[HN Gopher] CNIL makes Google Analytics almost illegal in France
___________________________________________________________________
CNIL makes Google Analytics almost illegal in France
Author : nephanth
Score : 93 points
Date : 2022-07-27 18:16 UTC (4 hours ago)
(HTM) web link (www.cnil.fr)
(TXT) w3m dump (www.cnil.fr)
| bumper_crop wrote:
| This is great news! For far too long, Website owners have been
| collecting data on their users at no benefit to the users
| themselves. When website owners try to collect data on their
| users (for any and all reasons) it just violates the privacy of
| those people and needs to be put to an end. Those French website
| runners should really create their own, CNIL and GDPR compliant
| anonymized data storing, rather than using off the shelf, low
| cost alternatives. After all, things have been a bit too easy for
| them. (Running a website is pretty easy, I would know!). In fact,
| The fact that other, compliant-data aggregators, offer fewer
| features and lower reliability is actually a good thing. Trying
| to improve your website or even pester me with whatever you made
| is just irritating spam; I can't believe those independent owners
| would even dare. They should just be flushed out of existence.
|
| HEY! Why is everything being centralized to just a few services?
| Why is the web dying?!
| MR4D wrote:
| Actual title is "Q&A on the CNIL's formal notices concerning the
| use of Google Analytics".
|
| This editorializing by the OP is a bit too far.
| gigel82 wrote:
| Server side GTM (and similar devious tactics) should be what gets
| legislated (since that's the thing that adblockers can't protect
| us against).
| tremon wrote:
| The GDPR legislation is about means and goals, not specific
| implementations. What makes you think GTM isn't similarly
| illegal already?
| gigel82 wrote:
| That's great, and we need more legislation (on this side of
| the pond as well).
| closewith wrote:
| Adblockers can still (and do) protect against server-side GTM,
| as the requests are not obfuscated in any way. That may change
| in the future, but it's not the case now.
|
| Besides, the CNIL ruling already applies to server-side GTM
| implementations.
| pieterhg wrote:
| How?
| gigel82 wrote:
| Once server-side analytics get implemented widely, we've
| lost. We'll keep chasing each other with tricks like renaming
| the api endpoints, randomizing the javascript hash, etc. for
| a while but if we end up having to run an ML model in the
| browser to attempt to detect when our data is being stolen
| we've lost a long time before.
|
| Might be better to shame any website caught using it with
| some crowd-sourced list of some kind - then at least we'd
| know who the bad actors are and force their content through
| an isolated container / proxy / VPN, or simply stop using
| them altogether.
| closewith wrote:
| If that's the case, then the war is already lost.
|
| But happily, in the EU - the market I operate in - server-
| side analytics is seen as an avenue towards compliance.
|
| Obviously server-side GTM will be abused in the absence of
| regulation, but that was also true of the existing
| technologies. Strong and consistent enforcement can and is
| bringing companies into compliance.
| gorhill wrote:
| > as the requests are not obfuscated in any way
|
| How do you know for sure that the requests are "not
| obfuscated in any way"?
| closewith wrote:
| Right now, because the requests are identical to the same
| requests sent to Google Analytics but with a different
| hostname. It's trivial to identify and block them, and
| current ad blockers already do.
| gorhill wrote:
| > same requests sent to Google Analytics but with a
| different hostname
|
| There are instructions out there to also modify the path
| of the requests[1]. Consider this paragraph in the
| Summary section:
|
| > Cynics could say that this is an improved way to
| circumvent ad blockers. And they'd be right! This does
| make it easier to circumvent ad blockers, as their
| heuristics target not just the googletagmanager.com
| domain but also the gtm.js file and the GTM-... container
| ID.
|
| * * *
|
| [1] https://www.simoahava.com/analytics/custom-gtm-
| loader-server...
| closewith wrote:
| You can do that, and you can also proxy encoded requests
| which obfuscates all data, but you could also do that
| with the previous version of Google Analytics via the
| Measurement API.
