Unfortunately that doesn't stop my friends and family from uploading my name, various home, work and mobile numbers, email addresses and photos of me to Facebook when they install any of their apps or choose to let Facebook "Find your friends". Ideally that feature should be renamed "Fuck your friends privacy".
I still don't understand how that kind of feature is even remotely legal under the data protection laws in most if not all EU countries. I suspect that it isn't, but the under-staffed and under-budgeted privacy regulators don't want to pick that fight with an organisation as powerful as Facebook, even though it is exactly the kind of fight they should be picking.
I believe the real crux is that if any data protection law is voilated by passing on your details via a friend that the whole onus of responsibility is laid soley at your friend via some EULA and the like they never even bothered to read.
So in short it is your privacy laws and rights being violated, though by your friends on behalf of Facebook and the like. Morally wrong on Facebooks part as they know what they are getting but legally, they are covered more than your friends who have facebook who grassed you up to Facebook. Could call it viral peer micro marketing list scraping. I call it bad form.
I believe the real crux is that if any data protection law is voilated by passing on your details via a friend that the whole onus of responsibility is laid soley at your friend via some EULA and the like they never even bothered to read.
It doesn't work that way. The usual EU legal position, absent any special case, is that any entity acting as a data controller is subject to data protection rules.
Given explicit consent by the subject of the personal data, Facebook might have a way around this. I could believe they escaped with legalese in their terms and conditions for anyone who has a Facebook account themselves, for example, whether or not we might agree with legislation that allowed them to do so.
That would not cover data about anyone else who had not given such consent, however. I suspect they'd also have trouble arguing that position for any subject who had previously had a Facebook account but had ceased using it and effectively withdrawn their consent.
(Just to be clear, I'm not any sort of lawyer. I'm just a guy who runs businesses that sometimes deal with these issues in Europe, so I'm broadly familiar with the rules and I've taken advice from real lawyers about some aspects of them.)
Edit: It's possibly also worth noting that the EU doesn't have a general rule prohibiting all collection of personal data without consent, nor a general rule compelling a data controller to delete data on request. The situation is more nuanced than that, and has all kinds of legal wriggle room.[1] The question is whether Facebook's lawyers are somehow using that room in this sort of situation, or whether they're just hoping they'll get away with the behaviour even if they aren't sure it's legal.
Wait do in the EU you cannot disclose things like phone numbers without permission of the numbers owner? So if I told my brother the phone number of my mother without her permission I could be charged by thee state?
The rules about registering as a data controller and restricting the use of personal data usually apply to organisations rather than private individuals, so as far as I know, the kind of situation you describe isn't illegal anywhere in Europe. Similarly there are different rules for things like non-profit community groups and the like.
A company doing the same thing, however, might need either the consent of the data subject or a good reason to process or disclose that data without consent. The actual laws cover this in much more detail. But again, this is a tricky issue, because on the one hand there are supposed to be rules about when an organisation is allowed to process personal data in the first place, but on the other hand, the legally enforceable rights of individuals to prevent processing can be quite weak in practice.
In any event, if you were processing data outside the rules, it's highly unlikely you'd wind up with the state coming to arrest you for it. Normally if an individual did object it would be handled via the regulator and you'd have to be a very long way down the path before any sort of police action was involved. I suppose if you completely ignored the regulator's decisions and any resulting fines for long enough, eventually someone would probably see handcuffs.
I'm not sure whether FB would even be the right target for such an action. From my understanding of data protection laws here in Germany, the individual FB users would be the violators. I assume that the Safe Harbor treaty allows US companies to expect uploaded data to be legal.
I've seen my information all over the web which was data scraped from public government databases. A few years ago I went through the trouble of taking my information down (names, aliases, previous places I lived, employment) from these websites according their policy. For each I was request to send in snail mail to their postal address etc. I didn't need to create a login/profile to contact them. they did stop listing me, or at least I'm not as searchable online in as much depth.
not sure if Facebook has a policy for deleting information in the same regards as these spam sites. They might be legitimate and large enough to not care.
I told Facebook to delete my account as soon as they implemented this feature, years ago, and I found that (at least at the time) I could not block it on my Android phone. So, at least, I've not since then been party to giving Facebook information (they most likely have anyway) about other people, since the Facebook app is not installed on my phone.
Is this an official warning from the Commission, or a statement by somebody on the commission? It sounds like the hearing/case/whatever is still ongoing, so it's kind of premature to announce that they've said anything, no? You'd think the EU itself would post some kind of notice.
It was a statement by the person representing the Commission in Court. I'm really curious how this will play out. (Safe Harbor is more or less the justification for using US cloud services for anything having to do with personal information. If it gets killed, a lot of people on both sides of the pond are going to have a very fun time figuring out what to do next.)
