Taxing cryptocurrency transactions

For the past several years, I have prepared my taxes using the H&R Block software. This year I noticed something different: a series of questions about any cryptocurrency holdings and transactions. Ruh-oh, I thought to myself, those crypto-chickens have come home to roost. The IRS wants its tribute.

Actually, the IRS has had rulings on cryptocurrencies for several years, but last fall it issued new guidance that clarified some things and made others more confusing. One of the pitches I recently got from a PR person started off with this line: “The IRS is cracking down on properly reporting taxable crypto transactions, even going as far as issuing tens of thousands of audits.” It was time to get some advice, so I asked my accountant, who does my business tax filings, what was up.

She told me that “Tens of thousands of audits is probably an exaggeration – as they don’t have the manpower. What is probably more likely is that they have sent out many letters to taxpayers” asking for clarification. But not full-blown audits. The Next Web reported last summer that taxpayers got these letters and some were told they owed thousands of dollars in back taxes.

The form involved is the 1099-K, an information return that a payment processor or exchange sends both to you and to the IRS; it is what my tax software was trying to figure out whether I had received. “The IRS has used 1099-K information in audits – although they had at one time said they wouldn’t. I haven’t seen a crypto audit based on a 1099-K. The important thing is – if you have cryptocurrency, do keep track of it. Do report to the IRS your sales if you’re using it as an investment. And do report your income from it if you’re using it for business. If you have crypto transactions showing up on a 1099-K just make sure you can document what the transaction is.” Some of the coin exchanges now automatically generate an annual 1099-K form, like your mutual fund or IRA operator.

But the problem that isn’t yet solved by the IRS is what happens when the blockchain behind your coin forks because the developers have a food fight and split into two separate coins. The IRS treats receiving the new coin as a taxable event, and “That means that anyone who forks a blockchain can, without warning or notice, create new tax obligations for every holder of coins on the old chain,” says one coin news site. The taxpayer holding the coin hasn’t done anything to acquire this new asset. That isn’t great, but I think it is somewhat analogous to holding shares in a pre-IPO company. When such a company goes public, options or restricted shares that vest or get exercised around that time become taxable, and the timing is outside the control of the taxpayer. Many of you know exactly this situation, and had to sell off shares to pay the feds during that particular year.

So if you have significant holdings in crypto, make sure you track when you bought it (or when you got it as payment for services rendered), what it was worth at the time, and when you traded it in for hard currency.

“People don’t seem to realize that Bitcoin was designed as an immutable evidence trail. It is anything but an anonymous system,” says Craig Wright in his blog post here. “If we want to be treated like adults, we need to start acting in such a way and understand that we live in a world of rules.” I agree.

Red Cross blog: Volunteer serves Red Cross at home and abroad through his high-tech skillset

Over the years, David Sewell has worked for many different Red Cross departments, including as a shelter worker and as a damage assessment worker. With this history, it is no surprise that he has done about 40 different deployments all across the country. He now has two positions with the Red Cross: he is both the Disaster Services Technology Chief and a member of the international Information Technology and Telecommunications disaster response roster. As part of these assignments, he manages between 40 and 60 volunteers across the western part of the U.S. and puts in roughly three hours per day on Red Cross activities.

You can read my profile of his activities for various Red Cross chapters here.

Yep, I got cancer

Last week I got my biopsy results back and yep, I got prostate cancer. I know — “the good cancer” or “the one cancer to get” or “very slow moving and curable cancer.” 

But it still is cancer. Or CANCER, which is how I and many of us think about it. It is larger than life itself. Here is a brief introduction to my journey. I was going to say that it all began last May, when I got my PSA results that “something was wrong.” Actually, that timeline isn’t completely true. I should go back further in time, when I wasn’t able to control my urine one night. I will spare you the details for now. I was so ashamed of myself. What is happening to me? Did I have too much to drink? Was I losing control over my bladder? Was I becoming an “old man?”