|
| In practice - in the EU, at least - I haven't seen any
| examples of this, and it would be unlawful without
| consent anyway, thanks to the GDPR.
|
| It's also still fairly easy to classify requests (if you
| have access to the unencrypted request in the browser)
| based on heuristics. That's partly what the company I
| work for does.
|
| Separately, thank you for your contribution to the
| Internet - it's as big and important as all the
| behemoths, but unfortunately will never be rewarded in
| the same way.
| jeppester wrote:
| It's been known for years - and hardly takes a lawyer to
| understand - that sending user data to US-owned companies is
| illegal according to GDPR. The US laws are simply incompatible.
|
| Yet everyone (including government entities) have been dragging
| their feet on and on hoping for some divine intervention to help
| them continue using Google, Amazon and Microsoft. And those
| companies have kept the hopes high by incorrectly claiming to be
| GDPR compliant.
|
| It's been embarrassing to witnes how little willingness there's
| been shown towards protecting user data. Especially compared to
| the amount of whining over how difficult it is to comply.
|
| Hopefully these - very predictable - rulings will finally start
| to get the ball rolling.
| mminer237 wrote:
| I think it's because over 40% of EU business use the cloud[1]
| and 70% of those use AWS, Azure, or GCS.[2] Enforcing the law
| consistently would devastate tons of EU businesses as you would
| suddenly eliminate all of their tech infrastructure overnight
| with no real alternatives.
|
| [1]: https://ec.europa.eu/eurostat/statistics-
| explained/index.php...
|
| [2]: https://www.fiercetelecom.com/platforms/european-cloud-
| provi...
| jeppester wrote:
| The businesses have had more than enough time to comply with
| the law.
|
| Now is the time to start enforcing the law enough to make
| them actually care.
| macinjosh wrote:
| Clearly, even the EU doesn't care enough to enforce the law
| or they would have already. They've literally had years.
|
| What does it say about the credibility of the EU that it
| passes laws it doesn't even enforce?
| oliwarner wrote:
| It _was legal_ under the "Privacy Shield" until Schrems II,
| and is still legal under Standard Contractual Clauses with
| extra caveats for the US.
| shakamone wrote:
| This answer is accurate but no one seems to realise it. Under
| standard contracts users waive their rights including privacy
| rights under GDPR. Their are no user agreements anymore, only
| contracts.
| rlpb wrote:
| "makes Google Analytics almost illegal" is an editorialized
| (biased) title and that's not what the linked article says. Just
| because use of a product is determined to contravene a country's
| law doesn't mean that the product itself is made illegal; it can
| be adapted to be compliant instead.
| kergonath wrote:
| The title is not great, but the Q&A is very explicit:
|
| > All data controllers using Google Analytics in a similar way
| to these organisations should now consider this use as unlawful
| under the GDPR.
| rlpb wrote:
| > > _in a similar way to these organisations_
|
| If you use axe in a similar way to an axe murderer then that
| would make your use illegal. It wouldn't make axes "almost
| illegal".
| naniwaduni wrote:
| There are any number of things you can have that are not
| technically illegal to acquire or possess _per se_ , but
| would almost certainly be illegal to use in any expected
| capacity. I think it's reasonable to describe those as
| "almost illegal". Google Analytics is, apparently, in that
| category.
| kmeisthax wrote:
| The product cannot be adapted as the concern is specifically
| that Google can be legally compelled to violate GDPR. Schrems
| II is _very explicit_ that EU companies cannot send data to the
| US for as long as the US CLOUD Act is on the books.
|
| "Banning Google Analytics" actually downplays it. Even Google
| _Fonts_ is actually illegal now; and it will continue to be
| illegal until the US does the smart thing and copypastes GDPR
| into local law.
| cyral wrote:
| So really every website, even HN, that doesn't shard all EU
| data away in a separate EU datacenter (if they aren't already
| based in the EU) is illegal?
| jacquesm wrote:
| No.