It's a call for attention. Someone has asked a difficult question. If there are enough eyes on the question, the answer might be different than if there weren't.
> European Commission admits Safe Harbour framework cannot ensure privacy of EU citizens’ data when sent to the US by American internet firms
Press 1 if you would like to send your data to the US to be processed by the NSA. Press 2 if you would prefer your EU country's intelligence services to take care of it instead.
There is a principle of sovereignty here. You may not like the actions of your own country's intelligence agencies, but at least they are in principle subject to your own legal system and your own government can therefore hold them to account.
Of course we could debate the practical reality vs. the theory here, but exporting data to somewhere without the same culture and formal legal safeguards of privacy that Europe has offers no protection or accountability even in theory.
> There is a principle of sovereignty here. You may not like the actions of your own country's intelligence agencies, but at least they are in principle subject to your own legal system and your own government can therefore hold them to account.
That's the theory. The government of my country just passed a bill legalizing the snooping practices - apparently practiced in complete illegality for years - of the intelligence services. How is that for accountable?
> Of course we could debate the practical reality vs. the theory here, but exporting data to somewhere without the same culture and formal legal safeguards of privacy that Europe has no protection or accountability even in theory.
I think it's tremendously important to take reality into account. The same Angela Merkel complaining about her phones being hacked is perfectly happy to collaborate with the NSA, and is so concerned about the privacy of EU citizens that she would ship Snowden to the US without thinking twice.
I totally agree that the practical reality matters.
However, even if our supposedly democratic and representative governments in the West are far from perfect, that isn't a good argument for unnecessarily supporting other measures that are even further from perfect as well.
It took too long to bring down the last Labour government in the UK after its succession of abuses and war-mongering, with their third term in particular a freak result of our awful electoral system, but we did kick them out eventually. And while the current coalition can now fairly be judged on its track record as we come up to our general election and its record has also been far from perfect, the influence of the minority partner (the Liberal Democrats, who had not been in government here for generations prior to 2010) is probably more clearly evident in their efforts to defend civil liberties than anywhere else.
That same Lib Dem party has been almost unbelievably naive politically since entering the government and has been so comprehensively outplayed by its coalition partner that the Lib Dems are likely to be all but wiped out at the coming election. However, the fact that the party most likely to replace them as the protest vote of choice is heavily against foreign interference in UK business and seems to have become very popular almost immediately despite most people knowing little or nothing about either the party leadership beyond one key figurehead or the party's other policies might tell us something about popular sentiment and the desire of the UK electorate not to be taken for granted by the two big (and both heavily authoritarian) parties.
Hypocrisy does not mean what you think it means. An example of hypocrisy is EU governments talking about protecting privacy while tapping transatlantic cables.
What you could accuse me of is cynicism, if the collaboration between the main EU intelligence services and the NSA was not so well documented.
> hypocrisy: the practice of claiming to have moral
> standards or beliefs to which one's own behavior
> does not conform;
> cynicism: an inclination to believe that people
> are motivated purely by self-interest;
You comment (kind of) implies that there's no point in doing anything because we've lost anyway. That's hypocrisy, not cynicism (because we're all doing something to protect our privacy).
Anyway, I figure your original comment wasn't entirely serious which is why I'm not actually accusing you of anything. It's just that I've heard these kind of comments way too often.
> You comment (kind of) implies that there's no point in doing anything because we've lost anyway. That's hypocrisy, not cynicism (because we're all doing something to protect our privacy).
You're over-generalizing. What helps against, say, East European gangs (SSL) is not necessarily useful against state-level actors influencing crypto standards. And a rule supposed to protect our privacy against a specific state-level actor (the US government) is obviously pointless if the same data is handed to the US under the table.
Whether it's "obviously pointless" or not depends on what you care about. The result is the same but the way you got there changed. Feel free to disagree with me though; I'd rather not turn this into a philosophical debate.
>Outside of the UK, the EU at least pretends to be outraged.
And in a glaring act of hypocrisy, David Cameron came out yesterday to extoll how upset he was over the ruling that the lobbying letters Prince Charles sent government members had to be published. What a breach of privacy it was. Can nobody communicate privately anymore?!
Correct situation if you are on the civil liberties and accountable representation side:
Government has no privacy by default. Government is required to defend any need to keep secrets from individual citizens (and other parties such as the media or businesses).
Individuals have privacy by default. Government (and other parties) are required by law to justify any invasion of that privacy.
Practical situation today:
Government keeps secrets by default. Individual citizens (or other parties such as the media) may need to make considerable efforts to force disclosure, which may be denied repeatedly even where there is no basis in law for doing so.
Individuals have little privacy by default. Government (and other parties) routinely collect and process whatever data they feel like with little consequence, with the notable exception of some explicitly enumerated sensitive areas such as religious beliefs or health information.
