Facebook’s tracking of non-users ruled illegal again in Europe (techcrunch.com)
Maybe send the army or CIA to change some governments, some citizens dare not have FB accounts, they must have something to hide /s
Even if I have an FB account I do not want FB to follow me and say scrape my HN comments and mine them for data.
If it is "industry standard", does that make it ethical?
Corporations tend not to mind if you take away a business strategy of theirs, as long as you take it away from everybody else at the same time. If you only take it away from one corporation, that corporation will be temporarily outcompeted by the corporations you haven't yet taken the business strategy away from, so they heavily resist that.
But heaven forbid governments hold a dominant corporation accountable in the public interest.
Not so if it is the only way for the business model to be profitable. More generally, this argument assumes that there is a fixed profit to the business, and the only thing to compete for is a bigger share of that fixed profit. The reality is that corporations are amenable to increasing the profit all around so long as they get part of it, and don't particularly care who gets exploited in the process. Conversely, they do tend to protest when the pool is reduced, even if it affects their competitors similarly.
If I go to the police to complain that my neighbour is spying on me, it's only natural that the police only investigates that neighbour.
"But, officer, everybody else was speeding, too!"
Well, you are just the first one and the biggest one.
"Officer, The guy in front of me was driving fast too, so why not him?"
However, regulators like to make examples of bigger corporations since the publicity is more effective with them, and also they are able to both pay up and/or change.
I read that as: why are you only paying attention now? (i.e. after allowing the industry to reach its current, pathological state)
Also: from the jurisdiction's point of view, this is perhaps the only efficient way to allocate legal / judicial resources. You go after a small handful of big-name "make an example" cases, and hope that this deters use of the business strategy by the long tail of smaller companies you can't afford to go after.
That's not true in this case. As the large incumbent in social media and advertising, Facebook are the company most impacted by this, whether or not their competitors are impacted.
"Why have you singled us out for dumping 1000 tonnes of ash into environment each day? Look, this guy is dumping his ashtray on the grass right now!"
Nope, not at all. Standard practice does not override ethics. Tobacco companies would consider advertising and promoting smoking as industry practice, but we cracked down on that because encouraging people to do something that is demonstrably bad for their health was something we decided wasn't ethical and would be cracked down on.
FB's system is much more reliant on tracking though. Google's can at least work anonymously, eg searched 'dentists' in some area. FB's is almost useless without tracking.
Seems innocuous enough until you really think about what they're saying. "But, tracking these people without their consent allows companies, including us, to make money off of them".
That's actually a pretty brazen thing to say; as if the fact that people can be monetized should trump their right to privacy.
Industry here is essentially Google and Facebook. The other "players" fight for the crumbs. Ethical? They need growth, every quarter.
1. I don't have an account on Facebook.
2. Blocked Facebook domains via /etc/hosts
3. Use Ghostery
And despite all of these steps it feels like we are wasting our brightest minds to always be a step ahead in surveilling what the humans of this world are doing to exploit it for targeted advertising.
Very much not an excuse. It's up to the business to work out how to do this within the law.
> and reach customers
If I am not a Facebook user I am not your customer.
It is even worse to be made into a product that FB sells when you aren’t even a FB user.
A bit like when you wait for the green light to walk over the street; if you see someone walking the red light, you walk it too.
Of course you still get flattened by a semi-truck doing 50 kph.
I also don't see any advantage for the user, getting ads is not in their interest.
EU doesn't care about this. Like this argument works only in the US.
Yes, tracking cookies is ethical. If some internet users do not want to get tracked - they can run their browser in Incognito Mode.
* Explicit consent for non-essential data use, you always need to provide opt-out without degrading the service
* Opt-in/out separately for every activity (no more "research purposes")
* Data deletion and takeout. Maybe in the future EU will also introduce some standards for the takeout, which will allow us to migrate between services much easier (as we now can switch between banks or telcos in a semi-automatic way)
The jurisdiction stuff is disturbing. Having separate rules/rulings for Belgium, Turkey, Venezuela, etc... It's (a) not practical and will end up helping incumbents. (b) It really curbs the internet's ability to promote an open information norm.
Privacy is an issue and we need to do something about it. But, I have a real feeling censorship, corporate-protectionism, copyright and other agendas will tag along, once the legislature-courts-enforcement complex is up and running. The sorry state of international law/governance isn't helping, including even the EU.
Meanwhile, the recent history of legislative action (eg, the "cookie laws") is not encouraging. I don't think legislators were even aware that it would amount to nothing more than nag screens and terms of use. Don't use incognito, or every site will nag you again, your consent is mandatory and stored as a cookie, for extra irony.
Ultimately, these things would have been better dealt with at the standards/protocols/browsers level, but I think that ship has sailed.
"Ghostery’s B2B Digital Governance solutions will reassume the company’s original Evidon brand, which focuses on monitoring and consent solutions ...Evidon will retain aggregated data about trackers, ensuring no change to the service currently provided to its enterprise clients..."
Stick to something like uMatrix
I would think just say ok we stop doing it because we're going to have to stop doing it anyway. But they're not stopping, what is the plan?!?
sure, I guess the entire tech industry would be dead without tracking users
Even behind an ISP or corporate NAT with cookies disabled, there are other ways of tracking. If JavaScript is enabled, browser fingerprinting can be very disturbing in its ability to single you out, depending on your configuration.
More generally, I always found this obsession with tracking non-users one of the creepier aspects of Facebook when I finally used it circa 2011 - 2012. The amount of information it had about me that could only have come from web browsing before I had signed up, such as local takeaways and restaurants I had used, was impressive but unnerving.
For Facebook to lie in such a lawsuit would require hundreds of their employees being willing to lie under oath. It just doesn’t make sense, considering they would risk harsh criminal sanctions and have only their usual salary as an upside.
As for IP-based tracking: if it were as effective as cookies, websites would use IPs and not cookies.
Actually it would only require a handful of people hiding the truth. Given how most of facebook's development is done in the US and not in Belgium, they won't even have to appear in court.
Also IP-based tracking is very effective, and it's used alongside cookies. Nothing beats cookies with Javascript, but IP will do just fine, especially for companies like Facebook and Google who can track you on pretty much every click you take.
People considering buying stock and people owning stock should hopefully be informed enough to have noticed this.
There's also the GDPR upcoming in May. I cannot imagine that Facebook won't make losses when that hits. They might be able to defer the impact by mostly ignoring the law until they get sued, but ultimately it really just seems like it's going to be downhill from here on, which is not what anyone looking to buy stock is after.
