Microsoft spent decades aggressively lobbying European governments and companies to use their stuff. Even if this finding has any short term impact (see the other comments about this point), I find it hard to believe Microsoft wouldn't swallow the pill and simply become compliant. If not - yeah, companies who are entrenched in Microsoft products have to find alternatives, which is gonna cost them significant efforts, but also open the door to more competition. Sounds like a short term problem for European businesses even in the worst case scenario.
The only way for Microsoft to become compliant is to carve out its European business into a separate organization (not even a subsidiary -- it could be that even a joint venture would not be enough to escape the reach of the CLOUD act).
Having this discussion on HackerNews is useless, because people here are at best very light users of Office and at worst don't use it at all.
How many hours per week does your work involve Office software? Because for a lot of people it's 40, but those people are not on HN.
Like Google (US) or Zoho (Indian).
I do not know European companies providing a cloud solution easy to deploy (I wild truly be glad to know one).
I have to admit though that O365 is handy for collaboration. I hope we can do something like a LibreOffice-based similar thing that companies can star using as a platform for online collaboration.
Where I work we already have lots of regulations on what we can and what we can't store on SharePoint or work on O365. My job is mostly safe from those inconveniences, but one of my first jobs was to build an asset delivery system that would comply with a number of US and EU regulations on what asset can be delivered to whom from where. Took lots of meetings with legal.
It will keep these already slow organizations busy trying to find and implement alternatives. Instead they could focus on growing their businesses.
Good luck Europe.
Something-something auto makers conform to California emission laws, same argument.
I think that's a bit more nuanced. There's definitely a lot of "nobody gets fired for MS", and lots of big companies use O365 because of existing licenses. At the same time, there's lots of small companies using Google suite. There are companies relying on specialised software. There's lots of those that don't use anything beyond a simple text editor where switching is trivial.
And yeah, huge companies rely on O365, but those will get fixes that get them to compliance very soon.
How many data was copied because of the MS chain of Windows->Exchange->Office?
People in most of Europe are truly convinced finance, money and growth are mirages made to enslave them in eternal pursuit of an unreachable state, and instead prefer to cool it down. It's not a pragmatic strategy because it ignores we re not alone.
Instead MS brought back productivity-tracking.
That's a No-Go and MS only gets away with it because of their desktop monopoly in the industry.
I think they'll do just fine without Microsoft harvesting your precious data
I think they'll do just fine without being forced to use Microsoft products
I think they'll do just fine without having Microsoft as only choice
I think it's important to fight lobbies and monopolies
I think it's sad that many European companies died because they couldn't compete with Microsoft lobbies
Europe is the home of many big open source projects and open standards
Maybe this will result in a proper open alternative to Microsoft 365
Yeah, right. Plenty of companies will fail if they are forced to use some of the almost perfectly equal alternatives.
People from the US tend to underestimate the EU, the EU could easily give a bit of cash to a competitor along with some juicy contracts, the US is not the only bloc that can throw millions at a problem.
https://matrix.org/blog/2021/07/21/germanys-national-healthc...
That's nothing even for a middle sized EU state.
Considering the whole EU such costs would be a rounding error; even really hard to spot in the budget.
But it would be an investment in domestic economy and a step towards independence form the empire. Should be a nobrainer therefore.
Open source isn't all upside with no down and that is why co.mercial software still dominates and will unless someone decides to take the hit and carry the load for those downsides.
Besides, in terms of MS365 there is the added problem that there is no good alternative. There are some reasonable alternatives for individual instances but not for the delivers of using 365.
If you want to save some cash, I can recommend Syncthing. You don't need to host a server for it unless you want to - it is peer-to-peer with all devices you want to be linked via their discovery servers (you can host your own as well).
I used to host my own Nextcloud for about 3 years, moved to Syncthing a few weeks ago, pretty happy so far.
Who supports it when something goes wrong?
Who ensures there are a wide base of users trained to use it?
How good are the transition resources?
How much will it really cost to transition to the "free" option...
As far as I know, they shut it down two years ago citing higher costs and operational issues.
The main point I am trying to make, though, is that investing in software that can be used and improved by anyone is (IMO) the appropriate allocation of tax money. Right now, the money is used on licenses (and, of course, support). What if it was used on development (and support) and the byproduct is a software that ideally can be used by anyone who paid for it, too?
