Start reading

Preface

Facebook is now called Meta (the company, not the platform) and Google Analytics has recently become illegal in some European countries. Google Fonts, too. And so are those multi-page cookie banners with pre-selected „legitimate interest“. There is something going on in data protection and privacy and I hear less often „I have nothing to hide“, but more often „I care, but I can’t do anything“. That’s only partly true. There is a lot we can do to keep our own little front yard clean and tell other people about how to make things better. Because doing nothing is a bad option since we are responsible not only for our own data but also for that of all those from whom we have contact information, photos, videos, or other personal information on our devices, in cloud storages, or on social media.

I’m having a hard time pinpointing an exact time where the issues of privacy and data protection really took off. The newspaper clippings that I receive from family members via messenger are increasing. In small local magazines and national newspapers, there is an increasing amount of information and reporting about Google, Facebook, WhatsApp … Critically, by all means, and with opportunities to cheat the respective companies. We are on the right track.

For the last edition, the Privacy Shield case was a decisive event. For this one, it is rather supposedly smaller events, court decisions, and decisions of data protection authorities, which accumulated in a short time.

Three important decisions already happened during the last months: As recently as December 2021, the data protection authority in Austria ruled that Google Analytics, Google’s more widely used website analytics tool, is illegal. Less than four weeks later, there was a decision by the Munich Regional Court that Google Fonts, i.e. fonts on websites that are fetched from Google servers, are illegal. In early February, the Belgian data protection authority declared the technical standard behind consent for advertising to be illegal. And just one day later, the Irish ICCL ruled that cookie banners are illegal according to the iab standard. Iab stands for Interactive Advertising Bureau, and their cookie banner design standard is the one with the multiple, partly hidden sub pages and also pre-selected »legitimate interest«.
That was the day I decided to finally tackle this new edition before I can’t keep up with the revisions. Please check my website for possible further changes.

All this doesn’t happen out of the blue or because people »up there« care about it or because it’s on their to-do list. It happens because many people like you and me deal with the issues, research and talk about them. With the neighbor, for example. Then she meets the father of another child at kindergarten when she picks up her kid. That father has a job in the government. And so it goes on. We call this a »grassroots movement«. A movement where issues trickle up from the bottom.
And a little over two years after the publication of the first edition, I’m sitting here updating yet another non-fiction book about data protection, where more parts have changed for the better. Thanks to you and all the people who read about the issues, continue to research them, talk about them, blog, podcast, and post on social media. And who question when certain software is to be used by US corporations, for example in education? Who don’t accept everything that guys in suits flog off for a lot of money to unsuspecting people in traction. That’s a good thing. That’s how an enlightened society works, and that’s how democracy works.

Yes, some debates are tedious and no fun at all. Who knows it better than me, who, as a woman, tries to take up the cudgels for data protection… But it’s good when we have those debates. Nothing is more deadly to a debate than »toxic positivity«—a word I learned in 2020. This is when there is a prevailing mood or group culture that allows nothing frictionous to be said. When any conflict or discussion of grievances has to be avoided at all costs. When discussing and building a common consensus regarding all known facts is undesired. Toxic positivity gets our societies nowhere, just as it gets the Flower Arranging Committee nowhere, if we must never point grievances out. The same goes for »trolling«—the opportunistic bashing of everything until the parties to the discussion are so divided that communication is no longer possible. And for »derailing«, too. Meaning distracting from the topic, including »whataboutism«, which does the same, but with the question »but what about XY, who also has a problem?!«.

In 2022 I add to this list that I have increasingly met people who blare that one may not speak one’s mind freely any more because one would be »ostracized«, as the last person put it who said this loudly and publicly. Oh, the irony! To all those, let me say: We—fortunately!—live in a democracy, to which freedom of opinion is an essential part. Other people in this world don’t have this privilege. Because freedom of opinion means that we may express our opinion freely in public, as long as it expresses opinion and is not an illegal expression (e.g. Nazi propaganda or call for criminal acts, which are illegal in Germany and Austria), and we are not prosecuted for this expression. Freedom of expression does not mean that I have one opinion and everyone else has the freedom to share this one, my opinion. Everyone else may have their own opinion and express it freely, and we all have to put up with the fact that those opinions may differ. »Agree to disagree« is what the British call it. And they can probably sing a song about divided opinions.

Data protection is a slowly changing but still upsetting issue. It’s great you are dealing with it. As a society, we need people who deal with critical issues. Who trust in scientists and, in this case, data protection experts and IT forensic experts. Who look closely at such software—what actually happens in it, what data might be collected and transferred somewhere where it has no business being. People who ask the big, universal question: cui bono? Where does the money go?

