Comment by elAhmo
7 months ago
> The ICO also confirmed that companies could not avoid accountability by withdrawing their services in the UK.
This is quite a slippery slope. If I host a website in one country, I do not necessarily care where people access my website from. It is not like I actively provide a service to them - they just use internet (decentralised network) to access it. What if I publish a newspaper here, someone takes it where the contents are illegal, am I accountable?
The following paragraph might shed some light on what that means (emphasis mine):
> We have been clear that exiting the UK does not allow an organisation to avoid responsibility for any prior infringement of data protection law
In that context it's completely fair to say "leaving doesn't absolve you of past transgressions".
Edit. If Imgur made any revenue from UK users then it becomes impossible to claim plausible deniability on any definition of "providing a service". If the UK can do something about this is a different matter. They could make CEOs/board personally or even criminally liable for the company's failure to pay a fine but probably won't.
Definition of 'Revenue in the UK' is a bit debatable though isn't it?
I sell a advertising package from my US HQ based self serve advertising portal to a British company who use the service to advertise to customers in the UK. Ok - kinda UK revenue. How about 'To advertise to customers in the US' well it's getting highly debatable.
What about I sell advertising packages to a US company from my US HQ but someone in the UK views and advert on my site and therefore generates me 0.001¢ - debatable.
> What about I sell advertising packages to a US company from my US HQ but someone in the UK views and advert on my site and therefore generates me 0.001¢ - debatable.
Not entirely sure what is debatable about this situation. You quite unambiguously derived revenue from a UK citizen here, although not much. If you didn’t want that revenue, then don’t display ads in the UK. If that makes serving traffic to the UK uneconomical, then don’t serve traffic to the UK, problem solved.
In practical terms, nobody’s give a crap about you making a couple of dollars here and there incidentally from UK citizens. It quite another matter when your business is clearly dependent on deriving revenue from UK citizens, and you take zero steps to try and comply with UK law.
It’s pretty simple, if you want the revenue, the you have to follow the law of the countries your deriving that revenue from. Don’t want to follow the law, then simply don’t try and derive revenue from putting adverts in front of citizens from that country, or by collecting and selling their data.
7 replies →
> Definition of 'Revenue in the UK' is a bit debatable though isn't it?
But I didn't say "in the UK", I said "from UK users". If Imgur monetized anything coming from a user in the UK then they can no longer pretend they weren't offering a service. They knowingly used that data to make money, it wasn't that someone accessed the site and that was the end of it.
It's the difference between going in and out of a restaurant, compared to sitting down, checking out the menu, and eating then refusing to pay because the prices are ridiculous. The latter removes any pretense of deniability. If they disagreed with a ridiculous law they should have put in a modicum of effort to block the service in the UK from the start. Instead they made money for as long as they could and now pretend to stand up for the little guy and fight abuse.
how can you be charged after you leave if you leave before the law goes into effect? doesn't the UK have ex post facto protections?
Thankfully the law, GDPR, went into effect about 7 years ago, so that shouldn’t be a problem here. This article is about the enforcement of that law.
It appears that you are mixing things here.
It's not about "hosting a website", it's about providing services.
If you provide services, like selling a newspaper, in the UK, you need to respect their laws, or you will suffer the legal implications of not doing so.
And regarding the accountability, it refers to the fact that imgur USED TO provide services in the UK:
> We have been clear that exiting the UK does not allow an organisation to avoid responsibility for any prior infringement of data protection law, and our investigation remains ongoing.
Companies providing services outside the UK can infringe all the UK laws they want, the UK doesn't care.
But as soon as you decide to provide services in the UK, you have to follow the law. And, as they explain in the article, if you break the law, stopping to provide services in the UK will not absolve you for your past wrongdoings.
Does every single website that exists and is available in UK automatically provides services in UK? Isn't it just simpler to completely block every request from UK by default to "not provide services"?
