RE SN 788 Data Protection Laws May Kill Small Websites

  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in please checkout the “Tips & Tricks” page for some very handy tips!

    /Steve.
  • BootAble – FreeDOS boot testing freeware

    To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.

    GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.

    The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.

    You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.

    (You may permanently close this reminder with the 'X' in the upper right.)

rfrazier

Well-known member
Sep 30, 2020
549
187
@Steve Greetings to you and Leo. SN 788 was cool, as usual. Thanks for the good info. This post is about privacy, not about the podcast. I figured it would be better off in here in the security sub forum than in the none of the above sub forum. You may wish to add a privacy sub forum or change this to a security and privacy sub forum. Just a thought.

I may not be able to respond immediately to replies in this thread as my upcoming week is extremely busy. But, I will respond as I can. I wanted to get it out there for people to consider.

In the podcast you mentioned DNT (do not track) with teeth, and mentioned some kind of data protection laws that are coming about in California. While this is good for consumers, I think this trend will be harmful, even fatal, for small websites. The following is just my opinion. Could be right, wrong, or in the middle.

As mentioned in this thread:


I have a small blog where I have, in the past, posted a good number of technical articles, many of which are security related, and many of which were inspired by SN. I have few readers but the blog does get traffic. I get no money. And I have nothing for sale. There are no ads. Hopefully the information is helpful to some.

A few years ago, I was deep into fighting hackers with many thousands of attacks per month and messing with WordFence settings and monitoring traffic logs almost daily. Because I was getting attacked from all over the world, I ended up blocking out most countries. I left a few countries open which included the European Union. It's hard to find time to write good articles, much less be my own security department.

Well, these new data protection regulations make things even worse. They came out with GDPR, which makes it much more complicated to play host to European visitors. Not having time to master all that, I ended up blocking off all the countries in the EU. (Sorry to anyone reading this from Europe.) Now, as a result of discussions in that other thread, I find out that the UK has it's own separate data protection regulation. Now, you say California is coming out with their own regulations. I simply don't have time to get my own law degree to figure out if I'm violating some law every time someone visits my website. I already mentioned in the other thread that I'm considering moving to a static site for security reasons. But, I have no idea what I'm going to do about these legal issues. If I have to spend copious time or money to deal with these things, I may just shut the site down entirely, although I don't wish to do that. I will eventually have a website for my EMF Analysis business, and I'll have to figure all this out for it too.

Not directly related but conceptually similar is the situation with Unmanned Aerial Vehicles, IE drones. For those of you that may not know, if you want to fly any kind of remote controlled aerial vehicle now, you have to pass a basic test on regulations and get a permit from the FAA and you're supposed to get insurance from the AMA, etc. This in itself is enough to keep me from flying as I don't believe I should need a federal permit to fly my TOY! Before you flame me, I do get both sides of that coin. You've got all kinds of morons flying (sophisticated) toys near airports and disasters and endangering people. I get it. But, the point is, now a whole bunch of local jurisdictions are passing their own drone laws which you have to learn and consider in addition to the federal laws. It's a total nightmare. That, combined with the danger from lithium battery fires (google it), and my drones sit in the corner collecting dust, unfortunately.

Tons of local regulations for data privacy could, likewise, relegate lots of small time websites to the digital junk bin. Just something to think about.

Ron
 
FYI, blocking EU countries from accessing your blog won't subtract from GPDR obligations. GDPR doesn't apply on countries, but on individuals.
Here's a prime example: Since EU resident in a visit to Canada can visit your blog, you are required to comply to GDPR as if the EU countries weren't blocked.

The European Union has a good website about GDPR: https://gdpr.eu/what-is-gdpr/ and https://gdpr.eu/companies-outside-of-europe/

Also, as a company, you have the obligation to comply to all the legislation applicable to your clientèle. I'm Canadian, so I'll use my nation as an example.
Canada has a stringent anti-spam legislation, which requires your customer's tacit or explicit consent to send them unsolicited commercial messages, and a Canadian can remove consent at any time and the removal must be processed within 10 calendar days, among other obligations. Failure to comply can lead to fines under the CASL, plus as a business owner you have to comply to the Personal Information Protection and Electronic Documents Act (PIPEDA) and all the applicable provincial legislation.

Knowing your expected and real clientèle is key to see what applies where.
 
@Ed7789 Hi Ed. Thanks for that info. You reinforce my exact point. There's no way I can determine where every visitor is a citizen of and comply with the rules of 5000 legal jurisdictions all over the planet. It's completely impossible. Not only that, those jurisdictions have no authority over me here in the US anyway. Not sure what I'll ultimately end up doing, but it's a problem!