Well, yes to all above. But it turns out that my prostate is ginormous. I didn’t know that at the time, at least not until last May, when I got my PSA and got checked physically. I will spare you those details here. But that just meant more tests, starting with more PSAs.
These were high but not consistently higher and certainly not as high as I have seen elsewhere in conversations with friends and associates. That meant another blood test called 4K, which also confirmed that I had a higher-than-normal result. Next stop on the diagnostic train: an MRI. That happened in January. The scan didn’t find any cancerous lesions, which meant that if I had cancer it was going to be hard to find. That meant my next step was a biopsy. My doctor took ten samples; four came back with cancer. It turns out that I have a little bit of it, so I can wait a few months to figure out what I need to do, but I definitely need to do something. That officially began the “end of denial” period for me.

Denial is a great management tool: I see this all the time in the IT world where managers deny that they will be a hacking target, or that their aging Windows 7 infrastructure will be the digital equivalent of a welcome mat and punching bag. But when it comes to cancer, you have to make the move at some point from denial to action. Writing this blog officially marks my transition.

Why am I telling you this? When I wrote a few years ago about my first hearing aid, I got a lot of feedback and encouragement about sharing my story. So it seems like here we go again, into the medical/industrial complex.
I have come to realize that my newly minted membership into Cancer Fight Club means that I have to operate with different rules than regular Fight Club. If you haven’t seen the movie you probably still know the first (and second) rule of Fight Club is not to tell anyone about the club’s existence. Well, Cancer Fight Club turns this (and some of the other rules) on their head: tell everyone you know you have cancer. Don’t keep it to yourself. So here we are.
I have already written a bunch of posts on a CaringBridge journal and you are welcome to send me a request for access, or to share your own cancer journey here (in public) or via a private email if you’d like. And thanks for your support.

FIR B2B podcast episode #134: Fred Bateman on the evolving role of PR in a fragmented media world

Fred Bateman has been around the tech world as long as Paul Gillin and I have: At the dawn of the PC era he worked for various PR firms and then founded the Bateman Group, which grew to 90 staffers doing tech-focused PR and content marketing. Fred recently announced that he will sell his majority ownership to his three co-owners, who have re-branded the company as Mission North. He plans to partner with nonprofits to teach disenfranchised groups of people the business, writing and communications skills required for a successful career in tech-focused PR.

Paul and I spoke with Fred about how far the PR profession has come since the dawn of the Internet era, how PR and content marketing people need to work hand-in-hand and how branded news sites such as Adobe’s CMO.com have created new avenues of influence for marketing organizations. Fred also reflects on the skills that distinguish the best PR pros he’s worked with from all the others and the complex role of influencers in today’s media landscape. You can listen to our 20-minute discussion here:

Becoming a digital vagabond? Here are ways to be secure

A friend of mine is nearing retirement and thinking about spending some extended time living and working abroad. He has a few years to plan how to manage this transition, and asked for my advice. Here are a few recommendations on gear, process, and managing his security. In the past year I have been to London, Prague and Israel, so I have some ideas. I also asked some long-time fellow vagabonds to help provide some guidance based on their own experiences.

Your phone. At the heart of your communications is going to be your smartphone. My recommendation is to carry at least one locally issued SIM card when you travel, which is what I do when I am abroad. The catch is that some carriers’ SIMs roam across borders and some don’t. If you have a European cell plan, you can easily roam around the entire continent. For those of us from the States, the UK-based GiffGaff SIM works really well there and is very inexpensive. Another recommendation is to limit your use of voice minutes and get the biggest data plan that you can afford for the period of time that you will be traveling. If you are going to be someplace for a month or longer, you should consider buying the SIM when you arrive, as you often can get the best deals at a local drugstore or supermarket.

The next issue is whether to get an Android or an Apple phone. I am biased towards Apple. Do you need to buy the latest and greatest iPhone model? No, and lately the American cellular carriers are offering all sorts of discounted (and sometimes free) older iPhones, such as the iPhone 8, if you agree to a two-year contract. One issue with using different SIMs on an iPhone is that it can mess up iMessage and deregister your American phone number from your iCloud account. A way to avoid this is to start originating your iMessages from your iCloud (Apple ID) email address instead of from your phone number.

If you are an Android fan, I would stick with Samsung, because it ships Android security patches to its phones on a regular schedule. Avoid Android phones whose vendor has stopped issuing patches, because they are so easily compromised: all it takes is installing a phony app or clicking on a phishing link. You might say that you will pay careful attention and not download anything, but it is just human nature.

