It’s been one year since GDPR became the law of the land for standard-bearers in the privacy industry. For all the saber-rattling and scrambled planning, it might feel like it’s been a surprising non-event in the world of web development. Even though the dust has settled, there’s still plenty going on, and plenty to come. This week we look at what’s happened the last twelve months and why it’s not time to take our foot off the gas just yet.
- About the California Consumer Privacy Act
- CSS-Only Chat
- A Designer’s Guide to GDPR
- Europe’s sweeping privacy rule was supposed to change the internet, but so far it’s mostly created frustration for users, companies, and regulators
- How Is the GDPR Doing?
- Majority of companies still aren’t GDPR-compliant
- Privacy professionals begin to look back at year one of the GDPR
- Representatives under Art. 27 of the GDPR: All your questions answered
- The State of GDPR, One Year Later
- The Status of the GDPR As the One-Year Mark Gets Closer
- What does GDPR mean for UX?
- Why GDPR remains challenging, one year in
The following is a machine-generated transcript of this episode. I will contain errors until it has been reviewed and edited, and we apologize for the difficulty that may cause for screen readers. Do you want to help us speed up our transcribing process? Consider sponsoring an episode.
Everybody you’re listening to the drunken UX podcast? This is episode number 36 GDPR launched and I
am your host Michael fienen. I’m a co host Aaron Hill. Welcome
I you know I I’ve been thinking about this Aaron and we’ve talked about it a lot and I think the the trick is I need to stop introducing myself as the host. I should also that I am one of your co hosts Michael fienen. That way it levels that playing field, right? We’re not hosting co
it’s like, it’s like that episode of The Office when when you have Jim and Michael and they’re both managers and like Mike Michael handles the big picture ideas, and Jim handles the day to day stuff.
If you’re listening this week, you should thank our sponsors over at New cloud run by their firstname.lastname@example.org slash drunken UX that will let them know that you heard about them from us and make that all be worthwhile and we would appreciate it but they do good stuff, maps and things. Such.
This is a good drink. Be sure to connect with us on Twitter and facebook.com slash dragon UX. And also on Instagrams trek new x podcast and drinking our slack comm slash slack. Come sign up and chat with us in slack. You can ask us questions.
I if you’re following us on Instagram I’m actually recording this episode on the microphone that I shared on there this week. I find a nice my god like I got my holy grail microphone Finally, which was sure SM seven be you chose wisely. I have wanted one for a long time. It just randomly came up for sale locally from a fella and had to snatch it up. So we’ll see how this sounds. Hopefully everybody enjoys it. If it sounds like garbage when I get it out of the mix, then I guess he’ll just have to suffer me for an episode until I switch back but I like it. So I’m departing a little bit from my normal drink this evening. I I don’t I like bourbon, but I’m picky. I’m still like, you know, finding the Bourbons I like and I don’t like jack daniels. I don’t like jack daniels. Unknown Speaker But
I have a bottle of gentlemen jack. Because it came highly recommended to me and I must say it is quite excellent. It’s not super like interesting, necessarily. Like it’s it’s a What does the band here say? It says it is double mellowed. And I feel like that is probably a relatively accurate way of describing this. Like, it’s just sort of kick back. Relax. You know, it’s not super fancy. It’s not super crazy, but you can definitely enjoy a glass.
They play Grateful Dead in the story. Well, let’s just tell me.
I feel like that probably is not part of their culture. But sure. Yeah, okay. What Yes, drink. You have a drink. What do I do? I have
it’s a it’s an experiment. And it’s actually not bad. I took some 1800 tequila coconut flavored, and I mixed it with some Bailey’s. And sounds like a weird drink combination. But it’s it’s actually not bad.
Um, did it curdle, when you mixed
it together? They didn’t. Surprisingly, the coconut flavor in this 1800 is pretty strong. So it um, you know, coconut has kind of like, it has the same kind of like, shape sort of as like a vanilla like it’s like big open waiver and the went well with the the Irish dream. So it’s
a cement mixer is isn’t a cement mixer, tequila and and oh, cream, is it?
that hurdle though. Yeah, that’s why I was asking maybe a vodka? I don’t know.
No, this didn’t curl. I mean, it’s it’s there’s no like particulate matter in it at all.
Fair enough. If you like it, that’s all that really matters.
Yeah. I would drink it again. You were telling me
earlier today about this chat. I say chat software, quote unquote.
It’s not. Okay. So it’s circled. It went through the Twitter’s. And then someone on my work slack posted it. And I was like, Oh, I know that guy. So it’s this guy, Kevin, and I don’t know how to pronounce his last name. But he actually worked on my tech based project at Ruby by the bay last month. And it’s very cool, dude. Very good developer, he made this thing. And it’s a CSS only, well, HTML and CSS only chat tool. It’s like bi directional communication. Using just CSS, it uses stuff that we kind of talked about before with the background image, kind of hacking its way like smuggling data, excellent trading through background image. And you have here in the show notes, Ian Malcolm, and on on the GitHub repo. He actually has that exact in Malcolm GIFs.
Yeah, I made the joke earlier. And we’re talking about and then I went and looked at his read me and I’m like, oh, you’re already beat me to that choke? Though your scientists were so preoccupied with whether or not they could they never stopped to think if they should?
Yeah, because I’ve
made this argument before with some of this stuff. That’s, you know, it’s sort of the the proof of concept CSS sort of things like the one thing I always remember is the guy that made Homer Simpson in only CSS. Okay. And like it, it looked good. It looked correct. And but it was, you know, this huge thing of like, Dibs, crazy CSS, it’s like, you would never make an image that way, that is not a thing you would do. Right, right. And I used to always think about it in those terms. And I’ve kind of as I’ve gotten older, and more mature about it, it’s become one of those things, I realized that it’s an exercise, it’s not about the result. It’s about how you got there and practice it takes to do that.
Do you know the this is is isn’t in our show notes, but it’s kind of related. Do you know the story about the the inverse square calculation they did in the quick game? Remember that?
Man, I haven’t had a math class since college?
Okay, it’s like if you’re calculating distance right there, you have to do some business square root calculations to calculate distance. But I want to say it was john Carmack. But I might have been, might have been one other devils, but one of the devils in the quake team figured out that you could approximate a square root by using the bit shift operator. And so and so the pitch of operator is an x86 instruction. So it’s super fast. And it’s it’s close enough and have an approximation, that it gets you a good answer. So it allowed really complicated distance calculations to be done in a lot of different places. Very quickly, which made the game awesome. I mean, a lot of things made the game awesome. But that added to the awesomeness. Yeah, so But I mean, I’m sure that started as like, oh, check this out. Look, if they do this, you can basically do the distance calculation. That’s Yeah.
That the thing that just came up the other day that I’ve that this made me think of and and this application of these ideas. So this guy, rich Harris, he’s on the New York Times. He’s on their investigations team, and they have this article on Trump’s taxes. All the politics aside, if you’re into web development, will have a link to this in the show notes. Go look at the article, scroll down about a third of the way. There’s a bar graph.
this is a bar graph with a it’s the bars are aligned along along an X axis, but they go down. Yeah. And what they did was they built this bar graph with the story text blowing around the bars, to really the explanation was that it was to really kind of accentuate the because the scale, is
it towards the end, it gets pretty big.
