GDPR

Blindered by the GDPR

Doc Searls — Sat, 25 May 2019 11:58:24 +0000

I usually don't like new tech regulations.

One reason is that technology changes so fast that new regulations tend to protect yesterday from last Thursday.

Another reason is that lawmakers tend to know little or nothing about tech. One former high U.S. government official once told a small group of us, roughly, "There are two things almost nobody in Congress understands. One is technology and the other is economics. So good luck."

Still, I had high hopes for the GDPR (the EU's General Data Protection Regulation), which famously went into effect one year ago. I suggested that we re-brand 25 May "Privmas Day" (hashtag #privmas), since I expected the GDPR would go far toward protecting personal privacy online, which prior to that date had been approximately nil. Back in 2017, I said (onstage, in front of thousands) the GDPR would be "an extinction event for adtech in Europe."

Here in Linux Journal, I put up an FUQ for the GDPR (the U meaning "Unanswered"), meant to provide guidance toward new developments that could give each of us many new forms of agency online, as well as some privacy. Because I really did expect the GDPR to encourage both.

Alas, mostly it hasn't. Worse, most of its early effects have been negative. For example,

Go to Full Article

Now Is the Time to Start Planning for the Post-Android World

Glyn Moody — Mon, 08 Oct 2018 11:30:00 +0000

by Glyn Moody

We need a free software mobile operating system. Is it eelo?

Remember Windows? It was an operating system that was quite popular in the old days of computing. However, its global market share has been in decline for some time, and last year, the Age of Windows ended, and the Age of Android began.

Android—and thus Linux—is now everywhere. We take it for granted that Android is used on more than two billion devices, which come in just about every form factor—smartphones, tablets, wearables, Internet of Things, in-car systems and so on. Now, in the Open Source world, we just assume that Android always will hold around 90% of the smartphone sector, whatever the brand name on the device, and that we always will live in an Android world.

Except—we won't. Just as Windows took over from DOS, and Android took over from Windows, something will take over from Android. Some might say "yes, but not yet". While Android goes from strength to strength, and Apple is content to make huge profits from its smaller, tightly controlled market, there's no reason for Android to lose its dominance. After all, there are no obvious challengers and no obvious need for something new.

However, what if the key event in the decline and fall of Android has already taken place, but was something quite different from what we were expecting? Perhaps it won't be a frontal attack by another platform, but more of a subtle fracture deep within the Android ecosystem, caused by some external shock. Something like this, perhaps:

Today, the Commission has decided to fine Google 4.34 billion euros for breaching EU antitrust rules. Google has engaged in illegal practices to cement its dominant market position in internet search. It must put an effective end to this conduct within 90 days or face penalty payments.

What's striking is not so much the monetary aspect, impressive though that is, but the following: "our decision stops Google from controlling which search and browser apps manufacturers can pre-install on Android devices, or which Android operating system they can adopt."

Go to Full Article

FOSS Project Spotlight: Pydio Cells, an Enterprise-Focused File-Sharing Solution

Italo Vignoli — Fri, 13 Jul 2018 14:20:00 +0000

by Italo Vignoli

Pydio Cells is a brand-new product focused on the needs of enterprises and large organizations, brought to you from the people who launched the concept of the open-source file sharing and synchronization solution in 2008. The concept behind Pydio Cells is challenging: to be to file sharing what Slack has been to chats—that is, a revolution in terms of the number of features, power and ease of use.

In order to reach this objective, Pydio's development team has switched from the old-school development stack (Apache and PHP) to Google's Go language to overcome the bottleneck represented by legacy technologies. Today, Pydio Cells offers a faster, more scalable microservice architecture that is in tune with dynamic modern enterprise environments.

In fact, Pydio's new "Cells" concept delivers file sharing as a modern collaborative app. Users are free to create flexible group spaces for sharing based on their own ways of working with dedicated in-app messaging for improved collaboration.

In addition, the enterprise data management functionality gives both companies and administrators reassurance, with controls and reporting that directly answer corporate requirements around the General Data Protection Regulation (GDPR) and other tightening data protection regulations.

Pydio Loves DevOps

In tune with modern enterprise DevOps environments, Pydio Cells now runs as its own application server (offering a dependency-free binary, with no need for external libraries or runtime environments). The application is available as a Docker image, and it offers out-of-the-box connectors for containerized application orchestrators, such as Kubernetes.

Also, the application has been broken up into a series of logical microservices. Within this new architecture, each service is allocated its own storage and persistence, and can be scaled independently. This enables you to manage and scale Pydio more efficiently, allocating resources to each specific service.

