The whole thing looked a bit strange to me. First the interview started with a basic presentation of who Edward Snowden is and what he did... at the Websummit.<p>His talk brought nothing new if you follow him, maybe it brought attention to the issues to a wider public (it was all over the news in Portugal).<p>On the other hand I feel his presence could serve to white wash the whole thing. How many companies represented there would be out of business if they embraced Snoden's beliefs?
Tracking needs to be illegal. Period. As long as it's legal, even conditionally, we will be playing whack-a-mole. There's a helluva lot of trash on the internet that's there <i>only</i> because somebody is trying to game the advertising industry.<p>If you allow conditional tracking, and invite workarounds, we are in a race to the bottom. Ethical players are caught in a position of play dirty or die. When growth/profits sag a bit, they will have no riposte to the board member who questions their unwillingness to engage in cutting-edge gamesmanship to get around the law.<p>On the other hand, if you make it strictly illegal, and make the penalty an <i>existential threat</i> to the company, then everybody can play a fair game. The board member who pressures the company to do such things will be putting the company at risk, and the ethical folks have their response.<p>Advertisers don't need to track people. They don't need our personal information.<p>Case-in-point: Alphabet just bough Fitbit. Fitbit knows your <i>most intimate details.</i> They know when you sleep, when you are awake, where you are. They know when you go up and down stairs. I'm guessing they have a pretty good idea of when you make love, where you make love, and with whom (if you're both wearing). And they just sold their data-collection to a company that <i>exists</i> to exploit your data.<p>This needs to be stopped. Now.
Data protection suggests that it is okay in the first place to collect data, as long as it is going to be protected. But this is a problem. Data shouldn't be collected in the first place, because you can't probably protect it properly anyways (leaks etc.).<p>He's totally right imho, but to defend the GDPR at least a bit: It does have the concept of "consent" so that data should only be collected if people agree to it being collected. However, I still have my doubts that it works like that in reality for several reasons:<p>- Too many websites place tracking cookies first and then let you disable them<p>- Too many apps use some kind of analytics without any consent<p>- The GDPR has different mechanisms to give companies a "legitimate interest in collecting data". How this is enforced is kind of unclear.<p>- The GDPR issued fines in the past, but <i>what's gone is gone</i>. It maybe helps that companies stop collecting more data in the future after they were caught, but you, as an individual, are still screwed.<p>So, the only way indeed is to stop SOME data collection in the first place and do it yourself. And you certainly can forget cookie banners and all that junk. Only thing that works is:<p>- don't sign up to abusive services<p>- use tracking protection on the web (uBlock Origin)<p>- possibly use something like pi-hole to prevent tracking for all your devices and apps<p>But of course, this doesn't stop data collection where you really have no choice but to agree to something.<p>Edit: Clarification
Confused, doesn't GDPR prohibit you from collecting data in the first place unless you satisfy some criteria? Meaning it <i>is</i> data collection regulation?
Mr. Snowden is right. If you don't start with the assumption that ALL SECRETS LEAK SOONER OR LATER, your information security plan is definitely flawed.<p>Not even state actors with unlimited resources (that's you, NSA) can prevent stored secrets from leaking. It's ALWAYS something, whether teenaged hackers or far-flung contract system administrators with too much access (that's you, Mr. Snowden).<p>Rule 1. Don't collect data you don't need.<p>Rule 2. Don't store data you don't need.<p>Rule 3. Assume all data you store will leak, according to Murphy's law (at the worst possible time).<p>Rule 4. Make your stored data has limited utility. Eternal Blue (hi again NSA) was not such a secret.<p>Rule 5. Make sure your stored data has limited useful lifetime. US Social Security numbers do not have limited useful lifetime. Strangely enough, credit card numbers do have limited lifetime.<p>Rule 6. Do your best to set up leak detection. For example, seed your financial secret caches with fake social security numbers that raise flags when used.<p>Rule 7. See rule 3.<p>Secrets should be stored under the legal concept of strict liability. They're just like bulls in a farmer's field. If the bull escapes and causes damage, the farmer pays for it. No excuses. No need to prove negligence.<p>We have, up and running at scale, workers' compensation and the vaccine injury fund. Both of those assume strict liability. A dangerous factory sees its premiums go high enough to put it out of business. Same for a sloppy vaccine manufacturer.<p>Why can't NSA and Equifax be held to the same standard? (I'd hate to be POTUS announcing a tax increase to cover the damage caused by Eternal Blue.)
He misrepresents the GDPR a bit.<p>At least in theory, the GDPR is meant to restrict collection, not just how the data is used and stored. It has a big loophole in allowing for vague "business interests" to be taken into consideration whether collection is legal or not.<p>More than that, the GDPR clearly establishes ownership of PII and asserts that owners have the right to request information about how their data is handled as well as demand that data be destroyed, exported or corrected.
I'm sick of this whole situation. We need to ban "opt out". Everything businesses do should be "opt in" with "informed consent", and noncompliance should be be punished with summary closure and dissolution after the first offense.<p>And while we're at it, let nuke the data brokers. Preferably literally.
Here's a link to the full talk for anyone interested:<p><a href="https://www.youtube.com/watch?v=X4_7A-SGLo8" rel="nofollow">https://www.youtube.com/watch?v=X4_7A-SGLo8</a><p>It helps frame the response a bit more in the context of the question the host asked. (~"is GDPR the panacea?")