I was lucky to have the opportunity to present to a group of advertising professionals concerning GDPR and its impact on digital marketing recently (this, btw, is not just the lead-in but also my excuse for the delay in posting, so there). I analogized the current state of affairs to Dante’s Purgatorio, the second of three books comprising the Divine Comedy, primarily because both pain and, hopefully, salvation lie ahead. And because, alas, there will be costs in the meantime. A coin in the regulatory coffer sings, and a controller from GDPR springs.
It is not a perfect analogy of course. Purgatory almost by definition was of finite, if long, duration and the uncertainty surrounding some elements of GDPR may truly last forever. But judging by the volume of the lamentations, I think it’s fair to say we are out of hell. At the very least, we are beginning to see some proposed solutions.
Help Me Help You
Speaking of ongoing uncertainty, we have yet to see any entity become accredited to provide compliance certifications. Worse, no supervisory authority has yet published criteria for accreditation, even though this is promised in the regulation itself. It’s like scheduling a ballgame for Sunday, and the ref won’t let you play, changed the rules, and won’t tell you the new ones.
GDPR specifically provides for the accreditation of “certification bodies” to ratify a particular process as compliant with the regulation. These “certifiers” may be private enterprises. The goal is provide some confidence to controllers, processors, and the broader market that certain conduct is kosher. Imagine, for instance, that a company gets a consent process for an email list certified as compliant. It would then be widely copied by controllers, with the fully valid expectation that their process too is compliant. My conversations with counsel for GDPR controllers and processors, again and again, come back to this. The market needs a reliable certification mechanism, and frankly, the sooner the better.
In the meantime, let’s hope that supervisory authorities, who appear to be quite busy at the moment with over 95,000 complaints in eight months from EU data subjects, are spending time developing positive regimes like accreditation criteria, not just investigating and issuing fines to controllers and processors. And by the way, if this is not clear already, anyone promising a valid GDPR compliance certification right now is a selling you a bridge.
51% Attacks and Rental Market
Coindesk published a fascinating article over the weekend about rentable hashpower and the total cost of 51% attacks. The scary news: it is actually pretty cheap to attack a lot of coins. And if you merely double or 5x the available-for-rent hashpower for certain algorithms, some pretty big names become somewhat vulnerable (like ETC, which was already attacked, and Dash).
The author argues that the market dynamics are such that more and more hash power will be available for rent. Much like cloud computing, it simply an alignment of incentives. Cloud storage providers focus on capacity. It makes sense for them to acquire and provide it to the market, with the expectation that users will find the best deals, the best service, and rent only the capacity they need. Users, meanwhile, get to focus on their project, rather than running and maintaining servers. Here is what Bezos said about the cloud a few years ago:
Whether you are a startup founded yesterday or a business that has been around for 140 years, the cloud is providing all of us with unbelievable opportunities to reinvent our businesses, add new customer experiences, redeploy capital to fuel growth, increase security, and do all of this so much faster than before.
Perhaps this is where mining is headed too. It makes sense that mining hardware providers and large owners would choose to rent some or all of their hashpower to downstream users. The effect of such rentals is to diversify their hashpower across tens and sometimes hundreds of coins (and convert the hashpower into fiat currency immediately). Speculators meanwhile can purchase hashrate for their chosen coins without the upfront capital cost of buying miners and finding space to operate them (miners are loud and really, really hot!). Of course, the idea of mining contracts is not new–Genesis for one has been offering them for sometime.
But the big claim–namely, more and more hashrate will come on line because the market compels as much–is fascinating and potentially problematic for smaller blockchains. The author does an excellent job of describing the mechanics of a 51% percent attack, how it works, why it would be profitable under certain circumstances, and the (limited) countermeasures available to victims. The most likely victims are exchanges. If this does indeed become the case, and weak coins (coins without a lot of hashrate) start getting attacked, we should expect aggressive delisting policies from all exchanges.
How to See Europe on 50 Million a Day
Google and Facebook, like Napoleon, find themselves in perpetual war in Europe. The CNIL, the French supervisory authority under GDPR, issued a 50 million Euro fine against Google, and now German antitrust regulators are attacking Facebook’s consent process. This will get worse before it gets better. Entities with large European establishments should strongly consider acquainting themselves with GDPR’s “one-stop shop” mechanism. It is better to be investigated by one lead regulatory authority with whom you have a relationship, than 20 who don’t know you from Adam.
The Most Expensive Prius Ever
One thousand bitcoin! Three million dollars! And I’m not even sure about the color.
As always, thank you for reading.