The move to Golang has delivered a ten-fold improvement in performance. At the same time, by breaking the application into logical microservices, larger users can scale the application by targeting greater resources only to the services that require it, rather than inefficiently scaling the entire solution.

Built on Standards

The new Pydio Cells architecture has been built with a renewed focus on the most popular modern open standards:

Go to Full Article

Let's Solve the Deeper Problem That Makes Facebook's Bad Acting Possible

Doc Searls — Fri, 08 Jun 2018 14:16:07 +0000

by Doc Searls

Finding that Facebook has "data sharing partnerships" with "at least sixty device makers" is as unsurprising as finding that there are a zillion ways to use wheat or corn. Facebook is in the data farming business.

Remember that the GDPR didn't happen in a vacuum. Bad acting with personal data in the adtech business (the one that aims advertising with personal data) is the norm, not the exception.

This is why the real fight here is not just for privacy. It's for human agency: the power to act with full effect in the world. The only way we get full agency is by operating as first parties at scale across all the entities we deal with online. THEY have to agree to OUR terms.

For that we need standard ways to signal what's okay and what's not okay, and to reach agreements on our terms, as first parties. It is as second parties that we click "accept" dozens of times every day, acquiring cookies with every one of those clicks, each recording certifications of acquiescence rather than of consent.

With full personal agency, the whole consent system goes the other way, at scale.

This is both long overdue and totally do-able, with work already started.

If you're interesting in doing it, let me know.

Bonus link: https://youownitdownloadit.com/, which I was briefed about this morning.

Go to Full Article

An FUQ for the GDPR

Doc Searls — Thu, 24 May 2018 14:49:23 +0000

by Doc Searls

I started writing this on Privmas Eve: the day before Privmas, aka GDPR Day: the one marked red on the calendars of every company in the world holding an asset the GDPR has suddenly made toxic: personal data. The same day—25 May—should be marked green for everyone who has hated the simple fact that harvesting personal data from everybody on the internet has been too damned easy for too damned long for too damned many companies, and governments too.

Whether you like the GDPR or not (and there are reasons for both, which we'll get into shortly), one thing it has done for sure is turn privacy into Very Big Deal. This is good, because we've had damned little of it on the internet and now we're going to get a lot more. That's worth celebrating, everybody. Merry Privmas!

To help with that, and because 99.99x% of GDPR coverage is about what it means for the fattest regulatory targets (Facebook, Google, et al.), here's an FUQ: some Frequently Unasked (or Unanswered) Questions about the GDPR and what it means for you, me and everybody else who wants to keep personal data personal—or to get back personal data those data farmers have already harvested. (The GDPR respects both.)

A note before we begin: this is a work in progress. It's what we know about what's now possible in a world changed by the GDPR. And "we" includes everybody. If you want to help, weigh in. For some guidance on this, see Privacy is still personal. Also our Privacy Manifesto, still in draft form. Here goes...

Why do we have the GDPR?

The GDPR is a privacy regulation. We have it because technologists failed to develop personal privacy technologies that could be widely used, and in turn drive norms, and regulation based on those norms.

In other words, the regulatory cart got ahead of the development horse.

Yes, we do have some privacy tech, for example crypto, onion routing, and tracking protection. But these are wizards' tools. Muggles hardly know about them. So there are no norms here. We attempted to create a standard way to signal the need for sites to at least respect our human dignity, with Do Not Track. But the "interactive" advertising business and its dependents killed it, causing ad blocking to skyrocket. (Some history.)

And now we have the GDPR. Hopefully it will spur the development, widespread adoption and respect for personal privacy tech and norms online. Maybe then the tech and norms horses will get back in front of the regulatory cart.

Go to Full Article

Cookies That Go the Other Way

Doc Searls — Mon, 21 May 2018 14:39:31 +0000

by Doc Searls

[24 May 2019: A year after I wrote this post, Global Consent Manager an indirect descendant of the work described below, is in the world and doing the job. Check 'em out.]

The web—or at least the one we know today—got off on the wrong hoofs. Specifically, I mean with client-server, a distributed application structure that shouldn't subordinate one party to an other, but ended up doing exactly that, which is why the web today looks like this:

Clients come to servers for the milk of HTML, and get cookies as well.

The original cookie allowed the server to remember the client when it showed up again. Later the cookie would remember other stuff: for example, that the client was a known customer with a shopping cart.

Cookies also came to remember fancier things, such as that a client has agreed to the server's terms of use.