What about getting a dual-SIM phone such as the iPhone XR or Samsung Galaxy S10? I don’t think this feature is worth it, especially as these tend to be the more pricey phones. The iPhone in particular doesn’t have two physical SIM slots: the second line has to be a virtual eSIM, which adds another layer of complexity and compatibility questions with foreign carriers. Many non-US carriers offer free inbound calling from US numbers anyway.

Your American cell provider. Reading articles about SIM-swap attacks such as this one on c|net, I think the best US carrier for secure international use is T-Mobile. It also has a very flexible travel plan. This doesn’t mean that it works everywhere, and you should map your planned route against its coverage area; otherwise you will run up a nasty roaming bill in those unsupported places.

You should definitely add a PIN to your cellular account, the one the carrier must ask for before it swaps a SIM or ports your number; that is the control that makes a SIM-swap attack harder. Depending on how long you will be out of the USA, you might be able to get by without having any American cellular account. Given that there are so many data-based voice apps (WhatsApp, Skype, Viber, FaceTime), you probably can limit your actual voice calls anyway. For example, WhatsApp seems to be the app of choice that many Airbnb owners use to get in touch with you, and in Israel it is really the main communications tool among locals.

Google Fi also has some interesting plans, especially for international travel, and has expanded its geographic coverage. If it offers service in the countries that you intend to be in, then give it consideration. It also might work better on Android models. One of my friends uses this and finds it very handy: “I can touch down in 170 countries and immediately have data access plus have coverage for when I’m in the States. I cannot stress enough how important it’s been to have data when I land somewhere for both safety and convenience. When I’m able to respond to messages at touchdown and get an Uber from the airport without needing to hope there’s Wifi it’s been a genuine lifesaver.” That reminds me of when I was in London for a few days and just had Wi-Fi coverage: I had to run back and forth between the terminal and the car park and almost missed my ride because the garage had no coverage.

One other recommendation for navigation is the mobile app Maps.me. You can prepare digital maps in advance and download them to your phone for situations where you don’t have decent data coverage. One downside is that the map labels are in the local language.

Your American banking provider. If you take a look at the twofactorauth site, you can see that Capital One, HSBC and USAA all support authenticator apps rather than only SMS codes. There may be others; my friend pointed out that his local credit union also now supports the Google Authenticator app. Now I know that changing banking providers is painful, but if you are planning this in advance you might as well start now and choose one of them that supports an authenticator app. Also, if you haven’t gotten a YubiKey or a Google Titan key, you might want to purchase one of these as well; where a site accepts a hardware key, it is the strongest second factor you can use.

While supporting the local credit union has some appeal, you want a bank that has a larger footprint and can handle deposits and withdrawals at overseas ATMs with minimal fees. If you are going to be sticking around in one place for several months, you might want to open up a local account; consult the twofactorauth website first to see whether a local bank offers additional authentication support.

Speaking of other accounts, I have been experimenting with the mobile app Revolut. It makes it easy and inexpensive to move money around the world. You can use the app to find low-fee ATMs and hold funds in multiple currencies.

What other accounts do you have that handle money transactions? Amazon, for example, is an obvious one. But you might have set up accounts at bitcoin exchanges that you have forgotten about, or with other online merchants that you do business with. You should use this time to flag them and, if they don’t offer an authenticator app option, delete them. I had set up a Yahoo.com email account back in the early days, and had about 100 contacts on this account. When Yahoo got breached, that account was compromised. I had forgotten about this account and its contents. It didn’t help matters that Yahoo made it difficult to completely delete it too.

Harden all of your passwords. If you don’t use a password manager, now is the time to get on board with one of them and start changing your passwords to something more complex, and of course unique. Watch yourself and take note when you create a new online account, and let the password manager take over rather than typing in one of your old standbys. I use Lastpass, but there are others that are just as good. Should you be concerned about storing your entire password collection in the cloud? Yes, but the better password managers let you protect the vault with an authenticator app in addition to your master password, so make sure you turn this option on. BTW, you should not store your passwords in any of your browsers. This is because if you cross an international border, you might have to unlock your phone at the checkpoint, and once the device is unlocked, browser-saved passwords are readable without any further prompt, whereas a password manager that has locked itself still demands its master password. This also means that you should sign out of all your email and other sensitive accounts when you reach a customs barrier, especially when entering and leaving the USA.

