What exactly is GDPR

I'm your host, Jonathan Strickland. I'm an executive producer at how Stuff Works in I love all things tech, and today we're going to tackle a fairly topical subject, something that really came into play in the spring of and chances are you have received an email or two or two dozen or more from various companies about new policies that relate to g d p R. Often they will ask you for your permission to continue to communicate with you.

So what's it all about? A Well, g d p R stands for General Data Protection Regulation and it's a data protection law, as the name suggests, and it's from the European Union or EU. But the Internet, as it turns out, is a mobile entity, so even if you do not live in the EU, you will likely be affected by this new law. In this episode, I'm going to go through the history of the law, what the law is actually all about, and how companies are doing

as far as complying with that law. And here's a hint, there are some companies that are not even close to compliance. But we'll get to that First, let's look back to nineteen That's when the European Union adopted the Data Protection Directive or d p D. There was a different world

back in the Worldwide Web was still a baby. Heck, I was still in college in n The heart of the Data Protection Directive was an effort to protect the privacy of citizens in the EU, and the EU as a whole has placed a high value on privacy, something that has been treated with uh, let's say, a more casual ual demeanor here in the United States, except in cases where something has gone terribly terribly wrong. The directive specifically covered how data can be processed and in what

context it might be processed within the European Union. It didn't matter if the data was collected manually or automatically as and it didn't matter if there was a human in charge of it or if it was an algorithm. The rules were a broad overview, leaving up specifics to the member countries to actually adopt those those rules and

incorporate them into their own laws. But some of the general tenants included that personal data could only be quote collected for specified explicit and legitimate purposes and not further process in a way incompatible with those purposes. End quote. Further, only the data needed for those purposes should be collected. There should not be a case of an entity collecting practically everything if that entity stated purpose is to run a process on just a narrow scope of all that data.

This might remind you of the old days of Facebook apps, where you could uh or add ons. You know, there's little things that you could attach to your Facebook profile and they would ask you for permission to view certain parts of your information. Well, in the old wild West days, that could be anything, it could be absolutely everything, even though the app itself may only use a tiny bit of information at any given time, especially for whatever the

app was supposed to do. Well. Eventually, Facebook cracked down on that and said, you know what, you should only ask permission to get access to the data you need to do whatever it is that you do, and otherwise you should leave everything else alone. That's kind of what was going on back in with this this directive. Further, the data was meant to be as accurate as possible, and if there were any indications that the information was inaccurate or it was out of date, it would be

quote erased or rectified. End quote. And finally, the data would have to be kept in such a way that the identity of the individuals involved would only be knowable for as long as it was necessary to run the process. Once the entity has done whatever it needed to do with all that information, it was supposed to anonymize the data so that there would be no way of knowing

who it pertained to. So once you had finished running whatever the process was, you had to make sure that the information would no longer be traced back to the people who gave you the information. In addition, the directive required entities to obtain user consent before collecting their information in the first place, and that consent had to be unambiguous.

In addition, the data collector was under the obligation of providing the individuals with information about who was ultimately getting the data and to what purpose, as well as provide for an opportunity for the individual to review the data for any potential errors, so that way, you, as the person involved, could say, well, let me take a look at what you've gathered and make sure that you don't have any information that is inaccurate or out of date.

Now already it might sound to you like this directive might have been a challenge to implement for a lot of reasons. In two thousand eleven, the European Data Protection Supervisor published an opinion titled quote a Comprehensive Approach on Personal Data Protection in EU end quote as sort of an update to this policy. By two thousand eleven, the Internet was much more mature than had been back in at least in the sense that there are a lot

more people and businesses using it. There's still no shortage of immature content on the Internet anyway. By two thousand eleven, e commerce was a really big deal, and Internet access was increasingly being viewed as a right. But that also brought with it threats to privacy. Many of the Internet connected services we enjoy are constantly collecting data on us, either about no information about us in particular, or tracking our behaviors over time, and that data is kind of

like currency. It's got value to it, So you and I might enjoy a service while simultaneously supplying information to the service provider, which in turn could potentially sell that information off to other buyers. This applies for everything from apps,