Just awesome...
Although I should say, not without hesitation, given the extreme discrepancy between rates of change in tech and law. I would hate to see seemingly well meaning legislation passed for something like this and then turned against us by our friends at the NSA, for example.
Is it because the article relates to evil Facebook and not Google?
Also give me examples of EU companies that track users on most of the internet.
Not sure if I understood what you meant. I'm not saying that they should, I'm saying that they often do. At least on HN.
Well, FB is headquartered in Ireland...
Basically EU wanted sites to obtain consent to use users' cookies (and for the users to give/take away that consent). However, pretty much all the sites just decided to provide you with a banner saying something like "if you're using this site you agree to our cookie policy". Therefore the law became ineffective and just a nuisance to the users.
This notion of "implied consent" is being actively fought with GDPR. You have to provide explicit consent to the usage of your data. And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service).
With ePrivacy this will go one step further. Right now you only need to provide opt-out, which means most people will likely leave it as it is. Going forward those additional services (marketing purposes, ad tracking) will need to be strictly opt-in (and there's already internal research done in some companies showing that marketing/ad opt-in rates will be 10-12% at best).
You could see the cookie law as a gentle request for Internet businesses to self-regulate and limit unnecessary tracking. It didn't work (I don't know of any case when businesses decided to self-regulate themselves out of potential extra profit), so now GDPR is meant to force companies to stop their user-hostile data abuse.
There are rules about things banks have to inform you of, or pharmaceuticals. On the academic side, this can be effective. Disclosure and making information public. On the consumer side it is almost always disingenuous. Small print meticulously written by compliance officers and reviewed by regulators. No one seems capable of stepping back and asking "are consumers better informed."
When internet service X wants you to know your card is about to expire, they make sure that you are informed. When a regulator wants you to be informed about cookies.... we get small print, and a nag screen making us promise that we read it.
> Explicit consent for non-essential data use, [...]
This raises a bunch of questions. Anyone know the answer to any of these?
1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?
> [...] you always need to provide opt-out without degrading the service
2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.
On the paywall, it offers to waive the subscription fee if you consent to non-essential data use. If you either do not consent, or, after consenting later change your mind and opt-out, is it "degrading the service" if I no longer let you have access to the material behind the paywall?
3. In #2, does it matter if that's how my site works for people that I can identify as being in the EU, but works different for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?
4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.
If they say that they are not, I set a cookie that records this, and they get my normal site, which only follows whatever data collection rules my country imposes.
If they say they are, I just send them to a page that says EU people are not allowed to use my site.
What's the situation if someone inside the EU lies and tells me that they are not in the EU? Am I in violation of GDPR for keeping forbidden data on them, or does their lying to me count as consent?
[1] In fact, most of the data we keep on EU customers is data that we don't even want to keep, but the EU is requiring us to keep it for VAT MOSS reporting. Before VAT MOSS, all our EU sales went through a UK entity, and we paid UK VAT on all of them, which required much less information for reporting.
If you use the data for bank transactions or paypal subscriptions it's essential.
If you sell the data for profit, it might be essential but it falls under "opt-in only" of the GDPR. So in this part; not essential in the above sense.
> 2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.
Subscription paywall is fine. What isn't fine is degrading the service if the user opts out of having trackers included in the website when they visit.
> 3. In #2, does it matter if that's how my site works for people that I can identify as being in the EU, but works different for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?
GDPR only applies when you target people currently in the EU (citizen or not) and EU citizens outside the EU.
> 4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.
If they say no, I would say that is okay to believe considering the GDPR also requires an "Are you 16" question. Ask a lawyer.
I don’t know the answer (interesting idea though). One thought came to mind: If you do it this way, you can only monetise your EU customers indirectly. As soon as you bill them, you’ll probably need to capture their address info at which point you know for sure they are in the EU. Yes you could argue it’s a non-EU citizen using an EU address while not being physically within the EU at the point of the transaction, but I wouldn’t think that would get a free pass in court.
IANAL, but intuitively, I'd say no.
In a technical sense, it's not essential: Even if your whole income is based on data reselling, your site wouldn't instantly become unusable the moment you can't collect any user data anymore. (Unless you deliberately make it so, but then that's your decision and not a technical necessity)
Yes, you will operate at a loss, but that is your problem as a business. It doesn't have anything to do with your ability to perform the service.
In a more general sense, basing your business model on data collection is your decision. There are other ways to make money on the internet. So if you have the option of finding other sources of funding, it's not "essential".
The GDPR will not allow blanket consent statements, it will not allow “permission bundling” (eg. allow access to everything or you can’t use the site).
The changes Twitter rolled out in preparation of the GDPR look like a good thing.
We’ll see how it turns out, but I think the GDPR will actually force companies to change, beyond cosmetic changes. And since it is valid for all “data subjects” in the EU, companies will have to consider that. The EU is too large a market that companies can ignore it.
This is something I have not been able to come to terms with. I can understand requiring express consent to each item individually, rather than burying everything into a long ToS. But what I cannot understand is forcing me (as a service provider) into a contract with a customer even if the customer rejects some of my terms.
I realize generality and such get in the way of this, but... I think it would have been better if this move specifically targeted the 100 biggest companies, who have the scale and resources to actually use all this tracking data.
The jurisdiction stuff is disturbing. Having separate rules/rulings for Belgium, Turkey, Venezuela, etc...
It's (a) not practical and will end up helping incumbents.
(b) It really curbs the internet's ability to promote an open information norm.
I find it disingenuous of Facebook to be serving all the EU equally, then claim that Belgium's jurisdiction doesn't cover them because they're based in Ireland. That sounds like having your cake and eating it.
I don’t think so. Only really large corporations are able to serve all areas anyways. Most small companies in the world already cannot afford to serve multiple jurisdictions.
HN is serving all countries right now, as it did when there were 54 people reading it the day it launched.
Geographic borders may be relevant online, but they may not.
- single Internet jurisdiction, overriding national sovereignty; in practice this means letting America run the Internet
- National Internet jurisdictions, which potentially come with some sort of virtual border policing; Great Firewall(s)
- lawlessness, which libertarians will like but produces outcomes increasingly unacceptable to the public
One of the things lawlessness produced was internationalization and de-censorship of media. That hasn't been without cost, we've had several (mostly failed, but still) political revolutions as a consequence, from Cairo to Hong Kong. At the heart of it was the ungovernability. Countries had to deal with a more or less "take-it-or-leave-it" proposition. China was the first to really break out of that restriction, and I don't think it's a coincidence that (a) a powerful country led the charge or that (b) political censorship was the leading reason.
