If it is "industry standard", does that make it ethical?
Corporations tend not to mind if you take away a business strategy of theirs, as long as you take it away from everybody else at the same time. If you only take it away from one corporation, that corporation will be temporarily outcompeted by the corporations you haven't yet taken the business strategy away from, so they heavily resist that.
But heaven forbid governments hold a dominant corporation accountable in the public interest.
Not so if it is the only way for the business model to be profitable. More generally, this argument assumes that there is a fixed profit to the business, and the only thing to compete for is a bigger share of that fixed profit. The reality is that corporations are amenable to increasing the profit all around so long as they get part of it, and don't particularly care who gets exploited in the process. Conversely, they do tend to protest when the pool is reduced, even if it affects their competitors similarly.
If I go to the police to complain that my neighbour is spying on me, it's only natural that the police only investigates that neighbour.
"But, officer, everybody else was speeding, too!"
Well, you are just the first one and the biggest one.
"Officer, The guy in front of me was driving fast too, so why not him?"
However, regulators like to make examples of bigger corporations since the publicity is more effective with them, and also they are able to both pay up and/or change.
I read that as: why are you only paying attention now? (i.e. after allowing the industry to reach its current, pathological state)
Also: from the jurisdiction's point of view, this is perhaps the only efficient way to allocate legal / judicial resources. You go after a small handful of big-name "make an example" cases, and hope that this deters use of the business strategy by the long tail of smaller companies you can't afford to go after.
That's not true in this case. As the large incumbent in social media and advertising, Facebook are the company most impacted by this, whether or not their competitors are impacted.
"Why have you singled us out for dumping 1000 tonnes of ash into the environment each day? Look, this guy is dumping his ashtray on the grass right now!"
Nope, not at all. Standard practice does not override ethics. Tobacco companies would consider advertising and promoting smoking as industry practice, but we cracked down on that because encouraging people to do something that is demonstrably bad for their health was something we decided wasn't ethical and would be cracked down on.
FB's system is much more reliant on tracking though. Google's can at least work anonymously, eg searched 'dentists' in some area. FB's is almost useless without tracking.
Seems innocuous enough until you really think about what they're saying. "But, tracking these people without their consent allows companies, including us, to make money off of them".
That's actually a pretty brazen thing to say; as if the fact that people can be monetized should trump their right to privacy.
Industry here is essentially Google and Facebook. The other "players" fight for the crumbs. Ethical? They need growth, every quarter.
1. I don't have an account on Facebook.
2. Blocked Facebook domains via /etc/hosts
3. Use ghostery
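The /etc/hosts approach from step 2 has a catch worth showing: the hosts file has no wildcard support, so every hostname must be listed explicitly, and re-running a naive append duplicates entries. This added POSIX sh script (not the commenter's own setup) null-routes a constructed, illustrative list of base domains plus common subdomain labels inside a managed marker block, so it can be re-applied safely; the domain and label lists are assumptions you would edit for your own environment.

```shell
#!/bin/sh
# Constructed sample list of base domains to null-route. Assumption: these
# stand in for the "Facebook domains" the commenter blocked; edit to taste.
BLOCK_DOMAINS="facebook.com facebook.net fbcdn.net"

# /etc/hosts cannot express "*.facebook.com", so each hostname that should
# resolve to 0.0.0.0 has to be spelled out. These labels are an assumed,
# illustrative set of subdomains seen on tracking endpoints.
SUBDOMAIN_LABELS="www connect graph pixel static staticxx"

# Emit one hosts line per base domain and per label.subdomain combination.
# 0.0.0.0 is used rather than 127.0.0.1 so blocked names fail fast instead
# of hitting whatever happens to listen on localhost.
hosts_block_lines() {
    for d in $BLOCK_DOMAINS; do
        echo "0.0.0.0 $d"
        for s in $SUBDOMAIN_LABELS; do
            echo "0.0.0.0 $s.$d"
        done
    done
}

# Rewrite the managed section of the hosts file given as $1. Everything
# outside the BEGIN/END markers is preserved; the section between them is
# replaced, so running this twice does not pile up duplicate entries.
apply_hosts_block() {
    f="$1"
    start="# BEGIN tracker-block (managed)"
    end="# END tracker-block (managed)"
    tmp="$f.tmp.$$"
    awk -v s="$start" -v e="$end" '
        $0 == s { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip { print }
    ' "$f" > "$tmp"
    {
        echo "$start"
        hosts_block_lines
        echo "$end"
    } >> "$tmp"
    mv "$tmp" "$f"
}

# Return 0 if hostname $2 is null-routed in hosts file $1, 1 otherwise.
# -x -F matches the whole line as a fixed string, so "facebook.com" does not
# accidentally count "www.facebook.com" as blocked.
is_blocked() {
    grep -qxF "0.0.0.0 $2" "$1"
}
```

Run it against a copy of /etc/hosts first and diff the result; on the real file it needs root, and any subdomain not in the label list still resolves normally, which is the limitation the script makes visible.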
And despite all of these steps it feels like we are wasting our brightest minds to always be a step ahead in surveilling what the humans of this world are doing to exploit it for targeted advertising.
Very much not an excuse. It's up to the business to work out how to do this within the law.
> and reach customers
If I am not a Facebook user I am not your customer.
It is even worse to be made into a product that FB sells when you aren’t even a FB user.
A bit like when you wait for the green light to walk over the street; if you see someone walking the red light, you walk it too.
Of course you still get flattened by a semi-truck doing 50 kph.
I also don't see any advantage for the user, getting ads is not in their interest.
EU doesn't care about this. Like this argument works only in the US.
Yes, tracking cookies is ethical. If some internet users do not want to get tracked - they can run their browser in Incognito Mode.
* Explicit consent for non-essential data use, you always need to provide opt-out without degrading the service
* Opt-in/out separately for every activity (no more "research purposes")
* Data deletion and takeout. Maybe in the future EU will also introduce some standards for the takeout, which will allow us to migrate between services much easier (as we now can switch between banks or telcos in a semi-automatic way)
Basically EU wanted sites to obtain consent to use users' cookies (and for the users to give/take away that consent). However, pretty much all the sites just decided to provide you with a banner saying something like "if you're using this site you agree to our cookie policy". Therefore the law became ineffective and just a nuisance to the users.
This notion of "implied consent" is being actively fought with GDPR. You have to provide explicit consent to the usage of your data. And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service).
With ePrivacy this will go one step further. Right now you only need to provide opt-out, which means most people will likely leave it as is. Going forward those additional services (marketing purposes, ad tracking) will need to be strictly opt-in (and there's already internal research done in some companies showing that marketing/ad opt-in rates will be 10-12% at best).
You could see the cookie law as a gentle request for Internet businesses to self-regulate and limit unnecessary tracking. It didn't work (I don't know of any case when businesses decided to self-regulate themselves out of potential extra profit), so now GDPR is meant to force companies to stop their user-hostile data abuse.
There are rules about things banks have to inform you of, or pharmaceuticals. On the academic side, this can be effective. Disclosure and making information public. On the consumer side it is almost always disingenuous. Small print meticulously written by compliance officers and reviewed by regulators. No one seems capable of stepping back and asking "are consumers better informed?"
When internet service X wants you to know your card is about to expire, they make sure that you are informed. When a regulator wants you to be informed about cookies.... we get small print, and a nag screen making us promise that we read it.
> Explicit consent for non-essential data use, [...]
This raises a bunch of questions. Anyone know the answer to any of these?
1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?
> [...] you always need to provide opt-out without degrading the service
2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.
On the paywall, it offers to waive the subscription fee if you consent to non-essential data use. If you either do not consent, or, after consenting later change your mind and opt-out, is it "degrading the service" if I no longer let you have access to the material behind the paywall?
3. In #2, does it matter if that's how my site works for people that I can identify as being in the EU, but works differently for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?
4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.
If they say that they are not, I set a cookie that records this, and they get my normal site, which only follows whatever data collection rules my country imposes.
If they say they are, I just send them to a page that says EU people are not allowed to use my site.
What's the situation if someone inside the EU lies and tells me that they are not in the EU? Am I in violation of GDPR for keeping forbidden data on them, or does their lying to me count as consent?
[1] In fact, most of the data we keep on EU customers is data that we don't even want to keep, but the EU is requiring us to keep it for VAT MOSS reporting. Before VAT MOSS, all our EU sales went through a UK entity, and we paid UK VAT on all of them, which required much less information for reporting.
If you use the data for bank transactions or paypal subscriptions it's essential.
If you sell the data for profit, it might be essential but it falls under "opt-in only" of the GDPR. So in this part; not essential in the above sense.
> 2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.
Subscription paywall is fine. What isn't fine is degrading the service if the user opts out of having trackers included in the website when they visit.
> 3. In #2, does it matter if that's how my site works for people that I can identify as being in the EU, but works differently for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?
GDPR only applies when you target people currently in the EU (citizen or not) and EU citizens outside the EU.
> 4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.
If they say no, I would say that is okay to believe considering the GDPR also requires a "Are you 16" question. Ask a lawyer.
I don’t know the answer (interesting idea though). One thought came to mind: If you do it this way, you can only monetise your EU customers indirectly. As soon as you bill them, you’ll probably need to capture their address info at which point you know for sure they are in the EU. Yes you could argue it’s a non-EU citizen using an EU address while not being physically within the EU at the point of the transaction, but I wouldn’t think that would get a free pass in court.
IANAL, but intuitively, I'd say no.
In a technical sense, it's not essential: Even if your whole income is based on data reselling, your site wouldn't instantly become unusable the moment you can't collect any user data anymore. (Unless you deliberately make it so, but then that's your decision and not a technical necessity)
Yes, you will operate at a loss, but that is your problem as a business. It doesn't have anything to do with your ability to perform the service.
In a more general sense, basing your business model on data collection is your decision. There are other ways to make money on the internet. So if you have the option of finding other sources of funding, it's not "essential".
The jurisdiction stuff is disturbing. Having separate rules/rulings for Belgium, Turkey, Venezuela, etc... It's (a) not practical and will end up helping incumbents. (b) It really curbs the internet's ability to promote an open information norm.
Privacy is an issue and we need to do something about it. But, I have a real feeling censorship, corporate-protectionism, copyright and other agendas will tag along, once the legislature-courts-enforcement complex is up and running. The sorry state of international law/governance isn't helping, including even the EU.
Meanwhile, the recent history of legislative action (eg, the "cookie laws") is not encouraging. I don't think legislators were even aware that it would amount to nothing more than nag screens and terms of use. Don't use incognito, or every site will nag you again; your consent is mandatory and stored as a cookie, for extra irony.
Ultimately, these things would have been better dealt with at the standards/protocols/browsers level, but I think that ship has sailed.
The GDPR will not allow blanket consent statements, it will not allow “permission bundling” (eg. allow access to everything or you can’t use the site).
The changes Twitter rolled out in preparation of the GDPR look like a good thing.
We’ll see how it turns out, but I think the GDPR will actually force companies to change, beyond cosmetic changes. And since it is valid for all “data subjects” in the EU, companies will have to consider that. The EU is too large a market for companies to ignore.
This is something I have not been able to come to terms with. I can understand requiring express consent to each item individually, rather than burying everything into a long ToS. But what I cannot understand is forcing me (as a service provider) into a contract with a customer even if the customer rejects some of my terms.
I realize generality and such get in the way of this, but... I think it would have been better if this move specifically targeted the 100 biggest companies, who have the scale and resources to actually use all this tracking data.
The jurisdiction stuff is disturbing. Having separate rules/rulings for Belgium, Turkey, Venezuela, etc...
It's (a) not practical and will end up helping incumbents.
(b) It really curbs the internet's ability to promote an open information norm.
I find it disingenuous of Facebook to be serving all the EU equally, then claim that Belgium's jurisdiction doesn't cover them because they're based in Ireland. That sounds like having your cake and eating it.
I don’t think so. Only really large corporations are able to serve all areas anyways. Most small companies in the world already cannot afford to serve multiple jurisdictions.
HN is serving all countries right now, as it did when there were 54 people reading it the day it launched.
Geographic borders may be relevant online, but they may not.
- single Internet jurisdiction, overriding national sovereignty; in practice this means letting America run the Internet
- National Internet jurisdictions, which potentially come with some sort of virtual border policing; Great Firewall(s)
- lawlessness, which libertarians will like but produces outcomes increasingly unacceptable to the public
One of the things lawlessness produced was internationalization and de-censorship of media. That hasn't been without cost, we've had several (mostly failed, but still) political revolutions as a consequence, from Cairo to Hong Kong. At the heart of it was the ungovernability. Countries had to deal with a more or less "take-it-or-leave-it" proposition. China was the first to really break out of that restriction, and I don't think it's a coincidence that (a) a powerful country led the charge or that (b) political censorship was the leading reason.
Another benefit (again, in my view) was a relatively open playing field, commercially. We're worried about power concentrating in the few hands of FB, Google, and such. But, the internet economy is still a lot higher resolution than most other markets. The big markets are usually highly concentrated (eg, supermarkets, FMCGs, financial services, media, logistics, transport...) or practically confined to small scale niches: local services, real estate...
I think we've been getting cynical about this as the winners dig in, but the internet really has been a place where part time tinkerers could compete with $bn mammoths.
This is not an anarchist statement, or part of an overarching political ideology. There are, as you say, tradeoffs. There are choices that can create more or less good or bad.
Anyway, let's not count chickens just yet. We've seen China regulate the internet effectively for political control and industry protectionism. We've yet to see any country be effective on privacy. We've got the GDPR playing out this year. We've got more active courts & legislatures. Let's see if privacy actually improves.
The worst case scenario is that we end up with all the negative trade-offs, but all we end up with is a privacy bureaucracy that doesn't affect privacy much.
Remember that we've seen one (IMO) embarrassing failure go unacknowledged: the cookie law. We got nag screens and compliance audits. We didn't get any privacy.
If you dislike that, you should be happy about the GDPR since it's harmonizing data protection law across 28 EU member states.
That's like saying that democracy is disturbing, but it's the best we have got. FB should respect laws in Belgium, that's it.
I don't trust "governance", I trust "government": because it is only at a national level that we see a bit of democratic accountability.
In this case, I like the court's decision and FB is big enough to deal with it. What about a much smaller service dealing with Polish censorship laws, Turkish political content laws and 12 incompatible EU privacy laws. It can only end in either (a) overall ineffectiveness or (b) internet balkanization.
Facebook following Belgian law isn't the issue; the issue is that jurisdiction questions have to answer a lot of less-palatable questions the same way.
From that sample size I'd estimate the percentage of engineers who don't care about ethics to be at least around 10%.
Even apart from people without any values.. most engineers don’t hang out on HN, and don’t care much about global scale politics. They care about things that affect them in a very immediate way - family wellbeing, friends, coworkers, and how to pay the bills. I think many don’t infer how much of an impact their actions actually have, since they are „only spokes in the wheel“.
* Turn up to job. Nice people, good desk, good canteen. Benefits good.
* Work is interesting - working on cutting edge, dynamic web experiences that are changing the way we interact with people.
* Solved a knotty engineering problem today. Was very pleased, boss was impressed.
* Shipped product today. New sprint starts tomorrow. No defects!
The actual implications of any one feature, the borders between personal data and pure engineering problems blur. Your effort is only a small part of hundreds of effort-hours taken to ship and maintain a product. The decisions about where the lines are drawn were taken months or years ago by people who may or may not be at the company and who were also probably just trying to solve the problem that was in front of them.
You, the engineer, are never sat alone in a room with a user story that breaks GDPR for a product that is fully compliant. The future of the product never rests with you and only you.
One thing that always stands out to me on HN is how obsessed Silicon Valley is with money, from top to bottom. There are plenty of people on here that would happily implement invasive tracking if they were compensated well enough for it.
"Ghostery’s B2B Digital Governance solutions will reassume the company’s original Evidon brand, which focuses on monitoring and consent solutions ...Evidon will retain aggregated data about trackers, ensuring no change to the service currently provided to its enterprise clients..."
Stick to something like uMatrix
I would think just say ok we stop doing it because we're going to have to stop doing it anyway. But they're not stopping, what is the plan?!?
Another way they could deal with it is by disputing the EU-US privacy shield[1] or disputing the decision that overturned the original privacy safe harbour[2]. IANAL so I have no idea how they would do this, but it will be costly for ECJ and FB.
[1] https://en.wikipedia.org/wiki/EU-US_Privacy_Shield [2] https://en.wikipedia.org/wiki/International_Safe_Harbor_Priv...
So, you can't just continuously pay fines whenever a court rules another time that it's illegal. The fine for a felony is much higher and at some point, you'd also simply be thrown out, or blocked in the case of Facebook, I suppose.
My impression is FB allows targeted advertising without selling anything. In fact, why would FB sell their most valuable asset?
And that's a maximum fine for a particular decision not the maximum fine annually. They can certainly be fined once and ordered to stop processing the data within, say, 30 days; then fined once more after the 30 days have passed for noncompliance with that order, and then so on.
There also is personal liability for the responsible executives and employees who'd be violating the regulator's order.
on edit: looking here https://www.i-scoop.eu/gdpr/gdpr-fines-guidelines-applicatio... it seems the second level of fines go up to 2% and are on a per case basis.
sure, I guess the entire tech industry would be dead without tracking users
Even behind an ISP or corporate NAT with cookies disabled, there are other ways of tracking. If JavaScript is enabled, browser fingerprinting can be very disturbing in its ability to single you out, depending on your configuration.
More generally, I always found this obsession with tracking non-users one of the creepier aspects of Facebook when I finally used it circa 2011 - 2012. The amount of information it had about me that could only have come from web browsing before I had signed up, such as local takeaways and restaurants I had used, was impressive but unnerving.
For Facebook to lie in such a lawsuit would require hundreds of their employees being willing to lie under oath. It just doesn’t make sense, considering they would risk harsh criminal sanctions and have only their usual salary as an upside.
As for IP-based tracking: if it were as effective as cookies, websites would use IPs and not cookies.
Actually it would only require a handful of people hiding the truth. Given how most of Facebook's development is done in the US and not in Belgium, they won't even have to appear in court.
Also IP-based tracking is very effective, and it's used alongside cookies. Nothing beats cookies with Javascript, but IP will do just fine, especially for companies like Facebook and Google who can track you on pretty much every click you take.
To answer your question, though, if you live in the EU, then the GDPR, due to be enforced on the 25th of May, does make this practice of Google most definitely illegal. So, in like two years from now, when the lawsuit regarding this concludes and Google is actually forced to follow the law, then you should be able to.
If you still cannot be convinced to drop Gmail, there might be a technical solution to your problem, too.
For Firefox, there's an official extension called Multi-Account Containers, which allows you to have different sets of cookies in different groups of tabs. And you can tell it to always open certain webpages in certain containers.
So, you would install the extension: https://addons.mozilla.org/en-US/firefox/addon/multi-account...
Then click the new Multi-Account Container button in the toolbar and from there open a new tab in a Container (you can also create a Container specifically for this, if you want).
Then in this new tab, open up Gmail and log in, and again click the Multi-Account Container button in the toolbar and tick "Always open this website in ...".
Finally, open up a new (non-Container) tab and log out from Google there.
Google doesn't "read your email", they index it. Which allows you to search it. And then they show ads that are targeted to keywords that appear in the index. Gasp!
I seriously don't understand what the big deal is. Genuinely, what is the risk or concern here?
And I really doubt that GDPR is going to kill Gmail. They need that index to provide the search capability, if nothing else.
I think many of you who are fans of GDPR are going to be gravely disappointed.
People considering buying stock and people owning stock should hopefully be informed enough to have noticed this.
There's also the GDPR upcoming in May. I cannot imagine that Facebook won't make losses when that hits. They might be able to defer the impact by mostly ignoring the law until they get sued, but ultimately it really just seems like it's going to be downhill from here on, which is not what anyone looking to buy stock is after.
Just awesome...
Although I should say, not without hesitation, given the extreme discrepancy between rates of change in tech and law. I would hate to see seemingly well meaning legislation passed for something like this and then turned against us by our friends at the NSA, for example.
A major tech company tracking users across the web beyond their own limited use-case platform is a relatively new phenomenon but now that it's been established in the courts as a big financial and PR risk then there is a big deterrent from future companies doing it. And often courts in other western countries take note of precedence defined in major foreign courts to define their own.
Formalizing this in legislation always seems to sound like a good idea in the short-term. But in practice it's often really hard to define preemptive regulatory systems that work efficiently (and relevant to today's realities), especially in technology, as well as more expensive to enforce via agencies/auditors, and will likely end up wastefully crossing over into many areas/situations which are totally harmless in practice or having negative side-effects which outweigh the benefits, such as harming innovation.
I'd rather we deal with negative behaviour on a case-by-case basis.
Simple: that the courts won't handle it. It is not reasonable to expect either customers or the courts to actively go after companies that use this sort of tracking internationally.
They can go after companies with a global presence, by doing so locally, and of course because these companies will actually fight it instead of just ignoring them. So Facebook is a target of convenience, but convicting it will not yield any results (if necessary Facebook will just use an intermediary, besides Facebook is being targeted because politicians like to stick it to Facebook atm).
You can say "just change the law", but a lot needs to happen beside that to make this practice stop. None of that is happening, so this practice won't stop as a result of this. It's just a PR grab for some politicians.
The corporate response to long hours and low pay is to put up suicide nets. In the U.S. we have minimum wage, hourly restrictions, break, and overtime laws.
You can't trust the market to weed out bad players when the bad players are the ones with enough money to buy public perception and government influence. You have to force them to do the right thing through legislation.
You also seem to neglect that the government all over frequently takes advantage of its position in ways that make things worse for society.
The thing about corporations, though, is that with minimal regulation, they can be forced to compete, and ultimately bad ones are orders of magnitude more likely to change or die than any given government. In fact I'd argue that a constant churn of negative companies is still better than some of the worst tyrannical states that ever existed, by a large margin, because of the forces of competition.
The law is already far behind in this case. It implicitly assumes all databases allow for a CRUD workflow. But now we have blockchains/distributed databases where the UD part of CRUD is literally impossible. It will be very interesting to see how the courts deal with personal data stored in this manner...
Why don't you put your faith in data? If you're an engineer that's presumably what you're already doing in every other respect of your life. It doesn't seem to me that starting out already having decided on what the best approach is will lead to the best decisions.
Is it because the article relates to evil Facebook and not Google?
Also give me examples of EU companies that track users on most of the internet.
Not sure if I understood what you meant. I'm not saying that they should, I'm saying that they often do. At least on HN.
Well, FB is headquartered in Ireland...
Maybe send the army or CIA to change some governments, some citizens dare not have FB accounts, they must have something to hide /s