Yeah, yeah, it’s, it’s a case of where the bar graph itself, like at one end, it’s, you know, it’s pretty shallow, and then you start getting really, really long, and it would take up a ton of vertical space. Yeah, and you have a lot of white space, then on the left hand side. So they came up with this idea, using a bar graph. Now the bar graph is done with like SV GS and stuff. You can go into that if you want to. But what they figured out was, by using a little bit of CSS overflow, which isn’t a big deal, but using then before pseudo selectors and a fancy shape outside, saying, they basically made a clipping path along the overflowed section of the chart to make it look like and this is really exactly what you were just saying here. Yeah, it’s not flowing around the bar graph, right, flowing around the clip path they created, right, which just happens to approximate the shape of right, our graph line close enough that it looks correct. Yeah. So it’s like, it isn’t the exact they probably, you know, it’s not the way it would look if it was a perfect kind of low. But yeah, it’s certainly the kind of outcome that you would want from that. And it’s that kind of like, it’s a super creative solution to making that text flow in a way that isn’t just, you know, cut off, or floated.
Back in the mid 2000s, we did a similar trick called idea of sandbags. And I don’t have the link, because I don’t think the blog is up anymore, but I guess I could walk. But it was essentially you had like an image that had, maybe it was right aligned. And then the left side of the image had kind of a curvy profile. And so you would stack gives that were floated towards the side that the image was on, and just a varying width. And they would all be like, you know, float. Right? Clear, right? And so it just be like a series of boxes of varying width, and then the text would, you know, flow around those. And it was it was kind of cool. Like it gave it a neat, like visual appeal. That was non nonlinear.
You were basically creating a really low resolution outline. Yes,
yes, exactly. The edges. Not nearly as cool as this.
The chat thing reminds me a lot to have that the old malicious CSS story, remember? Yeah, right. People use it figured out, you could use CSS to track people, right? Because of, you know, using the background images and things like that, that you could create behavior triggers, basically. And that’s, that’s kind of what the CSS chat is doing. It’s exploiting the same kind of technique, just not maliciously, but that is how the if you go in and read the GitHub that will have linked he’s got in the read me like kind of how it works. And we sat here ourselves and, and mulled over, its I kept reading it. And I kept saying over and over. That doesn’t work that way.
But it does, because it’s really almost novel The way they accomplished it by leaving the page in a loading state, Ryan, because I was like, Oh, I see how they’re receiving data. But like, you can’t send it CSS doesn’t send data, right? Does. They use a server sitting in the middle of that to translate these GET requests and feed it to both pages that are receiving data? It’s real wild, quite frankly,
there was there was a I think we mentioned this before, maybe on the last time we talked about this stuff, there was a thing where someone would take like an animated GIF, and they would, they would send it down to the user. But then it would be sent without the terminating bytes in the life. So like, and they would use that as an open channel to send out data. And it was basically like creating an open socket connection with the browser. Using this image time.
One of these days, somebody gonna message us and be like, you guys are idiots. You’re now I want to design a shirt. For us. It’s just like Jay Z across.
I always spell it whenever I saw it on Twitter, I always thought z h. o like rhymes with wife,
Jai for life. So if you’re interested in all of this stuff, the CSS hover, how data is getting passed back and forth and all of this. There was one other guy that you found Aaron that Oh, yeah, it was just Davey on Twitter.
Yeah, maybe WTF. He was, it was linked. It was the the Kevin on the GitHub, Kevin says that this is the person that inspired the idea. And he basically did essentially the same thing, but tracking your mouse position by seeing what you’re hovering over. And then just having a big grid of dibs on the page. And then, when you hover over an image, it’s it makes a call to in a background image that makes it GET request with the coordinates. Yeah, it
it when you see because he’s got a video of this in action. And that was where the light bulb went off for me for ya how the chat was accomplishing. Right? Right. Seeing it done, like unit directionally, then made Yeah, make sense by directionally. So go go check that out. It’s, it’s cool. It’s absolutely not usable, like you would never, in your life build a chat system this way. It is purely proof of concept. But it’s I could see like no experiment. Maybe other data being transferred. This I don’t know. Like, I think that if it says have an application, that’s going to be something kind of maybe oddball, or haggis, or dangerous. Yeah, problem. I mean, probably dangerous. That’s why we say like all of this reminded me of the militia tracking stuff. And that’s I don’t like that.
Cool stuff, though. Thank you, Kevin.
I want to get into our main topic first, by doing one of these standard boilerplate disclaimers that I am not a lawyer, Aaron, is definitely not a lawyer, my God, put a shirt on once in a while, man, we we are not giving you legal advice. The bar exam that we take is not
not the barrister exam.
That’s clever. I like that. But we are going to be talking about GDPR. Tonight, it is the one year anniversary of the launch of GDPR on May 25. And so we wanted to take this time, we had Episode 11 was when this first came up, that was on right it was May 28 of last year. So GDPR had just launched. And so we were like, Hey, here’s a bunch of stuff. So you can get started. And now is one year later. And so I thought it would be neat to sit down and kind of look at some of what’s come out since then, where we are at and where you should be as a developer. So and I will apologize in advance because this will be more of a policy show for lack of a better term. But if you want to jump in the later in the show and just get the dictionary bits, but you should listen to the whole you should listen to the whole thing. I think Yeah, there will be definitely agree Michael
will surely make some funny jokes in the first half.
Thank you for giving me that opportunity.
there’s a quote in a CNBC article I came across, which is kind of what said, Oh, yeah, we need to talk about this because it’s it’s funny. It is that among some consumers, GDPR is perhaps best known as the bothersome series of rapid fire. Privacy notices. Those astronomical fines have failed to materialize. The law has created new bureaucracies within corporations and with those tension and confusion. And it’s unclear if the EU data authority that oversees the law is adequately staffed to handle demands. Like it. The thing is, just like Mike Tyson coming into the ring, middle finger to GDPR. It’s like this thing sucks for everybody.
It says it’s like, it’s like if Iris didn’t exist before, and then suddenly it does, and it has like three people working. And they’re like, All right, everybody send us money.
Oh, yeah. And that has been a big part of the problem. And we’ll get into this a little bit more here in a little bit that staffing is a problem, quite frankly. And it’s in part because you’re trying to staff up, not just hit the companies, but within the government organizations for something that didn’t exist before 2016. And so corporations are going to lawyers and asking how do we comply with this? There aren’t a lot of lawyers that know it? Well, and the lawyers that just read it and try to interpret it are don’t understand. They don’t have have somebody to go to to ask questions, because most of the places are already, you know, getting buried by actual work related to this. Right? It has created a big problem. So there’s this article from the International Association of privacy professionals say that three times fast, but I sure as hell can’t.
People in popsicles,
they they put out an article looking at one year of this, and one of the things that they noted is that a lot of the problems and challenges folks have faced with GDPR have been very logistical in nature, not technical, not like on the development side. It’s it’s problems with like, Who needs to know what collect what and have access to what,
which is to go on the side of the people serving content or logistical on the side of I’m Mike the consumer. Yes. Okay. A lot
of these issues do very much cross apply, as far as you know, where the where the problems lie. And it makes for an interesting tug of war over whose needs went out. Now, folks in the EU and in the GDPR offices would tell you, the consumer always wins out in these in these arguments, because, man, there was there was a good quote on this in one of the articles in the show notes, but I couldn’t tell you which one, but it’s this idea that businesses don’t exist to process data. They they process data to do business.
It’s, it’s it’s sort of like that. But it’s this idea that the businesses need to come to this realization that they can’t just hoard all this data on the hopes that they may need it later kind of thing is right driving it right. Even though a lot of businesses do work in that mentality. And sometimes they don’t even realize they’re doing that, you know, sometimes they’re collecting data, just because they think it’s reasonable.