Thank you for being a part of this slow but steady movement. Enjoy reading and discovering the many ways to do things differently.

How I went from being a »normal user« to a »certified data protection expert« myself

Feel free to skip this part. The exciting stuff, why deal with privacy and what is possible, starts in chapter one.



It wasn’t so long ago that I was a normal Internet user with a Facebook account. I used Gmail and web.de and before that also Myspace and StudiVZ. I worked with Google Docs and used Google Maps when I didn’t know my way around. Also, I »skyped« regularly with my mother and my grandmother, had Evernote and Dropbox on all my devices and overall little idea of how the Internet worked. Or how advertising technologies worked and all the other things that will come later in the book. I even had loyalty cards once. (Okay, I still have two.)

Then I moved from university to a full-time job as a project manager in web development and learned how the Internet works, how to build big websites, online games and apps and also how to incorporate and use tracking, which means counting visitors and analyzing users’ behavior. At that point, my job was to accompany and implement clients’ projects, and in my private life, I was still busy with Facebook events and photo albums and all the above.

There were several events in my life, after which I had the vague feeling that »they« were getting too close to me. Personalized advertising across multiple devices made me uncomfortable. On a skiing holiday, my ex-husband knew exactly where I had been before I told him because the family share on our phones showed him in real time where my phone—and therefore I—was. Apart from that, I increasingly felt that targeted offers and information were encroaching. It was not at all about me having »something to hide«. After all, I told my ex-husband myself that I had raced down the beginner’s slopes with my ski course death-defyingly at probably 10 kilometers per hour. I just found it irritating that he already knew.

Just like many others, I was under the illusion that »having something to hide« was synonymous with »having done something wrong«.

I cheered when Anonymous took over IS websites and put ads for sexual enhancers on them. I cheered on the guys and gals of Anonymous: »Go, guys, go!« Then, I decided I wanted to know more about Internet security.
Later that year, I attended my first »crypto party«, one of those evenings that are being organized in almost every major city, where you can learn from experts how to protect your privacy; for example, how to encrypt e-mails, how to make your phone more secure, etc. By then, I wanted to know how encryption basically works. Not because of my ex-husband, but because I am terribly curious. A little later, I moved out of his place and lived on a buddy’s couch for ten weeks until I had my own place to stay. During this time, I often went to the Vienna hackspace, the Metalab, because I had more »privacy« there than on a strange couch. Not only did I learn how encryption works and which messengers are more secure than others and why, I also got to know many people who know what they’re doing in data protection and IT security.

That same year, I spontaneously went to Hamburg to the annual congress of the CCC, the Chaos Computer Club in Germany. It overwhelmed me. Besides a vast amount of color and flashing and many fun projects, such as a Teletype machine, you could send messages to over the Internet, which it then printed out on punched tape. There was a lecture program that was quite something. Almost everything offered by the participants themselves. No paid speakers and certainly no »keynote speakers«, but people who worked in their day jobs with the stuff they were talking about. The lectures were of such a high standard that I have rarely experienced at university. Until today: kudos.
After this congress, we re-founded the local CCC branch in Vienna that had been dormant for the last ten years. Right at the beginning of the association’s activities, we started two major projects: »Chaos macht Schule«, probably best translated as »chaos goes to school«—we brought this from Germany to Vienna. In this project, people volunteer in schools in their free time and hold workshops on Internet safety and media literacy for pupils, teachers and parents. Many of them take half a day or more off in their day job to compensate for what other people miss in their working hours for a lot of tax money. The other project we started in the same year is the »PrivacyWeek«, which has taken place annually since then. In 2020 and 2021, it was an online event because of the circumstances during the Covid-19 pandemic. PrivacyWeek is an entire week of workshops, lectures, art projects, film screenings, discussions and exchange. Target group: everyone who is interested in the topics of privacy, media literacy, Internet security and democracy—because we want to bring our knowledge and experience into the society. I am thrilled to have helped shape this project to this day.