Another benefit (again, in my view) was a relatively open playing field, commercially. We're worried about power concentrating in the few hands of FB, Google, and such. But, the internet economy is still a lot higher resolution than most other markets. The big markets are usually highly concentrated (eg, supermarkets, FMCGs, financial services, media, logistics, transport...) or practically confined to small scale niches: local services, real estate...
I think we've been getting cynical about this as the winners dig in, but the internet really has been a place where part time tinkerers could compete with $bn mammoths.
This is not an anarchist statement, or part of an overarching political ideology. There are, as you say, tradeoffs. There are choices that can create more or less good or bad.
Anyway, let's not count chickens just yet. We've seen China regulate the internet effectively for political control and industry protectionism. We've yet to see any country be effective on privacy. We've got the GDPR playing out this year. We've got more active courts & legislatures. Let's see if privacy actually improves.
The worst case scenario is that we end up with all the negative trade-offs, but all we end up with is a privacy bureaucracy that doesn't affect privacy much.
Remember that we've seen one (IMO) embarrassing failure go unacknowledged: the cookie law. We got nag screens and compliance audits. We didn't get any privacy.
If you dislike that, you should be happy about the GDPR since it's harmonizing data protection law across 28 EU member states.
That's like saying that democracy is disturbing, but it's the best we have got. FB should respect laws in Belgium, that's it.
I don't trust "governance", I trust "government": because it is only at a national level that we see a bit of democratic accountability.
In this case, I like the court's decision and FB is big enough to deal with it. What about a much smaller service dealing with Polish censorship laws, Turkish political content laws and 12 incompatible EU privacy laws. It can only end in either (a) overall ineffectiveness or (b) internet balkanization.
Facebook following Belgian law isn't the issue; the issue is that jurisdiction questions have to answer a lot of less-palatable questions the same way.
From that sample size I'd estimate the percentage of engineers who don't care about ethics to be at least around 10%.
Even apart from people without any values... most engineers don’t hang out on HN, and don’t care much about global scale politics. They care about things that affect them in a very immediate way - family wellbeing, friends, coworkers, and how to pay the bills. I think many don’t infer how much of an impact their actions actually have, since they are “only spokes in the wheel”.
* Turn up to job. Nice people, good desk, good canteen. Benefits good.
* Work is interesting - working on cutting edge, dynamic web experiences that are changing the way we interact with people.
* Solved a knotty engineering problem today. Was very pleased, boss was impressed.
* Shipped product today. New sprint starts tomorrow. No defects!
The actual implications of any one feature, the borders between personal data and pure engineering problems blur. Your effort is only a small part of hundreds of effort-hours taken to ship and maintain a product. The decisions about where the lines are drawn were taken months or years ago by people who may or may not be at the company and who were also probably just trying to solve the problem that was in front of them.
You, the engineer, are never sat alone in a room with a user story that breaks GDPR for a product that is fully compliant. The future of the product never rests with you and only you.
One thing that always stands out to me on HN is how obsessed Silicon Valley is with money, from top to bottom. There are plenty of people on here that would happily implement invasive tracking if they were compensated well enough for it.
Another way they could deal with it is by disputing the EU-US privacy shield[1] or disputing the decision that overturned the original privacy safe harbour[2]. IANAL so I have no idea how they would do this, but it will be costly for ECJ and FB.
[1] https://en.wikipedia.org/wiki/EU-US_Privacy_Shield
[2] https://en.wikipedia.org/wiki/International_Safe_Harbor_Priv...
So, you can't just continuously pay fines whenever a court rules another time that it's illegal. The fine for a felony is much higher and at some point, you'd also simply be thrown out, or blocked in the case of Facebook, I suppose.
My impression is FB allows targeted advertising without selling anything. In fact, why would FB sell their most valuable asset?
And that's a maximum fine for a particular decision not the maximum fine annually. They can certainly be fined once and ordered to stop processing the data within, say, 30 days; then fined once more after the 30 days have passed for noncompliance with that order, and then so on.
There also is personal liability for the responsible executives and employees who'd be violating the regulator's order.
on edit: looking here https://www.i-scoop.eu/gdpr/gdpr-fines-guidelines-applicatio... it seems the second level of fines go up to 2% and are on a per case basis.
To answer your question, though, if you live in the EU, then the GDPR, due to be enforced on the 25th of May, does make this practise of Google most definitely illegal. So, in like two years from now, when the lawsuit regarding this concludes and Google is actually forced to follow the law, then you should be able to.
If you still cannot be convinced to drop Gmail, there might be a technical solution to your problem, too.
For Firefox, there's an official extension called Multi-Account Containers, which allows you to have different sets of Cookies in different groups of tabs. And you can tell it to always open certain webpages in certain containers.
So, you would install the extension: https://addons.mozilla.org/en-US/firefox/addon/multi-account...
Then click the new Multi-Account Container button in the toolbar and from there open a new tab in a Container (you can also create a Container specifically for this, if you want).
Then in this new tab, open up Gmail and log in, and again click the Multi-Account Container button in the toolbar and tick "Always open this website in ...".
Finally, open up a new (non-Container) tab and log out from Google there.
Google doesn't "read your email", they index it. Which allows you to search it. And then they show ads that are targeted to keywords that appear in the index. Gasp!
I seriously don't understand what the big deal is. Genuinely, what is the risk or concern here?
And I really doubt that GDPR is going to kill Gmail. They need that index to provide the search capability, if nothing else.
I think many of you who are fans of GDPR are going to be gravely disappointed.
A major tech company tracking users across the web beyond their own limited use-case platform is a relatively new phenomenon but now that it's been established in the courts as a big financial and PR risk then there is a big deterrent from future companies doing it. And often courts in other western countries take note of precedence defined in major foreign courts to define their own.
Formalizing this in legislation always seems to sound like a good idea in the short-term. But in practice it's often really hard to define preemptive regulatory systems that work efficiently (and relevant to today's realities), especially in technology, as well as more expensive to enforce via agencies/auditors, and will likely end up wastefully crossing over into many areas/situations which are totally harmless in practice or having negative side-effects which outweigh the benefits, such as harming innovation.
I'd rather we deal with negative behaviour on a case-by-case basis.