Well, you know, I remember When, when, when I was at Cornell, and we first rolled out Google Analytics, know, when we didn’t have anyone to use it. Like, no one was asking for it or anything, but it was just like, we might as well collect this data. And I think it was like two or three years before anyone asked for it. Yeah. So
but and so a corollary question to this head that is getting raised at a lot of places is, how do you adapt? Not the technology, but the business processes? You know, there are a lot of organizations and I’m even with our company, where I work at one of the big challenges has been this idea of getting everybody to understand that we can’t just collect all the information we want, because we want it and we can’t keep it if we’re not using it. Those go against GDPR. And right as a as a consequence, it’s leaving, especially marketers, because marketers, at least US based marketers aren’t thinking about this a lot, right? The people who are thinking about it are the legal offices, the HR offices and the web developers, and you’re left with these groups constantly, you know, sort of talking to each other occasionally, and trying to patchwork these solutions together. But more often than not trying to explain why they can’t do something or how to, you know, change the way they’re doing something even though the business doesn’t want to.
Right. So like, or is it? I mean, is it doing things that are helping consumers? Like is it doing the thing it’s meant to be even though its implementation is maybe not perfect? I mean, like are, what kind of what kind of complaints are coming in?
Well, so so far, like, from a website standpoint, if you go over to Lex ology, they’ve got an article that kind of breaks down some of this. And one of the things they noted was that a majority of the complaints are non named websites. Hmm. They noted like, they’re the complaints that are coming to data protection authorities were things like complaints about telemarketing complaints about getting promotional emails that they didn’t request. And, you know, and this is something that’s maybe a little more specific to the EU than the US but requests to meet to have, like, surveillance and CCTV data.
oh, because that applies, like right APR is not just based on websites, it’s based on
data privacy, it’s Yeah, it’s data. Fascinating.
Data covers a huge umbrella of information. And so a lot of those requests have been coming into that. One of the problems that, like businesses have found as a consequence, is that, like, they’re supposed to have a data protection officer so that when data protection authorities come to them there, is this person responsible for executing on these requests, okay? Okay. This is how, because you will have, you inherently have to hire somebody who might be working against the business interests of your company. Because this is the person they are there to be an advocate for the consumer, not for the business, they can you can outsource it a business, you can hire out the the role of a data protection officer to a service, certainly. But a lot of companies want that in house because that person may have to deal with, you know, proprietary information, or you know, this other. That’s a challenge, because let’s say, you know, marketing is sitting on a database of, you know, 10 million records that they’ve collected over the last 20 years.
it’s the DPS job to go in there. Look at that, and say, we need to delete every record over like, five years old. Yeah. Because we can’t retain data indefinitely. If we aren’t using it. Now, let me be clear, you know, let’s presume that that’s just a database of stuff they’ve collected, they aren’t using. Sure. Because we’re digital hoarders, you know, we there, there isn’t really a cost or hasn’t up until now been a cost to just keeping data in case.
Interesting. side effect of that is there was an article see if I can find I hadn’t thought about it before this, but there was an article about AI training. Ai inherently needs it was something because it was it was an article dealing with like Alexa and Google Home and the way Yes, I just said Alexa, and it came on. Sorry, Alexa, don’t Don’t mind me. I’m not talking to you. Hey, turned off it, but they use like all the voice recordings that they save up to, okay, be continuously training the voice models. And of course, this right, freaks people out, they hate the idea that their voices are being kept and all this stuff. I personally have my own feelings. Not important. But that there is a valid thing there to say, Yeah, but we need large data sets of historical information to train against.
Without that was what Google voice was, wasn’t it? When you signed up for Google Voice, there’s a privacy thing in there that I’m sure no one read, where they were using Google Voice data, because, you know, you get your voicemails, and then
they they’re supposed to like on it?
Yeah, you’re supposed to tell it like, Oh, this word was wrong, and then you correct it. And then that helps train their AI to better understand the voice. And then now they have, then they turn that into Google Translate. And then now they do all kinds of crazy stuff without
calling robots. And, and so there’s this very real sort of thinking in the business world that well, we may need that later. But most data doesn’t fall into that, like, those are, I think, very specific cases, a lot of them and in many of those, you can anonymize it do other things that would allow, you know, strip it of its personally identifiable, you know, information, if you just need like an archive of images, you know, you could have that blur out the faces or whatever, but still use it to do like road recognition or things like that.
So there’s also this confusion that I mentioned between like the technical and the legal and the business responsibilities. And the GPO is that person who sort of needs to be able to speak all of those languages to pull those people together?
Because they’re just chat about this recently. That’s like, kind of like having accessibility person getting a little bit. Yeah,
yeah. Cuz they have to have a foot in several of those worlds. Because if you know, if somebody puts in a GDPR request, like they, they want to have their stuff deleted. And the technical people haven’t built the stuff. And the business can’t respond within 30 days. And then legal gets a letter that says you have not complied. You know, the GPO is the person who kind of gets on the hook for whether or not those three parts of the wheel are working together. So let’s talk about enforcement of this, because that’s really where we get into, like the boondoggle of all of this.
Let’s, because one of the things you haven’t heard a lot of right, are things about fines. Yeah. Where all the fines that because you were asking, Is it effective? Has it done what it was set out to do? On one hand? The answer is yes. We’ll talk about that here in a little bit about like it, the mandatory reporting component of it. mandatory reporting has worked extremely well. But the fighting aspect of it, the part that is meant to make companies be more considerate of user privacy hasn’t really worked. One of those reasons is that there are five different you nations that still haven’t ratified it.
So see, Bulgaria, Czech Republic, Greece, Portugal, and Slovenia, Libya.
None of them have ratified GDPR yet, so there’s a giant space of gray.
what’s the what’s the consequence of that? Like, if they don’t ratify it?
Oh, man, I couldn’t back that’s getting into the EU politics that I don’t have the slightest idea.
Oh, I wonder if they have like a time limit? Or else they have like sanctions from the minute or something? My
guess is it doesn’t matter. Well, no, I, you laugh, but it thinking about it. Like, if somebody you know, if there was a proposed amendment to the Constitution in the US two thirds of the states ratify it, it doesn’t matter if the other third do or don’t ratify it.
It’s still going to become the law. And so I think that’s kind of the case here is whether or not they individually ratify it is probably irrelevant to the fact that they’re, they’re going to be required to still meet it. Okay. And then if they don’t, it becomes an internal EU affair, like that has nothing to do with the data side. Unknown Speaker The
so far, fines have been in the area of 58 to $60 million US. Sounds like a lot, doesn’t it?
I mean, it does. But I see that that is for what Google was assigned.
Which is Google gotta change Adelina that. Yeah. So Google, one find to Google was like 90% of the total finds in 2018.
by humans suck it. big numbers. I’m looking at
it’s point 04 percent of their revenue. Thank you. I remember that number. Yeah, Facebook got fined. Folks probably heard about that a whopping $645,000.
So by By comparison, wait, you said point 04 percent point point four. Yes. It’s nothing. said I’d be if you earned a median, the median income of $50,000. That’d be getting fined $20. Right. So you got like a parking ticket? Basically? Nothing? Yeah. Yeah.
Now granted, and this was this had to do with I think AdSense or AdWords, one of those. And how they were processing data and not getting consent or something, is there something there and that that becomes problematic? There’s a quote from ODI, Kagan, the chair of the GDPR compliance program for Fox Rothschild. And she said, I still feel like unless there is a very significant increase in staffing, they’re probably going to have to pick and choose the enforcement actions that they bring.
that is a terrible way to apply law. Like that is the worst way to apply law. And that’s, I think, where like I see these fines. And while you know, it’s only a handful, I think, you know, I think it’s less than a dozen fines and total have been levied.