In spring 2016, a few weeks after my first Congress, I stopped using Facebook. And Google Maps, Google Search, WhatsApp, Gmail, web.de, GMX and a few others that I can’t even remember. I still had Twitter and the e-mail address that came with my domain’s web space. I also still used Skype for the weekly video call with my family on Sundays. In my memory, I didn’t even notice how I had slowly but surely said goodbye to everything else.
I started giving talks about which services are more data-saving than others. I told at writers’ meetings what hackers are and what they are not. Also, that no one who knows anything about Internet security ever says »cyber« without being sarcastic, at least not in the German-speaking parts of Europe. (Because it comes from »cybernetics« and has absolutely nothing to do with what they use it for in marketing and the media).
I learned in my next day job—again project management in web development—how big tracking providers like Adobe, IBM and Oracle work and what their contracts look like. However, I did little project management because there was still another department for that. Instead, they gave me Google banner ads for 14 months straight. I told my employer on a weekly basis that I didn’t want to do that and why, and finally quit when they gave me even more Google banner ads to do.
Instead, I did the training to become a data protection officer. I had learned enough by then that I felt comfortable with the subject, and after the exam, I took another one at the Austrian Chamber of Commerce to become a data protection expert.
25 May 2018: The deadline for the GDPR arrived and, at least in Austria, the topic seemed spontaneously dead. At midnight, everything went quiet. Five straggler-e-mails came in on the morning of the 25th, followed by dead silence. From then on, I looked with admiration at Germany and France, where they actually enforced data protection. Not to mention some Nordic countries. Austria adapted its local legislation three weeks before the deadline and wrote »warnings instead of punishments« into the data protection law. This led to the handling of data protection sometimes being lax, and in many companies, they implement only the minimum. In November 2019, the data protection authority imposed its first serious fine on an Austrian company, the 18-million euro fine against the Austrian postal service; for collecting or extrapolating the political views of people living in Austria and selling them to political advertisers. The Post took legal action against the fine because it saw it as jeopardizing its core business model. They actually got away without a fine. It didn’t even cause an uproar. If a partly state-owned company sees its central business model in data trading with sensitive data, that says a lot. Incidentally, the 18 million represent pretty much exactly 1% of their annual turnover. 4% would have been the possible maximum fine. So the Austrian data protection authority is indeed active—a fact that seeps out slowly among the population and most companies. Maybe the decision on Google Analytics from December 2021 will contribute more to public awareness.
Until now, everyone who can afford it has hired their own law firm, regardless of the fact that data protection is only partly a legal issue. Half of it is also a matter of technical expertise. Some have already understood this and have diversified their teams—diversified in the sense of a mix of technicians and lawyers. Two of my past employers used such mixed teams, and I always found the work with both lawyers and technicians very enriching.
On the following pages, I record what I have learned over the past years.



Chapter 1: Forklifts Don’t Lift Forks

»Data protection« already sounds dusty. But data protection is only to a very small amount about protecting data. 
Data protection is about protecting people and personal rights from abuse and sale. It is about preventing encroachments on our fundamental rights. Most of all, it is about protecting minorities, privacy and highly personal areas of life. It is about what is none of anyone’s business and that it should stay that way. It is about equal opportunities for everyone in our society, regardless of financial power, origin or social position. After all, forklifts don’t lift forks.

The crux of data protection is that it is a team sport and not an individual issue. Of course, everyone should look after their own secrets. But it is only by working together that we can be effective in ensuring that things are equally fair for all people. Anybody can be as careful as they want to be about saving data; as soon as one person in their group installs WhatsApp on their phone, all the data from their address book is automatically transferred to Facebook. Even the data of those people who never had or would open a Facebook account themselves.

The privacy of some ends where the carelessness of others begins.


Who Are »They« Anyway?


Of course, I could write about »threat models« here, and I know that 90% of the readers would close the book in frustration at this point. This is just the technical word for »what is your biggest problem?« or »what is your threat scenario?«.
Threat? But I don’t feel threatened at all! Yes, exactly. Unfortunately, the problems that the Internet and all the technology brings with them are rarely visible. All the data scandals numbed us. Including me. As much as it upsets me, I only raise my eyebrows with every scandal that happens—every week, repeatedly.

»They« are the usual suspects like Facebook, Microsoft, Apple, Amazon and Google. But there are more, for example, insurance companies, also health insurers, who are happy to nibble at the data cake. They considered traffic monitoring, assessment of residential areas and the number of insurance claims of a person in the past, now there are data from card payments, traffic data from navigation devices, vital data from fitness trackers, advertising profiles on individuals and much more available literally in real time to assess how risky or (un)healthy a person lives. Or that Silicon Valley company that commercially analyzes and sells information of people seeking help at suicide hotlines.
Banks and financial services also like to observe our digital selves. They are often watchful of people’s creditworthiness. As are credit agencies, who take a great interest in your circumstances. And when the German »Schufa« will be sold, we will hopefully discuss the topic more broadly.
Many »start-ups« are downright data holes for various reasons. Some simply do not care to be data-saving and use everything that the advertising toolbox offers. Not only for advertising, but when building their apps, services or websites with the software solutions that large providers like Google or Facebook make available for free. Some also deliberately want to get involved in big data and become one of thousands of players in the data trading machinery.

