Gartner Blog Network


My GDPR – Inspired Rant: Privacy, WTH!!!

by Anton Chuvakin  |  May 25, 2018  |  23 Comments

This has been brewing for years, and May 25 (aka “the GDPR Day”) is the perfect day for my epic privacy rant. So, WTH is privacy?! WTH is this obsession with privacy?!

Look, I get secrecy or confidentiality. I do NOT want my health data in your hands. Is this privacy? Hell no. This is me protecting my secrets (and those who say “we do not have secrets” often do too).

In fact, why do these people protect so-called personal data or PII (personally identifying information)? Look, my name is Anton Chuvakin (oh, no, nooo, nooo…this is “pee-ai-ai” leak … nooo!!!) , and I had my main email on my website www.chuvakin.org since 1997. It is not that hard to find where I live. I don’t need a chocolate bar to disclose my email – it is PUBLIC [amazingly, my Twitter handle is public as well :–)]. You don’t own this information about yourself, the idea that you do is just bizarre and alien.

For god’s sake, have these privacy crusaders heard of phone books? White pages? In recent years, I’ve seen many ”data breaches” where the attackers essentially steal a phone book, and no other information at all. Yet we’ve heard throngs of clowns scream “Oh no!! They got PII!!!” IMHO, much of “securing PII” is just wasteful busywork, that has no security or risk value whatsoever. Secure the secrets, not names and emails!

Further, if you pass by my house following the public street, you will be recorded on my cameras. If you see me drive by, you will be recorded by my car dashcam. Public space is public. Therefore, I find the discussion about privacy in the public space to be thoroughly idiotic. Yes, it is OK for our police to record your license plate as you drive on the public road – just read it again … PUBLIC road.

Please, don’t be stupid, PRIVACY IS NOT A HUMAN RIGHT. Privacy is at best a preference of some people; at worst, a luxury for spoiled neurotics. Just as living in a cave and eating paleo is a preference of some people. If certain countries prefer to think of it as a right, they can easily regress into being a Digital Third World, where computers are frowned-upon because – OMG! – they cannot explain their decisions (as if most humans can?)

Look, some cultures has no concept and no word in their language for “privacy.” Doesn’t it just give you a hint that it is NOT a universal thing of any kind?

Now, some people like to quote “if you are not paying for the product, you are the product” which I find idiotic. Look, I enable “share location data with Google” because I know the data will be pooled and put to good use. Can you build a system to optimize road navigation in your city with just your own data? No, you cannot. So, the value of this data for this purpose for you is $0, and I am VERY happy that it provides value to all of us when I share it. You pay nothing – and get value, so share more!

Further, unlike some, I am OK with being profiled online and seeing well-targeted ads. Here is a quick test: if you are shopping for a new bicycle, which ads you’d rather see: a/ bicycle ads or b/ penis enlargement ads? Think about it – some of it may feel creepy (uncommon, unexpected, weird, etc), but there is no harm to you and there is definitely value for you.

Similarly, if my hospital wants to share my health data with a pharma company and they pool it and then use it to develop cancer cure and make billions – you know, I am OK with that. Will you holding on to your data cure cancer? Hell no. This is why some [admittedly biased] say “GDPR will murder people” by slowing down or killing some medical research.

As a side note, I consider the “right to be forgotten” to be evil. Stalin evil, to be precise. In Stalin’s times, in USSR, the government censors edited people our of pictures and then republished history books without them. This is your brain on “the right to be forgotten.” I wish Google and others will fight this menace harder than they do today.

Finally, I have to take a personal risk and consider the final argument people bring up for privacy in Europe. It did come up in a few discussions with my European colleagues, typically as their “argument of last resort.” Let’s call it “the Holocaust argument.” They relate European psycho-obsession with privacy to historical lists of certain groups or nationalities collected by governments for the purpose of killing them. And, look, I know and respect history, but seriously – do you think in today’s Europe this risk is real at all? To me, this argument is purely neurotic, and not factual.