What online accounts use your present cell phone number as part of your identity? This is a lot harder to figure out, even with your password manager. Facebook and Twitter are the biggest issues here. I don’t think you can easily change the cell number attached to your account, but if you can, you should set up a Google Voice number for use just in authentications. It will forward both voice calls and texts to your “regular” cellular number too. One issue: you can’t use both Google Voice and Google Fi on the same account.

Laptop physical security. I got a “disposable” (meaning cheap) laptop so I don’t have to worry about it being stolen when I travel. But when you are living somewhere else, you might have to rethink this. How can you travel with your data without worrying that something will happen to your laptop if it is all on your computer? I have heard that thieves in Silicon Valley are going around with Bluetooth scanners looking for laptops in cars. It is only a matter of time before this catches on elsewhere. This means you might want to consider either a laptop with a removable hard drive, or else keep everything in the cloud with a Chromebook. Whatever you carry, turn on full-disk encryption (FileVault on a Mac, BitLocker on Windows) and shut the machine down rather than sleeping it when it leaves your hands, so that a stolen laptop yields hardware, not data.

How about a VPN? I use ProtonVPN, made by the same folks that do ProtonMail. The basic free version is fine. One issue, though: when transiting some airports and staying at some hotels, you have to turn it off until you get past the venue’s captive-portal sign-in page, then turn it back on; until you do, the hotspot can see all of your traffic. The nice thing about this VPN is that you can use it on both your phone and laptop. The paid versions have fancier features, such as being able to pick the country your traffic exits from.

Thanks to Paul, Bryan and Joel for their help with this article. Feel free to share your own digital nomadic experiences in the comments here. And good luck with your travels!

RSA Blog: The Tried and True Past Cybersecurity Practices Still Relevant Today

Too often we focus on the new and latest infosec darling. But many times, the tried and true is still relevant.

I was thinking about this when a friend recently sent me a copy of one of Bruce Schneier’s books, published in 2003. Schneier has been around the infosec community for decades: he has written more than a dozen books and has his own blog that publishes interesting links to security-related events, strategies and failures.

His 2003 book contains a surprisingly cogent and relevant series of suggestions that still resonate today. I spent some time re-reading it, and want to share with you what we can learn from the past and how many infosec tropes are still valid after more than 15 years.

At the core of Schneier’s book is a five-point assessment tool used to analyze and evaluate any security initiative – from bank robbers to international terrorism to protecting digital data. You need to answer these five questions:

  1. What assets are you trying to protect?
  2. What are the risks to those assets?
  3. How well will the proposed security solution mitigate these risks?
  4. What other problems will this solution create?
  5. What are the costs and trade-offs imposed?

You’ll notice that this set of questions bears a remarkable resemblance to the IDEA framework that RSA CTO Dr. Zulfikar Ramzan presented during a keynote he gave several years ago. IDEA stands for creating innovative, distinctive end-to-end systems with successful assumptions. Well, actually Ramzan had a lot more to say about his IDEA but you get the point: you have to zoom back a bit, get some perspective, and see how your security initiative fits into your existing infrastructure and whether or not it will help or hurt the overall integrity and security.

Part of the problem, as Schneier says, is that “security is a binary system, either it works or it doesn’t. But it doesn’t necessarily fail in its entirety or all at once.” Designing for how a system fails, and not only for whether it works, is at the core of building a better security solution.

We often hear that the biggest weakness of any security system is the user itself. But Schneier makes a related point: “More important than any security claims are the credentials of the people making those claims. No single person can comprehensively evaluate the effectiveness of a security countermeasure.” We tend to forget about this when proposing some new security tech, and it is worth the reminder because often these new measures are too complex. Schneier tells us “No security countermeasure is perfect, unlimited in its capabilities and completely impervious to attack. Security has to be an ongoing process.” That means you need to periodically audit and re-evaluate your solutions to ensure that they are as effective as you originally proposed.

This brings up another human-related issue. “Knowledge, experience and familiarity all matter. When a security event occurs, it is important that those who have to respond to the attack know what they have to do because they’ve done it again and again, not because they read it in a manual five years ago.” This highlights the importance of training, disaster-recovery drills and penetration-testing exercises. Today we call this resiliency and apply the strategies broadly across the enterprise, as well as specifically to cybersecurity practices. Managing these trusted relationships, as I wrote about in an earlier RSA blog, can be difficult.