> Outside of the UK, the EU at least pretends to be outraged.
Yeah, right before grounding any plane that might contain Snowden. In the meantime, France is busy retroactively legalizing the snooping powers of its intelligence service, Denmark is going the same way, and the UK would like to flat out abolish encryption.
While it's certainly no surprise, it's fascinating to see the discussion focus so candidly on the root of the issue: whether economical and political expediency trumps justice (as set out in the law).
At least we can stop pretending that our court systems are impartial arbiters of truth.
Trust isn't really the point. The Safe Harbour scheme is what makes it lawful for European businesses to use US services to process personal data about their customers. Without Safe Harbour, any European business that did this without explicit consent from users would be at risk of legal action under the usual data protection legislation. A few activist lawsuits and/or formal action by national data protection regulators would make things like using US-based SaaS or processing payments with services like Stripe a complete no-no. It would also put multinationals with any US element, such as Google and Microsoft, in a difficult position, because even if their formal in-house policy is to keep all such data exclusively within the EEA, EU data protection laws can then conflict with US disclosure requirements.
The article makes it seem like this is a new concern, but in reality this has been on the radar of European businesses concerned about privacy and personal data since at least the initial Snowden revelations that rendered the polite assumption that US companies could actually meet their obligations under Safe Harbour no longer credible. Everyone is just hoping that the obvious economic damage from preventing this kind of trade will be so dangerous that either the US government will back down (highly unlikely) or the European authorities will cave and pragmatically overlook obviously illegal (and rightly so, if you're on the privacy side of the debate) data sharing.
Note that there is no general exception to the European data protection rules permitting disclosure of personal data outside the EEA upon request by foreign authorities under their own laws[1]. Specific international agreements have been created to cover specific cases like PNRs for people travelling abroad. So arguing that the US Safe Harbour scheme is still OK because it's only the US government breaking the rules for its own official purposes has no weight in EU law.
I'd argue that facebook is as big a threat as gmail, especially when you see how younger generations use it to communicate.
Also, keep in mind that facebook tracks and collects your moves all over the internet (hint: look for the little 'like' button on every newspaper/forum/random website and take a look at your cookies from time to time) even if you don't have an account with them. De-anonymization and identification with so-called metadata (cookies, ip addresses, phone numbers, etc) is extremely easy to perform these days.
You can't trust users to make sane choices when it comes to privacy in the exact same way that you can't expect drivers to decide if a car is safe to drive or not. Joe Sixpack isn't going to use browser privacy extensions, clear their cookies, use tor, etc.
Some entity (probably a government/administration of some kind, but I can see NGOs doing that too) needs to be tasked with enforcing privacy laws in the same way that (at least in most of Europe) you are required to have your car inspected for safety and maintenance every few years.
EDIT: Across the EU, the Commission for the Protection of Privacy [1] would be that entity. There are additional government instances in various member states, like CNIL [2] in France.
Imagine there are people who want to rob, harm, or blackmail you. They might be the government, ex-lovers, ex-employees, business rivals, people who disagree with you (as in GamerGate), or just insane.
Now say one of your many Facebook friends posts a photo of you or your child on Facebook and tags you in it. They might not even realize that the photo has been automatically geotagged by their phone.
In a situation like that, you'd care about the info posted on Facebook, and you'd have no control over it. You can't force someone to remove a picture of you.
>Who cares about the info you post on Facebook? Aren't services like gmail a bigger threat?
Expand it to Google services and the answer is definitely yes. Facebook takes the data you supply it with, but it also quietly takes things like details of the sites you've visited while logged in that has a "Like" button on them, geo location from the mobile apps, etc.
Google, however, takes everything. Your search history, everyone you've contacted through gmail, your purchases that you've received receipts for through gmail, your location data from Android phones or Google apps, your phone contacts if you've them synced across Google accounts and more.
If you leave location services on, on an Android phone, you can literally view your movement history on Google. Where you've been, when you went there, etc.
I'll be forthcoming and say I mindlessly use these services and serve up the data to Google in exchange for convenience, but in terms of threats to our privacy Google is way, way ahead of Facebook.
It's very hard to decouple from Google. Facebook is easy. I've a Facebook account with minimal information about me on it that I use to keep in contact with family members as I live abroad now. I log in through incognito mode and when I'm done log out. I don't have Facebook owned apps on my phone. The amount of information I serve up to Facebook is nothing compared to what Google get from me every day.
I think it's the fact that they have your real name and face from multiple angles that makes Facebook so dangerous/valuable. Google knows a lot about you but if they don't have your face it's not worth as much when they start using facial recognition everywhere.
It's a really great way to understand your network of associates and form groups. Probably more so than e-mail. Although I'd imagine text messages would be the best cache of information a lot of that runs through European telecom companies and probably isn't as easily routed through to the NSA.