In the last decade, cookies also arrived from third parties, some for site analytics but mostly so clients could be spied on as they went about their business elsewhere on the web. The original purpose was so those clients could be given "relevant" and "interest-based" advertising. What matters is that it was still spying and a breach of personal privacy, no matter how well its perpetrators rationalize it. Simply put, websites and advertisers' interests end at a browser's front door. (Bonus link: The Castle Doctrine.)

Thanks to the EU's General Data Protection Regulation (GDPR), which comes into full force this Friday, that kind of spying is starting to look illegal. (Though loopholes will be found.) Since there is a world of fear about that, 99.x% of GDPR coverage is about how the new regulation affects the sites and services, and what they can do to avoid risking massive fines for doing what many (or most) of them shouldn't have been doing in the first place.

But the problem remains structural. As long as we're just "users" and "consumers," we're stuck as calves.

Go to Full Article

The GDPR Takes Open Source to the Next Level

Glyn Moody — Wed, 02 May 2018 12:00:00 +0000

by Glyn Moody

Richard Stallman will love the new GDPR.

It's not every day that a new law comes into force that will have major implications for digital industries around the globe. It's even rarer when a such law will also bolster free software's underlying philosophy. But the European Union's General Data Protection Regulation (GDPR), which will be enforced from May 25, 2018, does both of those things, making its appearance one of the most important events in the history of open source.

Free software is famously about freedom, not free beverages:

"Free software" means software that respects users' freedom and community. Roughly, it means that the users have the freedom to run, copy, distribute, study, change and improve the software. Thus, "free software" is a matter of liberty, not price. To understand the concept, you should think of "free" as in "free speech," not as in "free beer".

Richard Stallman's great campaign to empower individuals by enabling them to choose software that is under their control has succeeded to the extent that anyone now can choose from among a wide range of free software programs and avoid proprietary lock-in. But a few years back, Stallman realized there was a new threat to freedom: cloud computing. As he told The Guardian in 2008:

One reason you should not use web applications to do your computing is that you lose control. It's just as bad as using a proprietary program. Do your own computing on your own computer with your copy of a freedom-respecting program. If you use a proprietary program or somebody else's web server, you're defenseless. You're putty in the hands of whoever developed that software.

Stallman pointed out that running a free software operating system—for example Google's ChromeOS—offered no protection against this loss of control. Nor does requiring the cloud computing service to use the GNU Affero GPL license solve the problem: just because users have access to the underlying code that is running on the servers does not mean they are in the driver's seat. The real problem lies not with the code, but elsewhere—with the data.

Go to Full Article

May 2018 Issue: Privacy

Carlie Fairchild — Tue, 01 May 2018 18:57:47 +0000

by Carlie Fairchild

Most people simply are unaware of how much personal data they leak on a daily basis as they use their computers. Enter our latest issue with a deep dive into privacy.

After working on this issue, a few of us on the Linux Journal team walked away implementing some new privacy practices--we suspect you may too after you give it a read.

In This Issue:

Data Privacy: How to Protect Yourself
Effective Privacy Plugins
Using Tor Hidden Services
Interview: Andrew Lee on Open-Sourcing PIA
Review: Purism's Librem 13v2
Generating Good Passwords with a Shell Script
The GDPR and Open Source
Getting Started with Nextcloud 13
Examining Data with Pandas
FOSS Project Spotlights: Sawmill and CloudMapper
GitStorage Review
Visualizing Molecules with EasyChem

Subscribers, you can download your May issue now.

Not a subscriber? It’s not too late. Subscribe today and receive instant access to this and ALL back issues since 1994!

Want to buy a single issue? Buy the May magazine or other single back issues in the LJ store.

Go to Full Article

What's the Geek Take on the GDPR?

Doc Searls — Mon, 12 Mar 2018 15:19:52 +0000

by Doc Searls

Let us know how the GDPR is affecting your work.

The amount of geekery and hackage required to bring companies into compliance with the EU's General Data Protection Regulation (aka GDPR) must be huge. I say that for five reasons:

The fines for violating the regulation's rules are attention-forcing (up to 4% of global turnover in the prior fiscal year).
The deadline for compliance is May 25, 2018, just 77 days from now.
Nearly every booth at every tradeshow I've been to in Europe during the last year or so features the GDPR in its promotional verbiage. (The image above is courtesy of the PORT.im booth at the PIE 2017 conference last November in London.)
Many (maybe all) the developers I know and work with are busy addressing the GDPR as a Big Issue.
All that compliance stuff must require a lot of new technical work.

So I'm looking to get some perspective on this from geeks doing that work, and from others who simply know about it and have useful tings to say. If you're in either group, please weigh in on the comment stream below. Thanks!

Go to Full Article