Often, we tend to forget what happens when security systems fail. As Schneier says early on: “Good security systems are designed in anticipation of possible failure.” He uses the examples of road signs mounted on break-away poles in case someone hits the sign, and of modern cars with crumple zones that absorb the impact of a collision and protect passengers. He also presents the counterexample of the German Enigma cipher machine: it was thought to be unbreakable, “so the Germans never believed the British were reading their encrypted messages.” We all know how that worked out.

The ideal security solution needs to have elements of prevention, detection and response. These three systems need to work together because they complement each other. “An ounce of prevention may be worth a pound of cure, but only if you are absolutely sure beforehand where that ounce of prevention should be applied.”

One of the things he points out is that “forensics and recovery are almost always in opposition. After a crime, you can either clean up the mess and get back to normal, or you can preserve the crime scene for collecting the evidence. You can’t do both.” This is a problem for computer attacks because system admins can destroy the evidence of the attack in their rush to bring everything back online. The practical compromise is to capture before you rebuild: snapshot the VM or image the disk, preserve logs and, where possible, memory, and only then restore from a known-good image. It is even more true today, especially as we have more of our systems online and Internet-accessible.

Finally, he mentions that “secrets are hard to keep and hard to generate, transfer and destroy safely.” He gives the example of a king who builds a secret escape tunnel from his castle. There always will be someone who knows about the tunnel’s existence. If you are a CEO and not a king, you can’t rely on killing everyone who knows the secret to solve your security problems. RSA often talks about ways to manage digital risk, such as this report that came out last September. One thing is clear: there is no time like the present to think about how you protect your corporate secrets, and what happens when the personnel who are involved in that protection leave your company.

Steer clear of Plaid for your small business accounting

If you are looking for a small business accounting software service, don’t consider WaveApps, Sage or the site And.co. All of them use the banking connector Plaid.com and share the same major shortcoming, which I describe below. Let me explain my journey.

When I first began my freelancing business in 1992 (can it be?), I used the best accounting program at that time: QuickBooks for DOS. It was simple, it was easy to setup, and it did the job. I stayed with QB when I went to Windows and then to Mac, upgrading every few years, either when my accountant told me that they couldn’t use my aging software or when Intuit told me that I had to upgrade.

I use my accounting software for three things:

  • To keep track of my expenses and payments, entering information once or twice a month to stay on top of things.
  • To produce invoices and to accept credit card payments from my clients
  • To produce reports once a year for my accountant to produce my business tax filings

That isn’t a lot of requirements, to be sure. Naturally, over time some of them have changed: when I first began, my accountant directly read my QB file. Now she just wants a few year-end statements, which almost every accounting tool can produce. Also, enabling credit card payments isn’t the big deal it once was: there are so many other solutions that don’t have to originate from the accounting software tool itself (such as Square, for example).

One thing that hasn’t changed is my goal: having to spend as little time as possible using the software, because this means that I have more time to spend actually writing and doing the work that I get paid to do.

But installing software on my desktop is so last century. Eventually, Intuit stopped making physical software and every QB version is now in the cloud. Their solutions start at $25/month, discounted for the first few months. Actually, that isn’t completely accurate: they also have a “self-employed” version for $15/month, but it has so few features that you can’t really use it effectively – such as producing those yearend reports that I need for my accountant.

Several years ago, I found Waveapps. It was free, it had just enough features to make it useful for me (see above) and did I mention it was free? I started using it and was generally happy. One of the nice features was how it connected to my corporate checking account at Bank of America and imported all my transactions, which made it easier to prepare my books and track my payments.

A few weeks ago, Wave decided to “upgrade” its banking connector to Plaid. And that broke my BofA connection. The problem is that I have set up my banking login to use an SMS text multi-factor authentication (MFA) prompt on every login. I wish BofA offered something better, but that is what they have (they call it “extra security”) and so I use it. Plaid doesn’t support my bank account’s “extra security” MFA setting.

