undefined | Better HN

0 pointsdanarmak9y ago0 comments

> None of those licenses are for the user of the software

Of course licenses are for the user! Without a license, copyright law forbids you from downloading and running an application, let alone copying it to your other PC or emailing a copy to your friend. Addressing copyright law doesn't makes licenses longer, it makes them exist in the first place.

It's true that the GPL talks about some additional things like access to the source and the right to modify it, which ordinary, non-programmer users don't care about. But you also need it, or some license, to use the software at all. The BSD one is much simpler, but it's still a license and still needed.

Networked services don't fall under copyright law, but other laws exist that prohibit accessing a service (if it requires authentication) except under such terms as the service provider offers to you in a license or other contract.

Another example: when you edit a Wikipedia page, you are presented with this text:

> By saving changes, you agree to the Terms of Use, and you irrevocably agree to release your contribution under the CC BY-SA 3.0 License and the GFDL. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.

The linked Terms of Use, CC BY-SA, and GFDL contain many thousands of words combined, and require a grounding in copyright law to fully understand. Very few people ever give informed consent when editing Wikipedia.

> the higher standard of informed consent should be used before collecting any data

The Wikipedia article about informed consent says:

> Capacity pertains to the ability of the subject to both understand the information provided and form a reasonable judgment based on the potential consequences of his/her decision.

Most of the people in the world, and a significant part of the population even in Western countries, won't be able to understand the potential consequences of sharing their data.

I can't be sure I fully understand them myself! Twelve years ago, when Gmail was opened, I didn't know de-anonymization of large datasets would prove to be so easy. I didn't imagine Internet mobs doxxing and swatting people. What might be possible ten years from now with the personal data I share today?

If the law puts the burden of verifying the user's understanding on the service - meaning they can't trust the user's assurances - the service would need to administer an exam or interview to each prospective user. And indeed Wikipedia says to get informed consent, "the investigators must ensure that subjects have adequate comprehension of the information provided [....] assessing the level of understanding during the meeting". Obviously this isn't practical for Internet services.

The biggest source of personal data Facebook gathers is what its users post themselves. This would be true even if they didn't gather anything from Whatsapp messages, tracking cookies, etc. So should any services letting users post often-private content, like blogs and image hosters, require "informed consent"? That's just not practical.

I agree there's a problem. I don't see a solution yet. Banning everything until there's a solution is neither practical nor desireable.

0 comments

3 comments · 1 top-level

pdkl959y ago· 2 in thread

> Without a license, copyright law forbids you from downloading and running an application

That is an idiotic interpretation of copyright that has only been upheld in some court cases. The only copy being made by the user is the transient "copy" in memory. Selling someone a download to use as software while later claiming the necessary and transient copy in memory is a violation of copyright is simply fraud at the point of sale.

> copying it to your other PC or emailing a copy to your friend

Making additional copies is an entirely separate matter. Do not confuse use of software (or any other creative work) with copying. You seem to be intentionally conflating these terms, probably because of your erroneous belief that some type of permission is needed for use.

> GPL talks about some additional things

The GPL only talks about distributing extra copies. Have you even read it? From The FSF's FAQ[1] on the GPL:

    You are not required to agree to anything to merely
    use software which is licensed under the GPL.

The only reason to accept the GPL is if you are redistributing GPL-licensed software and want the additional distribution rights it grants.

> But you also need it, or some license, to use the software at all.

If this was true, we'd be in real trouble because the GPL does not grant any kind of usage license. When you last used a typical Linux distro you used software without usage licenses.

> Networked services don't fall under copyright law,

Correct, though their output may fall under copyright. This is why the AGPL exists to help with the problem of immoral Services as a Software Substitute[2].

> Very few people ever give informed consent when editing Wikipedia.

Nor do they need to. The copyright issues are orthogonal to the risks associated with logging personal (meta)data. As far as I know, there isn't any hidden safety risk associated with editing Wikipedia.

> I can't be sure I fully understand them myself!

While I have studied a lot about data-exposure risks, I know that I only see a tiny portion of the risk-space. Similar to the Schneier Principle where anybody can make crypto that they themselves cannot break (i.e. you're not the smartest person in the world), the risks of data aggregation are probably more numerous than anybody realizes.

That's kind of my point: when we have potentially open-ended risk, you need to minimize your exposure. More data stored in more locations is all additional attack surface.

> Obviously this isn't practical for Internet services.

Security is often in conflict with usability. I personally think that the impact on usability can be minimized through better UI or other solution (which may not exist yet).