Then there are corporations, companies, government agencies, people who want to make money and last but not least: people who are responsible for Brexit and Trump’s election as US president and even more concerted political influence worldwide. Between them, thousands of data traders are making a lot of money buying, matching, merging and reselling volumes of data. 
If you want to learn more about government surveillance and the machinery behind it, I highly recommend Edward Snowden’s biography »Permanent Record«.
And they explain the machinery behind Instagram, Facebook, Google, Twitter etc. impressively in the documentary »The Social Dilemma«. I also fully recommend this docu.

That the state’s use of our private data is an issue we see when we look at the Clearview incident in January 2020. A company called Clearview was taking photos from Facebook, Twitter, YouTube, and others—about three billion images. »Scraping« is what it’s called. From these, they created an enormous database of people’s faces. They offer this database and their associated services to over 600 authorities, but also to private companies. An article in Die Zeit stated: »Clearview monitors people the police are looking for«. The particularly disturbing part is that authorities buy data from start-ups and marketing companies and base their investigations on them. They also use photo and beauty app providers. There is the petition »Reclaim Your Face«. The website of the civil society initiative to ban mass biometric surveillance has more information on how our images are being used against us.


Clicking, Clicking… Gone. GDPR.


No, go away! It’s all just rubbish and everything has become much more complicated! My doctor wants my consent to send my blood to an external laboratory for testing! …
Yes, I know. Much nonsense has happened and the word »GDPR« is completely burned, just like »data protection«. These words make most people’s hair stand on end. Apart from a few who work in the field voluntarily (me, for example), hardly anyone has positive associations with it. Unfortunately, this is for a good reason.

Let’s try anyway, shall we? So: What is the GDPR and why do we want it?



The GDPR, the European General Data Protection Regulation, is indeed a big win on the part of citizens. In 2022, I can say that the good sides of the GDPR are slowly emerging in my perception, also in the media and in people’s awareness.
Unfortunately, the governments in most European countries failed to produce and distribute helpful information within the two-year lead time between the entry into force of the GDPR in May 2016 and its actual implementation on 25 May 2018. Instead of two years, that would have allowed for relatively comfortable, in-depth information and a halfway relaxed implementation, in the end only two months remained to fulfill the GDPR. These two months before the deadline of 25 May 2018 were hectic everywhere. Website operators, small and medium-sized enterprises, lawyers, bloggers, entrepreneurs, podcasters, associations, doctors etc. were unhappy about having to implement the strict requirements for their parts in far too short a time and without sufficient information. The communication by politicians and business representatives was clearly not a brilliant achievement and, in my eyes, it still has not become one in the two-and-a-half years since 2018; although there are now some helpful handouts for companies and self-employed people, at least in most countries. The data protection authorities often offer helpful information and some also advice and are often out and responsive on social media (at least on Twitter and Mastodon). There even is movement in punishing data protection offenses. In some European countries faster, in some… slow.

Since 2018, something has already happened through the activities of the German data protection authorities with public educational offers, brochures on the websites, etc.. The data protection authorities of the federal states offer excellent information. Some offer individual advice, some are approachable on social media (at least on Twitter and Mastodon). And there is more movement on penalties for data protection violations.
Many complained in 2018 that the GDPR was vague and many details were unclear or missing. That is true. But the plan was to launch the GDPR together with the ePrivacy Regulation. The ePrivacy Regulation would have contained everything that is missing in the GDPR in terms of specific implementation. Unfortunately, the lobbyists of the advertising industry have prevailed and the ePrivacy Regulation got sidelined. At the beginning of 2021, Portugal took over the EU Presidency and came up with a new draft of the ePrivacy Regulation only a few days later. Let’s hope that the matter will now gain momentum again. In 2016, however, only the GDPR remained, with all its difficulties.