Yeah. Most of it at Google, Facebook, another small one, Uber got one I remember, it’s interesting that Facebook’s fine is so much smaller than Google’s given that Facebook is still a huge revenue generator and all the stuff in Well, yeah, I
don’t I don’t remember what the nature of Facebook’s fine was. Because all there’s mitigating factors that come into play was intentional, was it ongoing? Right one time, you know,
but with all the stuff in the news recently about Facebook’s data collection stuff, you know, like, I’m surprised that Facebook wasn’t closer to Google’s
this still, you know, half the cases that have been filed, like half of them are still open. Because again, and just back to this quote, that there is a staffing problem, what we were saying earlier, that the nations themselves are still working to try to figure out how to get enough people into these bureaucracies to handle the volume of stuff that’s coming in. And it’s a vault that is only going to increase over time. And right, that’s that’s a huge problem, because it creates inconsistency, and sends no clear messages to companies with respect to how to apply this law to their processes. And more to the point, it becomes a huge problem because it like it the way it’s being applied. Now, it’s getting thrown at the big companies and none of the small ones, basically. Yeah, I remember and the Facebook one had something to do with Cambridge Analytica, by the way. Okay, I do remember Oh, right. Yeah, it was like an ancillary component of that. We’ve seen some of the reverse of that in the US when it comes to like copyright and patent trolling. Right? A lot of that gets aimed at the small companies, you know, they’re they’re going after the the little, you know, bite sized chunks trying to get settlements and they cast a wide net?
Well, because that’s about revenue generation. And GDPR is about extensively about consumer protection, right?
Because here’s the thing, keep in mind that at least my understanding is the fines under GDPR. They don’t go to the person making the complaint, right, that’s just money the government is collecting.
So and I’m, that’s one of those, I’m going to reserve the right to be wrong on that. But, you know, it’s that as far as like, people cashing in, that’s just not a thing. So the incentive is actually reversed there. They want to get the big settlements and smack down these giant corporations that are kind of wanting the law, there’s nothing to be gained by the work that would have to go in to policing all the small ones.
a problem, as you know, because it’s it’s creating two sets of standards where there isn’t. Now there is an article over at align calm that and this is actually it’s I’m going to share their article, but it’s mentioned in all lot of them that pretty much everybody does think that stronger enforcement is on the way. Yeah, everybody’s kind of referred to this. When France issued their fight against Google. They mentioned like, this is a transition year. This is Yeah, year one of GDPR. We’re all figuring it out. We’re all getting our processes and people and steps together. So they’re all looking towards the next two to five years of really figuring this out. And once you do, that’s where they are going to see strong reinforcement. And we don’t know what that looks like
yet. Here’s a question. So let’s imagine the GDPR was applied 3030 years ago, would would all these companies and countries be in compliance, then I know that like Internet didn’t exist in the way that it does now, then. I just mean, like, the data that companies were collecting, would it be easier or similar or more difficult back then to comply with it?
Back then, if you’re talking about like, literally back then? And not like, totally, but third, or like not not saying like, let’s jump ahead to, you know, 2050 and look back?
No, I mean, like, literally, before we had, because we have so much big data now. So imagine it’s like in the 80s, or maybe the late 70s, when almost everything was paper based, or maybe mainframe based in some cases, we because that that goes back to this when I said, you know, digital hoarding doesn’t have a cost.
I mean, for lack of a better term, it does. I mean, I know realistically, there is a negligible, yeah.
Yeah. So is this is this? Is this a problem that has come because of the big data and data collection? data hoarding? Oh, absolutely. Yeah. Okay. So like, because there’s, this is
until now, there’s just never been a consequence.
Right. You know,
think about I think about in the US every time target announced a data breach, you know, think about all of these companies that have had, you know, Adobe, LinkedIn, all these companies that have had user data leaked out and stolen? And what are the consequences of that ever been?
right? I know, there have been a couple cases that were buying some happen. Let’s go, let’s go to the big one. That was recent Equifax.
Right. That one, there was a well, they had the thing where they could you could sign up a free credit report. I but but I think we covered this on the podcast before someone made a fake Equifax site. Yeah, I collected collected, they didn’t even know.
They were one of the companies also have been fined under the GDPR. Not a lot. But they, they were one of the few that have gotten fines in the last year. But you know, that that too, though, that cost to them was effectively, you know, 50 bucks worth of credit monitoring the people? Unknown Speaker Yeah. And you know, if it if they often,
yeah, if they opted into it, and then it’s, you know, it was that classic joke of, I don’t want to give Equifax more of my data to get to do that. Now. Why would I trust them to do that? Now?
That’s ridiculous. But so the reason I asked that question, though, is it sounds it sounds like, the problem is that we’ve been undisciplined with our data collection protocols? Because totally if this, if this problem wouldn’t have existed in the way that does now, back in the 80s? Like, if if these laws were applied back then then it seems like maybe we’ve just been kind of drunk on what’s possible, like the Malcolm thing from earlier. Yeah. You know, like, we never even think of we should be collecting this just if we could.
And it also comes back to this idea, and this isn’t a cop at the end of the show about having to retro actively apply. Now is a huge problem. Most of these systems were not built from the ground up to comply with things like you know, right to be forgotten. Right, right, right to data, transportation, all these things. Because they weren’t built to support it, trying to retroactively go back and build this stuff on is just like to go back to the other comment you made accessibility is so hard to retrofit these things on the these giant data silos and companies that have had think about a big organization like Google or Microsoft or Facebook, and
it’s not like, your information is in one table in one’s right. Like it’s scattered across systems. Yeah. And how to unify that like they, you know, have internal things that unified into your Facebook page or whatever, but to be able to go in and delete that, you know, from other people’s mistakes and things because on your right to be forgotten is absolute across their system, not just your account.
Right. It’d be completely Annette not exist. Yeah. You know, I wonder, I was just thinking like, if you know, if we had GDPR here, and someone filed a complaint against a company soon. So if that happened, how do you know if they’re, if you’re compliant? I hundred they know if you’re compliant? I mean, you can you can erase the superficial stuff. That’s actually not that hard. But like, you’re required to scrub logs and caches and backups, and they mean, everything.
This is a great segue into our next section, which is the catch 22 of GDPR.
Imagine it’s like I planned it or something.
So here’s the thing about all of that. Let’s talk about the people side, because GDPR at its heart and soul is about us. Or right more accurately, are you specifically you? And you and I yes. Yeah, you and me are we actually wrote the law, so blame us. Yeah,
it only applies to
us. People are inherently untrustworthy of corporations and the way they handle our data. I can’t
yet. We absolutely fork it over to them. Even though, I’m going to say something that may be unpopular, by and large, I think corporations are relatively trustworthy. I, I am not. I am not a firm believer that things like you know, data retention policies and stuff would significantly reduce the risks of data leaks and breaches and things like it, yes, it would mitigate some of it, but I don’t think it would mitigate much of it. I was just, I was just thinking, how you were saying how we readily fork over our data to the these companies and to remember, before social media existed, you could get those tool bars for your browser.
Oh, God, yeah. And, and sometimes they wouldn’t be malware, like, you know, or like, you could get the
they sent me a check every month, man Shut up.
Remember, like they had the thing, you could get the animated smiley faces for yahoo messenger or whatever. But by loading that plugin, and it was also tracking every data,
I still remember the name, I used a tool called all advantage was the name of the one I had. And yeah, you and I did the thing where you got the tool that moved your mouse around the screen randomly so that it would track your usage of the computer, even when you were there. Because they were, you know, they paid you a dime an hour or whatever, for letting you run it. I was a kid I didn’t care to check every month, I got like, 30 bucks a month out of nice. got those whole thing collected on me during that period. That was the 90s I don’t even know what their was useful to get out of that at that point.