to social media networks to smart devices. On January two thousand twelve, the European Commission proposed a reform of the data protection rules that came from in order to better represent the new digital landscape and protects in privacy while simultaneously supporting the digital economy, which is a really tough job. You've gotta balance a lot of stuff that way. So it was in fact so difficult it would take four

years just to draft the new rules. In fourteen, the European Parliament voted on adopting a new set of rules, though those rules were not yet actually written. This was just the Parliament saying, yeah, I think it's time for us to actually have new rules. Regarding this, six votes were in favor of developing new rules, only ten votes were against it, and there were twenty two abstentions. The various governing bodies of the EU reached an agreement on the g d p R rules on December fifteen, two

thousand fifteen. On April two thousand sixteen, the EU officially adopted the g d p R set of rules, but they would not be enacted for another two years. In other words, they said, hey, everybody, you have two years to get your act together. Here are the rules that you need to abide by go, You've got two years to get there. This decision also, by the way, repealed that previous nine directive. It said, it's not in addition

to that directive. This replaces it entirely. As of the spring of the g d p R s provisions became directly applicable and all member states of the EU, and late in the spring, the EU published a corrigendum to the regulation. That means the EU published a list of corrections and clarifications relating to the law. And in the interest of full disclosure, I have to admit I needed to look up the word corrigendum because I don't think

I've ever seen it before. One of the biggest differences between the g d p R and the earlier Data Protection Directive is in its binding nature. The dp D, as I said, was a set of policies that had to be transposed into the national law of each of the members of the EU, which created a somewhat fragmented and messy set of policies. The g d p R, however, is different. It has direct legal effect on all EU member states, with no need for the policies to be

incorporated into those nations laws. So let's start talking about the specifics in the law. What does it cover and in what ways might a person's data still be used without their knowledge or consent. Much of the regulation affirmed the earlier Data Protection Directive, but here are some of

the key points. And first I'm gonna look at the opening statements of the g d p R. The EU has identified the protection of persons in relation of the processing of personal data as a fundamental right, and that right includes the right of protection of personal data. At the same time, there's a need to allow for the free flow of data between member states of the European Union, so any regulations in place must not create obstacles between

different member states. Citizens of the EU are allowed to move freely through the EU taking jobs in different member states, so their data should also be free to move through the EU with their consent. This next bit is pretty important, so I'm going to quote it directly. Quote the processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an

absolute right. It must be considered in relation to its fun in society and be balanced against other fundamental rights

in accordance with the principle of proportionality. The regulation respects all fundamental rights and observes the freedoms and principles recognized in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial,

and cultural, religious, and linguistic diversity. So, in other words, they were saying, yes, this is a fundamental right, but it does not take precedence over other fundamental rights. So there will come times when you have to take various things into consideration and you can't just say the privacy is the most important element in this particular scenario. You have to consider all the different parts and weigh them against each other. But what do we mean when we

say processing data. Well, essentially, it means any sort of operation on information, whether performed automatically or manually. That includes collecting data, recording data, structuring it in different ways, organizing it, altering it or adapting it, consulting the data, using it in some way, transmitting the data, or even erasing the data. All of that is considered processing, so essentially, if you

touch that data, you're processing it in some way. The document goes on to acknowledge that it is increasingly difficult and complicated to protect personal data in today's world. Globalization and the rapid exchange of information, coupled with platforms that encourage people to share their personal data, either explicitly or otherwise, have made it pretty hard to regulate. Gdp ARE also identifies two major categories of parties in addition to EU citizens.

These are the data controllers and the data processors. The can trollers are the entities that determine why and how data will be used, and the processors are the entities that actually carry out those operations on behalf of a collector. One single company can be both a collector and a processor, or they could partner with other companies. All right, those are the basics. When we come back, I'll get into more specifics with the g d p R, but first

let's take a quick break to thank our sponsor. One tricky thing in the policy is that it covers all entities that process data that belongs to EU citizens, even if those entities themselves are not in the EU. So, for example, let's say I have set up a new social networking platform and I'm calling it Strict Book. So I've got Strict Book, and I've built a data center in my garage here in the United States. But there are bowl in the European Union that have made accounts

on my platform. And let's say that I make money by dealing in data to parties that want that information. So I gather information from my users and I sell it to various entities that want access to it. Maybe they want to market to my users directly some advertising to them. Well, I would be the subject to the regulations of g d p R because there would be EU citizens using my service even though my services located