Simple: that the courts won't handle it. It is not reasonable to expect either customers or the courts to actively go after companies that use this sort of tracking internationally.
They can go after companies with a global presence, by doing so locally, and of course because these companies will actually fight it instead of just ignoring them. So Facebook is a target of convenience, but convicting it will not yield any results (if necessary Facebook will just use an intermediary, besides Facebook is being targeted because politicians like to stick it to Facebook atm).
You can say "just change the law", but a lot needs to happen beside that to make this practice stop. None of that is happening, so this practice won't stop as a result of this. It's just a PR grab for some politicians.
The corporate response to long hours and low pay is to put up suicide nets. In the U.S. we have minimum wage, hourly restrictions, break, and overtime laws.
You can't trust the market to weed out bad players when the bad players are the ones with enough money to buy public perception and government influence. You have to force them to do the right thing through legislation.
You also seem to neglect that the government all over frequently takes advantage of its position in ways that make things worse for society.
The thing about corporations, though, is that with minimal regulation, they can be forced to compete, and ultimately bad ones are orders of magnitude more likely to change or die than any given government. In fact I'd argue that a constant churn of negative companies is still better than some of the worst tyrannical states that ever existed, by a large margin, because of the forces of competition.
The law is already far behind in this case. It implicitly assumes all databases allow for a CRUD workflow. But now we have blockchains/distributed databases where the UD part of CRUD is literally impossible. It will be very interesting to see how the courts deal with personal data stored in this manner...
Why don't you put your faith in data? If you're an engineer that's presumably what you're already doing in every other respect of your life. It doesn't seem to me that starting out already having decided on what the best approach is will lead to the best decisions.
Them indexing it, correlating it with all that other data they already have on you, storing and actively working with this data, including allowing 3rd parties to run near-arbitrary JavaScript on your client, based on near-arbitrary criteria they can specify, is in my opinion much worse.
Opens you up for this data being stolen off of Google's servers and for all kinds of attacks:
- Spear phishing
- Narrowing down the criteria, so that it only targets you, then reading out the IP that you're connecting from. If you're travelling from public WiFi to public WiFi, this can describe your path extremely precisely.
- Malware distribution in those ads. As the ads can be targeted to relatively small groups, they aren't going to be as thoroughly vetted and malware can go unnoticed for quite a while.
As for the GDPR killing Gmail, that's not what I meant. They'll have to make a good few adjustments, but they'll be able to continue operating it.
What I meant is killing Google's practise of having every question of consent being ticked off with one global ToS. That is something where the GDPR is quite clear that it's not legal. You have to ask for consent for each piece of information individually (exempt is information that you actually need to operate the service) and you're in general not allowed to bury questions of consent in ToS.
Years ago I remember hearing about the Normalization of Deviance and in many ways that's exactly what we see. Even Facebook's argument of others do the same is in alignment with such normalization. If everyone jumps in a well, would Facebook do the same?
Minus the part where you're giving away your product for free with legally mandated nothing in return.
The GDPR does forbid hinging service quality/availability on consent but I don't think it forbids putting it behind a paywall as alternative.
Although this is one of the areas where it seems some sort of challenge is inevitable. Requiring businesses to give people more control over data about them is one thing. Requiring businesses to do things that make no business sense, like providing services to people despite getting nothing in return, is something else entirely.
Where is this specified? It's not what I understood from Recital 23; as far as I can tell, it applies if the business is established in the EU or if the user is in the EU, but not to EU citizens outside the EU (if the business is foreign).
Some things are hard to solve with laws.
Hello. I have moral objections to excessive tracking, and none of my businesses use things like retargeting based on tracking pixels, even though this would almost certainly improve the conversion rates for our online ads significantly.
There, now you've seen a case where a business self-regulated out of potential extra profit in exactly this area. :-)
Sad you don't link to your businesses in your profile; now that you made me want to check them out and maybe reward with money.
That said, you'll end up driving white-knuckled and fearful of your life if you dare go the speed limit on the Mass Pike. You'd have to drive 70-75 minimum here just to feel safe.
Corporations are not divorced from the people that run them, but the people that run them are divorced from the people they impact by their decisions.
Which countries are moving towards shorter workdays without government intervention?
Governments do frequently take advantage of their position. I do not dispute this.
We can prevent a constant churn of negative companies as well as tyrannical states. It's not an either or.
As an example in Romania, Microsoft was caught doing illegal things, they corrupted government people to buy tons of licenses, we should not wait for an EU company to do the same before investigating this MS issue. The fact that some other companies also bribed some other people should not affect the MS case.
I am not sure if the MS case even reached MSW top page, but if it were some small software company outside US it would not appear on HN at all, only on local press, so HN front page has a bias for big US companies.
Cookie restrictions basically amounted to an additional clause in terms and conditions, the thing we're disingenuously treating as a contract.
Realistically no one reads them, not even lawyers. That is the expectation they were written under. If people actually read before accepting, they would be 250 characters long. Very few services would put up with that much of a roadblock to signing up. Do you really think Apple would tolerate an average iPhone sitting unopened for months while the user has the "contract" sitting on their todo pile along with mortgage refinancing and insurance paperwork?
It makes a mockery of the whole thing, reductio ad absurdum for the whole concept of consent...with side effects.
The dynamic this has created is one where the "contract's" job is to reserve all rights that can legally be reserved. There is no trade-off, no reason not to reserve any right. It's just silly to treat these as agreements.
The idea with unbundling is to break this dynamic. Encourage some semblance of informed consent where the user is party to these decisions.
Giving users an all or nothing proposition is a part of the problem, along with the insane levels of user engagement in legal boilerplate that would be required for the system to actually work the way we're pretending it does.
That said, I think it won't work. We'll probably have a more complex version of the current system. Services will still have an incentive to obscure... and turn consent into a click-without-reading-or-fuck-off nag screen. They may just need 4 separate ones now.
This just now means you have to be pretty darn sure you're choosing the right one (because, you've always had to protect and limit the amount of information you collect and process, now it's just much more explicit).
As with everything GDPR (and most digital regulations in general), the large companies will win as they have the legal teams to draft the statements and scores of developers in order to get the UX process sorted (or argue their case in the event something goes awry).
Examples include distance selling regulations (that provide the right of withdrawal) and limitations on what's considered an acceptable mid-contract price increase. GDPR adds extra restrictions on what privacy rights businesses are allowed to require consumers to opt out of.