Ron
 
Disclaimer: I'm not a lawyer, don't take this for an absolute truth. These are discussions based on my own understanding of the world's legal structure :) In case of doubt, consult your regional (EU, Canadian, etc.) lawyer.

Here's a quick way to reduce the risk. Don't use web features that you absolutely don't need (e.g.: geolocation, comments, cookies, etc.). For those that you need, collect the strict minimum and erase it as soon as you no longer need it, and protect it appropriately while in transit and storage. Disclose to all the applicable authorities when there is a breach. The alternative is to allow only "::1" to connect on your server's firewall and don't store any data (incl your own), which is useless.

Also, if your blog is a personal thing and not tied to a company, typically you shouldn't worry about. Most privacy laws have carve-outs for personal activities (see this one for GDPR, https://gdpr.eu/article-2-processing-personal-data-by-automated-means-or-by-filling-system/, here's one for the CASL https://laws-lois.justice.gc.ca/eng/acts/e-1.6/page-1.html#s-6ss-(5)ID0EEDA )

While you are correct in saying that Canada and the European Union don't have authority in the USA, they still have methods to apply penalties to organizations. The reverse is also true by the way, you can look at Huawei's CFO that was arrested at the YVR Airport in Vancouver, BC, CA at the request of the US government.

Side note: I never used the term "citizen" on purpose. Residence is not citizenship. GDPR, CASL, etc. also apply to USA citizens, as long as they are residents of a country where the law or regulation applies.
 
Last edited:
  • Like
Reactions: rfrazier
Thanks again for all that info. I don't know what to say except what a total hot mess of mud. There are so many pieces of red tape in the way of starting any business, it's a severe disincentive to try to start one at all, even with a great product or service. With legal spaghetti like this, plus all the tax stuff, plus all the liability stuff, plus all the accounting stuff, and per a recent Supreme Court ruling in the US I have to potentially collect and remit sales tax in every state; it makes me want to give up before I start. I'll have to have a 50 person legal staff for a 1 person business. But I do most certainly appreciate you sharing the information you did! :cool:

Ron
 
@PHolder I don't think that will work. Think about it. An active internet user like me or probably you or probably many people here may visit hundreds of websites in a month. If those websites each ask me my zip code of residence and citizenship, you know what my answer is ... Heck NO, go JUMP. It's none of their business. I'm logged in here because I want to post. Even so, there's no location data in my profile. I'm always on a VPN for security reasons. If I choose to create a relationship with Steve's forum, or with Steam, since I was discussing gaming in another thread, and I decided to give them location data, then so be it. But, just to visit a website, absolutely not. Besides which, I'm not sure if the customer lying about it gets the business off the hook.

This is the problem with these lawyers and legislators coming up with the grandiose "reach out and touch someone" laws. They sound oh so cool on paper. And, Amazon, with I'm guessing 500 lawyers, may be able to accommodate them. But I, as a sole proprietor, cannot. If I create a physical business in my state, and @Ed7789 , a Canadian, comes in the door, I have to comply with city, county, state, and federal laws for the US. That's difficult enough, but maybe doable. But, I DON'T have to comply with Canadian law, because he's on my turf. It should be the same if he visits via the internet.

Let's consider the new sales tax laws in the US. With the new supreme court ruling I mentioned, if a California visitor comes to my website for a business based in Georgia, and I ship him a $ 5 widget, and make maybe $ 1, I may have to have a permit for, collect, itemize, and remit California sales tax. Just doing that for my own state is a nightmare. Many of our 285 (I think) counties have different tax rates, and I have to itemize the taxes for each one. I don't know what the counties are in California, and I don't want to know. Yes there are quotas like I have to do over 200 transactions in a state, etc. But each state is different, and I could cross that quota at any time, and become libel for sales tax in that state, without knowing it. For small transactions, my profit may not even cover my overhead of having a sales tax permit and doing business in the remote state. And, once you have the sales tax permit, you have to pay a fee of maybe hundreds $ every year and file tax reports every quarter usually.

Anyway, end of rant ... for now. I see these laws that require people like me to comply with the laws of the VISITOR's location to an internet site to be almost completely impossible to comply with and onerously burdensome and expensive, perhaps PROHIBITIVELY burdensome, for small businesses and individuals.