in the United States. So as long as those EU citizens were using my services while they were in the EU, I would have to play by this policy's rules. From the EU g DPR dot org site quote, the g d p R will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens, irrespective of whether payment is required, and the monitoring of

behavior that takes place within the EU. Non EU businesses processing the data of EU citizens will also have to appoint a representative in the EU. So essentially, what that's saying is, if you want to use the data that our citizens create, whether it's to market to them or you're tracking their information for some other purposes, you've got to play by our rules. Doesn't matter that you don't

have your operations here in the European Union. The introduction also explains that the policy does not protect in all cases. For example, it says this regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning

national security. This regulation does not apply to the processing of personal data by the Member states when carrying out activities in relation to the Common Foreign and Security Policy of the Union. Likewise, in the case of law enforcement conducting an investigation, the policy does not protect personal data. The policy does, however, point towards other regulations in the EU that govern how law enforcement can access personal information, because it's not just willy nilly, they have to go

through the proper procedures. However, they say there are obviously cases where persons private data may become an important element in some state level or law enforcement level UH process, and in those cases this does not protect him. You can't, as a citizen say no, police, you can't look at my personal data as part of this investigation, even though you lawfully obtained it by going through all the right processes.

That would not be allowable under g d p R. Another limitation of the g d p R is that it applies only to information for a person who is identified or is identifiable by that information, which includes suit oonymization. What means the data is quasi anonymous, that if you were presented with the information, you might not be able to immediately identify who that information pertained to, but that with additional information you would be able to identify the person.

So this is pretty important stuff, it turns out, because not that much information is actually needed to identify a person. For example, here in the United States, there was a Harvard professor named Latanya Sweeney who conducted the study a few years ago, and she discovered that all she needed was a zip code, a gender, and a birth date to identify up to eight seven percent of all people

in the United states that's it. Three data points. Those three pieces of data was all it would be needed in order for you to say that those pieces of information specifically refer to this person, and it worked eighty seven percent of the time for all us adults. It doesn't take much to single someone out. That is why the pseudo not nymization term is used. It's pseudo anonymous.

The policy goes a little bit further with this, stating that if it were to take an unreasonable amount of effort or money to ascertain the identity of a person based on this limited information, it's probably okay because it's unlikely anyone would actually go to those lengths. But the easier it is to identify a person based on the data, the more it falls under the protection of g d p R. But then, what about anonymous data? What about data that really seems to have no connection with any

particular individual. The g d p R does not protect truly anonymous data. If there's no way to identify a single person out of a collection of anonymized data for statistical or research purposes, that's fine. So if you were doing an academic study that took demographics into account and the population size, you were looking at were sufficiently large enough to ensure no respondent could be identified from the information,

you'd be all set. Not if you're worth king with a really small population size, anyone who is an outlier would be easily identifiable, and that would therefore fall under g d p R because it's not truly anonymous data. But if you're working with really big data sets, then outliers you will have enough of them to kind of make sure that anonymity is preserved, So again it's all spectrum. The g DPR also does not apply if you happen to be dead, but then at that point you're probably

past caring about your personal data. Also, it's hard to have personal data if you, you know, if you're no longer a person. The g DPR also says that any party that intends to collect and process data must be transparent in its policies. So those policies have to be easy to find, and they have to be written in such a way as to be easily understood. You aren't supposed to obfuscate your intentions with unnecessarily complicated jargon or

legal lease. This includes not just how data is collected, but to what purpose that data will be put so, if a cop he wants to collect information in order to sell it to other parties, it would have to disclose that in this policy and do so in a way that was pretty transparent, easy to understand, and the

g d p R does not mess around. When it comes to the concept of a user consenting to have his or her data collected or processed, I quote, consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subjects agreement to the processing of personal data relating to him or her, such as by a written statement, including

by electronic means, or an oral statement. This could include tacking a box when visiting an Internet website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in this context the data subjects acceptance of the proposed processing of his or her personal data. Silence, pre ticked boxes, or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the

same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subjects consent is to be given following a request by electronic means. The request must be clear, concise, and not unnecessarily disruptive to the use of the service for which it is provided. So yeah, it's a big deal, and companies are supposed to be real clear about this whenever they present a user with the option to opt