$30 in the 90 that’s like $100,000 today
as a kid, that was awesome. Yeah. No, they just sent me a check. They
didn’t care. I was like two CDs. Anyways, yeah.
I mean, long story short, I mean, I know there’s the whole argument about Yeah, our companies really trustworthy, whatever the reality is, you know, I don’t care if they market to me, I don’t care if they know, when I poop, I don’t care if they know what my house temperature is set to. That’s not useful data to me. And, frankly, I don’t really see the point and being protective of it. And by and large, I don’t feel like I’ve ever had that abused by a company. Sure. I’ve had gotten like a mailer when I’ve looked at something on a website. And then something came in the mail. It’s like, I don’t know, I even got my address. But it’s not like they’re a criminal.
To see the thing that I’m worried about, though, is we sort of saw this a little bit with the data from was it ancestry? Or what one of the like, you spit in the tube and send it off? And they tell you like, yeah,
where your people are, I think was 23andme is the thing you’re thinking of?
Okay, so there was a thing where they were potentially sharing your information with third parties, right? And, and I, I, I did do 23andme before, and I immediately went on, and I was like, opt out of everything, please, I don’t want to be part of that. And I’m just trusting and having that they will honor that. But it’s the thing that I’d be concerned about is like, so you know, Google’s wiretap may know what your home temperature is. And they may know, they may hear you talking. And they may know how often you have a dog in the room, you know, those sorts of things. And like on their own, like, those individual items aren’t particularly like, juicy or anything. But then like, as this rolls out more to more places, and the Internet of Things, starts collecting data from everywhere, and they start sharing data across each other, you can then draw connections about people. And and I can’t even fathom the ways it could be used against you. But I’m just imagining anything where there’s like, risk mitigation or risk minimization for against the consumer. That’s where it’s going to be exploited. If, for example, with 23andme, sharing your genetic data with an insurance company, and how that might affect your life insurance or health insurance premiums or something like that. But like looking at all, how often does he keep this? You know, how swarm and then if it’s like, frequently low, then they’re going to infer that you probably aren’t home very often, or something you don’t I mean, I mean, it because it
does come down to a lot of different factors. And to your question about like, you know, the people side of this, one of the challenges is actually that it’s good to put the user in control of this stuff. But that doesn’t mean they get it. Yeah, and one of the things that has come up, and you’ll hear this again, later, is privacy blindness. And we’ve been hit with so many of the emails, because of the launch of GDPR. We’ve been hit with so many of the pop ups, we’ve been hit with so many of the consent checkboxes that you’re not paying any more attention to what consent you’re giving most of the time, then, when you hit the accept button on Terms of Service. The eu la they Yeah, they nobody is paying attention. And even if they were, I would reckon that most people wouldn’t know the actual details of the things they aren’t aren’t giving authorization to, especially at a company where they may have 10 1215 different consents that they ask you for.
this makes it incredibly hard to build a solution that is right for those users. There’s an article over at payment source that broke down a couple different surveys that were sent out to evil corporations and one, they said that 20% of the companies thought they were compliant, and another 50% had started work on it. You know,
I hate the way it sounds. I mean, I’m not going to try to sugarcoat it. It sounds terrible. That sounds like a internet. I don’t want to use.
But they’re already doing that. I know, they just have this habit in like fine print the little notification pop ups,
can I use your location? Do you want to get notifications from us? I hate all of them. They’re annoying. Yeah, I don’t, because if I’m going to your website to read an article, how to build something, or what happened in in Alabama yesterday, or whatever, that information doesn’t impact your ability to complete the thing I need to do.
Right? What What if it was just something like in the browser chrome itself, and not the Chrome browser, but the browser like? frame? Yeah, where it had a series of different icons, maybe like, one was like location service, one was like, I don’t know, contact your email or whatever. And, and it would just, it only show the symbols that were possibly being used by that were wanting to be used by the page. And then you would have to, like, opt into any of them. You’re okay, Sherry, like some, like on on weather. com, I don’t mind sharing my location, because it helps, right, my experience, but on a site like, like, if I was buying clothes or something, you don’t even know my location.
The thing is, I don’t think that that is the crux of the problem. Because we know, the thing is that the the whole consent issue deals with the things each individual company is doing, and every company is doing different, you know, different things, that the other stuff that was in this payment source article said that 20% of companies don’t think compliance is even possible.
Because, like with what you’re describing? Yeah, I mean, that’s all well, and good for like, services. Yeah, we’re not necessarily I mean, services certainly are included in that. But it’s definitely not the deep end of the pool where everybody is, is swimming at,
I guess I’m trying to think about in terms of communicating to consumers, you know, the problem with fine print is that it says have a lot of very important things in a very hard to consume and hard to read way. And they present it at a point when it’s preventing you from getting the thing you want. Like you mentioned earlier, yeah, there has to be a way to kind of distill down to like, general terms that are fair and reasonable to the consumer. But also are easy to understand, you know, like, like, for example, like location tracking? Or, you know, this site is going to collect your, your name, are you okay with that? Yeah. I don’t even know all the things that they have. There’s
a name for this, and I’m going to save it, because I’ve got it here towards the end. So I’m gonna I want to let me get into one more stat. And then Okay, talk about that. The other stat comes from Tech radar real fast. That is, they were looked they asked a bunch of corporation or not, they didn’t ask corporate corporations, they were reporting on a study done. And a guy went out and put out GDPR requests to a bunch of companies and then measured the outcomes. And what he found was that only 17% of his requests were in compliance with the requirements GDPR with nine percent of them coming that came back on top of that, delayed or incomplete. Wow. So a and incredibly small 25. To 26%. You know, yeah, met the request. But to what you were saying earlier, and to the idea of the catch 22. How, as a user, do you even know?
Yeah, like if they tell you like, Oh, yeah, like, you’re completely gone for a databases. Quick, how do you? How do you know,
there there is a measure of trust that has to happen there. And there’s a gap in coverage that I don’t know how to cover? And I don’t know, I maybe maybe it doesn’t need to be maybe there’s no value in trying to solve that particular problem. Because the thing is, if they say, Oh, yeah, we scrubbed you from our system, and then next week, you get an email from them, then right, when you have immediate and instant information that they didn’t scrub you from their system, or or worse, if if they said that they scrubbed you from their system, but then they have a data breach? Maybe let’s say a year later, oh,
yeah. So like, if you if you wrote to Equifax and you said, purge, GDPR. I’d like you to remove, like, make me not exist as far as you concern. And then the year later, they got hacked, and there’s a data breach.
The Scarlet Letter version of this is the Ashley Madison hack from what, three years ago? Oh, yeah, that’s all man, that would be a good example of that. Like it. Obviously, this wasn’t an effect then. But if something like that were to occur with a site like that, especially. So the end of the show is this big section called Why do I care as a developer? And if you’ve got part two, because you’ve heard us talk about some of this, and some of this will be repeated, but it’s because it’s still important. And I think people still need to hear it. Step number one, I do not care. If you are a developer based in the US, the GDPR still affects you and stop pretending like it doesn’t. It is dangerous to take that mentality. Unknown Speaker I’ll
tell you and Aaron, I don’t know if you are in any, like Ruby subreddit or not. But I kick around some of the WordPress credits and things like that and watching conversations about GDPR. Makes me want to cry the way people talk about it outside the you because it’s dangerous.
I don’t really use Reddit, I haven’t used read it like a few years, because I just got tired of using if Dunning Kruger was a website. Because that was most it sounds like that hasn’t changed.