So, here is my closing thought: re-think privacy! Much of what you think you know about its goodness is perhaps not so certain – and occasionally just plan evil. BTW, some further reading that matches this world view is here (Gartner access required, Maverick research does not represent the consensus view of the analyst community).

P.S. And, no, for the record, I do NOT think “GDPR will be the model privacy regulation.” I think GDPR will either die a slow bureaucratic death or will destroy Europe’s chance to be a part of the digital future.

 

Category: philosophy  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on My GDPR – Inspired Rant: Privacy, WTH!!!


  1. Richard says:

    You seem to not get it or more likely you don’t want to get it. If you choose to publish your personal information, it’s absolutely fine and no one prohibits this. And many people do just that, they post on Facebook, use location services, shop with Amazon, answer surveys etc. The key is, it’s your choice and what happens with your data should stay your choice. if I decide to give someone details about myself for a specific purpose they should not be allowed to sell it to someone else.

    GDPR is a good thing even though it’s a lot of work. The outcry about it stems mostly from people and organisations that didn’t implement measures properly to comply with existing European data privacy laws and of course GDPR now has a much broader reach even outside of the EU.

    • Thanks for your thoughtful comment, Richard. Indeed, I made this point (re: OK for people to share, etc), and you correctly pointed out that this is really not the point of privacy. Indeed, this is true, but I also shared that I think that forcing others (via laws, etc) to protect such info is not a good idea. My reason is NOT “because I think I can share it” (this would be too self-centered for me), but because much of this info really should not be protected for anybody…

      Indeed, I think some European views re: privacy are not my own (e.g. about management of personal data) and some are (IMHO) just plain crazy (e.g. treating IP of a home model as PII)

  2. Jason Keirstead says:

    @Richard if GDPR was restricted to controlling of “selling your data to someone else”, then I may agree. However the scope is not limited to that whatsoever, and furthermore the language throughout the regulations is ridiculously vague to the point that it is impossible to guarantee you’re actually compliant.

    Point of fact – under a liberal interpretation of the definitions in GDPR, it actually may make retaining any email in your inbox from an EU citizen illegal without their express consent – you have to delete immediately after reading (aka “processing”), or ask if you can keep it for later to follow up on. Sound like a ridiculously broad interpretation of “processing”? Maybe, maybe not. Are you ready as the council of a Fortune 100 to stake billions of dollars on having your interpretations correct? Unlikely, and this is why the whole world is falling apart today with people’s smart homes going offline and whole swaths of the internet disappearing for Europe.

    This is the problem with GDPR. GDPR is a bunch of good intentions, ruined by a very horrible implementation. What I have yet to figure out is if it was crafted purposefully horrible (to force it to fail), or not. We shall see as it shakes out I suspect.

    • Jason, thanks a lot for your comment. Even though my post was not intended as a criticism of GDPR (only inspired by it), IMHO it can “increase the crazy” and shift sec spend in a not-so-useful direction, away from real threats and away from real assets coveted by the threats.

  3. Golan Ben-Oni says:

    While it may be easy to argue that privacy is not a right; I prefer to categorize it as a responsibility. Every nation on this earth balanced the concept of personal privacy with other important elements that are a right such as personal safety. If not for the rule of law, man would eat man alive. Yes, we can put forward that one of these or perhaps both are not rights, but in a free society we need elements of both. If we look at them as a shared responsibility, the playing field changes a bit; but let’s not get caught up in semantics here. There is no question these are important. Can we regulate responsibility? Perhaps not. We do however have a responsibility to be good actors in our republic. There is a price to pay for being a bad actor. We can penalize people and organizations for violating that basic principle: don’t be evil. The free market can’t fix everything. Here we don’t have great alternatives, and left unchecked our privacy deteriorates to the point that we need to be concerned. When private industry combines with out of control government collection programs we run the risk of losing our freedom. Let’s not do that. If we upset our citizens, they will leave. If we upset our organizations they will leave. Finding that balance is not easy. GDPR will probably make things worse for organizations while attempting to make things better for people. We need more discussion before we regulate here in the states. Let’s not make the same mistakes Europe is making with their approach.

