>“The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU,” said Facebook’s VP of public policy for EMEA
If it is "industry standard", does that make it ethical?
I think the implication is more, "why are you only paying attention to us? If you think this is a bad practice, then you should be going after our competitors, too."
Corporations tend not to mind if you take away a business strategy of theirs, as long as you take it away from everybody else at the same time. If you only take it away from one corporation, that corporation will be temporarily outcompeted by the corporations you haven't yet taken the business strategy away from, so they heavily resist that.
Funny. If your site drops dramatically on Google's search results, or if YouTube/Facebook bans your account for reasons, tough luck. They are a corporation and can do whatever they want without resorting to any sort of internal consistency.
But heaven forbid governments hold a dominant corporation accountable in the public interest.
>Funny. If your site drops dramatically on Google's search results, or if YouTube/Facebook bans your account for reasons, tough luck. They are a corporation and can do whatever they want without resorting to any sort of internal consistency.
That's not really relevant to the parent's observation that Facebook is likely arguing that they're being singled out in an environment where their practices are so rampant as to be standard.
>But heaven forbid governments hold a dominant corporation accountable in the public interest.
"accountable to the public interest" is an incredibly disingenuous way to say "enforce their laws". The difference matters in this context because the counter argument would be "why is the law being enforced predominantly against a handful of American companies instead of the industry at large?"
Either it is enforced against Facebook first, and Facebook complains "Why don't all of the small fries have to do it yet" and if it is enforced against the small fries, they will say, "Why doesn't Facebook have to do it yet"?
And the answer is, the justice department will probably enforce the law in the way that they expect to have the best effect for themselves. It is not necessary to wait until you are sued before you become legally compliant?
When a government agency (think IRS or FAA) decides on a specific interpretation of a law, rule or regulation, they don’t go after a random guy to prosecute. They publish an opinion, a guideline, or interpretation and a compliance deadline. The industry is given a choice to comply or present an alternative interpretation (through courts, lobbyists or legislative representatives).
It’s one thing if one company out of a hundred doesn’t comply, and somewhat different when the standard industry practice goes against new interpretation.
Selective enforcement is more typical of countries with weak judicial systems and endemic corruption, where “friends” of the current government get compassionate understanding, but everybody else is subject to the strict rule of the law.
Europe hews to somewhat different legal and administrative philosophies from the US, and I don't think the EU is any more corrupt than the US, arguably less so. This subject is discussed very well in a favorite little book, Adversarial Legalism by Robert Kagan.
I don't think corruption is the worry so much here, it's the erosion of the rule of law when regulators and courts are seen to bask in the popularity of enforcing the law against certain high-profile targets, especially when the perception is that this target has been particularly zealously pursued, instead of dryly and boringly applying the law equally to everybody without passion.
That erosion is not corruption on its own, but can lead to it.
Facebook, being huge and hugely invasive, is among those doing the most damage to EU citizen privacy with their collection, so it makes plenty of sense to focus on them.
> It'd be more like vigorously investigating a kidnapping case in a wealthy, high-profile neighborhood while ignoring kidnappings in other places.
I don't see the point of this sort of "but johnny did it too" line of argument. So authorities are looking into a report of widespread abuse. Where's the relevance of not advertising how they may or may not look into other small-scale and lower-profile cases? In fact, aren't resources better spent by going after the single largest and more egregious source of abuse that has a global reach and has been continuously abusing its position for over a decade?
By all means name all the social media sites that are breaking the law on this scale and the EU is ignoring. I'll be sure to contact my local ombudsman.
You can simply use Google and check the facts out for yourself, it's common knowledge (children even learn this data in school in the EU). There were no sources in the comment I replied to either. Someone also replied with one of these sources. How can my argument be US centric when I'm European and have never even visited the US?
I was explaining why your comment was likely downvoted, it's clearly not common knowledge (hence the downvotes) and the fact someone else provided sources for you doesn't absolve your comment from lacking them.
> How can my argument be US centric when I'm European and have never even visited the US?
You don't have to be from the US for your post to sound US centric. It sounds exactly like every other "USA is da best! The east is inferior in every way. We have zero problems." argument which is found everywhere online, especially on sites with a large proportion of US users (like HN).
> the fact someone else provided sources for you doesn't absolve your comment from lacking them
The comment I replied to had no sources as well and yet it isn't downvoted.
> It sounds exactly like every other "USA is da best! The east is inferior in every way. We have zero problems."
Actually my comment says the exact opposite, it says that at least the western part of the EU is less corrupt than the US. Do you realize that I said the west [of EU], not the west as in the US? You're the one who is thinking US-centric after all, thinking that when someone says "the west" they mean the US even though it's in a sentence that talks about parts of EU, this possibility didn't even occur to me - that's how foreign it is to me.
> The comment I replied to had no sources as well and yet it isn't downvoted.
Read it again. It stated much less confidence in those baseless claims, inviting sourced rebuttal. You claimed to be "obviously" right without any sources, and apparently you were not.
Edit: also, complaining about downvotes, especially without even trying to admit a mistake, is considered bad behavior here.
That kind of hand-wavy stuff doesn't fly here. If you're going to make a claim like "EU Countries are more corrupt than the US", YOU have to provide a credible source for that claim.
From their technical methodology note[1], they require their data sources to account for "state capture" and the usage of "public office for private gain". Take that as you wish, and feel free to look further at their sources[2]; however, I'd assume from that statement that they do account for lobbying and donations.
The US is not unique. If you see something happening here, it is almost always happening in other western countries, and acting like we are the only ones to have a problem does a disservice to worldwide development.
> I wonder if the index treats lobbying and donation millions to support elections as corruption. Such activities are illegal and considered corruption in most countries.
Lobbying has nothing to do with donating money, and lobbying elected representatives is definitely not illegal in most democracies.
> I explicitly wrote "lobbying AND donation". Please don't twist conversation into debates about semantics: it's not helpful.
Yes, and you said that both are illegal in most "other" countries. Except lobbying isn't illegal in any healthy democracy, including in Europe. Donating "millions of dollars" isn't really legal in the US either.
Lobbying as a term in the US is pretty synonymous with donating money. If there was a lobbying group that did not donate money you would have to specify that in conversation
> Lobbying as a term in the US is pretty synonymous with donating money.
This is flat-out untrue, and repeating this incorrect meme ad nauseam simply makes it harder to address actual problems when they arise. Lobbying is simply the process of petitioning elected officials. It's a necessary part of any functioning democracy, or else there's no fundamental feedback loop connecting elected officials to their constituents in between elections.
> If there was a lobbying group that did not donate money you would have to specify that in conversation
Corporate entities are prohibited from donating money to campaigns, whether or not a quid pro quo is implied.
What you've stated is true by the technical definition of the term, but lobbying in the _common vernacular_ of the United States is synonymous with paying money. You can throw dictionary definitions around all you want but it doesn't change how it's commonly used.
The same issue comes up with the word theory to scientists vs its meaning in the common vernacular.
As to your second part about corporate entities being prohibited from donating money to campaigns, excuse me while I set up a PAC to donate funds to a senator who is aware that I donate to the PAC and that I would really appreciate it if I got a tax break.
What the law intends != what is actually happening
> The same issue comes up with the word theory to scientists vs its meaning in the common vernacular.
Yes, and just as we ignore people who dismiss evolution because "it's just a theory", we should take the same attitude towards people who conflate lobbying and campaign contributions, because they clearly don't understand how the democratic process works, and acting on their demands is actively harmful.
> What you've stated is true by the technical definition of the term, but lobbying in the _common vernacular_ of the United States is synonymous with paying money.
Yes, and the "common vernacular" is wrong and actively harmful. The two things are completely unrelated, and perpetuating the conflation makes it harder to understand what's actually going on.
If you think something is broken, you actually have to understand how it's broken in order to fix it. There's no virtue in going out of your way to make it more difficult for people to understand how things work. That's how you end up with people wasting time advocating "reforms" that span the range from "well-intentioned but redundant and/or ineffective" to "completely self-contradictory and nonsensical".
Yeah, but in context, is the claim of being less corrupt being made about pan-EU institutions, or does it extend to the countries making up the union? The relevancy of individual country statistics depends on that distinction.
Yeah but the great-GP's statement is incorrect if he means the European Union as it is now, so he logically must mean something else, e.g. EU before the 2004/2007 enlargement (he might not know that it happened, the most corrupt countries joined during those and thus moved the average) etc. He also might've meant the EU as in the organization itself which is a completely different meaning with completely different results.
> the great-GP's statement is incorrect if he means the European Union as it is now, so he logically must mean something else
E.g. your assumptions being incorrect. You could have avoided a lot of downvotes by showing some humility. Assuming someone does not know about large shifts in EU membership seems like an argument in bad faith.
While there's nothing wrong with opining that state interventionism is a form of corruption, be warned that people will not infer your custom definition if you drop the word "corruption" in a conversation. I'm in favor of sticking to popular word definitions for the sake of clarity.
Do you even know your checks and balances?
This is not about government, it's about court. Facebook only has to pay because individuals (or in that case, a privacy organisation) decided to sue Facebook
The entire tech industry can now consider themselves warned. Not even giant American corporations with direct links to the White House are above the law.
Well I personally despise all tech companies selling out their users whether they are from the US, France or Peru. It's a fact on the ground many are from the US though.
GDPR had been announced in 2012, implemented fully in 2016. Active enforcement will start May 2018 with again a temporary period to allow companies to correct. Refusal to comply after that can result in penalties up to a maximum of 4% of the company's global revenue.
How much courtesy lead time does a company actually need to comply?
That's not how the law works in most European countries. Class actions don't exist, so the usual strategy is to sue the biggest company or greatest offender, since that results most likely in the best defence or the best case.
The summary of the court of the case, if ruled in favor of the one suing or in favor of the public interest, will be used to prosecute all other offenders if they do not comply. If the defense wins, it can be used by others as a defense.
While not 'fair' it works as the smaller fish will probably go bottoms up trying to mount a proper defense against larger governmental or lobbying groups which results in a no-win scenario for all: The company is dead and there is still no ruling, or a ruling lacking proper defense.
What, if you get screwed by Google do you sue all the companies or only Google?
Or say Intel users that are now suing over the Meltdown bug, should they get involved in AMD too from some feeling of solidarity?
In this case someone did something illegal and someone else complained to the justice, should they first find all (I hope you understand what all means, aka don't forget anybody) and try to do what? start 1000 processes in justice? It makes sense to start with the bigger criminals, if the court decides favorably then you continue to the next ones.
1. Why should there be a "courtesy heads up"? Most of these defendants know they're breaking the law. The regulatory agencies have made their interpretations of the statutes known.
2. Do you realize how much manpower it would take to require that all separate cases be tried at once? You might as well just come out and say you don't want any cases to be tried at all, as that would be the outcome.
> why is the law being enforced predominantly against a handful of American companies instead of the industry at large?
Because the largest companies that European citizens are using and that are breaking the law are American. There is no point in targeting first the Chinese and Russian companies doing the same tracking, as few European citizens are affected. And as far as I know, there is zero European company doing the same thing on such a level.
> The difference matters in this context because the counter argument would be "why is the law being enforced predominantly against a handful of American companies instead of the industry at large?"
That's not a counter argument but dissatisfaction. Are you saying that EU companies also don't follow their laws?
>That's not a counter argument but dissatisfaction.
You're correct but mainly because I wasn't paying attention and phrased it as a question. Written instead as a statement, it's a valid counter argument because it's criticizing the parent comment's ridicule of a different instance of criticism.
> Are you saying that EU companies also don't follow their laws?
I'm insinuating that if someone wanted to defend Facebook's position one avenue would be to argue that the law is being selectively enforced. Obviously this isn't a comprehensive argument but it's an easy platform to jump in other directions from.
> You're correct but mainly because I wasn't paying attention and phrased it as a question. Written instead as a statement, it's a valid counter argument because it's criticizing the parent comment's ridicule of a different instance of criticism.
I doubt a statement expressing dissatisfaction is a valid legal argument responding to a legal ruling. Clearly the term argument in this context is for a legal argument not a colloquial use of the term, since a legal appeal is what is being discussed.
When people get traffic tickets, the judge won't let them off for saying, "But, your honor, the police officer didn't pull over any of the other speeders around me."
I was using the term "argument" in the more broadly applicable but also literal sense of the word. Your explanation is correct but you've either misunderstood what I was saying or I've misread your reply.
There is a rule in Germany called "Im Unrecht gibt es keine Gleichberechtigung". Meaning when you are breaking the law you cannot point to others also breaking the law as defense.
> Corporations tend not to mind if you take away a business strategy of theirs, as long as you take it away from everybody else at the same time.
Not so if it is the only way for the business model to be profitable. More generally, this argument assumes that there is a fixed profit to the business, and the only thing to compete for is a bigger share of that fixed profit. The reality is that corporations are amenable to increasing the profit all around so long as they get part of it, and don't particularly care who gets exploited in the process. Conversely, they do tend to protest when the pool is reduced, even if it affects their competitors similarly.
"The privacy lawsuit dates back to 2015 when the Belgium privacy watchdog brought a civil suit against Facebook for its near invisible tracking of non-users via social plug-ins and the like.
[…]
The same year, after failing to obtain adequate responses to its concerns, the Belgian Privacy Commission decided to take Facebook to court over one of them: How it deploys tracking cookies and social plug-ins on third-party websites to track the internet activity of users and non-users."
If I go to the police to complain that my neighbour is spying on me, it's only natural that the police only investigates that neighbour.
> I think the implication is more, "why are you only paying attention to us? If you think this is a bad practice, then you should be going after our competitors, too."
To be pedantic, I can attest that in California drivers ed they teach you that it's safest to keep with the flow of traffic. The difficulty is in proving that traffic was going as fast as you.
They both can apply. The flow of traffic laws, such as the one in California, are to prevent people from going significantly below the speed limit. It's a better approach, in my opinion, than a minimum speed limit law that many states use.
That said, you'll end up driving white-knuckled and fearful of your life if you dare go the speed limit on the Mass Pike. You'd have to drive 70-75 minimum here just to feel safe.
Yes, it makes sense for the minimum speed. Here in Europe the max speed can't be exceeded, and on top of that you have to adapt your speed to the actual conditions: if there is ice, or the road is wet, or there is fog, the law says you have to reduce your speed until you are safe. If you did not reduce it enough and had an accident, you are guilty.
I hate when someone drives respecting the limit and you get jerks with big cars or trucks behind you who force you to go faster (by force I mean get close behind you, use the horn and other bad behavior that can intimidate a new driver).
However, regulators like to make examples of bigger corporations since the publicity is more effective with them, and also they are able to both pay up and/or change.
Fair application of regulations is essential to rule of law. Going after one company for a common practice but not others is simply the more tyrannical rule by law.
It's a matter of priorities as well. There's hardly funding to prosecute everyone that breaks any sort of law. So you aim for the big fish. Many more are "hurt" by FB's practices than some random other small player. In that sense, FB is committing the larger crime.
Picking the large foreign company is always an easy target, it can easily lead to protectionism: enforce laws on the outsiders but not the insiders. China is an extreme case of this: foreign companies must walk on egg shells while domestic companies are able to easily break laws now and ask for forgiveness later if the party decides to crack down.
You are suggesting that the EU is picking on the outsiders. However, do you have any proof of that? For example, if you look at fines handed out by the EU, some of the largest ones concern companies from the EU:
If you look at EU court decisions concerning privacy, you see that it mostly concerns European companies and government bodies (e.g. people's fingerprints being stored for passport applications). Those cases just don't get as much exposure in the US:
Another factor here may be that EU companies generally stick more to privacy rules, because it is easier to get sued directly by their citizens. E.g. in Germany many institutions and companies are paranoid when it comes to privacy and go out of their way to avoid lawsuits.
You add in the word "foreign" for no apparent reason. What makes you think the EU is targeting FB for being American? I see no proof of this. Size, sure, but the EU also has many regulations for the internal market. For example, we actually have net neutrality, and there's now regulations to limit roaming charges.
The argument they’ve made is that they are targeting FB and not their competitors. If true, it has many possible abusive implications, one of the common ones being protectionism. It might not be that, but it is a huge red flag that it could be that.
I did not edit my original comments where I clearly said “leads to”. If you think that meant an accusation, then that’s your right of course, but it isn’t correct to then say I was using similar language to back out of it.
But is in this case an EU institution selecting FB or a civil rights organization selecting the biggest offender?
If the citizens complain about FB and going after justice why are you asking the citizens to find first other smaller and non US company that maybe did much less damage and start with them. Citizens should have the right to demand justice for illegal behavior of US company that makes business in EU without having the other camp calling protectionism.
It is like the Microsoft anti competition case would not take place until we find some small non US OS vendor to punish first so the Americans won't get upset.
If the law is no cookies or no tracking, then they can literally pick a random internet company within their borders who's offending. In practice, such broad laws can only be selectively enforced.
And how many people are actually going to pay attention to that? Further, how is that not any different than the "selective enforcement" that you claim is happening against FB?
>they can literally pick a random internet company
In this case they are the citizens, the citizens would not pick at random but the company that affects them.
This business strategy is only viable if your market penetration is huge. No wonder the biggest infringer is tackled first. Also, this probably is a precedent-setting decision with more to follow.
That leads to writing a law for every little technological innovation, which is an arms race legislators can't possibly win. Prosecuting a corporate body for violating a general principle sends a clear signal to other market players using an unethical tactic: comply or you're next.
The EU has been working for years on laws to protect the citizens' rights from these internet companies. The laws take years to be created, and when done they are announced, and it also takes a long period of time before the laws start to apply.
Do you prefer that we create laws for fixing problems that do not exist yet?
You misunderstand. Facebook probably knew that the new law was in the making, but they probably thought: by the time this law passes, everybody is doing it!
I don't think many of their competitors have the same reach as Facebook. Nowadays sites have social plugins to allow their customers to "share" content. This in turn adds the problematic cookie/pixel.
I think this is an odd defence to follow if indeed this is a defence. It's as if a convicted criminal demands to overturn the conviction because some other (alleged) criminals haven't been on trial yet.
...and one obvious answer is: as one of the largest companies doing this, they benefit more than all of those other corporations.
Also: from the jurisdiction's point of view, this is perhaps the only efficient way to allocate legal / judicial resources. You go after a small handful of big-name "make an example" cases, and hope that this deters use of the business strategy by the long tail of smaller companies you can't afford to go after.
>Corporations tend not to mind if you take away a business strategy of theirs, as long as you take it away from everybody else at the same time.
That's not true in this case. As the large incumbent in social media and advertising, Facebook are the company most impacted by this, whether or not their competitors are impacted.
I'm sure other companies do this, but I'm way more familiar with Facebook's indiscretions. If they're made an example of what's going to be a standard, I wouldn't be surprised if it happens to other companies soon.
Whataboutism isn't an argument... if you're going to start somewhere, you have to start with someone, especially in civil court. Setting precedents will open up other websites to lawsuits
> if it is "industry standard", does that make it ethical
Nope, not at all. Standard practice does not override ethics. Tobacco companies would consider advertising and promoting smoking as industry practice, but we cracked down on that because encouraging people to do something that is demonstrably bad for their health was something we decided wasn't ethical and would be cracked down on.
Besides being a weak argument in such a context, it's disingenuous. FB set the industry standard. Maybe half the standard along with Google.
FB's system is much more reliant on tracking though. Google's can at least work anonymously, eg searched 'dentists' in some area. FB's is almost useless without tracking.
>enable hundreds of thousands of businesses to grow their businesses
Seems innocuous enough until you really think about what they're saying. "But, tracking these people without their consent allows companies, including us, to make money off of them".
That's actually a pretty brazen thing to say; as if the fact that people can be monetized should trump their right to privacy.
1. I don't have an account on Facebook.
2. Blocked Facebook domains via /etc/hosts
3. Use Ghostery
And despite all of these steps it feels like we are wasting our brightest minds to always be a step ahead in surveilling what the humans of this world are doing to exploit it for targeted advertising.
Rest assured, many of the brightest minds are aware of Facebook's business models and incentives, and many of them predicted the current situation and rejected the company many years ago.
...and promptly took a job at a Google? Sorry, but someone is working for these companies, and they’re clearly bright enough to make the necessary tools. I’m sure some extremely bright and principled people refuse to work with anything like an Orwellian nightmare, but enough do to make up the difference.
Do you think that the code that tracks logged-in and not logged-in users differs much? I assume it is the same tracking code, but if you are not logged in FB and Google will give you a unique ID, and after that they collect the same data. They will need to add some code for merging data if they find that 2 different IDs are the same person.
I am not defending FB, my point is that you do not need an army of geniuses to extend the tracking to everyone.
If you apply your mind doing something evil you're evil and no amount of brilliance can justify it. The visceral example I like to use is: I admire efficiency and leaders, Hitler was efficient and a leader, yet I don't admire Hitler.
Perhaps there should be a central clearinghouse for people who don't want to be tracked by certain sites. How can you tell facebook to not track you without a facebook account? The best you can do is block various known IPs or other patterns which are bound to change over time.
Someone should invent an HTTP header that lets you signal that you don't want to be tracked. It could be named something like DNT, for do-not-track. People could then set DNT=1 and websites such as Facebook would know not to track you...
>- it was on by default. You shouldn't have to 'opt-out' of invasive surveillance.
Companies did not like it when IE did this, but I think the solution would be simple:
when you start the browser for the first time you will be asked if you want to get tracked or not, you will have 2 big buttons to choose from.
Then FB, Google and others should ask the users to switch this because they want to track you on a different website and explain to the users why.
Yeah, I found it very disingenuous back then from Google to push against this. It could be a widely accepted standard by now, and it makes a lot of sense. Unfortunately, as long as big players like Facebook and Google ignore it, it won't succeed.
>How can you tell facebook to not track you without a facebook account?
That's the wrong question to ask. You shouldn't have to tell it not to track you. They shouldn't be able to do it, unless you explicitly tell them "hey you can track me."
Precisely. The Overton window for this topic seems to have shifted pretty far. The default position should be one of positive consent and assumed privacy. But then again, I think it’s all moot considering that Facebook’s existence is predicated on them collecting data. Asking them to do less of it is like asking a plant to stop photosynthesizing. That is to say: it’s their whole raison d’être, which means they won’t change it without a little encouragement from third parties.
A typical scenario: Your friends and acquaintances have your contact info stored on their mobile phones. Your phone number, an email address or two, maybe a photo and a birth-date so they don't forget to wish you happy birthday. They install Facebook/WhatsApp/Twitter, etc, all of which upload your personal data from the phones to their own servers without your knowledge or consent.
It's more complicated than deciding not to have a Facebook account, though that's a great first step.
Are you seriously proposing to ban uploading pictures that contain other people to third parties computers without consent? That would go way beyond Facebook. Would I need to track down everyone in a picture before annexing it to a Yahoo e-mail?
I'd think the most pro-privacy reasonable approach would be to stop companies from identifying them beyond "someone who did not consent to being tracked".
How about not maintaining shadow profiles, not allow tagging nor allow facial recognition to be applied to third parties on uploaded photos?
Facebook has such incredibly smart engineers that they can file patents to identify you based on the dust of your camera lens [1]. It should be a cinch to them not to track such third parties in any way, shape or form.
The problem was that they gave zero fucks about the privacy implications to third parties, which have nothing to do with, and no business relationship with, Facebook. It seems quite the opposite: that they go to great lengths to maintain shadow profiles and track everybody.
I really hope that the GDPR forces them to clean up their act.
I think he's really proposing regulations that limit how such data can be used once uploaded.
For instance, it could still be legal for Facebook to slurp your friend's address book (and your profile, indirectly), but the regulation could require them to discard and purge that information if they can't immediately match it to an account.
Yes, I'm aware of this (and thankfully have never been stupid enough to entrust my address book to any such service), but what I'm really looking forward to is how Facebook and their ilk will be dealing with shadow profiles in relation with the GDPR.
Since I'm not a member of their service there's no valid reason for them to maintain personally identifiable data about me. Let alone that they never asked for my permission and that I never, ever consented to their gobbling up of my data and that of other non-members.
At least according to my understanding this is a very clear violation of the GDPR, which - if the courts agree - could cost them dearly.
I wonder how Facebook intends to deal with that. If I interpret the directive correctly they are obliged to delete all such data, since storing, maintaining and processing it clearly violates the law.
>Perhaps there should be a central clearinghouse for people who don't want to be tracked by certain sites. How can you tell facebook to not track you without a facebook account?
There should also be a central place for us to put our emails there so spammers won't spam us? If this seems a horrible idea then your suggestion is exactly the same.
>Perhaps there should be a central clearinghouse for people who don't want to be tracked by certain sites.
This is the most G. K. Chesterton-esque comment I have ever read on this site.
Poe's law may apply, but if you're actually being serious, "Let's build a list tracking all the people who want to avoid tracking" first, probably wouldn't work, and second, is the surveillance equivalent of a "standards problem" [1]
This comment suggests Facebook's ability to "grow their business" via third-party hosted beacons, etc. relies on users not editing their /etc/hosts files (or on not changing the DNS settings on their mobile device to use a nameserver that blocks Facebook domains).
How much "brightness" is required to carry out such a strategy? If millions of users followed step 2 (or blocked Facebook domains through another means), what would happen? How would the "brightest minds" respond?
As the unethical nature of the practice is an important argument for it being illegal, it is important that this self-serving nonsense is challenged wherever it shows up, and especially where it is not illegal.
It doesn't. And it is a mistake to take ethics for granted and think of it as a norm, because the majority of people, including those who govern and implement businesses, do unethical things every day. I hope this might change once but for today the only constructive strategy is to accept this fact and defend yourselves.
I don't get why you are being downvoted; so many huge things are literally funded by ads. Google Maps is funded by ads, so is all of Google X. The money that started the development of self driving cars and made people believe it was something that could be done soon was funded by ads. Where did Facebook get 2 billion dollars to buy Oculus to provide funding for VR? Ads. Perhaps in a future we will have a good model for micropayments and you can pay .1 cents for every webpage you visit, but in the meantime ads provide the revenue streams that make this work.
What other monetization schemes? No one is going to pay for access to a page with funny pictures, the site will cease to exist. Everything else will be behind a paywall and you call that an improvement? Up to this point in time, everyone had access to news, videos, science articles etc - for free. Those who didn't like being tracked had numerous options to avoid it. They also had the option to stop using these tracking sites. How is a 13-year-old poor kid going to read the news after everything is behind a paywall? How about a poor adult?
Because that destroys a whole industry of sites that are not good enough for people to pay for them, but thanks to the economy of scale, they can create quality content (and a living out of it) anyways. Your claim that it is not needed is proven not true by the very existence of these sites. There are many blogs that are sole income of many people, this will now cease to exist. How is that a good thing? This argument works on a free market; the free market that we had no longer exists and your argument is thus invalid, the state of market no longer represents the needs of people, it represents the will of the government and nothing else.
A free market only ideally represents the needs of people if people in fact express their needs. Aggregating user data and using it without consent does not fit that model. There is no obvious reason to believe tracking users "represents the needs of people".
Thanks to data collection and aggregation, the ads are targeted better, and thanks to that, the sites are earning more, and thanks to that, small scale content creation is a viable career. Now that ad revenue will be most definitely cut down to almost zero, a whole sector of small content creators will be destroyed and move to centralized platforms such as Facebook will be encouraged (because only on centralized platforms enough data can be collected in order to properly target ads, because that is the only remaining way how to have at least some audience and because it's free).
What is your reason to believe ad revenue would drop to almost zero?
Revenue might be lower. That is not in itself proof of a worse outcome. Maximising numbers like revenue or GDP is not good per se. Neither is maximising the amount of content created. If you want to know whether the trade-off is worth it you also have to look at the costs. The impact of tracking on privacy is not zero. The impact of ever more attention grabbing ads is not zero. The impact of persuading us to buy ever more stuff is not zero.
Also, the vast majority of small scale content creators are hobbyists.
This assumes that because it was viable in the past, it must be viable today. Maybe ads had more revenue then, but times and people change, and now ads aren't that lucrative anymore. One needs to factor this in the decision to continue hosting a blog or whatever else. This trend was foreseeable. On a personal note, this is good. Ads are either annoying or outright dangerous. So the less, the better.
If you want to host your blog, then just pay for it. I do the same. Not because I want to earn money with it, but because I want to. I can see why this is a problem for commercial entities, but not for personal stuff.
Eh, what's the problem? That a business (someone's living) was pointlessly destroyed, maybe? How do you know that people thought it had no value? It had enough value that they didn't care about all the ads, at least.
Nobody owes artists a living, a vocation that traditionally was engaged in alongside traditional paying work.
Nobody owes advertisers a living, or their eyes and attention.
Nobody owes a living to the person who makes their money from ads all over their blog.
I'm sorry, but if your business model boils down to using your unknown blog and barely visited web site as a vehicle to bombard people with ads for money then you don't have a business model at all.
Many businesses were destroyed by abolishing slavery as well. Just because a business exists currently doesn’t mean it should always deserve to continue existing.
>Up to this point in time, everyone had access to news, videos, science articles etc - for free.
I really don't like your definition of 'free'.
Wikipedia has been relying on donations for quite some time. guardian.co.uk is one of the recent examples asking for donations, and it is working out for them.
>science articles
Ok, that has to be a joke; the paywalled journal subscriptions are nothing like ads.
Please, don't conflate any pay method with pay wall (which is a pretty good one). If a business cannot retain itself w/o breaking the law and has to shove unwanted images/videos/etc. straight in the face, it may as well not exist. The ads have degraded user experience in such bad ways that having a page with little content and a 'next' button just to show more ads is pretty much the norm now.
You overgeneralize. There are many sites with normal ads that don't disturb the users much. And again - no user experience (on a non-existent site) is better than degraded user experience? Why don't you just stop visiting the site when it doesn't matter to you if the site ceases to exist and let us others do what we want to do?
> breaking the law
No one is breaking the law yet. The law has been changed, and has been changed in a way that destroys businesses and people.
A somewhat related note: Relying solely on ads is a bad idea. Personally, I'll install an adblocker on every PC I get access to (family and friends stuff).
Looking forward to May (when GDPR officially comes into force). Provided that it doesn't end up like the cookie law (and there are explicit provisions in GDPR and ePrivacy to avoid that) this might shake up the ad industry:
* Explicit consent for non-essential data use, you always need to provide opt-out without degrading the service
* Opt-in/out separately for every activity (no more "research purposes")
* Data deletion and takeout. Maybe in the future EU will also introduce some standards for the takeout, which will allow us to migrate between services much easier (as we now can switch between banks or telcos in a semi-automatic way)
What we are seeing is that the ad providers are considering themselves "controllers" under the GDPR and the tracking of device ad identifiers as critical to their business. Hence, their plan is to inform of the collection via a privacy policy but not to offer users the opportunity to affirmatively consent to allowing their advertising ID to be tracked. It's dispiriting.
I'm pretty sure that this kind of behavior will be shot down by EU or local courts. The GDPR contains parts where it explains what kind of reasons might lead to overriding of legitimate or critical interests.
If this is the case, I imagine a lot of profitable sites will be geo-banning EU users who don't subscribe to a payment plan as a non-profitable drain on resources.
Sounds like a good business model. Look at what US tech companies don't want to abide by EU law. Copy their app, but without all the privacy issues, make it free for all, incl EU. You already know what to copy, you don't need to do any research. Development and business risk is much less.
The GDPR does forbid hinging service quality/availability on consent.
Although this is one of the areas where it seems some sort of challenge is inevitable. Requiring businesses to give people more control over data about them is one thing. Requiring businesses to do things that make no business sense, like providing services to people despite getting nothing in return, is something else entirely.
It doesn't forbid you to provide free service, to my understanding, you can charge for the service but you can't provide a worse free experience when a user opts out.
Additionally, this does not affect data that is necessary to operate the service. When you run a GPS tracker app then it is entirely okay to ask for the right to process someone's position as part of that contract (as long as you don't share it with a third party).
There doesn't seem to be any problem with either totally free or paid services. The potential problem is with business models that are free in financial terms but instead rely on some form of data or advertising for their source of revenue.
Personally, I value my privacy. I don't tend to use services like Facebook, mostly because I don't want to encourage that sort of perpetual surveillance or volunteer that much data about myself (or encourage my friends/family/colleagues to do so for me) to be used for purposes I don't fully understand.
On the other hand, apparently there are literally billions of people in the world who disagree with me. Most people I know demonstrably are willing to give up some privacy in return for the convenience that Facebook provides to them.
Requiring such a business to allow users more control over how data about them is being processed is one thing, and there are pros and cons that reasonable people can debate in that area. But I'm not sure the EU has any moral/ethical right to dictate that business models that have supported highly successful businesses with literally unprecedented levels of popular support should no longer be viable, and the conditions we're talking about here look awfully close to allowing that.
>But I'm not sure the EU has any moral/ethical right to dictate that business models that have supported highly successful businesses with literally unprecedented levels of popular support should no longer be viable, and the conditions we're talking about here look awfully close to allowing that.
I would say that being popular does not correlate with being good and moral. Being successful does not correlate with being good and moral either.
>Most people I know demonstrably are willing to give up some privacy in return for the convenience that Facebook provides to them.
The patient is not always right. A lot of people would give up privacy for Facebook because in the Faustian bargain, the short-term benefit outweighs the long-term consequences.
Hopefully it specifies opt in instead of opt out. I can't tell you how many things I've forgotten to do while being conscientious because it was just so out of the way.
GDPR wants absolutely undeniable consent including that if you give consent, the corporation involved has to keep proof that you consented. It is very much opt-in.
Can you elaborate on what you mean by "doesn't end up like the cookie law"? I'm an American and don't have much awareness of this other than I've noticed that sites in the EU like the Guardian tend to have annoying banners saying they use cookies at the bottom of their splash screens.
Basically EU wanted sites to obtain consent to use users' cookies (and for the users to give/take away that consent). However, pretty much all the sites just decided to provide you with a banner saying something like "if you're using this site you agree to our cookie policy". Therefore the law became ineffective and just a nuisance to the users.
This notion of "implied consent" is being actively fought with GDPR. You have to provide explicit consent to the usage of your data. And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service).
With ePrivacy this will go one step further. Right now you only need to provide opt-out, which means most people will likely leave it as is. Going forward those additional services (marketing purposes, ad tracking) will need to be strictly opt-in (and there's already internal research done in some companies showing that marketing/ad opt-in rates will be 10-12% at best).
But what's the alternative approach to the cookie law? A yes/no consent page before your site, and if you click no, the user doesn't get to access it? Because that's basically the same thing, but even more annoying.
If you click no, a single, non-tracking cookie (i.e. "optout=true", not a session ID) is set, and you get to use the parts of the web site that don't require cookies to function (which, for 99% of the cookie banners I've seen, is all I wanted).
Furthermore, if I remember correctly, no explicit consent is required where the cookie has to be used for features the user requested, like a shopping cart.
So, if the law was actually written to require what it was supposed to require, and actually enforced, a web site operator would have the options to either:
a) implement an opt-out globally across the entire site to ensure no part sets a cookie and doesn't track them, with a high risk if you get it wrong, annoy every visitor with a modal yes/no before letting them onto the site (which would hurt your conversion rates etc.), where the "no" would be a meaningful choice that would still let them use your site, and there would be very little incentive for the user to click yes
b) stop tracking users unnecessarily in general
As it is written, the options are:
a) implement an opt-out globally across the entire site to ensure that no part sets a cookie and doesn't track the users, with a high risk if you get it wrong
b) slap an annoying banner on your web site
One of these options is significantly less work and allows you to keep tracking users, so guess what gets done.
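The opt-out flow described in the comment above, sketched as an added example that is not part of the thread: a refusal sets only a non-identifying `optout=true` cookie, a cookie for a feature the visitor asked for needs no consent, and identifiers are issued only after an explicit "yes". The function name `planResponse`, the `cart`, `consent` and `visitor_id` cookie names, and the route list are assumptions made for illustration.

```javascript
// Added illustration. Only "optout=true" comes from the comment; every other
// cookie name, the routes and planResponse itself are hypothetical.
const ESSENTIAL_ROUTES = new Set(["/cart", "/checkout"]); // features the user requested
const YEAR = 60 * 60 * 24 * 365;

// Parse a Cookie request header into a Map of name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// Decide which Set-Cookie headers a response may carry.
// choice is the visitor's click on this request: "yes", "no" or undefined.
function planResponse({ cookieHeader = "", path, choice,
                        newId = () => globalThis.crypto.randomUUID() }) {
  const jar = parseCookies(cookieHeader);
  const setCookies = [];
  const expire = (name) => {
    if (jar.has(name)) setCookies.push(`${name}=; Path=/; Max-Age=0`);
  };

  // A stored refusal always wins over a stored grant.
  let state = jar.get("optout") === "true" ? "refused"
            : jar.get("consent") === "tracking" ? "granted"
            : "unknown"; // first visit: nothing has been asked yet

  if (choice === "no") {
    state = "refused";
    // The single non-tracking cookie: same value for everyone, no identifier.
    setCookies.push(`optout=true; Path=/; Max-Age=${YEAR}; SameSite=Lax`);
    expire("consent");
    expire("visitor_id"); // revocation also removes the existing identifier
  } else if (choice === "yes") {
    state = "granted";
    setCookies.push(`consent=tracking; Path=/; Max-Age=${YEAR}; SameSite=Lax`);
    expire("optout");
  }

  // Needed for a feature the visitor asked for, so it is set regardless of
  // the consent state, but only on the routes that use it.
  if (ESSENTIAL_ROUTES.has(path) && !jar.has("cart")) {
    setCookies.push(`cart=${newId()}; Path=/; HttpOnly; SameSite=Lax`);
  }

  // Identifying cookie: issued only after an explicit opt-in, never while the
  // state is "unknown" (no cookies before the visitor has seen the terms).
  if (state === "granted" && !jar.has("visitor_id")) {
    setCookies.push(`visitor_id=${newId()}; Path=/; Max-Age=${YEAR}; SameSite=Lax`);
  }

  return {
    state,
    setCookies,
    showPrompt: state === "unknown",
    loadTrackers: state === "granted",
  };
}

// Constructed walk-through: first visit, refusal, then a cart page.
let n = 0;
const fakeId = () => `id${++n}`; // deterministic ids for the demo
for (const req of [
  { path: "/article" },
  { path: "/article", choice: "no" },
  { path: "/cart", cookieHeader: "optout=true" },
]) {
  console.log(req.path, req.choice || "-", planResponse({ ...req, newId: fakeId }));
}
```
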
Which is why there is the "And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service)." point - you're not allowed to deny access to a newspaper article if somebody does not consent.
You can only degrade when the user's denial exactly relates to the function of the service.
I have history turned off in Google Maps. I can’t name the points I make, it tells me I need to turn history and tracking back on. I hope that becomes an unjustifiable degrade.
I may have understood wrong, but it seems to me that for your maps degrade, the tracking may relate very much to the function of the service. How is the server supposed to remember the name you gave to each point without tracking you? Remember, there are many round-trips to the server when you're scrolling and resizing a map. They could always move point-naming override client side, but that's a pretty big change.
If you're made aware of the terms and can choose to leave, that's pretty much consent. Do you sign a paper agreeing to all the terms when you enter a car park? Of course not! It's a class of contracts called contracts of adhesion. [0]
EU consumer rights specify many (types of) terms that are considered unfair in various common contracts, so if they're included in a standard form contract offered to consumers, they're automatically considered null and void. I.e. it's a general legal principle that because such contracts aren't negotiated, there's one-sided leverage, and certain classes of terms are inherently abusive to consumers, therefore even if a consumer "agrees" to them and signs a contract including these terms, they shall not be considered binding.
GDPR extends this concept also to consent for processing private data - there are some ways how that consent can be granted and received, but contracts of adhesion are not (will not be when GDPR comes in force) one of them. In particular, GDPR specifies that anything included in such a "take it or leave it" contract is not considered "freely given" consent and thus such a contract does not and can not give you any rights to use that data, no matter what is written there.
The cookie banner does not put me in a "take it or leave it" position. By the time I get to learn of the terms—by any reasonable definition a prerequisite for consent—the other party has already set a bunch of cookies.
You're supposed to enumerate all uses of the data (and they need to be sufficiently detailed and specific). The user has a choice to opt-in/out of each of them separately.
There is currently no detailed description as to what the definition of "sufficiently" is. For example:
- can I use your data to build a targeting machine learning model?
- can I use it to target you?
- do I need specific opt-in for every model?
Most things in GDPR are not specified in order to both give flexibility to the sites and to reduce the number of loopholes (which are technically legal but against the spirit of the law). You need to decide on the implementation and be ready to defend it in case of an audit.
This is a corporate regulation, not a criminal case. When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws. I don't see why auditing for GDPR compliance should be different to auditing for VAT compliance.
> When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws
Not true. There are some countries where it works like this, but also countries where it's the opposite. In some EU countries this got ruled as unconstitutional. In some other countries, this got ruled by the highest court of law as unlawful.
> This is a corporate regulation, not a criminal case.
Most European constitutions don't limit this principle to criminal cases - actually most of the time it specifically says that it especially applies to interaction with government on top of criminal cases.
The industry decided to vacuum up every last little bit of data they could get their hands on. They've very much already been proven guilty. This is now probation for the industry.
TL;DR: sites were obliged to provide information and ask for consent when using marketing cookies. That is, cookies required for the site to work (e.g. session) were fine, but tracking/analytics were not. Everyone started to show banners saying "we use cookies [OK] [what cookies?]", users just got used to clicking OK on them, and almost nobody has any clue what this was all about.
You could see the cookie law as a gentle request for Internet businesses to self-regulate and limit unnecessary tracking. It didn't work (I don't know of any case when businesses decided to self-regulate themselves out of potential extra profit), so now GDPR is meant to force companies to stop their user-hostile data abuse.
> I don't know of any case when businesses decided to self-regulate themselves out of potential extra profit
Hello. I have moral objections to excessive tracking, and none of my businesses use things like retargeting based on tracking pixels, even though this would almost certainly improve the conversion rates for our online ads significantly.
There, now you've seen a case where a business self-regulated out of potential extra profit in exactly this area. :-)
Explicit consent is the principle I'm most curious (and pessimistic) about. It's one of those things that are very easy to describe in everyday terms, but almost impossible for legal enforcement to work with.
There are rules about things banks have to inform you of, or pharmaceuticals. On the academic side, this can be effective. Disclosure and making information public. On the consumer side it is almost always disingenuous. Small print meticulously written by compliance officers and reviewed by regulators. No one seems capable of stepping back and asking "are consumers better informed."
When internet service X wants you to know your card is about to expire, they make sure that you are informed. When a regulator wants you to be informed about cookies.... we get small print, and a nag screen making us promise that we read it.
It's pretty easy: the law says that you always have to set a willing action to opt in. There can be check-boxes, but they need to be unchecked by default ("privacy by default"). Simple. I have already received multiple communications from banks and credit card companies, and they are all very explicit about it and it was very easy to see the choices and the effect of the law.
I guess I can't go forward without reiterating the argument, so I guess I'll stop. But, I think considering it easy is naive, considering the mountain of experience to the contrary.
At least in Italy, this has been the way it works for years. When I sign something privacy-related I get at least two boxes: one for the treatment of my information for functional purpose (that is, "we can't even take this paper back if you don't give us permission"), the other for research and marketing purposes (that is stuff not essential to the performance of the service). It's working quite well, in my case at least.
Note: the following questions are not because I'm trying to figure out how to work around GDPR. They are to help figure out just what the meaning of it is. Imagining hypotheticals that try to work around a law is a common method in legal circles for clarifying the law. My employer does not keep any data that would be problematic, and compliance looks like it will be pretty easy for us [1].
> Explicit consent for non-essential data use, [...]
This raises a bunch of questions. Anyone know the answer to any of these?
1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?
> [...] you always need to provide opt-out without degrading the service
2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.
On the paywall, it offers to waive the subscription fee if you consent to non-essential data use. If you either do not consent, or, after consenting later change your mind and opt-out, is it "degrading the service" if I no longer let you have access to the material behind the paywall?
3. In #2, does it matter if that's how my site works for people that I can identify as being in the EU, but works differently for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?
4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.
If they say that they are not, I set a cookie that records this, and they get my normal site, which only follows whatever data collection rules my country imposes.
If they say they are, I just send them to a page that says EU people are not allowed to use my site.
What's the situation if someone inside the EU lies and tells me that they are not in the EU? Am I in violation of GDPR for keeping forbidden data on them, or does their lying to me count as consent?
[1] In fact, most of the data we keep on EU customers is data that we don't even want to keep, but the EU is requiring us to keep it for VAT MOSS reporting. Before VAT MOSS, all our EU sales went through a UK entity, and we paid UK VAT on all of them, which required much less information for reporting.
>1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?
If you use the data for bank transactions or PayPal subscriptions it's essential.
If you sell the data for profit, it might be essential but it falls under "opt-in only" of the GDPR. So in this part; not essential in the above sense.
>2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.
Subscription paywall is fine. What isn't fine is degrading the service if the user opts out of having trackers included in the website when they visit.
>3. In #2, does it matter if that's how my site works for people that I can identify as being the EU, but works different for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?
GDPR only applies when you target people currently in the EU (citizen or not) and EU citizens outside the EU.
>4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.
If they say no, I would say that is okay to believe considering the GDPR also requires a "Are you 16" question. Ask a lawyer.
Where is this specified? It's not what I understood from Recital 23†; as far as I can tell, it applies if the business is established in the EU or if the user is in the EU, but not to EU citizens outside the EU (if the business is foreign).
I read your link, and I think it depends on what "being in" means in the phrase "data subjects who are in the [European] Union". It could refer either to physical location (as in "I am in Germany") or to membership (as in "Germany is in the EU"), or possibly to both. I would also expect it to refer to physical location after reading this, but I'm most definitely not a lawyer.
> What's the situation if someone inside the EU lies and tells me that they are not in the EU? Am I in violation of GDPR for keeping forbidden data on them, or does their lying to me count as consent?
I don’t know the answer (interesting idea though). One thought came to mind: If you do it this way, you can only monetise your EU customers indirectly. As soon as you bill them, you’ll probably need to capture their address info at which point you know for sure they are in the EU. Yes you could argue it’s a non-EU citizen using an EU address while not being physically within the EU at the point of the transaction, but I wouldn’t think that would get a free pass in court.
> 1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?
IANAL, but intuitively, I'd say no.
In a technical sense, it's not essential: Even if your whole income is based on data reselling, your site wouldn't instantly become unusable the moment you can't collect any user data anymore. (Unless you deliberately make it so, but then that's your decision and not a technical necessity)
Yes, you will operate at a loss, but that is your problem as a business. It doesn't have anything to do with your ability to perform the service.
In a more general sense, basing your business model on data collection is your decision. There are other ways to make money on the internet. So if you have the option of finding other sources of funding, it's not "essential".
The jurisdiction stuff is disturbing. Having separate rules/rulings for Belgium, Turkey, Venezuela, etc... It's (a) not practical and will end up helping incumbents. (b) It really curbs the internet's ability to promote an open information norm.
Privacy is an issue and we need to do something about it. But, I have a real feeling censorship, corporate-protectionism, copyright and other agendas will tag along, once the legislature-courts-enforcement complex is up and running. The sorry state of international law/governance isn't helping, including even the EU.
Meanwhile, the recent history of legislative action (eg, the "cookie laws") is not encouraging. I don't think legislators were even aware that it would amount to nothing more than nag screens and terms of use. Don't use incognito, or every site will nag you again, your consent is mandatory and stored as a cookie, for extra irony.
Ultimately, these things would have been better dealt with at the standards/protocols/browsers level, but I think that ship has sailed.
I’m looking forward to the GDPR. It seems to target all the failures of the cookie law.
The GDPR will not allow blanket consent statements, it will not allow “permission bundling” (eg. allow access to everything or you can’t use the site).
The changes Twitter rolled out in preparation of the GDPR look like a good thing.
We’ll see how it turns out, but I think the GDPR will actually force companies to change, beyond cosmetic changes. And since it is valid for all “data subjects” in the EU, companies will have to consider that. The EU is too large a market that companies can ignore it.
> it will not allow “permission bundling” (eg. allow access to everything or you can’t use the site)
This is something I have not been able to come to terms with. I can understand requiring express consent to each item individually, rather than burying everything into a long ToS. But what I cannot understand is forcing me (as a service provider) into a contract with a customer even if the customer rejects some of my terms.
I think this is just a really hard one to solve....
Cookie restrictions basically amounted to an additional clause in terms and conditions, the thing we're disingenuously treating as a contract.
Realistically no one reads them, not even lawyers. That is the expectation they were written under. If people actually read before accepting, they would be 250 characters long. Very few services would put up with that much of a roadblock to signing up. Do you really think Apple would tolerate an average iPhone sitting unopened for months while the user has the "contract" sitting on their todo pile along with mortgage refinancing and insurance paperwork?
It makes a mockery of the whole thing, reductio ad absurdum for the whole concept of consent...with side effects.
The dynamic this has created is one where the "contract's" job is to reserve all rights that can legally be reserved. There is no trade-off, no reason not to reserve any right. It's just silly to treat these as agreements.
The idea with unbundling is to break this dynamic. Encourage some semblance of informed consent where the user is party to these decisions.
Giving users an all or nothing proposition is a part of the problem, along with the insane levels of user engagement in legal boilerplate that would be required for the system to actually work the way we're pretending it does.
That said, I think it won't work. We'll probably have a more complex version of the current system. Services will still have an incentive to obscure... and turn consent into a click-without-reading-or-fuck-off nag screen. They may just need 4 separate ones now.
IANAL, but if you deem the processing necessary, then you can use "fulfilment of a contract" or "legitimate interests" as your legal basis and argue on that. There's no "right" legal basis, and you can choose whichever you deem necessary.
This just now means you have to be pretty darn sure you're choosing the right one (because, you've always had to protect and limit the amount of information you collect and process, now it's just much more explicit).
As with everything GDPR (and most digital regulations in general), the large companies will win as they have the legal teams to draft the statements and scores of developers in order to get the UX process sorted (or argue their case in the event something goes awry).
It's already the case that many contractual terms will be considered invalid even if both parties agree. In the EU, there are also -- especially for B2C contracts -- a number of terms that are implied and can't be waived.
Examples include distance selling regulations (that provide the right of withdrawal) and limitations on what's considered an acceptable mid-contract price increase. GDPR adds extra restrictions on what privacy rights businesses are allowed to require consumers to opt out of.
So if you've done it correctly, the customer isn't rejecting your terms: they're exercising their options under the contract you've offered them.
Yes, ideally the customers would send back their modifications of your EULA, and then you would negotiate a new contract to the benefits of both of you or not do business with each other.
In practice, this seems difficult and the relations of power in modern EULAs are fairly asymmetric. For example, in many areas there is only one provider of some needed service, like e.g. an ISP. Partial contracts and a certain emphasis on customer protection seem like a reasonable compromise.
GDPR requires consent to be freely given. If customer A rejects the terms and you "walk away" and deny the service, then if customer B clicks accept, you still can't interpret it as freely given consent and nothing customer B does will give you the permission to process customer B's data.
The GDPR position is that the privacy rights are not something that customers can "trade away" in a contract, they're not for sale. If the customer genuinely wishes you to do that processing, you're allowed to do so; and if they don't, then that processing shouldn't be done at all.
The way it's written it has some similarities with sexual consent - just as a valid signed contract stating "I'll allow you to violate my arse for $1000000" legally cannot be a binding contract term (even in places where prostitution is legal) doesn't really give you the unconditional permission to violate my arse and that consent can still be withdrawn at any time; in the same manner a contract stating "I'll allow you to violate my privacy for $1000000" cannot be a binding contract term in any consumer contract according to GDPR. Just as many, many other terms in EU consumer contracts (e.g. binding arbitration clauses, voiding of warranties, excessive penalty clauses, unilateral changes in terms, etc) - even if the company puts it into the agreement and the consumer signs, they are considered automatically unfair and unenforceable.
> GDPR requires consent to be freely given. If customer A rejects the terms and you "walk away" and deny the service, then if customer B clicks accept, you still can't interpret it as freely given consent and nothing customer B does will give you the permission to process customer B's data.
Are we conflating two things here?
There are agreements which you ask the customer to sign which are required to provide the service: e.g "In order to send you the goods you required, you have to give us your postal address. These must only be used for the purposes of the business - you can't sell the addresses, without consent.
Then there are consents which are for non-essentials. e.g "We would also like to send you our newsletter and for that you need to give us your e-mail address".
The agreements are things that everyone needs to sign in order for you to carry out the business with them. Consents are the optional things and should be separated out.
You're right, that's the whole point - the commonly accepted (pre-GDPR) practice conflates these two things; and GDPR now requires them to be separated, which is a major change both in practice and in attitude.
You can have "take it or leave it" agreements, and you can have consent, but these are two separate things; it's not possible to obtain consent by putting some words in a "take it or leave it" standard agreement.
Idk... Some of it could be good, but a legislative approach like this could just turn into a compliance bureaucracy that doesn't help much, but has all sorts of side effects. A lot of people are keen on industry regulations (which GDPR sort of is) but I think are not aware of (a) how bad the bad ones are and (b) the very dominant corporate/incumbent bias they give a market. You can't start a financial firm, tobacco company, etc. There are good sides to that, but some serious (and largely unacknowledged, at least in Europe) aspects to it too.
I realize generality and such get in the way of this, but... I think it would have been better if this move specifically targeted the 100 biggest companies, who have the scale and resources to actually use all this tracking data.
> A lot of people are keen on industry regulations (which GDPR sort of is) but I think are not aware of (a) how bad the bad ones are and (b) the very dominant corporate/incumbent bias they give a market.
I think rather than arguing in general terms that regulation is bad, it is more helpful to address any specific problems you have with GDPR. I've spent a few months looking at it at a small organisation that is having to implement it. My take is that its goals and the way they are implemented look pretty sound.
I don't think that I did. Just pointing out some recurring themes, generally. We don't have that many examples and "regulation" is a fairly squishy category. But, I think anyone who's worked in a business where the word "compliance" comes up regularly has a clear idea of what this means.
Incumbent friendliness is a real concern. In my experience, it is taken as a given by industries facing potential "regulation".
The other side of that is how much mental energy do you give to the ways companies are allowed to lie or mislead. If you’re renting an apartment is the sticker price what you’ll actually pay or are there admin costs both to starting the contract and every month. The UK has recently started to crack down on excessive charges relating to starting a renting contract, with broad positive support.
Idk if it's a case of mental energy. The legal/regulatory toolkit just isn't good. Every little point needs to be detailed, legible and explicit in order to be enforceable. "Informed" just isn't a yes or no point. Boiling it down to such an explicit set of requirements... you can easily boil out all the nutrition.
Oth: it's a calibration process. If the regulations are too onerous, we can loosen them again, or companies will spring up that make compliance easy. https://www.chargebee.com/ solves the European VAT nightmare for example, until we have harmonization on that front. Is it inefficient? Depends on your model of the world: I'd rather pay a bit more for my goods/services and know that my privacy and data autonomy are preserved, and some people might argue that having the freedom of fiscal policy in differing regions is worth paying chargebee their premium. And if we figure out a way to slide into a better pareto point, cool.
> I realize generality and such get in the way of this, but... I think it would have been better if this move specifically targeted the 100 biggest companies, who have the scale and resources to actually use all this tracking data.
Then they'd outsource it, hide it, whatever. See: tax laws. Law is like exercise, you can't specifically target abdominal fat, nor can you specifically target Fortune100 excesses.
I don't have too much confidence in calibration. The legislative/regulative systems we have are not great at that. Legislation is principled and inflexible. Flexibility requires a more unprincipled, goal oriented approach. Also, goals (mine, anyway) like openness, cosmopolitanism, low barriers to entry and even playing fields... These are hard to measure.
In almost all cases, industry regulation (what this is, more or less) tends to be incumbent friendly. Ie, we could be moderating FB slightly in exchange for killing its future competition.
The jurisdiction stuff is disturbing. Having separate rules/rulings for Belgium, Turkey, Venezuela, etc...
It's (a) not practical and will end up helping incumbents.
(b) It really curbs the internet's ability to promote an open information norm.
I find it disingenuous of Facebook to be serving all the EU equally, then claim that Belgium's jurisdiction doesn't cover them because they're based in Ireland. That sounds like having your cake and eating it.
I agree, but they're swimming in disingenuous waters. Surely, they can't run 100 versions of the site to suit 100 legislative/court systems. Well, maybe Facebook can. Can Tinder? What about the next Facebook?
Maybe there can be no next Facebook (as in, one multinational actor in a position of monopoly on one type of service) and maybe that's not a bad thing.
If the only way to have the same kind of service from now on is to use a network of separate entities each smaller than Facebook and interoperating between themselves, it might be a good side effect of the law.
What I fear is that there is no next FB because fewer people can "enter the market" that in this case is necessarily international .. can't because you need to start with a team of lawyers and compliance officers.
FB is unlikely to get injured. They're big and rich and have a deep moat. It would take a lot to shave 5% off its revenue. Making a potential FB competitor restrict itself to a smaller market, and a more localized service... It doesn't take as much.
Yes, such rules would make companies focus on specific local market first and expand slowly. I'm not so sure this is a bad thing. As you said, it doesn't make a difference to existing big companies. Slower growth for new ones could make it more likely we end up with different competitors in different markets (fb west, vk russia, ...) instead of a single winner taking it all. And if some potential ideas won't make it cause of slower growth and some more administrative overhead, I still prefer that over some large foreign evil empire pushing its social norms onto my country.
Few people already could "enter the market" given the enormous resource requirements to compete with Facebook on its own. That's not a regulatory thing; that's just a reflection of the reality that these large companies have massive amounts of resources, and similar amounts are needed to effectively compete.
I think we may be talking past each other. No one can beat FB directly, with a half-decent chance of success. Lots could, with a very low chance of success.
If lots of people can "enter the market" then one of these might succeed. FB is just an example, but I also mean them. Most of these potential fb-killers don't know that they're competitive with FB.
Think of WhatsApp (again, just an example). They entered the market, at an angle. Within a few years, they threatened FB enough to get bought, just to eliminate the threat.
The end result isn't all that heartening, but everything up to that is. I'm not saying GDPR makes this impossible, just worried about the accumulation of these things. Even a handful of reasonable rules could make things harder, especially if they are different in every country. WhatsApp might have decided to focus on a few core markets, and limited their idea to more local things.
> The jurisdiction stuff is disturbing. Having separate rules/rulings for Belgium, Turkey, Venezuela, etc... It's (a) not practical and will end up helping incumbents
I don’t think so. Only really large corporations are able to serve all areas anyways. Most small companies in the world already cannot afford to serve multiple jurisdictions.
If you run a blog, yes, the global nature of Internet ensures that. If you're running a business, you must abide the law of every jurisdiction you operate in. Companies invest lots of money and effort doing this, from operational (having a physical presence in each region) to technical (e.g. how Amazon has separate sites for each region).
Lawlessness also produces some good things, that people like. Most people are not fundamentalists, so idk if libertarians looking for theoretical purity are all that relevant (especially here in Europe).
One of the things lawlessness produced was internationalization and de-censorship of media. That hasn't been without cost, we've had several (mostly failed, but still) political revolutions as a consequence, from Cairo to Hong Kong. At the heart of it was the ungovernability. Countries had to deal with a more or less "take-it-or-leave-it" proposition. China was the first to really break out of that restriction, and I don't think it's a coincidence that (a) a powerful country led the charge or that (b) political censorship was the leading reason.
Another benefit (again, in my view) was a relatively open playing field, commercially. We're worried about power concentrating in the few hands of FB, Google, and such. But, the internet economy is still a lot higher resolution than most other markets. The big markets are usually highly concentrated (eg, supermarkets, FMCGs, financial services, media, logistics, transport...) or practically confined to small scale niches: local services, real estate...
I think we've been getting cynical about this as the winners dig in, but the internet really has been a place where part time tinkerers could compete with $bn mammoths.
This is not an anarchist statement, or part of an overarching political ideology. There are, as you say, tradeoffs. There are choices that can create more or less good or bad.
Anyway, let's not count chickens just yet. We've seen China regulate the internet effectively for political control and industry protectionism. We've yet to see any country be effective on privacy. We've got the GDPR playing out this year. We've got more active courts & legislatures. Let's see if privacy actually improves.
The worst case scenario is that we end up with all the negative trade-offs, but all we end up with is a privacy bureaucracy that doesn't affect privacy much.
Remember that we've seen one (IMO) embarrassing failure go unacknowledged: the cookie law. We got nag screens and compliance audits. We didn't get any privacy.
Having jurisdictional restrictions on things like tracking cookies and other invisible forms of surveillance doesn't prevent the internet from working, it does interfere with malicious business models though.
I agree, national politics is the only politics we have. But, the internet does not exist within national confines, and I don't want it to.
In this case, I like the court's decision and FB is big enough to deal with it. What about a much smaller service dealing with Polish censorship laws, Turkish political content laws and 12 incompatible EU privacy laws. It can only end in either (a) overall ineffectiveness or (b) internet balkanization.
Should Facebook also respect laws in Thailand and remove content for lese majeste? If I lease out a server in the US for $10/mo to serve my blog, should I?
Facebook following Belgian law isn't the issue; the issue is that jurisdiction questions have to answer a lot of less-palatable questions the same way.
One of the good things about HN is that the engineers working and building these features are likely reading these posts too, I'm curious how one implements these things. Are engineers (some of the brightest ones) not realizing that some of their actions are ethically questionable, or is the big picture not visible to the average engineer in a large company like FB? I assume that many have the exact same reaction and don't think it's okay when discussing this topic - can hardly see anyone defending the current status quo.
In an ideal world, engineers would be perfectly ethical. But, you know, said hyperbolically, sociopaths can be engineers too. You should not induce from your own values to people in general.
Even apart from people without any values.. most engineers don’t hang out on HN, and don’t care much about global scale politics. They care about things that affect them in a very immediate way - family wellbeing, friends, coworkers, and how to pay the bills. I think many don’t infer how much of an impact their actions actually have, since they are „only spokes in the wheel“.
* Turn up to job. Nice people, good desk, good canteen. Benefits good.
* Work is interesting - working on cutting edge, dynamic web experiences that are changing the way we interact with people.
* Solved a knotty engineering problem today. Was very pleased, boss was impressed.
* Shipped product today. New sprint starts tomorrow. No defects!
The actual implications of any one feature, the borders between personal data and pure engineering problems blur. Your effort is only a small part of hundreds of effort-hours taken to ship and maintain a product. The decisions about where the lines are drawn were taken months or years ago by people who may or may not be at the company and who were also probably just trying to solve the problem that was in front of them.
You, the engineer, are never sat alone in a room with a user story that breaks GDPR for a product that is fully compliant. The future of the product never rests with you and only you.
Your post resonated with me, and it might be the social construct of being part of a large organization that allows these things to happen without any single one individual feeling responsible or in the wrong.
Years ago I remember hearing about the Normalization of Deviance and in many ways that's exactly what we see. Even Facebook's argument of others do the same is in alignment with such normalization. If everyone jumps in a well, would Facebook do the same?
One thing that always stands out to me on HN is how obsessed Silicon Valley is with money, from top to bottom. There's plenty people on here that would happily implement invasive tracking if they were compensated well enough for it.
Was about to post the same. Ghostery for me reports 22 trackers on the website, 3 of which are from Facebook, including the "pixel" tracker that is mentioned in the article.
Ghostery was bought out by another company looking to expand a privacy browser, but the original firm (now called Evidon) is in the business of data mining information from Ghostery plugins -
"Ghostery’s B2B Digital Governance solutions will reassume the company’s original Evidon brand, which focuses on monitoring and consent solutions ...Evidon will retain aggregated data about trackers, ensuring no change to the service currently provided to its enterprise clients..."
What is Facebook's end game here, I don't get it. GDPR is around the corner, it certainly won't fly under GDPR so why the jurisdiction argument even, the days for tracking people without consent are numbered - a rational organization would realize this.
I would think just say ok we stop doing it because we're going to have to stop doing it anyway. But they're not stopping, what is the plan?!?
If Facebook's business model is built around collecting and selling personal data, and more than 4% of their revenue globally comes from EU citizens, then they could decide to wilfully flout GDPR and just pay the maximum fine every year.
Another way they could deal with it is by disputing the EU-US privacy shield[1] or disputing the decision that overturned the original privacy safe harbour[2]. IANAL so I have no idea how they would do this, but it will be costly for ECJ and FB.
If a court rules that something you're doing violates the law, then that also means that you actually have to stop doing it. Not stopping with it would be a felony.
So, you can't just continuously pay fines whenever a court rules another time that it's illegal. The fine for a felony is much higher and at some point, you'd also simply be thrown out, or blocked in the case of Facebook, I suppose.
I keep reading this statement that Facebook sells personal data. Where is it stated that Facebook does this? Where is this fact of information defined?
My impression is FB allows targeted advertising without selling anything. In fact, why would FB sell their most valuable asset?
A fine doesn't imply that you can continue processing the data. GDPR also requires them to stop handling all such data if they don't have a legal right to do so (since the default case, if they can't show a valid legal reason, is that they're not allowed to do it).
And that's a maximum fine for a particular decision not the maximum fine annually. They can certainly be fined once and ordered to stop processing the data within, say, 30 days; then fined once more after the 30 days have passed for noncompliance with that order, and then so on.
There also is personal liability for the responsible executives and employees who'd be violating the regulator's order.
What's even worse is that they are effectively shafting everyone using their pixel to track sales through Facebook. If my understanding of GDPR is correct, Facebook's clients are liable under GDPR because they are giving their customers' data away (Facebook is data processor in that case). Facebook maintains 100% radio silence over it, and even if they come up with something tomorrow, it's too late for many to become compliant in time.
Any delay is money, so Facebook doesn't have an incentive to comply early. It makes more sense for them to appeal until all legal options are exhausted, even if it is clear that they will lose the lawsuit.
A sale or merger of the company. Maybe a company like MSFT or Google would buy it, along with all the data. Just think of the integration opportunities!
By saying "cookies and pixels" they are trying to downplay what they are really doing.
On a website where Facebook pixel is installed, they track pretty much every form submitted and even the contents of those form submissions.
I think you are dramatically overestimating the value that you might get from form submissions, provided you are intending to commit identity fraud. Which literally no-one is suggesting ad tracking is doing.
In order to make these decisions enforceable we need to collaborate with ISPs to anonymize traffic. Government action is necessary.
I've contemplated far too long on this problem and there's no other solution. You can make them say that they don't store your data, but that's pretty much always a lie. We can build browsers that reject cookies, but you can't get rid of your IP. All these services can simply track you through your IP. A significant change in networking infrastructure is required, and I'm hopeful that quite a few countries will resort to that soon for reasons of national security.
There are many situations, think university or corporate networks, where you cannot rely on the IP address for tracking. There are ISPs that don't have enough IP addresses for users so they many-to-one NAT them and most users won't even notice.
Even behind an ISP or corporate NAT with cookies disabled, there are other ways of tracking. If JavaScript is enabled, browser fingerprinting can be very disturbing in its ability to single you out, depending on your configuration.
More generally, I always found this obsession with tracking non-users one of the creepier aspects of Facebook when I finally used it circa 2011 - 2012. The amount of information it had about me that could only have come from web browsing before I had signed up, such as local takeaways and restaurants I had used, was impressive but unnerving.
What do you mean? Isn’t this verdict a pretty good example of how the law actually is enforceable?
For Facebook to lie in such a lawsuit would require hundreds of their employees being willing to lie under oath. It just doesn’t make sense, considering they would risk harsh criminal sanctions and have only their usual salary as an upside.
As for IP-based tracking: if it were as effective as cookies, websites would use IPs and not cookies.
> For Facebook to lie in such a lawsuit would require hundreds of their employees being willing to lie under oath.
Actually it would only require a handful of people hiding the truth. Given how most of Facebook's development is done in the US and not in Belgium, they won't even have to appear in court.
Also IP-based tracking is very effective, and it's used alongside cookies. Nothing beats cookies with JavaScript, but IP will do just fine, especially for companies like Facebook and Google who can track you on pretty much every click you take.
Good thing the EU exists as a human rights and consumer watchdog, even if some may argue the protectionist angle, as the US is sure to do f all about it.
My question is, will I be able to use Gmail without my Google searches being tracked?
Google did a great job to "bundle" its ToS into a single generic agreement for all the services under that "Your Google account" umbrella.
I would love to opt out of that agreement, retroactively, and still be able to use Gmail.
It would seem that GDPR requires this ability to exist. Let's wait a few months and see what actually comes out of this and how Google will handle that; AFAIK they haven't laid out how exactly they will comply.
You can't interact with Google in any way without being tracked. Use DuckDuckGo and another mail service like ProtonMail or your own self hosted solution.
I would also strongly recommend not using Gmail. Google sifts through your e-mails, which compromises a cornerstone of your digital identity. People needing to send you an e-mail will also seldomly appreciate their e-mail being read by Google.
To answer your question, though, if you live in the EU, then the GDPR, due to be enforced on the 25th of May, does make this practise of Google most definitely illegal. So, in like two years from now, when the lawsuit regarding this concludes and Google is actually forced to follow the law, then you should be able to.
If you still cannot be convinced to drop Gmail, there might be a technical solution to your problem, too.
For Firefox, there's an official extension called Multi-Account Containers, which allows you to have different sets of Cookies in different groups of tabs. And you can tell it to always open certain webpages in certain containers.
Then click the new Multi-Account Container button in the toolbar and from there open a new tab in a Container (you can also create a Container specifically for this, if you want).
Then in this new tab, open up Gmail and log in, and again click the Multi-Account Container button in the toolbar and tick "Always open this website in ...".
Finally, open up a new (non-Container) tab and log out from Google there.
> Google sifts through your e-mails, which compromises a cornerstone of your digital identity. People needing to send you an e-mail will also seldomly appreciate their e-mail being read by Google.
Google doesn't "read your email", they index it. Which allows you to search it. And then they show ads that are targeted to keywords that appear in the index. Gasp!
I seriously don't understand what the big deal is. Genuinely, what is the risk or concern here?
And I really doubt that GDPR is going to kill Gmail. They need that index to provide the search capability, if nothing else.
I think many of you who are fans of GDPR are going to be gravely disappointed.
Well, tell me what the big risk or concern of a Google employee sitting down and actually reading your e-mail is?
Them indexing it, correlating it with all that other data they already have on you, storing and actively working with this data, including allowing 3rd parties to run near-arbitrary JavaScript on your client, based on near-arbitrary criteria they can specify, is in my opinion much worse.
Opens you up for this data being stolen off of Google's servers and for all kinds of attacks:
- Spear phishing
- Narrowing down the criteria, so that it only targets you, then reading out the IP that you're connecting from. If you're travelling from public WiFi to public WiFi, this can describe your path extremely precisely.
- Malware distribution in those ads. As the ads can be targeted to relatively small groups, they aren't going to be as thoroughly vetted and malware can go unnoticed for quite a while.
As for the GDPR killing Gmail, that's not what I meant. They'll have to make a good few adjustments, but they'll be able to continue operating it.
What I meant is killing Google's practise of having every question of consent being ticked off with one global ToS. That is something where the GDPR is quite clear that it's not legal. You have to ask for consent for each piece of information individually (exempt is information that you actually need to operate the service) and you're in general not allowed to bury questions of consent in ToS.
Morals and ethics are just a temporal deterrent in a social markup. We should grow out of that fallacy and start facing issues directly. Until this is not technically impossible to achieve, we will keep going down this path.
It seems like there have been many recent setbacks for FB on the privacy side. When do these setbacks begin to have material impact on the stock price?
I'd be surprised, if it hasn't yet had an impact. As you say, there's been a lot of losses for Facebook recently. I think, we're now up to 4 rulings of Facebook's data use being illegal in the past two weeks.
People considering buying stock and people owning stock should hopefully be informed enough to have noticed this.
There's also the GDPR upcoming in May. I cannot imagine that Facebook won't make losses when that hits. They might be able to defer the impact by mostly ignoring the law until they get sued, but ultimately it really just seems like it's going to be downhill from here on, which is not what anyone looking to buy stock is after.
You know, I am a pretty staunch supporter of minimalistic restrictions on corporate behavior, putting faith instead in markets. But this seems like the kind of problem I'd consider looking to solve through legislation.
Although I should say, not without hesitation, given the extreme discrepancy between rates of change in tech and law. I would hate to see seemingly well meaning legislation passed for something like this and then turned against us by our friends at the NSA, for example.
If you're a supporter of minimal legislation then what's wrong with the courts handling it, as in this case?
A major tech company tracking users across the web beyond their own limited use-case platform is a relatively new phenomenon but now that it's been established in the courts as a big financial and PR risk then there is a big deterrent from future companies doing it. And often courts in other western countries take note of precedent defined in major foreign courts to define their own.
Formalizing this in legislation always seems to sound like a good idea in the short-term. But in practice it's often really hard to define preemptive regulatory systems that work efficiently (and relevant to today's realities), especially in technology, as well as more expensive to enforce via agencies/auditors, and will likely end up wastefully crossing over into many areas/situations which are totally harmless in practice or having negative side-effects which outweigh the benefits, such as harming innovation.
I'd rather we deal with negative behaviour on a case-by-case basis.
The enforcement of laws matters just as much as the quantity of the laws in my opinion. In this case the argument being made by Facebook is basically "everyone does this so why are we being selectively targeted?" Obviously it makes sense to start with the biggest offenders but it's hard to believe that the EU's apparent tunnel vision on applying the law to American companies is because of a lack of resources.
But Facebook and Google are the biggest and most flagrant offenders. It wouldn't make sense to go after anyone else first, and you want to have a precedent so you can go after other companies (or other companies will stop committing crimes of their own volition because being litigated against is expensive).
As for your belief that American companies are being unfairly targeted, this also doesn't make much sense to me. European companies wouldn't break the laws in the first place, Asian companies don't really compete in the European "web services" market, so the only major source of rights violations is going to be American companies.
If American companies don't want to follow European laws, they shouldn't be doing business in Europe. And why are you complaining about in which order those companies are being punished for breaking the law?
>European companies wouldn't break the laws in the first place, Asian companies don't really compete in the European "web services" market, so the only major source of rights violations is going to be American companies.
European companies are just as capable of violating the law as American companies. Part of the argument being made by critics is that there's been little sign that comparable effort has been made by European governance to investigate its domestic companies as rigorously as it's been investigating America's.
>If American companies don't want to follow European laws, they shouldn't be doing business in Europe.
The counterpoint would be that the companies are only breaking the law because the EU decided that its laws can be applied globally.
>And why are you complaining about in which order those companies are being punished for breaking the law?
Because it's difficult to believe that there's only enough resources to prosecute a handful of companies at a time.
> European companies are just as capable of violating the law as American companies.
I never said they aren't capable, I said that they would generally choose not to (not to mention that "hosted in Europe" is actually now becoming a bit of a selling point because of the pro-privacy regulations there).
> Part of the argument being made by critics is that there's been little sign that comparable effort has been made by European governance to investigate its domestic companies as rigorously as it's been investigating America's.
European regulators are very strict with European companies in a variety of ways. Just because it doesn't make international news every week is not proof that it doesn't happen (I work for SUSE remotely and my impression is that the German government is very meticulous about verifying that companies aren't breaking the law.)
> The counterpoint would be that the companies are only breaking the law because the EU decided that its laws can be applied globally.
Facebook and Google do business with people in Europe (provide a service and use them as ad-fodder). This is similar to exporting goods to Europe -- you need to obey the laws of the country if you want to do business there. They actually have an even better deal than that, because there are no tariffs for online communication! Not to mention that Facebook and Google have physical hardware in European countries.
They aren't enforcing their rules globally, they're saying "if you want to engage with our citizens you have to play by our rules." Facebook and Google can always choose to block those countries (like they do Iran).
> Because it's difficult to believe that there's only enough resources to prosecute a handful of companies at a time.
This case was by a privacy watchdog, a private organisation. I find it very believable that they don't have enough resources to sue the likely several thousand American companies that are potentially violating EU laws. I also would be surprised if the Belgian government had enough cash lying around to do that too.
> European regulators are very strict with European companies in a variety of ways. Just because it doesn't make international news every week is not proof that it doesn't happen (I work for SUSE remotely and my impression is that the German government is very meticulous about verifying that companies aren't breaking the law.)
The obvious counterpoint here is the Volkswagen emissions scandal. Europe generally went "oh, maybe we should make it harder to cheat on emissions" whereas the US went "here's the fine for not meeting emissions, here's the fine for cheating, oh by the way, you can't sell these cars anymore since they don't meet emissions, and mind the class action lawyers on your way out." That said, it could well be the case that the EU would have been equally nonplussed had GM been the heart of the scandal instead of VW, but there is room to argue that Germany isn't treating domestic companies with the same vigor that it does foreign ones.
I think that's a fair point, and I completely agree that the emissions scandals were horribly handled by the EU. For the record though, Germany actually did an arguably better job than the EU commission (actually doing investigations into the fraud and raiding several car companies), while the EU appears to have done very little.
But neither has done as well as Switzerland (banning VW diesel cars entirely), South Korea (criminal case against VW executives), Netherlands (class action and investigating the reacquisition of the subsidies paid to VW previously), Australia (forced recalls and class action lawsuits), or America (as you've already mentioned).
I don't know whether the car industry is the best example of "EU interventionism" done right, given how central the car industry is to Europe's economy (which is a whole different issue). I'm not sure whether they would've treated non-EU companies differently.
> Because it's difficult to believe that there's only enough resources to prosecute a handful of companies at a time.
The decision in question was in a civil suit. The suit was brought by a "privacy watchdog" organization that's presumably at least partially government funded to investigate cases like this, but that doesn't prevent anyone else from suing as well.
So if you know of a European company with similarly privacy-violating practices, what's stopping you from filing suit? Or if you're not an EU citizen, you might still be able to get some less corporate-friendly group to investigate.
Your point is valid but it's also separate from the situation I was discussing. The response you quoted was general because the statement I was reacting to was written generally rather than specifically about this one instance in isolation.
> If you're a supporter of minimal legislation then what's wrong with the courts handling it, as in this case?
Simple: that the courts won't handle it. It is not reasonable to expect either customers or the courts to actively go after companies that use this sort of tracking internationally.
They can go after companies with a global presence, by doing so locally, and of course because these companies will actually fight it instead of just ignoring them. So Facebook is a target of convenience, but convicting it will not yield any results (if necessary Facebook will just use an intermediary, besides Facebook is being targeted because politicians like to stick it to Facebook atm).
You can say "just change the law", but a lot needs to happen beside that to make this practice stop. None of that is happening, so this practice won't stop as a result of this. It's just a PR grab for some politicians.
We have lots of restrictions on corporate behavior because markets do not solve human problems, they solve corporate problems.
The corporate response to long hours and low pay is to put up suicide nets. In the U.S. we have minimum wage, hourly restrictions, break, and overtime laws.
You can't trust the market to weed out bad players when the bad players are the ones with enough money to buy public perception and government influence. You have to force them to do the right thing through legislation.
You act like corporations are totally divorced from the people that run them. You also ignore how comfortable in-demand white collar work in many industries can be, and non-government movements toward shorter workdays in certain European countries.
You also seem to neglect that the government all over frequently takes advantage of its position in ways that make things worse for society.
The thing about corporations, though, is that with minimal regulation, they can be forced to compete, and ultimately bad ones are orders of magnitude more likely to change or die than any given government. In fact I'd argue that a constant churn of negative companies is still better than some of the worst tyrannical states that ever existed, by a large margin, because of the forces of competition.
>Although I should say, not without hesitation, given the extreme discrepancy between rates of change in tech and law.
The law is already far behind in this case. It implicitly assumes all databases allow for a CRUD workflow. But now we have blockchains/distributed databases where the UD part of CRUD is literally impossible. It will be very interesting to see how the courts deal with personal data stored in this manner...
> You know, I am a pretty staunch supporter of minimalistic restrictions on corporate behavior, putting faith instead in markets.
Why don't you put your faith in data? If you're an engineer that's presumably what you're already doing in every other respect of your life. It doesn't seem to me that starting out already having decided on what the best approach is will lead to the best decisions.
Minimalistic restrictions work if you also help to ensure a working marketplace with healthy and robust competition. When few players dominate the marketplace, even if they are not technically "monopolies," the market is dysfunctional.
I'm genuinely surprised that in this thread we're not seeing the usual idea that this is just the oppressive EU trying to exploit poor American companies.
Is it because the article relates to evil Facebook and not Google?
So if a court in country X finds that tracking non-FB users is illegal, the Americans should side with the criminal because X != USA? Google and FB are the biggest companies that do these illegal things, so it is obvious that citizens and organizations will sue these big companies and not some obscure forum in country X (if there is such a small company that can even track users outside its own website).
Also give me examples of EU companies that track users on most of the internet.
> So if a court in country X finds that tracking non-FB users is illegal, the Americans should side with the criminal because X != USA? Google and FB are the biggest companies that do these illegal things, so it is obvious that citizens and organizations will sue these big companies and not some obscure forum in country X (if there is such a small company that can even track users outside its own website).
Not sure if I understood what you meant. I'm not saying that they should, I'm saying that they often do. At least on HN.
The US has many internet and software companies: you have FB, Google, Microsoft, Apple. I can't even name an EU company; I know that SUSE Linux is in Germany. So it makes sense that on the HN front page you will see these big companies and not some small EU company.
As an example in Romania, Microsoft was caught doing illegal things, they corrupted government people to buy tons of licenses, we should not wait for an EU company to do the same before investigating this MS issue. The fact that some other companies also bribed some other people should not affect the MS case.
I am not sure if the MS case even reached MSW top page, but if it were some small software company outside the US it would not appear on HN at all, only in the local press, so the HN front page has a bias for big US companies.
Again I didn't understand what point you were trying to make. That small companies outside the US don't reach the front page of HN? Of course not. Is that your point?
I think it's because most people in this community (hopefully) see invasive tracking as being a terrible thing, which is why most of us run ad-blockers.
Even if thousands of businesses across Europe depend on tracking users, I do not think it's enough of a reason not to fight against it, and I would be very happy if those businesses go belly up tomorrow if tracking is outlawed. A business so dependent on completely immoral, outright evil intrusive surveillance does not deserve to be kept alive by exploitation of our rights.
I was jokingly referring to recent tariffs announced by the US administration, trying to think what a potential retaliatory action from the US gov could look like. By the way, tax doesn't have to be % only, it can have an absolute minimum too.
If it is "industry standard", does that make it ethical?