So if you've done it correctly, the customer isn't rejecting your terms: they're exercising their options under the contract you've offered them.
In practice, this seems difficult and the relations of power in modern EULAs are fairly asymmetric. For example, in many areas there is only one provider of some needed service, like e.g. an ISP. Partial contracts and a certain emphasis on customer protection seem like a reasonable compromise.
I'm not sure what gives you that impression. If the customer rejects the terms, you are free to walk away.
The GDPR position is that the privacy rights are not something that customers can "trade away" in a contract, they're not for sale. If the customer genuinely wishes you to do that processing, you're allowed to do so; and if they don't, then that processing shouldn't be done at all.
The way it's written it has some similarities with sexual consent - just as a valid signed contract stating "I'll allow you to violate my arse for $1000000" legally cannot be a binding contract term (even in places where prostitution is legal) doesn't really give you the unconditional permission to violate my arse and that consent can still be withdrawn at any time; in the same manner a contract stating "I'll allow you to violate my privacy for $1000000" cannot be a binding contract term in any consumer contract according to GDPR. Just as many, many other terms in EU consumer contracts (e.g. binding arbitration clauses, voiding of warranties, excessive penalty clauses, unilateral changes in terms, etc) - even if the company puts it into the agreement and the consumer signs, they are considered automatically unfair and unenforceable.
Are we conflating two things here?
There are agreements which you ask the customer to sign which are required to provide the service: e.g "In order to send you the goods you required, you have to give us your postal address." These must only be used for the purposes of the business - you can't sell the addresses, without consent.
Then there are consents which are for non-essentials. e.g "We would also like to send you our newsletter and for that you need to give us your e-mail address".
The agreements are things that everyone needs to sign in order for you to carry out the business with them. Consents are the optional things and should be separated out.
Or am I misunderstanding you?
Do you prefer that we create laws for fixing problems that do not exist yet?
Maybe there can be no next Facebook (as in, one multinational actor in position of monopoly on one type of service) and maybe that's not a bad thing.
If the only way to have the same kind of service from now on is to use a network of separate entities each smaller than Facebook and interoperating between themselves, it might be a good side effect of the law.
What I fear is that there is no next FB because fewer people can "enter the market" that in this case is necessarily international .. can't because you need to start with a team of lawyers and compliance officers.
FB is unlikely to get injured. They're big and rich and have a deep moat. It would take a lot to shave 5% off its revenue. Making a potential FB competitor restrict itself to a smaller market, and a more localized service... It doesn't take as much.
You can have "take it or leave it" agreements, and you can have consent, but these are two separate things; it's not possible to obtain consent by putting some words in a "take it or leave it" standard agreement.
That's not really relevant to the parent's observation that Facebook is likely arguing that they're being singled out in an environment where their practices are so rampant as to be standard.
>But heaven forbid governments hold a dominant corporation accountable in the public interest.
"accountable to the public interest" is an incredibly disingenuous way to say "enforce their laws". The difference matters in this context because the counter argument would be "why is the law being enforced predominantly against a handful of American companies instead of the industry at large?"
Either it is enforced against Facebook first, and Facebook complains "Why don't all of the small fries have to do it yet" and if it is enforced against the small fries, they will say, "Why doesn't Facebook have to do it yet"?
And the answer is, the justice department will probably enforce the law in the way that they expect to have the best effect for themselves. It is not necessary to wait until you are sued before you become legally compliant?
When a government agency (think IRS or FAA) decides on a specific interpretation of a law, rule or regulation, they don’t go after a random guy to prosecute. They publish an opinion, a guideline, or interpretation and a compliance deadline. The industry is given a choice to comply or present an alternative interpretation (through courts, lobbyists or legislative representatives).
It’s one thing if one company out of a hundred doesn’t comply, and somewhat different when the standard industry practice goes against new interpretation.
Selective enforcement is more typical of countries with weak judicial systems and endemic corruption, where “friends” of the current government get compassionate understanding, but everybody else is subject to the strict rule of the law.
Still, the lawsuits should be simultaneously served to all companies. Preferably with a courtesy heads up.
The courts are just agreeing with these citizens/rights group. It's not like an EU agency is targeting Facebook unfairly.
Personally I can only see this as a good thing. As a non-user I don't want Facebook tracking me. Same as I don't want tracked by any other company.
Because the largest companies that European citizens are using and that are breaking the law are American. There is no point in targeting first the Chinese and Russian companies doing the same tracking, as few European citizens are affected. And as far as I know, there is zero European company doing the same thing on such a level.
That's not a counter argument but dissatisfaction. Are you saying that EU companies also don't follow their laws?
You're correct but mainly because I wasn't paying attention and phrased it as a question. Written instead as a statement, it's a valid counter argument because it's criticizing the parent comment's ridicule of a different instance of criticism.
> Are you saying that EU companies also don't follow their laws?
I'm insinuating that if someone wanted to defend Facebook's position one avenue would be to argue that the law is being selectively enforced. Obviously this isn't a comprehensive argument but it's an easy platform to jump in other directions from.
I think rather than arguing in general terms that regulation is bad, it is more helpful to address any specific problems you have with GDPR. I've spent a few months looking at it at a small organisation that is having to implement it. My take is that its goals and the way they are implemented look pretty sound.
Incumbent friendliness is a real concern. In my experience, it is taken as a given by industries facing potential "regulation".
>I realize generality and such get in the way of this, but... I think it would have been better if this move specifically targeted the 100 biggest companies, who have the scale and resources to actually use all this tracking data.
Then they'd outsource it, hide it, whatever. See: tax laws. Law is like exercise, you can't specifically target abdominal fat, nor can you specifically target Fortune100 excesses.
In almost all cases, industry regulation (what this is, more or less) tend to be incumbent friendly. Ie, we could be moderating FB slightly in exchange for killing its future competition.
It is like the Microsoft anti competition case would not take place until we find some small non US OS vendor to punish first so the Americans won't get upset.
As for your belief that American companies are being unfairly targeted, this also doesn't make much sense to me. European companies wouldn't break the laws in the first place, Asian companies don't really compete in the European "web services" market, so the only major source of rights violations is going to be American companies.
If American companies don't want to follow European laws, they shouldn't be doing business in Europe. And why are you complaining about in which order those companies are being punished for breaking the law?
I hate when someone drives respecting the limit and you get jerks with big cars or trucks behind you and force you to go faster (by force I mean get close behind you, use the horn and other bad behavior that can intimidate a new driver).