It’s tough because people are anchored to this idea of well, it’s, it’s, you know, if it’s in the EU, why I don’t have to care? Yeah, you do. Because a, you may work for a company someday that does business in the EU. And now you got to care about it. But more importantly, this idea that Oh, the EU laws don’t apply to the US is extremely bad advice to give somebody because that’s not the way law works. The US has things called trade agreements. And with those trade agreements, comes a, a reciprocity component for certain laws, especially as they apply to anything related things like intellectual property, trademark, and data privacy. Now, as far as I know, this has not been tried in the US yet. Right? There hasn’t been a fine levied against a purely US company, Facebook, Google, Uber, these are companies that have a presence in the EU. But that doesn’t mean that it couldn’t work. It just means nobody has pushed it hard enough. But they totally could. And they would very likely be able to win it. And that’s something telling people not to worry about it is terrible advice.
We had at Ruby by the bay and a fellow from I want to say he was from Russia, is from Eastern European somewhere. But he was asking if we were a GDPR compliant, and for diaper base, and and um, I mean, we’re, we’re not. But what we also only service people in the US. Yeah,
so you’re only dealing with us based entities purely.
Yeah. So I it’s such a limited audience, too. So
let me ask this question, though. If I’m in France, and I want to set up a night Burbank I could still download diaper bass and run my own version of it. Good night?
Oh, absolutely. I mean, you could I mean, you could be in front, and you could use our, our application in France, and it would probably still work. I think like, the addresses and things that we use are formatted for us addresses. But like if we had an international user, I’m actually kind of hoping, like, I, rails has all this really cool internationalization stuff built into it. Like where it just automatically translates stuff when you provide it with the content. And I really want to use it. But we just don’t have any reason to yet.
I mean, it’s a it’d be interesting to see that theory tested. Yeah, if somebody wanted to set up a diaper bank in another country using your software, now you are you are processing the data of you people and you are now. Yeah, then then it would apply or under the umbrella. So what what I would think there is you either need to, like build in a hard limitation to the US into the tool?
Well, we would know Yeah, well, yeah, cuz you
got a finite and manageable number of hours. or build the tooling into it that allows, you know, proper, proper compliance. And I don’t think it would be hard in your case, but
I don’t know, there might already be a gem for this. But if there isn’t, I bet there would be a lot of use for like a GDPR gym, where if you give it like a name, or a user record or something is sort of like facilitates the scrubbing process.
That’s kind of what WordPress is added. Yeah, they’ve added that ability to, I forget, I haven’t used it yet. So I don’t know how the implementation itself works. But it’s basically a way you can flag things you add to the database as being like GDPR tag the so to speak to, because they have a tool now in the back end, where you can go into delete people out of your system and to facilitate requests.
Oh, that’s cool. So you like you flag something as being this is GDPR, right. And then that way, if you ever have to pull it, it’s just you have all the hooks in place.
And you can do it in a way, like if you get clever. For instance, if there’s user contributed data, like posts or something, you know, you could pull off the personally identifiable pieces without getting rid of like the like comments, I think are one of those spaces. You don’t necessarily want comments to be deleted, because it would break the flow, you know of that. But you can remove all of the personal identifiable pieces to that still huge problems when it comes to what if I type my name into the comment, right? Because that is still subject to a DD GDPR right to be forgotten. From a
very technical standpoint, oh, by the way, last the gentleman that I just looked, and there is a GDPR rails GDPR underscore rails gem, that is specifically about GDPR compliance management for rails. So
your homework is to bring that back come out and tell us how.
There’s also just the plain GDPR Ruby gem. I don’t know I literally just look these up. I don’t know if they’re any good. But those do exist. So if you’re, I don’t know if we have any European listeners. But if we do your real stuff, there you go.
The last point on why you should care in the US is because it’s coming to the US next year. Because if you haven’t heard of the California consumer Privacy Act in covenant 2020. And it’s the California version of the GDPR. And you may not do business in France or Germany, but a better probably have a good chance of doing business in California.
I can’t tell if California version of this is going to be better or worse.
Yeah, I really don’t. And for all the reading, I
would, I would think worse. But like the GDPR seems as such a cluster, fuck that. Maybe it’s better. For
everything I’ve read about GDPR. And how deep my nose has gotten into it with the work we’ve been doing. I don’t know much about California is version they they have if you go to their website, they’ve got like a 10 point list of all the things that it’s supposed to do, which you know, it stopped me if the sound familiar but right to know all data collected by business on you, right to say no to the sale of your information, information security, right to delete data that you have posted, right to not be discriminated against if you tell a company not to sell your personal information up. Interesting point about that. Because this comes back to what like what you were saying with like the browser bits and pieces, nothing. This idea that if I say no to things, I should still be able to get a minimum amount of service from your application, right? Like if I don’t consent to the way you want to use my data. And that lack of consent is irrelevant to the action I’m asking to take. Yeah, I should be able to take that action. And that’s
it. Even if it’s something where you have to set up a profile, like if they need a name, they don’t really need your name. Unless your name is somehow actually necessary. You could give them
Joe Schmo if your forum needs your birthday,
you could just give them the year of your birth. Or I mean, you just lie Not
at all. Let’s try not at all, we’re just
or just say yes, I’m over this age, just testing. I am this old
at well, as part of that. It’s funny, you mentioned that number seven on the list is mandated opt in before sale of children’s information under the age of 16. Books. So there’s this whole list and all of these will sound very familiar as far as that goes. So if you think the US is safe, and we didn’t we just mentioned what two or three shows ago, I think one of the the warmer topics that we started with was the deal going through Congress that they have been given the green light to pursue legislation that would mimic what the GDPR is doing. Right. Yeah, that’s right. So the wild I mean, that does nothing has been written yet. The door was kicked wide open that said that he was the CEO or one of those are one of the one of the watchdog organizations came back and said, Yeah, cool, go for it.
It’s it’s a good thing that there aren’t any like really big companies in California that deal a lot with user data, you know. Unknown Speaker So, this gets into this idea
as a developer. And we I run into it a lot. And there was something I was talking to somebody about the other day that fell into this, this idea that HTML and CSS is so easy, like, it’s so easy to become a web developer and it’s like, Yeah, okay. But being good at being a web developer is incredibly hard.
We have we have parent tool analogy. Yeah. Aaron.
And that’s are going to describe
this. No, I was I was thinking that it’s like, you know, anyone can swing a hammer or saw a plank, or like screw, a screwdriver, whatever. But it doesn’t mean that if you don’t use screws, screws
with the screwdriver, you don’t screw the screwdriver. We need to keep you away from tools.
That’s what I’m doing wrong. Well, you can use tools, but it doesn’t mean you can build a house with them. Yeah, and like HTML CSS isn’t hard to learn. I mean, like to a degree I’ve heard of the stuff we talked about earlier. It’s like what
else but you can’t guarantee you can get a wheelchair through the door you can’t be certain that your electrical won’t start a house fire or that you won’t die of oxide poisoning. We didn’t put this in the show notes but before the show Michael and I were looking at weird things on the internet and we found was a garden house What did they call it? Yeah, garden house that’s for sale and
yeah, we shared it in the random channel on our Slack channel. I’m joking you x.com slash life but you could for like five or 5000 bucks or $7,000 you can buy this little like hundred and 40 square foot um you described it as like a deck with a
little hot but like sunroom
yeah sunroom. That’s kind of what it looks like. But you know, it’s it’s just it’s basically just like a chassis. It’s an Ikea whatever you want. Yes, that’s actually really nice. Yeah, house Yeah. If I can make a small my guest house like this would be it. And but that’s, that’s kind of like, you know, like a website that, you know, you might build with Wix, WordPress, Squarespace. Squarespace.
