FlightAware Discussions

Airframes.org shutdown

It looks like airframes.org has shut down as of yesterday. What might be some good alternatives for ICAO lookups?

“Airframes.org has been shut down

On 2021-11-04 2359 I received a letter from
CISPA Helmholtz Center for Information Security
Stuhlsatzenhaus 5
66123 Saarbrücken
Germany
https://notify.cispa.de/
stating that airframes.org allegedly has a “data protection issue”:
“Use of third-party cookies without consent notice”
and providing the helpful hint that
“Fines for noncompliance with ePrivacy requirements may vary depending on national laws.”
which I consider threatening.
They call it “research”, however.

That Helmholtz entity can’t be trusted in any way, as they blatantly lie right into my face: they offer an “anonymous feedback” through a personalized link. Doh!
Apparently, there are different "data protection issue"s, good ones and bad ones.

They promised to re-check this site “to verify if the issue has been fixed”.

I don’t want to be denounced in any way, and so, finally, the “issue” has been fixed immediately today 2021-11-05 and this site is clean now.
Case closed.

I am sorry.”

1 Like

They shut down the page because someone notified them about a possible data protection issue?

Isn’t that a little bit thin-skinned?
Personally I do not think that the Helmholtz-Institute is what he stated…

Talk about over-reacting. If his site wasn’t in compliance with German or EU privacy laws the authorities would have been the ones that contacted him and told him to fix it (by adding one of the annoying “This site uses cookies blahblahblah” pop-ups, most likely.) Instead he gets an auto-generated email from a spider run by a private organization and rather than ignoring it, marking it as spam, opting-out his domain from their “research project” as per their instructions on their notify page, blacklisting cispa.de’s IP addresses from being able to access his site, or whatever, he decides to shut it down! I know, it’s his site, his server, his rules, but it seems rather childish of him. Anyway, cispa doesn’t offer an “anonymous feedback” link, just their email addresses. If he has a problem with using his real email account to send something to them he could always create a free throw-away account somewhere and use that.

That’s it.

They have reviewed the site and made a recommendation statement that there’s a potential security risk on his site. Nothing about “you have to take it down by law”.
Germany is not simply taking a site down just because of that.

If he has problems with that, he should not host his site on a server in Germany.
Instead of simply taking the friendly notification and fixing it, he reacts like that.

Childish

However the question is who reported the site as dangerous to cispa…
Maybe somebody did not like the site at all

It’s an expensive site to run, I’d assume, with people who know nothing about scripting and sensible requests probably hammering it.
That’s how it goes when something is public.

His prerogative to turn it private and give access only to people who contribute data / have donated.

It’s not childish; he doesn’t want to deal with a potentially very expensive fine for having a missing cookie popup banner that does no good.
Now I find it unlikely that research group will turn him in or sue him.
Maybe the mail just put that stupid fine back in his head and he doesn’t care to take the risk.

No, you can get hefty fines and I wouldn’t trust that you get a reminder first.

I’d say those calling him childish should band together and create a free online DB for aircraft then, that seems like a good way how childish he’s being and how to do it properly :wink:

2 Likes

Adding a cookie according to the German regulations with opt-out and the required terms of use is not rocket science.
There are other data protection cases which are a lot more complicated to fix.

If this is the way to prevent a fine he should go for it. But from his reaction it looks like he’s taking it personally.

Anyways, his site, his decision. It is just my opinion.
I would raise more the question why they checked his site. Normally they are notified by someone else. Maybe someone does not want this site to be running and tried to find a way to get it down.

There are thousands of sites not following the regulations; normally only warning attorneys sense their chance to make money with it.

If he wants to take his site down rather than modify it to allow users to opt-out of cookies, that’s fine, it’s his site after all. What I find childish are the histrionics. He might have posted something more professional-sounding: just “airframes.org is unavailable until further notice” would have done nicely rather than the diatribe and accusations against the Helmholtz Research Association which cispa dot de is a part of.

He is pissed and does not see himself as root cause for the problem. That’s a reaction which can be identified pretty often. Not sure what he is expecting with it.

Don’t know how that works in Germany, but here in Sweden, you don’t get fined unless there’s been an investigation by the data protection agency where you have the opportunity to explain why things are the way they are before they slap you in the face with a fine.

I suspect that the Data Protection Agency in the relevant state (Land) has a similar process for handling complaints about unlawful data processing and doesn’t send out fines to be paid within 30 days without a proper investigation to at least motivate the fine (it can vary a lot depending on what kind of data that’s been mishandled, if it’s been leaked/sold and so on).