If lots of people can "enter the market" then one of these might succeed. FB is just an example, but I also mean them. Most of these potential fb-killers don't know that they're competitive with FB.
Think of WhatsApp (again, just an example). They entered the market, at an angle. Within a few years, they threatened FB enough to get bought, just to eliminate the threat.
The end result isn't all that heartening, but everything up to that is. I'm not saying GDPR makes this impossible, just worried about the accumulation of these things. Even a handful of reasonable rules could make things harder, especially if they are different in every country. WhatsApp might have decided to focus on a few core markets, and limited their idea to more local things.
European companies are just as capable of violating the law as American companies. Part of the argument being made by critics is that there's been little sign that comparable effort has been made by European governance to investigate its domestic companies as rigorously as it's been investigating America's.
>If American companies don't want to follow European laws, they shouldn't be doing business in Europe.
The counterpoint would be that the companies are only breaking the law because the EU decided that its laws can be applied globally.
>And why are you complaining about in which order those companies are being punished for breaking the law?
Because it's difficult to believe that there's only enough resources to prosecute a handful of companies at a time.
I never said they aren't capable, I said that they would generally choose not to (not to mention that "hosted in Europe" is actually now becoming a bit of a selling point because of the pro-privacy regulations there).
> Part of the argument being made by critics is that there's been little sign that comparable effort has been made by European governance to investigate its domestic companies as rigorously as it's been investigating America's.
European regulators are very strict with European companies in a variety of ways. Just because it doesn't make international news every week is not proof that it doesn't happen (I work for SUSE remotely and my impression is that the German government is very meticulous about verifying that companies aren't breaking the law.)
> The counterpoint would be that the companies are only breaking the law because the EU decided that its laws can be applied globally.
Facebook and Google do business with people in Europe (provide a service and use them as ad-fodder). This is similar to exporting goods to Europe -- you need to obey the laws of the country if you want to do business there. They actually have an even better deal than that, because there are no tariffs for online communication! Not to mention that Facebook and Google have physical hardware in European countries.
They aren't enforcing their rules globally, they're saying "if you want to engage with our citizens you have to play by our rules." Facebook and Google can always choose to block those countries (like they do Iran).
> Because it's difficult to believe that there's only enough resources to prosecute a handful of companies at a time.
This case was by a privacy watchdog, a private organisation. I find it very believable that they don't have enough resources to sue the likely several thousand American companies that are potentially violating EU laws. I also would be surprised if the Belgian government had enough cash lying around to do that too.
The decision in question was in a civil suit. The suit was brought by a "privacy watchdog" organization that's presumably at least partially government funded to investigate cases like this, but that doesn't prevent anyone else from suing as well.
So if you know of a European company with similarly privacy-violating practices, what's stopping you from filing suit? Or if you're not an EU citizen, you might still be able to get some less corporate-friendly group to investigate.
And let's be honest, most ads are total garbage.
If users want your service, they will pay for it. If they don't, well then your service is not needed.
So the site will die, because nobody thought it had any value.
What's the problem?
I really don't like your definition of 'free'. Wikipedia has been relying on donations for quite some time. guardian.co.uk is one of the recent examples asking for donations and working out for them.
>science articles
Ok that has to be a joke, the paywall journals subscriptions are nothing like ads.
Please, don't conflate any pay method with pay wall (which is a pretty good one). If business cannot retain itself w/o breaking the law and has to shove unwanted images/videos/etc. straight in the face, it may as well not exist. The ads have degraded user experience in so bad ways that having a page with little content and 'next' button just to show more ads is pretty much the norm now.
A somewhat related note: Relying solely on ads is a bad idea. Personally, I'll install an adblocker on every PC I get access to (family and friends stuff).
Additionally, this does not affect data that is necessary to operate the service. When you run a GPS tracker app then it is entirely okay to ask for the right to process someone's position as part of that contract (as long as you don't share it with a third party).
Essentially the GDPR makes such a business model almost unsustainable. IMO rightfully so.
I am not defending FB, my point is that you do not need an army of geniuses to extend the tracking to everyone.
Someone should invent a http header that lets you signal that you don't want to be tracked. It could be named something like DNT, for do-not-track. People could then set DNT=1 and websites such as Facebook would know not to track you...
- it was on by default. You shouldn't have to 'opt-out' of invasive surveillance.
- it was enforceable and backed by a vigilant regulator and credibly enforced legal deterrents. We're far beyond a 'pinky-promise' being enough.
That's the wrong question to ask. You shouldn't have to tell it not to track you. They shouldn't be able to do it, unless you explicitly tell them "hey you can track me."
Google, Criteo and others have long had a default opt-in policy for their retargeting products, etc.
By not having a fucking Facebook account! It seems to me that's actually the crux of that court decision.
It's more complicated than deciding not to have a Facebook account, though that's a great first step.
There should also be a central place for us to put our emails there so spammers won't spam us? If this seems a horrible idea then your suggestion is exactly the same.
This is the most G. K. Chesterton-esque comment I have ever read on this site.
Poe's law may apply, but if you're actually being serious, "Let's build a list tracking all the people who want to avoid tracking" first, probably wouldn't work, and second, is the surveillance equivalent of a "standards problem" [1]
How much "brightness" is required to carry out such a strategy? If millions of users followed step 2 (or blocked Facebook domains through another means), what would happen? How would the "brightest minds" respond?
The obvious counterpoint here is the Volkswagen emissions scandal. Europe generally went "oh, maybe we should make it harder to cheat on emissions" whereas the US went "here's the fine for not meeting emissions, here's the fine for cheating, oh by the way, you can't sell these cars anymore since they don't meet emissions, and mind the class action lawyers on your way out." That said, it could well be the case that the EU would have been equally nonplussed had GM been the heart of the scandal instead of VW, but there is room to argue that Germany isn't treating domestic companies with the same vigor that it does foreign ones.
But neither has done as well as Switzerland (banning VW diesel cars entirely), South Korea (criminal case against VW executives), Netherlands (class action and investigating the reacquisition of the subsidies paid to VW previously), Australia (forced recalls and class action lawsuits), or America (as you've already mentioned).
I don't know whether the car industry is the best example of "EU interventionism" done right, given how central the car industry is to Europe's economy (which is a whole different issue). I'm not sure whether they would've treated non-EU companies differently.
> breaking the law
No one is breaking the law yet. The law has been changed, and has been changed in a way that destroys businesses and people.
