GDPR and me…

This is not the first blog I had, but after the whole GDPR thing, it simply didn’t seem worth the time: too much of a hassle to do all the stuff that seems to be required nowadays. This is why I deactivated the old blogs and didn’t think about it much for a while.

Don’t get me wrong, the basic idea of the GDPR is great: giving more control over your data back to you, forcing site owners to actually think about where they send their users’ data (instead of blindly stacking plugin upon plugin) and all that stuff. Also the fact that it unifies the rules instead of having different rules for each country: great. I really appreciate the idea behind the thing, but somehow, I feel the actual implementation is… lacking.

Let’s face it, what is the biggest change compared to what you saw before? Bingo, every blog now has to have 4+ pages of privacy policy where it describes in detail what data it collects, how it stores it, how it can be deleted, etc. – together with legalese descriptions about why it is allowed to store it, what the user can do, etc. In theory, this may sound like a great idea, but let’s face it, will the typical user really read all of that before commenting? Does it help that there are now thousands of different privacy policies out there, all slightly different but also somehow basically the same?

For me, my first attempt was to create a valid privacy policy for this blog. Basically, it would end up being a hardly comprehensible version of…

  • Yes, if you commented, your username, email and written text would be stored here – what a surprise
  • Yes, if you commented, the system would store your IP address because if you put illegal stuff there, I might need it – who would have expected that?
  • Yes, if you commented, your data would be sent to some anti-spam system that will in some magical way decide if you are really a Nigerian prince or just a spammer – this must come as a shock… for everyone who has never seen spam before.
  • Yes, if you commented and I used some stupid (gr-)avatar system, your username and email would also be sent there to see if you already got an avatar with them – no, really?
  • Yes, like many others, I used google fonts here (because I have no clue about design and use a free template), which will be loaded from Google – another horrifying revelation!
  • etc. etc. etc.

This is all not rocket science and for anyone with more than 5 minutes of internet experience it should be totally expected and not worth mentioning at all. Putting it into a much more formal version with legalese mixed in (“I may do this because of §123 of whatever and if you do not like it, see §234 of another whatever”…) does not make this any more clear or helpful, it’s ridiculous.

Let’s face it: I actually do not need anyone’s data. I do not care about how many people visit here. I do not do “market research”. Ok, it would be nice to allow comments here, but if I have to pay this with a 4-page document just to prevent getting into legal trouble for allowing people to voluntarily comment here… No, thank you (at least currently).

This is why I decided to go the other way… I stripped out everything that sends data to third-party websites, stores personal data (including log files and IP addresses) or produces cookies. This implies that there are no comments here on this page and the only way to contact me is e-mail. But at least, your personal data is safe.

Ironically, this led to a surprising amount of work… I started by disabling all the comments, that’s easy. Next I needed to hide the login page (because it produces a cookie – it also improves security slightly) by changing the default URL and by removing the link from the “meta” widget. But then, there are also Google fonts and only Buerocratos (the god of people who care about this stuff) knows if I’m allowed to do that, so back to the drawing board and replace all links to Google with local ones. Oh, I also found out that emojis are produced by some third-party site (instead of simply using Unicode ones), so I had to remove that, as well. In the end, we are talking about four different plugins here just to make it not collect or send any user data somewhere.
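The hard part of the clean-up described above is not removing a plugin, it is noticing what the rendered page still pulls from other hosts. The following script is an added example, not code from the original post or from any WordPress plugin: it parses a page’s HTML, collects every URL the browser would fetch automatically (stylesheets, scripts, images, frames, `<link>` hints such as `dns-prefetch`) and lists the ones served from a host other than the site’s own. The two HTML snippets and the site host `blog.example` are constructed for the demonstration; the avatar hash is a placeholder. The hosts `fonts.googleapis.com`, `secure.gravatar.com` and `s.w.org` are the real ones behind the Google fonts, Gravatar and emoji loads the post mentions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute the browser fetches on its own while rendering.
# <a href> is deliberately left out: it only contacts the other host if the
# visitor clicks it, so it is a link, not a data leak at page load.
AUTO_LOADED = {
    "link": "href",    # stylesheets, fonts, preconnect / dns-prefetch hints
    "script": "src",
    "img": "src",
    "iframe": "src",
    "source": "src",
    "video": "src",
    "audio": "src",
}


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every resource the page loads automatically."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = AUTO_LOADED.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if url:
            self.urls.append((tag, url))


def third_party_resources(html, site_host):
    """Return sorted (host, tag, url) triples for resources not served by site_host.

    Relative URLs have no host and are therefore the site's own; protocol-relative
    URLs such as //s.w.org are resolved to their host by urlparse.
    """
    parser = ResourceCollector()
    parser.feed(html)
    findings = set()
    for tag, url in parser.urls:
        host = urlparse(url).netloc.lower()
        if host and host != site_host.lower():
            findings.add((host, tag, url))
    return sorted(findings)


# Constructed sample of a blog page before the clean-up (not a real page).
BEFORE_HTML = """<html><head>
<link rel="dns-prefetch" href="//s.w.org">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans">
<link rel="stylesheet" href="https://blog.example/wp-content/themes/free-template/style.css">
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body>
<img src="https://secure.gravatar.com/avatar/PLACEHOLDERHASH?s=96" alt="">
<img src="/wp-content/uploads/photo.jpg" alt="">
<a href="https://example.org/">an ordinary outbound link</a>
</body></html>"""

# Constructed sample of the same page after fonts were made local and the
# emoji hint and avatar were removed.
AFTER_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/fonts/open-sans.css">
<link rel="stylesheet" href="https://blog.example/wp-content/themes/free-template/style.css">
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body>
<img src="/wp-content/uploads/photo.jpg" alt="">
<a href="https://example.org/">an ordinary outbound link</a>
</body></html>"""


if __name__ == "__main__":
    for label, html in (("before", BEFORE_HTML), ("after", AFTER_HTML)):
        hits = third_party_resources(html, "blog.example")
        print(f"{label}: {len(hits)} third-party resource(s)")
        for host, tag, url in hits:
            print(f"  <{tag}> -> {host}: {url}")
```

Run it against the HTML a browser actually receives (the output of your site, not the theme source), because plugins inject their tags at render time; a result of zero hits for the rendered page is the condition the post is aiming for. The check looks only at the HTML, so resources pulled in from inside a stylesheet (an `@import` or `url()` pointing at another host) would need a second pass over the CSS files.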

Aaaaaaaand done. Hopefully. Who knows? Whoever wrote this GDPR thing should be forced to actually read every privacy policy that resulted from it. But on the other hand, I learned a bit more about the software and where data actually gets sent to, so, not a total waste of time.