Perhaps something like a small set of standardized licenses that are very clear and specific in scope. People could be expected to know what those "standard agreements" mean because those licenses could be taught outside of any particular business transaction.

> Banning everything until there's a solution is neither practical nor desireable.

If the Underwriters Laboratories didn't exist, you wouldn't think it was acceptable to continue using cheap wire ("A more desirable price for the consumer!") and unsafe designs ("it isn't practical to redesign all of our products"). You would (hopefully) insist that your products shouldn't set your house on fire and that we probably need some sort of higher standard (like those provided by the UL and other safety standards).

The precautionary principle cautions that when you don't know the risk, you should take the safer path. Making products or services that create massive amounts of new attack surface with completely unknown risk is not the safe path.

[1] https://www.gnu.org/licenses/gpl-faq.en.html#ClickThrough

[2] https://www.gnu.org/philosophy/who-does-that-server-really-s...

danarmakOP9y ago

> The only copy being made by the user is the transient "copy" in memory.

I'm not talking about that. The user is making a permanent copy on disk when downloading. IIUC this has been ruled by various courts to require a copyright holder's permission.

Some courts and countries disagree and say that only uploading is illegal. Some countries say that downloading is illegal but not criminal, and do not prosecute people for it. But, IIUC, they are in the minority.

Naturally, the fact that this is so does not imply that I like it being so or that I want it to keep being so.

> Do not confuse use of software (or any other creative work) with copying. You seem to be intentionally conflating these terms,

I am not conflating them. In addition to the apparent illegality of downloading, ordinary users often do create extra copies, and that is another reason the copyright license affects them.

> As far as I know, there isn't any hidden safety risk associated with editing Wikipedia.

Wikipedia logs edits, including IPs for anonymous ones. (This includes inter-user discussion on talk pages and the like.) They probably expose this data in aggregate form in their periodical database dumps (though I haven't checked). A person's edit history can contribute to building a profile of their online activity and their life and beliefs, just like their Facebook posts or Whatsapp messages.

> The precautionary principle cautions that when you don't know the risk, you should take the safer path.

We don't have good estimates of the future risk of sharing data now (as you agree above). We don't want to blindly maximize security either - both of us are posting personal opinions here on Hacker News. Without good risk estimates, people will keep disagreeing greatly on how much risk to take, and many of them will prove wrong in their predictions or hopes for the outcome - but we don't know in which direction.

To go with your analogy, it's good that Underwriters Laboratories exists. But before it existed, the correct action wasn't necessarily not to sell or buy any electrical products. People had to make their own decisions somehow.

pdkl959y ago

> I'm not talking about that. The user is making a permanent copy on disk when downloading.

The copy was made by the party that distributed it to the user, which was implicitly authorized by the fact that they sold it to the user.

> IIUC this has been ruled by various courts to require a copyright holder's permission.

This is wrong on several levels. First, no copy is being made by the user. Second, copyright only applies when copies are made and distributed. Third, no court has ruled that copyright even applies to the user when a copy sold by the copyright holder.

Please read about basic copyright law if you want to argue on this topic.

> Some countries

I can only speak about US law.

> the apparent illegality of downloading

Downloading is never a violation of copyright. Clearly you have never read anything about copyright and it's history.

> ordinary users often do create copies

That would be a violation of copyright, but recent rulings have ruled that transient copies that are a temporary and part of the normal technical process of using the software (such as RAM copies) are not a "copy" as far as copyright is concerned.

> Wikipedia logs edits, including IPs for anonymous ones.

Are you being obtuse on purpose? There is an obvious difference between voluntary edits made by the user, who is necessarily aware that Wikipedia will record when and what you edit as part of the editing process, and unknown "telemetry" or "analytics" that happen invisible to the user and may apply to data that was not directed at Facebook/etc. Obviously Wikipedia will log your edit; that's the intended result. Facebook reading messages you sent to your friend is spying that requires informed consent.

> We don't have good estimates of the future risk of sharing data now

We know they can be incredibly damaging right now, and I don't see this risk getting any smaller in the future. It will only get easier to de-anonymize data.

> the correct action wasn't necessarily not to sell or buy any electrical products

Of course. The moral action would have been to sell products that err on the side of caution, even if that makes them more expensive or less usable. To do otherwise is to willingly risk your customer's safety.

How about this: if you are so sure the risk is acceptable, you should indemnify your users against any future problems that result from data collection and sharing. If you think this is unreasonable, then you're admitting the risk is too large and you simply want the user to bear that risk. On the the other hand, if you think this risk is fine, then you shouldn't have any problem accepting liability.

j / k navigate · click thread line to collapse