    • “GDPR will probably make things worse for organizations while attempting to make things better for people.” <- not sure at all it is better for people as some of the "privacy abuses" have NO HARM (e.g. tracking for targeted ads)

      • Chris says:

        I would say that the teen girl whose father found out she was pregnant because Target figured it out from her purchases of unscented lotions and generic over-the-counter health supplements and sent her targeted ads through the mail, was harmed by that instance of targeted advertisement, as were probably other women who weren’t necessarily ready to announce their pregnancy status with anyone else who might view their mail. There is a lot of information you can pick up on someone based on what ads they’re getting that could be harmful to them. If you belong to a repressed group that has an option to go stealth — maybe you are gay or trans — do you necessarily want to advertise services related to that to anyone behind you when you open your PC? What if you were researching some medical condition that you may have but don’t want to feel comfortable announcing to the world yet and ads for a related medication come up, or you’re looking to get out of an abusive relationship? Well-targeted ads mean that you could be “outed” on any one of a million fronts at any time and using incognito mode isn’t adequate protection anymore because instead of cookies, advertisers can grab your digital fingerprint and keep your profile server-side instead.

        • Leaving aside that the story is fake (source: https://www.kdnuggets.com/2014/05/target-predict-teen-pregnancy-inside-story.html) and that perhaps parents should know about teen pregnancy of their children, I think you have a good point about repressed groups.

          Now, we probably need to separate “fake repressed” from REALLY repressed, and then the solution is “simple” (well, conceptually!): you do need to protect the secrets. HIV status is a secret. Will deducing HIV status from public data be a privacy violation? Perhaps [see, I agree!]. In some remote repressive regime [but for sure not in EU / US?], the danger is higher, I agree.

          But how on earth can you prevent it / control it? Not with laws, now with reversing the technology evolution?

  4. (a little piece I wrote on the subject)

    Hasta la vista baby, you won´t visit the future….right now

    Today we´ve got the tech to do Matrix/Terminator stuff without having to deal with a terminator coming through a time-portal. Great…… Finally, the future is here. Perhaps we could invent a “Helpinator” to better benefit our needs, terminators tend to work in ways that are not compliant with current security standards……

    This could have been a time of rejoice, if it weren´t for GDPR gunning down a large portion of technical evolution…..

    The rise of AI (machines) couldn´t have come less appropriate, since we´ve got GDPR coming into force in about a month, ruining all the fun with automated data collection, automated application of repetitive tasks, and all other problems that AI eradicates.

    That´s really what it is, GDPR is a blanket that inhibits evolution for the moment. Of course, it won´t take long before we learn to live with it, but it comes at a really bad time, when tech innovators are doing a lot of progress, that for once is “touchable” and understandable to the common man as well, but it will periodically slow down while we adapt and find ways to invent under this new jurisdiction.

    So, for the moment, congratulations U.S, Russia and China. Europe is pulling out of the race to invent the first Helpinator…. On the other hand, we won´t be bothered by hyper-targeted advertising on Facebook, but I guess that´s a weak comfort…..

    Let us hear from you and your work towards compliance, perhaps we could give you some space within the Executive report frame to guide the rest of our readers.

    Hasta la vista!

    Editor in chief
    Johan Lennström

  5. Tim Turner says:

    It’s not hard to imagine that someone cocooned within a big, elitist organisation like Gartner might want to allow large internet companies owned by a tiny number of spoilt little rich boys to accumulate data and therefore control over citizens across the world, and if the author doesn’t want to retain any control over his identity and private characteristics, that’s his choice. The problem with this article is that it ignores the fact that other people might want to exercise different choices. Innocent people may not want to be spied on by the police. People who have been inaccurately or unfairly depicted may wish to have data about them removed. I know a victim of domestic violence who is using the right to be forgotten to stop their ex-partner tracking her down by using publicly available data, but presumably the author thinks that this is Stalinist and evil.

    Given the rise of race-based populism across Europe, and the current US president is obsessed with racial identity, the sentiments of the final paragraph are the stupidest thing I have read in a long time. It’s not surprising that the author is a privileged white man, but it explains the aggressive complacency. Worrying about government control is a serious concern for every citizen – the rest of the world can pretend that the worst mistakes of the 20th century cannot be repeated, but the continent that suffered the most brutal consequences of those mistakes has the shared intelligence not to be so forgetful.