Transactional services (I don't know if that's the right word), where you have a known user, is different from passively providing web pages that people can read and you don't track them or ask them to register for an account.
But I think that distinction was pretty moot when web 2.0 came along.
Imgur's entire purpose is clearly to host user generated content though, so you can't argue it's not "providing services".
3 replies →
> that imgur USED TO provide services in the UK
Meaning that the servers were located in the UK, or that the users were, or both?
It's so ambiguous. Let's say I'm a citizen of country A, currently residing in country B. I'm using a VPN headquartered in country C to make my traffic appear to originate from country D. I access a web site with servers physically located in country E, that uses a load balancer / cache hosted in country F. The company that runs the web site is headquartered in country G but has employees in countries H, I, and J.
Whose laws need to be followed?
4 replies →
What service is Imgur providing in the UK specifically?
Memes.
3 replies →
Advertisement.
It’s you who are mixing things. Putting up a website outside the UK and “deciding to provide services in the UK” are two decidedly different things.
UK legal imperialism is self centered and unrealistic and undermines speech the world over.
The US does exactly the same thing, including at the state level. See e.g. https://en.m.wikipedia.org/wiki/United_States_v._Scheinberg
2 replies →
I’m guessing that Imgur happily accepted the ad revenue from UK users while it served them images. If you genuinely were “not providing services” to UK users, you wouldn’t do that.
I’m not happy with extraterritorial assertions over internet services either, but you can’t wish them away with sophistry about “we’re not providing services to them!” if you’re happy to take their money and serve them a page in exchange. That’s the definition of a business providing a service to a customer.
14 replies →
I think it's a conflict that was baked into the Internet at its conception. A non-geographic service overlaid on top of a world with a huge amount of geography and borders.
Yeah. We had a chance to invent our own governance on the internet. But we abdicated, and made the internet a free for all. As a result, national governments have stepped in to provide the governance we didn’t program in. And they do it - of course - in an inconsistent, ad hoc way.
There was a period a couple hundred years ago when it was all the rage internationally to write constitutions. Lots of countries got constitutions within a few decades, and almost no constitutions have been written since then. I wonder sometimes how the internet would be different if it were implemented in an era or culture in which people believed in that sort of thing.
I don't think it would make much difference; an internet constitution would be worth about as much as the paper it's not written on.
3 replies →
The bordered nature of geography is just as much of a social construct as the borderless nature of the internet is. It's not a given that this war will be won by the former.
"The ICO also confirmed that companies could not avoid accountability by withdrawing their services in the UK.
Mr Capel said: "We have been clear that exiting the UK does not allow an organisation to avoid responsibility for any prior infringement of data protection law, and our investigation remains ongoing."
When read in context, it's obvious the statement quoted in the HN conmment refers to only to accountability for "prior infringement", i.e., acts committed before withdrawing services in the UK
You already need to care depending on what you are serving, and this has been the case for at least 20 years to my knowledge.
The most obvious example of this is websites from the UK or Europe which operate any kind of gambling. [1] This may well be legal (based on licensing) in their jurisdiction, but they still need to restrict access to prevent US people from accessing the service or they will be breaching the US's gambling laws.
Likewise many US firm geofence access for EU residents out of fear of GDPR.
People hosting news sites have often had to geofence to prevent UK residents from accessing their site if they are hosting any kind of reporting of UK court cases that are under embargo or matters that are subject to one of the UK's famous "Super injunctions" [2]
[1] eg this guy was on the board of a listed UK company operating as far as they were concerned entirely legally who was arrested in NYC https://www.theguardian.com/business/2006/sep/14/gambling.mo...
[2] eg In the "Ryan Giggs" super injunction case https://en.wikipedia.org/wiki/2011_British_privacy_injunctio...
> People hosting news sites have often had to geofence to prevent UK residents from accessing their site if they are hosting any kind of reporting of UK court cases that are under embargo or matters that are subject to one of the UK's famous "Super injunctions" [2]
…and if the site has no UK assets, how enforceable is the injunction?