Or: just make it opt-in.
I doubt a statement expressing dissatisfaction is a valid legal argument responding to a legal ruling. Clearly the term argument in this context is for a legal argument not a colloquial use of the term, since a legal appeal is what is being discussed.
When people get traffic tickets, the judge won't let them off for saying, "But, your honor, the police officer didn't pull over any of the other speeders around me."
Companies did not like when IE did this but I think the solution would be simple, when you start the browser for the first time you will be asked if you want to get tracked or not, you will have 2 big buttons to choose.
Then FB, Google and others should ask the users to switch this because they want to track you on a different website and explain to the users why.
Furthermore, if I remember correctly, no explicit consent is required where the cookie has to be used for features the user requested, like a shopping cart.
So, if the law was actually written to require what it was supposed to require, and actually enforced, a web site operator would have the options to either:
a) implement an opt-out globally across the entire site to ensure no part sets a cookie and doesn't track them, with a high risk if you get it wrong, annoy every visitor with a modal yes/no before letting them onto the site (which would hurt your conversion rates etc.), where the "no" would be a meaningful choice that would still let them use your site, and there would be very little incentive for the user to click yes
b) stop tracking users unnecessarily in general
As it is written, the options are:
a) implement an opt-out globally across the entire site to ensure that no part sets a cookie and doesn't track the users, with a high risk if you get it wrong
b) slap an annoying banner on your web site
One of these options is significantly less work and allows you to keep tracking users, so guess what gets done.
From what I understand, the GDPR also disallows denying users access to a site if they don't consent to an unrelated data collection.
Before accessing the website, you get a choice between yes and no.
If you select no, the site will not do any tracking, no analytics — some sites disable ads in that case entirely. You still get to access the site.
If you select yes, you get the tracking.
GDPR extends this concept also to consent for processing private data - there are some ways how that consent can be granted and received, but contracts of adhesion are not (will not be when GDPR comes in force) one of them. In particular, GDPR specifies that anything included in such a "take it or leave it" contract is not considered "freely given" consent and thus such a contract does not and can not give you any rights to use that data, no matter what is written there.
There is currently no detailed description as to what the definition of "sufficiently" is. For example:
- can I use your data to build a targeting machine learning model?
- can I use it to target you?
- do I need specific opt-in for every model?
Most things in GDPR are not specified in order to both give flexibility to the sites and to reduce the number of loopholes (which are technically legal but against the spirit of the law). You need to decide on the implementation and be ready to defend it in case of an audit.
GDPR had been announced 2012, implemented fully in 2016. Active enforcement will start May 2018 with again a temporary period to allow companies to correct. Refusal to comply after that can result in penalties up to a maximum of 4% of the company's global revenue.
How much courtesy lead time does a company actually need to comply?
"You have 20 seconds to comply" says the robocop :-)
The summary of the court of the case, if ruled in favor of the one suing or in favor of the public interest, will be used to prosecute all other offenders if they do not comply. If the defense wins, it can be used by others as a defense.
While not 'fair' it works as the smaller fish will probably go bottoms up trying to mount a proper defense against larger governmental or lobbying groups which results in a no-win scenario for all: The company is dead and there is still no ruling, or a ruling lacking proper defense.
Or say Intel users that are now suing on the Meltdown bug should they get involved in AMD too from some feeling of solidarity?
In this case someone did something illegal and someone else complained to the justice, should they first find all (I hope you understand what all means, aka don't forget anybody) and try to do what? start 1000 processes in justice? It makes sense to start with the bigger criminals, if the court decides favorably then you continue to the next ones.
2. Do you realize how much manpower it would take to require that all separate cases be tried at once? You might as well just come out and say you don't want any cases to be tried at all, as that would be the outcome.
Nobody owes artists a living, a vocation that traditionally was engaged in alongside traditional paying work.
Nobody owes advertisers living, or their eyes and attention.
Nobody owes a living to the person who makes their money from ads all over their blog.
I'm sorry, but if your business model boils down to using your unknown blog and barely visited web site as a vehicle to bombard people with ads for money then you don't have a business model at all.
If you want to host your blog, then just pay for it. I do the same. Not because I want to earn money with it, but because I want to. I can see why this is a problem for commercial entities, but not for personal stuff.
Personally, I value my privacy. I don't tend to use services like Facebook, mostly because I don't want to encourage that sort of perpetual surveillance or volunteer that much data about myself (or encourage my friends/family/colleagues to do so for me) to be used for purposes I don't fully understand.
On the other hand, apparently there are literally billions of people in the world who disagree with me. Most people I know demonstrably are willing to give up some privacy in return for the convenience that Facebook provides to them.
Requiring such a business to allow users more control over how data about them is being processed is one thing, and there are pros and cons that reasonable people can debate in that area. But I'm not sure the EU has any moral/ethical right to dictate that business models that have supported highly successful businesses with literally unprecedented levels of popular support should no longer be viable, and the conditions we're talking about here look awfully close to allowing that.
I would say that being popular does not correlate with being good and moral. Being successful does not correlate with being good and moral either.
>Most people I know demonstrably are willing to give up some privacy in return for the convenience that Facebook provides to them.
The patient is not always right. A lot of people would give up privacy for facebook because in the faustian bargain, the short-term benefit outweighs the long-term consequences.
Or is my sarcasm sensor not working this morning?
Revenue might be lower. That is not in itself proof of a worse outcome. Maximising numbers like revenue or GDP is not good per se. Neither is maximising the amount of content created. If you want to know the trade-off is worth it you also have to look at the costs. The impact of tracking on privacy is not zero. The impact of ever more attention grabbing ads is not zero. The impact of persuading us to buy ever more stuff is not zero.
Also, the vast majority of small scale content creators are hobbyists.
I have history turned off in google maps. I can’t name the points I make, it tells me I need to turn history and tracking back on. I hope that becomes an unjustifiable degrade.
>all of which upload your personal data from the phones to their own servers without your knowledge or consent.
Our default legal position shouldn’t be one of accommodating a corporation’s existing market-acquisition practices over people’s privacy.
I'd think the most pro-privacy reasonable approach would be to stop companies from identifying them beyond "someone who did not consent to being tracked".
Facebook has such incredibly smart engineers that they can file patents to identify you based on the dust of your camera lens [1]. It should be a cinch to them not to track such third parties in any way, shape or form.
The problem was that they gave zero fucks about the privacy implication to third parties, which have nothing to do - and no business relationship with Facebook. It seems quite the opposite: That they go through great lengths to maintain shadow profiles and track everybody.