This begins The 2020 Accounting Software Evaluation Project. It deserves the capital letters because it meant that I had to start looking around, reading software reviews, signing up for the software service providers, and checking them out. I very quickly found that Sage and And.co (I do hate their domain name) also use Plaid as a banking connector, so I wasn’t getting very far by switching to them. Meanwhile, here we are into February and I still haven’t decided on what to do with my accounting software.

I took time to email the PR person at Plaid, who initially told me that the BofA MFA issue was a bug and they were working on a fix. That was a lie, or perhaps a misunderstanding. Eventually, this is what I got from them: “Plaid supports the standard MFA for Bank of America and most of the other 11,000 institutions on the Plaid network, but we do not currently support BofA’s perpetual MFA setting.” This is also not true. BofA only offers a single MFA method: sending SMS texts to your phone. I wish they offered a smartphone authenticator app, but they don’t.

So my dilemma is this: should I eschew security for convenience? I can turn off the MFA, get my accounting data imported, and then turn it back on. Note what that workaround means, though: a third party is logging into my bank with my actual online-banking password, and for as long as the MFA is off, that password alone is enough for anyone else who has it. I could try to switch accounting providers to something else; I haven’t tried all of the small business providers, but I have a feeling that Plaid has them as customers too. I could find another bank that has better security and perhaps works with Plaid, but that would mean changing a lot of my bill-paying data too.

No good choices, to be sure. I guess I will just stick with Wave for the time being, but I am not happy about it. Secure users shouldn’t use plaid.com.

FIR B2B podcast #133: How to Construct a Compelling Case Study

This week we discuss case studies — both ones Paul Gillin and I have written and others we like. The best case studies are really about the storytelling, having a solid narrative arc with a beginning, a resolution and a moral. They bring to life a hero – or in some cases an anti-hero – and describe the drama that led up to a crisis point and how the situation was resolved. The best ones are simple, don’t burden the reader with needless details and have a news hook that makes them compelling during the time surrounding their online posting.

My own story about the Avast CISO Jaya Baloo, who faced a security breach on her first day on the job, was instructive in showing the conflicts over how to respond to a breach and how she rallied her staff to fix the problem, but it also provided insight into her personality and her leadership strengths. Paul’s story about the rise of Domino’s Pizza from whipping post to Wall Street darling starts out by describing customers who said Domino’s product tasted like cardboard. It’s an unusual way to start a story but a nice narrative for a turnaround. The chain took control over its digital technologies and saw a 50-fold increase in its stock price as a result.

Sometimes stories, like Paul’s piece on J.C. Penney’s attempted turnaround, don’t stand the test of time. While Penney’s tried to restart its brand with members of the team that led the successful digital transformation at Home Depot, the story shows that sometimes hope is not the best marketing strategy.

And sometimes stories have anti-heroes at their core, as in this piece that Kaspersky ran last year about the increase in the number of cities that have suffered ransomware attacks. It drew our attention as a reminder of how devastating these attacks have been and why they continue to be attractive to criminals, with storytelling used as the hook.

Finally, case studies can have a visual element, as this piece on rebranding cranberries for the millennial generation did. The folks behind marketing this seasonal fruit used the fascination that millennials have with taking pictures of their food to put together a nice social media campaign last Thanksgiving that moved what many consider a boring traditional dish into the spotlight.

Listen to our 12 min. podcast here.

Celebrating data privacy day should be everyday

Are you familiar with the term dark patterns? You probably are if you do any online shopping. The term has been in use in the UX world for a decade and refers to a design choice that pushes a user into a decision they might not otherwise have made, such as adding a product to a shopping cart that wasn’t selected, running a deal countdown clock, or warning that a product you are thinking about buying is running low in inventory. A related technique is nudging, where the website designer renders the answer they prefer in a larger font or a bigger button than the alternative, as in the image below.

Last fall a group of academic researchers found more than 1,800 instances of dark pattern usage on 1,254 websites, which likely represents a low estimate. Many of these websites had pretty deceptive practices.

Dark patterns are just the latest salvo in the fight over keeping our private lives private. An article posted over the weekend in the New York Times documents the decline of this notion. “We have imagined that we can choose our degree of privacy with an individual calculation in which a bit of personal information is traded for valued services — a reasonable quid pro quo,” writes the author, Shoshana Zuboff. “We thought that we search Google, but now we understand that Google searches us. We assumed that we use social media to connect, but we learned that connection is how social media uses us.” Our digital privacy is now very much a publicly traded commodity. Zuboff’s study of this erosion of privacy is just in time to honor this year’s Data Privacy Day. She mentions a series of examples, such as Delta Airlines’ use of facial recognition software at several airports to shave seconds off of passenger boarding times, with almost everyone opting in without a complaint.

