Facebook to ask everyone to accept being tracked so they can keep using it (independent.co.uk)
Also known as "Hobson's Choice": a free choice in which only one thing is offered.
https://en.wikipedia.org/wiki/Hobson%27s_choice
Naturally the vast majority will just click through and accept the defaults.
But what if a small number does not? Could Facebook see 6% or 4% or 2% attrition because of this?
2% attrition of 2.2 billion users is like the entire population of California and Oregon.
This many people leaving the network makes it a little less connected and a little less valuable for the 98% who remain.
That's a lot of people wandering about, discovering new alternatives to connect with their friends and family.
Facebook will be with us for a long time, but reducing their influence would be a big net positive.
Even outside of me and my friends, I mostly just hear of people using it to connect directly with people, like joining some Facebook groups for specific discussions.
You exist.
They don't need you to participate. They need your email or your phone number that can link you to the rest of the matrix. With a mobile app, they get your phone number automatically.
Everything else you post is icing on the cake. They don't need your relationship status. They don't need your address. Maybe your phone number will link to one, but they don't need it to be accurate.
Now you're part of the data pool. You're one more audience member. You're fueling facebook and their profits.
You're being sold.
Not only that, non-participation grants a false sense of security. As does the data they ask for; as if the data you post is all that they know or that is being shared. As do all their privacy settings. As does deleting your account. Facebook might mark you as deleted, but your data has already been used, sold, and transferred to 3rd parties, none of whom are inclined to delete your data.
If the data hasn't changed, and you haven't changed, then deleting yourself from facebook doesn't change anything.
I still have an account for instance, but I log in only once/mo. and keep it solely for the API keys.
My friends seem to be a little less active than 10 years ago, as well.
In the height of Facebook's data scandal, daily deletions — people who deleted their accounts and quit Facebook — were at about 4000-5000 users a day.
It has now returned to normal levels, of about 1000 a day.
Facebook has 1.86 billion users. Look upon these numbers, and despair.
Also, FB revenue and users are increasing - which indicates they are not seeing any downturn like what you are talking about here.
I would assume a large percentage of this number are bots / automated content.
"(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. [...] For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."
Are people free to leave Facebook?
Me, I need an account with Google for my job. Will they now only be allowed to demand I consent to the parts of the data processing necessary to provide the services I use? Or in other words, since I don't rely on their advertising, does GDPR mandate that opt-in to tracking for ads must be optional?
GDPR, Article 4: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
> We use cookies to enhance your visit to our site and to bring you advertisements that might interest you. Read our Privacy and Cookie Policies to find out more.
Bottom line, even if you give them consent in such a forced manner, they will pay the fine if they use the data. Not only that, I bet that at this moment there is a lawyer preparing a class action against FB for forcing the consent (And they will win! After 25th of May, FB is breaking the EU law). Max Schrems gave FB a hard time before and I bet he is just waiting for a new chance; this is his site, https://noyb.eu/, check it and check how many donations he got. I am stockpiling popcorn as this is going to be fun to watch. I really thought that FB was going to be smarter; probably Zuck had another of his tantrums and made another really stupid business mistake that will cost him a lot.
But, as an FB user, please consider something else: Facebook is trying to downplay your rights, which directly proves that they don't care about you. Do you really want to continue using such a service? Do you really value yourself so low that you are prepared to bend over?
https://www.politico.eu/article/facebook-ecj-european-court-...
"Europeans will in future be able to bring US-style class actions for (alleged) privacy violations, instead of having to sue individually and expensively. It’s thanks to a little-known clause of the EU’s GDPR, which comes into force in May."
And maybe for non-EU users: don't complain about GDPR, back it up. You will give your legislators a powerful signal and you might also get the protection of your fundamental human right.
uBlock Origin is great for blocking Ads though. If you really need to block scripts, there's NoScript.
I recommend using at least the adblocker and the tracker blocker, even if only to reduce memory usage of the browser and take back a couple of CPU cycles from your computer stolen by pesky ads.
Users that don’t accept the terms or use various tech to block this, would receive misappropriated ads. Bad ads make companies lose revenue while annoying the users with extremely irrelevant info.
This method should be extremely effective in removing false positives.
Personal observation: ads are never going to go away and I personally prefer receiving ads about some local beer brand and not about lipstick or sake in Japan.
Anyway perhaps these no-decline 'permission' screens will cause a few people to reconsider their presence on Facebook. After all the company's Chief Privacy Officer endorses it! “People can choose to not be on Facebook if they want”
Yes, but not more than a few. Privacy is not a big concern for most.
“People can choose to not be on Facebook if they want”
I made my choice a number of years ago.
https://www.accc.gov.au/consumers/contracts-agreements/unfai...
I tabled the idea of the group leaving fb for somewhere else, as now would be the time people would be receptive to that idea.
The consensus was, nah, don't bother, this is fine... welp.
edit: I suppose it comes from how optimistically/pessimistically you view someone saying that a decision is on the table, I guess. Funny.
I do wonder how this will affect Instagram, which is where most of my peers and friends are.
IANAL. The only argument I'm aware of that data controllers can make for processing data without consent is if there is a legitimate interest: if the data controller needs to process the data in fulfillment of a contract/service. I wonder how this will play out for non-users. It would seem there's no legitimate interest there.
Something like that, I expect, although I'm not a lawyer either.
FB, as with all third party trackers, isn't the one actually responsible for notifying you about the use of their pixels etc. on third party sites. The site operator using it is. See https://developers.facebook.com/docs/privacy
if there's a hosted image from a facebook domain (e.g. a like button), unless that image is loaded after consent is given, facebook can already associate that user's IP address with having visited that web site by nature of sending the image over. in other words, facebook is tracking pre-consent (unless those images are loaded post-hoc, which is just not happening in today's world)
as a result, it's fundamentally impossible to consent before visiting a particular website, because there's no way to know what other domains will be triggered by visiting that website.
the only way i've found to defeat this behavior is by using uBlock Origin's default deny policy which prevents all 3rd party domains from being accessed by default. it's a bit of a usability pain as one often has to add e.g. stack overflow's CDN to use its website "well", but does prevent an embedded image hosted on a FB domain from being loaded when visiting a website, which defeats the more nefarious FB tracking.
https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-de...
If you're running a website with one of these, I strongly suggest you make sure you record whether people accept and actually boot them off the site if they don't. GDPR article 7 section one requires a website to be able to demonstrate that I have given consent, and recital 32 requires that that consent be specific and unambiguous. It's doubtful that "by continuing to use this site you agree..." statements will be satisfactory, especially if you start the tracking the instant they hit the page, before they can click that ok button.
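The approach discussed in the comments above (no third-party request before consent, and a record that consent was given), as an added example that is not part of the original thread. The hosts, purpose names, visitor id and policy version are constructed, and the in-memory log stands in for whatever server-side store a site would use.

```javascript
// Added example: third-party embeds stay unrequested until the visitor
// actively accepts the matching purpose, and every decision is appended to a
// log so that consent can be demonstrated later.
// All hosts, purposes and ids below are constructed for illustration.

const POLICY_VERSION = "example-policy-v1"; // placeholder, not a real policy id

// A resource is third-party if its host is neither the site nor a subdomain.
function isThirdParty(src, firstPartyHost) {
  const host = new URL(src).hostname;
  return host !== firstPartyHost && !host.endsWith("." + firstPartyHost);
}

class ConsentGate {
  constructor({ firstPartyHost, load, now = () => new Date() }) {
    this.firstPartyHost = firstPartyHost;
    this.load = load;         // function(src) that actually issues the request
    this.now = now;           // injectable clock, so records are reproducible
    this.granted = new Set(); // purposes currently consented to
    this.pending = [];        // embeds held back: { purpose, src }
    this.log = [];            // append-only consent records
  }

  // Pages call this instead of writing <img src> or <script src> directly,
  // so nothing third-party is fetched as a side effect of the page load.
  embed(purpose, src) {
    if (!isThirdParty(src, this.firstPartyHost) || this.granted.has(purpose)) {
      this.load(src);
      return "loaded";
    }
    this.pending.push({ purpose, src });
    return "held";
  }

  // choices: { purpose: true | false } taken from explicit controls that are
  // not pre-ticked. Anything other than a literal true counts as a refusal.
  decide(visitorId, choices) {
    for (const [purpose, value] of Object.entries(choices)) {
      const accepted = value === true;
      if (accepted) this.granted.add(purpose);
      else this.granted.delete(purpose);
      this.log.push({
        visitorId,
        purpose,
        accepted,
        policyVersion: POLICY_VERSION,
        at: this.now().toISOString(),
      });
    }
    // Release only the embeds whose purpose was accepted.
    const stillHeld = [];
    for (const e of this.pending) {
      if (this.granted.has(e.purpose)) this.load(e.src);
      else stillHeld.push(e);
    }
    this.pending = stillHeld;
  }

  // Withdrawal is recorded like any other decision. Requests already sent
  // cannot be recalled, but later embeds for that purpose are held again.
  withdraw(visitorId, purpose) {
    this.decide(visitorId, { [purpose]: false });
  }
}

// Browser-side loader (unused under Node): adds the image only when called.
function injectImage(src) {
  const img = document.createElement("img");
  img.src = src;
  document.body.appendChild(img);
}

// Constructed walk-through: one first-party script, two third-party embeds.
function demo() {
  const requested = [];
  const gate = new ConsentGate({
    firstPartyHost: "news.example",
    load: (src) => requested.push(src),
    now: () => new Date("2018-05-25T00:00:00Z"),
  });
  const firstParty = gate.embed("functional", "https://static.news.example/app.js");
  const likeButton = gate.embed("social", "https://social.example/like.png");
  const adPixel = gate.embed("ads", "https://ads.example/pixel.gif");
  const beforeConsent = requested.slice();

  gate.decide("visitor-123", { social: true, ads: false });
  const afterConsent = requested.slice();

  gate.withdraw("visitor-123", "social");
  const afterWithdraw = gate.embed("social", "https://social.example/share.png");

  return { firstParty, likeButton, adPixel, beforeConsent, afterConsent,
           afterWithdraw, log: gate.log, pending: gate.pending };
}
```
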
I noticed their 'opt out for interest based ads' was through a cookie set by some consortium of creeps companies. At the time I remember thinking it's like 'if I don't want you to track and follow me all over the internet then I need to allow you to track me and follow me all over the place so you know who I am.. Riiight'. Plus that setting resets if you delete the cookie. So I don't know how that will work with the container. Perhaps somebody who knows more can enlighten me.
Honestly, given that FB is after my healthcare data, my patience has worn quite thin with them. IMHO the creep factor and unintended consequences are way too many.
What? Can you provide a link to that? I hadn't heard this before, and find that really disturbing. I'd like to learn more.
Or non-Facebook related, why can't my smart TV just let me choose PC Gaming, Technology, and Concert advertisements as highest priority. I might actually look forward to watching an Oculus or Vive advertisement, instead of putting the TV on mute, or leaving the room when I see another health insurance commercial for someone 60+.
As an example of stupid targeted ads: I bought a Casper mattress a couple of months ago and pretty much every single ad I've seen since then (on devices where I don't have them blocked) has been for mattresses. How many mattresses does the internet think I need?
If I'm reading about something on the internet it's generally because I'm interested in it. Why not try to sell me something related to that rather than something I already bought!?
If they would just ask me what my interests are and stop allowing shady/malicious ads, I'd probably just turn off adblock.
If you pick "videogame", unless they ask you if you like RPGs, which videogame do they advertise to you?
(not saying it's WORTH it, but ad tech is pretty darn sophisticated these days)
The online ad business is just complete and utter bullshit. They have all this data and have utterly failed at using even the most basic data points ("where does he live?" "what language does he speak?"). And all they can think of is "hmm probably need more data"
If the webpage is written in french (or visible as such) that reviews computer hardware, pick hardware ads first and if available in french. That is IMO a reasonable assumption to make and I don't believe that a lot of users will be mistargeted that hard.
Bigger publishers like newspapers could run ads depending on section, ie the politics section shows political ads and the weather section shows a raincoat ad.
The only downside I see is that localized ads don't work as well (ie, "local restaurant has cheap burgers" and "99+ women in <your area> want to talk to you on tinder!!!!"). Such places could put their ads on relevant pages though, ie the internet page of a local newspaper or the local communities' internet presence.
I run ABP and there are still ads all over the place in Facebook. I've taken to reporting every ad I see in my Timeline as spam.
I never accepted the change in the expectation that everything will now be ad supported. That's a fundamental, massive shift. You can still say no to that imposition, it's not actually baked into any of the technology, just a bunch of bloat glued on afterwards.
Yes there are ads. Yes I dislike those ads but they pay for the tv programming and broadcast.
No, broadcast tv does not keep a massive dossier on me or even know I exist.
Almost nobody expected nor understood that they are now "free from having privacy." It's not usual nor expected nor was it ever made clear. It was also done where there was no consent (shadow profiles for people without facebook accounts) and where consent was expressly withdrawn ("I now know what facebook does and would like you to close my account and delete all data and all backups of data relating to me"). Wildly evil stuff going on there, argue about what the law "says" all you like it's foul and should be illegal. It probably is illegal too if you haven't got billions to buy out of the problem. Cue the apologists...
There are plenty of other media consumption businesses paid by advertising where you aren't being monitored in a manner the stasi could only dream of. Free printed newspapers supported by advertising have been around my entire life. This was the expectation.
Could facebook and google have grown if they had stated on their front page, every login that they were keeping records of everywhere you went on the internet? They wouldn't have got any traction whatsoever so they lied. Android will keep track of everywhere you go physically and add that to our file on you. Apple are better is just such BS you have to be a huge fanboy to swallow it.
Everyone concerned should be facing criminal charges for that kind of lying. Trying to claim they didn't know they were lying at the time and it was a bait and switch fraud instead.
That's a good question, but once GDPR is in effect, the law is going to require that all consent is genuine, informed, active consent. A consequence of that is that someone must be able to withhold their consent without suffering for it, unless the thing they're consenting to is essential to whatever else they're doing.
If you're thinking this fundamentally undermines the current business model of sites like Facebook, you're probably right, and given the political rhetoric around the GDPR, it's possible that this was the intention of the EU from the start.
You can't claim that because you need to provide service for someone else you need to process data of non-users.
The users whose data you collect are required to be part of the service or contract to fulfill unless you have a damn good reason not to, and "we need to provide this service because we go belly up otherwise" won't fly, IMO. A legitimate interest would be stuff like "we will make backups of our data, ensuring that deletion requests are carried out upon restore, to continue providing service in case of disaster" or "we will log your IP temporarily because we need to provide essential network and information security".
[Laid out in https://gdpr-info.eu/recitals/no-40/]
Ad revenue may be essential to Facebook being commercially viable, but it's not required at all to provide the social networking features that users actually want.
My guess is that FB will continue to work even without this other data just given what they know on the site.
But if they have data acquired with users' consent for social networking purposes, they won't be allowed to process that data for purposes such as targeting ads without consent.
The only other business model I’ve seen work is “be owned by a billionaire”.
I just check the privacy list options in uBlock Origin.
https://github.com/gorhill/uBlock/wiki/uBlock-vs.-ABP:-effic...
FWIW, Google's commercial terms are not the same as consumer terms ... again, like every other software vendor.
That fails the test:
> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Again, this is how things generally work in commercial contracts outside of GDPR (including Safe Harbor and EU/95/46 before it), and I don't see why this would be different.
The number of facebook user accounts never goes down, with new bots getting accounts constantly, but people activity logging in and sharing, posting or caring is down.
You are suffering from confirmation bias at this point. What data, apart from your anecdotal experience, do you have which shows that sharing and caring about FB post is down?
Since we don't have access to Facebook logs and can't know how many times people sign in and to what percentage are bots wandering around the site, we can only talk about our impressions.
uBlock Origin with either "Fanboy's Third Party Social" or "Fanboy's Social Blocking List" selected will block all third-party connections to Facebook servers, period. Of course Facebook can still spy on you via other spy companies, but the "EasyPrivacy" list cuts that down a lot too.
On the other hand, Facebook Container still happily connects to Facebook servers from third-party websites, leaking your IP, useragent, the URL of the webpage you're viewing, headers containing fingerprinting information like fonts, etc. Facebook Container does one thing and one thing only: strip off the Facebook cookie. But this is almost worthless from an information theoretic perspective, because Facebook can trivially de-anonymize you through IP/timestamp/header correlation.
What? How do you open a non-Facebook website in the Facebook container? When you open external links on Facebook, from the Facebook container, they open in the normal container.
This is the part I'm most excited about. (Or would be if I lived in the EU.) I'll be very interested to see how that works out. I'd love to see something like that in the US.
I imagine that you simply won't be able to use websites anymore if you are from the EU and don't give consent. You'll just be told to go away.
1. I bought one of those spinning face brushes for my girlfriend. A few minutes after purchasing online, I started seeing advertisements from that same store, for the same exact brush. Literally 90% of the page views were showing that advertisement.
2. I was browsing Airbnb accommodation for a trip to let's say Mexico. I was checking apartments on and off for weeks. I didn't see any Airbnb advertisements during that time. The minute I book that accommodation, Airbnb starts showing advertisements for rooms in Mexico.
3. I'm browsing barbers in a new city. No advertisements until I book an appointment with one online. Then, I start seeing advertisements for the same barbershop. Now, that has potential, but the advertisements stopped after a week. Why do I need to book a second hair appointment in the same week? Why not recognize I booked a men's haircut, and start showing me ads in a few weeks?
For all the tracking, privacy invasion, and fancy "machine learning", advertising sure is dumb.
> Our results indicate that more sophisticated targeting algorithms might not gain, and might even harm, the advertiser as those seeing the ad would convert in the absence of advertising.
There are a bunch of ad-tech people on this site; maybe some of them could chime in and share how many more sales they make using total surveillance versus basic keyword-in-page.
[1] https://poseidon01.ssrn.com/delivery.php?ID=7020000840130690...
For almost A YEAR afterwards, I would constantly see ads about RAM trucks and various dealerships in my area (including the one I Googled and bought the truck from) when browsing the web on my iPad. Not every ad, of course, but certainly often enough that I would notice it a couple times a week and just laugh and shake my head at the dealerships who were just throwing their ad dollars away.
Any links?
So basically prior to serving any content, you do an IP check. If they are from a GDPR country, you serve the delay loading script. If they aren't, you just load as normal. Pretty straightforward. I don't think you'd want to do it universally for all users, as you'd be at a competitive disadvantage to other sites. But you can easily enough just do it for EU countries. The other option is to just block them entirely if you have no need for EU traffic. Many sites - US local businesses etc. have no use for EU traffic or the liability that comes with it.
On a side note, with all the walled garden stuff that will be going on due to GDPR, I'll be interested to see how badly the SERPs get fractured, since every site will have a different scheme to require consent and not all of them will have people behind them that are savvy enough to make it not ask Googlebot for affirmative consent. This will put smaller businesses in the EU that don't have the resources to hire someone to deal with these issues at a serious disadvantage if they can no longer be indexed.
it could very well be that an EU citizen in Asia or the US is collected upon given your algorithm. if that's the case, are you not in violation of GDPR?
but, at the risk of rabbit-holing, your suggestion would be a pretty fundamental change to how the web works. in effect, you'd be moving toward a splintered web, where content is basically region locked.
to be fair, i don't have anything else to offer here; it just doesn't seem so easy to me.
I think you're spot on, but that was the danger of implementing heavy-handed legislation like GDPR all along. I believe that EU citizens are going to find themselves locked out of a whole world of content. But that's the world they've chosen to create for themselves. Further, if the overwhelming support that GDPR has on HN is representative of that of the entire EU population, they welcome this newly splintered world and its consequences - both good and bad (though I believe that this support is the product of the mistaken belief that the world will simply play ball and be dictated to by the EU, rather than the rest of the world simply taking their ball and going home).
This just leads to a bunch of questions: where an image is loaded from FB by a site, who is the data controller? Surely it's the primary site, not FB? In that case, then is FB a data processor (and subject to more restrictions)? If FB is a controller in its own right then how does FB gather consent in this case?
per GDPR, without consent, fb cannot legally use that data (for EU residents).
And you don't need to trust that; fb knows they're going to be spending some quality time in front of their privacy regulator.
Otherwise, think of the havoc. You decide that you want to get Facebook in trouble. So you place a Facebook button on your site and don't notify users or ask consent. Then you go call regulators. In this case, you'd find yourself in trouble, not Facebook.
Also, OP was the first one to make the assertion that fb is losing users and thus the onus falls on him to prove vs. me trying to disprove it.
I know it is not the answer you want to hear but FB is doing well in terms of their user growth. Get over it.
If the likes of Facebook and Google all turned off their services across the EU for a day, and replaced them with a SOPA-blackout-style message explaining that they can't afford to continue providing services without the ad model that pays for them, a lot of people would notice, and the EU probably wouldn't get nearly as easy a ride afterwards. I don't know how much damage would be caused if those same big tech firms cut off EU citizens permanently, but for better or worse, very many people now rely on the likes of Facebook and Google Mail for their everyday lives, and I'm betting the damage would be worse to the EU citizens than it would be to Facebook's and Google's financial statements (assuming the alternative is that they continue to operate but with a heavily damaged business model).
Yes, but that's the entire point. That's why this regulation exists. That's why it has so many fans here on HN.
Not sure if there's a qualitatively different way of achieving the same goal with a different method. There probably isn't, so it boils down to a careful balancing act - how to damage those business models without going overboard and having all US companies show EU the finger.
That part of what he said is incorrect. The EU may be able to do a lot of things, but they can't make me give you access to private documents on my server that is not based in the EU if I don't want to. You can simply tell them to go away if they disagree with your terms, or you can block all EU users from the beginning.
What are you going to do if the US adopts a similar law? Move all your holdings to mexico?
I read the entire document a few weeks back and recall no such provisions. Could you cite one for me? I'm trying to be as informed on this as possible.
Article 3, "Territorial scope", lays out where GDPR applies, and it contains no derogations for "but I didn't know they were european, honest". It is not, in fact, specifically about european citizens. It covers the processing of data for "natural persons in the Union", which is a bit unclear to me but I interpret it as covering anyone physically located in a country that forms a Supervisory Authority under section 51.
How this will ultimately interact with your websites and/or businesses if you are not based in the EU is unclear at this time.
"The reach of GDPR is broad but is not unlimited. The mere fact that a U.S.-based website can be accessed in the EEA isn’t enough. If the company does not have a physical presence in the EEA, it must be determined whether that company engages in more than incidental contact with EEA residents."
So if someone is going out of their way to mask the fact that they are from the EU, and you aren't otherwise seeking out EU users, you're not going to get in trouble for that. One issue I have with it though is that translation may trigger GDPR exposure, and since Spain is part of the EU, many sites aimed at Spanish speakers (but not aimed at the EU) may have this beast of a law apply to them. I operate a few sites that have Spanish content, so that is deeply troubling.
[1] https://www.gtlaw.com/en/insights/2018/2/the-gdpr-deadline-l...
This thread is now too deep for me to respond to your comment.
"The reach of GDPR is broad but is not unlimited. The mere fact that a U.S.-based website can be accessed in the EEA isn’t enough. If the company does not have a physical presence in the EEA, it must be determined whether that company engages in more than incidental contact with EEA residents."
This statement seems to have misinterpreted article 27, which states that if your processing is merely occasional, or if you are occasionally a processor for an EU controller, you need not specify a designated representative to the EU.
Read more here: https://gdpr-info.eu/?s=occasional
But the exception you think exists pretty much doesn't. It's got a small exception for occasional sharing of data without consent when it relates to active legal proceedings.
Naturally the EU has no jurisdiction over you if you don't live in the EU and you aren't based in the EU. They may be able to apply pressure on your partners though, be that advertising companies or others. This may flow through to you, in time. We're already seeing Facebook come under pressure to provide US citizens with the same protections that the GDPR provides EU residents.
FYI you can reply to other posts when the thread is this deep by clicking on the "X minutes ago" thing on the comment you want to reply to.
It probably wasn't depth that blocked you. It was probably time. There is a short interval after a comment is posted during which the reply link is not available in the thread. (You can still reply without waiting, but you have to figure out how to get a reply button instead of a reply link. The reply button doesn't have the delay).
> This statement seems to have misinterpreted article 27
I believe that statement is summarizing recital 23, not attempting to interpret article 27.
It would be absolutely incredible if Facebook et al "took their ball and went home" throwing away 500 million customers.
But in the case of the GDPR, it probably helps Google and Facebook more than it hurts them -- they can afford to jump through all of its hoops while smaller competitors might have trouble. It's essentially a barrier to entry.
This will make a difference for some users on some of the forums I run, as they will be banned with an apology and an invitation to come back if they ever move out of the EU. But it's not worth taking on the liability of potentially millions of dollars in fines for accidental non-compliance with a heavy handed, massively complex law that is up for different interpretations in the courts of no less than 28 unique countries. Unless you're in the EU or are a multi-billion dollar company with a large legal department, accepting EU traffic post-GDPR is an act of insanity.
No? Don't bother instituting a stupid ban like that, then. And stop scaremongering.
GDPR applies to businesses.
Besides, compliance isn't too bad for something like a forum. Just purge the relevant user records and posts, if requested to or when a user deletes their account.
Source: I am doing GDPR compliance on web applications for a major telco.
You can use a combination of advertising and payment to fund services that connect people and facilitate commerce without extensive privacy destroying data collection. This model worked fine previously and it will work fine in the future. If anything hardware and tools are damn near amazing compared to the bygone past.
I struggle to think of any service in the world that is impossible or even challenging to replace. If anyone decides to take their ball and go home they will be replaced by a competitor who will use that extra revenue to improve their positions in other market to the original fool's detriment.
There is in fact no reason to believe other markets including the US won't ultimately discover the merits of protecting their citizens privacy considering that in the US perhaps 171k work in the advertising industry out of 300 millions.
How the 0.02% can do an effective job without trampling the rights of the 99.98% is an exercise I leave to them and if they can't figure it out, then I hope the food stamp program still exists so they won't have to stand outside 7-11 with placards reading "will lie for food".
And leave millions and millions in profit on the table for everyone else?
That's the same argument used against changing the tax codes so companies would actually have to pay taxes in the countries in which they do business, by closing the loopholes.
They're not going to throw away profitable markets just like that. And if they do, good riddance.
Experts say a lot of things on GDPR, one of the really interesting things about reading it myself is that I've found a lot of them seem to be wrong. I've heard a few people talking about a "social media exception" that doesn't seem to exist, for example.
It's possible that there have been preliminary rulings on GDPR that I'm not aware of, because I'm not a lawyer. So I'm not by any means declaring that your experts are definitely wrong, but I am nigh on certain that their source of information for making such statements is not the GDPR text itself.
I disagree that GDPR is an overly broad law by the way. The GDPR text is actually fairly specific. It encompasses a large domain, but it clearly defines that domain (Article 9 is an example of a large but specific definition, although it is only one of multiple such articles) and tells you clearly what you need to do within that domain to be compliant.
People just /think/ it's overly broad because it impacts a lot of tech companies and none of them have actually read the text. The human brain interprets this as "inspecific", whereas it's actually carefully targeted at a handful of specific things that lots of tech companies are doing (or not doing).
I have a business. And yes, I have spoken to GDPR compliance people, so GDPR has already cost me enough money. Compliance is a murky proposition at best, since this law can be interpreted in different ways in 28 different countries - all of whom will be looking for ways to maximize the fines they collect under it from foreign companies.
Since you are in the GDPR compliance space, surely you know that it does apply not just to businesses that are hosted in the EU or do business there. Rather, anyone that knowingly accepts traffic/data from the EU is vulnerable to it.