Ron
 
Well I was thinking specifically about users who choose to create an account. If they don't, then it seems unlikely you would ever collect enough information about them to cause them to pursue a remedy of any kind... but never the less:

I was more suggesting, similar to the "cookie notice" something like "You appear to be visiting from [Norway]. If you continue, then [conditions] will apply to you. If we got it wrong, choose your jurisdiction of origin here: [drop down list]." I'm no expert, but this would seem to cover the obvious... not that it would be easy or fun.
 
Anyway, end of rant ... for now. I see these laws that require people like me to comply with the laws of the VISITOR's location to an internet site to be almost completely impossible to comply with and onerously burdensome and expensive, perhaps PROHIBITIVELY burdensome, for small businesses and individuals.
Herein lies the problem with the Internet.

(Usual disclaimer applies) Laws seem to apply to be specific to the location where the transaction occurred.
In my case, if I buy groceries from ABC inc. from my own house or if I go to the nearest XYZ grocery store, I expect provincial and Canadian laws to be applied because 100% of the transactions occurred in Canada, on a Canadian network. I would be required to pay the Canadian sales tax (GST) and the Provincial Sales Tax (PST), or the Harmonized variation of these (HST), all of which are created by legislation in Canada. And I wouldn’t be subject to the USA sales taxes. (Side note: for small businesses that sell below X CAD to Canadians, it’s up to their customers to report and pay the taxes.)

If I’m buying from a Canadian company, from the USA side of the border, it’s the USA laws that I would be subject to.

And it gets weirder with digital goods and the wills of the deceased (see https://www.cbc.ca/news/business/widow-apple-denied-last-words-1.5761926). Which law should apply here? I would say Canadian because the goods are of a Canadian resident, like it would apply to physical goods.

There is no simple answer to that question for virtual goods. I personally think the laws of where the transaction occurs should apply, which means wherever the customer did the transaction.

Sadly for SMEs, but it’s because of the abuses of the few (e.g.: Amazon, Apple, Desjardins, Google) that they now suffer of.

I was more suggesting, similar to the "cookie notice" something like "You appear to be visiting from [Norway]. If you continue, then [conditions] will apply to you. If we got it wrong, choose your jurisdiction of origin here: [drop down list]." I'm no expert, but this would seem to cover the obvious... not that it would be easy or fun.

Simply asking that question will automatically trigger privacy protection clauses, because you are asking for personal information.
 
Last edited:
Well you can't assume which laws applies to someone, and as each jurisdiction gets more and more demanding (we have at least the EU and California, but I am sure more will come) then you have no way to know what to do without asking where someone is from. This gives them the chance to lie if they want, knowing they will forgo any protections they might otherwise have had. Can't think of any other solution that works effectively, short of logging nothing, and not using cookies (so having no state) and basically being a read-only site.
 
@Ed7789 How do you quote two people in the same post like that? You bring up some good points. @PHolder You also bring up some good points.

I had to google a few acronyms. So, SME's are Small and Medium Enterprises. SMB's are Small and Medium Businesses. And, SOHO's are Small Offices Home Offices. I'll just use the term SMB's.

The technical aspects of preparing my business are substantial. But, at this point, I see the legal, logistical, and accounting aspects to be more problematic as we're discussing. We all "love" clicking those cookie notices on every website. :cool:

Like I said. It's a mess, and it only looks to be getting worse. By the way, if you use affiliate links to sell things, now they want you to collect affiliate tax in many states that are remote to you. I wish they would make the laws more tech / internet friendly and more SMB friendly, something which the legislators seem incapable of doing. Maybe one of the Entrepreneur member groups can help.

I've found a few resources for handling the sales tax situation in the US. Here's one:


Not that it matters to anyone, but, in terms of taxes, I think MY STATE should just collect 10% of my revenue and distribute that out to the Federal, County, and City tax offices. I should have ONE sales tax return the size of a post card for the state I'm in. Even now, if I collect sales tax in my state, it's a nightmare. I have to itemize tax distributions for 285 or so counties. If another state wants tax money, they can collect it from businesses in THEIR state, not from me. For the privacy stuff, we need some sort of common international treaty that is still SMB friendly. Oh yes, and world peace too. :cool:

Ron
 
@PHolder… I didn’t know that. I copied the BBCode to a text document and then inserted in the appropriate place in my reply.
 
Just to clarify this story about the French bar, this is a law that was approuved by the French goverment in 2006, anti-terrorist law of January 23rd 2006, not even known by everyone in France https://www.vie-publique.fr/rapport...loi n° 2006,pour objectif de révolutionner le

In France, there is a saying, nobody is supposed to ignore the law. But in my opinion, they should communicate more, I believe the Police wanted to send a signal after all terrorist problem emerging now.
Thanks for your show, keep the good work!
Francois, Paris