How GDPR shows the web is broken

Submitted by Andy on Mon, 27/05/2019 - 17:11

The original purpose of the World Wide Web was to allow free sharing of ideas and information. It was set up to allow people to research, communicate and collaborate.
It has been over a year since the introduction of the GDPR legislation. In the past year it has become clear that the web has evolved into a tool for large organisations to track people and harvest personal information.

The EU data protection and privacy legislation known as GDPR came into force in May 2018. The principle of this legislation is that we should have control of our personal data and know how it is used. This caused widespread panic among companies that store and process personal data digitally. It is important to realise that the information actually processed hasn't changed since the GDPR was introduced; it is simply now visible.

Consent emails

The first thing that most people noticed was a large number of emails asking for permission to spam them. These emails often came from companies that had reason to contact you. Some had already been given permission but hadn't recorded it correctly. There are many more companies that have your personal information and "failed" to get consent. They never contacted you for permission to store your information. For example, in my experience these companies include "recruiters", who scraped my information off job sites and sites like LinkedIn.

Websites getting consent

Websites now need to get permission to process your information and allow you to opt out. To achieve this many websites are using annoying popups. They normally provide a big "Accept" button with a harder to find or poorly named button to reject. The reject button may be shown as "Change settings". Selecting the change settings button will then show a large and confusing dialog. There will be vague descriptions of the data they harvest and how it's supposed to be used. Somewhere on this dialog will normally be a large collection of company names with a checkbox by each one. Sometimes the site visitor will have to accept these conditions to use the site. This common behaviour may be (barely) legal. It is definitely extremely poor practice and not in the spirit of the legislation.

I have noticed that at least one of the (most common) popups actually ignores scripts and cookies from members of an advertising collective. This collective includes most of the largest companies. These companies include the worst offenders for misuse of personal data. Therefore they are not actually giving you a chance to protect your data.

There are some sites from the USA that now block or redirect visitors from Europe. They do this to avoid complying with the GDPR legislation.

Some sites will claim that they are unable to run their business or pay their staff without it.
There are a few websites that rely on affiliate marketing and will require consent to provide their service. This is only where it is the primary function of the site, e.g. voucher sites. The affiliate marketing is provided by companies that specialise in harvesting personal information. There are many others (including news sites) that claim they need to process and distribute your personal information but don't.

To make it perfectly clear, these sites are:

  • Giving your personal information to these third parties. Those third parties are then tracking you across many sites.
  • Not getting direct income from this information.
  • Showing targeted adverts that are more valuable than generic ones.
  • Using the tracking to see detailed personal information about who is visiting their site.
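A site owner can see for themselves which third parties a page hands visitors to, before any consent dialog is answered, by listing the external hosts its HTML loads resources from. The following is an added example, not code from the original post: it parses a constructed HTML page (the `.test` hosts are reserved placeholder names, not real services) and reports every script, iframe, image or stylesheet served from a host other than the site's own domain. Running it against a real page's saved HTML shows what the "Accept" button is consenting to on the visitor's behalf.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements and attributes that make the browser contact another host as soon
# as the page renders, i.e. before any consent popup has been answered.
_LOADING_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "source": ("src",),
    "link": ("href",),
}

# <link> only triggers a fetch for these rel values; rel=canonical etc. do not.
_FETCHING_RELS = {"stylesheet", "preload", "prefetch", "dns-prefetch", "preconnect"}


class ThirdPartyAuditor(HTMLParser):
    """Collects (tag, host, url) for every resource loaded from a foreign host."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []

    def _is_first_party(self, host):
        h = host.lower()
        return h == self.first_party_host or h.endswith("." + self.first_party_host)

    def handle_starttag(self, tag, attrs):
        wanted = _LOADING_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & _FETCHING_RELS:
                return
        for name in wanted:
            url = attrs.get(name)
            if not url:
                continue
            # Relative paths and data: URLs have no host and stay on-site;
            # protocol-relative "//cdn.example/x.js" does leave the site.
            host = urlsplit(url).hostname or ""
            if host and not self._is_first_party(host):
                self.findings.append((tag, host, url))


def audit_third_parties(html, first_party_host):
    """Return the sorted set of third-party hosts the page loads from."""
    parser = ThirdPartyAuditor(first_party_host)
    parser.feed(html)
    return sorted({host for _, host, _ in parser.findings})


# Constructed sample page: one first-party site plus typical tracking inserts.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://www.example.org/post/1">
<script src="https://www.example.org/static/app.js"></script>
<script src="//ads.tracker-network.test/tag.js"></script>
<script async src="https://static.cdn-analytics.test/collect.js"></script>
</head><body>
<img src="https://pixel.tracker-network.test/i.gif" width="1" height="1">
<iframe src="https://social.widgets.test/like?page=1"></iframe>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>
"""

if __name__ == "__main__":
    for host in audit_third_parties(SAMPLE_PAGE, "example.org"):
        print("third-party host contacted on page load:", host)
```

Every host the function reports receives at least the visitor's IP address, the page URL and, where cookies are set, a cross-site identifier, whatever the popup later says was declined.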

Responsible Site

Not all personal data use is bad. Sometimes there is good reason to use personal information and tracking to improve a site or add functionality. Some valid reasons for collecting (normally anonymous) data include:

  • Website security (blocking known attackers)
  • Website logins.
  • Checking whether the site is being used / popular
  • Handling customer orders / customer service
  • Targeting specific groups of website visitors.

An example of responsible collection and sharing of data is to:

  • Block spammers / attackers
  • Prevent spam content
  • Allow visitors to register and login and contribute to the site
  • Check that the site was being used
  • Confirm that most of my visitors were from the UK (important as much of the information was UK specific)
  • Check what parts of the site were most used
  • Link to social media.

My new sites handle logging website usage and social media in a way that avoids passing personal information on to large organisations. I'm still considering how to protect my website and limit spam while respecting privacy.
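The usage questions in the list above (is the site used, which parts are used most, where do visitors come from) can be answered from the server's own access log without handing anything to a third party and without keeping personal data. The following is an added example, not the author's code: it processes a few constructed combined-format log lines, masks IP addresses to a /24 (IPv4) or /48 (IPv6) for anything that is retained, strips query strings (which can carry e-mail addresses or search terms), keeps only the host of the referrer, drops the user agent, and counts returning visitors within one day using an HMAC with a random secret that is thrown away at the end of the day. The secret handling and the thresholds are assumptions for the example; the log format is the standard Apache/nginx "combined" format.

```python
import hashlib
import hmac
import ipaddress
import re
import secrets
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def mask_ip(raw):
    """Keep only the network part: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(raw)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False).network_address)


class DailyVisitorKey:
    """HMAC secret that lives for one day. Pseudonyms count returning visitors
    within the day; once the secret is discarded they cannot be reversed or
    linked to another day's pseudonyms. (Assumed design for this example.)"""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else secrets.token_bytes(32)

    def pseudonym(self, ip):
        return hmac.new(self.secret, ip.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_line(line):
    """Rewrite a raw log line into the form that may be retained on disk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["path"]).path              # query string discarded
    ref_host = urlsplit(m["referer"]).hostname or "-"  # host only, never full URL
    return (f'{mask_ip(m["ip"])} [{m["time"]}] "{m["method"]} {path}" '
            f'{m["status"]} "{ref_host}"')        # user agent dropped entirely


def summarise(lines, key, own_hosts):
    """Aggregate usage counts from raw lines; raw IPs stay in memory only."""
    pages, statuses, referrers, visitors = Counter(), Counter(), Counter(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        pages[urlsplit(m["path"]).path] += 1
        statuses[m["status"]] += 1
        visitors.add(key.pseudonym(m["ip"]))
        ref_host = urlsplit(m["referer"]).hostname or ""
        if ref_host and ref_host not in own_hosts:
            referrers[ref_host] += 1
    return {"pages": pages, "statuses": statuses,
            "unique_visitors": len(visitors), "referrers": referrers}


# Constructed sample lines (documentation address ranges, reserved .test hosts).
SAMPLE_LOG = [
    '203.0.113.42 - - [27/May/2019:17:11:03 +0100] "GET /articles/gdpr HTTP/1.1" 200 5120 '
    '"https://search.example-engine.test/?q=gdpr+web" "Mozilla/5.0"',
    '203.0.113.42 - - [27/May/2019:17:12:10 +0100] "GET /static/site.css HTTP/1.1" 200 800 '
    '"https://www.example.org/articles/gdpr" "Mozilla/5.0"',
    '2001:db8:abcd:1234::9 - - [27/May/2019:17:15:44 +0100] "GET /search?q=alice@example.com HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/May/2019:17:20:01 +0100] "POST /wp-login.php HTTP/1.1" 404 210 '
    '"-" "python-requests/2.21"',
    'not a log line',
]

if __name__ == "__main__":
    key = DailyVisitorKey()
    for line in SAMPLE_LOG:
        scrubbed = scrub_line(line)
        if scrubbed:
            print(scrubbed)
    print(summarise(SAMPLE_LOG, key, own_hosts={"www.example.org"}))
```

Country-level questions such as "are most visitors from the UK" can be answered from the masked prefix with an offline geolocation database, so nothing needs to leave the server for that either. The 404s against paths like `/wp-login.php` from script user agents are also the raw material for the attacker blocking mentioned above; a block list of network prefixes needs no more than the masked form.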

Conclusion

The GDPR legislation has shown that the web has changed into a tool for harvesting personal information and surveillance.

Aside

I'm increasingly seeing the phrase "We value your privacy" on these popups. When translated to plain English this would read "We don't care about your privacy but it's very profitable to give or sell your personal data to other organisations."