So, good news, everybody. We have a new data protection regulation which was formally approved last week by the European Parliament, and it's going to enter into effect in two years. Now, the fines in the new data protection regulation were raised by quite a bit, so it's about five percent of the annual turnover. That is the maximum risk for any company or enterprise that doesn't fulfill the requirements of the regulation. So this has caused quite a lot of activity around data protection now, with a lot of law firms getting involved, big firms, small firms. Everyone is very interested. And we hope that we will be able to convince you today that it doesn't need to be as difficult as it might appear a lot of the time.

So you may ask yourself, what is the purpose of having a data protection law? Except I'm in Germany, so in Germany the Datenschutz tradition is quite a bit stronger than in many other parts of Europe. So perhaps you already know that it's an imperative part of human rights, and of how you relate to the government, and we all protect our own identities and our right to self-determination in this way. We make a distinction between data protection and data security, where data protection is something that very, very specifically protects individuals and their right to determine what happens with data and their personality, and who influences them under what circumstances. This can be contrasted with data security, which is when things go through as foreseen. The data protection legislation in Europe is about data protection. It's not necessarily about data security. I tried to exemplify this with the German BND, which I'm assuming is quite secure in its operations, but I think a lot of us will agree that they may not always consider the data protection and self-determination properties of their activities as they undertake them. So the data protection regulation, which is now approved, is based on five relatively simple principles, or more principles. It depends.
We haven't consolidated around a fixed set yet, but for me, this is what really is the core of the regulation. So you have the right to know what happens with your data. You have the right to consent to what happens to your data. The regulation is meant to be user-centric, meaning that you put the individual at the center of the development process of your technical system and your data management, and you always ensure that the individual has it in their power to decide what happens to them, their friends, family, and how they're influenced by their surroundings. There's also the principle of data minimization, which I think is important enough to raise on its own, because it's the clearest intersection of data security and data protection in the regulation. You can't leak information, you can't misuse information that you don't have. Every principle that you apply should normally be taking data minimization principles into account. There are some effective sanctions, which I already mentioned; they're quite severe. One can keep them in mind if one wants to know why one should take care to respect these four prior principles, but I think the major benefit of having effective sanctions is essentially that we're going to see a bigger push for legal clarity than we've had in the past around data protection laws.

So our work started last year. We work with websites, predominantly in the public sector, and we've looked at various ways in which you can cheaply and quickly, and without having a lot of meetings, make websites that conform with the data protection principles. In order to do this we have mapped how municipalities in Sweden organize their web information towards citizens. We had quite good results, in that at least two municipalities out of 290 in Sweden seemed to comply with data protection principles last year in July.
Now, when I looked back at one of those municipalities this year, it turns out they're now using Google Analytics, so they must fall off the list of approved principles, but one out of 290 isn't bad. The reason that we focused on the public sector was that we were looking for an organization that doesn't have a commercial interest in tracking users. We concluded that in the public sector there are no real advantages to tracking or mapping consumer behaviors. Municipalities don't need to sell anything, because anyone who lives in a particular city already lives there. They need information on healthcare or kindergartens and this type of thing. Our experience of interacting with municipalities has, however, been somewhat different. It turns out that even when something is cheap and simple and quick, it takes a lot of meetings and a lot of bureaucracy and administration to get stuff done. One municipality that specifically got in touch with us to help them stop tracking the citizens that visited their website took six months to change from Google Analytics to some other analytics tool which is more privacy preserving. It's quickly turning into a challenge which is larger than we thought. On the other hand, we receive a lot of positive comments as well, from libraries and other municipalities that are now also opening their eyes to this.

I thought that I would make specific mention of some of the problems that we've encountered when we've been speaking at developer conferences in the past. These are principled problems that developers face in their daily activities, but where you have simple ideological questions that need, I think, an answer in the context of these five principles of the data protection law. The first one is that I've had the experience that web developers invent obligations on end users. Municipal organizations do the same thing.
For instance, you say, I need to track my users in order to optimize my website, because if I can't track them without informing them about it, how do I know what to improve? The problem with this type of reasoning is that end users that visit the website don't normally have an obligation to help. If you phrase the question differently, rather than thinking how can I make people help me improve myself, you should ask, do they have an obligation to assist me? And as long as your answer to this question is no, then probably you shouldn't be doing tracking without informing them. The other thing is curiosity. So a problem frequently faced by web developers when they interact with companies, or even with the public sector as we've experienced, is that there are demands from up top. The bosses want to know how many people visit particular parts of the website, which type of information is important to visitors, which information isn't important. But there's this expression that curiosity killed the cat, and sometimes you may want to actually object to curiosity, because just as end users do not have an obligation to assist anyone in improving themselves, they also don't have an obligation to silence or still somebody's curiosity. This is a place where I think one can be more straightforward with people who request tracking of end users, but it's also, of course, something that people who buy web development services need to take into account: when they make demands, there's always an end user somewhere at the bottom. A third problem, which I guess a lot of people are familiar with, is just doing things the way that they've always been done. A lot of the time tracking tools are just put in by habit. Whenever there's a new tracking tool you add it to the old one, rather than evaluating whether there's any need for tracking at all, and rather than changing processes in your organization you continue to do stuff the way that it's been done since the old days.
In the public sector, I can assure you, this seems to be an extremely big problem, but it's also something that I've heard from developers who work in professional environments, and I think now that we have a new law and we have all of these discussions on surveillance in the world, this is a good time to sit down and think, can we do something differently? And probably you'll find that the answer is yes.

So I thought that I would also give a small update on the legislative status. First of all, we have a new Privacy Shield agreement about data transfers to the US, maybe not so interesting for most web developers, and it's looking likely that it's not legal in either case, so we'll see what the European Commission does about that. The General Data Protection Regulation will enter into effect in two years; it's the main piece of legislation from now on concerning websites. There's also a law enforcement data protection directive, which will not, I think, in any way influence any web developers. The ePrivacy Directive is up for review right now, so if you're very concerned about European legislative processes, they have a consultation about how the privacy and electronic communications directive affects industry or citizens. Part of that directive is the cookie legislation, which some of you may have come into contact with or been confused by, and so if you have had any particular troubles with knowing how to implement it, or you haven't received any notifications from your local data protection authority on how to do it in the right legal way, this is really the time to tell the European Commission about it, because then that could be fixed, or not, as it were. The right to be forgotten is here mostly because it seems complete to add it.
One of the problems that European data protection law is likely to face in the upcoming years is that there's been very strong case law development at the European Court of Justice, and that means basically that the legislators haven't resolved conflicts in the data protection regulation, and the court steps in and says that, according to the Charter, or according to the Convention on Human Rights that all of the European Union member states have signed, we need to specify these requirements in a seemingly different way than the legislator had envisaged. The General Data Protection Regulation is likely to be a victim of this because it has a lot of exceptions. I think there are more exceptions in the General Data Protection Regulation than there were articles in the previous directive from 1995, so we can quickly see how the court might become a very busy entity indeed with respect to this legislation, now that there's so much money at stake. Personally, I would have preferred if the legislator had expressed themselves more clearly in the legislation, and I think the court would have done so also, but because of the circumstances it's also difficult to say at this time what exactly the regulation will mean, because the court might change or specify the meaning of the legislation at a later time in a way which was not foreseen by anyone in the process. And I guess this is exactly what happened in the Privacy Shield and Safe Harbour discussions as well: all the legislators said, no, this is okay, we can continue to do it this way, and then the court said, actually you can't, and then suddenly everyone has a really big problem for at least eight months, or like now almost a year. If you have any questions on legislation we will defer them until after. Anders will talk more about the specific advice that we've been providing to individuals and organizations about how you make a privacy-protecting website. I will hand over to you.
Right, so in practice, two principles that you can follow are: encrypt as much as you can, and don't expose your visitors to third parties, at least not without consent. So things like HTTPS are not just for sensitive user data or your admin website or whatever; it could be that the fact that your visitors are on the page is itself sensitive. For example, this is the web page of the HIV clinic at Södersjukhuset, one of the biggest hospitals in Sweden, and they don't use encryption, which means that anyone between you and the website can see exactly what you're reading, and this person or entity could be in the workplace or a school, maybe your roommate, your spouse, your employer, anyone in between, I mean the nodes between you and the server can see everything. It's all in the clear, and it's not really rocket science, it's all a packet sniffer, so it's kind of scary. Now, if you do use HTTPS, this is what the attacker or listener would have seen. Everything is encrypted except the server name, which is sent as part of the TLS handshake, so someone can see that you've been to some page on sodersjukhuset.se, but not which page. That's a crucial difference. This person doesn't know if you're reading about HIV or the flu or looking at opening hours or whatever, and you can make the same page but use HTTPS by default. It makes a big difference. The fact that Södersjukhuset is sent in the clear is a problem, but hopefully this will be fixed in the next version of TLS, maybe; there are discussions ongoing about this. It's not just a matter of privacy. What's good for privacy is usually also good for security and vice versa. So Nicholas Weaver gave a great talk at USENIX Enigma in January. He talked about how to build mass surveillance systems, how cheaply you can build such systems, how easy it is to monitor people and inject traffic, and how the NSA loves ad networks and things like this. And he concluded that the traffic is not just an information leak. It's actually an attack vector.
Because it's so easy to modify. If you don't use encryption you have no idea whether you're getting what you think you're getting. I sometimes find a case, for instance, where someone does a man-in-the-middle attack on every site that a user visits. They inject some JS and CSS to get a toolbar in, and this might seem pretty harmless, but it just shows that this is so trivial to do. And it could just as well be anyone trying to steal credit card details, or rewriting links, or making a login form point to something else, or, you know, it could be some douchebag trying to inject malware, or it could be a state actor targeting a specific user, serving modified content to that specific IP only. Another example: GitHub suffered a massive, massive attack last year. What happened was that Baidu, the Google of China, has an analytics service, like Google Analytics, that websites use, and what happened, I think, was that one or two percent of the people visiting a site that used Baidu Analytics, visitors from outside China, would be served modified JS. So the Great Firewall intercepts and modifies the JS that Baidu sends, to include some code that would just constantly reload two specific pages on github.com over and over, and this is pretty hard to defend against. And the point of encryption is, you don't know who your users are, or where they are, or what countries or entities their traffic passes through, so for both security and privacy you should always encrypt everything. It used to be cumbersome to do this, because you had to pay to get certificates, but now Let's Encrypt has finally set the certificate scene free for all, and it's out of beta just last week, this week maybe. WordPress.com started using it for custom domains; it works brilliantly, and Let's Encrypt is so amazing. There's no excuse anymore. Also, if you use certificates you might want to consider turning on HSTS, HTTP Strict Transport Security.
It's basically just an HTTP header instructing the browser not to load any resources from your website unencrypted for a specified amount of time. If the browser encounters an HTTP link, or you try to make a plain HTTP request, it will just refuse. So it's great for protecting against man-in-the-middle attacks, for example. You have to be careful with it, though: at first you should use a short time for testing, before you turn it on for real.

Right, here's another example: Sahlgrenska, the biggest hospital in Sweden. They do use encryption, which is cool. But if we scroll down we'll see that they also have the apparently obligatory social media buttons. So this page about HIV on Sahlgrenska: you scroll down, and if you click on the Facebook button, your browser will happily tell Facebook that you were just reading about HIV, because of the Referer header. You might not want Facebook to know about that kind of business. But it's not really Facebook's fault in this case, because usually, by default, if you click a link, or if you load images or whatever from somewhere, the browser will send the Referer header as part of the request, which is the full URL of the page that generated the click or the request. This might have seemed like a good idea in the mid-90s when it was implemented, back when the web was a darker and colder, but more civilized, place. But now it's just a total privacy nightmare. But finally you can do something about this. It doesn't involve URL redirection tools. There's something called Referrer-Policy, which lets you specify, in one line, a policy that will apply to all the links clicked on your page, as well as all the requests for JS, CSS, images, whatever. And there are some different policies, like send nothing at all, or send only the base domain, or send the full URL as before. This "no-referrer" is what I'd prefer, because you kill the Referer totally. And it's actually supported by all modern browsers, even Edge.
So with this one single line you can make a small, measurable improvement in privacy. Right. There's lots of third-party stuff to talk about, like why you shouldn't use social media buttons and things like this, and why you should always self-host, but we don't have too much time, so I'll just go for the main topic: analytics. We found that 239 used Google Analytics, but it doesn't have to be this way. Probably the nicest alternative I know of is Piwik. It's very similar to Google Analytics, but it's free and open source and you self-host it. It has various privacy settings and, crucially, it respects Do Not Track, which might also be required legally in some countries. So, yeah, check this out. It's super easy and it's also pretty. It's just PHP and MySQL. Good stuff. Of course there's also the alternative of not tracking at all; of course, sometimes, for some websites, it's crucial to have statistics, but maybe you shouldn't always track just because you can. Also Piwik, unlike Google Analytics, can be used without cookies. You do lose some metrics, but it's still usable. I mentioned the HSTS header before, but the most important thing to think about today is Content Security Policy. That's also a header that your server sends and the browser interprets, and by default, if you set the policy at all, it will disable inline JavaScript and inline CSS, and you can basically specify a whitelist of approved content sources. So you can tell the browser only load JS from this domain or from the self domain, or only load images from this and this domain, or only CSS from here or there, or domains A and B and C. It's very powerful for battling cross-site scripting and code injection, and for making sure you don't accidentally leak data to third parties. So check this out. Also, I can recommend securityheaders.io, which is a website.
You can easily check your domain and it will tell you what headers you have and what headers you might want to have, and explain how to set them and how they work for you. Right now we're also building a tool to check many of the things I've talked about. You enter your URL, press the button, and it will do some magic and check things like requests and cookies and certificates and Referer and things, and tell you how and why you should do things. We've gotten funding from a non-profit to be able to do this, and it should be publicly available next month. Yes. So to summarize: always encrypt, don't leak stuff, kill your Referer, self-host, and everything can be solved. Embrace Content Security Policy. It's a very powerful thing that you can do, and it's supported by all native browsers, and it's good for privacy.

So this concludes our presentation. If anything that you found here was interesting, you can always refer back to our tool, which we hope, as Anders said, to have available later. Don't forget to contact your local municipalities and ask them to implement this good advice. At least for the public sector, I believe there should be no commercial conflicts; these are really sound and simple pieces of advice that can be implemented, technically at least, in a very short amount of time and at no additional expense to the organization. We hope that you've enjoyed this talk. If you have any questions you're welcome to address them now, or you can also talk with us at a later time during the conference. We'll be around. Thank you.

It's just chocolate. I hope you enjoyed it. Never let us take it away. And thanks again.

The situation right now in Germany: we have to implement it? As far as I can understand it's not legally required yet to implement, like, the tiny...

The cookie policy is a problem for all of Europe, because all of the member states have basically interpreted this article differently.
There were about nine member states that, in the month after the adoption of the directive, said that actually we don't believe that this directive says what it quite clearly says, and therefore we cannot enforce it. And so now the European Commission is doing a review of the directive, and I'm assuming this is going to take a lot of their time, because there's been such inconsistent enforcement. For Germany, the only advice that I can give is go to your local data protection authority and hassle them for specific advice. We know, for instance, that the small boxes that are recommended in some countries are usually distracting to people who have reading difficulties or otherwise can't access content on a website. And so the small box clearly is not the preferable solution. In the UK they had this other policy where if you visit the website you implicitly consent to having cookies placed on your computer, but this is a very strange interpretation of the law, because if you implicitly consent to cookies by visiting a website, what else can you implicitly consent to by surfing the web? I mean, from a contract law perspective, that type of interpretation is legally problematic, you would say. And part of the blame, I think, goes also to the European Commission for not engaging positively and constructively with standardization processes. So at the World Wide Web Consortium, for a long time they were discussing this Do Not Track policy that some of you may have heard of, but because there was such a large dominance of American industry actors, and very little representation of the European oversight or data protection authorities, or telecoms authorities, which are also, in some places, responsible for this law, the Do Not Track procedure didn't have the opportunity to lead to good standardization for the European law, which of course creates a major hazard for everyone making websites.
But if you're uncertain about this, or you find that your data protection authority won't help you, then please take the time to go to the European Commission's Your Voice in Europe website and ensure that you communicate as much as possible on these parts we previously directed to the European Commission. The consultation is very nicely made. There's a question 33 at the very end where you can write whatever you want. So if you don't want to look through the entire consultation and figure out specifically which question you should answer, go to question 33 and write whatever you want there. And then that's the Commission's problem to interpret. You're also allowed to answer in German. The Commission is obliged to receive answers in all of the member state languages. So it's also good for your friends.

Maybe a different question, or two different. You hear first. Maybe it's important. The consultation is a huge policy because I first time I know the other department. So if you are like, you can list the URLs of the external scripts, or just, let's say you have a website that you know is not that... really easy to see the resources also comes in the end. You can just list that again.

So you can specify. This is just to prevent the injection. Yeah, cross-site script injection. Yes.

Can you tell us more about the Privacy Shield issue?

What?

The Privacy Shield issue.

There isn't much to say about the Privacy Shield issue. The European Commission negotiated a new decision on data transfer adequacy with the Americans. And then there were some industry players and big law firms that said, oh, this new decision looks very great. And then the Article 29 Working Party said, well, it's an improvement, but it's not so much of an improvement, actually. And so now the question is whether the European Commission has to listen to the Article 29 Working Party. So even if the data protection authorities in Europe have said, we believe you negotiated a bad text, which is essentially what they're saying...
The text isn't good enough, they're saying. But the European Commission can go ahead and approve the decision anyway. And then it will be up to some industrious citizen, maybe Max Schrems from Austria, to take the decision to the European Court of Justice again. And then the European Court of Justice will have to say whether the data protection authorities were right or the European Commission was right. So we're now in a continued state of legal uncertainty. And this is also because the court also created a problem for the Commission. The Commission had already known for 10 years that the Safe Harbour agreements weren't up to the standards of European data protection law. But in 2004 when they found this out, they didn't do anything. In 2008 when they found this out, they didn't do anything. When the European Parliament in 2012 said, we're going to do something about this, the European Commission said that no, the Safe Harbour agreement isn't illegal, it's just unsafe, so we will keep it as it is. And then the European Court of Justice finally says that all of these suspicions that have been around for a decade, that this decision isn't valid, are true, and everyone acts as if it's a big surprise. And so the Commission, by its own political... I don't want to say incompetence, but you'll have to infer from that, ensured that there's continued legal uncertainty, which is a problem for everyone. And I think it's a problem also on both sides of the Atlantic, right? It's essentially turned now into an international negotiation, so it boils down to who has the best negotiators, who has the most loyal negotiators. And the member states aren't helping the Commission either, to be fair. It's fairly common in the European Union that the member states that have insight into negotiations will go around the back of the Commission and tell, you know, a third negotiating party that, if you, you know, we're going to do this.
So if you do this for me, I will give you more information on how to sidetrack the Commission in its negotiation efforts. And this type of political, top-level political non-acceptance of the European Court of Justice's supremacy over what data protection in Europe is, isn't going to cost them anything for a long, long time, right? And I think the European Court of Justice is also interesting, because they're acting as if they are a supreme court, which I think the member states hadn't envisaged when they signed the Charter of Fundamental Rights.

Was that, you know, sufficient? I would like to know your personal perspective on, well, the fact that you see huge corporations collecting huge dollars from consumers, but giving them basically free gadgets, free platforms, free shit, whatever. And your personal perspective is: any sort of legislation, or law enforcement, and law enforcement basically because any legislation is useless without law enforcement; is any legislation ever going to keep up with the speed of innovation in that technical sector of collecting data?

Well, I mean, what I hope that we have illustrated here today is that legislation can also be a tool for innovation. We identified all of these technical measures that have been developed over time in order to make better data protection. We used to not have easy access to TLS, now we have easy access to TLS. We used to not have a way to kill the Referer, now we have a way to kill the Referer. Data protection can, in its own right, be a means of innovation. But of course, as long as it's cheaper and simpler not to protect data, and as long as it's easier and simpler to exploit the technical inability of the user to guard against privacy invasions, then that is probably what's going to happen. So a very important part of the new European data protection framework are exactly these sanctions, right, that they raised the sanctions by quite a bit.
So now, companies that do not innovate in line with data protection run the risk of it costing them a lot of money. But that only works if there is data protection enforcement, and we can go back to the cookie discussion for that, actually: data protection authorities in the EU are often underfunded, they don't have technical competence, and far too many organizations deal with data for them to be able to keep up and administer guidance. In Belgium, what happened with the Facebook case that was recently tried, on Facebook's use of cookies to monitor non-members of Facebook in order to enhance their security, they said, was that Facebook was technically complying with the recommendations set forth by the data protection authority, but the court decided that Facebook was not in compliance with Belgian law, because Facebook cannot claim to have had consent from people who aren't members of Facebook to be tracked. And so in this case, Facebook was following the advice of the data protection authority, and they were convicted in the court of doing something wrong, and that means the data protection authority provided unsound advice, which is a big problem for a company. If there's a lot of money at stake for that company, you have to be able to rely on the data protection authorities. So one of my expectations for the future is also that we're going to see a lot more demands for data protection authorities to be adequately funded, similar to how telecommunications authorities are. I forget what the body's called, but they're the people that do specialized competition rules for telecommunications markets. And they are quite well funded. They often have a large staff with lots of legal experts and technical experts, to be able to provide good advice and instructions, and that's going to be necessary for data protection as well.

Can I just add this?
There's a great website called report-uri.io, where you get nice Content Security Policy reporting, and also they have a nice tool with which you can build these policies. So, an extremely useful website: report-uri.io. So I'm done. With the rest of the seconds, we'll wrap up. Thank you all for your kind attention and your interest and questions.
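The three response headers recommended in the talk (HSTS, Referrer-Policy, Content Security Policy), together with the kind of check the speakers describe their planned tool and securityheaders.io doing, as an added example that is not part of the talk, the speakers' tool, or any site mentioned above. The header names and values are the real ones; the one-year HSTS threshold, the "self-only" policy, the report-uri endpoint and the sample header set are this example's own assumptions, not measurements of any real server.

```python
"""Added example (not from the talk): build the privacy headers discussed in
the talk and audit a response for them.  Header names/values are real; the
thresholds and the sample responses are this example's own assumptions."""
from __future__ import annotations

from urllib.parse import urlsplit

ONE_YEAR = 31536000  # HSTS max-age in seconds; assumed minimum for production

# Constructed sample: what a page with Google Analytics, Facebook buttons and a
# leftover HSTS test value might send (assumed, not captured from any server).
SAMPLE_TRACKING_SITE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=60",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' 'unsafe-inline' https://www.google-analytics.com; "
        "img-src 'self' https://www.google-analytics.com https://www.facebook.com"
    ),
}


def privacy_headers(csp_report_uri: str | None = None) -> dict[str, str]:
    """Headers for a site that self-hosts everything and tracks nobody.

    HSTS for a year makes the browser refuse plain HTTP to this host for that
    long, so test with a short max-age first, as the talk advises.  no-referrer
    means clicked links and loaded assets never learn the page URL.  The CSP
    allows only the site's own origin and no inline script or style.
    csp_report_uri is an assumed, optional reporting endpoint (report-uri.io style).
    """
    csp = "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    if csp_report_uri:
        csp += f"; report-uri {csp_report_uri}"
    return {
        "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
        "Referrer-Policy": "no-referrer",
        "Content-Security-Policy": csp,
    }


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source, ...]}."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def third_party_origins(csp: str) -> set[str]:
    """Hosts the policy lets the browser contact besides the page's own origin."""
    hosts: set[str] = set()
    for sources in parse_csp(csp).values():
        for src in sources:
            # skip keywords ('self', 'none', 'unsafe-inline') and scheme-only
            # sources (data:, https:); anything else names a host
            if src.startswith("'") or src.endswith(":"):
                continue
            host = urlsplit(src if "://" in src else "//" + src).hostname
            if host:
                hosts.add(host)
    return hosts


def hsts_max_age(value: str) -> int:
    """max-age from an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0


def audit(headers: dict[str, str]) -> list[str]:
    """One finding per problem; an empty list means the response passes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: plain-HTTP requests are not refused")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append(f"HSTS max-age {hsts_max_age(hsts)} looks like a test value")

    # policies that never send the full page URL to another origin
    if h.get("referrer-policy", "").lower() not in ("no-referrer", "same-origin", "strict-origin"):
        findings.append("Referrer-Policy missing or leaks the page URL to third parties")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: inline and third-party script allowed")
    else:
        for directive, sources in parse_csp(csp).items():
            if "'unsafe-inline'" in sources:
                findings.append(f"CSP {directive} allows 'unsafe-inline'")
        for host in sorted(third_party_origins(csp)):
            findings.append(f"CSP allows third party {host}")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("tracking site", SAMPLE_TRACKING_SITE),
                       ("hardened", privacy_headers("https://example.invalid/csp"))):
        print(name, audit(hdrs) or ["ok"])
```

Run it and the constructed tracking-site headers produce five findings (the 60-second HSTS test value, no Referrer-Policy, 'unsafe-inline' in script-src, and the two analytics and social-media hosts the CSP whitelists), while the hardened set passes clean. The CSP parser is deliberately minimal: it is enough to list which third parties a policy admits, which is the privacy question the talk raises, and does not validate the policy grammar beyond that.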