The GDPR situation poses an opportunity to make that switch.
What they mean is that FOSS is more likely to be developed with product quality and value in mind. Proprietary software need to satisfy corporate goals too. And these are often contradictory to the spirit behind GDPR.
Everybody knows you must use Microsoft products and if those don't comply with regulations, the regulations will have to change...
I doubt the EU can prevent MS365 from being used, and MS can say "we aren't paying a fine here. Ever. Good luck with it."
Who will succeed? No idea.
TBH, i used to work at a bank (and now at an energy company), and anecdotal evidence i have is that no big business use M365 cloud services(2 for 2 now). At least not in the IT departement, even where we have people using access to mash .xlsx together and get actionnable data from it.
[edit] I must add that the bank used azure (as an AWS backup mostly), and still, we had no M365 product installed on our microsoft computer.
I'm not a hater or anything, i do have a FOSS bias, but i try to stick to the facts here.
I suppose Office went "everything is flat and coloured rectangles" but I don't think that's necessarily a good thing.
Basically separation of encryption and decryption key in a location other then azure for example.
Nobody cared, nothing happened. People still store both in azure.
As long no one gets fined ( here companies) nothing will happen
They have more power over MS than they think if they're willing to exercise it, but they're mostly not willing. (Examples like the Dutch public sector do exist, where they were able to get different terms from MS that are more compliant with the GDPR, including effective audit rights that have successfully verified compliance with these terms.)
The EU has provisions for very similar "hostile surveillance law" in its own member states. It just gave them a get out of jail free card in the GDPR. There is a considerable amount of hypocrisy about the EU's positions on privacy and data protection.
The trouble with this whole subject is that you get grandstanding politicians trying to make big statements that go so far that it becomes unrealistic to enforce them because you'd cause catastrophic economic and/or social damage. If you really want to improve things what you need is steady, incremental progress towards restricting unwanted invasions of privacy. You can start with the most invasive commercial spyware. After a while you have moved the Overton window so that the worst excesses of governments' own surveillance programmes start to become viable candidates for reform as well. Ideally you eventually move societies away from the politics of fear that motivates those kinds of mass surveillance laws but that doesn't seem likely any time soon.
Privacy Shield was canned years ago but your company is most likely moving data to an American "Anti-Virus" provider under this framework.
It might imply that o365 sevices in the EU/EEC will increase in price - but I'm quite certain the data privacy will be better.
Remember that this has implications for all businesses that deliver on government contracts in the EU - they would all have to move away, for example not hosting email with o365 because government won't communicate details involving GDPR protected data over untrusted services (even with encryption enabled).
However, due to enforcement being absent or taking ages, there are too few legal decisions and big expensive enforcement actions that one can point to. Currently everything is really still fear, uncertainty and doubt, the hammer hasn't come down yet. I'm not sure if it ever will, at least not before EU institutions or other member states such as France force Germany to stop dragging its feet.
I understand the hope is that companies will comply rather than forego the entire European market, but if they don't, the last consequence is ultimately on the consumer, not the company.
It seems like the same type of thing as when Quebec recently decided any service that serves customers in Quebec must offer a French version of all their services. Quebec is a much smaller market than Europe, so the effect was that companies just stopped offering services to people in Quebec, but it seems like these are the same kind of issue.
Government wants services to be provided in a certain way. Service provider declines. Consequences disproportionately impact the consumer, not the service provider.
Why should it be up to a governmental agency to tell you you are not permitted to use a service because they think the service is being provided in a way they don't like?
This isn't TikTok and what people do on their private phones. This is a foreign company that has the capability to siphon off a lot of data about business decisions, businesses connections, contracts etc.
because china is a totalitarian country and the us isn't
In some cases it's rather trivial, in other cases its dependent on the survival of the nation state to enforce the rules on the corporation.
Therefore forbidding some types of contracts for everyone does have established precedent.
However, there does not appear to be a limit to this.
For example, can governments ban their residents from signing contracts to distribute or host porn, gambling, etc.?
This is one hope sure but at least in Germany the simple thing about it is that people don't want to lose control over their data if they don't have to (we even have a word for it: "Datensparsamkeit" = data econonomy/thriftiness). If that means that some German company won't be able to use O365, so be it.