I mean, in the case of the US, you board a plane in country X going to country Z, it flies over country Y which is friends with the US. The US has country Y land the plane and has the plane boarded by armed men that drag you off kicking and screaming where you are put in a cage and then shipped to the US.
3 replies →
> but they still need to restrict access to prevent US people from accessing the service or they will be breaching the US's gambling laws.
Why not just avoid travel to the US?
The US has a huge reach in the western (and global) world and can impact you in a lot of creative and legal ways (e.g. prevent Google / Apple / Microsoft from offering services to you).
1 reply →
Yes, you can do that. The thing is, that'll apply to all your employees, no matter how junior.
And it also extends to countries with extradition treaties to the US; holiday in the the Dominican Republic? You can be arrested and extradited to the US (Gary Kaplan). And of course if you change planes in the US (David Carruthers)? Arrested. Only broke the laws of one US state, and you change planes in another? Arrested (Peter Dicks).
Although perhaps the real lesson there is to be better at avoiding the US.
There is a huge number of countries that will comply with the US. All of Western Europe, a good portion of Asia and the Pacific and plenty of other places that I've forgotten about.
If you are wanted in the Western world and the US wants you, you are likely to be got.
I agree, but if you sell products or subscriptions to people in a foreign country the situation becomes different. And if you run ads then the situation is more complicated but closer to that than to your personal website.
IMO the question is not if such services should be held accountable by local laws but how they should be held accountable. I think it would make more sense to go after the UK entities profiting from the endeavor: advertizers and financial institutions involved.
This part bothers me. Enforcement seems to be at their discretion. In this case the framing or reality around the fine is very bad, they sort of say it's intentional themselves.
They're leaving and they're getting the fine. Implying if they didn't leave and implemented changes, that there is a chance they may not have been fined.
This situation here is what I sort of implied when lfgss shut down: https://news.ycombinator.com/item?id=42444354
What they mean, and to take an example that it purposely extreme: If you kill someone in a country you cannot avoid accountability in law by fleeing that country.
If they breached laws and regulations then withdrawing their service from the country afterwards does not change anything regarding those breaches (investigation still ongoing, though).
This is neither comparable nor a good example.
It's not comparable because the "crime" has been committed in the hosting country (where it's arguably not even a crime) and it's a bad example because there are many incidents of murderers fleeing to non-extradition countries.
I did say it was extreme on purpose to make the point clear, or so I thought. Looks like it isn't clear to you...
Whatever you think of my example, it is exactly the same legal reasoning at play here. If you broke the law then withdrawing does not change that and accountability.
> It's not comparable because the "crime" has been committed in the hosting country
Obviously not, that's the whole point: They may (investigation ongoing) have breached UK law. So, to really labour the point, if you breach the law in one country then cutting links with that country afterwards does not change anything.
Now, to be a bit more substantive than this tedious bike-shedding, I think the UK are just trying to send a message here even if enforcement may be difficult. The EU could do the same with the GDPR since it is the same type of law (global reach and applicability).
2 replies →
> am I accountable?
If you travel to their jurisdiction, yes.
Many countries countries witch apply their laws outside there jurisdiction and borders
USA (Kim dotcom)
Russia (Skripals)
China (Teng Bio)
Israel (Mordechai Vanunu)
USA BetonSports / https://en.wikipedia.org/wiki/David_Carruthers
1 reply →
The Mordechai Vanunu case is a bit different as he was convicted of treason (he leaked details of Israel's nuclear bombs while in Britain).
It makes sense for treason to apply everywhere. If that were not the case Britain could not have executed Lord Haw-Haw given that he only sent broadcasts from Nazi Germany.
I was thinking of China and also Saudi Arabia, especially that reporter who was killed in Turkey over their dissent.
also because I have to...
Telegram has entered the chat
In the example given the answer is "no" but that's not the same as Imgur's case.
Telegram should be enough to justify why Imgur would pull out of the UK.