022
The AG therefore considers that if there is a GDPR’s violation that only upset an individual, that individual does not have a cause for action under the GDPR (§114). The individuals must prove another non-material damage to have a case.
— Suzanne Vergnolle (@SuVergnolle) October 6, 2022
Personally, I am afraid that this interpretation might be in contradiction with some civil liability principles (notably in France) regarding full compensation of the damage suffered. The individual should have a right to compensation even if the damage is “only” to be upset!
— Suzanne Vergnolle (@SuVergnolle) October 6, 2022
Non-material damages are highly difficult to demonstrate and prove. Sometimes “just being upset” results in endless nights of sleeplessness or irritation…
— Suzanne Vergnolle (@SuVergnolle) October 6, 2022
Overall, I am disappointed with this opinion and I believe it might put in peril a lot of potential actions.
By relying on Data Protection Authorities, while also recognizing they generally protect the public interest, it does not offer individuals a proper and actionable right.— Suzanne Vergnolle (@SuVergnolle) October 6, 2022
For those who want to go a bit further, I tried to develop in my PhD dissertation a taxonomy of non-pecuniary damages resulting from data protection infringements. It is primarily based on French court decisions relating to privacy infringement.
Here it is 👇 pic.twitter.com/ZE8LAydZQg— Suzanne Vergnolle (@SuVergnolle) October 7, 2022
Yes, here is the suggested citation:
S. Vergnolle, On the Effectiveness of Protecting Individuals’ Rights by Data Protection Law published as L’effectivité de la protection des personnes par le droit des données à caractère personnel, th. Paris II, 2020, p. 541.— Suzanne Vergnolle (@SuVergnolle) October 7, 2022
Here is the pdf: https://t.co/noPzTLanBz
Here is the published version at Larcier that can be ordered: https://t.co/tcOExqTRm1
— Suzanne Vergnolle (@SuVergnolle) October 7, 2022
The relevance of establishing a taxonomy is detailed on pages 426 and subs. The methodology itself is explained in pages 430 and subs (§§ 570 and s.).
Sorry, it’s in French but you might want to use DeepL to translate it! 🙂— Suzanne Vergnolle (@SuVergnolle) October 7, 2022
Thanks Suzanne, I totally agree with you. This saves me a lot of time in writing my own thread 🙂
— Tim Walree (@TWalree) October 7, 2022
I already wrote a ‘response’ to these arguments of Campos. It will be published next week in a Dutch journal for civil law. I will share it with you!
— Tim Walree (@TWalree) October 7, 2022
Quite concerning is the contradiction between the compensatory function and punitive function: the AG basically says that if it’s not compensatory, it must be punitive. This is in contradiction with the jurisprudence of the CJEU.
— Tim Walree (@TWalree) October 7, 2022
I mean damages have many functions, one of them is also being a deterrent. By creating a minimal threshold under which damages cannot be asked (and therefore repaired) is setting a dangerous precedent.
Please send me your article! I’d love to read it ☺️— Suzanne Vergnolle (@SuVergnolle) October 7, 2022
Very nice indeed, and professional, but treating of imaginary and non-enforceable rights, this is pure intellectual masturbation. Also, such people have Bullshit Jobs, yet they are ecstatically happy with them!
Don’t misunderstand me. 40 years ago, I was reading the Criminal Code and the Code of Criminal Procedure. A few years later, some civil jurisprudence regarding the succession. Having so many interests, I’ve read in all these years legal theory and practice relative to the legal and judicial systems of: “socialist” Romania, “democratic” Romania, France (3rd, 4th, and the various changes in the 5th Republic), Belgium, the UK (England, Scotland, Wales), the US (Federal Law, SCOTUS, California, NY, FL, TX, AZ, NV, GA, UT), and I’m struggling with the German law. I’m curious, you see. The problem is that I became increasingly annoyed with the ever-increasing (there is no other word for it) complexity of such legal systems, and their total lack of celerity and efficacy. I’m sick of this world that increased the number of the Bullshit Jobs first and foremost in the judiciary, but not by increasing the number of judges!
So, back to the GDPR case involving the Austrian Post (Österreichische Post AG, should have been referred to as “OP” instead of “AG”—but try to find common sense in law experts!), I don’t give a rat’s ass! (Still, as a small side reading, I’d suggest Liability Exclusions under German Law, which tangentially hints to the Austrian law, of which I literally know nothing.)
Still, should you be curious, a relevant excerpt:
II. Facts, dispute and questions referred for a preliminary ruling
8. From 2017 onwards, Österreichische Post AG, an undertaking which publishes address directories, collected information on the political party affinities of the Austrian population. With the assistance of an algorithm, it defined ‘target group addresses’ according to certain socio-demographic features.
9. UI is a natural person in respect of whom Österreichische Post carried out an extrapolation, by means of statistical calculation, in order to determine his classification within the possible target groups for election advertising from various political parties. From that extrapolation it emerged that UI had a high affinity with one of those political parties. Those data were not transferred to third parties.
10. UI, who had not consented to the processing of his personal data, was upset by the storage of his party affinity data and angered and offended by the affinity specifically attributed to him by Österreichische Post.
11. UI has claimed compensation of EUR 1 000 in respect of non-material damage (inner discomfort). UI claims that the political affinity attributed to him is insulting and shameful, as well as extremely damaging to his reputation. In addition, Österreichische Post’s conduct caused him great upset and a loss of confidence, and also a feeling of public exposure.
12. The first-instance court dismissed UI’s claim for compensation. (7)
13. The appellate court confirmed the first-instance judgment. It ruled that compensation for non-material damage does not automatically accompany every breach of the GDPR and that:
— since Austrian law is applicable as a supplement to the GDPR, only damage that goes beyond the upset or the feelings (‘Gefühlsschaden’) caused by the breach of the applicant’s rights is eligible for compensation;
— the principle underlying Austrian law must be adhered to, namely that mere discomfort and feelings of unpleasantness must be borne by everyone without any consequence in terms of compensation. To put it another way, the right to compensation requires that the damage claimed must be of a certain significance.
14. An appeal against the judgment of the appellate court was lodged with the Oberster Gerichtshof (Supreme Court, Austria), which has referred the following questions to the Court of Justice for a preliminary ruling:
‘(1) Does the award of compensation under Article 82 of [the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
(2) Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
(3) Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?’
Both disquieting and frivolous (not necessarily juridically speaking). Such situations most surely happen all the time, not only with entities you have a commercial contract with, but also with the various websites you’re visiting! Strictly from a legal standpoint, I fully agree with the first instance that awarded NOTHING to the plaintiff. No data has been transferred to third parties, so I’m not even sure that there is infringement of the GDPR. On the other hand, the general provisions of the Austrian law are applicable as a supplement to the GDPR, because the GDPR, while being “supranational,” cannot contradict the Austrian law (or the German law, etc.). Still, as I said, it’s a frivolous case in my opinion.
■ To close this post: what is the only thing the EU should care and regulate about? COOKIES, specifically third-party cookies (of which some are called supercookies), which are definitely NOT NECESSARY, and are only used to target the user with “more relevant” ads, since a user’s behavior is shared between different websites! Then, FINGERPRINTING.
Unfortunately, third-party cookies and fingerprinting are NOT ILLEGAL under the GDPR! Ironically, only Google’s Chrome and Mozilla’s Firefox are committed to block them, not the EU! (Chrome, only in Incognito Mode; Firefox, by default.) The GDPR remains useless, annoying, dumb, and harmful, as previously shown.
I don’t know of any single individual who considers that such things provide them with “choice” and “freedom”:
Most people just click on whatever is green! If one really wanted to protect the users, the law should have required web browsers to ship with a default mode that blocks the unnecessary cookies and other tracking mechanisms such as fingerprinting!
If the GDPR is about letting the users make their choices, even if they don’t understand what they agree to (this was never of concern to any lawmaker!), then it should also allow non-GDPR-compliant sites to exist if they inform their users about that! This way, all the havoc created by the GDPR would go away: forums wouldn’t need to close, websites wouldn’t need to refuse visitors from the EU.
But there are so many Bullshit Jobs that have been created by the GDPR, so this isn’t going to happen.
Also, the user will continue being “the product,” for the simple reason that this is the only way so many websites and online services are free. Would you pay €5/mo to be able to use GMail? Would you pay €10/mo to be able to access YouTube? Would you pay another €5/mo to be able to perform a Web search?
BONUS·Special case of paranoia and mental retard regarding the “privacy”
I forgot about this short blog post: Stop using DICT dictionary apps (such as GNOME/MATE Dictionary) | Ctrl blog. Excerpt:
With the apps’ default configuration, your word queries are looked up online via an arcane old internet protocol called DICT (RFC 2229). The protocol was standardized in 1997 and it doesn’t include any encryption or other privacy protections.
So, why is this a problem for dictionary lookups?, you might ask. Some knowledge is forbidden knowledge, depending on your local authorities. For example, it is inadvisable to look up information about abortion from within some U.S. states, war crime in Russia, or democracy and human rights in China. The apps don’t warn you about their privacy implications when you launch them. They’re technically required to inform you about whom they share data with (the dictionary server providers) under the General Data Protection Regulation (GDPR) in the E.U.
Fuck. GDPR again. Plus paranoia.
No, dear retard, it’s not risky to search for the definition of “abortion” in the US, and even if it were, what ISP would log your DICT or HTTP query to a dictionary, only to show it to some “pro-life” groups? Think about it: supposing you’re a pro-life, anti-abortion retard, how would you know what you’re against, if you don’t know what an abortion is? All things considered, the only potentially risky thing were to look for an abortion clinic! But even so, what kind of citizen are you if you’re terrified even by such small things?
Even in China, I expect them to have dictionaries that define “democracy,” even if in a twisted form, and in Chinese, not as given by the (relatively useless) MATE dictionary.
All in all, such chicken-hearted individuals should hide behind a proxy server or behind a VPN, to reduce the chances that their Web queries be used by the local authorities. Alternatively, they could hide under a rock. Oh, wait, even in China, Russia, and the US, the GDPR protects them, but some nasty developers are ignoring THE EUROPEAN LAW!
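To make the Ctrl blog’s technical point concrete, here is an added example (mine, not code from the Ctrl blog, GNOME Dictionary or the MATE dictionary) that encodes the DEFINE command a DICT client sends and parses a constructed server reply in the RFC 2229 format; the client name, database name and definition text are made up. Because the protocol has no encryption layer, anyone able to read the TCP stream, or an administrator auditing the app’s outbound connections, sees the queried word as plain ASCII:

```python
"""Minimal RFC 2229 (DICT) client-side framing and reply parsing.

Constructed example; not the Ctrl blog's, GNOME Dictionary's or the MATE
dictionary's code. The client name, database name and definition text
below are made up. Everything on the wire is plain ASCII over TCP/2628.
"""
import shlex

DICT_PORT = 2628  # IANA-assigned port for DICT (RFC 2229)


def build_define(word: str, database: str = "*") -> bytes:
    """Encode the DEFINE command exactly as a client puts it on the wire.

    '*' asks the server to search all databases (RFC 2229, section 3.2.2).
    The word is quoted so that multi-word entries survive tokenisation.
    """
    return f'DEFINE {database} "{word}"\r\n'.encode("ascii")


def words_in_cleartext(client_stream: bytes) -> list:
    """Return every word queried in a client-to-server byte stream.

    This is what a traffic log of the app's outbound connection shows: no
    decryption step is needed because the protocol has none.
    """
    words = []
    for line in client_stream.decode("ascii").splitlines():
        tokens = shlex.split(line)          # honours the "..." quoting
        if not tokens:
            continue
        if tokens[0].upper() == "DEFINE" and len(tokens) == 3:
            words.append(tokens[2])         # DEFINE database word
        elif tokens[0].upper() == "MATCH" and len(tokens) == 4:
            words.append(tokens[3])         # MATCH database strategy word
    return words


def parse_define_reply(raw: bytes) -> dict:
    """Parse the server's reply to one DEFINE command.

    Reply shape (RFC 2229): '150 n definitions retrieved', then per entry a
    '151 "word" db "description"' line followed by text lines and a line
    holding a single '.', and finally '250 ok' (or '552 no match').
    """
    lines = raw.decode("ascii").split("\r\n")
    definitions = []
    status = None
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("151 "):
            header = shlex.split(line)      # ['151', word, db, description]
            body = []
            i += 1
            while i < len(lines) and lines[i] != ".":
                text = lines[i]
                # Dot-stuffing: a text line that begins with '.' is sent as '..'
                if text.startswith(".."):
                    text = text[1:]
                body.append(text)
                i += 1
            definitions.append({"word": header[1], "database": header[2],
                                "text": "\n".join(body)})
        elif line[:3] in ("250", "552"):
            status = line[:3]
        i += 1
    return {"status": status, "definitions": definitions}


# Constructed transcript of one lookup, as it would appear in a packet capture.
CLIENT_STREAM = (
    b'CLIENT "constructed-dict-app 0.1"\r\n'
    + build_define("democracy")
    + b"QUIT\r\n"
)
SERVER_REPLY = (
    b"150 1 definitions retrieved\r\n"
    b'151 "democracy" sample "Constructed sample dictionary"\r\n'
    b"democracy\r\n"
    b"    n 1: government by the people\r\n"
    b"..a text line that itself begins with a dot\r\n"
    b".\r\n"
    b"250 ok\r\n"
)

if __name__ == "__main__":
    print("queried in cleartext:", words_in_cleartext(CLIENT_STREAM))
    print(parse_define_reply(SERVER_REPLY))
```

The framing is identical whether the server is a remote host or a dictd on the local machine; only the latter keeps the looked-up word off the network, which is the configuration choice the exposure turns on.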
BONUS 2·A case of “a 21st-century mindset”
Not really on any of the discussed topics, but a solution waiting for a problem… and for hacking!
Here: California legalizes digital license plates for all vehicles. In brief:
- A private company is authorized to produce E-Ink-based digital license plates called Rplates.
- Rplates are managed via Bluetooth using a smartphone app. (Vulnerabilities, anyone?)
- Rplates also have an LTE antenna, “used to push updates, change the plate if the vehicle is reported stolen or lost, and notify vehicle owners if their car may have been stolen.”
- An Rplate for a personal vehicle costs $19.95 a month, or $215.40/yr if paid annually; plates for commercial vehicles run $24.95/month, and $275.40 if paid yearly.
- Privacy risks?
- Hacking risks?
- $19.95/month FOR WHAT? What was wrong with a metal plate? Automatic number-plate recognition cameras can also recognize “old-style” plates!
- An Rplate “can reportedly function in extreme temperatures”: really? A metal (or plastic) plate can do much better, and for no recurrent costs!
Selected comments from the readers of The Reg:
■ Your metal plate is clearly unfit for purpose and inadequate; for the very simple reason that someone can’t charge you $20+ per month for it. You’re just not thinking in a 21st-century mindset.
■ The DVLA approved font is designed with OCR in mind. Given that the registration number isn’t supposed to change, I don’t understand what an electronic plate could do that would be useful. If you want tracking on your vehicle, get a different device for that. The cheapest option is probably to put an AirTag in it somewhere.
■ Yet another IoT hole for no reason? Here we go: what’s the betting someone figures out a way into these (after all, they’re hardly likely to get updates that often) and we find half of the plates in CA start displaying nothing at all….or suitably rude/advertorial messages. Again, this is putting tech in places just for the sake of it. I can’t imagine the license plate needs to change so often that having the ability to vary the display will be a major advantage – certainly not when you look at the cost of having one. Also, e-paper will have issues in the temp range / lighting conditions that a metal plate copes rather well with: this is a problem that didn’t need solving, surely.
■ A license plate you rent? No thanks.
■ For just $20 a month, we’ll ensure your plate remains visible. Isn’t that how a protection racket works?
■ This sounds like a bad idea. How do you keep a person from changing the number on their e-ink plate? The device is in complete control of the end user, even if they use some kind of key to verify operations, this is ripe for exploitation. E-ink doesn’t need constant voltage and as far as I know doesn’t provide feedback of what is displayed. Just disconnect the screen, ‘flash’ the display to a fake reg number. Even if there is cryptographic information on the plate, you might be able to selectively flash the screen.
■ Handy if you want to display a false number, I guess.
■ It’s the modern implementation of the James Bond rotating-numberplate thing that every single driver everywhere has, at some point, fantasized about having.
■ I’d make it look like it did a factory reset. Always good to have some plausible deniability. It would be interesting to hack this and make it show another number when near a speed camera – at present speed cameras and ANPRs are not really analysing for registration discrepancies.
■ I’m looking forward to e-ink numberplates which can change what they display when around speed cameras. BMT216A to 4711-EA-62 to LU6789 in a fraction of a second.
■ The DMV isn’t trying to correct a problem, they just want more money. They won’t care about fake plates unless a high profile case makes the news. Then they will probably dole out a grant to the company to cover the fix. Yes, this is probably going to be easier to hack than it is to stamp a convincing metal plate. Also going to be a magnet for theft and vandalism I suspect. DMV only cares about taking as much of your money as possible and giving it to other people. So for them it makes perfect sense.
There are two different ways to look at it:
- California’s DMV, while being as “communist” as the European Union in imposing shit on people, is as corrupt as the European Union in guaranteeing profits to the companies that manage to legislate their wishes, so to speak.
- The digitalization aka “digital transformation” of everything only creates more vulnerabilities! It’s like continuously creating ticking time bombs, or disasters waiting to happen! As if cars weren’t already vulnerable to hacking, now their license plates too!