G.D.P.R.
Read the below article for a brief outline.
Note that point 4 accurately describes what will probably happen, because companies/organisations will try to get away with paying lip service to the legislation but evade complying with its spirit: technically, they will comply with the letter of the G.D.P.R. but, if the choice is to either agree or else not make use of the service/site/resource in any way, then that is no choice at all and the provisions of the G.D.P.R. are not being met except insofar as the user has the option to not be a user of the site/service/resource at all.
So, insist that the spirit of the legislation is adhered to as well before you make use of such services: contact the service/site/resource providers and insist upon an alternative if they wish to retain your custom/patronage.
Also note, for instance, that support requests to Medium itself are handled by medium.zendesk.com, not <something>.medium.com, so a third party (at zendesk.com) is handling your data as well as Medium.
Support requests to Medium also require you to allow Google to act as a ‘middle man’ in your relationship with Medium (most notably via Google Analytics) as you must complete an ‘I Am Not A Robot’ task before you may submit one.
Below are the requirements for the Medium ‘Help’ page — unless you block them in some way, these elements interact with your account before you do anything more than simply view it.
The numbers represent how many of each resource type are present.
The ‘cookie’ type includes not only cookies but any local storages (as browser API allows) — i.e. Long Term Storage Objects (like Flash cookies, ‘ever’ cookies and ‘super’ cookies).
The ‘css’ type includes stylesheets and fonts.
The ‘image’ type is self-explanatory.
The ‘media’ type includes audio (<audio>), video (<video>) and plugins (<object>, <embed>).
The ‘script’ type is self-explanatory.
The ‘XHR’ type is of particular concern. At the risk of overwhelming you with science, as it were, read this description. Basically, it’s what is known as a ‘cross-host reference’ because it allows data to be pulled from any server, anywhere, not just the webserver serving the page you are looking at. What this means is that you think you are looking at a page served from medium.com but in fact, you are looking at a page served from medium.com and one or more servers that are (potentially) owned/run by one (or more) unnamed third parties; the page I am writing this article on, for instance, contains twenty-eight (28) such XHR elements and, as I’ve explained before, you have no way of knowing what they are or what they do (N.B. I’ve updated that story since I first wrote it, so it’s worth casting an eye over, even if you’ve read it before). As much as anything else, this is a way of delivering XSS (cross-site scripting) … which is another thing you don’t want anyone to do in your browser.
The ‘frame’ type includes embedded documents (<iframe>, <frame>) — these are a really bad idea, have been the source of a lot of malware infections over the years and it has been recommended, for a very long time indeed now, that iframes in particular be blocked by default in your browser/internet settings.
The ‘other’ type includes everything which does not fit in previous types: beacons, CSP reports, ping, Web App Manifest, XBL, DTD, XSLT, and other unspecified types.
And here is the NoScript report …
So, what does the ‘Support’ page look like?
There’s a good chance that the elements on both pages are identical but note that p6.zdassets.com is no longer part of the picture. That may well be insignificant but, equally, it might mean that it has already done what is required of it before you got as far as the support page and it’s already too late, as it were — any ‘damage’, so to speak, already done.
Also, what scripts are being run by/on behalf of Google here … and, more significantly, why? I’m using Medium’s support service — what’s it got to do with Google?
What about CAPTCHA?
Quite apart from the ‘I Am Not A Robot’ task to be completed before you may submit a support request, when you want to log in to Medium via email rather than with a Facebook/Google/Twitter account (and, whatever you do, if you value privacy, don’t log in via one of those), you have to complete a CAPTCHA … sourced via Google — presumably the reason for the aforementioned scripts.
How does that adhere to the G.D.P.R.?
Now let’s look at those elements about which you might think “so what?”
You load a webpage into your browser and it loads some images. That’s safe, isn’t it?
Not really, no. Websites have, for a number of years now, relied upon large third parties for content delivery, via their CDN (Content Delivery Network) services.
This means that, when you load the page, a large number of resources (including images) are pulled from the CDN and … surprise, surprise … that means that the CDN almost certainly logs a lot of information for its own purposes — what resources, when, by whom, from where, etc. … all of which chip away a little bit more at your privacy.
From the Decentraleyes wiki/FAQ:
Can CDNs track me even though they do not place tracking cookies?
Absolutely. Requests to Content Delivery Networks contain the "Referer" HTTP header (originally a misspelling of referrer) that reveals what page you're visiting. Techniques like IP address tracking and browser fingerprinting can then be used to associate the aggregated data with your identity.
My browser caches downloaded CDN libraries, doesn't that protect my privacy?
Sadly, no. Even if the file in question is stored inside of your cache, your browser might still contact the referenced Content Delivery Network to check if the resource has been modified.
All those google-analytics, node.js, gstatic.com, fonts.googleapis, googleapis.com, aws.<something>, <something>.aws, azure, .s7 references … every one of those tells the provider of that service/resource who needs access to them, when, where, what page they are viewing, what page they were viewing before that, what pages they visit afterwards and all kinds of useful extras hidden behind the scripts and css elements they deliver along with images, videos, audio, pdf files, buttons, widgets, Facebook ‘like’ buttons, Twitter ‘share’ buttons, beacons, you name it, the list keeps growing by the day.
Have a look at the list of common (not all) CDNs here and think about how many of them log all the references and what information they might be mining about you from your browsing habits.
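One way to measure the exposure described in the FAQ above for any page you visit, as an added example that is not from this article or from Decentraleyes: it reads a HAR capture (as exported from browser developer tools) and reports, per third-party host, how many requests of each type it received, how many carried a first-party Referer and how many were cache revalidations. The `_resourceType` field is a Chrome DevTools extension to HAR; the sample capture, its hosts and the function names are constructed for illustration.

```javascript
// Maps Chrome's HAR `_resourceType` values onto the type columns described above.
const TYPE_COLUMN = {
  stylesheet: 'css', font: 'css', image: 'image', media: 'media',
  script: 'script', xhr: 'XHR', fetch: 'XHR', websocket: 'XHR', document: 'frame',
};

// Assumption: first-party means the page host or one of its subdomains.
// A production tool would compare registrable domains (Public Suffix List).
const isThirdParty = (host, pageHost) =>
  host !== pageHost && !host.endsWith('.' + pageHost);

function header(request, name) {
  const h = (request.headers || []).find(x => x.name.toLowerCase() === name);
  return h ? h.value : undefined;
}

function auditHar(har, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const report = {};
  for (const { request, _resourceType } of har.log.entries) {
    const host = new URL(request.url).hostname;
    if (!isThirdParty(host, pageHost)) continue;
    const row = report[host] = report[host] || { types: {}, refererLeaks: 0, revalidations: 0 };
    const column = TYPE_COLUMN[_resourceType] || 'other';
    row.types[column] = (row.types[column] || 0) + 1;
    // A Referer naming the first-party site tells this host what page is being viewed.
    const referer = header(request, 'referer');
    if (referer && !isThirdParty(new URL(referer).hostname, pageHost)) row.refererLeaks++;
    // A conditional request still contacts the host even when the file is cached.
    if (header(request, 'if-none-match') || header(request, 'if-modified-since')) row.revalidations++;
  }
  return report;
}

// Constructed sample capture; every host here is a placeholder.
const PAGE = 'https://help.example.org/hc/en-us';
const req = (url, type, headers = {}) => ({ _resourceType: type, request: {
  url, headers: Object.entries(headers).map(([name, value]) => ({ name, value })) } });
const SAMPLE_HAR = { log: { entries: [
  req('https://static.help.example.org/app.css', 'stylesheet', { Referer: PAGE }),
  req('https://cdn.example.net/lib.js', 'script', { Referer: PAGE, 'If-None-Match': '"abc"' }),
  req('https://cdn.example.net/font.woff2', 'font', { Referer: PAGE }),
  req('https://captcha.example.com/api.js', 'script', { Referer: PAGE }),
  req('https://captcha.example.com/anchor', 'document', { Referer: 'https://help.example.org/' }),
  req('https://stats.example.com/collect', 'xhr'),
] } };

console.log(JSON.stringify(auditHar(SAMPLE_HAR, PAGE), null, 2));
```

To run it on a real capture, export a HAR from the developer tools' network panel and pass the parsed JSON with the page's URL to `auditHar`.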
Think you’re relatively safe on Medium, do you? What happens when you view a publication here — where do they draw their resources from?
And the page I’m writing this on draws sixty-one (61) objects from XHR sources along the way. Sure they’re probably all from Medium’s own CDN, but I don’t know that … in reality I have no idea whatsoever — and is Medium’s CDN in-house or does it outsource storage to the ‘cloud’ (like AWS, for instance)?
Add the matter of canvas fingerprinting to the mix and you start to get some idea of the problem: all these elements add up to a huge invasion of privacy that has become such a fundamental part of the Web today that untangling it all might be akin to trying to extract the eggs from a cake after it has been baked.
Unlike the cake, the individual elements of the Web can be unravelled and new technologies implemented to replace them but the point is that this has been going on for so long that even something like the G.D.P.R. isn’t going to fix it. At most, E.U. companies will be founded to offer the same services: Facebook (Europe) Ltd., Google (Europe) GmbH, Twitter (Europe) et Cie. and so forth … the data ‘anonymised’ and, yeah, right — there’s no such thing as anonymous data.
I have to block canvas fingerprinting attempts by Medium on a not infrequent basis ¹ — daily at least, if not multiple times daily (it depends upon how many ‘publications’ I view).
So …
As the World Economic Forum article mentioned, you may notice pop-ups appearing in your browser or emails asking you to agree to a company’s new privacy policy or terms of service.
Do not simply agree to these. If you do so, you are simply saying that you agree with U.S. companies ignoring E.U. legislation designed to protect your rights.
Instead, email them and insist that they offer you alternatives that are in keeping with the legislation. Insist that any third party resources are compliant — including CAPTCHAs, support services (you don’t want your data held by <anyone at all, thank you very much>.zendesk.<anywhere outside the E.U.>), CDNs, the works.
It will take a while but, if enough people do it … often enough … then, eventually, they will have to take heed and do so — because their customers are demanding it.
Otherwise they will simply attempt to do what one company did in Germany, at which a friend of mine was a senior manager, and ignore them because they don’t understand that the rest of the World is subject to different laws ².
Remember, the ball for this legislation started rolling long before the recent Facebook/Cambridge Analytica scandal, because it was already recognised that things had gone too far over two years ago (cf. the case brought by Max Schrems that resulted in the Safe Harbor agreement being declared null and void). It is designed to protect you from that and also such things as organisations like (the oh, so careful with the data ⁵) Equifax building life-changing dossiers on you without your consent.
Don’t let them ignore it or get away with paying lip service to it — remind them that, as I recently mentioned, 4% of global revenue multiplied by every E.U. citizen affected is a whole load of bankruptcy.
And remember, whilst the U.S. may be the most obvious offender when it comes to privacy matters, it’s not the only one and the G.D.P.R. is designed to protect you wherever your data is gathered (from China to Russia and even within the E.U. itself) — make sure you inform every service you use of your expectations.
—
¹ I could set a permanent rule and spare myself the inconvenience, but prefer to be alerted to the fact that it’s happening — that way I know when and where attempts are being made … and by whom.
² The company was bought out by a U.S. business that wanted to capture usage data for the European intranet. It attempted to add Google Analytics tools to the Intranet. Upon being informed by the Legal department in Germany that that was not an option and supplied with the relevant E.U. legislation, the U.S. company lawyers tried to make amendments to the legislation by crossing things out and adding things to it — they didn’t understand that E.U. legislation is not subject to the whims of U.S. legislators and that the company’s options were limited to either a) adhering to E.U. law or else b) not doing business in the E.U. at all ³.
³ This is what all the fuss was/is about with the Transatlantic Trade and Investment Partnership (TTIP) trade agreement; in particular the fact that the Investor-State Dispute Settlement (ISDS) would allow (notably U.S.) corporations to demand compensation for having to abide by the laws implemented by democratically elected governments — which is basically a means by which U.S. companies can effectively re-write E.U. legislation as and when they see fit or else make the citizens of the E.U. pay the U.S. for the privilege of making their own laws ⁴.
⁴ As I’m sure you can imagine, an awful lot of people outside the U.S. are of the opinion that that would be a step too far.
⁵ N.B. the Yahoo breach was ultimately determined to have affected 3 billion accounts, not the previously declared 1 billion mentioned in the article.