Only few here will care what happens to Microsoft because of this. It's not about Microsoft. It's about people who use it (and/or force you to use it).
I don't see a downside here. There are other solutions within the Microsoft product portfolio and outside.
The fact that a government agency looks it up and gives you a result saves you actually money because you don't have to hire somebody to check that for you and save you from lawsuits. It's a service you already paid for with your taxes. I don't see the problem here either.
Essentially you are asking „why should a government expect anyone to follow the law“
Personally I run a small business, GDPR came out, our solution is to just violate it and not care. They have no legal jurisdiction over us so their laws do not matter.
If we had to comply with every jurisdictions special laws on the entire planet we'd surely waste most of our time doing it.
Just applying this to medicine, car safety, building codes and fire, food safety, industrial regulations saying 'you can't dump toxic waste around', etc etc makes me really surprised someone would actually hold such a bizarre opinion.
Put it another way.
Most sensible Americans would rather have European employment law and healthcare provisions.
Well, the same goes for privacy legislation....
The first misconception is that governments do what people want. They do what serves their national and personal interests. What people want plays a rather small role in it. Far to often they do the exact opposite.
> I understand the hope is that companies will comply
Not at all, they can comply or fuck off. The US gov just runs things differently from the EU. They want full access to everything in secrecy and will hand over or sell data to corporations if it serves US interests.
It means for EU enterprise all information on suppliers, customers, orders, road maps, finances etc etc can be forwarded to your US competitors.
You also forget how easy it is to make software. If [say] Microsoft no longer wants to do it there will be others.
The whole point of the EU is to instruct how business is done here. It was specially designed to stand up to uncle Sam and his army of evil automatons.
If it’s my small business animal shelter, or my grocery store, or even just my little SaaS… leave me alone, please, from requirements like the Quebec translation law, or similar.
Microsoft 365 is different. Odds are that there are dozens of businesses you interact with, who store their data in 365 without your knowledge. Microsoft 365 is a “in the shadows” method you probably don’t know of that is sending your data to the US.
If I could lay down a principle, it would be that the privacy rule should be determined on the privacy level of the company I the consumer interact with. If I interact with a EU business, I do not expect my data to enter the US by any method. If I interact with a US business, that is implied consent.
So what you think of as freedom of choice often isn't for students, employees, and consumers. It's why we need drastically more business regulation to guarantee individual rights.
Then we can discuss if the GDPR protects important rights or not , but that's a different discussion.
Because they (the government) think it is the minimum required for a dignified, safe society. And they are placed in a position of power and must make those judgment calls, because that is their job.
Why would people want that? Because they understand, in general, that government is important and don't want an unhinged libertarian abandonment of mutual assistance in society. And in specific, because many of them value privacy enough to put up with this type of restriction. But of course there will always be people who find this or that law too intrusive, and in the EU that means they are free to organize, protest, be activists, vote, run for office, etc.
Ha, this is a naïve view of it. In the US, this is only kinda-sorta true. Building permits can often be a lucrative source of income for the city and sleazy inspectors who often come out without the faintest idea of what they are looking at.
It often turns into holding previously-recognized rights captive and selling them back for cash. People get angry real quick.
(My father owns a small business in fireplaces. The inspectors often are idiots, and the city charges hundreds of dollars, sometimes more. Total grift we have to suck up. So much so they sometimes ask us what to look for. I doubt the inspectors have stopped any residential fires, ever, in some of these cities.)
The EU stance is this: "a person's data belongs to the person, and you can't obtain, collect, sell, or transfer this data in any way, shape, or form without an explicit consent from the person".
The US on the other hand: all your data belongs to the US government regardless of where you are on the globe: https://en.wikipedia.org/wiki/CLOUD_Act?wprov=sfti1 And this is on top of all the large scale data collection already performed by companies.
Complaints to a data protection official take forever, are usually dismissed at first, even if counter to published opinions or decisions such as TFA. And only if you still care after a few years of waiting and at least one appeal you might get a decision, however usually a very cheap one for the perpetrator.
I have the exact opposite impression. Even in small start-up, every new external supplier will be judged whether the is any customer data processing in the US. People are super afraid of Google analytics. If you use the Google Fonts on your website you will get an cease and desist letter in no time from scummy lawyers. You pratically need an external company to manage your cookie banner because it is a legal risk.