| mminer237 wrote:
| Correct. Also note that IP address are counted as PII, so
| even sending an IP address (as required by any TCP/IP
| request) to a US-located or US-controlled server is illegal
| without getting consent beforehand.
| tomkarho wrote:
| I'm not sure that's how it works. Couple of things
| (IANAL):
|
| 1. I don't think ip address alone constitutes PII but
| needs to be combined with other data to be applicable
|
| 2. Even if it were, I would imagine it falls under
| article 6 provisions where ip is required information to
| fulfill a contract which in case of HN as an example
| means delivering the web page to the browser
| ricardobeat wrote:
| Only if they are storing personal data (including IP
| addresses).
| kmeisthax wrote:
| No. This part of the rules only applies to EU businesses.
| If an EU citizen deals with a US business, the US business
| still has to follow GDPR, but not the export rules. EU
| businesses do have to follow said rules.
| robertlagrant wrote:
| I don't see there's a difference. Say they lowered the speed
| limit, making driving at current top speed illegal. You could
| say that speed's not illegal, it just needs modifying, but that
| would seem a strange point to make.
| bryanrasmussen wrote:
| I think that's a strange way of arguing actually, you would
| say the speed is illegal and the car and driver behavior just
| needs modifying. Google analytics would by analogy be closer
| to a car that can go a certain speed.
|
| But the question is if the law says that any car that can go
| that speed is no longer street legal, then it is a problem
| because it is probably difficult to modify the car. Just as
| there are structural issues about Google Analytics where GDPR
| is concerned that makes altering it really difficult if not
| impossible, and if you can't fix GA to make it legal it is de
| facto illegal.
| BlueTemplar wrote:
| I guess the parallel works even better with *minimum*
| rather than maximum speed limits ?
| kmitz wrote:
| Speaking of adapting the product, the article explicitely
| states : "Is it possible to set the Google Analytics tool so
| that personal data is not transferred outside the European
| Union?"
|
| "No."
|
| So right now it is practically impossible to use Google
| Analytics in a legal way in France.
| jeppester wrote:
| It's a very common misunderstanding (which is happily spread
| by US cloud providers) that it matters _where_ the data is
| stored.
|
| What matters is that the data is stored by - and accessible
| to - a company which submits to the US laws.
| retcon wrote:
| Equally it's a sorry indictment of our economic times that
| the meaning of unlawful has been hammered into a
| understanding that non prohibition is permission. This
| aggressive and putative new use is refuted by every
| founding principle of the common law in Anglo Saxon
| countries and most of the western world. See the argument
| of letter vs. spirit for a effect.
|
| Ed. cleared up phrasing around new use, replaced meaning
| with use for .. meaning.
| 8ytecoder wrote:
| I don't think it has been tested in court. It's akin to a
| U.S. Court issuing a search warrant on a house in Paris.
| eftychis wrote:
| My applause to CNIL on the action.
|
| I don't understand the "almost." The title is editorialized -- as
| commented elsewhere. There is no almost. It is illegal the way
| they act and store data. That nobody is going to come and place
| you on handcuffs doesn't make something legal...
|
| Mainly though this is old news -- https://iapp.org/news/a/cnil-
| is-latest-authority-to-rule-goo... -- CNIL and the Austrian one
| did so in the beginning of the year.
|
| I would add a February 2022 tag on the post.
|
| I hope the whole EU agency pool does the same and start applying
| fines and every tooth they can.
| agluszak wrote:
| I hope more and more such laws will be passed in the EU. We need
| stronger privacy protection against big tech corporations.
| WaitWaitWha wrote:
| >We need stronger privacy protection against big tech
| corporations.
|
| ... We need stronger privacy protection;
|
| ... be it corporations, governments, or individuals.
| joe-collins wrote:
| We need stronger protections at all levels of social
| organization. Every group has incentives to exploit each
| other. The ever-evolving trick is to arrange the balance of
| power to minimize each faction's capacity for overreach.
___________________________________________________________________
(page generated 2022-07-27 23:00 UTC)