Thanks to advertising lobbying, all that remained in 2016 of the planned duo was the GDPR with all its difficulties. There is an enormous difference between a service being »GDPR-compliant« and being actually data-saving. After all, the GDPR only says that operators have to specify and tell people what happens to the data. It says absolutely nothing about how data-saving a company, app, etc. actually is. This makes an important difference.
Most people who offer websites or online shops or somehow else have to deal with customers, etc. have by now managed to implement the requirements. The most visible thing for us citizens and consumers is the information obligation, i.e. notices with information about camera surveillance and the now ubiquitous privacy statements. Some made theirs with the help of generators, either out of fear of doing something wrong (and being threatened with draconian fines) or out of the assumption that they have to write a legally binding text (and hire an expensive lawyer to do so). Sometimes those generators produce incorrect texts, but they are better than nothing. In most cases, writing the privacy statement themselves would not have taken much longer, and then people would at least know what’s in their own texts. This also got completely lost in the general GDPR panic before 25 May 2018. In the meantime, two years have passed, and it’s time to check the statements and see if everything in them is still correct, or if something has perhaps changed in the past two years: New hosting service? Different contractors? New software in use? All those who have had to write privacy statements can learn something about their own business, and the data that flows into, within and out of it. It’s time to make some adjustments where things could be better.
The GDPR offers completely new possibilities for citizens, website visitors and customers. With this EU regulation, they have handed us a tool that gives us, the citizens, the power to demand our privacy for the first time. We can (and should) learn to use this power. Slowly, more and more people are daring to ask what happens to the data collected about them and their behavior. More people are complaining when they don’t like the way their data is being sold. How the data is »processed« and to whom it is given. The data protection authorities have collected appropriate forms and suggested texts on their websites. We can be the sand in the gears of the entire data industry and rap the knuckles of those responsible. And that’s a good thing. It’s about our digital selves and the effects that the data trade has directly on our lives, our self-determination, our fundamental rights, democracy and last, but not least, on our wallets.


Don’t Be Annoying! F*cking Banners and Pop-ups Everywhere


What’s it with all these pop-ups and warning messages I don’t understand, and which are always just in the way?
Let’s say that many, especially large websites such as news portals, large web shops etc., have half-implemented the GDPR. The GDPR requires easy-to-find information, understandable for everyone, about what data they collect, for what purpose, on which legal basis it’s collected and what exactly (!) happens to the data. Yes, most pages show a notice that personal data is being processed. Only the »why« and the level of detail about what happens to the data, who they pass it on to or sell it to, is already lacking. In addition, the information is usually so convoluted that no one understands what actually happens. The cookie banners are annoying, the pop-ups, too. We don’t even have to start with the double and triple newsletter e-mails, and surfing the net has become exhausting. But:
Users now can make an informed decision about whether they want to use a certain offer. Meaning: whether it is worth the payment to them and by payment, I mean what happens with the information about the users and their behavior on the platform and beyond. Thanks to marketing, the explanatory texts are extra long and so laboriously written that no one wants to read them. Everyone just clicks off the notice, automatically consenting to everything on most sites, including data trading, tracking and profiling across all devices and the entire Internet.

Yes, there is a system behind it. Suppliers of large online shops and hardware manufacturers, etc. have absolutely no interest in competent and informed citizens. They deliberately make it difficult and cumbersome for us to find, read, and understand the information they are legally obliged to provide.



Important: You are not too stupid, they make it extra difficult for us on purpose.



As difficult as possible. I know, I tried to introduce comprehensible privacy statements in a company. I was told that it was not in the company’s interest that customers could read and understand what they were agreeing to by signing the contract. Let’s consider the example of the Austrian Post: According to their own statements, their central business model is data trading. Delivering parcels? A side branch at most.

Speaking of making things difficult and all those annoying cookie banners. Yes, they deliberately designed them to be misleading, too. It would be presumptuous to rely on the clearly visible colored button to confirm the data-saving choice. Watch out like a hawk to make sure you click the right thing! And yes, that’s difficult for everyone. Even people who work in data protection often fall for the confusingly designed cookie banners. The journalist Richard Gutjahr published a video in December 2020 in which he shows this very thing. (To view the video without Google-tracking, you can use Invidio.us.) Starting with the fact that cookie banners all look alike because of the iab, the Interactive Advertising Bureau, i.e. the lobbying association of the online advertising industry. The iab came up with this so-called standard for the design of cookie banners. In the video you can see how the Bavarian data protection president, Michael Will, in the firm belief that he has deactivated all cookies, falls for the nested design. He, too, has fallen into the trap that the advertising industry has set up for us. Millions of times a day. Fortunately, this form of cookie banners was declared illegal in February 2022.


Note: Even behind the inconspicuous gray link »legitimate interest« there are still pre-selected trackers switched on!

The video is a great recommendation for those of you who understand German. In the second half of it, Richard Gutjahr talks to Tiemo Wölken, who works as an MEP in Brussels and commits strongly to data protection.