into this kind of data collection and processing. Moreover, consent should be just as easy to withdraw as it is to grant, so if a user decides after giving consent to revoke that consent, it has to be possible to do so, and the entity collecting or processing the data has to knock it off. Citizens are will allowed to ask for all their data from a controller, and then those citizens can even send that data to another controller. So, in other words, potentially the g d p R could

allow citizens to act as their own data brokers. Granted, personal data on an individual level is not worth all that much. It's mostly valued when it's in bulk, when you have thousands of people's data. Selling one person's data not that big a deal unless you're talking about things like, you know, credit card numbers and stuff like that. Even then it's not that expensive, So you might wonder how much is all your data worth? Well, that depends on the nature of the information and how much of it

you're providing and who you are really. But there's a great post on medium titled quote how much is your data worth? And that uses some basic industry analysis to conclude that, on average, a person's data is worth about two forty dollars per year. But this calculation was done with a lot of assumptions, and that is something the author of the piece readily admits to. It's a tricky question, but still it could now be a question answered by

individual citizens rather than data brokers. Related to this is the concept of data erasure, or better known as the right to be forgotten. A lot was written about this a couple of years ago when the EU first agreed to these rules, and I'll probably chat a little bit more about that later, but it is pretty tricky generally speaking.

This policy says the data subject has the right to tell a data collection entity to cut it out, to delete all the collected data about that person, and potentially have third parties that partnered with that data collection entity to stop any data processing of the information. However, this has to be done with a consideration toward quote the public interest in the availability of the data end quote.

So in other words, let's say you go and do something really really dumb, like colossally stupid, and news outlets pick it up and they cover your lostly stupid mistake, and now your name is associated with this terrible mistake you made, and you know you made it honestly, you didn't set out to make it. It just happened. But

now it's attached to your name. Well, you wouldn't be able to just sweep that under the rug by asking all search engines to delete information about you, thus reducing the chance anyone would ever see that information about your dumb mistake, because it goes against the public interest of the availability of that data. This is one of the points that I was talking about just a second ago that a lot of news outlets were really focusing on.

Because imagine you are, let's say, a political hopeful, and you decide you want to wipe out any references to your past that are online as best you can, and so you contact all of these different search engines to have all the information be quote unquote forgotten because you don't want people to dig up something you did, you know, fifteen years ago that would look really really bad while you're thing for office, that would be considered against this

policy at this point. But there was a lot of discussion back when these rules were first being proposed that said this might end up causing some huge problems down the road. And it turns out and it needs to be a case by case basis. It's not like something that is clearly spelled out within the charter of g DPR. Well, we're going to take another quick break, but when we come back, I'll tell you a little bit more about this and how companies are doing as they try to

measure up to g DPR. But first a quick word from our sponsor. So another change from the earlier Data Protection Directive is that the g d p R requires all system designers to incorporate privacy as part of the design from the start of their system, Like as soon as they start designing any kind of online system, data

privacy protection has to be part of the design. Previously had been treated more as an addition to previously existing systems, but now system designers have to buy law incorporate privacy design into the actual development of their systems if they are to operate within the European Union. If a data collection or processing company detects a data breach, it is obligated under g DPR to notify affected parties within seventy two hours of detecting the breach, so three days afterwards

they have to disclose this. That means that gone or the days when a company would sit on that information for maybe months or longer at a time. A data processor has to alert data collectors quote without undue delay in the quote upon detecting a breach. So let's say that Facebook is the data collector, and let's say there's an app out there are an add on, some form of enhancer for Facebook that is operating, and then the

enhancer detects that air systems have been breached. They would be obligated to alert Facebook to that problem without undue delay in order for Facebook to take any measures it could under the g d p R, and then it would also have to alert all the people affected by

this within three days. The g d p R also sets up the basis for a mandatory data protection officer for organizations that have core activities that quote consist of processing operations which require regular and systematic monitoring of data subjects. On a large scale, or of special categories of data or data relating to criminal convictions and offenses end quote. Other organizations can have a data protection officer, but it's

not mandatory if they are outside of that definition. However, all the really big companies out there kind of fall into this, So I expect we're going to have data protection officer as a new type of UH employee at most of those large companies, either employed directly by the company, or they will be offering their services as a data protection officer and it will be a contract issue with, you know, some sort of provider that specializes in this.