But it’s it is that idea, though? That? Sure, yeah. Okay. If Joe Schmo down the street can go get their, you know, $10 a month, web flow account or whatever, and set up a website, but they don’t really know what they’ve done. And they certainly can’t do the hard stuff thats related to it. Where GDPR fits into this is, these are the skills and we made a comment. I don’t remember which episode was on but I remember this conversation about like CSS animations. And this idea that Yeah, learning basic CSS is incredibly easy, quite frankly. Yeah. But when you sit down and start looking at, or Well, for instance, what we started the show off with, yeah, building a chat system with CSS. Yeah, tell me CSS is easy, please. I you know,
I know we’ve talked about doing bomb CSS on the show before, but apparently, my bomb CSS is like, I don’t know, like, maybe like World War One grenade. And this is like, like, tactical strike missiles.
Knowing things like how to build privacy aware systems, and how to make something GDPR compliant, is what will set you apart as a developer. It’s the thing that when you apply for that job, I’ve got a job application that right now I think I’ve gotten in my inbox, a dozen different applications for at this point. And I’m going to go through them and figure out who’s going to get an interview, a first interview, let alone a second. And the thing that is going to set people apart is if they can do the little things and show me that. Yeah. And if you can put in there Oh, yeah, I have experienced or at least an understanding of privacy concepts that will set you apart from the people who are just like, heck, yeah, I built websites in high school. It’s like, Yeah, that’s a good starting point. But if you want to be a professional, if you want to be, you know, in this industry, if you want to be a contractor, you know, you want to build houses, you have to know how to deal with legal compliance and things like that. It’s boring, and it’s not interesting. And it’s hard. And it’s counterintuitive, but we still have to do it. An example here is like if you’re building something with a database, it’s not just good enough to know walking through a table in that. Yeah. Okay, making a table on a database is easy. You know, how to include you know, salts and encryption for user data? Do you know how to do pseudonym ization on data? Do you know how to do data warehousing? And siloed? I got it didn’t I said it. You nailed it. It’s the man. Gentlemen. JACK has been talking about a gentleman What can I say? Right now, gentlemen, jack has has me talking proper, like a lady. Joke. I don’t know. The other side of this is not just building but fixing. I think we’ve mentioned this earlier that a lot of places you’re going to get a job and you’re going to walk into stuff that already exists, you’re not gonna have the opportunity to build from scratch as much, you’re going to be helping maintain or build on a system that has existed before you.
I would like in the privacy stuff to like security knowledge, you know, like, we don’t have to be good enough with security that we can do red teaming, gaming. But you have to be aware now, you have to know what SQL injection is you have to know like, how to stop basic cross site scripting, just the low hanging fruit so that you’re not an easy target. Right. So
you asked before, like, Is this working? And I said specifically, let’s wait till the end of the show, because that’s where I feel like you’re almost setting me up for these. I’m not sure if you are. So there were and I don’t know why this number varies, because I feel like this is a number that should be known. But there was a range that I was able to find there were between 40 and 60,000 data breaches reported last year, the GDPR records show. Yeah, talk about if you were to guess I should have asked you to guest guest before I said that, um, is it 13? It’s more than 13. Actually, it is 40 to 60,000.
Wow, wait, wait, is that? Okay, wait, are these numbers? Are they more? Because the threshold has been lowered? Some more are showing up? Are they more because it’s like there’s just more compliance now? Yes. The
answer is yes to everything. So, okay, one. Prior to this, we you know, as far as the EU goes, there wasn’t like a place to report it really, you know, when it to report a data breach, some countries did have like Germany was one that comes to mind that did have a mandated reporting for a data breach. But it was a totally ad hoc burn per country. And who knows. So with the introduction of GDPR, you had mandated reporting and a place to report it to so obviously, reports went up on top of that, in the same way, what constituted a data breach was normalized. You know, they went through and explained like, for instance, if a database table leaked out with IP addresses in the US, a data breach in the US, because I understand I IP addresses are not considered personally identifiable.
in weird court cases, which I still don’t understand. They still used in court as personally identifiable sometimes, but it’s not from a privacy standpoint concerned, personally identifiable in the EU it is. And that’s been a fun question, go look up some things like website access logs and GDPR compliance if you really want to have your brain hurt, because IP addresses are personally identifiable. So that’s that number 40 to 60,000 is a two to three fold increase in the number of data breaches that have been reported as a result. And that is generally viewed as a positive because it means people are getting notified that their stuff is getting out there. Unknown Speaker Yeah, also, that’s a huge like
that that number is crazy is in my eyes. Like that’s a lot of data breaches.
That’s like, what, 5000 a month? Yeah, somewhere in there. Yeah, I think
they started like 1800 a month, and it went up from there. So yeah, talking about like understaffed departments, you know, Unknown Speaker that level of volume. That’s, that’s an average of 1500. Every day,
a lot lot of lot of data breaches. And
basically, just like data is just constantly leaking.
you as a developer every few seconds, you don’t want to be the person getting blamed for one of those,
right? I don’t know, man, if you have, like, 1500 of those having every day. And and your site suddenly has one it’s like, I almost think it wouldn’t be a big deal at that point. But it should be family quick. Oh, it’s Tuesday.
But that’s the thing. And like you were saying, you know, learning security learning these things? And believe it or not, we’ve had an episode on web security. Wow, it has happened. Like, because these concepts are important for you not to know inside now. But sometimes you need to know what you don’t know. Because one of the biggest problems is our this need to say yes, if somebody comes and says, Hey, would you build the site for me, I need it to do X, you say yes. Oh, well, we’ll just make a forum for that and store the data in a database. You can make it work, you can make it technically work. But that isn’t good enough. And you need to know when that is not good enough and when to say, Oh, yeah, we got to do that. But we need to make sure these things are taken care of, you know, it’s going to cost you know, a little extra, because we have to build it this way. And it’s no different than when you have to get your permits to build your house, you know, or, you know, to rip an electrical system out or to get lead remediation. Like you have to go through steps than Yes, it’s bureaucracy. And yes, it’s getting in the way of stuff. But there are good reasons for that. You know,
I saw earlier today I responded to a question on Quora. com. And the question was, is there a way to, the person was using a Rails app, and they wanted to ask for the credit card number. And to do something with it. And I don’t remember what it was, but they weren’t wanting to persist it in a database. They just wanted it to like, have it in the forum and then go to the controller. But I was I, my response was like, Well, here’s how you would do it. But you also want to make sure that you put it in your like, filtered, filtered fields thing in your config so that it doesn’t show up in your log files. And then also, maybe don’t do this at all, because like PCI compliance, so
where where this kind of falls from a, like front end standpoint, in particular, is caring about all of this from a UX standpoint. And that comment we made earlier about like, like, people don’t trust companies, but they also aren’t smart enough to know how to handle all of the consent stuff that’s thrown at them. And I, I mentioned this phrase privacy blindness, we just start clicking buttons. And it’s like, you gave me a pop up and I see the word consent. I just want to read my damn article, I hit yes or no and half the time, right? Oh, yes or no is what I need. Right? Understanding that a as a developer, you need to avoid dark patterns, to trick people into giving consent, you should never be tricking people into giving consent. It should be clear and affirmative what they’re doing. But also making sure that you are building your consent tools and privacy tools in a way that makes it easy for people to understand and know what they’re doing. You know,
last episode, we talked about design systems. And this would have been a great opportunity for the EU to create a design system around GDPR talking about it,
right talk about the the Golden Nugget out of this epic. So, man, I love that idea.