That being said, it’s the site owner’s prerogative to do whatever he wishes in a situation like this. I may not agree with his decision, but it’s his money that pays for the free-to-use-service.
Personally I find his actions to be a bit over the top, but that may be due to the fact that I’ve been representing my employer in numerous investigations regarding data protection issues. And we’ve never been fined despite lacking cookie-consent or using third-party-cookies (google analytics).

I found a website that creates a snippet of JavaScript code which adds a cookie consent banner. It has a wizard that lets you set it up the way you want it. I emailed the webmaster/hostmaster with the link. All he’d need to do was create a static text webpage containing his cookie policy and add the code to the main web page and he’s done and in compliance. Shouldn’t take but 5 minutes at most. We’ll see if he takes my suggestion or would rather throw tantrums.

1 Like

Germany has opened a business once the GDPR rules have been updated.
As I wrote earlier, you can simply raise a request to an attorney. If the request looks valid, the attorney sends a warning letter to the owner. Even this can cost lots of money.

Even some consumer centers are known for doing this, some without getting notified.

1 Like

Reminds me of the so-called “settlement offers” some copyright holders send to Swedish ISP customers that have (according to the offer) downloaded a specific torrent of a movie or TV show. Doesn’t hold up in court but it’s effective since it comes from a law firm and is written in formal, legal language.
It has subsided quite a bit in recent years since people now are aware that they don’t have to pay (provided that they are willing to possibly meet the law firm in court, where the case almost always gets dismissed before even setting a date for negotiations).

Are these consumer centres sanctioned by the local (land) government to handle these matters?
Can they act on all kind of GDPR-related issues or just a subset? Who handles the more complex issues, like what a company registers about their employees or customers, or for that matter, a hospital and how they handle information regarding the patients? Or even more complex, like if you use cloud services from American based companies?

Anyway, this is a separate discussion from the original one and I doubt that more than a handful of the readers are interested in GDPR issues. I really would like to know more about how this works in Germany since I’m quite involved (more or less on a daily basis) in these kinds of questions. I’m happy to continue this via a private conversation if someone is interested in doing so.

I cannot answer that.
From Wikipedia, unfortunately in German only:

The German consumer centers are associations organized at the state level that are dedicated to consumer protection and provide advisory services on the basis of a government mandate. They are recognized as non-profit organizations and are affiliated with the political umbrella organization Verbraucherzentrale Bundesverband e. V. (vzbv).

They are not bound to governmental data protection/privacy/breach cases.
So the question regarding US-based cloud services for European data is, as you said, something completely different.
In this case they can only make suggestions. Government is checking this on a different level and for other purposes.

Another story is downloading illegal stuff to your devices. In these cases you need a trigger (mainly the owner of the copyright) and finally an attorney giving you the warning letter.

But I am not that deeply involved in this topic to say properly.
And meanwhile we are completely leaving the purpose of this case, which is more a misconfigured web page without the risk of compromised data.

The cookie regulation in Germany is somewhat annoying to most of the users. You have to have a cookie policy and the clients must be able to opt out. A single notification is typically not sufficient.

Germany’s Cookie Consent Requirements - Privacy Policies

For me it’s still not clear how they came to the case to verify the web page. There are attorneys or competitors checking it to make trouble to the owners, but not the Helmholtz institute. They do not have any benefits from it by just referring to that cookie issue.

There must be more going on behind the scenes

We received a similar mail a few days earlier for our Dutch website. So it’s not related to German websites only. That organisation is just scraping websites and has no official status at all. We ignored the mail.

Maybe they have a new employee who is too motivated :smiley:

They can bury a business only by lawsuit costs themselves. I don’t know how it is in the EU, but in the US you can’t find a lawyer specialized in those kinds of cases for less than $500/hour.
The claimant doesn’t have to be “right” 100%, just a little bit, and the lawsuit is not considered frivolous.

In Germany you will find them, and some of them are meanwhile so specialized that they do it without a mandate from a customer.

Just to make money with it.
Finally, it’s the responsibility of the website owner to cover that GDPR process.

I compare it with driving too fast or wrong parking. You can’t complain if you get caught and then fined for it. Simply drive slower or put your car where it is allowed.

Surprise, Surprise AIRFRAMES is online again !!!

Thank goodness!
(20 characters)