Over the past few days, the much-vaunted[1] GDPR has come into force. In case you missed this[2], GDPR is a set of rules around managing user data that all organisations with data about European citizens must follow for those citizens. Which basically means that it’s cheaper to apply the same rules across all of your users.
Here’s my favourite GDPR joke[3].
Me: Do you know a good GDPR consultant?
Colleague: Yes.
Me: Can you give me their email address.
Colleague: No.
The fact that this is the best of the jokes out there (there’s another one around Santa checking lists which isn’t that bad either) tells you something about how fascinating the whole subject is.
So I thought that I’d talk about something different today. I’m sure that over the past few weeks, because of the new GDPR regulations, you’ve received a flurry[4] of emails that fall into one of two categories:
- please click here to let us know what uses we can make of your data (the proactive approach);
- we’ve changed our data usage and privacy policy: please check here to review it (the reactive approach).
I’ve come across[5] suggestions that the proactive approach is overkill, and generally not required, but I can see what people are doing it: it’s easier to prove that you’re doing the right thing. The reactive approach means that it’s quicker just to delete the email, which is at least a kind of win.
What I’ve found interesting, however, is the number of times that I’ve got an email of type 1 from a company, and I’ve thought: “You have my data? Really?” It turns out that more companies have information about me than I’d thought[6], and this has allowed me to click through and actually tell them that I want them to delete my data completely, and unsubscribe me from their email lists. This then led me to thinking, “you know what, although I bought something from this company five years ago, or had an interest in something they were selling, at least, I now have no interest in them at all, or in receiving marketing emails from them,” and then performing the same function: telling them to delete and unsubscribe me.
But it didn’t stop there. I’ve decided to have a clean out. Now, when an email comes in from a company, I take a moment to decide whether:
- I care about them or their product; OR
- I’m happy for them to have my information in the first place.
If the answer to either of these questions is “no”, then I scroll down. There, at the bottom of each mail, should be a link which says something like “subscription details” or “unsubscribe me”. This has, I believe, been a legal requirement in many jurisdictions for quite a few years. The whole process is quite liberating: I click on the link, and I’m either magically unsubscribed, or sometimes I have to scroll down the page a little to choose the relevant option, and “Bang!”, I’m done. No more (semi-)unsolicited emails from that source.
I see this as a security issue: the fewer companies that have data about me, the fewer chances of misuse, and the lower the change of leakage. One warning, however: phishing. As I admitted in this blog last week, I got phished recently (I got phished this week: what did I do?), and as more people take to unsubscribing by default, I can see this link actually being used for nefarious purposes, so do be careful before you click on it that it actually goes to where you think it should. This can be difficult, because companies often use a third-party provider to manage their email services. Be careful, then, that you don’t get duped into entering account details: there should be no need to log into your account to be deleted from a service. If you want to change your mailing preferences for a company, then that may require you to log into your account: never do this from an email, always type go to the organisation’s website directly.
1 – I’ve always wanted to write that.
2 – well done, by the way.
3 – I’d provide attribution, but I’m not sure where it originated.
4 – or maybe a slurry?
5 – again, I can’t remember where.
6 – though I’m not that surprised.
Alice, Eve and Bob - a security blog 