Google analytics and Google fonts are regularly enforced, but not by data protection officials. "Enforcement" of those is, as you've said, done by scummy private lawyers, scanning websites and sending expensive letters ("Abmahnungen") en masse. Basically, due to a weird precedent, those lawyers are allowed to give you unasked advice on your wrongdoing and billing you for it. But that is, afaik, a specialty of German law, and mostly limited to stuff that can be fully automated. So while you can scan for a website using Google Fonts, you cannot as easily scan for someone using Office365. Although you might, maybe, get a hint by looking at the DNS MX records.
Don't set cookies for visitors. Notify on signup for everyone else.
I mean, yes, that's what it used to be, pre-GDPR.
With GDPR, the data protection agencies have grown teeth. And fangs. And claws and talons.
GDPR enforcement is young, and the goal is compliance, not maximum fines. So depending on the offence and the offender, they start with a warning or a small fine. This will ratchet up and the maximum is € 10 million or 2% of the previous year's annual revenue (not profit), whichever is greater!
Microsoft's annual revenue for FY 2022 (I guess they are early) was almost $200 Billion. So the fine for them could be $4 billion. Yes, that's noticeable and not something you want to explain to your shareholders.
And of course this seems to apply to their customers, for whom margins tend to be tighter, and for whom IT is not their main business, but an operating expense in the first place. For example, Volkswaken has an operating profit of around 6-7%. So 2% of revenue is around a third of their profit. And also around a third of their entire R&D budget. Yeah, compliance is the cheaper option by far.
There were plenty of EU countries with privacy laws. The laws were all ignored by all but the largest companies in the country. Getting FAANG to take note of local law was basically impossible.
On paper, the GDPR is weaker than what it replaced in my country. I lost some privacy rights with the GDPR, and gained some bureacratics if I want my rights enforced. In practice, the GDPR gets some following, even outside the EU. It has teeth.
GDPR, mostly seems like an annoyance to developers while providing little actual benefit to users since countries aren't willing to enforce it and even if you do take it to court yourself the courts aren't doing much. In once case, a German court found that a company breached GDPR by using Mailchimp but because they stopped using Mailchimp they didn't fine them, for the breach. That is realistically a complete joke of a judgement. And honestly, there are lots of judgements that are basically similar.
The kicker is that EU companies are essentially paying to upload their trade secrets to their direct competitors in the US.
We're a minority
For things to change, there would really need to be something like:
- data protection fines the whole of the customer list of Amazon/Google/MS cloud
- data protection fines a high-profile company a lot of money for using Office365
- a court forces a public institution to cease using Office365 (no fines possible there)
- enforcement accelerates to a point where, from complaint to fine, things take only a few weeks, instead of a few years, so that lots of medium and smaller businesses are hit. Currently enforcement seems to be starting with the big cases, and being bogged down in the complexity of those.
Another example was shared recently: Shopify is technically illegal in Germany [1]
That ruling not only invalidated the Privacy Shield agreement, but in fact prohibits the transfer of any data to any company affiliated with a US-based company in any way (including subsidiaries or even mere suppliers or customers), which comprises pretty much every company out there - US-based or not - because in today's globalized economy you'd be hard-pressed to find a company that doesn't in some way at least transitively deal with US-based companies.
Technically, the reason for this is the US CLOUD Act (https://en.wikipedia.org/wiki/CLOUD_Act ), which requires US-based companies to hand over any data, regardless of where that data is stored geographically. This also means that the common naïve assumption that you're safe in terms of GDPR as long as your data is stored in EU-based data centres is false as well.
So, when following GDPR and this court ruling to the letter, we'd (as in "everyone") pretty much have to stop trading and doing business altogether. Since that's (hopefully) not going to happen, none of this is enforced, at least not consistently or according to the rule of law (which in a way is even worse because at that point law and law enforcement becomes arbitrary and fines will be imposed based on how eagerly local authorities pursue these matters rather than universal principle).
Now, it can be argued that the EU and GDPR really aren't to blame because it's the US CLOUD Act that created this issue, after all. That CLOUD Act indeed is hugely problematic, to say the least.
However, the problem remains and it's on the EU to negotiate an agreement with the US that allows companies to legally do business in the real world (as opposed to an ideal world according to GDPR) again.