    I suspect the angry tone of this article is due to the fear in the tech sector that their vampiric tendency to suck every bit of data from everyone they come across – whether they like it or not – is threatened. Europe doesn’t care that Silicon Valley doesn’t like the GDPR; they did it anyway. The techno-imperialism of US corporations isn’t a fact of life, and Europeans can fight back if they want to. I have no idea who is going to win, but I am happy that the EU is pushing back.

    • Thanks for a thoughtful and insightful comment. However, the angry tone is not because I care about the fate of the tech sector [in Europe]. I think if things go badly due to this Euro-bureacratization, the tech companies can simply cut of the Euro-crats from their services and leave them in their digital stone age to enjoy their “privacy.”

      My anger is because I hate stupidity. IMHO, thinking of “name + email” as “PII” is that – STUPID. Much of PII is NOT a secret, it is NOT private, and laws that seek to improve protection of that are IMHO misguided.

      Now, for the main point: I am a bit shocked since IMHO my last point was the least contentious, and also the least relevant. Do you think “the worst mistakes of the 20th century cannot be repeated”? IMHO, these are pretty fucking bad mistakes like say Nazism and Stalinism that killed 10s of millions. So, yeah, I am pretty sure early 21st century Europe is not about to repeat them…

    • Sorry, forgot to add one more argument: could you clarify the connection between “techno-imperialism” (presumably, by ***private*** companies) and “Worrying about government control is a serious concern ” (by some state)? These to me seem totally unconnected, and that is why I am not sure what is your main concern: state vs citizen or corporation vs citizen? Or both?

      • Chris says:

        If companies are collecting it, governments can use the force of the law to demand it, and in fact they already do. Once the information is being collected and stored by anybody, there is a real potential for governments to take it and use it for their own ends. In that way, private companies can end up doing what is effectively cheap surveillance work for oppressive governments. In China, tech companies are basically not allowed to exist unless they agree to help the government with surveillance of private citizens, so they may be the poster child for this, but it’s not like western governments aren’t demanding private data from tech companies either. What did you think warrant canaries were invented for?

        • Thanks for another thoughtful comment. This does clarify why privacy advocates sometimes lash out at *companies* driven by their fear of the *government* (which, until your comment, I found rather silly). This does make me cherish the fact that the US has the 2nd amendment…

  6. Thanks for the most insightful comments; I will respond later today (sorry, we had a holiday here in the US)

  7. Stephen Cobb says:

    Anton – Appreciate you sharing your feeling on this topic. I have two questions:

    1. In terms of malicious exploitation, do you see any practical differences between a printed phone book located in meatspace and an electronic database in cyberspace that contains the same data, that one that can be instantly copied, moved, edited, correlated?

    2. Do you think it is possible that people who are not, like you and I, privileged white male professionals, have more to lose from the exploitation of their personal information?

    Thanks…Stephen

    • Thanks for the insight comment.

      1. Of course I do! A phone book for the town of Podunk, XX sitting in a dumpster in said town has zero contribution to risk, while a database of all US residents with addresses and phone numbers does have some risk. IMHO, a small risk, but sure MUCH larger than a zero risk of a book.

      2. Generally, I refuse to involve topics related to race and gender in a technical discussion. I **100% absolutely positively unquestionably** fail to see what being white and male has anything to do with anything discussed above. Sorry!

  8. […] “Many CIOs and even some security leaders make decisions to proceed with product acquisitions without any regard to corresponding operational practices and personnel requirements. Once this fails, outsourcing becomes the straw they grasp — and then this also fails due to a severe mismatch between security outsourcing promise and reality” [A.C. – this is really depressing. But you know what beats depression hands down? Hilarity!] […]

  9. Fil says:

    What a pile of horse shit. But you got the attention, congrats..

  10. […] My GDPR-Inspired Rant: Privacy, WTF!!! (privacy / rant) […]



Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.