Because the person who is the data protection officer is supposed to have a specialty in that field. It's not just supposed to be Hey, Bob, do you want to be data protection officer this week? It's not supposed to be like that. In addition, this data protection officer becomes a liaison with data protection authorities or d p a s. The data protection authorities are kind of like the overseers of this system. They're the ones who are making certain

that everyone is is complying with the rules. If anyone's not complying with the rules, they can take action uh, And they have a lot of power. So for example, they can impose corrective actions such as a temporary or definitive limitation on data processing activities, including a complete ban on data processing, or or to order the suspension of

data flows to a recipient in a third country. So in other words, they could say, hey, Facebook, you are not allowed to process any data from any citizen in the European Union ever again, because you broke this rule. They technically have the power to do that. Uh. In addition, if a controller is found to be in breach of g d p R, it can be hit with a fine of up to four percent of its annual global turnover or twenty million euro whichever is greater. Well, global

turnover is a European phrase. It's a way of saying total revenues. That's what we would call it in the United States. So if you want to look at global total revenues, that can be a truly mind numbingly huge sum of money depending on the company. Let's go with a big one. Let's think about Apple. So Apple made two nine point two billion US dollars in revenue in If we convert that to your oh, that's one billion eight hundred ninety three million, eight hundred two thousand euro.

So let's take four percent of that. That would be a fine. Let's say Apple has committed this, this breach of g d PR, this this worst case scenario, and the data protection authorities levy this four percent fine. That four percent fine would amount to seven billion, eight hundred thirty five million, seven hundred fifty two thousand eighty euro,

almost eight billion euro in a in one fine. That's it's it's crazy, and that's why a lot of companies have really been taking a lot of effort to try and at least appear to comply with g d p R because the consequences are truly scary. And that's if, obviously, if your company is operating at a level where more than four percent of your your or your four percent rather of your total revenue is greater than twenty million euro. If it's less, then you still have to hey twenty

million euro. Now the penalties are tiered, so it's not like it's that fine for any infraction. The example I just cited was for the absolute worst case scenario, But if it were for a smaller infraction, Let's say that it's like you didn't conduct a proper impact assessment for something like a potential data breach, and the d p A S found that out. They said, oh, well, you

didn't take the necessary steps. According to the g d p R, you could be hit by a smaller fine, but by smaller fine, it could still be two percent of your total revenues. I mean, half of seven billion euros is still a huge amount of money, right Anyway. The full GDPR document is available online and in many different languages. The English language version is eighty eight pages long, so there's a lot more in there that I kind

of skimmed over for the purposes of this episode. I wanted to take a bit of time, however, to talk about the effect this has had on the world already. I'm recording this at the beginning of July two, team, and already we're starting to see the effects of GDPR. And first you probably received some of those emails or messages from different organizations about their efforts to comply with g d p R. A lot of companies have been working toward compliance ever since the policy was approved in

twenty sixteen. That's exactly what they were supposed to do. They were supposed to get their acts and gear within those two years, but according to analyst firm Gartner, more than half of all companies affected by g DPR will not be in full compliance with his regulations even by the end of ten. On a related note, there's a

consumer advocacy group called the European Consumer Organization. Its initialism is b e u C because it comes from the French name for the group, which I am not going to attempt to pronounce because I love you French speakers and I don't want to hurt you with my terrible pronunciation. But anyway, the b e u C conducted a study of big tech companies and how they hold up to

g DPR policies. And they analyzed a bunch of privacy policy sees by fourteen major companies, including Facebook, Apple, and Google, and they said that most of them had privacy policies that might not meet the g d PR standard at all. They said a lot of them included vague and insufficient language. One big reason for that comes down to the era

of big data. So big data or big data if you prefer, refers to enormous data sets that can include all sorts of information, including stuff that upon first glance might be useless or completely unrelated to whatever you want to analyze. But data analysts have found that you can discover really interesting patterns and associations and trends. If you have really large sets of data, sometimes you can find new ways to make use of that data that are