I really hope that the GDPR forces them to clean up their act.
https://gizmodo.com/facebook-knows-how-to-track-you-using-th...
For instance, it could still be legal for Facebook to slurp your friend's address book (and your profile, indirectly), but the regulation could require them to discard and purge that information if they can't immediately match it to an account.
Since I'm not a member of their service there's no valid reason for them to maintain personally identifiable data about me. Let alone that they never asked for my permission and that I never, ever consented to their gobbling up of my data and that of other non-members.
At least according to my understanding this is a very clear violation of the GDPR, which - if the courts agree - could cost them dearly.
I wonder how Facebook intends to deal with that. If I interpret the directive correctly they are obliged to delete all such data since storing, maintaining and processing it clearly violates the law.
Interesting times...
https://www.cnbc.com/2017/06/27/the-largest-fines-dished-out...
If you look at EU court decisions concerning privacy, you see that it mostly concerns European companies and government bodies (e.g. people storing their fingerprints being stored for passport applications). Those cases just don't get as much exposure in the US:
https://ec.europa.eu/anti-fraud/sites/antifraud/files/casela...
Another factor here may be that EU companies generally stick more to privacy rules, because it is easier to get sued directly by their citizens. E.g. in Germany many institutions and companies are paranoid when it comes to privacy and go out of their way to avoid lawsuits.
To use your example, US has targeted companies from IP-protection-weak countries. Was it directly targeting China? I'd say not necessarily.
Not true. There are some countries where it works like this, but also countries where it's the opposite. In some EU countries this got ruled as unconstitutional. In some other countries, this got ruled by the highest court of law as unlawful.
> This is a corporate regulation, not a criminal case.
That doesn't matter in most EU countries.
Until you prove otherwise, by means of contract, legitimate business interest, law or consent, assume private data is meant to remain private.
That erosion is not corruption on its own, but can lead to it.
EDIT: Downvotes? I'm stating facts. How can you downvote facts?
[0] https://www.transparency.org/news/feature/corruption_percept...
Europe, Germany and France in particular, has a strong history of state involvement in large corporations.
I suppose you could call that an administrative philosophy. To me it sounds like another form of corruption.
And I guess Facebook and others have been trying to lobby it away for years already.
The entire tech industry can now consider themselves warned. Not even giant American corporations with direct links to the White House are above the law.
E.g. your assumptions being incorrect. You could have avoided a lot of downvotes with showing some humility. Assuming someone does not know about large shifts in EU membership seems like argument in bad faith.
Which, granted, is something that happens but people largely regard this kind of unequal protection of the law to be a bad thing.
I don't see the point of this sort of "but johnny did it too" line of argument. So authorities are looking into a report of widespread abuse. Where's the relevance of not advertising how they may or may not look into other small-scale and lower-profile cases? In fact, aren't resources better spent by going after the single largest and more egregious source of abuse that has a global reach and has been continuously abusing its position for over a decade?
Such activities are illegal and considered corruption in most countries.
The US is not unique. If you see something happening here, it is almost always happening in other western countries, and acting like we are the only ones to have a problem does a disservice to worldwide development.
[1] http://files.transparency.org/content/download/2183/13748/fi...
[2] http://files.transparency.org/content/download/2183/13748/fi...
Lobbying has nothing to do with donating money, and lobbying elected representatives is definitely not illegal in most democracies.
Please don't twist conversation into debates about semantics: it's not helpful.
> How can my argument be US centric when I'm European and have never even visited the US?
You don't have to be from the US for your post to sound US centric. It sounds exactly like every other "USA is da best! The east is inferior in every way. We have zero problems." argument which is found everywhere online, especially on sites with a large proportion of US users (like HN).
The comment I replied to had no sources as well and yet it isn't downvoted.
> It sounds exactly like every other "USA is da best! The east is inferior in every way. We have zero problems."
Actually my comment says the exact opposite, it says that at least the western part of the EU is less corrupt than the US. Do you realize that I said the west [of EU], not the west as in the US? You're the one who is thinking US-centric after all, thinking that when someone says "the west" they mean the US even though it's in a sentence that talks about parts of EU, this possibility didn't even occur to me - that's how foreign it is to me.
That kind of hand-wavy stuff doesn't fly here. If you're going to make a claim like "EU Countries are more corrupt than the US", YOU have to provide a credible source for that claim.
Telling people to go and verify for themselves a claim that you made is just lazy and disingenuous.
Yes, and you said that both are illegal in most "other" countries. Except lobbying isn't illegal in any healthy democracy, including in Europe. Donating "millions of dollars" isn't really legal in the US either.
Read it again. It stated much less confidence in those baseless claims, inviting sourced rebuttal. You claimed to be "obviously" right without any sources, and apparently you were not.
Edit: also, complaining about downvotes, especially without even trying to admit a mistake, is considered bad behavior here.
This is flat-out untrue, and repeating this incorrect meme ad nauseam simply makes it harder to address actual problems when they arise. Lobbying is simply the process of petitioning elected officials. It's a necessary part of any functioning democracy, or else there's no fundamental feedback loop connecting elected officials to their constituents in between elections.
> If there was a lobbying group that did not donate money you would have to specify that in conversation
Corporate entities are prohibited from donating money to campaigns, whether or not a quid pro quo is implied.
The same issue comes up with the word theory to scientists vs its meaning in the common vernacular.
As to your second part about corporate entities being prohibited from donating money to campaigns, excuse me while I set up a PAC to donate funds to a senator who is aware that I donate to the PAC and that I would really appreciate it if I got a tax break.
What the law intends != what is actually happening
Yes, and just as we ignore people who dismiss evolution because "it's just a theory", we should take the same attitude towards people who conflate lobbying and campaign contributions, because they clearly don't understand how the democratic process works, and acting on their demands is actively harmful.
> What you've stated is true by the technical definition of the term, but lobbying in the _common vernacular_ of the United States is synonymous with paying money.
Yes, and the "common vernacular" is wrong and actively harmful. The two things are completely unrelated, and perpetuating the conflation makes it harder to understand what's actually going on.
If you think something is broken, you actually have to understand how it's broken in order to fix it. There's no virtue in going out of your way to make it more difficult for people to understand how things work. That's how you end up with people wasting time advocating "reforms" that span the range from "well-intentioned but redundant and/or ineffective" to "completely self-contradictory and nonsensical".