Facebook Ordered to Stop Collecting Data on WhatsApp Users in Germany (nytimes.com)
658 points by mh-cx on Sept 27, 2016 | 427 comments


A former colleague of mine who was a distinguished academic and successful tech executive grew up in East Germany. After the Berlin wall fell, he was able to enter the building where they kept the dossiers. He found his own file and was astounded by the information they had on him. His friends, his work, his habits. Photos of himself going about his business. His social circles. His friends were equally shocked by the collection of the most trivial details. They weren't fomenting revolution or doing anything remotely disruptive. They thought nobody would pay much attention to a bunch of harmless random students. They were wrong.

Memories like this still have force in Europe. I have to believe that their history makes many Europeans queasy about the collection of mass information. It is also easy to see how these laws could be exploited by large companies in Europe for their own commercial interest. Still, these laws have a moral force and US companies are stupid to try to circumvent, belittle, or ignore them. The desire for privacy has deep roots; it is not a nuisance to be swatted away on the path towards maximal profits.


> (from the article) While WhatsApp has framed the changes as a way to give people a better service, not everyone is convinced.

Need I remind everyone how another American company called IBM helped to collect information about people in Germany and how it ended, so it's not strange that Germans are "not convinced".

https://en.wikipedia.org/wiki/IBM_during_World_War_II


Absolutely true for older generations, but among those under, say, forty years of age, the 'I don't have anything to hide' fallacy is alive and well just as anywhere else.

I'm German and it's been a huge ordeal to get my closest friends to migrate to Telegram at least. Signal was debated, but the lack of a good desktop client killed it. XMPP and IRC and all, not with these guys.

Germany has some vocal proponents of privacy ideals, like the Chaos Computer Club, but we also have politicians who pull the very same crap as anywhere else.


> it's been a huge ordeal to get my closest friends to migrate to Telegram at least. Signal was debated, but the lack of a good desktop client killed it.

I realize it's difficult to get people to change messaging platforms, but if you have such a chance again after some time, I would suggest trying out Wire [1] sometime. I have been recommending it over the last few months for people to try because it has superior UX (though not on par with Telegram). It has desktop clients, all chats are end-to-end encrypted (there are no unencrypted chats at all) and messages are synced across devices. I'm guessing the end-to-end encryption makes it a bit slow to start up to sync messages. Notifications also seem a bit unreliable or not working as expected (that's why the after some time before).

Wire also has cool features like doodling and allows voice and video calls too. All this said, Telegram is still the fastest in delivering messages, and keeps adding new features quicker than any other messaging platform I've seen in the last few years (WhatsApp is not a platform I monitor because I left it when it was acquired by Facebook).

[1]: https://wire.com


> Notifications also seem a bit unreliable or not working as expected (that's why the after some time before).

If you mean mobile notifications on Androids, it's worth noting that you need to whitelist the app in any battery saver modes, be it a vendor one or Google's Doze. Since Wire doesn't use GCM (websocket instead) for push, Doze might cause the unreliable notifications.

I've been using it for a month now, whitelisted the app under Sony STAMINA mode and the notifications are instant on mobile & desktop. Also brought family and friends over and they're satisfied with the experience.


They claim that they are "Open source", yet they don't distribute any binaries built only with code they made public.


Just installed this. Thanks!


May I suggest Matrix/Riot? It's been posted on HN a few times and seems to be growing really nicely - I've gotten pretty into it over the past few days. Open source, federated, syncs between devices, interoperable with bridges to other protocols like IRC, web/Android/iOS clients, e2e encryption (similar algorithm to Signal) is being tested on web and is planned to arrive on mobile in a month or two. http://matrix.org/


I've heard about this on HN a few times, but usability and flexibility really trump other factors on adoption rates. Federated secure communication sounds wonderful. I'm currently using Wire, Telegram and Signal, and I don't prefer the fact that all of them are run by single entities.


telegram was sort of a bad choice: https://www.eff.org/node/82654

signal desktop (granted, stupid chrome plugin but official): signal.org/desktop


> telegram was sort of a bad choice: https://www.eff.org/node/82654

from this url: "This is version 1.0 of our scorecard; it is out of date, and is preserved here for purely historical reasons. Please visit Surveillance Self-Defense[1]"

[1] https://ssd.eff.org/


compared to signal, telegram can be used by android users without gapps (the telegram client can be installed via f-droid). as much as I would like to use signal, I can't.


compared to signal, telegram stores all your messages on a server you don't control in plaintext. It's not the answer.


I know. But that's really where I, personally, make the decision to not care. Group chat with two dozen mates equals stupid banter, exchange of memes, lately some pictures of the young ones everyone seems to suddenly have, recaps of school day mischief. I don't say anything there I wouldn't say in a crowded room and neither does anyone else.

For something as deviously criminal as 'you got pot man?', the private chat function is alright.

Obviously the 'nothing to hide' fallacy is nonsense, but so is pretending every communication warrants the highest security parameters at our disposal.

Signal is a nice app, have it installed among pretty much every other messenger. But none of my friends, colleagues and coworkers use it. I have one contact out of almost a thousand on there. The desktop client only runs in a browser, Telegram can be open on all kinds of devices and synch up (ncTelegram on a VPS where pretty much all my communication is relayed, in my case)...

I know all the criticism, from the question of why they had to cook up their own crypto and nonfree server to the Russians behind it. It's still the best app I could sell to a lot of people who're not even close to tech literate.


> Obviously the 'nothing to hide' fallacy is nonsense, but so is pretending every communication warrants the highest security parameters at our disposal.

I don't agree with this view that every communication, especially online, does not warrant the highest security parameters at our disposal. Assuming there are alternatives with better privacy and security available, I believe we (or the ones who care about such things) should adopt those and evangelize those among others we know. The default should be to treat communication between different parties as nothing but their own business, and nobody else should be snooping around for any purpose.

Other than the above are concerns of a larger magnitude - most people don't understand the true implications of not having privacy/security until it personally affects them. So I always try to push people to use something that's better (may not necessarily be perfect) privacy-wise. Also, when the lowest common denominator is filled by privacy invading platforms, all of humankind stands to lose because of the way money is made by these platforms and how "easy" or "free" those appear to be in the eyes of the users. In a larger sense, we're probably sabotaging the availability and legality of private/secure/easy-to-use communication platforms for the people it matters most to, like those in a repressed regime, journalists/investigators who go against the current powers, etc.

TL;DR: (Usability concerns aside) We have nothing to lose by treating every communication as warranting the highest privacy and security. But we do have a lot to lose by doing otherwise.


if you use e2e encryption, it doesn't.


Secret chats are only for person-to-person communication in Telegram. You cannot have group secret chats. They're also restricted to the specific device that started the conversation and do not sync across devices. For a platform that does, look at Wire [1].

[1]: https://wire.com


I'm not using any group chat, so for me personally that's fine.

so far wire is not available on f-droid either, although it's unclear (for me) whether their client now runs without the google play framework. there's discussion about it [0] but no clear answer yet (or I'm missing something).

the moment it's available through f-droid, it's a different story overall.

[0] https://github.com/wireapp/wire-android/issues/5


It's available to download on the website. I asked on Instagram and was assured that Wire doesn't require Google Play Services.


Wire messenger uses websocket and doesn't need Google Play Services.


Huh?! Telegram (secret chats) has all checkmarks.


Same effect achieved with social media. But instead of coercing us with barbed wire and machine gun nests... they watch us drug ourselves with dopamine-jerking apps that let us feel "connected" to people we aren't really all that connected to... and ah, that tingly feeling every time someone likes a photo we've shared, or a comment we made. Or "swipes right" on us.

And the beauty is that these days, the guardians of State Security don't even have to do anything for all that metadata, all these photos, likes and heartfelt confessions of lust and ardour to be neatly digitized... they just have to sit back and (carefully) suck it all up.

Except this time around their "cabinets" are about 850 million times bigger:

http://apps.opendatacity.de/stasi-vs-nsa/english.html


And yet Germany operates a massively well-funded federal security service that is conducting exactly that sort of mass surveillance today -- only now far more sophisticated than even Facebook, since they can surveil the entire Internet, in exactly the same manner as the NSA does. Other European countries are doing the same.

It's at best naive and at worst hypocritical to pretend that Europeans care so much more about personal privacy than Americans do while that is going on.


What a "democratically elected" government does and what private people think is acceptable are not necessarily the same thing. There's often a surprisingly strong discrepancy between government action and the will of the people.

Also, a lot of people feel that the government (in a Western/Northern European country) is mostly trying to protect its society even if some actions are misguided, while it's hard to make a statement about the benevolence of large corporations. Governments ought to be loyal to their citizens, while corporations only answer to their shareholders; their actions have no moral leeway nor are they beneficial to the majority of people. Facebook is not trying to protect society, it's trying to benefit from it.

In most EU countries you are entitled by law to request to see and even demand removal of any data any company has on you at any time. This has been problematic in the past but will clash hard in the future with companies based outside the EU wanting to do business – or whatever name you want to call the activities of internet giants – with EU citizens.


The original thesis I was responding to was the theory that, due to historical experiences, Europeans are somehow much more concerned with personal privacy (in general) than others, which is empirically false.

State versus corporate surveillance was not the topic. Europeans may indeed be more mistrustful of corporations than others, I don't know; but Europeans are clearly not so concerned about personal privacy in general as compared to others (though they seem to like to believe that they are.)

The BND, and its local equivalents in other European countries, are now openly conducting mass surveillance and citizen profiling on a scale that neither the Stasi nor Facebook could ever dream of achieving. Most of the citizens of Europe don't seem to care much at all about this. Therefore, the theory that Europeans are especially privacy-conscious as compared to others is false.

Incidentally, with corporate surveillance, you (at least in theory) have the option to simply not use that corporation's products. You can't opt out of state surveillance.


There's a difference between "concerned with personal privacy" and "privacy-conscious". Europeans, like pretty much anybody in the world, are oblivious, ill-informed or simply don't care about what goes on above their heads or behind their backs. People just want to live their lives.

But when revelations and news reports bring up issues concerning privacy violations – by the state, other countries or companies – it does invoke memories and provoke visceral responses. A lot of Europeans are not totally apathetic to privacy concerns, especially when brought to their attention.

And Europeans are somewhat irritated with the freedom given to big corporations and (lack of) free market regulation in the US, lumped in with Wall Street and banking systems. In a sense, simplistically put, our current governments are (with) us, while some of those internet giants are billboards of unfettered capitalist excess, trying to exploit us.

In short, I do think a lot of Europeans are more concerned about privacy than Americans, once it gets on their radar; and it's always worse when it's done by somebody far away.


While I agree with the spirit of your comment, in practice I have to check my beliefs.

I don't think Europeans really care that much. As evidence I present the title of the article which conspicuously doesn't read "Facebook ordered to stop collecting data on Facebook users".

If people really cared about mass surveillance would they actively participate in Facebook et al?

I don't use Facebook, Twitter, etc, ostensibly because I'm not keen on mass surveillance. But if I'm truly honest with myself it's because I know I'll post things I'll later wish I hadn't.


> If people really cared about mass surveillance would they actively participate in Facebook et al?

The problem is: These people weren't using Facebook. They were using WhatsApp which promised to not send their data to Facebook.

I don't use either because I personally think it's silly to assume they won't sell your data to someone, but they did make the promise that they wouldn't.


> They were using WhatsApp which promised to not send their data to Facebook.

I've seen that mentioned before, but where does it say that? On WhatsApp's ToS it says they won't share WhatsApp data for others to see on Facebook, not that Facebook itself wouldn't use that data.


So now facebook has your data, has a shadow profile of you (already had that from your friends) and adds your whatsapp metadata too. You have to trust all current and future facebook employees who ever have access to that data. You have to trust facebook can now and will always in the future be able to secure that data. Then you have to trust anyone they sell that data to in all these dimensions. Moreover if data exists it can be retrieved by government through legal or other means so you have to trust all current and future public servants in countries in which you may not even have or want citizenship rights.

If you knowingly made that bargain and said, "Yes, I trust all these classes of people." Ok, fair enough. I imagine a number approaching 0% of facebook users, let alone whatsapp users actually thought through that bargain and knowingly agreed to it.

But yeah, your mom might not see who you talk to on whatsapp via her facebook account. So there's that.



>He found his own file and was astounded by the information they had on him. His friends, his work, his habits. Photos of himself going about his business. His social circles. His friends were equally shocked by the collection of the most trivial details.

Facebook has all of that and way more. They even know which sites you visit when you're not on Facebook (think Like buttons and logins and various JS libraries that your browser might request as you browse around the web).


I’ve been collecting all chats’ contents I’m in, all webpages I browse, where I am, and when, etc in a database.

Basically, I started with building bad, hacky clones of Google’s services for myself.

But the resulting set of data is so huge and powerful.

Not only can I find out just from my data where my friends were, and when, also with whom they talked, and when, with whom they’re interacting, etc.

And that’s just for my own data, if I had that set of data about every human... I don’t even want to imagine what’d be possible.


WhatsApp users were estimated to have a seven year useful life at the time of their sale. Facebook will want a profit on them, but if the estimate was accurate, there are only five years left until they are used up. Facebook may become increasingly desperate to transfer any remaining users into their primary product.


Estimated by whom?


Sorry, I must have edited that out when I put it to screen.

The estimate appeared in Facebook's 2014 10-K filing.


Isn't the difference here that you have the freedom to leave or not use Whatsapp if you wanted to?

Even the supposed FB shadow profiles would be hard pressed to reconstruct habit information.


It's a natural monopoly via network externality.

Leave facebook, you miss information your friends and family post to facebook because that's enough.

Leave whatsapp - you now can't message with encryption to a large number of your contacts.

But yes, absolutely you should have signal. Everyone should. That's not the reality we're faced with. Whatsapp message to Dad is better than plaintext - that doesn't mean facebook can be as crooked as they like when they provide that.


The same could be said about automobile manufacturers or any other industry with an oligopoly.

That still doesn't make it East Block Germany.


To my understanding, it's just Germany that's the outlier here, not all of Europe. I could be mistaken.


Think about this then think about what Twitter and Facebook really are... :)


You can go get an off-contract sim card, use it on a clean Android, create a fake gmail account in order to download and install Whatsapp. Now you make connections (you add family and friends to your contacts) and start communicating. By now both FB and Google know who you are simply b/c other people in your network, not concerned with privacy, have you saved on their contacts list, presumably under your first and last name. Using analytics data that you inadvertently share through your usage habits, both companies build a detailed online persona that will never be forgotten. B/c we are creatures of habit and social bonds, it is quite easy to determine who you are and what you do, by indirect information like your locations (gps), connections (contacts), online presence (IPs), browsing habits, etc.

THERE IS NO ESCAPE. Unless you do what they themselves say you should do if you do not agree with the terms: don't use their services.


You could always, I dunno... stop using Facebook and WhatsApp and other software that you find harmful. I know, totally crazy idea. Just throwing it out there.


Facebook will still build a "shadow profile" of you, based on information gleaned from contacts.


Not just contacts, some users obsessively tag photos with full name even when they captured non-fb users in their photos. And often there is no way for non-users to find out about it other than by joining facebook.


How could someone have me in their Facebook contacts if I don't have an account?


I believe they meant phone contacts since Facebook et al request phonebook permissions.


Because for example you could have sent them an Email, SMS or called at some point and are in their phone contacts/contact book. That user then shared their phone contacts with FB.

So even though you may not have signed up for FB, they have [your name]{your number} in a table somewhere so that when and if you do sign-up it will be easy to link you with people you already have contacted.


You know, in the old days everyone had a whole book that was basically a table of everyone's name and phone number.

It was called the telephone book.


sure, but that telephone book didn't include the conversations you had with everyone in there


And some people were unlisted.

What's your point?


I haven't activated my FB account in years now, but can't members still add you as a family member even if you don't have an account?

I avoid FB more out of principle, not because of some deluded idea that I can avoid FB having my information. The solution "stop using Facebook and WhatsApp and other software" is harmful at worst and flippant at best.

Unless you never get your photo taken, your face is on FB and any other social media service your friends and family use. Unless you only have friends and family who never use FB, WhatsApp, LinkedIn, etc., your name, phone number, and email are on those services.

The idea that not using these services stops them from getting your information is fanciful, because your friends and family have no problem giving your information.


> The idea that not using these services stops them from getting your information is fanciful, because your friends and family have no problem giving your information.

The problem is that sometimes this information is incorrect and based on gossip. When would you know that it resulted in real life consequences, can fb sell this info to e.g. insurance companies?


That snark is uncalled for. Stopping using WhatsApp and Facebook would make communication with some groups much more difficult for me, for example, because everyone uses them.


Ok, so in return Facebook and WhatsApp get to learn about you. That is the cost of doing business with them.

Why is that cost so different than the normal cost we pay for things (cash money)? Yes, things we value have costs. It is always a sacrifice to go without that thing, but if we want to AVOID having to go without it, we have to pay something.

"I can't believe you are making me pay this cell phone bill! I have no choice but to use it, and you are CHARGING ME MONEY for it?! This is outrageous!"

I mean, there are things we need even more that we have to pay for - food, shelter, etc. In order to get something from someone else, you have to give them something in return that they value. That is just how the world works.


If I give someone money, it is their money and they can do what they want with it, it does not matter to me. If I give someone information about myself, it's still connected to me, but now it's under their control. They can use it to exploit or harm me, and so can anyone they sell it to, or anyone who steals it. It's that indeterminate potential for future abuse that makes it important. That's why we consider it differently.


I hate to break it to you, but when you make a payment online, the recipient learns your legal name, probably a billing address i.e. where you live, and you probably don't even think about it.

I do see a lot of double standards in these discussions. People never articulate who is specifically being hurt or what the specific problem is. Instead allusions to fascist governments are made, which would be fine, if these companies were governments. But they aren't: they have no power. If you're rightly scared about the combination of information and force, it's government surveillance that deserves the attention, not harmless chat apps.


> ... if these companies were governments. But they aren't: they have no power. If you're rightly scared about the combination of information and force, it's government surveillance that deserves the attention, not harmless chat apps.

In the meantime government surveillance agencies can piggyback just fine on information collected from fb, emails etc and can continue to spend money on even more scary surveillance tools.

I can give you personal example of harm: family member was a victim of fraud because of the leaked information online. I would argue that the existence of social media and it being promiscuous with our data makes it extremely easy for criminals.

> it's government surveillance that deserves the attention, not harmless chat apps.

Oh, but it's not harmless when it gets in the wrong hands. The only precaution is to get assurance that those services don't collect your data indefinitely and more than necessary.


> allusions to fascist governments are made, which would be fine, if these companies were governments. But they aren't: they have no power.

It only takes one affected person to know what it's like to be spied on and abused with the information at hand. We don't need an entire country to come to shambles to know what such vast information collection could result in. You also seem to be making assumptions that governments cannot force a private company to part with data or that those in power cannot manage to create a warrant just to pay lip service to "due process". Additionally, there is also potential for abuse of the data by the private company's employees. Like how LOVEINT [1][2] exposed the fact that NSA employees used their privileges to spy on and track people in their personal spheres of life, Facebook employees may be doing the same without any kind of monitoring at all. We just don't know yet.

[1]: http://www.reuters.com/article/us-usa-surveillance-watchdog-...

[2]: http://arstechnica.com/tech-policy/2013/09/loveint-on-his-fi...


>But they aren't: they have no power.

Sorry, what?

Even if that were true, nothing prevents them in principle from serving as the eyes and ears of a fascist regime. Nothing prevents a government, in principle, from compelling them to reveal sensitive information.

At the risk of being conspiratorial, need I remind you that Facebook was funded by DARPA? Need I remind you that the NSA is installing backdoors in ISPs and other service providers?

Do you really not see the problem being described by the parent comment, or are you just being contrarian?


It looks like you hit reply on my comment by mistake instead of on the parent comment (which was the one that said "But they aren't: they have no power", and I quoted that to add some counterarguments). :)


whoops! Indeed! :)


If you think it takes the power of the state to cause trouble, you're not imaginative enough. If you need convincing, just download your information from all the sites you visit (I know FB and google provide an easy way to do this), send it to me, and I'll help you understand the problem.


and who do you think gives that data to the government?


That's a moot argument because every human transaction, whether money or messaging, has meta data tied to it that can be exploited by bad actors.


True, but no reason to let companies collect even more data than they need to perform the transaction. Your argument goes a bit like "every lock can be picked, so why are you opposed to just keeping your door open?"


That's a terrible straw man. My counterargument to the "indeterminate potential for future abuse that makes it important" is that the same logic applies to all human transactions, so it's a moot premise.

Increased security standards on metadata for human transactions is actually the right response to the existence of bad actors, but increased security != forcing bans on the use of metadata.


It's not about outright banning, it's about limiting to the minimum amount required to perform the service. Btw. nobody complains about WhatsApp holding metadata about connections between people. We complain about WhatsApp transmitting this data in a quite hidden fashion to Facebook.


>It's not about outright banning, it's about limiting to the minimum amount required to perform the service

That's not how the German government is defining their ban.

>We complain about WhatsApp transmitting this data in a quite hidden fashion to Facebook.

FB announced last month [1] that they were sharing specific types of data between Whatsapp and FB. That's not "hidden".

[1] http://www.nytimes.com/2016/08/26/technology/relaxing-privac...


An article in NY Times does not help to make it less hidden, particularly for German users. What is required is to inform every user individually and ask for his/her permission to transmit the data to another party. Explicit permission (= informed consent) is necessary because this data transfer is not required to perform the service (see above).


When you pay cash your business relation ends there. When you pay with your personal information...it never ends.


You misunderstood my comment. My point is that quitting WhatsApp, when everybody around you uses it, is not simple and does not warrant that snark.


The larger point: Has it been meaningfully asked, and conclusively decided, that that amount of communication with those groups is a positive benefit to your life, large enough to justify all the hassle and humiliation of dealing with Facebook? Without adding any further snark, I would just like to offer my (probably fairly extreme on the continuum) viewpoint of, maybe fuck those groups.


This is a great point. And for convenience, the price you pay is your privacy. Today, anyone is capable of communicating via encrypted email. You can use OpenPGP with an email client, for example.


No, you can't stop using Facebook. On a lot of carrier provided phones, it cannot be uninstalled.

And if you've signed in once, it will continue to run, auto update, and collect your information.


On every Android phone I've used, you can always disable the carrier-provided apps, so they won't show up in your app tray, or run any processes. iOS doesn't pre-install it, and I've no idea what Windows Phone does.


I had an HTC Droid Incredible. Facebook was included in the factory build, was always running per the process list even after force quitting, and with the exception of rooting the phone [0], was impossible to remove from the device.

http://forums.androidcentral.com/verizon-droid-incredible/10...

[0] Corporate-provided and paid-for phone, so I was prevented from rooting because of "security reasons." Even after (or, especially because) the phone developed the surprising habit of snapping pictures at random times -- as evidenced by the distinct sound made by my DInc's shutter -- after the corporate-required malware was installed. I'm sure someone, somewhere really enjoyed the view of the inside of my pocket.


Network effects – at this point even some schools and newspapers are heavily using WhatsApp – make that impossible.

Which means either WhatsApp is replaced by something else, or it becomes as regulated as any governmental media.

EDIT: A bank already replaced most of their support channels with a WhatsApp chat.

It IS a utility at that point.


Also, employers and travel authorities who view the lack of a Facebook account as suspicious.


It seems the population is literally addicted to FB hence the cognitive dissonance. If anything should be lobbied for it's better mental health services related to social media addiction.


It's scary: the litany of "reasons" that always get brought up to explain why it's literally impossible to stop using Facebook often sound a lot like the reasons addicts can't stop doing whatever it is that they do compulsively.


What's even more scary: you get the same litany of "reasons" explaining why people can't stop eating hot meals every day.

Comparing Facebook to alcohol/drug abuse is like comparing piracy to theft - it misrepresents both issues while making it more difficult to discuss their impact and ways to solve them.


So now FB is the equivalent of a hot meal. I think you're comically making my point.


No; what both FB and a hot meal have in common is that they're things we do for pleasure, that are not necessary from a biological standpoint, that you can stop using them at any time without much issue, but which many people use anyway because of the benefits it brings - in terms of both personal pleasure and strengthening social ties.

Instead of calling people addicts, it'd be better to give them an actual compelling reason to stop. Hint: that whole privacy thing is not good enough of a reason.


But people don't just want a hot meal. They want Zuck to heat their meal for them AND they want Zuck to wear a blindfold.

So instead of heating your own food, or finding someone else to heat it - they demand politicians to intervene - to make sure Zuck - and all future food heaters - are properly blindfolded to respect your delicate sensibilities.

My fear is for the future of food heating technologies that don't involve Zuck. Hint: All the rest of them.


It's an addiction that can be quit instantly with no ill effects using nothing more than the willpower it takes to turn down a second slice of cake. Unfortunately I can't imagine what sort of social service can teach all these progressively-more-coddled generations how to tap willpower.


This is not a useful argument.

One could certainly stop using Facebook, WhatsApp, Twitter, Snapchat and so on. But you'd have to consider what the impact is; maybe you'll become more distant from friends and family. Maybe you'll miss out on events. These things are pretty important, for obvious reasons, and it's a shallow argument that everybody can simply walk away "instantly with no ill effects".

It's up to the individual to decide if the trade off is worth it. Clearly, for some, it is.


Both the "friends and family" and "events" arguments sound like something Facebook itself might say, in the course of its browbeating you with subtle fear-mongering. Take it from me, the impact might actually turn out to be much less than you think. In some cases (like mine), it's even a positive. For example, not going to every single "event" leaves more time for all sorts of productive activity. Not keeping up with what everybody else is doing, leaves more time for you to actually do something yourself. And a certain amount of distance from friends and (especially in my case) family is actually fucking GREAT.


I'm not arguing, just stating simple facts. I have quit many of these things and went back to phones for communication, which still works perfectly well. Do I miss out on things? Maybe. It doesn't harm me in the least.

I certainly made no proclamation as to how anyone should live, which you seem to have mistakenly inferred. I suspect that level of unprovoked defensiveness to have an interesting underlying cause.


It's pretty baffling. When you suggest that people try simply not using Facebook or WhatsApp they act as though you just suggested they stop eating and breathing.


It's because most of those suggestions try to imply that people can't quit Facebook, because they're stupid or addicted or something. One should stop and consider here that just because you can, doesn't mean you should. A lot of people, myself included, get actual value from using Facebook and thus don't have a reason to stop using it, even though they are perfectly able to.


Your error is confusing "I can" with "people can".


No, I committed no error. You seem to be confusing what people strongly desire with what is actually possible.


Please go explain this to a gambling addict. I'm sure it will turn them right around on the whole issue.


>THERE IS NO ESCAPE. Unless you do what they themselves say you should do if you do not agree with the terms: don't use their services.

Or as so many others have called out in the thread - you get legislative relief.


But if you have a database of the entire population and can correlate relationships in data - what exactly does this legislation look like? "Ok Zuck, here's all my data. But don't run a `SELECT *` because that would violate my privacy".

The solution here is obviously open-source and protocol based mediums. Proprietary social networks exist to extract data and sell ads. But let's ignore that and give politicians more power to regulate internet services as a whole. I'm sure the German government would love that.


> But if you have a database of the entire population and can correlate relationships in data - what exactly does this legislation look like? "Ok Zuck, here's all my data. But don't run a `SELECT *` because that would violate my privacy".

Yes, there are laws restricting how and when data can be processed.

That someone has the ability to do something bad does not mean they cannot be restricted from doing it by the law.


>But if you have a database of the entire population and can correlate relationships in data

That's exactly what the legislation constrains - Zuck's select * from where user_id = 'technofiend' returns 3 rows not hundreds or thousands, or zero if I've opted out of data collection entirely.

You can't simply throw your hands up and say "Well Facebook has a billion users too bad so sad if they collect data you don't like" because there are in fact plenty of laws elsewhere that restrict their activity. It's entirely possible to tell them to keep their grubby hands off my bits and their cookies out of my browser. And yes if that means I have to pay for sites I use for free now, so be it. I can't help but think that'll drive content towards quality anyway.


Adopting an alternative to Zuckernet is the exact opposite. Continuing to hand your life's data to Zuck is to throw your hands up. Begging your politician for a little privacy from Zuck when strong encryption exists is to throw your hands up.

People care enough about privacy to complain about it but not enough to do anything. I don't have much sympathy for them.


One problem is that they collect "shadow" profiles of people who aren't even on the service. If someone who has your contact info is on the service, they'll start a profile of you based on that. Plus, there's many web sites that are connected to Facebook and send info back to it without you even knowing about it, just by having a Facebook share button on the page. It's very difficult to avoid having any of your data on Facebook's servers.


Ah, shadow profiles again.

Maybe the real problem here is that people talk about "your data". There's no "your data" in a shadow profile of you. There's data about you. I have a feeling that talking about the data as if it belonged to the person it refers to makes people reach weird conclusions.

I'm having problems with articulating clear examples, but I don't like the very concept of ownership of facts - whether they're algorithms or phone<->name associations.


In my mind, it's one thing if a Web site that I go to learns about me based on my interactions and a whole other thing when people start correlating data across sites. That's what Facebook is doing with its stupid buttons on nearly every news site.

Amazon knows a great deal about my buying habits but that makes complete sense. Facebook knowing what articles I read from the Globe and Mail and the CBC is something else.


Getting your democratic government to legislate protections is doing something.


Short of using tor I'm not sure anything else really can work. You can dump all the cookies, block all the javascript and use all the VPNs you want but ad companies are working very hard to break through those protections. And until there is a law forbidding them to do so, they'll just keep doing it.


We're talking about WhatsApp here right? Which already uses strong encryption?


What does that have to do with privacy? Just because the data is encrypted doesn't mean it can't be harvested by FB


WhatsApp is end to end encrypted. Facebook/WhatsApp can't see the contents of the messages. It's the best technology available at the moment - there are no non-toy systems that also scramble metadata.


WhatsApp claims to be end-to-end encrypted, but since it's closed-source, who knows what's actually going on.


Yes, just because you can do something with someone's data doesn't mean you should be able to do so.

That this sort of restriction is largely missing from US data laws is one reason we see so much fuss about data centre locations and 'safe harbour' provisions.


Except I do not trust my government. Do you?


> You can go get an off-contract sim card, use it on a clean Android

The moment you connect to your WiFi, Google gets the SSID and can relate other devices using it. Possibly (?) the SSID is also known to WhatsApp.

Does it really help much?


You don't even have to have wifi enabled, even when Wi-Fi is OFF it will still scan for SSIDs to use for location by default.

You have to disable an obscure setting to get it to stop this behavior.


But even after the device has detected the (B)SSID, you have to enable either Wi-Fi or your mobile data connection for the device to communicate with Google's servers. Still, just as worrisome.


You can escape into noise, but it's work. Privacy is an arms race between information and noise.


That's a nice way to put it, but it may not be that inevitable.

Here is a very simple idea: next time you talk to one of your friends who works at FB/Goog/etc. ask them pointedly how they can work at a place which obviously lacks any morals/ethics. Their first reaction would be to defend their actions, of course, but if a few people start doing this, my guess is that the message will start going up slowly but surely.

After all, what are they going to do? Stop having friends?

Those are the words that the head honchos at FB/Goog/.. etc are telling themselves about the viability of their privacy violations. At this point, no shame in turning it against them.


> After all, what are they going to do? Stop having friends?

They probably opt for more tolerant friends. ..but that's just a guess.


Yes there is. Call in legislation to fix the missing things.

US data protection laws are a joke. EU leads the way. We'll see more in the future, I am positive.


No reason not to make it as hard as possible on them. It makes it easier for alternatives to exist in their shadow.


Just a small heads up, WhatsApp supports installing the apk file directly without going through the Play Store. https://www.whatsapp.com/android/


Quoting from the link:

  Facebook said on Tuesday, after the order had been issued, that
  it had complied with Europe’s privacy rules and that it was
  willing to work with the German regulator to address its
  concerns.

Two Indian students challenged Facebook on WhatsApp privacy policy changes [0]. The following is what WhatsApp's counsel said [1]:

  Using the messaging service is a voluntary decision, we have
  not forced anybody to use it. Users have an option of opting
  out of it.

Disclaimer: I don't have an account on either Facebook or WhatsApp.

[0] http://www.bloomberg.com/news/articles/2016-09-20/facebook-f...

[1] http://mashable.com/2016/09/23/india-delhi-high-court-whatsa...


Interesting when you confront this with those decisions of Brazilian courts of suspending/blocking WhatsApp for some days. Because the response, from the court order, is always "Facebook and WhatsApp are separated companies, you are asking Facebook (that has an office in Brazil) to answer for WhatsApp (that hasn't), Facebook doesn't have access to any meta-data from WhatsApp (including which user talked to another one)".


If this is true, then Facebook might find itself in quite some bother now or in the future. Can you provide a reference?


Here is the reference. It's the text of one of the judicial decisions that blocked WhatsApp in Brazil (translated to English): https://translate.google.com/translate?hl=en&sl=auto&tl=en&u...

The relevant part is: "the other company, based in the country, has no "powers" on the company of your own conglomerate".

Note: in the same paragraph it says "a company does not have established in Germany". It's a Translator bug. The correct translation is: "one company is not established in the country".

Original text is at: http://tecnologia.uol.com.br/noticias/redacao/2016/07/19/vej...


For some previous discussions here:

duckduckgo whatsapp facebook brazil !hn



Well, I like duckduckgo for one and was showing them some love. Especially appropriate in this thread.


> Using the messaging service is a voluntary decision

Once a critical mass uses a messaging service, it's not a completely voluntary decision, especially when there is no open standard with interoperable competing apps.


This is false. Market dominance does not transform a proprietary product into a basic utility. What I mean is that simply because a proprietary product has a large mass of users does not mean the users have the right to demand that it be regulated like a public utility.


I imagine the electric companies made similar arguments at the start of the 20th century.

> Market dominance does not transform a proprietary product into a basic utility

Agreed. Isn't it more that it becomes so ubiquitous and expected that it starts to be considered a basic utility by the public? In the case of social and IM it's the network effect that matters - where are family and friends.

Once a certain tipping point was reached you'd be hard pushed to find many willing to live without mains water or electric. These days you'd be hard pushed to find many willing to live without internet, social networking, and IM chat. They're becoming utilities, and quotes like from their counsel "well just don't use it, it's optional" ring, for the majority of the public, increasingly hollow.

Just as our definition of essentials, poverty, minimum income and inflation (in the UK at least) have all been adjusted to reflect the internet age and provide for internet connections, mobile phones etc, our definition of utilities should too.


I'm doubtful. With that definition, lattes should be made a utility. So should shoes. Tires.

A utility is indicated by requiring so heavy an investment in infrastructure that it would be onerous to the public to support duplicates.


Not really... If all of my friends buy a Starbucks latte, I'm not forced to also buy a Starbucks latte just to interact with them. I could hang out with them at Starbucks drinking a Caribou latte, or not drink any coffee at all. If all my friends buy Jordans, I don't have to buy a pair of Jordans to join their game of pickup basketball. Heck I don't even need shoes (not recommended but to each his own).

If all of my friends choose to use WhatsApp messenger, my options are to not communicate with them at all (a non-starter), or to also use WhatsApp.


Or to call them on the phone, talk to them in person, send them an E-mail or letter.. You know, the things we all did in ancient times like 5 years ago?


Yes, it's completely reasonable to replace real-time group chat with... a conference call among 6 friends?

Hey guys, I know ALL of you chat with WhatsApp, but can we move to email just for me and my concerns around security that you don't care about at all?

Seriously... you can make completely unreasonable suggestions until you're blue in the face but it's not going to change reality. There are very real social pressures at play in this discussion. Yes, it turns out peer pressure is a real thing and has a very prominent role in this discussion.

Do you really think Facebook would've spent $19* BILLION on WhatsApp if they thought people would be willing to drop it at the first sign of inconvenience? They know they've got lock-in through sheer market adoption of the platform. If they didn't, they would've just stuck with the facebook messenger path they were already heading down.


I don't know what app-of-the-week my friends use to chat with each other, but they return my E-mails and answer my phone calls. If one's friends won't communicate with them unless they're using a particular brand of messaging app, are they really friends?


Yes, they're really friends. If my friends all use whatsapp to organize parties, and I refuse to use it and force them to email me as a special one-off, am I really a friend? Because I know they'd love to have a back-and-forth conversation about timing/place/duties related to the party, then have to constantly send one-off emails to get my feedback.

Let me guess - in your world they're all assholes for not constantly inconveniencing themselves to cater specifically to what you want. Or you just literally have no social life, because picking up a phone isn't really a viable option to plan a party with a large group of friends. And while email will work, when nobody else wants to use it and you try to force the issue, you're an asshole.


I'm not sure I understand what's motivating the hostility. I don't force my friends to not use whatever social media apps they enjoy, and they don't force me to use them. I'm not sure how either of these attitudes make anyone an "asshole".


>Let me guess - in your world they're all assholes for not constantly inconveniencing themselves to cater specifically to what you want. Or you just literally have no social life,

It is probably this. It is not a hard concept to understand. I do not force my friends to use other services, and doing so would just be causing them an inconvenience and annoy them. Yes they are friends, but having to be a special butterfly doesn't mean they have to like that.


Wasn't it $19 billion?


You are absolutely right, I guess I better correct that, thanks!


The difference is of course the network effect: If I'm not happy with the shoes I'm wearing, there is a huge range of shoes I can buy without any negative consequences for me.

Switching messengers or social networks can have the obvious consequences that you lose your network. That way, even if there are plenty of competitors in theory, the lock-in can be the same as with a monopoly.


Fair point, I was only thinking of things at that scale when writing, so requiring big investment and infrastructure - phone networks, social networks, water, etc.


Facebook Safety Check is considered such a utility by FB themselves; would I be able to use it without an FB account?


Natural monopolies are very often regulated because of the negative side effects of not doing so.

Which is to say, market dominance has transformed products into utilities in the past.

You can argue that should not be the case, but, historically, it very much has been.

There's surely a balance to be struck between incentivising firms to innovate by allowing them to earn profits when they develop a good product and allowing firms to lock in economic rents forever.

How you strike that balance is a value judgement about the kind of society you want to live in.


Can you give examples of the natural monopolies you are referring to?


Most classic utilities were at one point or another provided privately - water, telephones, electricity are examples. In each of these examples the delivery infrastructure makes them a natural monopoly.

Almost any activity you can think of has been carried out by both the public and private sector in different societies (or the same one).

In all industries, very dominant firms are likely to see action from the state.


Well, archaeological anthropologists would say that even fire/firemaking was that at one point in time.


Downvoted for asking for clarification? So I could participate in the discussion better? Awesome.


Your electric company. Running two or more sets of power wires to every house so you can have competition on provision of electricity at the last-mile level doesn't really make sense.


>>> Using the messaging service is a voluntary decision

>> Once a critical mass uses a messaging service, it's not a completely voluntary decision, especially when there is no open standard with inter-operable competing apps.

> This is false. Market dominance does not transform a proprietary product into a basic utility. What I mean is that simply because a proprietary product has a large mass of users does not mean the users have the right to demand that it be regulated like a public utility.

(Emphasis added). Messaging services are special because of network effects. The postal service, the telegraph, the phone system, the Internet are all special services.

I would argue that email should probably have some special regulation beyond SPAM - the way big players like Google and Microsoft handle email is actually a problem already - perfectly good email, from a perfectly valid domain, from an ip without any terrible history - can sometimes end up as SPAM. This in turn makes it harder for people to compete by hosting their own email, in essence market dominance prevents competition -- and harms the commons.

(Yes, the initial harm has been caused and is being caused by spammers -- but the dwindling possibility of running decentralized services on the Internet could very well end up being much more damaging than the cost of SPAM ever was).

And IM and video chat and so on could probably also need some more regulation at some point - because it seems obvious the big players are actively working towards artificial monopolies in order to control the flow of data, so that they can sit on the biggest pile of meta-data (and sometimes data/content) in order to make money (in the short term from simple meta-data/network analysis and advertising, in the long run from having the richest data set on which to do more advanced, automated machine learning).

In this crazy world in which water and other natural resources, previously controlled by and for the public, I can see how people would argue that it somehow makes sense for a private entity to curate and profit from the information that hides in the rich metadata of all human electronic communication -- I think it would be a very good idea to regulate this along the lines of other commons. An example might be parks and spaces accessible to the public - where there are certain things that owners cannot do - or have to do.


Users have the right to demand anything they want within the free speech laws of their country.

They also have the power to impose regulation on any kind of activity not already protected by precedent or constitution, if they can use the democratic process of the courts and lawmakers to impose it.


It can in some cases and in some cases they should be turned into infrastructure. We've done the same with power plants and highways.

And actually yes they do have that right! A corporation is given the privilege to exist by the state, that privilege can also be taken away.


"It can in some cases and in some cases they should be turned into infrastructure. We've done the same with power plants and highways. "

This is precisely because there are no real alternatives. In fact, when and if solar + batteries becomes an actual viable solution to powering you + your neighbors, ...

As for rights, yes, you do have the right, and in fact, personally, while I'm not in favor of trying to turn internet companies into regulated utilities, I am pretty much in favor of killing the LLC and going back to "officers and shareholders are liable" model that used to exist.


I think we need to start looking at the meta-data generated by communication networks (who talks/chats/tweets/etc. to whom, and when) as a commons, that needs to be regulated. Beyond the European privacy laws designed to protect privacy, I think there should probably be limits on who is allowed to do what, and how one is allowed to store and profit from the knowledge. It should be a regulated privilege to be able to handle this information, in a similar way that it's a privilege to run passenger trains, or even postal and phone services.


And why not, given that the network effect means that messaging apps are effectively natural monopolies, and even Milton Friedman of the Chicago school allowed for government regulation and intervention in the two cases of 1) externalities and 2) natural monopolies?


"Using the phone network is a voluntary decision, nobody is forced to own a phone."


There aren't alternatives to a telephone system: there is essentially 'one' telephone. WhatsApp is hardly a monopoly. Users could use SMS, Skype or any number of alternatives that provide almost identical utility. It isn't like comparing a telephone with hand written notes.

Interestingly, what led to WhatsApp? Telephone company monopolies on SMS. The internet itself could be considered a public utility -- not what flows over its wires.

One solution to this, assuming we want to take the public utility route, is to start charging users like it were a utility. Perhaps €10 per month for German users to offset the lost revenue from the data FB won't be allowed to collect. Then the Germans can tax that €10 just like it taxes phones and everyone will be happy. WhatsApp isn't 'free.' Using that service has a cost. Should Facebook just give away their product? Why would a business do that? Facebook employees don't work for free, so why should Germans get to free ride? A really popular service ought not be regulated by the virtue that it's really popular.

There is a mostly free market. WhatsApp isn't essential or even necessary. It's about as 'vital' as Instagram. It isn't like it's the only game in town.. not even close.


I detect snark, but it's a true statement.


I disagree. Some of my clients and contractors use specific messaging platform (mostly skype, facebook and wechat) and I do not have the power to make them change.

It is not fair to ask people concerned about privacy to pay a toll in terms of professional outreach.


"and I do not have the power to make them change."

This is pretty irrelevant. they have the power to change.

There are plenty of alternatives, in fact, you listed them!


What did we all do in the past without those CRITICAL messaging services? Did people simply not communicate before IM apps were invented?


Things just took a few hours longer, making planning a party a thing of days or weeks.

With whatsapp, I can plan a birthday party in 20 minutes, on the same day as the birthday, while also ensuring everyone who couldn’t answer a call got the message.


Using a cellphone is voluntary, too.

Post office as well.

Can phone operators sell the social graph of users to 3rd parties, then?

It's so dumb...


> Using a cellphone is voluntary, too.

Indeed. But the difference is that it is legal (and possible) to program a very open (and privacy-conscious) messaging service.

On the other hand, it is completely illegal (in the US by FCC ruling) to develop a completely free and open baseband processor and use it. It is also nearly impossible to set up an alternative cellphone network since you need licenses for using the parts of the spectrum.

This is where the difference is.


You can develop a phone using open band (CB radio for example).


At least in Germany, where I live, there are similar regulations concerning permission to build your own radio device for CB band as for baseband processors (i.e. if you want to legally use your self-built device there are strong restrictions (CE certifications are nearly unaffordable for makers)).

Also in CB bands you are not allowed to encrypt the sent data. Thus not an option for people caring about privacy.


In the US, pretty much all open frequencies that require either no license, a de facto license (owning a device gives you a license, CB), or a certification test based license do not allow any sort of scrambling or encryption unless the gov't is able to decode what you are sending. A third party successfully listening in defeats the entire purpose of obscuring what you are saying.

But, if you can afford an expensive license from the FCC for operating on other (commercial) bands, you can secure your communications from prying eyes.


Post office really isn't voluntary. When I get my required tax forms from France, if I don't have the post office, I'm unable to complete an action required by the State. That means the Post Office isn't voluntary unless you want to break the law.

When my kid's school requires WhatsApp in order to submit required documents, then there might be a claim that WhatsApp rises to the importance of the Post Office or the telephone.


Right. However there are many competing postal service providers in my country, and the ones used by the government and institutions change from time to time (there's open competition every few years and for a while courts were using a different provider than the usual national post for example). And no matter which one was "mandatory" at any given time - all of them have to keep the secret of correspondence and have to comply with the law regarding storing private information etc.


ING, a bank, is starting to require WhatsApp instead of email for customer service, in the Netherlands I think.

You're not that far off ;-)


Such a requirement would terminate my relationship with them immediately...


What if every bank started requiring it?


What about the dark profiles? You're in all your friends/family's address book. You'll get profiled even without FB or Whatsapp.


It's similar to not using gmail, but sending/receiving from gmail.


> Using the messaging service is a voluntary decision

Yes, it is voluntary, but it would be socially alienating not to be on that service. Here's a relevant talk [0] by Moxie Marlinspike talking about that.

[0]: https://www.youtube.com/watch?v=eG0KrT6pBPk&feature=youtu.be...


> Yes, it is voluntary, but it would be socially alienating not to be on that service.

On the other hand: Do people who care about privacy very much really get along well with people who don't and force you in subtle ways to use such a messaging service? I rather think it's the completely different mindset of these two classes of people that is socially alienating and the message service is just a symptom (I believe I know what I'm talking about since I think I am one of these very privacy-caring people).


We're different people, but I think my friends are just not aware of how their rights are violated and how important privacy is in a digital world. Mainstream media also rarely publishes content related to this issue, so most people have no clue about what happens in this field. Pretty hard to make good judgements if you don't know the details.


Some of the people who care most about privacy are also very social: activists and politicians.


For activists I think you are biased by the fact that by definition you only perceive activists that are rather social. I, for example, consider myself as very activist, but also very unsocial.

For politicians my perception is different: one might be tempted to call them privacy activists, but only for their own privacy (for obvious reasons), but not for passing laws protecting the privacy of the ordinary citizen.


> I, for example, consider myself as very activist, but also very unsocial.

Can you square that circle for me and explain what you're doing to be an activist while eschewing the social sphere?


> Can you square that circle for me and explain what you're doing to be an activist while eschewing the social sphere?

I don't eschew the social sphere, but I strongly lack charisma/am socially rather clumsy and rather the kind of person who has difficulties forming friendships, thus I'm not very social.


OK--so how are you, as you define it, an "activist"? Activism, to my mind, requires social interaction and engagement. I'm curious as to what I'm missing.


There's plenty of "activists" trying to develop encrypted messaging systems, blogging about privacy rights etc, and they are not all that social.


Let me help here:

There is a whole lot you can do without one-to-one social face-to-face interaction and engagement.


I for one do.


Now, going without Facebook or IM is "socially alienating"? People's social lives must be pretty fragile these days if they really require things that did not even exist for the majority of humanity's existence.


Clothes "did not even exist for the majority of humanity's existence" and it is socially alienating to not use them. Not a great argument.


How are the privacy laws in India? Couldn't the students sue?

to be honest, if the pressure was just from two individuals, I'd also say something like Facebook.


Interesting question: do we think the Facebook people actually believe the "usage is voluntary, so we can do whatever we want" line of reasoning? It's clearly a very persuasive PR argument, but there are some smart people at FB, especially working on WhatsApp.


Now things are going to get interesting! I completely understand the desire for privacy but I think it's unrealistic to expect that Facebook won't consolidate its data by user across all their applications. Facebook (and Google, etc.) are now in the same business as the credit reporting agencies ... You are their only product.

My hope is that the increasing outrage will drive users to one of the secure messaging applications.

Disclaimer: I have neither a Facebook nor a WhatsApp account.


> Now things are going to get interesting! I completely understand the desire for privacy but I think it's unrealistic to expect that Facebook won't consolidate its data by user across all their applications. Facebook (and Google, etc.) are now in the same business as the credit reporting agencies ... You are their only product.

The difference in this particular case is that Whatsapp made an explicit promise that they would not start sharing their data.

> Respect for your privacy is coded into our DNA, and we built WhatsApp around the goal of knowing as little about you as possible: You don't have to give us your name and we don't ask for your email address. We don’t know your birthday. We don’t know your home address. We don’t know where you work. We don’t know your likes, what you search for on the internet or collect your GPS location. None of that data has ever been collected and stored by WhatsApp, and we really have no plans to change that.

> If partnering with Facebook meant that we had to change our values, we wouldn’t have done it. Instead, we are forming a partnership that would allow us to continue operating independently and autonomously. Our fundamental values and beliefs will not change. Our principles will not change. Everything that has made WhatsApp the leader in personal messaging will still be in place. Speculation to the contrary isn’t just baseless and unfounded, it’s irresponsible. It has the effect of scaring people into thinking we’re suddenly collecting all kinds of new data. That’s just not true, and it’s important to us that you know that.

> Make no mistake: our future partnership with Facebook will not compromise the vision that brought us to this point. Our focus remains on delivering the promise of WhatsApp far and wide, so that people around the world have the freedom to speak their mind without fear.

https://blog.whatsapp.com/529/Setting-the-record-straight


I read that blog post when the acquisition was announced ... And laughed! While it feels like the (then) WhatsApp CEO was sincere, did anyone really believe that Zuckerberg would be a hands-off owner? Or that his public-only data content ideas wouldn't become dominant? I'll agree that I think this move contradicts his blog post but I also don't think the purchased entity gets to set the terms after agreeing to be bought ... That would be an interesting contract to read.


You wouldn't pay 2 billion for a messaging app with a few hundred million users that is without ads and doesn't make any money to be philanthropic about it, would you (or anybody else)?


20 Billion. 2 Billion was what it was worth. Maybe.


22 billion


Well, they could've actually started charging for the service. $1 a year was more than reasonable for me.


I remember it said 1$ from next year onwards and the first year was free. Maybe if they hadn't been bought out by FB that would have been their option, and it would have been a better one. Not sure why none of the leads start a new clone and start charging.


I for one didn't believe that blog post and deleted my WhatsApp account the moment the acquisition notice came up. It didn't make much sense why a messaging platform would be bought for $19 billion and not used by Facebook to better target advertising.


This all comes back to the two-faced saying of one thing loud and publicly while in the small print buried in legalese proclaiming something else. That practice needs to be illegal. It is basically fraud.


One aspect of European data protection is "freely given, informed consent". You can only do what the user has consented to. If a company loudly says "We'll never share it" and the ToS says "We can share it", then what has the user consented to? You could make a case that the user is consenting to the loud proclamations. EU data protection law doesn't allow dense legalese behind a click-through as "consent".

So maybe EU law is already doing what you say it should do. :)


German law basically says that terms of service and end user license agreements can't contain surprises. If a service explicitly states it doesn't do certain things, the user hasn't consented to the service doing those things, even if the ToS or EULA contain a snippet in fine print saying the service may actually do these things after all.

This already bit WhatsApp when they tried to ban users for using alternative clients. A German court ruled while they may block those alternative clients, banning the user is unexpected because most other services don't have that kind of policy on alternative clients.

So they could have still kept that policy but they would have to make it unambiguously clear and draw attention to it outside the ToS or EULA because it's something users wouldn't expect from that kind of service.


The EU is way ahead in protecting consumers. Thankfully I am an EU citizen (for now, #Brexit) but unless other major economies follow corporations will keep trying.


Part of the "product/service" is the protection of privacy that was promised and since breached. It is because of network effects that make it hard for users that understand privacy and value it to move to another service such as Signal. If there were that form of "user liquidity" then our privacy would not be violated for users would simply switch to a product that valued their privacy.


> The difference in this particular case is that Whatsapp made an explicit promise that they would not start sharing their data.

    They "trust me"
    Dumb fucks
    / https://en.wikiquote.org/wiki/Mark_Zuckerberg /

They trusted a promise. Again. The only question is how many times can this be done.


Thanks for bringing up the quote. It is worth remembering when it comes to Facebook.

That said:

> The only question is how many times can this be done.

Seems like German courts say it stops here.


Where does it say that Facebook will respect that blog post?


That blog post is written and published by Facebook on their own website.


We could ask this question recursively ad infinitum. Because their intention to respect wherever it says they'll respect the blog post can be questioned too.


qed.


I'm not sure I mind FB collecting data on me when using FB directly.

OTOH today I read a 10 minute article on an unrelated site about loneliness. When I got to the end of the article an in page popup appeared that said something along the lines of "Liked by 9571 people including your friend John Smith".

I was extremely creeped out. What right does FB have for knowing that I read some article on an unrelated website?

I immediately installed Ublock Origin, blocked facebook.com and messenger.com. My plan is to delete all my cookies and run a separate chrome profile for facebook. Not sure I'll be able to keep the discipline.

Yes I know Chrome saves some of the same data but you can optionally encrypt it and Google at least claims they aren't using for ads https://www.google.com/chrome/browser/privacy/

On the other hand Google's other services like analytics are probably tracking me but so far they haven't been as creepy.


On the Mac there is an old app called Fluid that makes this process easier; single website browsers appear as separate applications.


Thanks for this, I would never have discovered this useful app without you. Thanks.


I keep Facebook script blocked on my main chrome instance. I therefore can only check Facebook on incognito (where script block is disabled).

The added friction of signing in every time to check Facebook has had the added benefit of stopping me visiting Facebook unconsciously. The amount of free time clawed back has been substantial!


While you're installing extensions like uBlock Origin, I would also recommend Privacy Badger from EFF. [1]

[1]: https://www.eff.org/privacybadger


Clicking "like" on an article is an action that you take only if you want that like to be seen by your friends. It is an inherently public action, don't see anything wrong here.


GP is not objecting to Facebook telling him that John Smith liked the article, too. He is objecting (I think) to the fact that Facebook knows who he is (as evidenced by knowing who his friends are), and knows that he just read that article (as evidenced by telling him who among his friends liked it).

And that is creepy, I think, and one reason I have all the good adblockers and tracking blockers and cookie cleaners that GP mentions installed, too.


If you're logged into FB and there is a relationship between the site and FB, then why is it a surprise that the site is able to id you? And when I say "you" I don't mean "John Smith from sf working for company X" but a number with some generalized demographic data attached. There are strict pii guidelines that adtech has to follow, no one really knows who you are. FB and other adtech giants need to do a much better job educating the consumer about what actually happens to data and how ad targeting works.


Most people, I submit, don't log out of FB, they just close that browser tab. So, basically, most people are always logged into FB.

Next, there is no obvious relationship between the site and FB - it's some random article on some random other site, say the NY Times, on some random, say potentially embarrassing topic. However, there's a FB "like" button, or some other tracker.

Now, the site might just get some ID with demographic data (and hobbies and what have you). But FB now knows that you read that article (how could it have told you, otherwise, that John Smith read it?). That might not be a surprise to you, having some knowledge in the industry, but I submit that many if not most people find it both surprising and creepy.

Next, your argument seems to be that with some more education people would not find it surprising, and neither creepy, because adtech is so well behaved and under strict guidelines and "no evil" and all. So, at that point we'll just have to disagree.
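
The mechanism described in the comment above, as an added example that is not part of the thread: a minimal Python model of a browser loading an article that embeds a third-party widget, compared across the three setups commenters mention (always logged in, third-party blocking, a separate profile). The hosts `news.example` and `social.example`, the cookie value and all function names are constructed, and the model assumes the browser sends third-party cookies and a full `Referer`.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample data: every host below is a placeholder, not a real service.
ARTICLE = "https://news.example/health/loneliness"
EMBEDS = [
    "https://cdn.news.example/site.css",               # first-party asset
    "https://www.social.example/widget/like-button",   # third-party widget
]
SESSION = "session=alice-1234"  # set earlier, when the user logged in to social.example


def site_of(url):
    """Approximate the registrable domain as the last two host labels.
    Assumption for this model; real browsers use the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


@dataclass
class Browser:
    cookies: dict = field(default_factory=dict)   # site -> cookie header value
    blocked: set = field(default_factory=set)     # sites blocked as third parties

    def load_page(self, page_url, embedded_urls):
        """Return the sub-resource requests that actually leave the browser."""
        sent = []
        for url in embedded_urls:
            target = site_of(url)
            third_party = target != site_of(page_url)
            if third_party and target in self.blocked:
                continue  # content blocker: the request is never made
            headers = {"Referer": page_url}  # assumption: the full URL is sent
            if target in self.cookies:
                # assumption: third-party cookies are allowed
                headers["Cookie"] = self.cookies[target]
            sent.append({"url": url, "third_party": third_party, "headers": headers})
        return sent


def widget_log(requests, widget_site):
    """What the widget operator's server can record: (cookie, page that was open)."""
    return [(r["headers"].get("Cookie"), r["headers"]["Referer"])
            for r in requests if site_of(r["url"]) == widget_site]


def run_scenarios():
    browsers = {
        "logged_in": Browser(cookies={"social.example": SESSION}),
        "blocker": Browser(cookies={"social.example": SESSION},
                           blocked={"social.example"}),
        "separate_profile": Browser(),  # no social.example cookie in this jar
    }
    return {name: widget_log(b.load_page(ARTICLE, EMBEDS), "social.example")
            for name, b in browsers.items()}


if __name__ == "__main__":
    for name, log in run_scenarios().items():
        print(f"{name:17} -> {log}")
```

In this model the separate profile removes the session cookie but the widget host still receives the article URL; only the blocking rule stops the request from being sent at all.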


Sorry, I didn't mean to say that adtech as a whole is well behaved or cares about user experience, if it was, ad blockers wouldn't be as popular as they are. But I do think there is also an education issue where most people think that PII is being exposed that makes it sound creepier than it actually is.


I didn't click "like". I didn't in any way directly interact with Facebook. I googled articles on loneliness, picked one, read it. When I got to the bottom without clicking anything I was effectively informed that Facebook knew and recorded I had just read the article.


I misunderstood what you were uncomfortable with, I thought you were uncomfortable on your friend's behalf that FB was showing his other friends that he liked an article.

But I'd like to better understand where you're coming from, because personally, I wouldn't be bothered by the relationship between the site and FB while I was logged into FB. If FB's algorithm knows I visited a specific site and uses that to improve the relevancy of what is shown to me in my feed, then everyone benefits. Help me understand what's creepy here?


I'm curious how you find it not creepy. Imagine every company you ever interacted with spawned a flea sized drone to spy on you at all times. Are you saying you would not find that creepy?

Sure, they could potentially provide you with better service by spying on you 100% of the time. Would you accept that trade off?

I'm curious why is FB knowing every site I visit (or every site that has FB related analytics/ads/comments/like buttons/etc) embedded not creepy to you?

I get that when I visit the GAP or Target or Walmart there are security cameras. I get that they could use that info to decide how to better arrange the store. I get that they could even do something like notice what I'm looking at, put displays on the aisles and beam useful help/ads at me (I see you're looking at diapers, maybe you'd like some wet tissue on aisle 3)

But I'd find it creepy if their surveillance extended outside their store. I'd find it creepy if they could partner with every security camera with every other store. I look at shoes at Ecco and get a message from Walmart "We noticed you looking at shoes. We have lots of shoes on sale!" or "We saw you looked at jackets at Nordstroms. Your friend liked that green one you looked at".

Why is that any less creepy when I visit non-FB websites?


I don't find it creepy because no person in FB actually knows it is me, to them I'm a number in an algorithm. The only way it could become creepy is if they publicly associate my name with the actions and start displaying this information publicly, but I trust them not to commit suicide by taking that action, just like I trust that my ISP won't post all my info somewhere with a history of all the sites that I visit.


Actually Google just very recently changed their privacy policy to show you ads based on your bookmarks and places you surf the web on. It started about 3 weeks ago.


Whatsapp gained massive users with their "no commercials ever" claim. They were a small independent company. And people arguably got invested in the network as a result. Now they reverse on that but the public feels locked in. I myself think... just switch to Signal or Telegram, but the amount of WA users is simply massive here in the EU. Everybody uses it.


Sometimes I wonder if the strategy of announcing "due to the anti commercial data privacy demands in Germany we are forced to suspend all German WA accounts for the next couple of days" is ever discussed at Facebook.

I'd be interested to see the political pressure it would create. I think the network is strong enough that people won't switch to other apps instantly and there would be a pretty big "just gimme back my WA" outcry which politicians would probably need to respond to.

Obviously the Datenschutzbeauftragte are theoretically independent but I'm sure they'd feel the heat. At least I'd be interested in seeing this play out if a law is being discussed. It won't ever happen but I have a feeling people would want WA enough that it could theoretically be used as a strategy.


My understanding is that the German people generally are very wary of data being moved around and collected 'unnecessarily'. I think a ploy like this would only backfire on FB.


Yes, I'd second that. While there would no doubt be some sort of outrage from the users, I don't think it would be nearly as strong as suggested. Germans in general, and especially the more educated, tend to be very protective of their data protection rights. If FB attempted something like this, it would be torn to shreds by German media.


> Germans in general, and especially the more educated, tend to be very protective of their data protection rights.

Indeed being German I can say this is true for Germany because of the experiences with two dictatorships on German ground in the 20th century - the last one ending only about 26 years ago. Many people living in the GDR that were under supervision by the Stasi (often without knowing) have read the Stasi file (if it exists) and know what details have been recorded about their lives and what kind of kompromat could in principle be derived from it.


I already see non-technical people switching; it would backfire massively since now the rest will overcome their inertia too.


And oddly, Germany requires you to declare your religion to the government. So I guess the question would be: what is considered necessary? If Facebook needs data to offer a free service, that seems necessary unless Facebook employees are volunteers and servers run on kitten sneezes and rainbows.


This is not a requirement by the government. The question is asked on behalf of the communities of faith that explicitly tasked the government with that. That is a right religious communities have guaranteed by the constitution.

The government is not asking you if you are a member of a religious community that has not chosen to use that service.


> And oddly, Germany requires you to declare your religion to the government.

I trust my government with my data (well, mostly) because if it abuses that trust, I know that I and my fellow citizens can vote it out of power. We have no such control over FB.


Do you mean on tax forms or the declaration that you are not a member of Scientology?

Afaik you can enter whatever you want on the tax form, it is just used to collect membership fees/church tax on behalf of a church. Mostly part of an old deal between the state and the catholic church.

Scientology on the other hand counts more or less as an enemy of the state, stability and not something you let near children. So you need to fill out a corresponding form for specific jobs. If even half the stories of what they get up to are true that is a good thing.


I think also that it would backfire, if you look at what happened in Brazil [0], the blockade made Telegram very popular and again with what's happening here, they benefit [1].

[0] https://news.ycombinator.com/item?id=10749129

[1] https://twitter.com/telegram


Extreme non-techies will say "WhatsApp is broken, use this app instead". People who read the news will know it's about the US companies wanting to spy on your data (remember Germans don't have US 4th Amendment rights), and will switch apps.


I'm not convinced German constitutional protections are weaker than the 4th Amendment. The constitution even includes a right to the guarantee of confidentiality and integrity of information technology systems as ruled by the constitutional court. https://www.bundesverfassungsgericht.de/SharedDocs/Entscheid...


> I'm not convinced German constitutional protections are weaker than the 4th Amendment.

Here's a report from the EU commission about why the US constitutional/legal protection is much less than the EU (and hence German) equivalent:

    http://www.europarl.europa.eu/RegData/etudes/STUD/2015/519215/IPOL_STU%282015%29519215_EN.pdf

Basically: Unlike the EU Charter of Fundamental Rights, US 4th Amendment doesn't cover non-US people outside the US, and it only covers government warrants. What Facebook does with your data is not covered by the 4th Amendment. What Facebook does with your data is covered by Article 8 of the EUCFR.


I think the argument is more that Facebook is a US company, Facebook isn’t bound by German law (unless they operate in Germany, which they do), and the 4th Amendment only applies to Americans.


> Facebook isn’t bound by German law (unless they operate in Germany, which they do)

If you're not in the USA or Canada, and use Facebook, your agreement is with Facebook Ireland Ltd, and bound by Irish, and European, data protection law.

A Facebook user in India has EU data protection rights.


I think people would switch pretty quickly. Most people will have friends locally and regionally - there will be some cut off internationally but they'd be the minority. And if everyone you know is prevented from using the same messaging service, the expedient solution is to change to a different one.


Telegram is a terrible platform and not at all comparable to signal.


Maybe encryption-wise but function-wise it is miles ahead of both WA and signal. There are bots, stickers, live preview of gifs and (YouTube) movies, an audio player built in, an API, real desktop clients (yes I understand that breaks e2e encryption but it's nice when my phone battery is dead I can still send people messages), channels, cloud storage. Still it feels faster than WA. WA is a (very) local minimum and moves very slowly, we can do much better as users.


Could you elaborate? I am using Telegram not because of privacy concerns but because of the desktop and tablet clients. I had absolutely no issues so far.


Telegram's weak points, as far as I can tell:

* chats not end-to-end encrypted by default (only secure chats), so clear text is on their servers

* group chats can't be secure chats

* the crypto is somewhat unconventional. While the developers had their reasons (constraints of mobile platforms), and no exploit has been found so far, AFAIK, any self-rolled crypto is a bit of a red flag to cryptographers.

* I have no reason to distrust Pavel Durov or his motives, but I am somewhat skeptical of services based in Russia (also, just to be clear, of services based in the USA or other five eyes).

To me, Wire might be the best of both worlds (as I've said in another post in this thread, and BTW I am not connected to them in any way):

Signal protocol; based in Switzerland; smartphone, desktop and web client; free; text and voice chat and group chat; open source (GPLv3, and on github); signup with phone number or email.


Wire does not use Signal Protocol. They use a protocol of their own devising that we do not recommend.


https://github.com/wireapp/wire#proteuscryptobox for info on Proteus/Cryptobox that Wire uses.


hey moxie! thanks for your work on signal


Telegram is not based in Russia. Pavel Durov fled the country and is currently operating Telegram from Germany.


It's not end-to-end encrypted, so telegram still has access to all your messages and can turn over data in the case of a subpoena or if they just feel like it.

The desktop client was not encrypted at all last I checked, only the mobile client.

Signal is e2e encrypted, it's in a completely different ballpark.


No, what's more interesting is previously Whatsapp users had a reasonable expectation of privacy. Facebook acquired the company without first checking with the EU or anyone else if they would oppose them removing that privacy and mining user data. Now they're caught between a rock and a hard place because they need to spy on users to justify the purchase price, but they never bothered to ask if it was OK with regulators first.

Saying "users don't have to use us" after there's already a massive, massive installed base is ridiculous and Facebook knows it. If it were just as easy as switching to another messaging service they NEVER would've paid that much money for Whatsapp. It brings almost nothing unique to the table outside of its user base/momentum.


I got down-voted for saying it last time this was brought up, but:

Sharing data is what these companies do. The only way to keep your data safe is to use open-source, e2e systems.

Even if you trust any company today, there's no reason you can trust said company tomorrow.


Facebook are quite free to consolidate all user data in the EU. And then be bound by EU laws.

Which would of course limit what they can do with it. And I suspect it's commercial use, not consolidating, that Facebook are more concerned about. :)


Google etc. are not in the same business as the credit reporting agencies.

The latter collect your data and sell it to third parties. The former collect your data, keep it a tightly-guarded secret, do not sell it to anyone, and use it to make their own product more profitable.

I think the difference is important to keep in mind.


Regardless of how this ends up working or being decided, I'm very happy to see such discussion occurring. The large scale collection of data on users has benefits both nominally 'good' and 'evil' - from app UX to advertising profits. But equally interesting are the potential drawbacks involving privacy concerns, and lack of user awareness.

It is this last point that I find best remedied by articles like this appearing in widely available media publications. When a discussion is on HN I might learn a lot and reflect upon my choices. When the nytimes and German privacy commissioner start a conversation, I consider that even more valuable.

Hopefully a balanced outcome will occur, but I don't see that as important as the inevitable education that comes with such public debate.


This is probably nitpicky, but I'm not sure I buy this idea that "advertising profits" are "evil" - last I checked I happily use a Facebook account and all its features, built by extremely hard-working and intelligent engineers, without paying a dime. Not to mention the fact that I don't want to pay, and some people just can't.


It's not the profits, but the practices that generate those profits, which people consider evil.


“It has to be their decision, whether they want to connect their account with Facebook,” Johannes Caspar, the Hamburg data protection commissioner, said in a statement. “Therefore, Facebook has to ask for their permission in advance. This has not happened.”

That's a fair point. I don't use WhatsApp, so did it ask to accept a new privacy policy, terms & conditions or smth? Anyway, I'm happy to see that institutions in Europe take a stance against big corps to protect its users lately.


I don't think dense legalese in a click through can count as "consent"


This is a real problem. What's the alternative? The TOS does need to express the desired purpose and to hold up in court if required. Some licenses are much simpler than others, but some are necessarily complex. The GPL is much shorter than most click-through TOSs, but an average user still isn't going to read it.


German law requires the use of opt-in, i.e. the default setting of agreements to transfer data to other parties must be 'no' (or the checkbox must be empty). That way, it is very easy to make sure there is explicit consent to transfer of data, and the service provider can't hide it in the TOS. Of course, the service provider is also free to limit or close its services to users that do not consent. That is actually what the German data protection watchdog refers to: the WhatsApp setting that controls if the data is transmitted is by default enabled (opt-out), but should be disabled (opt-in).


I don't think this is very useful in most cases. Suppose a service requires data transmission to operate, either intrinsically, or it just chooses to require it. It displays a checkbox, unchecked by default, and unless the user checks it, the service isn't going to work; checking the checkbox is functionally equivalent to the "I Agree" TOS button. I expect users will check the checkbox without reading any explanations, just as today they click "I Agree" without reading anything.

And if this is a legal requirement, then service providers are greatly incentivized to require data transmission as a condition of using the service. If it's optional, then very few users will go into settings and enable it. If it's mandatory, then all users are going to agree, in order to use the service.


> Suppose a service requires data transmission to operate, either intrinsically, or it just chooses to require it

No service really requires data transmission. It's just the owners have decided to run it that way.

> I expect users will check the checkbox without reading any explanations, just as today they click "I Agree" without reading anything.

Within EU Data Protection law, you have to get "freely given, informed consent" for things. And a checkbox which links to 30 pages of legalese does not necessarily count as informed consent. Just because your users clicked a checkbox/clickthrough, that doesn't mean you're in the clear legally.

> if this is a legal requirement, then service providers are greatly incentivized to require data transmission as a condition of using the service

Unrestricted data transmission (and processing) is not legal in the EU. EU fundamental rights law specifies that. So you can't necessarily create a service which from the start requires that sort of agreement.


> No service really requires data transmission.

Some services do. For instance, Waze builds live traffic maps because all its users upload their locations / speed / etc.

> It's just the owners have decided to run it that way.

Which is their right, as long as the users give informed consent. What I would like to know is how, in practice, such consent can be sought or given.

> And a checkbox which links to 30 pages of legalese does not necessarily count as informed consent.

I'm not saying it does, necessarily. I'm asking what does count as informed consent? Can you give an example of consent done right?


Oauth popups is a good example of how to give consent. They are opt in and usually say exactly to whom you share information and what kind of information they will get.


German data law is very strict, so yes, it is useful:

- You can only take as much as you need

- You cannot ask for data for one thing and use it for another

- You have to clearly state what data you will use for what purpose

- The opt-in has to be distinct from other opt-ins (so, 100 pages of EULA and then a checkbox "I accept" doesn't cut it)

The only problem here is that the penalties for breaking the data protection laws aren't very high .. I'd like to see percentages of a company's revenue.


> German data law is very strict

Technically this law is European-wide, not just Germany. It's from the EU, and the Charter of Fundamental Rights of the European Union (Basically the EU's Bill of Rights). Article 8 lists your personal data rights.

The EU/US Safe Harbour was invalidated by the Court of Justice of the EU, after an Austrian person took a case against Facebook in Ireland.

> The only problem here is that the penalties for breaking the data protection laws aren't very high ..

DPAs have the authority to force companies to stop doing things. They might not be able to fine Facebook a meaningful amount, but they can get a court order to stop them doing it.

> I'd like to see percentages of a company's revenue.

That is being proposed.


> The TOS does need to express the desired purpose and to hold up in court if required

Why? What if the "desired purpose" (desired by the company) is illegal? Then such a ToS/contract is not, and should not be legal. What the Data Protection agency is doing here, is saying that what WhatsApp/Facebook are doing is illegal.

> The GPL is much shorter than most click-through TOSs

The GPL is a copyright licence so doesn't require consent. It's a different type of "licence" from most ToS's.


> Why? What if the "desired purpose" (desired by the company) is illegal?

My comment was badly worded. What I meant was that, if the license's meaning was disputed in court, the court should agree that it meant what the company intended for it to mean. And that is one purpose of unclear legalese in TOS. (Deliberate obfuscation, and increasing lawyers' fees, are also purposes, but not the only ones.)

> What the Data Protection agency is doing here, is saying that what WhatsApp/Facebook are doing is illegal.

It's saying WhatsApp didn't get the user's consent in a legal way. It is not saying that what WhatsApp wanted consent to is itself inherently illegal. My comment was about the general problem of meaningful agreement to online click-through contracts.

> The GPL is a copyright licence so doesn't require consent. It's a different type of "licence" from most ToS's.

It's the same in the relevant respect: that to use the GPLed software in certain ways, e.g. to install copies of it on many computers (which counts as copying), you have to do certain things outlined in the license. And since copyright law by default forbids such actions, the user has to read the license to know they can do it.


> What I meant was that, if the license's meaning was disputed in court, the court should agree that it meant what the company intended for it to mean.

And my point is that sometimes what the company intends/wants is illegal. And the courts should

For example, a company might want employees to sign away rights to minimum wage. We can clearly see what the company intends in that contract, but the courts will not agree with it.

"Contracts are sacred and unbreakable" is an ethical/legal stance associated with libertarianism, and it is not what many countries follow.


Yes, of course, some things are illegal and cannot be agreed to in contracts. I'm not saying contracts should be sacred. I'm saying the contract's meaning should be as clear as possible so courts will agree the license meant what the company intended it to mean. The court can still say the license is illegal or unenforceable, but there should not be a dispute whether it means one thing, which is legal, or another, which isn't.


> so did it asked to accept new privacy policy, terms & conditions or smth?

they played a trick on everyone by hiding the relevant question/info behind an "extra info" button that nobody will ever click


Interesting when you confront this with those decisions of Brazilian courts of suspending/blocking WhatsApp during some days.

Because the response, from the court order, is always "Facebook and WhatsApp are separated companies, you are asking Facebook (that has an office in Brazil) to answer for WhatsApp (that hasn't), Facebook doesn't have access to any meta-data from WhatsApp (including which user talked to another one)".


It’s unfortunately a good example of how easy it is for products to change: in our current system, any nice thing is just one buyout away from becoming something entirely different.

It’s a bit like when a restaurant starts out good or bad, and changes under new management: it’s “the same” restaurant and yet it’s really not the same anymore, and consumers may or may not have gotten the memo. And it almost doesn’t matter if it goes through 3 managers, from good to bad and back to good, as the brand has already been tarnished and the damage is done.

I believe strongly that the hard work of hundreds of people shouldn’t be easy to screw up just because the wrong people bought you out, and yet this happens frequently: good projects are killed, and excellent work may end up going nowhere. This is why open-source projects have so much value: they are very difficult to screw up because there is always the option to fork it from a good spot and keep all the good work alive.


While Germany is protecting their citizens from facebook's shady privacy policies, The US leaders argue about who has more stamina.

I'm very happy paying 1$ a year for privacy and security.

Whatsapp just re-iterated that they will say anything to fool its users and break their promise.

Facebook should definitely get a fine in billions and should be made to apologize publicly for breaching privacy.


If you're paying $1 a year you don't have privacy: you just gave your banking details to the provider. Why do you think this is better than optional linking to a Facebook profile that may or may not even use your real name, and almost certainly does not have your street address on it?


Banking details are far from the most damaging thing you can reveal. Things like credit card fraud are usually insured by your bank and WhatsApp is not getting access to peer into your account balance when you pay for something.

Facebook's data mining allows it to form a profile of your preferences, which political groups you belong to, where you spend most of your time, and who you associate with. This is all potentially damaging information - especially under the right circumstances like the political tumult happening in Turkey.


Hamburg's data commissioner is influential because he is very active and outspoken (the previous one was even more so), but that also means that he's a bit fast and loose.

His opinions and rulings are not always held up by the courts, and the other states' data commissioners (there are fifteen more, plus a federal one) quite often don't agree with him.


It just takes one loud voice to start a debate.


Although the data commissioner of Schleswig-Holstein almost always backs Hamburg’s commissioner.


This could send shockwaves throughout the entire web.

If the premise of the complaint is that users connecting with a facebook account didn't explicitly give permission to use the data associated with it then I imagine a swooping change will have to happen with all services that use Facebook, google sign on as they'll have to explicitly gain user's consent to use the exact information they're mining.

You might go, oh well they already do, I doubt it honestly and they likely rely on implicit consent but I can see this having major shockwaves


This is an important discussion, but nobody seems to be asking the question - what is the end goal here for either side?

Let's take the extremes as a beginning..

1. Let's assume every action a person takes is logged. That means every keystroke, cough, heartbeat, meal, path taken etc... for everyone on the planet is tracked somewhere in some system.

2. On the flip side let's say that nothing is logged and we stop using systems that track our behavior altogether.

- What are the costs and benefits to either extreme and where would the people of the future prefer to lie on that extreme? Is there a realistic middle ground?

If the question is about informed consent then I am afraid it's a losing battle. Consumers do not understand even the basic externalities of different behaviors - and even if you printed them on the label it would mostly be noise. So to expect that people will understand all possible negative externalities with sharing data is a bridge too far.

I personally think that more accurate lifestyle data, provided by users to Machine systems, with the purpose of affecting behaviors, based on stated and revealed preferences of the users would be the best long term outcome. Offloading decision making to a machine is the best decision we will ever make as a species - and that requires a lot of training data and other data to optimize.

Otherwise we might as well just go back to everyone being a farmer.


This is why I like the Germans so much. They just do this stuff.


Yesterday, I opened whatsapp on my phone. During the last weeks I have been clicking on the `Not Now` option when whatsapp gave me the new terms and conditions. Yesterday, the not now option did not exist. This is not good.


What is not good ? What is the point ?


I think he means that he can't say "no" to the new terms anymore. But you're right, if the parent doesn't like whatsapp it should just uninstall it.


How does this work, if I travel to Germany and use WhatsApp is Facebook compelled to delete all the shared data they have on me?


I guess that's Facebook's problem now. WhatsApp uses phone numbers as logins though, doesn't it? Shouldn't be too hard to map providers to different countries.


Likely they'll do it based on the phone number prefix +49


I sense a new market. German number-as-a-Service...


This will be on Show HN in 2 weeks, calling it now.


Get one on Twilio, set it up so you get the verification code, finished. Right?


I would think it would be either by German carriers or else country code of the phone.


Can everyone just please install Wire [1]:

* free,

* end-to-end encrypted

* text and voice chat

* with pictures and group chat and what have you,

* using the Signal/OpenWhisper protocol,

* with desktop and web clients,

* open source (GPLv3, and on github [2]),

* signup with phone number or email,

* based in Switzerland,

* what else can you ask for?

Signal itself of course is pretty good, secure (recommended by Ed Snowden, famously), but not quite as fully featured it seems to me.

[1] https://wire.com

[2] https://github.com/wireapp

EDIT: added license, web client


> * using the Signal/OpenWhisper protocol,

Developer of Signal says:

> Wire does not use Signal Protocol. They used some of our code, but created a protocol of their own devising that we do not recommend.

— moxie, https://news.ycombinator.com/item?id=12149642


Very interesting, wasn't aware of that.


I have free choice on which messenger to use, but no choice at all on which messenger to reach my friends. And sadly I know I'd lose all the less close long distance friends if I refused to talk about private things on facebook altogether.

It was hard enough to make some people switch to telegram, but at least some of my frequent contacts arrived there. On signal I've been lonely ever since, no idea how to make people switch again. For PGP I lost my passphrase because no one ever supported it and OTR doesn't work with my phone and nobody uses it...


Yeah, I use PGP routinely, but really mostly as a way to get servers to encrypt SQL backups and things. So my own system admin purposes without a lot of PGP-encrypted communication with anyone.


> I have free choice on which messenger to use, but no choice at all on which messenger to reach my friends

A problem indeed, that's why I'm begging everyone to install it...


Tried to use Wire recently. On both the "native" app and the web one, it takes from 2-5 seconds for my message to appear in the window.

I wanted to use it instead of Hangouts, but I can't if it's 3x slower. They need to do something about it, and they need to do it soon. This has happened since they launched the desktop client, but at first I thought I'd just give them some time to fix the initial bugs. But it's still as slow as ever.

My guess is their HTML5 app code sucks, so if I were them I'd scrap it and start over with a higher-performance alternative.


Give it another try in a day or two (we're close to a small performance release). Browser based encryption has performance issues but at least now we're showing the sent message immediately (in grey while it's sending, in black when sent).


If I were German I would feel pretty good that my government was willing to stand up for my privacy. In an era when both civil liberties and expectations of reasonable privacy seem to be falling by the wayside, even in countries that purport to espouse such principles I think this is pretty awesome.



Remember "What happens in Vegas stays in Vegas?". I look forward to more countries declaring themselves high-privacy zones to attract tourists.

Except for the privacy intrusion from all the other tourists, I suppose :-)


Facebook asked WhatsApp users to give consent before collecting data, which some did. Why should the government intervene between consenting adults agreeing on a contract willfully? Isn't this the definition of tyranny and why we oppose things such as the war on drugs?


They did not. Opt-Out is not asking for consent. And even if you Opt-Out, WhatsApp will submit your data to facebook for analytic purposes.

The real problem here was quoted as "misdirection of the [whatsapp] users and the public" because WhatsApp stated that there won't be any data exchange between them and facebook, when they were acquired two years ago.


Doesn't the Whatsapp TOS say that they can update that TOS whenever and however they want? Do you have to accept that TOS before using Whatsapp for the first time? So users accepted a TOS that says Whatsapp can change their rules as they wish and now they are angry because they did just that? I totally support people who don't like these kind of TOS and use open source alternative, but people who accepted these kinds of TOS and then complain when they do what they state they would do, that I don't support.


> but people who accepted these kinds of TOS and then complain when they do what they state they would do, that I don't support.

German law says ToS can not contain surprising terms.

That also means if an ad says "we won’t share your data, ever", no ToS change, unless it’s more publicly published than the original ad, and as easily noticeable and understandable, can undo that.


Here in Germany, saying that, after being acquired by facebook, you won't exchange any data with facebook, was a huge sales pitch because people started to get really worried about data privacy.

Even people like my mother, who normally has no idea about what's going on, were worried back then but then calmed down by that statement. And the media, where this had quickly become an issue, stopped reporting, because everything seemed to turn out fine.

But now, they broke that promise and altered their product, which now results in those accusations of misdirection of the users and the public. They made that statement, people everywhere became reliant on whatsapp and now everything stated before turned out to be a lie.


But do they need to warn you? I always assume that the information I send to a server is being stored forever by its owner, unless he tells me otherwise. If Whatsapp said it wouldn't share user info and did it without informing users then yes it should be punished for it and prevented from doing so. But as far as I understand what happened was a TOS upgrade. Don't like it, go to Telegram.


Think about it this way: You get a product, it's free to use. The Company running the service is telling you, they won't share your data ever. You get reliant on the product, everyone uses it. Then they start sharing your data.


Then they're breaking a contract and should be prosecuted for it. But I don't remember that.


There are some things you cannot contractually agree to in most countries. A government would also intervene if I agreed that you can kill me to harvest my organs if the money goes to my family and similar scenarios.

It's an interesting ethical debate where the lines in the sand should be drawn (or if there should be any lines at all for that matter) but traditionally some lines exist and there are some things governments feel they need to control on behalf of consenting adults.

Additionally it's a question of discrimination laws in certain countries. If WA gave you the option of opting out but in return not being able to use their service at all that could be seen as discrimination. If you take the stance that personal information are a very essential good that isn't all that unreasonable (once again I'm not making a value judgment only a logical one).

I believe in most societies there's a somewhat solid majority support for the idea that government sets some rules for the marketplace. How many/if there should be any is open for debate but these frameworks exist and are typically backed by majority votes.


> Why should the government intervene between consenting adults agreeing on a contract willfully? Isn't this the definition of tyranny and why we oppose things such as the war on drugs?

The idea that contracts between adults are sacred is basically a libertarian philosophy. Many countries (incl Germany) often limit what contracts can do.

You can also make a case that people did not "freely consent" to transferring data. A click-through multi-page legalese doesn't count as "consent"


> Many countries (incl Germany) often limit what contracts can do.

Coming from Syria myself, I'm well aware that many countries do not respect people's freedom to contract freely. Doesn't mean that they are not tyrannies. Also, the Whatsapp TOS pretty much says that they can update their TOS whenever and however they want, so when you first try to use it, you should not expect any kind of control over your data, if you care about that, use an open source alternative. I will never understand people who consent to proprietary software TOS and then complain about these TOS changing in certain ways when this is what they are all about. I mean this has been Stallman arguments against proprietary software for like 40 years now. Want complete control? Use free/open source software. Don't care about that, use proprietary software such as Whatsapp. What makes less sense to me is using something such as Whatsapp and demand and expect what only free open source software can deliver.


> Isn't this the definition of tyranny and why we oppose things such as the war on drugs?

In my experience, many people don't argue against the war on drugs due to being against any imposition on consensual transactions but because it harms the people it is intended to help. They'd be fine with it otherwise.

Personally, I have some sympathy for your view, but I'm of the opinion that contracts require meeting of the minds, and that it's plainly obvious that many, possibly most users have no real idea of what they're trading away, evidenced by the fact that the T&C conditions of these services are unreadable and not even expected to be read.


Oh you fucking know that's a lie. They deliberately went out of their way to hide the 'choice'.


These terms and conditions are untransparent garbage. It's estimated that if a person was to read everything they agree to, they'd be busy 24/7.


I remember there was a website that supplied tl;drs of EULAs from popular websites. Anyone know it?


Googling "tldr eula" gives me https://tosdr.org/.


> intervene between consenting adults

Buried in a setting that defaulted to the change that FB wanted. If you were to sneak in a change to a contract in the same way, I think a lot of courts would throw it out, or maybe even consider it fraudulent.

> isn't that the definition of tyranny?

Seems more like just the definition of government. The German government seems like both the underdog and the less capricious actor in this case.


Funny definition of tyranny. Going back to the case itself: a) the German government is elected; b) most Germans are glad to have strong privacy protection rules in place. So it is simply democracy, and agreement on a different set of social rules than the set you would prefer.


Didn't they also say that you can't opt-out of analytics use?


You can opt-out by uninstalling Whatsapp. I mean, if you don't trust them with their analytics, why do you trust them with the rest of their features? Doesn't make much sense to me.



"please turn off your adblocker" yeah, no thanks.

Do you have another link?


In case OP doesn't, here's the article anyway: http://imgur.com/a/8MogG

The ads could have been much worse.


If you use Firefox, next time press SHIFT + F2, then type in "screenshot --fullpage" and press enter.


That's an awesome feature, thanks for the tip. Will definitely keep it in mind when I'm on a machine with FF installed!


Works fine with the anti-adblock filter lists in uBlock Origin (which I can highly recommend)


Just load it with javascript disabled.

You may need to find a sane browser for that. Opera 12 does that job fine for me.




You can easily blacklist JS on certain sites in Chrome.


There is such a thing as being a good citizen on the net and part of that should be that these privacy violating features be "opt in" so that people can use them if they want to.

Maybe NY State where I live will pass some privacy laws.


HA! Hahahaha funny, NY basically functions as the precursor to Federal policies that have dubious privacy and civil rights merits


I would like to see a federal statute enacted regarding the collection of user data in the US. Enacted quickly!

Something on the lines of don't collect any data, besides name, password, email address. This information can never be sold.

I have a weird feeling, in the near future, we will find that information/data has been abused. Not just abused by marketing/big data, etc..

And I'm not even arguing about the obvious--personal privacy. Although personal privacy should be the number one reason for this hypothetical statute.

I have a feeling, it will be the next big financial insider trading scandal. It will involve people we talk about here-- Google/Bing/FB insiders(the ones who can see individual IP's, and their data.), took all that information, and traded stock upon it.

I have a hard time believing every email that Warren Buffett/George Soros/every successful trader makes isn't looked at by someone. And it's not just email; it's collating search histories, in order to get a "feeling" of where the money is to be made.

They are then using that info. to invest in stocks, bonds, real estate, etc..

And yes, they will claim we don't care about getting insider info. on investments--we make a killing selling the data to marketers. Why would we do such a thing? Because you can. I would have a hard time not looking at that information, and I don't have a penny to gamble.

I think it will be a huge story.

(Edit to a legitimate question about the poor websites that depend on advertising.)

Yes--I didn't bring up advertising. They could advertise like the old days, like newspapers did. They just couldn't target market their advertising--like they presently do ad nauseam. I still think they would make their nut. They would still be winners! And yes--I would pay for the right service, if they couldn't manage to compete by being hobbled with not targeted advertising. I paid for many websites before Google made advertising a science.

My post has nothing to do with advertising. I get advertising. Just leave my detailed, personal info. out of it.)


> Something on the lines of don't collect any data, besides name, password, email address. This information can never be sold.

Would you then pay for the services in full that you now could use for free?


If a salesperson stood on the street and offered people to install tracking software in their phones that will record every move, every call, every text, which the customer is told will be sold at a nice profit to anyone that's willing to buy it with no oversight. At the end of one year, non-poor customer that the company earned profits from will get a one time compensation of $20.

How many people will accept the deal, and why doesn't it already exist?

Or to ask a different question, will companies demand $20 for the services instead of offering it for tracking-as-payment? How will they fare against less polished services that are given away for free by people who run it on their spare time?


They exist, and they do very well. Things like Nielsen and others have been doing something similar for many years, as well as countless surveys that can pay you, and both of my parents have installed on separate occasions a toolbar which pays them pennies per day they keep it enabled, and when asked about it they were fine with it recording everything as long as they get their payout.


I have seen those, but they are like you say about "pennies per day". Google could not survive on that.

If we are comparing a regular $40-$20 software sale to pay-by-tracking, then the people being tracked need to generate personal information that is worth equal amounts. It needs to have mass market appeal in order to generate billions. How will pennies per day tool-bars do that?


Well the information is not "sold" per se, as much as it's bundled with many other people, decoupled from PII, and is the equivalent of saying "10% of people talked about the football game today."

Further, I believe a service like Google Contributor does what you're implying, but it doesn't get much press - which doesn't surprise me: the overall market deems free content worth that privacy "trade-off."

I don't understand why this is necessarily a "bad" thing -- it's like the equivalent of a real-estate broker telling me that 10/20 houses on a block have 2 bedrooms, and the other 10 have 3 bedrooms, even though I know nothing about the people living in those houses.


Maybe yes, maybe not. So what? It should still be forbidden. If it turns out that not enough people want to pay for it, then tough luck for the company, they should design something that people will pay for.

For example it is forbidden to take organs from people as payment. We could forbid taking certain private data from masses of people as payment.


If you put trade in organs in the same basket as trade in conclusions from personal data, then I have to wonder what you put in the other basket, the one where consenting adults are allowed to freely enter into agreements.

If you are criticising that people are not willingly and knowingly entering into agreements with Facebook or Google, that is another debate. Yes I think there should be the utmost level of transparency and regulatory action on that front is justified in my view.

But telling people that they cannot trade access to personal data for access to services goes way beyond the role I think governments should have.

If that sort of thing is prohibited, how can a government allow its people to make any decisions that potentially affect their safety and their future, like choosing a career path, choosing a place to live, making decisions on health, education, kids, etc?


The reason why government should forbid it is not to protect the individual that's agreeing to give away their data, but to protect society from the externalities of those transactions when they occur en masse. Privacy is a necessity for a democracy, without it, democracy falls apart, that is extremely dangerous, and that's why a democratic society should protect itself against it.


>The reason why government should forbid it is not to protect the individual that's agreeing to give away their data, but to protect society from the externalities of those transactions when they occur en masse.

And now please explain to me what sort of voluntary agreement does not have negative externalities when it occurs en masse! Voluntary agreements inevitably create markets and markets have well known negative externalities. Even the democratic process itself has negative externalities. On that basis you can ban everything.

I'm not against all regulation, but your justification is way too general. It leads straight into authoritarianism.


How does it lead to authoritarianism? You're making some pretty sweeping statements there..


Because there are no personal freedoms that cannot be taken away if negative externalities alone are a sufficient justification.

Outright bans are the strictest form of regulation. They should only be used as a last resort.

We don't even ban industrial scale cruelty towards animals and now we should ban voluntary trade in personal data? That seems completely out of proportion.


Fwiw, I actually agree with much of what you're saying. The contention others seem to be having might just be from perceived absolutism. Funny, since you're actually arguing for the opposite.


Are you suggesting that externalities alone cannot ever be sufficient justification for a ban, no matter how bad the externalities are?


No. "X is not always a sufficient reason" != "X is never a sufficient reason."


No, I just think the bar for banning consenting adults from entering into an agreement should be very high, because the negative externalities of doing it too often are extremely grave as well.


Which seems to be a different argument entirely, namely one of weighing the positive externalities against the negative externalities? I guess I would agree with that.

Now, there is actually precedent for banning consenting adults from sharing private information in order to ensure the survival of the democracy that is quite common in stable democracies: You are usually not allowed to prove to third parties how you voted in an election. That's only because of the externalities that that can have on the democracy if third parties can pressure you into voting a certain way/can buy your votes.


>Which seems to be a different argument entirely, namely one of weighing the positive externalities against the negative externalities?

Not just that, it's also about weighing the restrictions on personal freedoms against the extent of negative externalities. In some cases the protection of personal freedoms is absolute. The ban on torture is a precedent for that.

>Now, there is actually precedent for banning consenting adults from sharing private information in order to ensure the survival of the democracy [...]

It's a precedent only if it's comparable, which it isn't.

You are overstating your case. There is no reason to believe that letting an algorithm parse some of your data for clues as to what you might want to buy makes democracy fall apart.

What is likely to have an effect on democracy is when governments analyze data for political reasons. Where that happens, people will simply stop volunteering so much private information. They don't need to be banned from doing that.


> What is likely to have an effect on democracy is when governments analyze data for political reasons.

What if companies analyze data for political reasons?

> Where that happens, people will simply stop volunteering so much private information. They don't need to be banned from doing that.

Except that they don't. Heard of a certain Edward Snowden, maybe?

Except that they can't because the data is already there and isn't under the control of the affected people?

Except that the nature of data is that people don't know how it's being processed?

Except that there are network effects that limit people's actual freedom to decline using a quasi-monopolist's services?

Your argument could pretty much be applied to the Stasi in the GDR: Do you have an idea what the consequences were when individuals simply stopped providing more data?


I never disputed that there are dangers and negative externalities to lack of privacy. But democracy falling apart isn't one of them.

Your logic is flawed. You are reversing cause and effect. Where there is a lack of democracy, privacy is often taken away in order to make it easier to oppress political opponents. But giving up some privacy in exchange for services doesn't make that happen. Yes the Stasi would love Facebook's database, but using Facebook doesn't cause the Stasi.

Snowden isn't proof of that either. The NSA hasn't hunted down and imprisoned supporters of Bernie Sanders after all, has it? American democracy hasn't fallen apart and where it is lacking it has little to do with Facebook.

But please don't get me wrong. I find it very problematic when governments scan everybody's data. It could have an effect on how people behave even if it doesn't make democracy fall apart. It may deter people from doing perfectly legal things because they could be misinterpreted. None of that is voluntary though. I haven't given the NSA permission to scan my data at all.

I don't use Facebook and I am very careful with information I make available publicly. I just don't feel very threatened by any negative externalities created by those who choose to use Facebook.

My problem with your line of thinking is that you are extrapolating every single danger to the extreme until you arrive at the conclusion that people must be banned from ever making these choices. As I said, you can ban everything based on that sort of thinking.


> Your logic is flawed. You are reversing cause and effect. Where there is a lack of democracy, privacy is often taken away in order to make it easier to oppress political opponents. But giving up some privacy in exchange for services doesn't make that happen.

Your logic is flawed. You are reversing cause and effect.

There simply is no unidirectional causation between lack of privacy and lack of democracy. Obviously, the Stasi took away privacy in order to suppress democracy. And at the same time, the lack of democracy helped with establishing and maintaining the Stasi. It's a positive feedback loop.

> Yes the Stasi would love Facebook's database, but using Facebook doesn't cause the Stasi.

Does using Google cause the NSA? No. Did the NSA take advantage of the data collected by Google (by eavesdropping on their internal communication), thus increasing their power? Yes.

Things aren't simply a linear chain of causes and effects. There are lots of factors contributing to certain historical developments, there are feedback loops, it's complicated. In particular, the development of power structures doesn't care about intentions behind a source of power. When the Netherlands collected information about the religion of their citizens prior to WW2, they didn't have an intention of killing all Jews. But the database confers the power to find them very efficiently. Which is what the Nazis did when they invaded.

As you yourself say, the Stasi would have loved Facebook's database. Does that mean that Facebook is the Stasi? No. Does that mean that it cannot possibly attract interest from people who want to use it like the Stasi, who might end up getting access to it, thus contributing significantly to the establishment of an authoritarian dictatorship?

> Snowden isn't proof of that either. The NSA hasn't hunted down and imprisoned supporters of Bernie Sanders after all, has it? American democracy hasn't fallen apart and where it is lacking it has little to do with Facebook.

1. So, even if that abuse by the state did not happen, what about all the abuse by the state that indeed does happen? What do we know about which role the NSA plays in those cases?

2. More importantly: What kind of evidence would you accept to consider something a risk to democracy? So far, it seems like democracy needs to have been destroyed before you accept that whatever has caused it to fall apart could indeed cause a democracy to fall apart.

> But please don't get me wrong. I find it very problematic when governments scan everybody's data. It could have an effect on how people behave even if it doesn't make democracy fall apart.

Well, except that is a major way in which it does? Surveillance changes how people discuss their opinions. People changing how they discuss their opinions is how people end up making different choices in elections. An idea that's not being discussed is less likely to gain support in an election.

Imagine a world where everything was being monitored by a Stasi-like entity, but with the exception of actually fair, secret, democratic elections, where citizens actually knew and could verify that the elections were fair and secret. Would you consider that a functioning democracy?

> It may deter people from doing perfectly legal things because they could be misinterpreted. None of that is voluntary though. I haven't given the NSA permission to scan my data at all.

1. The externalities of people using facebook aren't voluntary either.

2. The point wasn't whether you have given them permission, but whether the majority of people have given them permission. Your claim was that people would stop volunteering their data. If you go by the general reaction to Snowden's revelations, people don't care. It's probably not informed consent, but neither is it with Facebook.

> My problem with your line of thinking is that you are extrapolating every single danger to the extreme until you arrive at the conclusion that people must be banned from ever making these choices. As I said, you can ban everything based on that sort of thinking.

Except I don't, that's just your interpretation. Just because I don't write pages upon pages for a short HN comment, doesn't mean that there isn't any more reasoning behind it.


I think we can agree at least on one thing. Lack of privacy makes undemocratic regimes more effective (at oppressing people) and possibly longer lasting provided they can actually access any data that people give up to advertisers.

I'm not convinced that this is reason enough to ban advertising based business models in democratic countries. We can't live our lives preparing for the day democracy ceases to exist. Any negative effect the lack of privacy has on stable democracies seems small and rather speculative in the first place. I don't believe it's a real threat. You do believe that. So we're going to have to agree to disagree on that one.

Also, I'm not convinced that globally the effect of Facebook, Google or Twitter on democracy is a negative one. On the contrary. Free services provided by overseas companies are often the only way for people in undemocratic countries to get around their local police state. Pay services are even more at odds with privacy than ad based business models.


> I think we can agree at least on one thing. Lack of privacy makes undemocratic regimes more effective (at oppressing people) and possibly longer lasting provided they can actually access any data that people give up to advertisers.

Well, yes, but I think it's a mistake to divide the world into "undemocratic regimes" and "democratic paradise". It's a sliding scale and not a binary distinction, and every democracy on earth has some rather undemocratic stuff going on.

> I'm not convinced that this is reason enough to ban advertising based business models in democratic countries.

Not advertising based business models, but surveillance based business models.

> We can't live our lives preparing for the day democracy ceases to exist.

The point isn't to prepare for the day democracy ceases to exist, but to prevent it from ceasing to exist. Why can't we do that?

> Any negative effect the lack of privacy has on stable democracies seems small and rather speculative in the first place.

How do you know that?

> I don't believe it's a real threat. You do believe that. So we're going to have to agree to disagree on that one.

Nope, we don't have to "agree to disagree". I don't just believe that because I believe that, I believe that for what I think are good reasons, which can be examined for their logical consistency and for consistency with reality/evidence. Now, possibly you aren't interested in doing that, which is your decision to make, but that's not some kind of unavoidable fate, it's simply your disinterest in the matter.

> Also, I'm not convinced that globally the effect of Facebook, Google or Twitter on democracy is a negative one. On the contrary. Free services provided by overseas companies are often the only way for people in undemocratic countries to get around their local police state. Pay services are even more at odds with privacy than ad based business models.

Possibly. Though it should be noted that free services do not necessarily have to be surveillance-based services. There are lots of free to use IRC networks, for example. Or Tor is also free to use. But those are not surveillance-based offerings. And not even advertisement has to be surveillance-based.


>> Any negative effect the lack of privacy has on stable democracies seems small and rather speculative in the first place.

>How do you know that?

I don't claim to know anything with any certainty. That's why I used the word "seems". You are the one who is making extraordinary claims based on extremely thin evidence. You are claiming with great certainty that giving up any private data to advertisers makes democracy fall apart, and yet you are unable to point to a single stable democracy that has fallen apart for that reason. Your sample size is zero.

>I believe that for what I think are good reasons, which can be examined for their logical consistency and for consistency with reality/evidence.

I have examined your reasons, and even though I can follow you on many individual details, I find your main conclusion contrived, exaggerated and inconsistent with the thin evidence we have. You are overstating your case.

This is a very common way in which predictions of doom tend to go wrong. Take one aspect, follow it to extreme conclusions as if there were no other variables or counter forces or reactions to what is happening. This isn't logic or consistency.

And this lack of a good model starts where we haven't even discussed what privacy or private data is in the first place. It's definitely not one thing that you can switch either on or off. We always have to trust someone with some of our data. Much of our "private" data isn't ours exclusively as it may be about interactions with others. The data we give up to advertisers isn't used exclusively for advertising either. It's also used to provide some of the services we want (like search or spam filtering).

"Ban it all!" is neither proportionate nor even possible.

And even if I did follow your argument that giving up any privacy at all makes democracy fall apart, I see no alternatives to advertising that are better for privacy.

Just look at the numbers involved and you will quickly find that funding everything like Tor or a few IRC channels is impossible. Donations, self-funding and sponsorship involve payment and are subject to extremely detailed surveillance. There is nothing more heavily regulated and traced than payment and you can be absolutely sure that governments will never allow large anonymous money flows because everything that could fund something like a Google data center could also fund organized crime and terrorism.

That said, I also see a lot of negatives in the excessive and brazen behavior of the ad industry, and I also think there is a need for regulation. A better regulated ad model is our best shot at more privacy and fewer negative externalities.


> I don't claim to know anything with any certainty. That's why I used the word "seems".

Sure, I don't expect certainty, just some justification. Are you saying it's just wild speculation on your part?

> You are the one who is making extraordinary claims based on extremely thin evidence. You are claiming with great certainty that giving up any private data to advertisers makes democracy fall apart,

First of all, I don't actually make that claim. I can see how you maybe can get the impression from the short version (as I mentioned, it's kinda hard to condense a complex topic into an HN comment), but really, it's a matter of the severity of the possible consequences combined with non-trivial probability. Which is one reason why the comparison to laws regulating how you cannot prove to other people how you voted in an election is an insightful one: Those restrictions don't exist because the probability is particularly high that any given election would be corrupted, they exist because the downside is massive if it happens even once under the wrong circumstances. We make every single election more complicated than usually necessary, in order to help protect against the few cases where the consequences would be catastrophic, even though there is not even remotely a guarantee that that would ever actually happen.

An important question to ask is: Does a stable democracy protect against those risks, or is preventing those risks by other means what keeps the democracy stable?

> and yet you are unable to point to a single stable democracy that has fallen apart for that reason. Your sample size is zero.

May I suggest that your categorization is counterproductive?

Suppose I build a bridge from papier-mâché made from cardboard that was used to package the iPhone 7. You might argue that that's not a reliable bridge and it shouldn't be opened to traffic because of the risk that it might collapse, given the track record of papier-mâché and our knowledge of physics. Now, I would reject all your arguments by pointing out that no bridge built from cardboard that was used to package the iPhone 7 had ever collapsed and that your sample size is zero, and that we therefore have no clue whether that bridge is a risk to public safety. Would you agree?

It's hardly surprising that that specifically hasn't happened yet, given that the technical developments are relatively new, and some of it is yet to happen. That doesn't mean that we can't draw any conclusions from similarities to other power structures in history, or that we have no clue how current or expected future technology could be abused.

> This is a very common way in which predictions of doom tend to go wrong. Take one aspect, follow it to extreme conclusions as if there were no other variables or counter forces or reactions to what is happening. This isn't logic or consistency.

It seems like you are just filling in the holes in what I wrote with the most idiotic ideas that I could possibly have, and then you pretend that strawman is what I actually wrote.

BTW, as far as I can tell you are making that exact mistake in the opposite direction: You find some aspect that isn't necessarily quite as bad as my simplified model describes it, as there is some other influencing factor or some counteracting force that could decrease the impact, and from that you conclude that therefore a catastrophe is completely unrealistic.

> And this lack of a good model starts where we haven't even discussed what privacy or private data is in the first place. It's definitely not one thing that you can switch either on or off. We always have to trust someone with some of our data. Much of our "private" data isn't ours exclusively as it may be about interactions with others.

As you say, we haven't discussed it. From that it doesn't follow that my concepts are idiotic.

And yes, I agree that privacy is not a binary distinction, nor is privacy an end in itself, nor is some sort of "total privacy" a sensible goal, let alone achievable.

The root problem is that personally identifiable information confers power. Power is not inherently bad either, nor something that could realistically be avoided completely. But if there is one lesson we as humanity should have learned from history, very much the hard way, it is that concentrations of power are dangerous. There is no clear line between how much concentration of power is harmless and where the danger begins, but it still is quite clear that too much of it in one place/in one person's hands is a terrible idea.

If you think about it, the whole point of democracy (and the rule of law and checks and balances) is to prevent concentrations of power. And we accept a lot of inefficiency in the government, compared to dictatorships, in order to maintain that distribution of power. The laws governing the election process are only a small part of how we build democratic societies with lots and lots of expensive safeguards to prevent the concentration of power.

> The data we give up to advertisers isn't used exclusively for advertising either. It's also used to provide some of the services we want (like search or spam filtering).

I think most of the data shouldn't really be necessary to achieve a sufficiently similar result.

> "Ban it all!" is neither proportionate nor even possible.

Depends on what exactly you mean by "it all".

> And even if I did follow your argument that giving up any privacy at all makes democracy fall apart, I see no alternatives to advertising that are better for privacy.

Is it intentional that you are equating advertisement and surveillance?

> Just look at the numbers involved and you will quickly find that funding everything like Tor or a few IRC channels is impossible. Donations, self-funding and sponsorship involve payment and are subject to extremely detailed surveillance. There is nothing more heavily regulated and traced than payment and you can be absolutely sure that governments will never allow large anonymous money flows because everything that could fund something like a Google data center could also fund organized crime and terrorism.

Why is it necessarily a big problem that payment is subject to surveillance in this context? How is surveillance of the fact that the average human in the industrialized world pays a certain amount of money per month for telecommunication and data storage services equivalent to surveillance of the contents of their interactions with each other?

Also, who says that we need something like a Google data center?

> That said, I also see a lot of negatives in the excessive and brazen behavior of the ad industry, and I also think there is a need for regulation. A better regulated ad model is our best shot at more privacy and fewer negative externalities.

And I don't think there is one that's going to improve much other than to forbid the collection of personally identifiable information, possibly unless it's completely optional (not in exchange for anything) with requirement for informed consent before any data is collected and with the option to revoke consent at any point, in which case all collected data about a person would have to be deleted immediately.


Just one last thing from my end on the dangers to democracy. I never said or thought that your bringing this up was idiotic. It is a valid concern that is worth thinking about. I'm just not reaching the same conclusions as you at this point in time.

>Why is it necessarily a big problem that payment is subject to surveillance in this context? How is surveillance of the fact that the average human in the industrialized world pays a certain amount of money per month for telecommunication and data storage services equivalent to surveillance of the contents of their interactions with each other?

If payment wasn't for specific websites or content then it wouldn't be a privacy problem at all. But how does that money get allocated fairly to individual websites without putting governments (or someone else?) in a position to say yay or nay to funding pornhub.com or alt.com?


> If payment wasn't for specific websites or content then it wouldn't be a privacy problem at all. But how does that money get allocated fairly to individual websites without putting governments (or someone else?) in a position to say yay or nay to funding pornhub.com or alt.com?

... which is a completely different problem than funding services such as those provided by facebook and the benefits in terms of communication possibilities those services provide.

One problem is the funding of infrastructure, another problem is the funding of the production of "content". Those happen to be intertwined a lot at the moment, but that's not a technical necessity, but rather a result of the current business models that build on surveillance (and the creation of de-facto monopolies and the subsequent potential for vendor lock-in).

It would be relatively unproblematic to fund development of infrastructure with donations or even tax money--think development of open standards/protocols and possibly reference implementations of those protocols. Then, it's unproblematic for most people to pay directly for the operational costs of processing and storing their own data (that is, computers running implementations of those protocols, storage devices, bandwidth). None of that requires anyone to have any access to or control over the actual content that people communicate. For that aspect, there is no need to have "websites". The central entity is completely unnecessary, you simply pay directly for the actual costs of the technology without the need to reveal anything about what you communicate or process or store.

As for the funding of content production: I think we have to have some possibility to pay for that anonymously if we want to keep democracy stable. We can buy newspapers with cash without leaving much of a trace in anyone's database as to which paragraphs of which articles we read. Letting terrorism paranoia destroy that would be a terrible idea. Also, as I have repeatedly said, I don't understand why you seem to be constantly equating advertisement and surveillance. Just because you can use surveillance to make advertisement more efficient, doesn't mean that advertisement without surveillance is useless.


We already allow our government to make decisions on access to personal data for services -- it's called HIPAA.

The difference between that and seemingly "ordinary" data is that HIPAA data can be used against us unfairly.

I argue that's the case now, and we have proof it is already happening. You better bet your bottom dollar insurance companies and the like are mining social media to charge different prices based on silly Facebook posts.

http://www.cnbc.com/2014/04/16/data-mining-is-now-used-to-se...

It's only a matter of time before police forces will begin to use these same techniques to "optimize policing".

We live in a different time now. Our data is not as harmless as it used to be. Hackers can attack various sources of services and build a complete picture of people's lives. Companies are using data mining techniques to leverage people's private interaction with friends and families against them. The worst part about it is -- it's complicated, and we have a technically inept Congress that barely understands the implications of all these technologies, and we will soon have a technically inept soon to be incumbent president, so these legal issues are not going to get any better.

This, plus what zAy0LfpBZLC8mAC mentioned, until we have the right to "be forgotten" or the ability to have our records completely purged after a period of time -- like you do with debt, like you do with criminal records, like you do with basically any public record, we will have these privacy issues. Right now if you want to purge false information about yourself on the internet, you have to go through hell and back (trust me, I've tried, Salon has had a completely fabricated story about me for almost 10 years now. I send an email every week asking them to redact my name from that article. Unless I seemingly spend hundreds of thousands to fight their legal arm, it's probably never going to change.)


I'm not arguing against all regulation. I'm arguing against an outright ban on voluntary trading of personal data.


Out of curiosity, how do you feel about regulation on the disclosure side of this, and/or informed consent.

For example, if you are not allowed to accept personal data without detailed (and interactive) information about possible uses, perhaps signed. Or if you constrain the actual uses to those that have been enumerated, in full detail, before consent was given.

One of the primary "banning" arguments I hear basically boils down to "people don't understand what they are agreeing to", which I think holds some truth.


Yes it does hold a lot of truth, and I am in favor of regulating to ensure radical transparency (not just in this business). I also think there needs to be protection against switching on opt-out features without notice.

What we cannot do is to completely protect people who don't give a shit from any and all consequences of their own laziness.


consenting adults are allowed to freely enter into agreements.

I accept as a fact of modern life, that unless I want to go be a hermit in the woods, I'll find myself entering into many contracts of adhesion that go against my ideals. And that as much as I try to limit this (not using Facebook or WhatsApp) I can't actually escape them entirely.

It is disingenuous to think that either (a) people fully understand and knowingly make the agreements they do w/r/t data or (b) do so willingly.

To draw the conclusion that it's just adults freely consenting in light of the previous paragraph is sophistry.


I don't deny these issues at all. That's why I said regulating to make sure people understand what they agree to is fine. I also think people need to be able to change their mind. There are a lot of specific things that I think are unacceptable (such as employers or landlords demanding access to facebook accounts). As I said, I'm not against all regulation.

But if most people are in fact fine with granting access to their personal data in exchange for services then peer pressure on the rest of us who refuse the deal cannot be justification enough to ban the entire business model.

I'm in the same boat as you. I refuse to use Facebook.


Absolutely! I am a big believer in paying for things. I wish sites would give me the "option" of paying and thus not being mined and spammed with stupid irrelevant advertisements (advocates often saying these two phenomena should cancel each other out and I have yet to see it ...) but most sites that I do pay for want to do all this stuff anyway!

To be honest I don't mind the mining so much, as long as I know there is some "protection" for my data - as is under discussion here. I do object to annoying poorly targeted ads though.


> Would you then pay for the services in full that you now could use for free?

I don't use them free, I pay with my information. I just don't know exactly how much I'm paying.

I'm happy to pay in either form, as long as I know exactly what I'm paying.


This I could get behind. Make legislation that forces a company to disclose the information they collect in an explicit way.

As a consumer I'd also like a way to force my data to be deleted, and be notified if my data is being sold or transferred by an acquisition or something, but I'm not sure how that would work.

What I don't want is not having the ability to "pay with data". I don't want to subscribe to everything out there, and paywalls threaten the web as we know it. Plus there are times where I want to be tracked. If a company has info on how I use the product, they can improve it for me.


I say make any company collecting info (beyond maybe some very bare-bones basics that any company providing a service pretty much has to have, like name, address, phone number) about its users provide that info, say, once a year, on request. Kinda like the annual free credit reports from the credit agencies.

ALL of it, too. Every time. Not just what was collected since last report. Even require that they provide it on physical media if desired. Again, for free, including postage.

"But that will be so expensive because we collect so much and never get rid of any!"

... yeah, so what?

Now they're free to do it but can't hide what they're collecting and can't hold your data hostage. And there's some cost associated with collecting more than is absolutely necessary.


This particular case is proof that yes: for certain services we happily pay a modest recurring service fee.

Edit, clarification:

- this does not mean that I want to pay a monthly fee to use pro features on static apps. Anyone who does this instantly loses a star in the review as soon as I get around to it.

- however I also understand and appreciate that I sometimes can pay a higher up front price to support the developer(s) for apps that work offline without a service connection.

- feature keys or even donation addons etc to support further development are also well received. This nicely aligns the incentives for developers/users.

- and finally, for some select projects I would think it would be OK with a subscription that gave me all new features as they arrived.


I for one would pay for a service that agreed not to sell my data and afford me basic privacy assurances. I don't think I am alone in that either. And WhatsApp did have a subscription fee in the past, before it was bought by a dominant player for 19 Billion.

But I can't see why a company like FB would be interested in offering a privacy enhanced version of this service. What could they reasonably expect a user to pay, 10 dollars a month? User data brings in far more revenue than that 10 dollars per user per month. I would think that 10 dollars is peanuts to them by comparison.


I would gladly pay for every single service I use - email, messaging, social networks, various sites - in exchange for no advertising and no user data collection.


Sorry for shameless plug: http://minutesworth.launchrock.com

It's a mere launch rock page, but I am gauging interest in the project. I actually have a big portion of it ready, and the rest under work, but finding people to pick up the idea is tough.

Everybody says they'll pay, but it's different from actually doing.


That's interesting, but from the copy on the page it seems to target micropayments for reading content published on websites. Which is an important and hard problem.

On the other hand, paying a dollar a month to use a service like email doesn't pose a technological problem. But since most services, unlike email, are walled gardens, I can't pay a provider to give me access to e.g. WhatsApp or Facebook without serving ads or collecting my data.


Right. Web is first target, apps is second. Think of an app you install on device, and apps registering as a publisher can talk to this app to get your subscription status, and not show you ads.

The promise is with sufficient adoption by users and pubs, new pubs will have incentive to do this. Except maybe apps by large corporations.


You cannot use it for free now. Just because the currency isn't US dollars, doesn't make it free.


Yes--I didn't bring up advertising. They could advertise like the old days, like newspapers did. They just couldn't target market their advertising--like they presently do ad nauseam.

I still think they would make their nut. They would still be winners!

And yes--I would pay for the right service, if they couldn't manage to compete by being hobbled with not targeted advertising. I paid for many websites before Google made advertising a science.

(My post has nothing to do with advertising. I get advertising. Just leave my info. out of it.)


> I have a feeling, it will be the next big financial insider trading scandal. It will involve people we talk about here-- Google/Bing/FB insiders(the ones who can see individual IP's, and their data.), took all that information, and traded stock upon it.

I have a similar prediction. There will come a time when companies with the USP of user data would be struggling to keep themselves afloat. What happens to user data, then? Will the organizations sell user data to keep them afloat?


Well, foursquare is already using foot traffic to predict retail sales right now.

https://medium.com/foursquare-direct/foursquare-predicts-chi...


Thankfully companies under EU law won't be able to do that.


The funniest part will begin when Google start sharing user data with Facebook and vice versa, for mutual benefit. Perhaps only then regular users will start thinking about privacy.


That's never going to happen. The reason they make so much money is because they're the only ones who have that amount of interconnected user data. Sharing it would be the stupidest thing they could possibly do.


I'm not so sure about this. When a market becomes consolidated and stable enough, big players often decide to divide it and cooperate where possible, rather than compete fiercely. Look at the property, insurance and other stable markets.


What's the thinking behind such a strategy? Increasing the overall size of the market?


Well, you are sort of on the right track. If they interconnect the data even more, they'll make more money. Why is a merger that impossible in your books? It will be just business between two advertising companies.


Yes, but if they share their data with anyone else, it loses its value. That's why they go to such great lengths to collect all data on their own instead of working together.

Look at Google Analytics for the perfect example: Millions of websites help Google collect data, but they only ever get anonymized data in return. Google keep the valuable stuff to themselves.


Looks like this is already happening: https://news.ycombinator.com/item?id=12601471


It's a collaborated effort to develop an AI. Where did they announce that they'll share their user data?

So many clueless people are freaking out over this, completely ignoring the fact that sharing user data between companies like that would be highly illegal in many countries and get them fined to hell and back if they were seriously stupid enough to consider it, which they aren't.


> any data, besides name, password, email address

Collect any data you want if and only if you have the informed consent of the user. This means explaining in detail what you're intending to collect and gaining permission first (opt-in).

> This information can never be sold.

Sell the information if you want (that was collected with informed consent of the user), but collecting data brings a responsibility of care for that data and liability for any problems that happen because those records were stored.


Users already opt into using a service like WhatsApp. They are presented with TOS on first use / account creation. WhatsApp changed their TOS and presented the new TOS to existing users when they first opened the app after the change.

Doesn't this already satisfy your requirements?

It is, of course, well known that users never read TOS / EULA for software or services.


> They are presented with TOS on first use

Exactly. So I printed it out, made the changes I wanted to see, signed it and sent it to Facebook with a notice that continuing to provide me with service constitutes acceptance.

I didn't really do this, but it seems like it should be as legally binding as a click through EULA.


"Clicking means agreement" at least makes sense, even if it might not be enough to satisfy contract law in some countries. "Keeping doing what you were doing anyway and ignoring me means agreement" is clearly nonsense.

If your argument is that click-through agreements are invalid in general, then no Internet services at all are legal, no matter how benevolent their TOS is to the user, how simple it is, or how clearly it's written and presented. The same goes for software licenses.

The law says that by default, absent a contract that says otherwise, you are not allowed to use software, and you are not allowed to use online services that require login and a TOS click-through. If you want to use them, you have to agree to some offer made by the provider or the copyright holder. And you can only agree to an offer they actually make.


> WhatsApp

I'm not talking about WhatsApp.

> users never read TOS / EULA

Then the user hasn't given informed consent! It's the responsibility of the collecting party to make sure that the user is aware of all aspects of the transaction.


How? If the TOS text is displayed, and the user clicks OK, how can the service provider make sure the user actually read it, let alone understood it correctly?

Should the user be required to correctly answer some quiz questions about the TOS every time they use the product? I don't think any users would agree to that, for any product.

Do you have a positive example of how to do this successfully?


> Should the user be required to correctly answer some quiz questions about the TOS every time they use the product? I don't think any users would agree to that, for any product.

Well, that's technically a problem of the service provider. If you're afraid your product won't be used because of a complicated TOS, then... simplify the TOS. Drop the tons of legal bullshit, and stop hiding shady stuff in it.

The more I think about it the more I like the incentive structure it creates.


The GPLv2 contains 2400 words. The AGPLv3 contains 5090 words. They aren't enough for casual non-technical users to read and grok. And they can't be greatly simplified without changing their meaning.

Licenses are long and complex not only because they have "bullshit" and "shady stuff" in them. This is an unfortunate fact of life.

It's true that some services can do with much simpler TOS. The BSD 3-clause license is 220 words long (most of them in scary caps). But how short and simple does a license need to be to make the average user actually read it before clicking OK? My guess is most users would read 1-2 sentences. But some users, as soon as they see a dialog with a single "OK" or "Next" button or an "I agree" checkbox, will automatically click it without reading any text at all: this can be practically muscle memory for people used to next-next-finish installation wizards.


> GPLv2 ... AGPLv3 ... BSD 3-clause

None of those licenses are for the user of the software. Some are long(-ish) because they address copyright law and are intended to be read by software authors and distributors, who presumably have the luxury of time to read and research which license they would like to use for their software or 3rd party software they want to redistribute.

> Licenses are long and complex not only because they have "bullshit" and "shady stuff" in them.

That's fine. Now find a way to explain it plainly to the user so they can make an informed decision.

> But how short and simple does a license need to be to make the average user actually read it before clicking OK?

Well, that varies, but you can be sure that anybody that clicked OK after only a few seconds did not read anything. Choosing to continue when you know the contract wasn't read is prima facie evidence that no contract was established.

However, the larger problem is you think simply presenting legalese and waiting for someone to click OK can ever meet the standard of informed consent[1], which is a much stronger requirement than the click that's required for some contracts. Contract law is sufficient for most of what's in a TOS, but data is very important and most people have a poor understanding of what is being collected and what is possible when their data is aggregated with other sources. To protect people, the higher standard of informed consent should be used before collecting any data. This would only apply to the data you want to collect, not the entire TOS.

[1] https://en.wikipedia.org/wiki/Informed_consent#Valid_element...


> None of those licenses are for the user of the software

Of course licenses are for the user! Without a license, copyright law forbids you from downloading and running an application, let alone copying it to your other PC or emailing a copy to your friend. Addressing copyright law doesn't make licenses longer, it makes them exist in the first place.

It's true that the GPL talks about some additional things like access to the source and the right to modify it, which ordinary, non-programmer users don't care about. But you also need it, or some license, to use the software at all. The BSD one is much simpler, but it's still a license and still needed.

Networked services don't fall under copyright law, but other laws exist that prohibit accessing a service (if it requires authentication) except under such terms as the service provider offers to you in a license or other contract.

Another example: when you edit a Wikipedia page, you are presented with this text:

> By saving changes, you agree to the Terms of Use, and you irrevocably agree to release your contribution under the CC BY-SA 3.0 License and the GFDL. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.

The linked Terms of Use, CC BY-SA, and GFDL contain many thousands of words combined, and require a grounding in copyright law to fully understand. Very few people ever give informed consent when editing Wikipedia.

> the higher standard of informed consent should be used before collecting any data

The Wikipedia article about informed consent says:

> Capacity pertains to the ability of the subject to both understand the information provided and form a reasonable judgment based on the potential consequences of his/her decision.

Most of the people in the world, and a significant part of the population even in Western countries, won't be able to understand the potential consequences of sharing their data.

I can't be sure I fully understand them myself! Twelve years ago, when Gmail was opened, I didn't know de-anonymization of large datasets would prove to be so easy. I didn't imagine Internet mobs doxxing and swatting people. What might be possible ten years from now with the personal data I share today?

If the law puts the burden of verifying the user's understanding on the service - meaning they can't trust the user's assurances - the service would need to administer an exam or interview to each prospective user. And indeed Wikipedia says to get informed consent, "the investigators must ensure that subjects have adequate comprehension of the information provided [....] assessing the level of understanding during the meeting". Obviously this isn't practical for Internet services.

The biggest source of personal data Facebook gathers is what its users post themselves. This would be true even if they didn't gather anything from WhatsApp messages, tracking cookies, etc. So should any services letting users post often-private content, like blogs and image hosters, require "informed consent"? That's just not practical.

I agree there's a problem. I don't see a solution yet. Banning everything until there's a solution is neither practical nor desirable.


> Without a license, copyright law forbids you from downloading and running an application

That is an idiotic interpretation of copyright that has only been upheld in some court cases. The only copy being made by the user is the transient "copy" in memory. Selling someone a download to use as software while later claiming the necessary and transient copy in memory is a violation of copyright is simply fraud at the point of sale.

> copying it to your other PC or emailing a copy to your friend

Making additional copies is an entirely separate matter. Do not confuse use of software (or any other creative work) with copying. You seem to be intentionally conflating these terms, probably because of your erroneous belief that some type of permission is needed for use.

> GPL talks about some additional things

The GPL only talks about distributing extra copies. Have you even read it? From The FSF's FAQ[1] on the GPL:

    You are not required to agree to anything to merely
    use software which is licensed under the GPL.

The only reason to accept the GPL is if you are redistributing GPL-licensed software and want the additional distribution rights it grants.

> But you also need it, or some license, to use the software at all.

If this was true, we'd be in real trouble because the GPL does not grant any kind of usage license. When you last used a typical Linux distro you used software without usage licenses.

> Networked services don't fall under copyright law,

Correct, though their output may fall under copyright. This is why the AGPL exists to help with the problem of immoral Services as a Software Substitute[2].

> Very few people ever give informed consent when editing Wikipedia.

Nor do they need to. The copyright issues are orthogonal to the risks associated with logging personal (meta)data. As far as I know, there isn't any hidden safety risk associated with editing Wikipedia.

> I can't be sure I fully understand them myself!

While I have studied a lot about data-exposure risks, I know that I only see a tiny portion of the risk-space. Similar to the Schneier Principle where anybody can make crypto that they themselves cannot break (i.e. you're not the smartest person in the world), the risks of data aggregation are probably more numerous than anybody realizes.

That's kind of my point: when we have potentially open-ended risk, you need to minimize your exposure. More data stored in more locations is all additional attack surface.

> Obviously this isn't practical for Internet services.

Security is often in conflict with usability. I personally think that the impact on usability can be minimized through better UI or another solution (which may not exist yet).

Perhaps something like a small set of standardized licenses that are very clear and specific in scope. People could be expected to know what those "standard agreements" mean because those licenses could be taught outside of any particular business transaction.

> Banning everything until there's a solution is neither practical nor desirable.

If the Underwriters Laboratories didn't exist, you wouldn't think it was acceptable to continue using cheap wire ("A more desirable price for the consumer!") and unsafe designs ("it isn't practical to redesign all of our products"). You would (hopefully) insist that your products shouldn't set your house on fire and that we probably need some sort of higher standard (like those provided by the UL and other safety standards).

The precautionary principle cautions that when you don't know the risk, you should take the safer path. Making products or services that create massive amounts of new attack surface with completely unknown risk is not the safe path.

[1] https://www.gnu.org/licenses/gpl-faq.en.html#ClickThrough

[2] https://www.gnu.org/philosophy/who-does-that-server-really-s...


> The only copy being made by the user is the transient "copy" in memory.

I'm not talking about that. The user is making a permanent copy on disk when downloading. IIUC this has been ruled by various courts to require a copyright holder's permission.

Some courts and countries disagree and say that only uploading is illegal. Some countries say that downloading is illegal but not criminal, and do not prosecute people for it. But, IIUC, they are in the minority.

Naturally, the fact that this is so does not imply that I like it being so or that I want it to keep being so.

> Do not confuse use of software (or any other creative work) with copying. You seem to be intentionally conflating these terms,

I am not conflating them. In addition to the apparent illegality of downloading, ordinary users often do create extra copies, and that is another reason the copyright license affects them.

> As far as I know, there isn't any hidden safety risk associated with editing Wikipedia.

Wikipedia logs edits, including IPs for anonymous ones. (This includes inter-user discussion on talk pages and the like.) They probably expose this data in aggregate form in their periodical database dumps (though I haven't checked). A person's edit history can contribute to building a profile of their online activity and their life and beliefs, just like their Facebook posts or WhatsApp messages.

> The precautionary principle cautions that when you don't know the risk, you should take the safer path.

We don't have good estimates of the future risk of sharing data now (as you agree above). We don't want to blindly maximize security either - both of us are posting personal opinions here on Hacker News. Without good risk estimates, people will keep disagreeing greatly on how much risk to take, and many of them will prove wrong in their predictions or hopes for the outcome - but we don't know in which direction.

To go with your analogy, it's good that Underwriters Laboratories exists. But before it existed, the correct action wasn't necessarily not to sell or buy any electrical products. People had to make their own decisions somehow.


> I'm not talking about that. The user is making a permanent copy on disk when downloading.

The copy was made by the party that distributed it to the user, which was implicitly authorized by the fact that they sold it to the user.

> IIUC this has been ruled by various courts to require a copyright holder's permission.

This is wrong on several levels. First, no copy is being made by the user. Second, copyright only applies when copies are made and distributed. Third, no court has ruled that copyright even applies to the user when a copy is sold by the copyright holder.

Please read about basic copyright law if you want to argue on this topic.

> Some countries

I can only speak about US law.

> the apparent illegality of downloading

Downloading is never a violation of copyright. Clearly you have never read anything about copyright and its history.

> ordinary users often do create copies

That would be a violation of copyright, but recent rulings have ruled that transient copies that are temporary and part of the normal technical process of using the software (such as RAM copies) are not a "copy" as far as copyright is concerned.

> Wikipedia logs edits, including IPs for anonymous ones.

Are you being obtuse on purpose? There is an obvious difference between voluntary edits made by the user, who is necessarily aware that Wikipedia will record when and what you edit as part of the editing process, and unknown "telemetry" or "analytics" that happen invisible to the user and may apply to data that was not directed at Facebook/etc. Obviously Wikipedia will log your edit; that's the intended result. Facebook reading messages you sent to your friend is spying that requires informed consent.

> We don't have good estimates of the future risk of sharing data now

We know they can be incredibly damaging right now, and I don't see this risk getting any smaller in the future. It will only get easier to de-anonymize data.

> the correct action wasn't necessarily not to sell or buy any electrical products

Of course. The moral action would have been to sell products that err on the side of caution, even if that makes them more expensive or less usable. To do otherwise is to willingly risk your customer's safety.

How about this: if you are so sure the risk is acceptable, you should indemnify your users against any future problems that result from data collection and sharing. If you think this is unreasonable, then you're admitting the risk is too large and you simply want the user to bear that risk. On the other hand, if you think this risk is fine, then you shouldn't have any problem accepting liability.


Alphabet = winning bet


I don't understand why the state has to become involved. Let the free market work and people decide for themselves.

I stopped using WhatsApp the moment I read that Facebook bought it.


Privacy is strongly regulated in the EU, there was a strong push for it from both our legislators and normal citizens. We asked the states to be involved and not let the "free market" decide by itself. In my state one of the most important and independent roles in government is the "Privacy Regulator" which has the power to check, verify and impose strong regulations on how you manage others' data, and is very active.


I'm sad to inform you, this is a horrible trap you and many Europeans fall into. All of this legislation comes from lobby groups representing the big telcos, who are just desperately looking for ways to keep the OTT's away. Just a couple of weeks ago a draft bill was published indicating that OTT's must be able to comply with the same regulations as a telco, which means, among things like "ability to call emergency services", that end-to-end encryption would NOT be allowed, because end-to-end encryption kills the capacity for "lawful interception". [1]

[1]: FT article, looks like it's paywalled, link to Google cache: "Brussels to tighten grip on web services in telecoms shake-up" https://goo.gl/MFYaIx


So would you say the situation is worse than elsewhere? Especially considering we are not US citizens and thus free game under the US constitution.


All that I can say is that if we actually had free markets, one's citizenship wouldn't matter at all. For better or for worse, it would be up to individuals to inform ourselves and seek privacy, security and financial profits as we see fit.


And we'd be up individually against huge conglomerates full of lawyers and psychologists trying to trick us. Without some sort of organization with comparable power on the consumer's side, this is not a very bright proposition.

edit: (Bright not as in 'intelligent', but as in 'bright future'.)


> huge conglomerates full of lawyers(...)

I think it is easy to challenge this notion that Corporatism is something that comes to existence due to the absence of regulation bodies and government intervention. If you have solid institutions and a simple code of laws that allows well-intentioned people to work for their self-interest and of their society, we wouldn't have the amount of regulatory capture that we see nowadays.

> some sort of organization with comparable power on the consumer's side.

When Adam Smith was talking about "the invisible hand", it is precisely this kind of organization that is being talked about. All the people need, as a whole, to have "comparable power" is the freedom to choose and access to information.


Whatever you are citing is not within the competence of the "Privacy Regulator", nor can it take any decision on it.

The Privacy Regulator rather is pushing for strong end-to-end encryption to protect user data, at least in my country. You are citing something totally different and out of his scope.


"The bureaucracy is expanding to meet the needs of the expanding bureaucracy..."

End-to-end encryption, by definition, is something that excludes any third-party from being able to intervene. If you take the Hobbesian view of the State and subscribe to the idea that Government has a legitimate monopoly on violence, how would a government be able to exercise this monopoly without relying on cooperation from any of the end parties? It is not in the interest of Governmental agents to give this much power to its citizens.

End-to-end encryption is something that NO government will ever adopt or actually push to its citizens, ever, unless they are one of the "ends" on this.

I don't buy it, and I hate that I am starting to sound like a conspiracy theorist, but if the concern about privacy was serious, why haven't we seen any legislation about encryption on email? Which country is actually educating people about PGP? Why is the privacy concern only for phone and messaging, where the telcos have been making their money all these years?

You can have a "Privacy Regulator" all you want, in the end it is just a role that is being used to give some sense of legitimacy in this play directed by the corporations.


Data protection legislation long predates OTT services. The original UK act dates from 1984, the EU act from 1995. True, there have been revisions since, but this didn't come into law to prevent Netflix from starting.


What is an OTT?



Because the free market is very slow, and it's a greater total harm.

Would you rather your child learned which items are hot by scarring themselves each time?


So, we the people are essentially children and the state is the parent? Nice metaphor, you just proved my point that the state should not interfere.


That analogy makes no sense, and your view of consumers and individuals as children is patronizing.

Free markets also include the spread of information and signaling. People can learn from the mistakes of others. It is precisely in a free market where the information gets to be spread out the quickest.


I did not find the above comment patronizing.

Some types of signaling are best to be learned before it becomes a problem. Like killing.


Not everywhere is Libertarian


> Let the free market work and people decide for themselves.

Free market has regulators. This IS the free market deciding.


So in order for a company to violate your privacy without losing you as a user, they just need to not be acquired by Facebook?

Edit: My point is that you will not automatically have your privacy violated when a service is acquired by Facebook and most importantly your privacy will not automatically be safe on a service merely because they have not been proven to violate privacy for the time being.


The government is involved either way, generally the decision to deregulate a market in order to "let the free market decide" is made by the government - see financial deregulation, airline and energy deregulation in the US.