Wouldn't it be equally on the US to negotiate an agreement with the EU to maintain the global dominance their tech sector currently enjoys? I don't see a categoric reason why the EU should blink first.
it dates back at least to the warrantless wiretapping authorized by Bush with the 2001 Patriot Act and legalized with the 2008 update of the US Foreign Intelligence Surveillance Act,
being incompatible with the 2000-2010 Charter of Fundamental Rights of the European Union,
making the 1998-2000 Safe Harbor agreements between the US and the EU null and void,
as first judged by the Court of Justice of the European Union in 2015 (Schrems I).
GDPR (2016-2018) and the CLOUD Act (2018) are basically just the EU and the US digging deeper into their respective positions.
Redactions? How should the data owners be able to verify Microsofts processes if some of the information is redacted?
IMNHO the most likely outcome is that o365 will come to be GDPR compliant - and so business will be able to (continue to) deliver on government contracts building on o365.
* November 2017 - The city council decided that LiMux will be replaced by a Windows-based infrastructure by the end of 2020. The costs for the migration are estimated to be around 90 million Euros.
* May 2020 - Newly elected politicians in Munich take a U-turn and implement a plan to go back to the original plan of migrating to LiMux.
September 2016 - Microsoft moves its German headquarters to Munich
I shared the excitement, but as so often it was only executed half-way. In essence, instead of recreating processes from the ground up to fit the new reality, they tried to make everything as beforehand. Unsurprisingly, that was a huge uphill battle - in the end they spend more money than beforehand and had a lot of trouble in maintenance etc.
(Regarding the 2020 public announcement; nothing has happened since then IIRC so I would not count that in - just talk no actions)
This is crippling Europe.
A great one is Cryptpad: https://github.com/xwiki-labs/cryptpad
There are hosted instances also if you're not interested in self hosting.
P.S. I'm not affiliated in any way with the project.
It can do documents and „excel“ and „PowerPoint „ and a few other things.
No experience in an „industrial „ environment though so YMMV.
365 is a nice way of collaborate at work, if you are a small business is a nice product, for the big companies this is just going to be more headache for their I.T department, so now instead of relying in the Microsoft servers to allocate and store the documents, they will use any other server from who knows what company and hosted who knows where, some will be hosted with e2ee including at rest while others will end up using some shit show of servers from a company owned by some dude from not so friendly countries.
I understand that privacy for companies is a big risk, but regulating it this way can easily end with a cobra effect.
I've resorted to sending docx back and forward instead.
You can blame this on your O365 admins rather than Microsoft. For admins who want to generally restrict external sharing, it can even be limited to select Document Libraries. https://learn.microsoft.com/en-us/microsoft-365/solutions/co...
For example, the GDPR states:
>An establishment's failure to designate an EU Representative is considered ignorance of the regulation and relevant obligations, which itself is a violation of the GDPR subject to fines of up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater. The intentional or negligent (willful blindness) character of the infringement (failure to designate an EU Representative) may rather constitute aggravating factors.... Businesses must report data breaches to national supervisory authorities within 72 hours if they have an adverse effect on user privacy. In some cases, violators of the GDPR may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater...
Why have neither of these been done? Speaking as an American who has spent his entire adult life advocating on these issues, it personally offends me when I basically get myself punted out of so called civil society trying to get a law like this enacted, and then our so called "allies" across the pond refuse to utilize it.
Here in "The States", folks used to joke "I'll believe corporations are people when they execute one in Texas"... given the EU's views on the death penalty, maybe some of these companies should be given what the Chinese would call "death with a suspended sentence"[1] -- fine them the full two to four percent, and use that money to fund things like universal health care, pensions, and the rebuilding of critical infrastructure instead of... well, based on my last trip to Tim Hortons[2], it looks like the new hotness is building a buncha condos that sit empty and drive up the rents -- but it's been a while, so I'll let any Canadians who want to wander in below and give their thoughts the floor.
The above is what I like to call "venture socialism". It is not communism, it is not even really socialism, more just... republicanism. But I can understand why even that feels violent and oppressive to... some people.
[1] https://en.wikipedia.org/wiki/Death_sentence_with_reprieve [2] Fun fact: for many Americans, the cost of a passport, let alone an international vacation is out of bounds -- once you understand this, a lot of the past four to forty years begins to make sense.