really transformative. But you might not have that idea before you actually get hold of all the information, and therein lies a huge problem. G d PR requires companies to spell out in clear terms why they want a person's information. They're only soupposed to collect the data relevant to whatever process they wish to perform, and they have to get the users consent to do it. So I have a feeling that if you were to ask a data collection company why do you need all this information about me

and my behavior? You might get a responsive oh no, and that won't cut it. There are companies right now that have so much information about us that they don't even know what they have. It's kind of like going to an auction and buying a locked storage unit and you don't get to look inside it. You have to buy it site unseen. You have no idea what you're going to get once you open that storage unit stores. It might be a gold mine of antiques, or it could just be a bunch of worthless junk, or might

even be empty. Well, some companies have enormous repositories of information that effectively amounts to the same thing. They don't know what they have yet. Having these companies comply with g d PR requires them to sift through all that information and to determine which bits are identifiable as defined by g d p R, and then be able to produce it or destroy it upon request, which is a pretty tall order, all right. So what does this mean

to the average person. Well, if you live in the EU, you now have some pretty darn powerful legislation looking after your data protection, and if you so choose, you can exert your rights to request data or even have it deleted, assuming doing so does not go against the public interest in general, and you should be able to expect that

to be delivered upon. Although I've listened to some podcasts, my buddy Nate Lankson did one for Bloomberg where he talked about how difficult it was to get his information from certain organizations h even going through the g d p R process. So companies aren't really necessarily prepared to do this, but they are supposed to comply with it. But if you're outside the EU, like me, you're probably just getting a ton of emails about this, and for

the most part you can ignore them. Some of them are likely asking you if you consent to being included on mailing lists as kind of a protective measu. You're there people who aren't certain if this is absolutely necessary yet, But a lot of companies are like, we'd better, We'd rather we'd rather send an unnecessary email out now and cover our bases, then find out later on that we should have done that. So if you want to keep getting email from those companies, you might need to skim

the message. There might be a link you have to click in to indicate you've opted in to receive that mail. But if you're like me, you're probably just deleting the emails and then relishing in the thought that you're not gonna have to deal with as much spam on a regular basis now. I noticed on zd net that there is a theory going around about clout. That's the company that assigned people a social media score based off the reach and impact of their various social media accounts like

Twitter and Facebook. Cloud closed up shop right around the time the gdp R compliance was to go into effect, which was May two thousand eighteen. And the theory is that's that it's possible Cloud went and closed up partly because it was so hard to comply with g d p R. I mean, they're an organization that's dependent upon many other entities that are collecting and processing data. So the owners of Cloud may have opted just to walk away rather than try and work that out. But again

that's just a theory. It may have nothing to do with the g d p R, but it is interesting the timing. And also there's some sites like news organizations such as the l A Times or the Baltimore Sun that have restricted the access to their sites within the European Unions. So if you're in the EU and you try to visit one of those sites, you might get a message stating that due to g d p R, the users would be unable to access the site at

that time. Now that's not necessarily permanent. These sites are more more likely just trying to find ways that they can comply with g DPR that might even require them to set up a different web portal for their various articles and services that operates on a different set of rules than the ones than the rest of the world do, which creates sort of a fragmented experience, But it might be the only way they're able to comply with gdp

R without overhauling their entire system. But the penalties for failing to comply are so high some companies would rather step back in the short term and lose all that traffic from the EU while they're trying to work on a more compliant implementation, rather than risk and enormous fine. And that brings us up to speed on what g d p R is and why it's causing so much

ruckis in the text sphere right now. I'm sure we'll have plenty of stories relating to g d p R unfold over the next few years, and I'm I'm certain that in the future I'll cover some of them. But I wanted to do this episode just in case some people out there were like me, wondering what this was all about. And you don't have time to read all eighty eight pages of that legislation. It's a real page turner. It's actually not that bad to read, um, but it's

a lot, so hopefully this was helpful. If you have any suggestions for future episodes of tech Stuff, whether it is a technology, a person, a company. Maybe there's a particular story in tech that you think really deserves deep treatment, send me a message asked me to cover it. I would love to hear from you. The email address for the show is tech Stuff at how stuff works dot com.

Or draw me a line on Facebook or Twitter. The handle of both of those is tech Stuff H s W. Don't forget to follow us on Instagram and I'll talk to you again really soon for more on this and thousands of other topics. Because it how stuff works dot com