The other news item in time for DPD is the UK’s Information Commissioner’s Office (ICO) recent publication of a series of design guidelines called Age Appropriate Design Code to help children’s privacy and online safety. Let’s discuss what they are trying to do, what some of the issues are with enforcing their guidelines, and what this all has to do with dark patterns.

The ICO rules haven’t yet been adopted by Parliament – that is several months away if all goes well, and longer if it turns into another Brexit debacle. And that is the crux of the problem: “Companies are notoriously bad at self-regulating these things. Guidance is great, but if it’s not mandatory, it doesn’t mean much,” says my go-to UX expert, Danielle Cooley. And Techcrunch likens this to the ICO saying, “Are you feeling lucky data punk? How comprehensive the touted ‘child protections’ will end up being remains to be seen.”

Cooley gives the ICO props for moving things along – which is more than we can say for any US-based organization. “It is a step in the right direction and a good starting point for other government entities, much like GDPR was for motivating California to pass their own privacy legislation. However, there is really no way to enforce much of this and there are multiple ways around it too.” She gives the example of American alcohol manufacturers that prohibit people under 21 from entering their websites. Can they really stop a minor from clicking through the age screen? Not really. “At least, the ICO addresses dark patterns and nudging.” One point Cooley makes is that proving the opposite of dark patterns is a lot harder to do, and few analysts have done any research on it.

The ICO has specific examples of nudging, which “could encourage children to provide more personal data than they would otherwise volunteer.” There are a total of 15 different categories of guidelines, ranging from transparency to default settings, data sharing, and parental controls. The rules are for all children under the age of 18, which is a wider scope than existing UK and US data protection laws that generally stop at age 13. The code is extensive and mostly well thought out, and it applies to a wide collection of online services, including gaming, social media platforms and streaming services as well as ecommerce sites.

Another plus for the ICO rules is how they adopt a risk-based approach to ensure that the rules are effectively applied. However, while that sounds good in theory, it might prove difficult in practice. For example, let’s say you want to verify the age of a website visitor. Do you have one version of your site for really young kids, and another for teens? Exactly how can you implement this? I don’t know either.

Naturally, the tech industry is not happy with this effort, saying the rules are too onerous, vague and broad. Like GDPR, they apply to every online business, regardless of whether it is based in the UK or elsewhere. The industry reps do have something of a point. What is interesting about the ICO rules is how they place the best interest of children above the bottom lines of the tech vendors and site operators. That is going to be hard to pull off, even if the rules are passed into law and the threat of fines (four percent of total annual worldwide revenue) is levied.

The UK tech policy expert Heather Burns wrote an extensive critique of the ICO draft rules last summer (while there have been some changes with the final draft, most of her issues remain relevant), calling it “one of the worst proposals on internet legislation I’ve ever seen.” The draft proposed a catch-22 situation: to find out if kids are accessing a service, administrators would be required to collect personally identifiable data about all users and site usage, precisely the sort of thing that the ICO, as a privacy regulator, should be dissuading companies from doing. Another issue is that the ICO rules, which were written to target U.S. social media giants, could be onerous for UK domestic startups and SMEs, at a time when many are considering their post-Brexit options. “If the goal of the draft code is to trigger an exodus of tech businesses and investment, it will succeed,” she writes. Additionally, no economic impact assessment of the proposals, as is required for UK legislation, was conducted.

Her section-by-section analysis is well worth studying. For example, she wrote that the draft proposal associated “the use of location data with abduction, physical and mental abuse, sexual abuse and trafficking. This hysteria could lead to young adults being infantilised under rules prepared for toddlers; rules which could, for example, ban them from being able to use a car share app to get home because it uses geolocation data.”

Only time will tell whether the ICO rules are helping or hurting things. And in the meantime, think about how you can do something today that will help your overall data privacy for the rest of the year. Ideally, you should celebrate your data privacy 24/7. Instead, we seem to note its diminishment, year after year.