Folks seem to pick and choose when to take me seriously in the hacker scene, which is amusing considering rumor has it "Chapo Trap House" is a reference to what the portmanteau of DNS requests coming out of my college house share looked like to the local FBI field office during the Pittsburgh G20.
Spoiler alert: One guy was playing a lot of illegal poker, one guy was really into certain types of... free expression... and one was discovering the joys of democratic socialism as he did experiments on undergrads like Bill Murray at the beginning of Ghostbusters as he pirated everything on the IMDB Top 250. Guess which one was me, and you win a special prize.
(Also... don't do cocaine.)
Folks seem to pick and choose when to take me seriously in the hacker scene, which is amusing considering rumor has it "Chapo Trap House" is a reference to what the portmanteau of DNS requests coming out of my college house share looked like to the local FBI field office.
(Spoiler alert: One guy was playing a lot of illegal poker, one guy was really into certain types of pornography, and one was discovering the joys of democratic socialism as he did experiments on undergrads like Bill Murray at the beginning of Ghostbusters... guess which one was me, and you win a special prize.)
German state of Hesse has banned the use of Microsoft 365 in its schools - https://news.ycombinator.com/item?id=33741537 - Nov 2022 (115 comments)
Germany Forces a Microsoft 365 Ban Due to Privacy Concerns - https://news.ycombinator.com/item?id=33741300 - Nov 2022 (11 comments)
France bans Office 365 and Google Docs from schools and public administration - https://news.ycombinator.com/item?id=33686599 - Nov 2022 (183 comments)
German state of Hesse has banned the use of Microsoft 365 in its schools (techgenix.com) - https://news.ycombinator.com/item?id=33741537 - Nov 2022 (115 comments)
Any attempts to appoint new leadership to reform the existing corrupt agencies will most likely end up being sabotaged from within by bureaucrats who gain from the system remaining dysfunctional. The only two ways you can effectively change it are:
- setting up complete new ‘start up’ agencies and appointing people to wind down and distract the power players in the existing ones.
- going full nuclear like Elon just did at Twitter and firing the majority of the workforce
https://en.m.wikipedia.org/wiki/Revolving_door_(politics)
https://en.m.wikipedia.org/wiki/Goldman_Sachs#Personnel_%22r...
https://cspl.blog.gov.uk/2017/02/08/regulators-and-the-revol...
If you’re based in the UK, buy an issue or two of Private Eye who will often name such people as well as the staggering amount of general corruption at play in UK politics.
As for the last paragraph, I recently heard some system thinkers express similar sentiments based on how FDR managed to enact real change and how most presidents have failed to achieve much in comparison since.
> During his first term, FDR quickly found that the federal bureaucracy, specifically at the Treasury and State Departments, moved too slowly for his tastes. FDR often chose to bypass these established channels, creating emergency agencies in their stead.
https://millercenter.org/president/fdroosevelt/domestic-affa...
In time however, these new agencies become bloated bureaucratic nightmares themselves. In my opinion, the circle of life extends to organisations as well life forms. I view economic booms and busts as a “changing of the seasons”: old organisations that can no longer compete die and new ones take their place. The problems start occurring when government intervenes to keep zombie companies around because they’re “too big to fail”.
Why is this so hard?
Finding mail and cloud storage alternatives is fairly easy, but as a business operator having this bundled into good identity management is what makes it hard to replace. OIDC provider support with mail and a secure way to store documents and I would be good.
Then slack could be wired in via SAML or apis for account management etc.
Right now its just a huge undertaking to replace the convenience of GSuite or O365 :(
It's very likely that (if this becomes a bigger issue within the EU), the EU itself will provide more convenient options.
[0]:https://helpcenter.onlyoffice.com/installation.aspx [1]: https://www.onlyoffice.com/blog/2018/06/how-onlyoffice-enter...
EDIT: I missed part of your comment for OIDC provider there is Ory[2] (but again not bundled)
[2]: https://www.ory.sh/
Some features are missing yes, but the usability (IMO) is better than Libre-/OpenOffice.
I don't know how good the collaboration is but they seem to advertise for it.
And when you request data from companies, you don't even get what you want a lot of the time because it is often aggregated.