So if hypothetically, if California was going to do that ca privacy thing, if they if they said, Okay, if you have a website, here are some tools, this is a language you can use. This is some icons you can use just to kind of standardize that compliance, to kind of facilitate this is what I was getting back to earlier, you know, communicating to the user, you want to do it as quickly as possible. It’s just the compliance.
And the funny part about that is like that, when cookie compliance came up in the EU, they tried that, and at least in that case, because I don’t think they executed it well. And the Yeah, the way it was done was bad. Like, it was done in a way that was legally correct. But in a way that gave any kind of consideration to user experience. And then they kept changing the rule on top of like what constituted you know, acceptance of cookies and whatnot. But there’s an article over at UX design by Claire Barrett called What does GDPR mean for UX? Go check that out. One of the things she brings up there, and this is kind of an answer to one of your questions earlier about like the what you could do in browser Chrome, right, and the concept she brings up is just in time consent, which is like if you’re let’s take the app analogy you are giving, if you download an app, and you go to use the camera, a lot of apps and pop up a thing that says hey, we need permission to use the camera that’s just in time could send if you install the app, and then it says, Hey, we need to use the camera. But you haven’t even asked to use the camera yet. That’s Yeah, not that.
I I have declined to install apps before because they were asking for permission to use things that I felt they didn’t need rising
and and that you know, that again, gets into all this UX of privacy, like how do you conveyed a people that we need the thing we’re asking for for x y&z because there are cases like file system, let’s say and mobile device, I think is a good example. Because there is at least a privacy model on them. That’s fairly standard that people are used to, like, I need access to your files. And like at a very high level, especially when you’re installing it, it’s like, No, I don’t want to give you access to my files. But the reality is they need that because they, you know, they’re going to allow you to attach, you know, a picture to something or whatever. Like, there is a reason for it. Now, asking with a just in time consistent message gives people at least some context to realize, Oh, I’m asking to do this. You’re confirming with me that it’s okay. So I can connect those things. I can think of better ways to handle those. But that’s neither here nor there. Yeah, just in time, consent fixes part of that. I like that,
because it puts its it puts the sets the context right there, the the Gulf of evaluation, it’s a Donald normal, right? The Gulf evaluation is narrowed, because the user is being prompted very close in time, to the thing that they have to do, or the relevant part and
asking people to consent to like 12 things when they’re signing up for an account or whatever, is you’ll see this phrase thrown around its consent, fatigue, or privacy fatigue. Like, yeah, yeah, asking for a bunch of stuff all at once, is it goes back to what I was saying, You’re tricking people into giving you consensus what you’re trying to do, and I don’t care about GDPR. At that point, you are making a bad decision. As a designer, if that’s what you’re doing, you know,
the easier way around, that would be a baby, don’t ask for this information. And then you don’t have to ask,
right? Yeah, the idea is, like, just in time consent solves the problem of ask for the thing that you need when you need it. Nothing else? Yeah. If you look over at the prolific, interactive, broader ego has an article over there, that also gets into this idea that there is no such thing as implied consent anymore, either. Which is an important note, again, in terms of GDPR, you can’t just say, click Yes. And you also agree to our terms of service, and to get marketing emails and all of that. That doesn’t work. You can’t do that that’s illegal. You have to say, I agree to get marketing emails, and it has to be an affirmative, checkbox kind of consent. Okay. And, yeah, what you’re just saying, at the end of this, it all comes back to encouraging people to do the thing that I love, any opportunity to say this, it’s do less, better, less better. Don’t try to collect every piece of information on the planet about somebody, don’t try to get them to sign up for every single thing. Whether or not that’s what they’re there to do. Let people do the minimum amount of stuff they want to do and give them an awesome way to do it.
I think that the thing I mentioned earlier discipline, like, we haven’t had good data discipline coming this far, because we haven’t had to. And things like privacy, privacy laws are kind of enforcing better data, both with how we manage and store the data, but also in considering whether like it just you know, not hoarding it anymore. Yeah. It’s like, we’ve got to get all caught up with our data.
Does this data bring you joy? Yes, it does. I get to know everything about their personal life. I was going through their recordings. Let me tell you about what I heard there. I think I liked us better. And I think that, you know, if, if you’re concerned about this, I think step one is evaluate what you’re already collecting. And what can you not collect anymore? Do you really we need the name of the users. And every corporation doing business in the EU or with you people is required to have a data protection officer, the data protection officers role is to be an advocate for the users and their requirements and their privacy. But that doesn’t mean that that responsibility begins and ends with them. developers and designers and UX professionals and UI designers and QA people can all take part in that role and shouldn’t be taking part in that role. I said, I don’t know if it’s the last episode of the episode before about this idea that one of the things our industry is missing is sort of an ethical code of conduct for our users. Last episode last episode.
Yeah, I thought
it felt awfully fresh.
Because I mentioned the rude striker stuff.
Yes. But that’s the thing that we’re missing. And and it’s that argument of we have to do right by our users, regardless of the business interest, because at the end of the day doing right by your users is in your business interest. Yeah. And I don’t know I guess a better way to end I actually I think the the joke about the data joy was probably and Alexa recording people having joyful things. Hey, Alexa turned on again. Hi, Alexa.
Hey, later on, tell Alexa to read me the lyrics to Bohemian Rhapsody. It’s like It’s like spoken word poetry. It’s great. If I can do it, do it.
Folks, we’re gonna take a break and stop for just a moment and we’ll see you back here in about 60 seconds.
Everybody, thanks for sticking with us. We’re gonna round this out. Get out of your hair. Thanks for joining us this week for episode number 36. Hey, if you’re in Missouri by chance, at the end of the month, I’m going to be at the web accessibility summit in Springfield, Missouri. I’m doing a talk on transcripts. Ironic, I know because we’re behind. Don’t worry, we’re gonna catch up. I swear. I know we’ve said that a lot too. But trust me, we are in fact working on that. But I will be talking there and we’ll have a table set up and whatnot. And if you stop by Say hi, I might have some, some little stickers and swag to give away. Also, be sure to stay tuned. We have a killer episode coming up for Episode 37. Oh, we’re gonna have Rachel cherry on from WP campus to talk with us about the Gutenberg accessibility audit. I cannot be highly enough about Rachel about WP campus about the work they’ve done for accessibility and Gutenberg. So be sure to stay tuned, because that is not going to be a miserable episode. So we’re excited about that.
I one thing I wanted to announce the rails con was last week from when we’re recording this. And my one of the 14 people did a presentation with involving paper based and the day after that paper based app, hit number one on Ruby repositories and GitHub. That’s awesome.
Yeah, I took a screenshot so proud that my
baby did it. You know, you’ve made it big, right. It’s like making the front page of imager.
For real for real,
everybody. If you want to find us jump on Twitter or Facebook at slash drunken UX or Instagram slash drunken UX podcast, we’d love to chat with you hear what you think of the episodes or what you’re enjoying. You can chat with us on slack at drunken ux.com slash slack. And that will get you to our Slack channel. Connect with us say hi. I one thing I always get a kick out of is when I see somebody Follow us on Twitter. And then like, yeah, follow my personal account immediately after that. That always makes me feel a little good. I think so. Everybody, stay tuned. Join us in two weeks for the Gutenberg accessibility audit review. Otherwise, thanks for listening this week, take care build great things. And the only other advice I have left to give is one single thing. It’s small, but it’s big and its impact and that’s the keep doing better or what? Well, yeah, let’s better die for life and keep your personas close. But your users closer Bye bye.